CyberWire-X 10.2.22
Ep 38 | 10.2.22

The OSINT revolution: How cyber and physical security teams are leveraging open source intelligence.


Rick Howard: Hey, everyone. Welcome to CyberWire-X, a series of specials where we highlight important security topics affecting security professionals worldwide. I'm Rick Howard, the chief security officer, chief analyst and senior fellow at the CyberWire. And in today's episode, we're talking about how cyber and physical security teams are leveraging open source intelligence.

Rick Howard: A program note, each CyberWire-X special features two segments. In the first part, we'll hear from a couple of industry experts on the topic at hand. And in the second part, we'll hear from our show sponsor from their point of view. 

Rick Howard: I'm joined by Dr. Georgianna Shea. She is the chief technologist for Cyber and Technology Innovation and the Transformative Cyber Innovation Lab at the Foundation for Defense of Democracies. She's also a long-running colleague and friend of mine and a regular contributor here at the CyberWire. Dr. Shea, thanks for coming on the show. 

Georgianna Shea: Well, thank you so much for having me. 

Rick Howard: So today, we're talking about open source intelligence, specifically from social media platforms and geospatial data and whether or not that kind of intelligence is helpful or useful to practitioners defending their digital assets in cyberspace. Now, you've had a couple of decades of experience helping the Department of Defense and other government organizations think about cybersecurity initiatives. And you teach information assurance at the Colorado Technical University as an adjunct professor on such topics as operations, threat intelligence and many other. So what's your take on this question? Is open source intelligence worth it? 

Georgianna Shea: I think so. But I think you might get some pushback in various industries that aren't really embracing it. So I think traditionally, it's been one of those areas that the intelligence community uses, law enforcement uses. But now you can really start moving out into other organizations and looking at how does your organization look online to your partners, to your customers, to potential adversaries that are going to target you? How much of your risk is exposed out there? So I think so, yes. 

Rick Howard: It also depends on how big your organization is and how many resources you have. I mean, if - you know, I work at a startup these days. I don't have an intelligence team working for me who can daily monitor open source intelligence. So what do those folks do, the nonfinancials, the nongovernment organizations who don't have those giant teams? Can they buy that kind of intelligence? And is it useful to them? 

Georgianna Shea: Oh, absolutely. There's companies out there - like, they do open source intelligence, and they actually go into the deep and dark web and look for information on your company and come back to you and tell you, this is what you look like. This is the kind of information that's being traded about your company. This is what your reputation is. You look like low-hanging fruit to the hackers out there or you don't. 

Georgianna Shea: And it goes beyond your business partners. It also extends into whether or not insurance industries will want to insure you for cyber insurance. How big of a risk are you? So you want to understand what kind of information's being put out about your organization, not just on the internet, but also on the deep, dark web and how exploitable do you look. 

Georgianna Shea: If most people are familiar with the MITRE ATT&CK framework already - and it really starts from the cyber kill chain with that reconnaissance phase. There's different tactics and techniques in the reconnaissance that the adversary uses. So you should be familiar. If the adversary is going out and doing reconnaissance as their very first step, what does that look like for you? What are they seeing? 

Rick Howard: So let's talk about those open source intelligence products. You sent me a draft paper that you're working on where you describe the overlap between influence campaigns and cyber operations. What's the paper called? 

Georgianna Shea: Well, I'm still working on the title, but right now it's tentatively "Digital Footprint that Provides a Criminal Foothold." And it discusses that overlap between the influence operations and cyber operations because a lot of people look at those as two different subjects. But when you actually dig into how both are performing, you see an overlap in tactics and techniques. We're pretty familiar with the attack tactics and techniques of how adversaries go in and do cyber operations. They break into your system, they do lateral movement. Before they do that, they will go through and establish their infrastructure, maybe a fake website, fake accounts. 

