8th Layer Insights 10.4.22
Ep 25 | 10.4.22

Open Source Intelligence (OSINT): The Data We Leak


Perry Carpenter: Hi. I'm Perry Carpenter, and you're listening to "8th Layer Insights."

Perry Carpenter: Today's show is about an acronym. But don't worry, this isn't an episode about grammar or the use of language. It's about a concept. The concept is OSINT - O-S-I-N-T - open-source intelligence. It's an acronym you've probably heard a lot because it gets used a lot. But what is it really? If you're curious about OSINT, today's show is for you. I'll be speaking with Christina Lekati. She's the social engineer, OSINT investigator and a member of the OSINT Curious Project. I'll also speak with Chris Kirsch about some interesting new research he pulled together, covering the top OSINT sources and voice phishing pretexts from this year's DEF CON social engineering competition. So if you're OSINT curious, stay tuned. 

Perry Carpenter: Welcome to "8th Layer Insights." This podcast is a multidisciplinary exploration into the complexities of human nature and how those complexities impact everything from why we think the things that we think to why we do the things that we do and how we can all make better decisions every day. This is "8th Layer Insights" Season 3, Episode 5. I'm Perry Carpenter. 

Perry Carpenter: As I mentioned in the intro, we've got two guests today, Christina Lekati and Chris Kirsch. Christina will walk us through some of the fundamentals of OSINT - what it is, how it's used and some of her favorite methods. Then we'll hear from Chris Kirsch. Chris will share some interesting research he gathered as he analyzed the OSINT reports submitted by teams from this year's social engineering competition at DEF CON. Let's get to it. We'll start with Christina Lekati. 

Christina Lekati: My name is Christina Lekati. I have a background and degree in psychology, but I also have a father who worked in cybersecurity pretty much his whole life. And growing up next to him, I got to see and learn a lot of the tools and techniques and tricks that cyberattackers use. Back in the days, it all seemed like magic to me. I became completely magnetized by the field, and I based my life together in a way that eventually I could work in the field. And therefore today, I work on the human aspect of cybersecurity and within social engineering. 

Christina Lekati: But at the same time, to be good at social engineering, you also need to have some solid open-source intelligence skills and to understand how that aspect works. And in doing that, I realized that I have a pretty big investigative element in me that now I channel through open-source intelligence to find details about the targets that I am researching or about the corporations that I am researching and to help them understand and realize their own vulnerabilities based on their digital footprint. 

Perry Carpenter: So if you could, just give us a little bit of a description about what OSINT is. We'll start from there and then see where this goes. 

Christina Lekati: So open-source intelligence is the collection of data from publicly available resources. And that could be anything from your digital trail from online resources to newspapers to conferences to interviews - anything. However, it's not purely data collection. It has to have a specific intelligence goal. And that could be protective, having a protective intelligence goal, figuring out vulnerabilities and how to cover them, or it could be offensive. But again, on the security perspective, as an offensive security capability, how can I exploit this vulnerability so that I can simulate an attack and help this target understand? So open-source intelligence has to do with collecting publicly available data from publicly available resources and organizing them in a way that answers an intelligence question. 

Perry Carpenter: From a cybercriminal's perspective, how would they use open-source intelligence in order to gain some kind of foothold? Or how do they exploit that? 

Christina Lekati: My focus is on social engineering attacks, and we saw almost every social engineering attack exploiting some sort of information found online. 

Christina Lekati: That could be opportunistic. For example, they might see that a company just had a picnic, let's say, and they decide to impersonate one of the members in that picnic, in that gathering, and send a phishing email saying, hey, I took some pictures yesterday. Here's the folder. They share a folder. You can click on it, and it's malicious. Or they can actually thoroughly profile their target. And we have seen this in certain targeted attacks. 

Christina Lekati: They can profile a target. They can identify what motivates them, how to engage with them, build a relationship with them online that very much resembles a normal, good relationship you might have with a very good friend and then exploit it either by sending malicious links and malicious attachment, of course, under a ruse, under a certain pretext, or covert interviewing, as we call it, elicit information that they care about that you - at that time, you don't realize you're being asked to disclose sensitive information. You base your approach and you profile the target based on the information you find online about them. If you know, for example, what - if you have seen online what they like, what their hobbies are, you will use those hobbies to initiate conversation. If you have - or let's identify whether they are extroverted, whether they are communicative. Again, they become a bit of a lower-hanging fruit because you know they will probably engage with a stranger. 

