CyberWire Daily - The OSINT revolution: How cyber and physical security teams are leveraging open source intelligence. [CyberWire-X]

Episode Date: October 2, 2022

On this episode of CyberWire-X, we dive into the essential role of open-source intelligence in identifying cyber and physical threats and reducing risk across your organization. The CyberWire's CSO, Chief Analyst, and Senior Fellow, Rick Howard, is joined in the first half by Hash Table members Dr. Georgianna Shea, CCTI and TCIL Chief Technologist at the Foundation for Defense of Democracies, and Bob Turner, Field CISO – Education at Fortinet. In the second half of the show, CyberWire podcast host Dave Bittner talks with our episode sponsor risk intelligence firm Flashpoint's Chief Intelligence Officer Tom Hofmann. They explore the foundational importance of open source intelligence, which includes social media platforms and geospatial data and insights. Plus, they explore real-life examples of how organizations, from governments to commercial enterprises, are leveraging open source intelligence and technology every day to protect their people, places, assets, and critical infrastructure.

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Hey, everyone. Welcome to Cyber Wire X, a series of specials where we highlight important security topics affecting security professionals worldwide. I'm Rick Howard, the Chief Security Officer, Chief Analyst, and Senior Fellow at the CyberWire. And in today's episode, we're talking about how cyber and physical security teams are leveraging open source intelligence. A program note, each CyberWireX special features two segments.
Starting point is 00:00:44 In the first part, we'll hear from a couple of industry experts on the topic at hand. And in the second part, we'll hear from our show's sponsor from their point of view. And since I brought it up, here's a word from today's sponsor, Flashpoint. Flashpoint is a globally trusted leader in risk intelligence and provides both the intelligence and the technology that empowers physical and corporate security, cyber threat intelligence, or CTI, vulnerability management, and vendor risk management teams to reduce risk across the entire organization. Governments, commercial enterprises, and educational institutions worldwide trust Flashpoint's industry-leading open-source intelligence, including social media and geospatial data, to protect their assets, people, and places from a variety of cyber and physical threats, including fraud, ransomware, insider threat, emerging malware, cybercrime, protests, and violent extremism.
Starting point is 00:01:49 Flashpoint's open-source intelligence also drives on-the-ground situational awareness for national security, public safety, and commercial security teams, including executive protection, geopolitical risk assessments, counterterrorism, misinformation and disinformation, identification and response, and crisis response. To learn more, visit flashpoint.io today. And we thank Flashpoint for sponsoring our show. I'm joined by Dr. Georgianna Shea. She is the Chief Technologist for Cyber and Technology Innovation and the Transformative Cyber Innovation Lab at the Foundation for Defense of Democracies.
Starting point is 00:02:39 She's also a long-running colleague and friend of mine and a regular contributor here at the Cyber Wire. Dr. Shea, thanks for coming on the show. Well, thank you so much for having me. So today we're talking about open source intelligence, specifically from social media platforms and geospatial data, and whether or not that kind of intelligence is helpful or useful to practitioners defending their digital assets in cyberspace. Now, you've had a couple of decades of experience helping the Department of Defense and other government organizations think about cybersecurity initiatives, and you teach information assurance at the Colorado Technical University
Starting point is 00:03:16 as an adjunct professor on such topics as operations, threat intelligence, and many others. So what's your take on this question? Is open source intelligence worth it? I think so, but I think you might get some pushback in various industries that aren't really embracing it. So I think traditionally it's been one of those areas that the intelligence community uses, law enforcement uses, but now you can really start moving out into other organizations and looking at how does your organization look online to your partners, to your customers, to potential adversaries that are going to target you? How much of your risk is exposed out there? So I think so. Yes.
