Breaking in: how to use OSINT for pen testing

Steve: [00:00:00] We saw the clothes that the individuals wore at the company. We bought the same clothing. They have jackets with their logo. We had them all forged and made up the badges. We learned off of the badges that the company has. So, you know, when you see somebody on a late day going, Hey, first day on the job and they show you a badge, not a good thing to do.

Jeff: Welcome to Needlestack. I’m your host, Jeff Phillips.

Shannon: And I’m Shannon Reagan. Today we are talking to Steve Stasikonis, founder and president of Secure Network Technology or SNT. Steve, welcome to the show.

Steve: Glad to be here. Thank you.

Shannon: Steve, could you tell us a little bit about Secure Network Technologies as we get started just to see what space you’re in and how you’re using OSINT?

Steve: Uh, yeah, so we started the company in 1997, really built a software security product. A lot of year later, really kind of bought it. became a security penetration testing assessor type of a company. Um, and and really started focusing [00:01:00] on doing assessments, pen tests early on. By 2002, a couple companies called us.

They had been compromised, hacked, and Next, you know, we’re doing incident response and one of the things that kind of came about, um, about doing pentesting and evolving over the years was, you know, people want to say, well, geez, find out what’s out there about our company, you know, do something that a threat actor or a bad hat bad guy would do, or a hacker would do.

So we started to do open source intelligence gathering and it became kind of like one of the things that are, that are part. Of a job that we get. So if it’s a patent test where we’re hitting a perimeter or the inside of a building or some facet of, of, uh, you know, really compromising that entity posted was, was kind of where it was at

Shannon: for, for the uninitiated, uh, Could you summarize what is pen testing or what is the goal of pen testing?

Steve: So penetration testing is, is finding every possible way, [00:02:00] uh, that you can exploit a weakness within a network. So ultimately you’re, you’re ethically hacking that business or either from the perimeter, from the, on the internet. To the inside of the company or finding a weakness there, once you’re on the inside, trying to get privileged to like active directory, you’re trying to get data stores, everything that a threat actor would do on the inside of your network in today’s world, they ransom a company and encrypt their data.

That’s for a giant amount of crypto to get about it. So that’s pentesting. Um, OSINT. I probably should explain that that’s open source intelligence for those who don’t know as well. We’re not talking acronyms here. Right? So that’s anything publicly made available. As long as I don’t have to commit a felony or a crime to retrieve that data, um, it’s fair game, right?

So we’re not going to be breaking the laws to do a job. But at the same point, Yeah, you put it out there and we find it, you know,

Shannon: we’ll use

Steve: it. Okay. Yeah, exactly. So, yeah, be careful what you [00:03:00] post.

Jeff: Yeah, be careful what you post. And, and I know we, we were talking earlier and we talked about, you were telling us a little bit about the role of OSINT, uh, in pen testing.

Do you, can you tell us a little bit about that? And, and if you think maybe, do you take a little bit of a unique approach to penetration testing? Penetration testing and, and leveraging OSINT.

Steve: Yeah, I think, yeah, I think we, you know, everybody does it. I think that we do a really good job at it. Um, the key is, is to find any useful information that could lead to a potential, you know, exploitation.

So, you know, if we have to hit the perimeter of a network, you know, my guys are out there scouring the internet to find all the addresses that belong to that company. If we’re going to fish them, we have to figure out who the employees are that we want to fish. And you know what? The thing is, is we want to find people that are focused on, you know, the potential people that will click.

So, you know, if you just cast this giant net to everybody, oh, then none of your stuff gets through. So if you’re more selective and you do some [00:04:00] intelligence gathering and find out that, yeah, the CFO is probably going to be our guy. You know, you’re going to focus on. The C suite or the guys that the individuals that you would assume that think that they’re protected and then you you fish them and go after them.

So OSINT is really about, you know, we finding the stuff that’s going to lead towards something that’s going to work out to our favor or a bad guy’s favor as you get a report on it.

