-
1.
Offensive OSINT mindset to defend your Organization
Chandrapal Badshah
-
2.
About Me
Chandrapal Badshah
Security Researcher
Open Source Enthusiast
Twitter : @bnchandrapal
Website : badshah.io
-
3.
Story time ...
-
4.
Fiction ?
-
5.
https://hackerone.com/reports/397527
-
6.
What is Open Source Intelligence ?
-
7.
What is OSINT ?
“An art of collecting publicly available data and deriving
useful information from it”
-
8.
The OSINT Mindset
-
9.
The OSINT Mindset
Consists of 3 phases in general:
Data aggregation
Deriving intelligence
Storing the data & intel
13.
Three questions to ask yourself
What do you know about the organization ?
What do you technically know about the organization ?
Did you check out the employees of the organization ?
-
14.
What do you know about the organization ?
-
15.
What do you know about the organization ?
● What does it sell - a product / service / something else ?
● How does the company make profit ?
● Board of Directors & Investors
● Acquisitions and Partnerships
● Job openings
● Supply chain / vendors
-
16.
Sources
● Company website
● Blogs
● LinkedIn
● Newspapers
● Third party review blogs
● Crunchbase
-
17.
Example : Job openings
-
18.
Impact : Breaches on Acquisitions might affect you
https://www.infosecurity-magazine.com/news/paypal-acquired-company-suffered/
-
19.
Impact : Supply Chain Attacks
-
20.
What do you technically know about the organization ?
-
24.
Domains and subdomains
Virustotal
SecurityTrails
Rapid7’s FDNS
Google Certificate Transparency Logs
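Certificate Transparency logs are the one source in this list that an organization can mine for its own blind spots: every certificate issued for a name under your zone is public, so names you never inventoried show up there. The following added example (not from the talk; it uses a constructed sample in the shape of crt.sh's JSON output for the hypothetical zone example.com) normalizes the names found in CT entries, handles wildcards, trailing dots and mixed case, and reports hosts that are missing from the organization's own asset inventory.

```python
import json
import re

# Constructed sample in the shape of crt.sh's JSON output (not real data).
# Each entry may carry several names separated by newlines, possibly wildcards.
SAMPLE_CT_JSON = json.dumps([
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "www.example.com\nexample.com"},
    {"issuer_name": "C=US, O=DigiCert Inc",
     "name_value": "*.example.com"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "Staging-API.example.com\nstaging-api.example.com"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "old-jenkins.example.com"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "mail.example.com."},
])

# Hosts the organization believes it owns (constructed inventory).
KNOWN_ASSETS = {"example.com", "www.example.com", "mail.example.com"}

# Conservative hostname syntax check so junk in a log entry does not reach a report.
HOSTNAME_RE = re.compile(
    r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)+$"
)


def extract_names(ct_json: str, zone: str) -> set:
    """Return the set of normalized hostnames under `zone` seen in CT entries."""
    names = set()
    for entry in json.loads(ct_json):
        for raw in entry.get("name_value", "").split("\n"):
            name = raw.strip().lower().rstrip(".")
            # A wildcard cert proves the zone is in use but names no host; keep its base.
            if name.startswith("*."):
                name = name[2:]
            if name == zone or name.endswith("." + zone):
                if HOSTNAME_RE.match(name):
                    names.add(name)
    return names


def unknown_hosts(ct_names, inventory) -> list:
    """Hosts that appear in CT logs but not in the organization's inventory."""
    return sorted(set(ct_names) - set(inventory))


if __name__ == "__main__":
    seen = extract_names(SAMPLE_CT_JSON, "example.com")
    for host in unknown_hosts(seen, KNOWN_ASSETS):
        print("not in inventory:", host)
```

In practice the JSON comes from a CT search service rather than an embedded string; the reconciliation logic is the same. A host that is in CT logs but not in the inventory is either a forgotten asset or something issued by someone who should not be able to get certificates for your zone, and both deserve a look.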
-
25.
Digital Assets
Subdomain takeovers
Exposed databases
Software with default and weak passwords
-
26.
Impact : Digital Assets
-
28.
IP addresses & open ports
● Shodan
● Software running on non standard ports
-
29.
Did you check out the employees of the organization ?
-
31.
Email addresses
hunter.io - reveals the email address pattern an organization uses
HaveIBeenPwned
-
32.
Online coding platforms
Online code platforms:
● GitHub
● Gitlab
● Bitbucket
Online code compiling platforms:
● Repl.it
-
33.
Online content sharing
● Pastebin & other pastie sites
● Public GitHub gists / Gitlab snippets
● Google docs / sheets with public shareable link
● Trello boards
-
34.
Password Reuse
-
35.
How can we protect the organization using OSINT ?
-
37.
Understand what’s in your control and what’s not
Digital assets
What the organization posts online
Security & Organizational policies
Employees’ personal online accounts
-
38.
How to tackle (un)intentional data leaks ?
-
40.
Continuous Monitoring
Monitor for keywords about your organization on online platforms
● Google alerts
● Tools like Real Time Scrapper & DataSploit
● Third party monitoring services
Monitor whether employees’ emails turn up in a data breach
● HaveIBeenPwned FREE notification service
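Keyword monitoring only helps if the hits are triaged, and the story that opened the talk (a Slack token found in a public repository) shows why a monitor should look for credential shapes as well as company names. The following added example is not from the talk or from the tools named above; it scans a few constructed "pastes" for a hypothetical organization ("Acme") and ranks each hit by whether it mentions the company, contains a secret-looking string, or both. The secret patterns are the public, well-known formats of Slack tokens, AWS access key IDs and PEM private keys.

```python
import re

# Constructed sample pastes (not real leaks). The token below is deliberately fake.
SAMPLE_PASTES = {
    "paste-001": "config dump for acme corp build\n"
                 "SLACK_TOKEN=xoxb-000000000000-000000000000-ExampleFakeToken\n",
    "paste-002": "weekend recipe list\n1. pasta\n2. soup\n",
    "paste-003": "Internal notes from AcmeCorp VPN rollout, see vpn.acme-corp.example",
}

# Keywords a hypothetical organization would watch for (constructed).
KEYWORDS = ["acme corp", "acmecorp", "acme-corp.example"]

# Publicly documented shapes of credentials that commonly turn up in leaks.
SECRET_PATTERNS = {
    "slack_token": re.compile(r"\bxox[abpr]-[0-9A-Za-z-]{10,}"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}


def scan_text(text: str, keywords) -> dict:
    """Return which organization keywords and secret shapes occur in `text`."""
    lowered = text.lower()
    return {
        "keywords": sorted(k for k in keywords if k.lower() in lowered),
        "secrets": sorted(name for name, rx in SECRET_PATTERNS.items() if rx.search(text)),
    }


def triage(pastes: dict, keywords) -> list:
    """Scan every paste and return alerts ordered as the pastes were received.

    Severity: company name plus a secret shape -> high; a secret shape alone
    -> medium (may be someone else's, still worth a look); name alone -> low.
    """
    alerts = []
    for paste_id, text in pastes.items():
        hits = scan_text(text, keywords)
        if not hits["keywords"] and not hits["secrets"]:
            continue
        if hits["secrets"] and hits["keywords"]:
            severity = "high"
        elif hits["secrets"]:
            severity = "medium"
        else:
            severity = "low"
        alerts.append({"id": paste_id, "severity": severity, **hits})
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_PASTES, KEYWORDS):
        print(alert["severity"].upper(), alert["id"], alert["keywords"], alert["secrets"])
```

The same scan can be pointed at public gists, snippets and your own repositories' release artifacts; a high-severity alert is the trigger to revoke the token first and investigate the source second, as the opening story's organization would have wanted.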
-
41.
How to proactively defend your organization ?
-
42.
Never Reuse Passwords
Evangelize the use of password managers
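One concrete thing a defender can do beyond evangelizing password managers is to check, at password-set time, whether a password already appears in a known breach corpus without ever sending the password anywhere. HaveIBeenPwned's Pwned Passwords range API does this with k-anonymity: the client sends only the first five hex characters of the SHA-1 hash and matches the rest locally. The following added example (not from the talk) implements that client-side half; the range response it checks against is a constructed stand-in, with a made-up count, so the example runs offline.

```python
import hashlib
import urllib.request

PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def split_hash(password: str):
    """SHA-1 the password; only the 5-char prefix ever leaves the machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict:
    """Parse 'SUFFIX:COUNT' lines as returned by the range endpoint."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        # Padding entries (when Add-Padding is requested) carry a count of 0.
        counts[suffix.strip().upper()] = int(count.strip() or 0)
    return counts


def pwned_count(password: str, fetch_range) -> int:
    """Number of times the password was seen in breaches (0 if never)."""
    prefix, suffix = split_hash(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def live_fetch(prefix: str) -> str:
    """Real network call to the range API (not used by the offline demo)."""
    req = urllib.request.Request(PWNED_RANGE_URL + prefix, headers={"Add-Padding": "true"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed stand-in for the range API: a tiny fake response for prefix 5BAA6,
# which is the real SHA-1 prefix of the string "password". The count is made up.
SAMPLE_RANGES = {
    "5BAA6": "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"
             "0000000000000000000000000000000000A:2\r\n"
             "0000000000000000000000000000000000B:0\r\n",
}


def offline_fetch(prefix: str) -> str:
    return SAMPLE_RANGES.get(prefix, "")


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple"):
        n = pwned_count(candidate, offline_fetch)
        verdict = "reject (seen %d times)" % n if n else "not in sample corpus"
        print(candidate, "->", verdict)
```

Swapping offline_fetch for live_fetch turns this into a usable pre-check in a password-change flow. The design point is the boundary: the service learns a 5-character prefix shared by thousands of hashes, never the password or its full hash.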
-
43.
Never Reuse Passwords
This breach could never have happened
-
44.
Vulnerability Management
● Allows you to know your network
○ Network
○ DNS records
○ Open Ports
○ Software / Technology stack used
● Vulnerable software
○ Dependency Check
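Knowing your DNS records is only half the job; the other half is noticing when one goes stale. A CNAME whose target no longer resolves is the classic precondition for the subdomain takeovers listed earlier, and an A record pointing at an address you no longer control is the same problem in another form. The following added example (not from the talk) walks a constructed zone for the hypothetical example.com, using a pluggable resolver so the demo runs offline, and flags both conditions against the organization's own address ranges.

```python
import ipaddress
import socket

# Constructed zone records (not a real zone).
ZONE_RECORDS = [
    {"name": "www.example.com", "type": "A", "value": "203.0.113.10"},
    {"name": "blog.example.com", "type": "CNAME", "value": "blog-host.saas-provider.example"},
    {"name": "old-shop.example.com", "type": "CNAME", "value": "old-shop.retired-vendor.example"},
    {"name": "api.example.com", "type": "A", "value": "203.0.113.20"},
    {"name": "legacy.example.com", "type": "A", "value": "198.51.100.5"},
]

# Address space the organization actually controls (constructed).
OWNED_RANGES = [ipaddress.ip_network("203.0.113.0/24")]


def offline_resolver(name: str):
    """Stand-in for DNS: returns an address or None for names that no longer exist."""
    table = {"blog-host.saas-provider.example": "192.0.2.50"}
    return table.get(name)


def live_resolver(name: str):
    """Real lookup for use outside the demo; None mirrors NXDOMAIN."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def find_stale_records(records, resolve, owned_ranges) -> list:
    """Return (name, reason, value) for records that should be reviewed or removed."""
    findings = []
    for r in records:
        if r["type"] == "CNAME":
            # Target gone: the name is now an invitation for whoever claims the target.
            if resolve(r["value"]) is None:
                findings.append((r["name"], "dangling CNAME", r["value"]))
        elif r["type"] in ("A", "AAAA"):
            addr = ipaddress.ip_address(r["value"])
            if not any(addr in net for net in owned_ranges):
                findings.append((r["name"], "address outside owned ranges", r["value"]))
    return findings


if __name__ == "__main__":
    for name, reason, value in find_stale_records(ZONE_RECORDS, offline_resolver, OWNED_RANGES):
        print(f"{name}: {reason} ({value})")
```

Run against a real zone export with live_resolver, this is a cheap recurring check that directly implements the "remove DNS records when no longer used" advice: anything it reports is either a record to delete or an address range to add to the owned list.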
-
45.
Vulnerability Management
This could have been prevented
-
46.
Thank You
Any Questions ?
It was getting dark and our hacker hero was tired of looking at multiple online code repositories.
Before he closed his 30-tab browser, he stumbled upon an unusual repository. What intrigued him was that the repo had very little code but lots of releases.
After downloading, decompiling and hours of debugging, he found the Slack token of the target organization.
Using the Slack token, he was able to read messages from most of the target organization's Slack channels.
This has happened even to one of the best companies among us
Data could be scattered across multiple places, or you could get it all in a single place
The mindset is not confined to a bunch of tools that call themselves the best OSINT tools
Let us forget the organizations we work with for a while
http://www.mca.gov.in/mcafoportal/checkCompanyName.do
https://www.tripwire.com/state-of-security/featured/operation-shadowhammer-hackers-planted-malware-code-video-games/
Exactis
Shodan - allows you to monitor up to 16 IPs
hunter.io - get the email format. Is it {firstname}.{lastname}@company.com or {firstname}@company.com ? If you find the pattern, with the help of LinkedIn you could actually get all employees' emails
HIBP - was this email leaked in some previous breach ? If yes, can we get the credentials from the breach ?
If you find the info, contact the website to have it taken down
https://github.com/NaveenRudra/RTS
https://github.com/DataSploit/datasploit
Know yourself
Since you can look into your digital assets, make sure it is configured properly
Remove DNS records when no longer used
Think like an attacker
Always think how the public information could be used against your company
Proper compartmentation
Without proper compartmentation, attackers are able to leverage information from one compromised account to access another related account.
Vulnerability Management
A good vulnerability management program covers all assets. Vulnerability management tools will find the easily exploitable vulnerabilities
Employee awareness
You cannot control the employees’ personal online accounts
All you can do is provide general awareness of how posting company data online or reusing passwords could be tragic
----
Have different accounts for different environments
HaveIBeenPwned - free updates
---
Devil's advocate (policies, Data Loss Prevention)