Starting point is 00:04:01 It also depends on how big your organization is and how many resources you have. I mean, you know, I work at a startup these days. I don't have an intelligence team working for me who can daily monitor open source intelligence. So what do those folks do, the non-financials, the non-government organizations who don't have those giant teams? Can they buy that kind of intelligence and is it useful to them? Oh, absolutely. There's companies out there like they do open source intelligence and they actually go into the deep and dark web and look for information on your company and come back to you and tell you,
Starting point is 00:04:35 this is what you look like. This is the kind of information that's being traded about your company. This is what your reputation is. You look like low-hanging fruit to the hackers out there, or you don't. And it goes beyond your business partners. It also extends into whether or not insurance industries will want to insure you for cyber insurance. How big of a risk are you? So you want to understand what kind of information is being put out about your organization, not just on the internet, but also on the deep dark web and how exploitable do you look? If most people are familiar with the MITRE ATT&CK framework already, and it really starts from the cyber kill chain with that reconnaissance phase. There's different tactics
Starting point is 00:05:16 and techniques and the reconnaissance that the adversary uses. So you should be familiar if the adversary is going out and doing reconnaissance as their very first step. What does that look like for you? What are they seeing? So let's talk about those open source intelligence products. You sent me a draft paper that you're working on where you describe the overlap between influence campaigns and cyber operations. What's the paper called? Well, I'm still working on the title, but right now it's tentatively
Starting point is 00:05:47 digital footprint that provides a criminal foothold. And it discusses that overlap between the influence operations and cyber operations, because a lot of people look at those as two different subjects. But when you actually dig into how both are performing, you see an overlap in tactics and techniques. We're pretty familiar with the attack tactics and techniques of how adversaries go in and do cyber operations. They break into your system. They do lateral movement. Before they do that, they will go through and establish their infrastructure, maybe a fake website, fake accounts. There's another emerging framework out there called DISARM, which I'm really excited about. And it's the dis framework where you have different tactics and
Starting point is 00:06:45 the techniques for each of those. And it gets into very, very similar, develop your enabling architecture and infrastructure. So you have to make fake people, make fake accounts, make fake websites. So then when you look at both of these different frameworks, you're seeing, okay, there's a development of disinformation out there, some deception techniques. You have a website that maybe you think is authentic. You trust it. You might see a little padlock in the corner. You believe it has a certificate. You go to the website and it's giving you false information. If you're a company, maybe it's giving you some bad information about your company and it's from a competitor or a disgruntled employee.
Starting point is 00:07:28 If it's a cyber attack, maybe it's a website that you're going to and they're now downloading malware on your system. So the actual objectives of the website might be different, but the enabling infrastructures is pretty much the same. And so in my paper, I get into those overlapping technical pieces, like using certificates on websites that really have no attribution or authentication as to who they belong to. You can get a cert for a website that doesn't actually go back to a person who's been authenticated. You go to websites that are using DNS abuse. So you think you're going to an authentic website that's a part of an organization, but through typosquatting or other techniques, it's not the real website. And then once you get to those fake websites, they can, again, either do some disinformation or they can do some cyber operations. It kind of depends.
Starting point is 00:08:23 But through the social media platforms, you then see a lot of different accounts steering people to those sites. And when I say steering it, when you look at Twitter, you look at other platforms, you have multiple users out there. And it might be a real person. It might be an account that has been hijacked. So it looks like a real account, but now it's being used by someone else, or it might be a fake account altogether, fake name, fake person, or it could be a bot. So you really don't know who's giving you this information and steering you to these
Starting point is 00:08:54 sites. And you really don't know, okay, is this true? Is this not true? Is this authentic? Is it not authentic? And there's not the transparency there to really give you that warm and comfy feeling of, okay, I can believe this. Bob Turner is the former CISO from the University of Wisconsin-Madison, but is now the field CISO for education at Fortinet. He is also a regular here on the hash table, and he says that open source intelligence is worthwhile, but you probably shouldn't use it as the primary source. My real concerns there is that it comes from social media. So is the material valuable? Sometimes yes, sometimes no. When I'm looking at that as a CISO, I'm looking to find out if it actually correlates with other trusted cyber intel sources before I consider its use as good for whatever purpose I'm applying this intel to.