Georgianna Shea: There's another emerging framework out there called DISARM, which I'm really excited about. And it's the disinformation analysis and risk framework. You can read more about it under Contact Jon Brewer or SJ Terp. They're developing it. And it gets into the influence operation campaigns, where it follows the attack framework, where you have different tactics and the techniques for each of those. And it gets into very, very similar develop your - enabling architecture and infrastructure. So you have to make fake people, make fake accounts, make fake websites. So then when you look at both of these different frameworks, you're seeing, OK, there's a development of disinformation out there, some deception techniques. You have a website that maybe you think is authentic. You trust it. You might see a little padlock in the corner. You believe it has a certificate. You go to the website, and it's given you false information. If you're a company, maybe it's given you some bad information about your company, and it's from a competitor or a disgruntled employee. If it's a cyberattack, maybe it's a website that you're going to and they're now downloading malware on your system. So the actual objectives of the website might be different, but the enabling infrastructure is pretty much the same. 

Georgianna Shea: And so in my paper, I get into those overlapping technical pieces, like using certificates on websites that really have no attribution or authentication as to who they belong to. You can get a search for a website that doesn't actually go back to a person who's been authenticated. You go to websites that are using DNS abuse. So you think you're going to an authentic website that's a part of an organization, but through typo-squatting or other techniques, it's not the real website. And then once you get to those fake websites, they can, again, either do some disinformation, or they can do some cyber operations. It kind of depends. 

Georgianna Shea: But through the social media platforms, you then see a lot of different accounts steering people to those sites. And when I say steering it, when you look at Twitter, you look at other platforms, you have multiple users out there. And it might be a real person. It might be an account that has been hijacked, so it looks like a real account, but now it's being used by someone else. Or it might be a fake account altogether - fake name, fake person. Or it could be a bot. So you really don't know who's giving you this information and steering you to these sites. And you really don't know, OK, is this true? Is this not true? Is this authentic? Is it not authentic? And there's not the transparency there to really give you that warm and comfy feeling of, OK, I can believe this. 

Rick Howard: Bob Turner is the former CISO from the University of Wisconsin-Madison but is now the field CISO for education at Fortinet. He's also a regular here on the Hash Table, and he says that open source intelligence is worthwhile, but you probably shouldn't use it as the primary source. 

Bob Turner: My real concern there is that it comes from social media. So is the material valuable? Sometimes, yes, sometimes, no. When I'm looking at that as a CISO, I'm looking to find out if it actually correlates with other trusted cyber intel sources before I consider its use as good for whatever purpose I'm applying this intel to. On the education vertical, I recommend that education SOC teams use open source intel from social media as a way to complete the picture, not as the primary source. It is important that whatever we do with the intel we have be verifiable. 

Bob Turner: And I guess the real example I have from this is if you harken back to the SolarWinds events of a year or so ago - several years ago, actually - we kept getting a lot of information about SolarWinds and what it applied to, and we were getting those from a number of sources - some of those sources federal, some of those sources state government and a lot of those sources technology driven. The social media post, a lot of them on LinkedIn, before, during and after the event actually occurred, it actually helped to isolate whether or not our impacted systems were truly impacted and helped us to determine that in our condition, with the makes and the models and everything being shown there and the DLL versions and all of that, that we actually didn't have any possibility of exploitation. I would say that that is a case where the information derived from social media was very helpful. But again, to reiterate my original point, we correlated that data with other information that we're getting from legitimate sources, including the FBI and the Research and Education Networks, Information Sharing and Analysis Center. 

Rick Howard: So let's go do some basics here about DISARM. I'm going to come back to a MITRE ATT&CK in a second, all right? But DISARM, does that acronym spell anything or is it just a fancy name that highlights what's going on here? 

Georgianna Shea: Yeah. So DISARM - it's disinformation, D, analysis, A, and risk, R, management, M - so DISARM framework. Used to be called the AMTT, which was the adversarial misinformation tactics and techniques, but they renamed it to DISARM. 

Rick Howard: According to the DISARM Foundation website, their vision is that all who encounter the existential problem of disinformation and work to reduce the impact and risk are empowered to coordinate their efforts through the sharing of a single open source collaborative framework. Their framework, published on their website, is similar in look and feel to the MITRE ATT&CK framework. Well, let's talk about the Winter Olympics study because that's really fascinating. You were working with the sports ISO to help with them, I guess the most recent Olympics in Beijing - right? - in 2022. Is that right? 