Perry Carpenter: Maybe describe some of the different things that can be mined for open-source intelligence. 

Christina Lekati: For a high-value target or for key people within organizations, we usually look into their accessibility, predictability and also visibility. So we look for predictable routines. We look, one, whether they have their private address publicly online, where they can be accessed, for example, at the gym, if they have a certain routine going to the gym and you can identify which gym they are, could they be approached by someone? 

Christina Lekati: When you have a target that tries to remain private and there's not too much about them or even if there is something about them online, you will go and look into their social circle because it's almost certain that they will have some serious opsec failures in that they either disclose addresses, routines, characteristics about the individual and potentially also vulnerabilities. 

Perry Carpenter: You gave us three key words there - accessibility, visibility and predictability. Help us boil that down just a little bit more. Give us a really quick, succinct definition for each one so that we can keep that in mind as we go forward. 

Christina Lekati: So accessibility has to do with the ease of approach of the target, whether they engage or they would engage with someone they don't know online or in a social circle in the physical sphere. It also has to do with whether you can socially escalate that target. And this often has to do with whether they will be trusting with you or whether they are extroverted. 

Perry Carpenter: And visibility. 

Christina Lekati: Visibility has to do with how much information an adversary can collect on their target and how relevant they are to the intelligence requirements that they have for their attack. Predictability has to do with the ability of an adversary to identify a target and their predictable patterns within their daily routine but also their level of exposure and the profiling accuracy. 

Perry Carpenter: Let's say somebody gives you a social engineering engagement and you're starting the collection process. Where is your first step usually? Do you have a pattern that you generally follow of, I'm going to look here first, and then I'm going to move on to something else? 

Christina Lekati: You look for the opportunistic attacks first, I feel. But it also depends on the background of your target and whether they have had security awareness training... 

Perry Carpenter: Yeah. 

Christina Lekati: ...Whether they have a certain level of sophistication or not. So if they don't, you try from opportunistic approaches, from the quick, hit-and-run phishing emails where you pretend to be somebody else, you utilize one piece of information corresponding to the relationship of the target with someone else online, and you try to get into that relationship by pretending to be that trusted individual and send either a phishing email, an attachment, a malicious link on social media, something like that. But it really, really depends on the target, and it also depends on the amount of time you have for the engagement. 

Perry Carpenter: Yeah. So as you're trying to figure out, how do I approach the target the first time... 

Christina Lekati: What would make them respond? You try to find what those pieces of information are that triggers them, that makes them respond, that cause an emotional reaction. Sometimes people have emotional reactions to subjects they feel strongly about. For example, if they have very strong political views, if they have very strong religious views, your pretext will try to trigger one of those pieces of information that they disclose online because you count on the fact that they will want to respond. Or, again, if you don't do your research, if you don't want to use open-source intelligence, you just base your approach on psychological principles like the one of curiosity. You can also combine those. 

Perry Carpenter: Yeah. Yeah. From the open-source intelligence gathering piece, when you're going after your target, do you generally say, here's the information I can find on Facebook or social media; here's the information I can find with, say, voting registration records; here's property ownership records? Do you start in one of those particular places, or what's your most reliable path for gathering the information that you need to figure out what your best approach is? 

Christina Lekati: Social media is usually pretty fruitful if they use social media. If they don't, then you rely on tools that help you piece together information about the individual and uncover whether they are also active on forums, on blogs, on certain groups that also correspond to specific hobbies or habits they might have. Things are very different between Europe and the U.S. - right? - in terms of... 

Perry Carpenter: Yeah. 

Christina Lekati: ...Open-source intelligence collection. In the U.S., you have so many tools and you have so many websites that freely share personal information about the targets. And almost always, you get a name and an address. And this is not the case at all in Germany. Germany, where I live, is extremely privacy-oriented, and it's very rare to be able to find an address and a name of an individual openly available. So in this case, you have to use Google dorking. You have to analyze images on social media and see whether you can narrow down the location of an individual or map out an area. So the approach is completely different, and the tools and the websites that you use are very, very different than the ones you would use on a U.S.-based target. And I feel that in Europe in general, we need to use more creativity when we research a target and rely a little less on tools. 