Starting point is 00:09:53 In the education vertical, I recommend that the education SOC teams use open source intel from social media as a way to complete the picture, not as the primary source. It is important that whatever we do with the intel we have be verifiable. And I guess the real example I have from this is if you harken back to the SolarWinds events of a year or so ago, several years ago, actually, we kept getting a lot of information about SolarWinds and what it applied to. And we were getting those from a number of sources, some of those sources federal, some of those sources state government, and a lot of those sources technology driven. The social media posts, a lot of them on LinkedIn, before, during, and after the event
Starting point is 00:10:40 actually occurred, it actually helped to isolate whether or not our impacted systems were truly impacted. And it helped us to determine that in our condition with the makes and the models and everything being shown there and the DLL versions and all of that, that we actually didn't have any possibility of exploitation. I would say that that is a case where the information derived from social media was very helpful. But again, to reiterate my original point, we correlated that data with other information that we're getting from legitimate sources, including the FBI and the Research and Education Network's Information Sharing and Analysis Center. So let's go do some basics here about DISARM. I'm going to come back to MITRE ATT&CK in a second, all right? But DISARM, does that acronym spell anything,
Starting point is 00:11:35 or is it just a fancy name that highlights what's going on here? Yeah, so DISARM, it's Disinformation, D, Analysis, A, and Risk, R, Management, M. So DISARM framework. It used to be called the AMIT, which was the Adversarial Misinformation Tactics and Techniques, but they renamed it to DISARM. According to the DISARM Foundation website, their vision is that all who encounter the existential problem of disinformation and work to reduce the impact and risk are empowered to coordinate their efforts through the sharing of a single-source collaborative framework. Their framework published on their website is similar
Starting point is 00:12:09 in look and feel to the MITRE ATT&CK framework. Well, let's talk about the Winter Olympics study because that's really fascinating. You were working with the sports ISAO to help with, I guess, the most recent Olympics in Beijing, right, in 2022. Is that right? Yep, correct. And what were you trying to do with that study? The purpose was really just to kind of bring together the policy communities that are looking at the cyber operations and influence operations as being two different things. So when you hear about like the elections and disinformation in the media, a lot of topics come up like freedom of speech and censorship. And I didn't want to go down that road with it. I really wanted to show the technical attribution
Starting point is 00:12:52 of where things are coming from so that you can see if there was transparency, you can go through and do your research. You can trust a site or not trust a site. It's very closely parallel to the cyber operations. You're not going to go to a website that you don't trust. And if you don't know whose website it is, how can you trust it? So with the DISARM framework, and until we started talking about this prepping for the show, I didn't realize there was so much overlap. But what you're saying is for these influence operations, there is an infrastructure that the bad guys use to do these influence operations. And it sort of overlaps with what we cover in the MITRE ATT&CK framework.
Starting point is 00:13:33 They still got to have websites. They still got to have command and control. They still have to do those things. And so there'd be certain things that a network defender could do to prevent that kind of thing from showing up on their user's equipment. Did I summarize it correctly? You did. And I don't, well, maybe I don't want to say prevent it coming up because you may not be
Starting point is 00:13:55 able to go through and determine absolute, like in cyber operations, it's always difficult to prove attribution. In influence operations, it'll be difficult to prove whether or not it's true or not true. But you can definitely go through and determine ownership of sites, fake accounts, DNS abuse, deception techniques that give you that transparent information on, okay, this is an indication of not a trustworthy source. So you could identify user IDs from social media, inform your employees that these are disreputable people. We could do those kinds of things and, like you said, not stop these influence operations, but at least keep our employees and friends,
Starting point is 00:14:38 keep them aware of what's going on. Right. Absolutely. There's indications of a fake account. There's indications of bots that are being used. There's indications of hijacked accounts. One of the really interesting finds that we found during the Winter Olympics was there were a number of different handles being used that were actually compromised accounts from a company years before. So someone had broken into a company, they compromised it, they had all of the usernames and passwords, dumped them someplace, and then someone else picked them up and used all those usernames as fake Twitter handles.
Starting point is 00:15:16 Now it looks like they're regular accounts with diverse names, but it's like, oh, these are all the same individuals that we found were stolen from this other compromise years ago. And we also found reused infrastructure. So the same bot networks that are out there doing misinformation, promoting fraud, sports streaming, video streaming, fraud, cybercrime activity. These were the same infrastructures that were being used in previous major sporting events. So we're getting into the end of this, but I guess from all the things you're throwing out here, I guess you're a big fan of open source intelligence for social media and other things. What's your last word on this, George?
Starting point is 00:16:00 Well, you know, I don't think it's a new area. I just think it's a very underutilized skill set and capability that people aren't taking advantage of. In the cyber kill chain, the very first stage is reconnaissance. That's how the adversary is going to pull all the information they can on you. So you as an organization owner, you should know how you look. And it's no longer, like I said, just from the hacker's perspective, do you have vulnerable software? What kind of operating systems are you using? Let me try to summarize it.
