OSINT for Attack Surface Monitoring
Oct 12, 2020
In this series of posts, Victoria Willis explores how OSINT (Open Source Intelligence) can be applied in the areas of Cyber Threat Intelligence, IT Asset Discovery, Security Assessments and Attack Surface Monitoring. In this fourth and final post of the series, the focus is on the relevance of OSINT when attempting to monitor your “attack surface.” Check out the previous posts on using OSINT for Cyber Threat Intelligence, OSINT for IT Asset Discovery, and OSINT for Security Assessments.
If you’re looking to beef up your attack surface monitoring efforts, understanding your OSINT footprint is essential. OSINT, or Open Source Intelligence, refers to the gathering of publicly available information on an individual or organization. This information represents a collection of data that can be gathered by a malicious actor and used to identify systems and users, as well as gather information about them. This can lead to increased (and possibly unintended) visibility of an organization’s assets and associated information security risks.
Although OSINT can be used by malicious actors, it also provides valuable information on what an organization’s attack surface looks like to the public. For organizations, OSINT serves as a reconnaissance effort to better understand what their footprint looks like to the outside world. Attackers routinely use OSINT, through both manual research and tooling, to find information about their targets that may be weaponized in support of an attack. Because an individual or group with malicious intent can turn OSINT against an organization, it is important that organizations understand what data can be found on them in the wild.
With the use of OSINT, security leaders can verify information they wouldn’t want to be public and use that data to ultimately reduce their attack surface exposed to potential threats. Security operations can also leverage OSINT as an early warning system for identifying problems that may have already occurred, like a data breach.
Attack Surfaces and Hidden Risks
In the modern digital landscape, your attack surface consists of much more than just open ports, host names and IP addresses. Email addresses, employee names, SaaS platforms, cloud-based tools and storage, public records, data breaches, social media accounts and more are now all potential areas of risk. Exposed emails and information available on social media can be used to help attackers lead targeted phishing attacks, for example. Or, a malicious actor might use credentials from a recent data breach to gain access to intellectual property stored in a cloud-based service.
With an attack surface that now extends far beyond an organization’s own network, traditional methods of scanning and reconnaissance are no longer enough. The amount of publicly available information is constantly expanding; identifying what information is available about your organization is critical to your ability to adequately address potential risks.
To fully understand the scope of information that may be publicly accessible, organizations need to utilize multiple sources of OSINT for data collection. Through OSINT, organizations can actually begin to piece together a complete picture of what their attack surface looks like to the world, and what unintended exposures may be available to the eyes of malicious actors.
While this information can help give organizations a full picture of what their attack surface looks like to the public, the growing availability and scope of OSINT really puts the onus on security leaders to gather as much data as possible for proactively identifying new exposures.
Automating Attack Surface Monitoring
Using multiple OSINT sources is critical to getting a full view of an organization’s attack surface — but obtaining all the necessary information from many sources can be overly complicated and time-consuming. New OSINT sources crop up all the time, and each exposes a different API, which adds steps to the collection process. Normalizing and correlating the data is a substantial undertaking in itself, as is keeping up with API changes over time. Automated OSINT tools take on this collection work, gathering the critical information organizations need for accurate attack surface monitoring and allowing users to focus their energy on analysis and response.
SpiderFoot is one automated OSINT platform built with this use case front and center. Users can monitor over 100 different sources of OSINT to gather intelligence on IP addresses, domain names, email addresses, names and more. As part of a new generation of reconnaissance tools, SpiderFoot integrates easily with third-party APIs such as Shodan, HaveIBeenPwned and AlienVault OTX. For OSINT automation, the ability to integrate with third-party APIs and correlate the results is key to overall effectiveness, and those APIs come from many kinds of sources: internet scanners, passive DNS services, reputation systems and others. Compatibility with this vast array of sources is critical to helping security professionals better understand and assess their organization’s attack surface.
SpiderFoot streamlines both data collection and continuous monitoring, automatically triggering notifications via email, Slack and other channels when changes to an organization’s OSINT footprint are detected. Taking the automation a step further, integrating these results with a SIEM, vulnerability scanners and risk dashboards can help security operations run more efficiently and support incident response and overall information security risk management.
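As an added illustration of the normalization, correlation and change-detection steps described above (example code written for this post, not SpiderFoot's own; the source names, field layouts and records are constructed), the script below maps three differently shaped feeds onto one schema, groups findings per asset, and emits a notification line only for exposures absent from the previous run:

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    asset: str   # the organization asset involved (IP, domain or email)
    kind: str    # normalized category, independent of the source's field names
    value: str   # the observed detail
    source: str  # which OSINT source reported it

# Constructed sample records, each in the shape its (hypothetical) source returns.
SCANNER = [{"ip": "203.0.113.10", "port": 22, "product": "OpenSSH"},
           {"ip": "203.0.113.10", "port": 3389, "product": "RDP"}]
BREACHES = [{"Email": "alice@example.com", "Name": "ExampleBreach2020"}]
PASSIVE_DNS = [{"rrname": "dev.example.com", "rrtype": "A", "rdata": "203.0.113.10"}]

def normalize(source: str, records: list[dict]) -> set[Finding]:
    """Map each source's own field names onto the common Finding schema."""
    out = set()
    for r in records:
        if source == "scanner":
            out.add(Finding(r["ip"], "open_port", f'{r["port"]}/{r["product"]}', source))
        elif source == "breaches":
            out.add(Finding(r["Email"].lower(), "breached_email", r["Name"], source))
        elif source == "passive_dns":
            out.add(Finding(r["rrname"], "dns_record", f'{r["rrtype"]} {r["rdata"]}', source))
            out.add(Finding(r["rdata"], "hostname", r["rrname"], source))  # link IP <-> name
    return out

def correlate(findings: set[Finding]) -> dict[str, list[Finding]]:
    """Group findings by asset so one IP shows its ports and the names pointing at it."""
    by_asset: dict[str, list[Finding]] = {}
    for f in sorted(findings, key=lambda f: (f.asset, f.kind, f.value)):
        by_asset.setdefault(f.asset, []).append(f)
    return by_asset

def new_exposures(previous: set[Finding], current: set[Finding]) -> list[Finding]:
    """Continuous monitoring: only findings absent from the last run are alert-worthy."""
    return sorted(current - previous, key=lambda f: (f.asset, f.kind, f.value))

def alerts(previous: set[Finding], current: set[Finding]) -> list[str]:
    """Format one notification line per new exposure (sent via email/Slack in practice)."""
    return [f"NEW {f.kind} on {f.asset}: {f.value} (via {f.source})"
            for f in new_exposures(previous, current)]

if __name__ == "__main__":
    baseline = normalize("scanner", SCANNER[:1]) | normalize("passive_dns", PASSIVE_DNS)
    current = baseline | normalize("scanner", SCANNER) | normalize("breaches", BREACHES)
    for line in alerts(baseline, current):
        print(line)
```

Persisting the previous run's findings (for example as JSON) and diffing against them on a schedule is what turns a one-off collection into monitoring.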