Shannon: Well, you have a lot of crazy stories in your background, and we’ve been doing some, you know, conversations offline and, uh, the things that you do, the things that you make and find out, um, are crazy and frightening in a way, um, but also really valuable, you know, to improving the security of the people that hire you.

Um, could you walk us through down memory lane of, you know, some pen tests where you’ve leveraged O syn either in the cyber sphere or more for like physical, you know, entry penetration testing.

Steve: [00:05:00] Um, yeah, I think some of the more elaborate jobs, you know, what it’s, what it’s getting past the building controls, the people that guard the property to get into the data center, you’re conceivably walking past the firewall.

And those are the jobs where. Intelligence gathering just became paramount and a great job that one of we did was I thought was probably one of the most elaborate was, um, was really understanding this one business to get into the building and every aspect of of the job was was complex. So, finding the building was hard finding the way to get into the building.

All the security controls on the outside, then you got to figure out who the people on the inside. It was, it was, you know, I’d say probably 2 months of. Just learning about the business. Um, in fact, at some point, we got so desperate, we sent a private investigator out to the location. He came back and he said, Steve, you’re screwed, man.

He says, there’s no way you’re getting in that building. He says, those people are literally on lockdown. He goes, they [00:06:00] checked everybody that walks in and walks out with a badge. He goes, literally, the only people that come and go are the delivery people. And believe it or not, that was the avenue in. So we saw these containers coming in from the Middle East.

These guys had these giant KB crates that were coming in, probably collected by the military or what is what is an S.

Shannon: K. B.

Steve: It’s a giant box. That’s about the size of your desk. And they would fill in all the stuff from whatever they would, let’s say, kick the door in in the Middle East and they would put it in there and then it ship it overseas.

And then these, these 2 delivery people from a certain company would show up and deliver it in the building and they were well known and they were, those are the guys that were trusted. So that delivery company was trusted. Those individuals changed, but we bought a box. Um, We saw the clothes that the individuals wore at the company, we bought the same clothing, they have jackets with their logo, we had them all forged and made up, the badges, we [00:07:00] learned off of the badges that the company has, so, you know, when you see somebody on a late day going, hey, first day on the job, and they show you a badge, not a good thing to do, horrible thing to do, and then, and then what we did is we took our little, we took our guy, our And we had a machine shop actually make this box that had life support, a periscope that he could pop up the locks were on the inside.

And then we showed up as that delivery company. We put the man in the box and we were so confident about what we needed to do. We delivered them like the regular guys that would show up. And we delivered him in the building. They push him in the building and then he’s inside. And then we walked, actually, before we walked away, the real delivery guy showed up and said, Hey, you’re from the same company.

It’s like, yeah, we’re out of the other office. We’ll be there at the other office. Yeah. Yeah. So they validated that we’re, and we were so, we were so, I mean, the intelligence gathering and the, and the attention to detail was so good that we even fool the [00:08:00] original delivery company and the delivery guys that were there.

We have a picture of both trucks side by side. You couldn’t tell the difference. So once your guy is in, it’s, it’s, it’s much like oceans 11, you know, he’s kind of in, and at that point. You know, you’re, you’re, you blend in with a group of people. And once again, it’s all about attention to detail and it’s about learning and, and it pulled it off really well.

And I think, I think the bad guys are doing it too. So the bad guys are doing it. You know, why the hell would we, why, why, why wouldn’t we do it? Right. So that’s, that’s the deal.

Jeff: And I can imagine that’s another element. If, if. If on the pen test side on, on, on, on the network side, um, you’re leveraging OSIN and, and needing to be anonymous and things because that’s what you’re trying to do.

Right? You’re, you’re trying to break in. And so you don’t want them to know it. You don’t want the company to know, or some of their analysts to go, Oh, this, we must be getting tested by this pen testing vendor. Um, [00:09:00] So you’ve got to create your personas and look like regular people, even, even though you’re being paid to do that job.

Right,

Steve: correct. It’s interesting to it’s not just the aspect of learning about your target. It was also about learning about who you’re portraying, you know, who you’re going to go in as or portray. So, for example, the delivery guys was 1 of them, um, uh, another organization we’re, we’re focusing on becoming, let’s say a vendor.

