Saying you are only as strong as your weakest link may be trite – but it’s true. While one organization might be investing in defense for data and networks, third-parties connected to them might not be doing the same. One way that bad actors can access your organization is through another less secure one. Vetting and monitoring Points of Interest, such as third-party organizations, for potential risks, is a necessity for security teams. Not doing so is costly.
The 2020 Cost of a Data Breach Report, conducted by Ponemon Institute and IBM Security, found that on average third-party vendor hacks cost companies $207,411 more than other types of breaches. Open-source intelligence is a major driver of POI intelligence and many companies are starting to tap into its capabilities to protect people, organizations, locations, and domains.
In the first post of this series, we focused on investigating people as our Points of Interest. We covered a number of common tools and techniques that can be used to initiate a POI investigation on a person using publicly available open-source data.
Our focus today: Organizations. We will share concepts and techniques for POI investigations with a focus on vetting and monitoring of third-parties such as partners, customers, or vendors. Where organizations specifically are concerned, Media Sonar makes possible the vetting and monitoring of POI, delivering more repeatable results in larger enterprises.
Step 1: Set up your POI Security Playbook
Each new relationship, connection, or transaction with a third party can carry risk. Knowing what those risks are, and being prepared to manage or avoid them, can save you operational disruptions and costs down the line.
Here are the most common reasons to investigate an organization:
- They might be a customer. Know Your Customer is an important concept for security professionals and an imperative in industries where financial transactions are concerned. It might even be a legal obligation.
- They might be a partner or vendor. Each new connection introduces risk that can be costly. Whether through tightly integrated infrastructures or through aligned interests, these possible “weak links” should be understood before a decision is made.
- They might be a competitor. We won’t be discussing this use case for open-source intelligence in great detail, but needless to say third-parties with competing interests are considered risks too, and open-source intelligence is necessary there as well.
There are many facets to consider when investigating organization POI. Depending on the type of relationship, you might be interested in these things:
- Official Brand Information. This refers to official brand assets such as a website or official brand materials like investor reports. This could also refer to news about the organization, either reported through press releases or by the media.
- Human Factor. Everyone’s biggest pain: ourselves. The Human Factor is hard to pin down, unpredictable, apparently unwilling to learn. This refers to the activities of agents of an organization, such as employees or executives. The Human Factor loves using its own devices, might not always have an organization’s best interest in mind, and is prone to mistakes.
- Technical Footprints. This is where open-source intelligence intersects with cybersecurity for a connected world. This might include looking at exposed ports, DNS and IP, network services, remote access capabilities, and vulnerabilities.
Many of the techniques discussed in the previous post of this series, OSINT Techniques for Security POI: People, will be used for a deeper dive into an organization’s executives and employees – including the Human Factor.
Step 2: Searching for Digital Footprints
An organization’s digital footprint will include any of their related Internet activities and communications, whether by them or about them. Once upon a time this meant a website and knowing what people were saying about them on social media or review sites – but the cloud changed all that. Today, an organization’s digital footprint must account for all the devices connected to the Internet and each third-party SaaS incorporated within their IT infrastructure. It must span a growing number of data points across an increasingly disparate Internet ecosystem.
For smaller businesses starting out, Google can provide a path forward. For a larger enterprise, manual OSINT research using common browsers and search engines is not feasible at scale. Nonetheless, these techniques and basic tools help illustrate the concepts involved in vetting organizations.
Let’s use Google as an example, an obvious place to start. While it is used every day to find “restaurants near me” and “cheap flights,” it can also be used for open-source intelligence. Google’s advanced search queries are referred to as “Google dorks” and they provide more precise results than a standard search.
The most obvious place to look for information is the organization’s own website. There are many different ways to search depending on what you need. The organization’s website, along with their social media pages and other sites “created by the company,” is official information.
The same site-restricted searches can also capture news or information about an organization on other domains. News, blogs, forums, social media – any domain can be searched in the same way in Google. Any Surface Web information can be obtained that way.
Look for additional Google dorks on the Google Hacking Database. These can be useful for security professionals. Bear in mind, bad actors use these as well; consider how the same queries might be used against your organization.
Searching Websites & Domains
Searching for an organization by name on a given domain
- Search string: “company name” site:example.com
- Expected Result: Look for an exact match to that company name on a given domain.
Searching for a keyword on a given domain
- Search string: “keyword” site:example.com
- Expected Result: Look for an exact match to that keyword on a given domain.
Searching for email addresses on a given domain
- Search string: “@example.com” site:example.com
- Expected Result: Pages on that domain that contain email addresses at that domain.
Searching mentions of an organization by name on Twitter
- Search string: “company name” site:twitter.com
- Expected Result: Look for an exact match to that company name on Twitter.
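The search strings above are easy to type once but tedious to repeat across a vendor list, which is the scaling problem noted earlier. The following is an added example, not code from the original post or from Media Sonar: it generates the site-restricted queries above (exact-match name, keyword, and email-address patterns) for each third party, normalizes whatever form the domain was recorded in, and encodes each query into a search URL. The helper names, the `acme.example` domain and the sample vendor list are constructed for illustration.

```python
"""Build the site-restricted Google queries shown above for a list of
third-party organizations so the same vetting checks can be repeated.

Added example; helper names and sample data are constructed, not from
the original page.
"""
from urllib.parse import quote_plus, urlparse

GOOGLE_SEARCH = "https://www.google.com/search?q="


def _quote_exact(term: str) -> str:
    """Wrap a term in double quotes for an exact-phrase match. Embedded
    double quotes would break the operator syntax, so they are dropped."""
    return '"' + term.replace('"', "") + '"'


def normalize_domain(value: str) -> str:
    """Accept 'example.com', 'https://www.example.com/path' or
    'WWW.Example.com' and return the bare host used with site:."""
    host = value.strip().lower()
    if "://" in host:
        host = urlparse(host).netloc
    host = host.split("/")[0].split(":")[0]
    if host.startswith("www."):
        host = host[4:]
    if not host or "." not in host or " " in host:
        raise ValueError(f"not a usable domain: {value!r}")
    return host


def dorks_for_organization(name, domain, keywords=(), social_sites=("twitter.com",)):
    """Return {label: search string} for one organization, following the
    patterns listed above: name on its own site, addresses at its domain,
    optional keywords on its site, and name mentions on social sites."""
    site = normalize_domain(domain)
    queries = {
        "name_on_site": f"{_quote_exact(name)} site:{site}",
        "emails_on_site": f"{_quote_exact('@' + site)} site:{site}",
    }
    for kw in keywords:
        queries[f"keyword:{kw}"] = f"{_quote_exact(kw)} site:{site}"
    for social in social_sites:
        queries[f"mentions:{social}"] = (
            f"{_quote_exact(name)} site:{normalize_domain(social)}"
        )
    return queries


def search_url(query: str) -> str:
    """Percent-encode a query into a Google search URL (quotes -> %22,
    spaces -> +, colon -> %3A)."""
    return GOOGLE_SEARCH + quote_plus(query)


def build_vendor_queries(vendors):
    """vendors: iterable of (name, domain, keywords). Returns
    {name: {label: (query, url)}}; identical queries are emitted once."""
    out = {}
    seen = set()
    for name, domain, keywords in vendors:
        entries = {}
        for label, q in dorks_for_organization(name, domain, keywords).items():
            if q in seen:
                continue
            seen.add(q)
            entries[label] = (q, search_url(q))
        out[name] = entries
    return out


if __name__ == "__main__":
    # Constructed sample vendor list; domains are reserved example names.
    sample_vendors = [
        ("Acme Corp", "https://www.acme.example/about", ("breach", "incident")),
        ("Widget Partners", "WWW.Widget.example", ()),
    ]
    for vendor, entries in build_vendor_queries(sample_vendors).items():
        print(vendor)
        for label, (query, url) in entries.items():
            print(f"  {label:<22} {query}\n  {'':<22} {url}")
```

Keeping the query set in one function means the same checks are run, in the same form, for every third party, which is what makes the results repeatable when the list grows. The same builder can be pointed at your own domain to see what the queries in the Google Hacking Database would surface about you.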
The caveat is worth repeating: search engines only let you search across the Surface Web, which makes up a fractional 4% of the Internet, and do not include Deep and Dark Web data. For a majority of Internet data, it is necessary to search the source directly, a highly time-consuming task.
That is the first reason larger enterprises look to Media Sonar. Our data sources are carefully curated and our platform provides searchable, safe access to the right information. Advanced search capabilities deliver precisely what you need, and repeatable workflows save you time and a lot of hassle.
Let’s be honest – using a common search engine to conduct open-source intelligence is kind of like using a butter knife to cut a tomato. You can fumble your way through the job, but it’s going to get messy.
Organization & Company Info Databases
There are specific databases that can speed up the task of gathering basic information and news about an organization, each with a different focus. Primary OSINT databases have a high standalone cost and like search, will generally focus on surface information. The value in these platforms does not come in the form of unique data, but instead, the gain comes from the data being categorized, classified, and organized automatically, speeding up the process and consolidating the information in one place.
Media Sonar was developed with automated classification in mind and our Footprint search feature lets security professionals obtain information on multiple types of POI. We capture data across multiple databases and platforms and from your initial discovery, analysts can look for more, keeping everything stored in one place.
Step 3: Ongoing Risk Management
Vetting is only half the job. Third-party organizations, whether customers or partners, might need to be monitored depending on your relationship. You may need ongoing intelligence to keep your assets safe and secure.
If a third-party is involved, a breach of your system or leak of confidential data will be that much costlier and harder to contain. According to Deloitte’s 2016 Global survey on Third-Party Governance and Risk Management, 87% of firms have experienced an incident with a third party that disrupted their operations, and 11% have experienced a complete failure in their vendor relationship. And this has only gotten worse since the COVID-19 pandemic.
A Gartner survey asked participants: Which third-party compliance risk has increased (or could increase) the most at your organization as a result of COVID-19?
Cybersecurity and data breaches topped the list, and legal compliance stands to be a major concern in the coming years. That same survey suggests that security professionals do not feel entirely prepared to address the problem.
Larger enterprises are opting to stay more informed using open-source intelligence to get data related to:
- Third-party breaches in the media
- Leaked information on the Dark Web
- Vulnerabilities to specific integrated technologies
- Disclosure of confidential information
- Unethical behavior and other compliance matters
To learn more about the detection and monitoring of open-sources to capture ongoing third-party risk intelligence, contact Media Sonar. Our platform gives security professionals advanced capabilities in vetting and monitoring third-party organizations, investigating incidents, and reporting to decision-makers.
Step 4: Automating Third-Party Intelligence
The explosion of data that must be gathered to capture the digital footprint of an organization, whether a third party or your own, has made it necessary to approach the problem with a new breed of tools. In large-scale security operations, OSINT techniques can be automated and streamlined to accelerate POI investigations using specialized platforms like Media Sonar.
The Media Sonar platform bundles together the tools and access to datasets in one place to help automate third-party vetting and monitoring workflows. With best-in-class digital footprint features and advanced search functions, queries and filters, access to data sources across social, Deep and Dark Web, and specialized OSINT checks, the platform is developed to help you investigate key POI like these.