May 3, 2013

Execute WEBINT to prevent cyber attacks

Common practice
Many organizations understand the need to harden servers and network equipment, write secure code, perform penetration tests, implement DLP systems, etc.

Similarly, we protect our personal interests as well, e.g. we keep our passwords secret, don't enter our credit card details on web sites we don't trust, etc.

What do you miss?
The first and simplest question is: "Did you Google yourself at least once?"
If your answer is yes, then you are halfway to understanding what should be done.

Second question: "Did you look in people-specific search sites?" e.g. and
A people search engine can collate any filed information about a specific person. For instance, by searching my name, I can find the following interesting facts about myself (not all true, but it's pretty good):
By searching people, we actually do HUMINT (Human Intelligence). This method can assist cyber criminals to manipulate us, steal sensitive information or to spoof our identity.

What does your organization miss?
Similar to performing HUMINT on people, cyber criminals collect information about organizations using OSINT (Open Source Intelligence). The most common way to collect information is the web, which is called WEBINT (Web Intelligence).

WEBINT is NOT less important than the common ways of protecting the organization. Actually, by executing WEBINT on the organization, the information security manager can get a picture of what the cyber criminal sees while collecting information before the attack. From there, the information security manager can take proactive steps to minimize the residual risk on assets.

How to execute WEBINT on your organization?
The most important question that should be answered prior to execution is "what do you know about your organization?". Organize the answer somewhere and begin the WEBINT.

There are many great tools to do that; I want to demonstrate the common ways:
1. Use Google hacks to find URLs, email addresses, sub-domains and other entry points. For example, to find Facebook's sub-domains, the following query can be googled: "site:* -www", which means to look at any prefix followed by the domain, except when the prefix is "www". See the result below:

2. Use the SHODAN search engine to find whether the organization's IP addresses are published and what banners people see. See the search results below:

3. Find job openings in your organization. Sometimes the requirements in the job description expose the technologies used in the company, e.g. Java developer with experience in the Hibernate framework, system admin with experience in Windows 2003 and above, WebSCADA expert.

4. Underground work. Go to the Onion network (Darknet), look into private blogs or follow people/hacktivists on Twitter to find information about your organization and even planned attacks.

It is important to mention that these are only examples; each organization may need to look in many more sources.
Note: Maltego is a pretty good tool that can combine a few of the methods above, and more.
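The post says to write down what you know about your organization before starting, and the payoff of WEBINT is the gap between that list and what the open web shows. The following script, added here as an illustration and not part of the original post or any tool it names, reconciles a constructed asset inventory against constructed search hits and Shodan-style host records; all domains and IPs are hypothetical documentation values.

```python
"""Reconcile WEBINT findings against the organization's own asset inventory.

All data below is constructed for the example: KNOWN_INVENTORY stands in for the
"what do you know about your organization" list, SEARCH_HITS for results of a
'site:*.example.com -www' style query, and SHODAN_RECORDS for Shodan host entries.
"""
import re

ORG_DOMAIN = "example.com"  # hypothetical organization domain

KNOWN_INVENTORY = {
    "hosts": {"www.example.com", "mail.example.com", "vpn.example.com"},
    "ips": {"192.0.2.10", "192.0.2.11"},
}

SEARCH_HITS = [  # constructed URLs returned by the search engine
    "https://mail.example.com/owa/",
    "http://dev-jira.example.com:8080/secure/Dashboard.jspa",
    "https://vpn.example.com/",
    "https://old-backup.example.com/",
]

SHODAN_RECORDS = [  # constructed, shaped like Shodan host entries
    {"ip": "192.0.2.10", "port": 443, "banner": "Server: nginx"},
    {"ip": "192.0.2.11", "port": 25, "banner": "220 mail ESMTP Postfix"},
    {"ip": "192.0.2.20", "port": 80, "banner": "Server: Apache/2.2.3 (CentOS)"},
]

# Matches product/version strings such as "Apache/2.2.3" in a banner.
VERSION_RE = re.compile(r"[A-Za-z][\w.-]*/\d+(\.\d+)+")

def hostnames_from_hits(hits):
    """Extract hostnames under ORG_DOMAIN from search-result URLs."""
    hosts = set()
    for url in hits:
        m = re.match(r"https?://([^/:]+)", url)
        if m and m.group(1).lower().endswith("." + ORG_DOMAIN):
            hosts.add(m.group(1).lower())
    return hosts

def reconcile(inventory, hits, records):
    """Return hosts and IPs the web shows but the inventory lacks, plus banners leaking versions."""
    unknown_hosts = sorted(hostnames_from_hits(hits) - inventory["hosts"])
    unknown_ips = sorted({r["ip"] for r in records} - inventory["ips"])
    version_banners = [(r["ip"], r["port"], r["banner"])
                       for r in records if VERSION_RE.search(r["banner"])]
    return {"unknown_hosts": unknown_hosts, "unknown_ips": unknown_ips,
            "version_banners": version_banners}

if __name__ == "__main__":
    for key, value in reconcile(KNOWN_INVENTORY, SEARCH_HITS, SHODAN_RECORDS).items():
        print(key, value)
```

Each item in the report is a candidate for the proactive steps the post mentions: an unknown host or IP goes into the inventory (or gets decommissioned), and a version-revealing banner gets trimmed so the pre-attack picture is smaller.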

In many cases cyber criminals can use the collected HUMINT information to do social engineering on your organization. Knowing facts from WEBINT makes the criminals stronger, since they have not only business information but also personal information, which leads to a higher level of trust in the social engineering attempt.

There is no single solution, since any exposure can lead to other types of risk. Moreover, this process shouldn't occur only once, but as an ongoing process, like performing penetration tests.