Now we learn everything about the vendor and then we become that. That group. Um, and like I said, once you get accepted in and you can plug in now, you’re in at that point. So, yeah, so that’s yeah. And once again, it’s become a line item for testing what people are saying. Yeah, of course, charge me for it because you know what?

Um, I want I want you to do something more than just tailgated behind 1 of our employees that will hold the door for you. It’s right. Okay. Yeah, I’ve been done to death. Joe, [00:10:00]

Jeff: you also mentioned that, uh, you guys get involved in incident response with some of your companies, uh, or some of your clients, um, I think you, you know, we also again talking earlier, it seemed like one of the key ones was around ransomware.

Um, can you tell us a little bit about how those engagements typically go? Like, what kind of, how does that work? Your client, they pick up the phone. How does this work? I’ve been, I’ve been hacked and I’ve got a ransomware. How does that work? And what are they asking you to do on their behalf?

Steve: Well, Jeff, number one, the phone call always comes in at a Friday night at about six o’clock when you’re about to suck down a beer or it’s going to be on a Sunday morning at seven o’clock when you’re like, why can’t I sleep in?

And that’s the God’s honest truth. It’s ruined more holidays and weekends for us. So that, that, that, that, that really happened. So. Usually the call comes in, the victim is like, Oh my gosh, we, we know that our stuff works, [00:11:00] everything’s encrypted. And then the sort of response team that I have will go in there and we, we find, you know, what, what’s been going on through an indicator of compromise.

And, you know, ultimately who, who let them in because it’s normally through social engineering or if they choose something, and then there’s always a ransom note. And it’s interesting. So, you know, the interesting thing is, you know, everybody’s like, well, you know, how much is it going to cost? How much is it going to pay?

What do they want? And, and we, we don’t want to just hop on some dark website with the computer. We don’t want to unleash some sort of new malware. So we leverage tools like what, you know, from your, from Authenticate that gives us the anonymity to like log into a dark website. Um, but even so we wait and we’re cautious because the minute we log in, the threat actor knows that we know and, um, ultimately the clock starts ticking.

They say you may have 24 hours to pay 2 million bucks. Um, so at that point, you know, If we do come to that where we have to log in on a threat actor site and negotiate, the negotiation happens [00:12:00] typically within his forum. Um, and then it’s going to be, you know, what’s it’s going to cost us, and you’ve got to be incredibly polite.

You’ve got to be, you know, diplomatic. And at the same point, understand that if you make these people angry, then it’s going to be a bigger problem. This,

Shannon: I feel like it’s been coming up time and time again. It’s like, remember that threat actors are people and they’re emotional people for better or worse.

So, yeah. Never,

Steve: you know, and you got to give them a lot of respect because they’re winning. I think they’re winning. Everybody. I see that, you know, getting hit lots of amazing products and they have smart people and they still get compromised. So you have to respect them who they are, but at the same point.

You know, um, I, I fear them because I think that, you know, you just can’t go show yourself and who you are or else they could potentially retaliate. Yeah,

Shannon: well, I know we talked a lot about, you know, kind of the, the OSINT work [00:13:00] that you’ve done. It sounds like mostly on the surface webs and surface webs. On the surface web in term of understanding, you know, your client, uh, organization, and then also, you know, maybe companies or, uh, contractors and third parties that they’re affiliated with.

Are you using the dark web either for similar purposes or to understand the threats against them or information? Maybe that that threat actors have compiled on your customers.

Steve: We use it for, I think the dark web is probably one of the most interesting things that are out there. I’m on it every day before this call around right now.

I was using your product on a dark website to look at this one threat actor group because they had some companies. I was interested in what they had to say. But the other thing to Shannon, all the different places that are down there. It’s interesting. There’s always something to see. Good example. You know, the data that’s being sold.

You know, nobody’s just giving stuff away when [00:14:00] you see the commercials on TV. It’s like, we’re going to scan your stuff and on the dark web and find your stuff. It’s like, no, you can only pay for stuff down there. Those guys are criminal. They charge for that data. So you go to a dark market. We sometimes buy some some of the content that’s down there, you know, out of interest or.

