MATT ASHBURN

Welcome to NeedleStack, the podcast for professional online research. I'm your host, Matt Ashburn, and personally I'm most vulnerable during a good Romcom, but that information is now open source.

JEFF PHILLIPS

And I'm Jeff Phillips, tech industry veteran and curious to a fault. Today, obviously, we're talking about weakness in the sense of a cybersecurity context. And we're going to talk about this from the perspective of how you can use open source intelligence to proactively identify vulnerabilities in your organization. Now we're going to discuss it in relation to incident response and threat intelligence on the cybersecurity front. And that's compared to Red Teaming; recall, that was a topic in an earlier episode. If you want to check out more about Red Teaming, please listen to Episode 20 with Rob Fuller. So what does that mean we're going to focus on today? So we're going to look at tools that can help you do some of this open source intelligence gathering, dealing with looking at your organization from an outside perspective. We'll also talk about, can you automate it? There's a lot of information out there. How do you make this more efficient? And then finally, whether you're doing this manually, doing your own research, or you're doing it through automation, what are some of the tradecraft considerations you need to take into account? Now, Matt, your background is in cybersecurity and in some very important places, including as a CISO. What role did this type of self-reflection or weakness identification play with regards to your teams?

MATT ASHBURN

So researching, particularly by looking at your organization through the lens of an adversary, is a critical component of a mature cybersecurity organization or even just a security organization in general for your particular company, agency, department, whoever you're working for at the time. And it really is about understanding from the adversary perspective what they can view, what they can see, and then what they can possibly use against you, whether it's a vulnerability that can be exploited, finding information out there that could be useful to commit some kind of attack or compromise of your systems or your people even perhaps.

JEFF PHILLIPS

That's interesting. So when you're kind of doing the self-reflection and looking at it from that perspective, from the adversary's perspective, did you have, was there sort of some go-to approaches as well as tools or resources that you would use? And were those applicable just within the government space? Did they apply commercially?

MATT ASHBURN

Great question. So I think that while research is very important in and of itself, it's also important to be a component of a larger security program. And you really need to know what I would call the five W's, the who, what, when, where, and why of your systems and your organization's networks, right? That includes some foundational elements like who is on your network, what people are authorized to be on there, and what are the functions that they're performing, and what is on your network. Things like having a good device inventory and understanding what that is and what the devices are and where they're supposed to be in the world and all those things, and having a network map, understanding data flows and all those requirements, things like that. And also building additional understanding through things like vulnerability management and patching, eventually incident detection and response. All of these things are critical components of a good solid security program, and that proactive research is a nice overlay of all of those things. It can be useful for detecting information that would lead to further compromise, or find perhaps sensitive location information about maybe locations of your company or organization, things of that nature. It can also be useful for detecting data breaches, right? Finding accounts of yours that may be compromised by looking at forums and things like that on the dark web. So lots of information out there. There's also some things out there that can be very useful, some tools out there that can be useful to help automate some of that.

JEFF PHILLIPS

That makes a lot of sense. You have to have a strong foundation just as a program, and then you can build on top of that with proactive research. Any of those tools that stand out in your mind that are particularly useful?

MATT ASHBURN

Sure, there are a couple out there when it comes to vulnerability research and looking at your IP address space and finding vulnerable systems, or even just understanding what systems are publicly exposed to an attacker. Things like Shodan. So Shodan.io is a great website out there. It's free, easy to use and an excellent resource. It's one of the go-to resources, I think, that's in every Red Team or pen tester's toolkit. There are also some other tools out there as well for maybe helping to automate some of the more manual research. One of them that comes to mind is the DomainTools set of tools that they have. DomainTools is a great resource as well, and they have a number of different program offerings. One of my favorites, though, is actually being able to have keyword searches and automated searches that take place, and automated notification for things like typosquatting domain names. So if you're a financial institution, for example, that's a great example where attackers will attempt to phish your customers. You want to be aware of that. And so if they register a domain name that is very similar to yours, you can get a heads up by using some of these automated tools. Another capability that may be helpful is automated pen testing and vulnerability assessment. And there are a lot of tools that are out there for this. One in particular that I can think of is Horizon Three AI. They're a fairly new company that was started in the past couple of years. But they have gained a lot of traction because of the way in which they can actually go out and perform essentially automated pen testing, and their reports are pretty impressive and can really be an efficiency and time saver for organizations that need to do that. So lots of great resources out there to help automate things.

JEFF PHILLIPS

Got you. Now, are there, here we're talking about you're either researching yourself or about yourself, right? You're trying to gather information to help with threats and any weaknesses out there. Are there any limitations or obstacles when you're doing that, so that you can truly get an outsider's perspective?

