We’ll just hit the controversial nail on the head upfront: the security landscape of tomorrow (read: actually today) demands the collection and analysis of open-source intelligence (OSINT) in order to accurately defend against attacks of all forms. While that purposely sounds dramatic, the point still stands – OSINT is and always will be valuable in giving the “good guys” the edge over the “bad guys”. In a landscape where the good guys are, in most cases, forced to react to emerging situations – every advantage gained ahead of time is invaluable.
We know it’s not easy. The fact remains that OSINT-incorporation is generally within the realm of more specialized teams or very mature security departments. Others are just beginning their journey to OSINT-maturity, or are still having a hard time convincing executives of the necessity of budget-allocation.
For teams at the beginning of the OSINT-incorporation journey, if there is any reassurance that you have made the right choice to begin, or any fact that may help convince leadership of the need, it is this: whether or not the “good guys” utilize OSINT, the “bad guys” definitely are.
The Cybersecurity & Infrastructure Security Agency (CISA) recently released Alert AA20-258A, which found that Chinese Ministry of State Security (MSS)-affiliated threat actors had been using OSINT to target US-based corporate and Federal Government infrastructure across a multitude of industries. While this is a pretty high-profile example of OSINT use by threat actors, OSINT use by attackers is something we at Media Sonar see all the time.
For the sake of the following points – we’re going to assume two things:
1) We’re working from a team that already has some incorporation of OSINT in their security-framework (or the words in the intro magically convinced your exec-layer of why there needs to be).
2) Our OSINT program is truly following OSINT frameworks and is diligently making sure that its collection and analysis techniques remain legal and genuinely “OSINT”. For reference, check out our report OSINT Best Practices: Legal & Ethical Considerations.
Application to Cyber Security
As the CISA Alert showed, MSS-affiliated operatives used combinations of open-source information gathering in conjunction with vulnerability databases such as Common Vulnerabilities & Exposures (CVE) and NIST’s National Vulnerability Database (NVD) in order to identify weaknesses in infrastructure and choose targets.
Here at Media Sonar, we see CVE and NVD discussions on forums and in Dark Web articles/posts all the time; these vulnerabilities are discussed in the open, and often point directly to specific organizations. A compounding of situations makes published CVE/NVD entries such an attractive target for threat actors, whether at the State level or the criminal level:
They have a rather large window of opportunity to utilize the vulnerability/exposure, even after the CVE/NVD entry has been reported and broadcast. The average time it takes to patch a CVE in an organizational landscape: 102 days. That’s more than 3 months that a motivated attacker has, on average, to exploit a very well-documented vulnerability. That patch cycle is the proof in the pudding: 57% of respondents who had suffered an attack said that a patch would have prevented that attack. For some, it’s even worse: 37% of attacked respondents admitted that they didn’t scan their own systems and programs for these vulnerabilities.
Benefits of Taking a Proactive Approach to OSINT
OSINT, as in many other applications, can be both an early warning device and a way to gain vital contextual information about the risk, chance, and probability of an attack.
For the 37% of organizations that aren’t doing much internal-due-diligence on this front – simply taking advantage of the CVE and NVD databases and actually checking for exposures on their network would be a huge start. For a greater understanding of the risks and probabilities to one’s own network – having a monitoring and detection system for places like non-indexed forums, Dark Web nodes, and obfuscating social media platforms can be the difference between a “good” day and a “bad” day.
In many cases, we at Media Sonar have seen conversations on Reddit, Telegram, and the Dark Web marketplaces of the Internet where CVEs are discussed at length, and in many cases refer specifically to organizations. These types of posts are like Wikipedia entries for organizational vulnerabilities: all CVEs that affect the organization are listed, as well as affected ports, IP addresses, etc.
Knowing when these conversations arise, especially surrounding CVEs that might affect your organization (or worse, are pointed to directly in a post) – can give security teams:
1) Valuable time to defend or recover from a cyber attack
2) A reason to raise the priority of patching a specific CVE/NVD entry
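As an added example (not Media Sonar’s code or platform), here is the prioritization described in points 1 and 2, applied to constructed sample posts: CVE IDs are extracted from monitored posts, matched against the organization’s own list of unpatched CVEs (the result of the CVE/NVD check recommended above), and ranked using the 102-day average patch window quoted earlier. The organization name, CVE IDs, dates and posts are all constructed placeholders.

```python
# Added example (not Media Sonar's code): triage constructed forum/Telegram/Dark Web
# posts against our own list of unpatched CVEs. All IDs, dates, names and posts are constructed.
import re
from datetime import date

CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,7}\b", re.IGNORECASE)
# Constructed placeholder CVEs found on our network, with their NVD publication date;
# a real list comes from checking your own assets against CVE/NVD.
OUR_EXPOSURES = {"CVE-2020-00001": date(2020, 6, 1), "CVE-2020-00002": date(2020, 9, 10)}
OUR_NAMES = {"examplecorp", "example corp"}  # constructed organization name and aliases
AVG_PATCH_DAYS = 102  # average patch time quoted in the article
SAMPLE_TODAY = date(2020, 10, 1)  # constructed "now" so results are reproducible

def extract_cves(text):
    return {m.upper() for m in CVE_RE.findall(text)}  # normalize case of CVE IDs

def triage_post(post, today):
    """Describe why a post matters to us, or return None if it doesn't."""
    cves = extract_cves(post["text"]) & set(OUR_EXPOSURES)
    names_us = any(n in post["text"].lower() for n in OUR_NAMES)
    if not cves and not names_us:
        return None
    # Days the exposure has been public: the window an attacker has had so far.
    age = max((today - OUR_EXPOSURES[c]).days for c in cves) if cves else 0
    if names_us and cves:
        priority = "critical"  # our organization named alongside a CVE we carry
    elif names_us or age > AVG_PATCH_DAYS:
        priority = "high"      # named, or already past the average patch window
    else:
        priority = "medium"
    return {"source": post["source"], "cves": sorted(cves),
            "names_us": names_us, "days_public": age, "priority": priority}

def triage_feed(posts, today):
    """Keep only the posts relevant to us, most urgent first."""
    order = {"critical": 0, "high": 1, "medium": 2}
    hits = [h for h in (triage_post(p, today) for p in posts) if h]
    return sorted(hits, key=lambda h: order[h["priority"]])
# Constructed sample posts standing in for monitored forum/Telegram/Dark Web content.
SAMPLE_POSTS = [
    {"source": "forum", "text": "cve-2020-00001 thread: which vendors still ship it unpatched?"},
    {"source": "telegram", "text": "ExampleCorp is still on the build affected by CVE-2020-00002"},
    {"source": "market", "text": "CVE-2020-99999 discussion, nothing to do with us"},
]

def run_sample():
    return triage_feed(SAMPLE_POSTS, SAMPLE_TODAY)

if __name__ == "__main__":
    for hit in run_sample():
        print(hit)
```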
So - How Does Media Sonar Help?
Available time, lack of skills, and limited resources are always going to be obstacles to truly adopting a proactive approach to OSINT gathering and analysis.
Luckily, for those reasons, Media Sonar helps to cut down on time and skills required, when resources are hard to carve out of your team’s time and budget. Our platform allows for the automation of OSINT gathering and includes tools that allow you to analyze and correlate that data – allowing teams to action that intelligence into meaningful readiness.
- Set up rules and queries in one place, have them run continuously, and be alerted when new research or new threats pop up on the horizon.
- No need to manually use Google and copy/paste hard work through multiple search engines, platforms, and repositories.
- Search through the Dark Web and non-indexed portions of the Internet (Deep Web), which alone are a treasure trove of actionable intelligence.
The truth is, while budgets, resources, time, and skills are all limiting factors in your ability to adopt proactive OSINT gathering and analysis – it’s just not so for the bad guys. At some point, we have to resolve this asymmetry, philosophically and financially.
Long ago in security, we believed that merely upgrading the network hardware would save us all from hacking woes. Executive-layers and budget-makers once believed that baseline Security Awareness training was a waste of money. But when millions and billions of dollars of infrastructure can be compromised by a human-as-the-weakest-link, we now have massive Security Awareness industries.
And similarly so for OSINT intelligence integration: when once seen as an unobtainable slice of a security budget, one day (read: should be today) it will be something common across all security teams, not just highly specialized ones. Reality and the security landscape demand it.