Are we surprised that the bad guys are taking advantage of the COVID-19 pandemic and the rush into remote work at many companies that it has caused? Our new guide to critical OSINT research tools helps you to spot threats early.
For criminals and state-sponsored threat actors, the work-from-home arrangements that organizations have set up for their employees (often in a rush) present a golden opportunity.
While mandated lockdowns and social distancing are devastating businesses and their employees, purveyors of disinformation and fraudsters are thriving. Google’s Threat Analysis Group warned on April 22 of over “18 million malware and phishing Gmail messages per day related to COVID-19.”
According to that post, more than a dozen of the threat groups behind such campaigns are state-sponsored attackers. They are on the lookout for new targets every day, around the clock, and, unlike most of their victims, are not constrained by a 9-to-5, Monday-through-Friday schedule.
How to Use OSINT to Spot Threats Early Under COVID-19
Most companies have not yet transitioned into a fully secured online environment, often relying on their employees’ unmanaged devices and home networks. This scenario leaves many organizations vulnerable when remote workers access corporate resources online.
Let's be real - your NSOC wasn’t designed to cover the remote “new normal”, either. The attackers know full well that your hands are tied behind your back, so to speak, while you’re trying to protect your network, and they’re taking full advantage of the crisis.
The booklet 21 OSINT Research Tools for Threat Intelligence, published by Authentic8, introduces tools and apps that help investigators scour the open, deep, and dark web under these challenging conditions.
Many researchers are already leveraging web isolation with the Silo for Research (Toolbox) platform, which provides multiple layers of protection and managed attribution capabilities to keep OSINT investigations secure and efficient. What else can they turn to in their arsenal?
Top OSINT Tools, Handpicked for You by Our Team
In our new quick guide, our open-source intelligence specialists, analysts, and threat hunters introduce you to some of their other favorite tools. A few items in this collection are desktop clients; others are services that facilitate data mining in particular OSINT areas.
One example is Torch, which enables investigators to conduct keyword searches for hidden services only accessible through Tor. It can be used to cross-reference conversations across different .onion sites when trying to deanonymize adversaries who use Tor.
For attackers, reconnaissance and information gathering are the crucial elements that determine whether or not an attack is going to be successful. Where do they get their data? In a word, everywhere on the web - from a WiFi-connected refrigerator in the (home) office to your open and vulnerable Elasticsearch Kibana instance.
Tips and Tricks for Systematic Exploit Searches
The booklet we compiled for you presents an arsenal of tools for identifying vulnerabilities and obtaining artifacts that you can leverage for threat intelligence gathering. Such artifacts include geolocation data, 1-day exploits, the origin of images, IoT devices left exposed to the web, website changes over a given time, voter records, police records, or bitcoin transaction traces.
Examples of tips and tools in the booklet include:
- how to gather geolocation information with Cree.py by feeding it social media artifacts;
- an introduction to performing state-of-the-art binary code analysis with IDA Pro, to see which control servers your IoC artifacts communicate with;
- how to mine, merge, and map information with Maltego plugin transforms, from tracing bitcoin transactions to attributing a trove of attack servers to one particular threat actor.
OSINT Threat Intelligence and Remote Work
How can you prevent attackers from exploiting the weakest links in your organization’s WFH environment?
What you need now are ways to spot vulnerabilities first, before your adversaries do. Where is the next phishing, malware, or mass-exploitation campaign going to happen?
This is a good time to take stock, by finding information left out in the open by employees that could be leveraged in pinpointed attacks on your organization.
Scrubbing such information from the internet can be as hard as removing piss from a swimming pool, so knowing what’s out there in the first place goes a long way towards reducing the attack surface.
Where to begin? What data are relevant? Where do we find it? How do we search for it and turn it into knowledge? We hope our free guide 21 OSINT Research Tools for Threat Intelligence will provide a solid starting point.