Starting point is 00:16:31 I think it's using some techniques we know how to already use with the MITRE ATT&CK framework and applying it to a different set of intelligence coming in. But there is overlap in some of the things we can do to protect our enterprise, right? Is that the summary?
Starting point is 00:16:44 Is that close enough? Yes. Yes, I believe so, yes. All right. Next up is Dave Bittner's conversation with Tom Hoffman, the VP of Intelligence at Flashpoint, our show's sponsor. So today we're talking about open source intelligence and how that applies for enterprise security, also physical security. In your mind, how do you define OSINT? Yeah, it's an interesting conversation. OSINT has definitely been around for quite some time, going back to World War II.
Starting point is 00:17:29 But really, in the public sector national security space, it has a specific definition, which is the gathering of publicly available information and using that for decision advantage within the national security apparatus. Within the commercial space, it's been also evolving over the years as more and more companies are worried about cyber threats and things happening outside of their networks. They too have been really embracing this, looking at information that they know, not only attackers, but then also individuals on the internet, what they can learn about an organization, their exposures. And this is where the commercial space has really adopted the same techniques.
Starting point is 00:18:16 And they're starting to look at information that you can access on the internet. And as we know, that really runs the full gamut now. It's no longer just text and newspapers, it's videos and images and lots of different information that really has been transforming the way people are thinking about how they use publicly available data for their commercial and public sector use cases. Are there examples of things that folks don't generally think about when it comes to open source intelligence? I mean, I think about my name, my address, maybe my birth date, but those are all out there. But what other things do people generally not consider?
Starting point is 00:18:56 Yeah, this is an interesting aspect. A lot of public sector customers who, when they are talking with us and understanding where the commercial sector is really leveraging different requirements on us to go find information, they're really fascinated with really the scope of what it is. So this runs counterterrorism, so tracking jihadist activity, and then that also extends into domestic extremists. And a lot of people are surprised. They're like, wow, I didn't realize there was a commercial use case for that. But when you start thinking about physical security and organizations with overseas operations and employees traveling to different parts of the globe, you start to understand that there is an actual real compelling need there to understand what's happening. It includes cybercrime. This has also been interesting where for a lot of times it was really thought about the criminal community.
Starting point is 00:19:53 They're stealing credit cards. They're stealing information. Yes, but it was kind of just focused and closed into a few use cases. More and more we're seeing that the tools and the techniques that are being developed within these criminal communities are being used for a lot of different reasons, to include where we see some of the ransomware gangs, those operations. We're now seeing nation states use those as false fronts. So now it's really blending where traditionally you would think that there were nice separations with some of the activities on the Internet.
Starting point is 00:20:27 We're seeing more and more that there's dual use, there's false flags, there's a lot of reasons why strong interest in really understanding all types of activities that are happening on the Internet. Yeah, I recall a conversation that was a little bit of an eye-opener for me. I was talking to someone who's a security person at an organization that was in the food processing industry, and they dealt with chicken. And he was saying that one of the things that he relied on, threat intelligence, was to know if people were going to be protesting at one of their plants, for example. Yeah, we had, in one of my previous positions, working with a large bank, it was another similar thing where it was different groups who were protesting, not breaking the law,
Starting point is 00:21:16 but just disagreed with some of the corporate policies. And they would routinely stage different demonstrations outside different bank locations. And we were able to use our intelligence process to understand what was happening outside in the real world to then notify the local branches that this activity was going to happen. And we could provide them some background about what the group was coming for. And it was a peaceful protest. There was no problem there, but it was just a different way in which you can start thinking about, there are different applications for where some of these commercial intelligence
Starting point is 00:21:53 capabilities have developed and they aren't all for threats. Sometimes it's for brand awareness. Sometimes it's for educating your employees. Sometimes it's, as you were saying, there is a threat and you want to make sure that you're taking those proactive steps to protect your employees and your corporate assets. What is the difference for an organization with engaging with an organization like yours versus trying to take care of these things in-house? Yeah, we're asked that quite often, and a lot of it has to do with the scale.