Perry Carpenter: The global perspective is really important - right? - because that touches on two different things. One is the research method that you're having to take, but the other is the inherent vulnerabilities that citizens of different countries have. If I'm a U.S. citizen, then I have two different mindsets. So I've got my consumeristic mindset, where I leave a data trail without really thinking about it. But then I also have the mindset and the expectation of all the different companies and government agencies that are basically telling me that that's the way I need to live as a citizen. 

Christina Lekati: I don't think you can avoid being exposed in the U.S., also because the legal environment doesn't protect you as a consumer, but also as an individual. It's not as much of a priority as it is for the German-speaking countries. 

Perry Carpenter: Right. 

Christina Lekati: German-speaking countries are very sensitive about privacy. 

Perry Carpenter: So if you're going after a U.S.-based person, do you primarily start in social media as your beginning piece of the reconnaissance phase? 

Christina Lekati: It depends on your requirements. Do you want to find an email address? Do you want to find - you can decipher potential email address of a target based on pure guessing and - but also then verifying whether this email address exists or not through Hunter.io or other tools that are available out there... 

Perry Carpenter: Quick note for listeners - don't worry about writing down any of the tool names now. You'll find a list to all the tool names mentioned in this episode and more in the show notes. Let's get back to Christina. 

Christina Lekati: ...Through Hunter.io or other tools that are available out there. There are tools where you can put just a name out there, and they come out with a list of potential email addresses. And you can test them all as a bulk and see which ones are verified, which ones exist and which ones don't. I can give you another tool that is very interesting, by the way... 

Perry Carpenter: Sure. Yeah. 

Christina Lekati: ...And that also works on European targets. It is called webmii.com. 

Perry Carpenter: Webmii, OK. 

Christina Lekati: And in this - for example, if you start looking into an individual from this website, you just type in the name, the name of the person as you know it - name, surname - and it comes out with a list of potential connections - people, that is. It comes out with a curated list of contributions they have made online under this name - either interviews, presentations, blog articles, anything that revolves around their name online - in a pretty well-curated way. And it also gives you some social media profiles if they are available with that full name. 

Perry Carpenter: That's good. I don't know that I've ever tried to use that site. That's really cool. 

Christina Lekati: Let's see what it says about you. 

Perry Carpenter: (Laughter) We'll be right back after this message. 

Perry Carpenter: Welcome back. Just before the break, Christina Lekati was talking about webmii.com. That's webmii.com. And I made a remark about not hearing of or having used that website before. And then she said this. 

Christina Lekati: Let's see what it says about you. 

Perry Carpenter: Now, here's a question for you. If somebody that was skilled in open source intelligence gathering made that statement to you... 

Christina Lekati: Let's see what it says about you. 

Perry Carpenter: ...Would your heart speed up a little bit? Would you wonder what's out there? Well, we're not going to answer whether Christina was able to find anything interesting about me or not today because it's time to move on to the next interview with Chris Kirsch. 

Perry Carpenter: Now, Chris is going to be talking all about the kinds of things that people can find, some additional tools that they've used and how all of that was used very practically in this year's DEF CON social engineering competition. This is a voice phishing competition where there are several objectives that team members are trying to find. Chris can explain it a lot better than I can, and he wrote a Medium article on it recently, where he analyzed all of the team submissions, which are very long reports that each team writes, showing how they grabbed the objectives. And what Chris did is a deep dive data analysis on that. He published it on Medium, and I wanted to have him walk us through that because there's some interesting data there. So let's see if we can get Chris. 

Perry Carpenter: Hey, Chris. Is now still a good time? 

Chris Kirsch: Hi, Perry. It's great to hear from you. Yeah, I've got time right now. 

Perry Carpenter: Awesome. 

Chris Kirsch: I'm Chris Kirsch. I am the co-founder of the asset inventory company runZero, which is formerly known as Rumble, and I'm also the black badge winner of the DEF CON social engineering competition of 2017. And this year, I returned to DEF CON as a judge and published some of the interesting findings that I had coming out of the reports and the social engineering competition at that conference. 

Perry Carpenter: There's a lot of really cool stuff in here. Can you walk us through what you had hoped would come out of some of this, and then what prompted you to do this deep analysis? And then we can go into some of the findings. 