Because the clients and customers that we have say, you know, we’re concerned we had a partner or a vendor get hit. We think our stuff’s mingled in with theirs. Could you let us know? We need to prepare. And believe it or not, more times, a lot of times we’ll find somebody’s information that’s out there as a result of somebody else’s, you know, compromise.

But there’s a lot of crazy stuff out there. I mean, you could buy anything on dark web. It’s like, yeah, so

Jeff: yeah, let’s not tell everyone what they can go buy on the dark web. Yeah. Yeah. That idea showed my kids, you know, fake IDs or something like that. [00:15:00] But it is interesting how you mentioned, uh, that there’s a, that whole scenario, which is, uh, you know, now you’re worried about my data and being compromised due to, due to, due to one of my suppliers.

It’s not even me. That was hacked and it’s, it’s a partner or vendor or supplier. And through them, my information could end up on some of these forms. So a lot of ways for that to happen. It sounds like, yeah, that’s cool. Steve. Um, We’ve got a wide range of practitioners here, uh, that listen to the show. Um, as we, as we start to close up our, our, our talk with you, any other.

Tips or tricks or recommendations you have for folks that are having to go out and do these kinds of, you know, do OSIN and do digital investigations online.

Steve: You know, I, I think one of the, one of the, the key that using the product is, is clearly helpful without the share those plugs. Great [00:16:00] product without question.

I use it all the time, but the key is you just can’t rely on the tool itself. You know, take the time. Create the aliases, the synthetic identities. If you’re going to go down to a forum and start, you know, chatting it up with some bad guys and discussing, or you’re, you know, you’re inquisitive because you want to know how these guys work and how they think or whatever.

Be careful. I would use an alias, make sure that you do all the things you have to do to protect yourself personally. Uh, and once again, you know, separate that from anything that could be tied to your personal life. Don’t even share a password that you think that, you know, would be a concern. Um, we’ll break it down to that level.

Um, and you know, the other thing too is, the tool is interesting because, you know, it gives you this protected environment, and you can download stuff, but once again, once you take it out of the silo environment, and the protected environment, and bring it into your own, Post machine, you know, that, that could unleash some bad things to you.

[00:17:00] So, you know, you have to be prepared to, to examine things in a more sandbox and, and, you know, more safe environment so that the last thing I want to have is somebody here download something and poison my network. And now I’m a security company that’s trying to figure out what’s my, what’s my next side hustle to make a living.

So. Yeah. Okay.

Shannon: Speaking of shameless plugs for people that don’t want to have to navigate all of this, um, they can call S& T, right?

Steve: Yeah, sure. Yeah, of course. Yeah. Yeah. Call us in the event. They need a pen test or if they have an incident, you know what, um, it’s, it’s everybody else calls it. So, Hey, you know, by all means, if something comes up, feel free, not on Saturdays and Sundays.

No, not

Shannon: all he’s cracking up here.

Steve: You know what? Three day weekend coming up. Right. Today’s Friday. Big eclipse where I live. All right. Huge. All right. I guarantee you our day of the eclipse will be destroyed. We’re not watching anything. [00:18:00] Pass it over the side. Nothing like that’s happening. We’re going to be pounding the keys on some keyboard, looking for some correct actor guarantee.

Shannon: That’s just because of the solar flares and Venus in retrograde. That’s, that’s just going to happen.

Steve: Three day. We can go to hell, Shannon.

Jeff: For whatever reason. Well, Steve, thank you for joining us today. It’s been a super interesting conversation. Everyone check out, um, secure network technologies. Uh, thanks to our audience for listening.

You can view transcripts and other episode info, uh, on our website, authentic8.com/needlestack. That’s authentic with the number eight dot com slash Needlestack. And be sure to let us know your thoughts on X formerly Twitter or Bluesky, where we are at needlestackpod and like, and subscribe wherever you’re listening today, and we’ll see you next time on NeedleStack.

Thank [00:19:00] you.