Starting point is 00:22:33 Referencing the earlier position I had within a bank, it was also about your risk exposure. And for us, while we were well-equipped and had a very large team, it was a step too far to think that we were going to have a Russian linguist and a Chinese linguist and a Persian Farsi linguist, and then also have the infrastructure in which to operate anonymously on the internet. So you further reduce your digital footprint for the different areas in which you're operating. And this is one where commercial intelligence vendors,
Starting point is 00:23:02 they're able to bring this capability and really assume some of the risk on behalf of the corporate customers. And this is where a lot of organizations come to us. And then it's also operating in that space. If you're a bank or a manufacturer or operating a pipeline, that's not your core business to understand what's happening within some of these far reaches of the internet. And that's where companies like Flashpoint really specialize in indexing what's happening there and making it a lot easier for organizations to understand what's happening. And then if there is something that they deem a threat, that they're able to mitigate it as well. Yeah, I would imagine that a lot of particularly smaller and medium-sized businesses, they may think, well, you know, I'm so small, what do I
Starting point is 00:23:51 need this sort of thing for? How do you go about dialing it in for organizations like that, demonstrating, you know, here's the actual value here? Yeah, unfortunately, a lot of the headlines drive that conversation, and a lot of those over the past two years has been ransomware. This has been one where the ransomware attacks that hit big companies, yes, they clearly get the headlines and they get a lot of the press attention. But really where this is impacting is those small and medium-sized businesses. To your point, they typically do not have the large budgets. They do not have the teams in place to really deal with this type of threat. And this is where that education and helping them understand those basics of cyber hygiene, what their exposure is, how to train your employees, which is most important to really help your employees understand those threats so they can avoid some of these common attack techniques. And that's one where the education aspect and helping them just understand
Starting point is 00:24:53 how these attacks occur so they can look at their own organization and then better deploy new technologies, move things to the cloud, educate your employees. These are all things that we see that there is strong adoption and interest, even with the smaller organizations. Do you have examples of when folks are on the other side of this? Perhaps they were skeptical coming in, but then they see the sort of information that's being provided. Is there an aha moment there for them?
Starting point is 00:25:24 Yeah, the aha moment, and I have this with my family as well. We are sitting on an archive of all of the stolen databases, stolen emails, and we make that available to customers so they can help understand what their exposures are just from stolen username and passwords.
Starting point is 00:25:42 And when you can go in here and quickly search across 40 billion username and passwords that have been compromised and sold and resold and reposted, and you can look at that and you can see passwords and accounts that you haven't touched in 10 years, and you realize, oh my gosh, this is what's out there. And even for me, I searched through there and saw one of my passwords that I reused all the time that was for an account 10 years ago.
Starting point is 00:26:05 I was like, yeah, even I. You fall into some of these habits and they're bad habits and it's a great eye-opening thing when you see that. And that's when you understand, wait, if Flashpoint has access to this, that's where all the bad people have access to this as well. And it really is a great way to really bring home and take a lot of the mystery out of what's happening within some of these communities and helping people really understand what the real threats are. What are your recommendations for folks who are looking to explore this, who may think they want to get started, but they're not sure where to begin? Where to begin? It's a great question.
Starting point is 00:26:46 First, it's understanding what your threats are and do you even know what's happening on your networks? And we see that as often a great question when you are starting this journey to see if other organizations or other companies can help you understand what your exposure is. So we are quite often just asked to do a simple look for an organization or a company to see what is exposed. It's called attack surface management, where it's just really understanding
Starting point is 00:27:17 what is out there. And that oftentimes leads to a lot of conversations about what the exposure is, how you can mitigate that. And that often leads to much more fruitful conversations where you can actually start talking about those different steps in which you can help mitigate this. And the good news is a lot of times it is a, I shouldn't say a simple conversation, but it is getting the multi-factor authentication set up. It's making sure that your employees are properly educated on the common phishing techniques and how to report.
Starting point is 00:27:51 And just getting an understanding of what's happening within your own networks is often the first step. We'd like to thank Dr. Georgianna Shea, the Chief Technologist at the Foundation for Defense of Democracies, Bob Turner, the Field CISO for Education at Fortinet, and Tom Hofmann, the VP of Intelligence at Flashpoint, for helping us get some clarity about how to think about open source intelligence. CyberWire-X is a production of the CyberWire and is proudly produced in Maryland at the startup studios of DataTribe, where they are co-building the next generation of cybersecurity
Starting point is 00:28:29 startups and technologies. Our senior producer is Jennifer Eiben. Our executive editor is Peter Kilpe. And on behalf of my colleague, Dave Bittner, this is Rick Howard signing off. Thanks for listening.