Chris Kirsch: So I had been a contestant in two very similar contests before, and I always had a few questions. You know, I also sometimes see in somebody else's reports or when they went up into the booth and actually called a company. So I'd seen individual things, but I never really had the chance to see it across all of the contestants. And that was really interesting. This year, as a judge, I had access to all of the OSINT reports. So OSINT is online research - publicly available information, open-source intelligence. I had access to all of their vishing pretexts. So vishing with a V is voice phishing, so it's basically scamming somebody over the phone. 

Chris Kirsch: And I also had the scoring sheets from the day of the competition, so I knew how well the different teams did. And so I was really interested in, what are the top-producing OSINT sources? So where do companies leak the most information that's helpful for attackers? Then also, how difficult are different types of objectives to find, and also what OSINT source is the best for which type of objective? So if you're trying to figure out what VPN somebody is using or what access - physical access control somebody is using, like, where would you find that and where is that found most often? 

Chris Kirsch: And then, you know, going through the motion myself as a contestant, when you're looking for an OSINT objective, you never know if it's actually out there. It's not that somebody hid it somewhere and you know it's out there and you can find it, but you get a target that's a real company, and you actually don't know if it's out there. And it's different for you than for your, you know, next contestant who's got a different target. So I wanted to know, can you actually find more objectives on average than the contestants found? And this year was unique because each company was tasked out to two different teams. So I could compare, you know, what was the difference between the scores, and also, were there any that the higher-scoring team didn't get? Because the question is always, do you keep digging or do you just give up? You know, have you found everything? And another thing that I was interested in is which pretexts actually yielded the best results on the phone, on the day of the competition when they actually went up in the booth? 

Perry Carpenter: So I think we need to back up just a little bit and describe the scenario. So for people that aren't familiar with competitions like this, can you kind of set the stage a little bit about - you know, when you say the booth, what does that mean? Talk about the things that people are trying to find. And then how does this scenario differ from what a, quote-unquote, "real attacker" may do? 

Chris Kirsch: What the competition is trying to emulate is an attacker that is researching a company and then using the research that they found online to phone them, live on stage in a soundproof booth, and to extract these and similar types of information over the phone. We call these pieces of information objectives. Half of the objectives are pieces of information that would get you into the digital networks, and half of the pieces of information are things that would help you physically get into the building - right? - because both of those can be hacking vectors. And the way the competition is set up is that the contestants, after they get chosen, they get assigned a company that they have to target. They were all from the same industry. 

Chris Kirsch: Then the contestants have a certain amount of time - it's a few weeks - where they can actually go and do online research on these targets to figure out what they can find out online. They're not allowed to contact the company at that stage. This is a pure online exercise where they are not allowed to call, to email, get in any way in contact with the target. And then they write up a report. So these reports are between 50 and 120 pages each. 

Perry Carpenter: Wow. 

Chris Kirsch: And the contestants spend about - between 40 and 120 hours on research on these targets. So this is really, really deep research. And they're trying to find about 25 different objectives. And then at DEF CON, they come to the social engineering community. There's a soundproof booth set up in the corner, and they have 25 minutes, live in front of an audience, to call the company. They can pick specific numbers that they want to call - individual dial-ins, reception numbers, help desks, anything like that - and they have to extract similar objectives over the phone. They're not identical with the OSINT report, but they are similar. 

Chris Kirsch: And there are some specific ones where not only are you trying to extract information, but there is one specific one that has a really high point rate, and that is to get somebody to actually type the URL of your choice into a browser and get them to read back what they're seeing on the screen. Because if you're able to do that as an attacker, then you can get somebody to a website that has malware on it. And you can infect their machine, and you can then compromise the network from within. So how does it differ from a real-life attack - right? - because there are... 

Perry Carpenter: Yeah. 

Chris Kirsch: ...Obviously some differences between a competition and a real attack. So, first of all, in the competition, we try not to ever cross legal or ethical boundaries. So legal boundaries would be anything that goes after passwords, Social Security numbers, credit card numbers, any PII, any sensitive information like that. We stay clear of that. Secondly, for legal and ethical reasons, we wouldn't ever impersonate a law enforcement officer or something like that - right? - so a person of government authority, for example. 

Perry Carpenter: Right.

Chris Kirsch: And then for ethical reasons, we also never want to use fear-based pretexts. So never say, hi; I'm calling from the incident response team. Your machine was compromised, and we're doing cleanup, you know, because then you're forcing the other person into a sense of compliance where they're already in trouble. They don't want to get into more trouble and so on. And that's not an ethical way to conduct a competition, right? So we actually don't go after some of the harder - arguably harder and illegal targets, but we are trying to substitute them with other things that are almost of equal value but legal to obtain. 