Georgianna Shea: Yep. Correct. 

Rick Howard: And what were you trying to do with that study? 

Georgianna Shea: The purpose was really just to kind of bring together the policy communities that are looking at the cyber operations and influence operations as being two different things. So when you hear about, like, the elections and disinformation in the media, a lot of topics come up like freedom of speech and censorship. And I didn't want to go down that road with it. I really wanted to show the technical attribution of where things are coming from so that you can see there was transparency. You can go through and do your research. You can trust a site or not trust a site. It's very closely parallel to the cyber operations. You're not going to go to a website that you don't trust. And if you don't know whose website it is, how can you trust it? 

Rick Howard: So with the DISARM framework - and until we started talking about this, prepping for the show, I didn't realize there was so much overlap - but what you're saying is for these influence operations, there is an infrastructure that the bad guys use to do these influence operations, and it sort of overlaps with what we cover in the MITRE ATT&CK framework. They're still going to have websites, they're still going to have command and control. They still have to do those things. And so there'd be certain things that a network defender could do to prevent that kind of thing from showing up on their users' equipment, is - did I summarize it correctly? 

Georgianna Shea: You did, and I don't - well, maybe I don't want to say prevent it coming up because you... 

Rick Howard: Yeah. 

Georgianna Shea: ...You may not be able to go through and determine absolute - like in cyber operations, it's always difficult to prove attribution. Influence operations, it'll be difficult to prove whether or not it's true or not true. But you can definitely go through and determine ownership of sites, fake accounts, DNS abuse, deception techniques that give you that transparent information on, OK, this is an indication of not a trustworthy source. 

Rick Howard: So you could identify user IDs from social media - you know, inform your employees that these are disreputable people. You know, we could do those kinds of things and, like you said, not stop these influence operations, but at least keep our employees and friends - keep them aware of what's going on. 

Georgianna Shea: Right. Absolutely. There's indications of a fake account. There's indications of bots that are being used. There's indications of hijacked accounts. One of the really interesting finds that we found during the Winter Olympics was there were a number of different handles being used that were actually compromised accounts from a company years before. So someone had broken into a company, they compromised it, they had all of the usernames and passwords, dumped them someplace, and then someone else picked them up and used all those usernames as fake Twitter handles. Now it looks like they're regular accounts with diverse names, but it's like, oh, these are all the same individuals that we found were stolen from this other compromise, you know, years ago. 

Georgianna Shea: And we also found reused infrastructure. So the same bot networks that are out there doing misinformation, promoting fraud, sports streaming, video streaming fraud, cybercrime activity - these were the same infrastructures that were being used in previous major sporting events. 

Rick Howard: So we're getting into the end of this, but I guess - from all the things you're throwing out here, I guess you're a big fan of open-source intelligence for social media and other things. What's your last word on this, George? 

Georgianna Shea: Well, you know, it's - I don't think it's a new area. I just think it's a very underutilized skillset and capability that people aren't taking advantage of. In the cyber kill chain, the very first stage is reconnaissance. That's how the adversary is going to pull all the information they can on you. So you as an organization owner, you should know how you look. And it's no longer, like I said, just from the hacker's perspective, do you have vulnerable software? What kind of operating systems are you using? 

Rick Howard: Let me try to summarize it. I think it's using some techniques we already know how to use with the MITRE ATT&CK framework and applying it to a different set of intelligence coming in, but there is overlap in some of the things we can do to protect our enterprise, right? That's - is that the summary? Is that close enough? 

Georgianna Shea: Yes. Yes, I believe so, yes. 

Rick Howard: All right. 

Rick Howard: Next up is Dave Bittner's conversation with Tom Hofmann, the VP of intelligence at Flashpoint, our show sponsor. 

Dave Bittner: So today, we're talking about open-source intelligence and how that applies for enterprise security - also physical security. In your mind, how do you define OSINT? 

