The best defense is a good OSINT

Malicious actors affiliated with China’s Ministry of State Security (MSS) are utilizing publicly available data to identify vulnerabilities and penetrate government systems, according to a recent Cybersecurity and Infrastructure Security Agency (CISA) alert.

CISA’s review of the threat activity identifies open source intelligence (OSINT) as one of the MSS-affiliated attackers’ primary tools to collect info on common vulnerabilities and exploit unpatched systems.

Publicly sharing vulnerabilities has become common practice as the private sector and the US government exchange threat information. Publishing the vulnerabilities is the most efficient way to raise awareness and enable organizations to patch or otherwise mitigate the threat. However, malicious actors are watching the same vulnerability alerts. These actors know many organizations will fail to rapidly implement patches to widespread critical vulnerabilities and attack.

Timely patching of well-known vulnerabilities will go a long way in protecting against these threats. It not only prevents malicious actors from leveraging these relatively low-cost, low-effort exploits, but is also forces them to spend time and resources developing novel malware strains and other zero-day threats instead.

This recent CISA report should serve as a wake-up call that our adversaries use OSINT to great effect. Sophisticated actors penetrating networks using publicly available information demonstrate they don’t need to develop advanced malware when the vulnerabilities are sitting in plain sight.

The public and private sector can leverage their open-source intelligence collection efforts to maintain an advantage against threat actors. Regardless of industry, private sector organizations collect cyber threat intelligence and investigate potential attacks to protect their networks and customers. Using OSINT to assess publicly available vulnerabilities and research the tactics used to exploit them is a way to get ahead of the threat.

Its critical organizations use the proper tools to conduct OSINT collection, particularly when investigating a potential attack from a sophisticated adversary. As this CISA alert illustrates, attackers can leave behind digital footprints that allow them to be identified. The same is true for investigators and threat hunters. If an adversary knows you’re watching them, you become a bigger target. Or you will cause the attackers to adjust their tactics to avoid detection in the future.  OSINT capabilities that obfuscate online identity and intent will help mitigate the risk of further exploitation.

Another recent government cybersecurity alert highlights the importance of operational security when investigating a potential breach or attack. The Five Eyes intelligence organizations published a Joint Cybersecurity advisory on “Technical Approaches to Uncovering and Remediating Malicious Activity.” The advisory notes a common incident response mistake is “tipping the threat actor that the victim organization is aware of the compromise and forcing the actor to either hide their tracks or take more damaging actions (like detonating ransomware).

Touching adversary infrastructure is one of the easiest ways to tip off your target. An organization must separate its investigative network from the victim network. Using OSINT tools that enable managed attribution - manipulating how your Internet activity appears to observers - can mitigate adversary’s ability to determine what a victim is doing. Another important OSINT capability is a secure and isolated investigative ecosystem where investigators can capture malware without putting critical network assets at risk.

As publicly available vulnerability data continues to grow, patching before attackers can find and exploit vulnerabilities is absolutely critical. But organizations can give themselves an edge through proactive OSINT collection. And in the event of an attack, OSINT capabilities and tradecraft enable secure investigation and remediation.