Perry Carpenter: OK. 

Chris Kirsch: So, for example, some of the objectives are, what browser version are you using and what browser type, what operating system, what VPN - those kind of things. And then on the physical side, you know, do you have access badges? What type of access badges? Who does your shredding service? Who does your waste pickup? Who - you know, like, all of these things that would get you physically into the building. And so these stand in as a legal and ethical proxy for these other things that we can't do in a real attack. Another big difference is that you have a real time constraint. So you have 25 minutes. And in these 25 minutes, if somebody doesn't pick up the phone, you lose a lot of time. You might not get a connect. 

Perry Carpenter: Yeah. 

Chris Kirsch: If you are a real-life attacker, you have much more time. 

Perry Carpenter: So you mentioned the 25 things that are there. And you said roughly they're broken up in half, as far as half will take you through a digital environment; half will take you through the physical environment. Do you want to talk about the - any of those 25 points? I know you kind of touched on a couple, but is there anything in-depth you want to say before we go past those? 

Chris Kirsch: I can talk about how easy or hard it is to get certain things through OSINT, and then I can explain why they might be relevant. 

Perry Carpenter: Just a heads-up - I have a link to Chris' research in the show notes. If you'd like to track along with us as we talk through it, feel free to go ahead and check out that link. Now back to Chris. 

Chris Kirsch: So one of the things that I was interested in is, are some objectives harder to find online than others? And so I tracked how many people got which objective in the reports. The one that was easiest - and every team got that one - was, do they have physical access control? So that means, do they have, you know, turnstiles where you need to swipe your badge? Or do they just have, like, an office door with a key? Or what does the point of entry look like? Everybody got that. And that was usually through either the website of the building, you know, if they're a tenant in a building, in a corporate office building, or through a virtual office tour in some way, shape or form, office building recruitment video, something like that... 

Perry Carpenter: Yeah. 

Chris Kirsch: ...Where they show a day in the life, where they show the office, or simply Google Street View, where you go onto Google Maps and you say, street view. I want to see the building. And if the access control is outside the building, if there's a badge reader or something like that or a PIN pad, you can see that by zooming in... 

Perry Carpenter: Right. 

Chris Kirsch: ...On the street view, right? So that was pretty easy to find. And it was also the first objective people were asked to get. And I think that also plays a role because there were all - you know, their minds were fresh. They were really... 

Perry Carpenter: Right. 

Chris Kirsch: ...Eager to find it and so on. And so everybody got that one. That was the only one that everybody got. All of the other ones were in the midfield with - out of 16 people, only five people got the vendor check-in process. So we were asking them, hey; can you find out, as a vendor coming into the building, what's the check-in process with the security desk? But still, 5 out of 16 found that out. And it was usually through the building website where they described the process, through some form of training or help desk documentation, something like that that they found online. And if you know the vendor check-in process, if you know what's required to get in, then you can prep for that. You can fake an ID, or you, you know, know not to go through that path if it's too onerous. 

Chris Kirsch: So those are two, like, physical types of objectives that help you get into the building. Let's talk about some of the ones that might get you into the digital network. So these were things like operating systems. You know, 14 out of 16 got that one. What web browser - same number of people - what antivirus solution, VPN vendor and so on. And all of these things help you penetrate a network because if you know what operating system and browser version somebody is using or what antivirus software they're using, now you can tailor your payload to evade all of these things and to be specific for that target. 

Perry Carpenter: From your perspective, what was the most shocking thing that came out of this study? 

Chris Kirsch: One thing I did not expect was that YouTube would be the top source for open-source information because YouTube is not very searchable. You can search for a topic on YouTube, but, I mean, I guess now you can also search for the actual transcripts and so on because they now automatically transcribe everything. 

Perry Carpenter: Right. 

Chris Kirsch: But when I think back at when I wrote up these reports, I would look at all of the YouTube videos that I could find by a certain company and then literally go frame by frame. And there are two types of videos that have really a lot of information. There is the type of recruiting video where they interview people, show the office, walk you through the office, those kind of things. 

Perry Carpenter: Yep. 