Tom Hofmann: Yeah, it's an interesting conversation. OSINT has definitely been around for quite some time - going back to World War II. But really, in the public sector and national security space, it has a specific definition, which is the gathering of publicly available information and using that for decision advantage within the national security apparatus. Within the commercial space, it's been also kind of evolving over the years as more and more companies are worried about cyberthreats and things happening outside of their networks. They, too, have been really embracing this, looking at information that they know - not only attackers, but then also individuals on the internet, what they can learn about an organization, their exposures. And this is where the commercial space has really adopted the same techniques. And they're starting to look at information that you can access on the internet. And as we know, that really runs the full gamut now. It's no longer just text and newspapers. It's videos and images and lots of different information that really has been transforming the way people are thinking about how they use publicly available data for their commercial- and public-sector-use cases. 

Dave Bittner: Are there examples of things that folks don't generally think about when it comes to open source intelligence? I mean, I think - you know, I would think about my name, my address, maybe my birth date. But those are all out there. But what other things do people generally not consider? 

Tom Hofmann: Yeah, this is an interesting aspect. We have a lot of public sector customers who, when they are talking with us and understanding where the commercial sector is really leveraging different requirements on us to go find information, they are really fascinated with, really, the scope of what it is. So this runs counterterrorism, so tracking jihadist activity. That - and then, that also extends into domestic extremists. And a lot of people are surprised. They're like, wow, I didn't realize there was a commercial-use case for that. But when you start thinking about physical security and organizations with overseas operations and employees traveling to different parts of the globe, you start to understand that there is an actual, real, compelling need there to understand what's happening. It includes cybercrime. This has also been interesting where, for a lot of times, it was really thought about the criminal community - they're stealing credit cards. They're stealing information, yes. But it was kind of just focused and closed in to a few use cases. 

Tom Hofmann: More and more, we're seeing that the tools and the techniques that are being developed within these criminal communities are being used for a lot of different reasons, to include where we see - I don't know - some of the ransomware gangs. Those operations, we're now seeing nation states use those as false fronts. So now it's really blending where, traditionally, you would think that there were nice separations with some of the activities on the internet. We're seeing more and more that there is dual use, there is false flags, there is a lot of reasons why strong interest in really understanding all types of activities that are happening on the internet. 

Dave Bittner: Yeah, I recall a conversation that was a little bit of an eye-opener for me. I was talking to someone who's a security person at an organization that was in the food processing industry. And they dealt with chicken. And he was saying that one of the things that he relied on, you know, threat intelligence, was to know if people were going to be protesting at one of their plants, for example. 

Tom Hofmann: Yeah, we had a - in one of my previous positions, working with a large bank, it was another similar thing where it was different groups who were protesting, not breaking the law, but just disagreed with some of the corporate policies. And they would routinely stage different demonstrations outside different bank locations. And we were able to use our intelligence process to understand what was happening outside in the real world, to then notify the local branches that this activity was going to happen. And we could provide them some background about what the group was coming for. And it was peaceful protest. There was no problem there. 

Tom Hofmann: But it was just a different way in which you can start thinking about there are different applications for where some of these commercial intelligence capabilities have developed, and they aren't all for threats. Sometimes, it's for brand awareness. Sometimes, it's for educating your employees. Sometimes, it's - as you were saying, there is a threat, and you want to make sure that you're taking those proactive steps to protect your employees and your corporate assets. 

Dave Bittner: What is the difference for an organization with - you know, engaging with an organization like yours versus trying to take care of these things in-house? 

Tom Hofmann: Yeah, the - we are asked that quite often, and a lot of it has to do with the scale. Referencing the earlier position I had within a bank, it was also about your risk exposure. And for us, while we were well-equipped and had a very large team, it was a step too far to think that we were going to have a Russian linguist and a Chinese linguist and a Persian Farsi linguist, and then also have the infrastructure in which to operate anonymously on the internet so you further reduce your digital footprint or the different areas in which you're operating. And this is one where commercial intelligence vendors - they are able to bring this capability and really assume some of the risk on behalf of the corporate customers. And this is where a lot of organizations come to us. 