MATT ASHBURN

Great question. So I would say that organizations typically will have some kind of vulnerability scanner, or as part of a larger vulnerability management program, and these are set up to essentially scan for vulnerabilities to, in a sense, gain an outsider's perspective or an adversary's perspective on finding vulnerabilities that need to be patched before the adversary finds them. Right? Those are extremely common, but there are also some cases there where that may not be sufficient, or you may want to have a research overlay that we talked about earlier that can help beef up that capability. So as an example, let's say you have a SOC, right? And this is actually an example that we've had from an actual customer of ours, where they have received an alert that perhaps an adversary has tried to exploit, or maybe has successfully exploited, through maybe directory traversal or some other kind of attack technique like that, and they've gained access to a particular URL or a particular set of sensitive data. And as a SOC analyst, you want to very quickly triage that alert and understand if it seems to be an actual incident or perhaps something that is a false positive. So to look at it from the outsider's perspective, it's important to actually go outside of your network and come back in and view it from that perspective. So things like having a virtual machine or a cloud browser or something like that, some kind of managed attribution research platform, is obviously the best recommendation there, so that you can, as a SOC analyst, go outside of your network and then try to verify that that attack could be successful. That's one example that I can think of that we've had actually in conversations with customers, where it's actually a real use case for that outside view looking back in.

JEFF PHILLIPS

You mentioned, Matt, that you use tools like VMs or possibly even a managed attribution platform or service to get outside of your internal network and get that external perspective. Is there any element of in-region presence, or being able to do this on a global basis, that helps security teams?

MATT ASHBURN

Absolutely. So I would say things like trying to find search results in a particular region, particular target area. You want to use a local search engine, or even just the local version of Google as an example, but also search in the local language and from an IP address in that region. That's a pretty common one. You get the best results, the most accurate results for that region, by trying to blend in with folks that are in that region, be consistent with folks in that region. The other I would suggest is the ability to log into maybe regionally restricted websites or data holdings of some kind. So I think maybe forums, things like that, social media platforms that could be foreign social media platforms, maybe regionally focused. That's another good one. And then I think the final one would be to access things like data breach information. So obviously on the dark web, as an example, lots of information is bought and sold there and available there. So if you can actually get a heads up, for example, on a data breach by continually looking for that information there on the dark web. You mentioned automation earlier, and I think there's an important point here to be made that it's good to be able to do this manually, and it's important to be able to do this manually. But also, again, keep in mind that this shouldn't be something that is a drain on your efficiency. It is actually possible to use some cyber threat intel providers that are out there to set up automated alerting based on keywords and other things. So that way you can get a heads up without having to do this manual research all the time.

JEFF PHILLIPS

So if you take advantage of automation, does that mean you now don't have to take care at all? From a tradecraft perspective, I'm thinking about if you're doing it yourself and you're scraping sites or continually visiting all this different information that's out there, does automation at all present a risk or something you need to think about from a research perspective?

MATT ASHBURN

I wouldn't say that automation creates a risk, other than perhaps a false sense of security, in that if you're assuming that it's capturing everything that's out there, that obviously can't be the case. Right? Second to that, you also should have personnel that are capable of going out and performing this research themselves, or getting into the source material for this, if you want to go in there and corroborate information or look for additional leads, or perhaps just get a secure copy of that, a verified copy of that data, without having to rely solely on the third-party sources that you may have.

JEFF PHILLIPS

Okay, that makes a lot of sense. Well, you know, Matt, after this conversation I feel a lot safer. I also think there's a ton of information out there that these analysts need to get access to, to help prevent some of these weaknesses.

MATT ASHBURN

Yeah, absolutely. The key here is that research is really important, right? And again, think of research as that overlay in your security program, whether using it for vulnerability management or proactive corporate data leakage detection, things like that, or even in response to a security incident as part of the incident response process. It's good all the way across, and research is a good component to have there. Well, thank you to everyone for joining us today. If you liked what you heard, you can always subscribe to our show wherever you get your podcasts. You can also watch episodes of our show on YouTube and view transcripts and other episode info on our website at authentic8.com/needlestack. That's authentic with the number eight dot com slash needlestack. And also be sure to follow us on Twitter @needlestack_pod. And we'll see you back next week with more on SOC investigations and cyber threat intel analysis. We'll see you then.

OSINT is a powerful tool to identify vulnerabilities in your organization. But with all the information out there, how do you zero in on the data you need quickly? In this episode, host and former CISO Matt Ashburn gives his advice on go-to resources, where to automate, how to truly gain an outside perspective, and tradecraft considerations.