Chris Kirsch: And you can see badge designs. You can see badge readers. You can see what hardware they're using, what operating system they're using, all of that stuff in the background around the interview and the recruiting videos. And these are often also very high quality because they're getting somebody in with a professional video system and all of that stuff. So you don't always target a specific piece of information and then look for the video, but you look for the videos and look for all the pieces of information that you can find. And the other type of YouTube video that I found really useful was webcasts - either a vendor trying to sell something, or it's maybe an internal onboarding or helpdesk video or something like that. And when somebody is sharing their full screen, you can see the taskbar on the bottom right. You know what operating system they're using. You're seeing the antivirus. You're seeing the VPN client. All of that has little icons that, if you know what they are, you can interpret that, and you can sometimes know down to the major version of the software - know what they're using. Also, the browser is often shared as part of these types of webcasts and so on. So you can get a ton of information from that. 

Chris Kirsch: The second source of information is maybe a little bit more intuitive, and that's LinkedIn profiles - people's personal LinkedIn profiles. LinkedIn is a recruiting platform. Everybody wants to look good, show off their jobs, show off their skill set and so on. So many people that work in IT and sometimes even security will talk about all of the software packages and hardware that they're working with. So they might say, hey, I'm the Cisco admin, and I'm familiar with these types of firewalls. I also manage our Symantec endpoint protection, and I do this and that, right? I've done the Windows 11 rollout. You know, those kind of things people state on their profiles, and you can get a ton of information from that. So that was the No. 2 source. 

Chris Kirsch: No. 3 was Google dorking. And your listeners may or may not know what dorking means. It basically means using advanced Google search parameters. So you can, for example, say site: and then, you know, knowbe4.com or something like that. And then whatever you type after that will be searched only on that site, or you can limit it to certain documents. You can say, I want to see everything with that company name that is an Excel spreadsheet. And so with these kind of Google dorks, you can find a lot of very specific information very fast. 

Perry Carpenter: Yeah. So the one that I think is interesting because this may also help people protect their environments better - job posting is listed here. What kinds of information are people pulling out of job postings? 

Chris Kirsch: There were two big types. One is what types of technology they're using. So if you're looking for somebody to be a specialist in SAP or if you're looking for somebody to be a specialist in Cisco VPNs or something like that - right? - you know what they're using internally. So that's one side. The other side that - what people were using it for was the security guard questions because we were asking, do they use security guards, and what hours do they work? And so in the job postings, you usually have both of those things, right? Is it an internal or outsource position? Do they have any? And it'll say, you know, our shift schedules are A, B and C, right? 

Perry Carpenter: Yeah. 

Chris Kirsch: And so you know exactly when they change shifts and all of that stuff. 

Perry Carpenter: Anything else you want to bring out of that list? 

Chris Kirsch: Matterport was a really interesting one. That's a website that does virtual office tours. So you can basically have, like, a virtual reality tour of your office. And so this being real estate companies, a couple of them had that. And I remember one person used that to walk around the office and found an SSID for a Wi-Fi written on a whiteboard or something and then also found, like, a COVID poster somewhere... 

Perry Carpenter: Yeah. 

Chris Kirsch: ...Which he used to kind of carbon date this thing because they weren't allowed to use any information that was collected prior to 2019 because it was too old, right? You don't want something that's super outdated. So they had to somehow prove that this is newer information - 2019 or newer. And by showing anything related to COVID, you know that pretty much proved the point. 

Perry Carpenter: Right. Yeah, that's really cool. 

Chris Kirsch: One technique that some of the folks used that I hadn't run across before was a feature of an open source piece of software called Recon-ng that some of the listeners might know. And they used a function in there called cache snoop. So essentially, what you can do with that is you can query a name server, so the name server of your target company, and you can figure out what kind of fully qualified domain names or hostnames are cached on the server. So if you then look at things like different antivirus update servers, and those are cached on the DNS server, now you know that somebody inside this company is using that antivirus solution, right? 

Perry Carpenter: Yeah. 

Chris Kirsch: And so when we were asking about what antivirus solutions were in play in this company, they used that technique to figure out which ones were active. 

Perry Carpenter: OK. Maybe you can talk a little bit about this chart that's here. This is the - it looks like it's a dump from an Excel spreadsheet that has the physical access control at the top, company lingo, it's basically showing the points for the objectives that were pulled. 

Chris Kirsch: Yeah, it's just a - like a matrix that shows... 

Perry Carpenter: Yeah. 