Tom Hofmann: And then, it's also operating in that space. If you're a bank or manufacturer or operating a pipeline, that's not your core business to understand what's happening within some of these far reaches of the internet. And that's where companies like Flashpoint really specialize in indexing what's happening there and making it a lot easier for organizations to understand what's happening. And then if there is something that they deem a threat, that they're able to mitigate it as well. 

Dave Bittner: Yeah. I would imagine that a lot of particularly smaller and medium-sized businesses, they may think, well, you know, I'm so small, what do I need this sort of thing for? How do you go about dialing it in for organizations like that, of demonstrating, you know, here's the actual value here? 

Tom Hofmann: Yeah. Unfortunately, a lot of the headlines drive that conversation and a lot of those over the past two years have been ransomware. This has been one where the ransomware attacks that hit big companies, yes, they clearly get the headlines, and they get a lot of the press attention. But really, where this is impacting is those small and medium-sized businesses. To your point, they typically do not have the large budgets. They do not have the teams in place to really deal with this type of threat. And this is where that education and helping them understand those basics of cyber hygiene, what their exposure is, how to train your employees, which is most important to really help your employees understand those threats so that - so they can avoid some of these common attack techniques. And that's one where the education aspect and helping them just understand how these attacks occur so they can look at their own organization and then better deploy new technologies, move things to the cloud, educate your employees - these are all things that we see that there is strong adoption and interest even with the smaller organizations. 

Dave Bittner: Do you have examples of, you know, when folks are on the other side of this? You know, perhaps they were skeptical coming in, but then, you know, they see the sort of information that's being provided. Is there an aha moment there for them? 

Tom Hofmann: Yeah, the aha moment - and I have this with my family as well. We are sitting on an archive of all of the stolen databases, stolen emails, and we make that available to customers so they can help understand what their exposures are just from stolen usernames and passwords. And when you can go in here and quickly search across 40 billion usernames and passwords that have been compromised and sold and resold and reposted, and you can look at that, and you can see passwords and accounts that you haven't touched in 10 years. And you realize, oh my gosh, this is what's out there. And even for me, I searched through there and saw one of my passwords that I reused all the time that was for an account 10 years ago. I was like, yeah, even I am, like, the - you fall into some of the - these habits, and they're bad habits. And it's a great eye-opening thing when you see that. And that's when you understand, wait, if Flashpoint has access to this, that's where all the bad people have access to this as well. And it really is a great way to really bring home and take a lot of the mystery out of what's happening within some of these communities and helping people really understand what the real threats are. 

Dave Bittner: What are your recommendations for folks who are looking to explore this, who may think, you know, they want to get started, but they're not sure where to begin? 

Tom Hofmann: Where to begin, it's a great question. First, it's understanding what your threats are. And do you even know what's happening on your networks? And we see that is often a great question when you are starting this journey to see if other organizations or other companies can help you understand what your exposure is. So we are quite often just asked to do a simple look to - for an organization or a company to see what is exposed, what is - it's called attack surface management, where it's just really understanding what is out there. And that oftentimes leads to a lot of conversations about what the exposure is, how you can mitigate that. And that often leads to much more fruitful conversations where you can actually start talking about those different steps in which you can help mitigate this. And the good news is, a lot of times it is a - I shouldn't say a simple conversation, but it is getting the multifactor authentication set up. It's making sure that your employees are properly educated on the common phishing techniques and how to report. And just getting an understanding of what's happening within your own networks is often the first step. 

Rick Howard: We'd like to thank Dr. Georgianna Shea, the chief technologist at the Foundation for Defense of Democracies, Bob Turner, the Field CISO for education at Fortinet, and Tom Hofmann, the VP of Intelligence at Flashpoint for helping us get some clarity about how to think about open source intelligence. "CyberWire-X" is a production of the CyberWire and is proudly produced in Maryland at the startup studios of DataTribe, where they are co-building the next generation of cybersecurity startups and technologies. Our senior producer is Jennifer Eiben. Our executive editor is Peter Kilpe. And on behalf of my colleague, Dave Bittner, this is Rick Howard signing off. Thanks for listening.