Chris Kirsch: ...Which type of information was gathered how. So basically, you see, for example, Wi-Fi SSID. Eleven of those were gathered through wigle.net, right? And then... 

Perry Carpenter: Right. 

Chris Kirsch: ...If you look at Hunter.io, that was only used for email format. But if you also want to look at YouTube, for example, you see the - you know, all the different types of things that showed up in there. 

Perry Carpenter: Let's talk about any other finding that you want to talk about and then hit this piece on how to mitigate that you have at the end, as well. 

Chris Kirsch: So far, we've only talked about the OSINT reports. So I'd love to now dig in on the actual calls that people... 

Perry Carpenter: Yeah. 

Chris Kirsch: ...Did on the day and how they did there and, like, what kind of pretexts they chose when they were calling their targets. So most of the pretexts - both that the teams planned in their reports, but also that they did on game day - were centered around IT. And mostly it was centered around somebody impersonating a help desk or IT employee and phoning a - an employee of the company. 

Perry Carpenter: Yeah. 

Chris Kirsch: So one of their coworkers. The pretexts varied a little bit. Sometimes it was the IT help desk reaching out or IT or security doing a survey to say, hey, do you have this installed? How happy are you with that? And so on. Sometimes there was a software satisfaction survey - so, like, hey, we're the UX team and we'd love to know, like, how easy or difficult you find XYZ software and so on. Those were by far the most prevalent. And then there were some more exotic ones. So, for example, an employee saying, hey, I'm a little worried about security. I'm switching offices and I want to know, like, do you have security guards on staff even in the evenings? Because I - you know, I've been mugged before, and I'm worried about that or something like that. 

Perry Carpenter: Right. 

Chris Kirsch: Somebody said, like, hey, you know, my spouse works for you and I'd like to bring by a surprise birthday gift. Like, how can I get into the building? So most pretexts around the IT thing, which makes sense because the objectives are around IT. So pivoting from a non-IT pretext to IT objectives is a little bit hard. I don't think that necessarily every social engineering pretext is going to be around IT. It's really going to be, what are you going after, right? If you're trying... 

Perry Carpenter: Right. 

Chris Kirsch: ...To do, you know, business email compromise or the phone version of that - trying to figure out how to get a fake invoice paid by a company, you're going to call the accounting department as a vendor, maybe. So no IT pretext there. I think we were guiding people towards a certain type of pretext through the objectives that we provided. You've got to build from small to big, and you've got to build in a narrative that makes sense. 

Perry Carpenter: Let's face it - every organization and every individual leaks data constantly via social media and YouTube videos, webinars, photos and more. It seems like every interaction we have is an opportunity to leak some bit of data that can be useful for a would-be attacker. And that means that we need to be a lot more circumspect about the data we put online, how that data can be used, and what inferences can be made by people who find the data. And the implication of that is that we need to become masters of viewing our organizations and ourselves through the eyes of an attacker. That is a mindset that we need to adopt. In addition, we should also adopt a practice of threat modeling and continually working to evaluate our attack surface and current exposure. Because for cybercriminals, this is the real world, not a game, and there is no time limit. They have as much time as they need to continue to research, evaluate, refine and launch attacks. 

Perry Carpenter: And with that, thanks so much for listening, and thank you to my guests, Christina Lekati and Chris Kirsch. I've loaded up the show notes with links to all the references that we mentioned today, including Chris' Medium article, some prior presentations on OSINT from both Christina and Chris, and several other tidbits that you should find interesting. So be sure to go check those out. 

Perry Carpenter: If you've been enjoying "8th Layer Insights," please go ahead and take just a couple seconds to head over to Apple Podcasts or Spotify and rate and consider leaving a review. That does so much to help. And you can also help by posting about the show on social media, recommending it within your network and maybe even finding an episode to recommend to a friend or family member. If you haven't yet, please go ahead and subscribe or follow wherever you like to get your podcasts. And if you want to connect with me, feel free to do so. You'll find my contact information at the very bottom of the show notes for this episode. 

Perry Carpenter: This show was written, recorded, sound designed and edited by me, Perry Carpenter. Artwork for "8th Layer Insights" is designed by Chris Machowski at ransomwear.net - that's W-E-A-R - and Mia Rune at miarune.com. The "8th Layer Insights" theme song was composed and performed by Marcos Moscat. Until next time, I'm Perry Carpenter, signing off.