recon / osint [open source intelligence] -...
TRANSCRIPT
![Page 1: recon / OSINT [Open Source Intelligence] - Meetupfiles.meetup.com/1487178/OWASP-recon_OSINT-June_2016.pdf · recon / OSINT [Open Source Intelligence] TRAVERSING DOWN THE RABBIT HOLE](https://reader038.vdocuments.net/reader038/viewer/2022102920/5a81fd897f8b9a682c8da056/html5/thumbnails/1.jpg)
recon / OSINT [Open Source Intelligence]
TRAVERSING DOWN THE RABBIT HOLE
Eric Hart -- Credit Suisse

INTELLIGENCE GATHERING AND RECONNAISSANCE
If you don’t know where you’re going, any road will get you there.

Many Communities | One Purpose
• Governments
• Intelligence Communities
• Armed Forces
• Homeland Security
• Law Enforcement Agencies
• Businesses

Many Goals | One Purpose
• Gather as much information as possible from all available sources and analyze it to do one thing:
• Produce Actionable Intelligence*
*pentest-standard.org

All roads lead to Nirvana… or do they?

INTELLIGENCE THEORY
• Intelligence is the ultimate paradox
• Assumptions must be explicit
• Intelligence can produce benefits and can also be harmful
• Intelligence cannot be predicted, only recommended
• Intelligence can produce unintended outcomes
Oxford Handbook of National Security Intelligence – Dr. Peter Gill

INTELLIGENCE THEORY
• The Critical Realist Approach
  • Causation through interaction between actors and structures
  • Processes cannot be observed
  • Evidence should be tested against the hypotheses | application of alternative theories and models
Oxford Handbook of National Security Intelligence - Peter Gill

INTELLIGENCE THEORY
• Intelligence is a subset of surveillance
• The heart of risk management combines knowledge and power
Figure (slide graphic): Intelligence Activities: Targeting, Collection, Analysis, Dissemination, Action; labelled POWER
Oxford Handbook of National Security Intelligence - Peter Gill

INTELLIGENCE THEORY
• Defensive Surveillance vs Intelligence
  • Defensive Surveillance = Risk
  • Intelligence = Threats
Oxford Handbook of National Security Intelligence - Peter Gill

INTELLIGENCE THEORY
• Four Types of Knowledge and Power
  • Certainty – outcomes are known, clarity of preference is needed
  • Risk – benefits and adverse effects are known, probability of various outcomes
  • Uncertainty – possible outcomes are known, no way to estimate probability
  • Ignorance – cannot anticipate adverse effects; magnitude, relevance and probability are unknown
Figure (slide graphic): the four types, labelled KNOWLEDGE and POWER
Oxford Handbook of National Security Intelligence - Peter Gill

INTELLIGENCE THEORY
• What is Intelligence or OSINT?
• [Art + Craft + Science + Capability (read: Domain Knowledge)] – Richards J. Heuer
The Tao of Open Source Intelligence – Stewart K. Bertram

INTELLIGENCE THEORY
• OSINT | Four concepts or Four Layered Approach
  • Multilayered
  • Cyber geography
  • Mixed Medium
  • Tangibility
The Tao of Open Source Intelligence – Stewart K. Bertram

INTELLIGENCE THEORY
• Multilayered
  • Surface Web
    • Common Knowledge **caveat emptor – Google is NOT the internet
    • Generally not sensitive data
    • Available via mainstream browsers
  • Deep Web
    • Not indexed by main search engines
    • Cannot be read by conventional technology
    • Information on individuals is located here but not easily accessible
  • Dark Web
    • Accessed by anonymized methods (TOR)
    • Often used for criminal activities
The Tao of Open Source Intelligence – Stewart K. Bertram

INTELLIGENCE THEORY
• Cyber Geography
  • Region based
    • Anglophone
    • Russophone
    • Etc.
  • Divided linguistically
  • Knowing only one language diminishes success
  • Beware ‘single-source intelligence’
The Tao of Open Source Intelligence – Stewart K. Bertram

INTELLIGENCE THEORY
• Mixed Medium
  • Not single-sourced
  • Complex combination of search and display technologies
  • Each component requires a unique set of techniques to master
  • Risks and operational requirements must be evaluated before being put into use
The Tao of Open Source Intelligence – Stewart K. Bertram

INTELLIGENCE THEORY
• Tangibility
  • ‘Real world’ vs the Internet
  • Importance to the human experience?
  • Relevance to basic needs, e.g. stable electricity and clean water
The Tao of Open Source Intelligence – Stewart K. Bertram

ELEMENTS OF OSINT
• OSINT – 4 Elements
  • Uncovering
  • Discrimination
  • Refining
  • Delivering
4 Elements | Still one purpose: Produce Actionable Intelligence
Infosec Institute

ELEMENTS OF OSINT
• OSINT – Uncovering
  • Who knows about the data?
  • Where do we look?
  • Which data is appropriate?
  • Leverage distributed expertise and knowledge
Infosec Institute

ELEMENTS OF OSINT
• OSINT – Discrimination
  • Discriminate between the good and the bad
  • Eliminate the outdated and irrelevant
Infosec Institute

ELEMENTS OF OSINT
• OSINT – Refining
  • Assembling the final output
  • Length depends upon relevant data
Infosec Institute

ELEMENTS OF OSINT
• OSINT – Delivery
  • Must be given in proper time
  • Format has to be clear and easily understandable
Infosec Institute

ELEMENTS OF OSINT
• OSINT – a maturity model
  • Corporate
  • Individual
  • Covert Gathering
  • Footprinting
  • Identify Protection Mechanisms
• 3 Levels of Information Gathering
  • Level 1 | Compliance
  • Level 2 | Best Practice
  • Level 3 | State Sponsored
www.pentest-standard.org

OSINT FRAMEWORK

ELEMENTS OF OSINT
• OWASP – Testing Framework
  Phase 1: Before Development Begins
  Phase 2: During Definition and Design
  Phase 3: During Development
  Phase 4: During Deployment
  Phase 5: Maintenance and Operations
www.owasp.org

ELEMENTS OF OSINT
• OWASP – Testing Framework
  Phase 1: Before Development Begins
    1.1: Define a SDLC
    1.2: Review Policies and Standards
    1.3: Develop Measurement and Metrics Criteria and Ensure Traceability
www.owasp.org

ELEMENTS OF OSINT
• OWASP – Testing Framework
  Phase 2: During Definition and Design
    2.1: Review Security Requirements
    2.2: Review Design and Architecture
    2.3: Create and Review UML Models
    2.4: Create and Review Threat Models
www.owasp.org

ELEMENTS OF OSINT
• OWASP – Testing Framework
  Phase 3: During Development
    3.1: Code Walk Through
    3.2: Code Reviews
www.owasp.org

ELEMENTS OF OSINT
• OWASP – Testing Framework
  Phase 4: During Deployment
    4.1: Application Penetration Testing
    4.2: Configuration Management Testing
www.owasp.org

ELEMENTS OF OSINT
• OWASP – Testing Framework
  Phase 5: Maintenance and Operations
    5.1: Operational Management Reviews
    5.2: Periodic Health Checks
    5.3: Ensure Change Verification
www.owasp.org

ELEMENTS OF OSINT
digital-forensics.sans.org
Figure (slide graphic, Pyramid of Pain): indicator types IP Addresses, Domain Names, Network/Host Artifacts, Tools, TTPs; difficulty scale Trivial, Easy, Annoying, Challenging, Tough!
Collective Intelligence Framework
collectiveintel.net
• REN-ISAC project
• Pulls in feed of IOC’s from public and private sources
• Focuses on lower end of “pyramid of pain”
• Exports data to infrastructure or supports lookup during response
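What those three bullets amount to in code, as an added example that is not from the slides and not the CIF project's own code: a small Python indicator store that ingests a constructed IOC feed, tags each indicator with its pyramid-of-pain level, discards outdated, malformed and irrelevant entries (the Discrimination element from the Elements of OSINT slides: eliminate the outdated and irrelevant), and then either exports a blocklist for infrastructure or answers lookups against log lines during response. The feed format, the sample indicators and log lines, the function names and the 90-day staleness window are all assumptions made here; hash values and the "Simple" label come from David J. Bianco's original pyramid rather than from the slide.

```python
"""Added example: a minimal IOC store in the spirit of the CIF slide.

Not the CIF project's code. Feed format, sample data, names and the
90-day staleness window are assumptions made for this demonstration.
"""
import csv
import io
import ipaddress
import re
from datetime import date, timedelta

# Pyramid-of-pain levels, bottom to top. Hash values and the "Simple" label are
# from David J. Bianco's original pyramid; the slide lists the other five levels.
PYRAMID = {
    "hash":     (1, "Trivial"),
    "ip":       (2, "Easy"),
    "domain":   (3, "Simple"),
    "artifact": (4, "Annoying"),
    "tool":     (5, "Challenging"),
    "ttp":      (6, "Tough!"),
}

# A proxy or firewall blocklist can only express the lower levels; tools and
# TTPs are kept for analysts but never exported to infrastructure.
EXPORTABLE = {"hash", "ip", "domain"}

DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$")
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")

# Constructed feed (type,value,last_seen,source); not CIF's real feed format.
SAMPLE_FEED = """type,value,last_seen,source
ip,203.0.113.45,2016-06-10,private-partner
ip,198.51.100.7,2015-11-02,public-list
ip,999.1.1.1,2016-06-11,public-list
domain,bad-updates.example,2016-06-12,public-list
domain,Login.Example.NET,2016-06-12,private-partner
hash,e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855,2016-06-01,public-list
ttp,spearphishing attachment,2016-06-12,private-partner
pager,555-0100,2016-06-12,public-list
"""


def normalize(kind, value):
    """Return the canonical form of an indicator, or None if it is malformed."""
    value = value.strip()
    if kind == "ip":
        try:
            return str(ipaddress.ip_address(value))
        except ValueError:
            return None
    if kind == "domain":
        value = value.lower().rstrip(".")
        return value if DOMAIN_RE.match(value) else None
    if kind == "hash":
        value = value.lower()
        return value if SHA256_RE.match(value) else None
    return value  # artifacts, tools and TTPs stay free text


def load_feed(text, today_iso, max_age_days=90):
    """Parse the feed; drop unknown types, malformed values and stale entries.

    Returns (kept, rejected). Each rejection is (reason, value) so the
    discrimination step is auditable rather than silent.
    """
    kept, rejected = [], []
    cutoff = date.fromisoformat(today_iso) - timedelta(days=max_age_days)
    for row in csv.DictReader(io.StringIO(text)):
        kind = row["type"].strip().lower()
        if kind not in PYRAMID:
            rejected.append(("unknown type", row["value"]))
            continue
        value = normalize(kind, row["value"])
        if value is None:
            rejected.append(("malformed", row["value"]))
            continue
        last_seen = date.fromisoformat(row["last_seen"])
        if last_seen < cutoff:
            rejected.append(("stale", value))
            continue
        rank, label = PYRAMID[kind]
        kept.append({"type": kind, "value": value, "source": row["source"].strip(),
                     "last_seen": last_seen, "pain": rank, "pain_label": label})
    return kept, rejected


def export_blocklist(iocs):
    """Group exportable indicators by type, sorted, ready to push to a proxy/firewall."""
    out = {}
    for ioc in iocs:
        if ioc["type"] in EXPORTABLE:
            out.setdefault(ioc["type"], set()).add(ioc["value"])
    return {kind: sorted(values) for kind, values in out.items()}


IPV4_TOKEN = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
HOST_TOKEN = re.compile(r"\b[a-z0-9.-]+\.[a-z]{2,63}\b", re.I)


def lookup(iocs, log_lines):
    """Response-time lookup: which log lines touch a known indicator?"""
    by_key = {(i["type"], i["value"]): i for i in iocs}
    hits = []
    for n, line in enumerate(log_lines, 1):
        candidates = [("ip", t) for t in IPV4_TOKEN.findall(line)]
        candidates += [("domain", t.lower()) for t in HOST_TOKEN.findall(line)]
        for key in candidates:
            if key in by_key:
                ioc = by_key[key]
                hits.append((n, ioc["type"], ioc["value"], ioc["source"], ioc["pain_label"]))
    return hits


# Constructed proxy/firewall log lines for the demonstration.
SAMPLE_LOGS = [
    "2016-06-12T10:01:02 proxy CONNECT login.example.net:443 src=10.0.0.12",
    "2016-06-12T10:01:05 proxy GET http://cdn.example.org/app.js src=10.0.0.12",
    "2016-06-12T10:03:44 fw DENY dst=203.0.113.45 dport=4444 src=10.0.0.31",
    "2016-06-12T10:04:10 fw ALLOW dst=198.51.100.7 dport=443 src=10.0.0.31",
]

if __name__ == "__main__":
    iocs, rejected = load_feed(SAMPLE_FEED, "2016-06-13")
    print("rejected:", rejected)
    print("blocklist:", export_blocklist(iocs))
    for hit in lookup(iocs, SAMPLE_LOGS):
        print("hit:", hit)
```

Run as-is it rejects the stale IP, the malformed IP and the unknown "pager" type, exports only hashes, IPs and domains, and reports two hits: the normalized domain on line 1 and the IP on line 3. The ALLOW on line 4 is not reported because its indicator aged out, which is exactly the trade-off the staleness window makes; shorten `max_age_days` for noisier sources and lengthen it for curated private feeds.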

Framework and Methodology Comparison: Program Objectives Used for Comparison Criteria

| Framework or Methodology | Sponsoring Organization | Program Structure | Control Baseline | Risk Triage | Risk Business Case |
|---|---|---|---|---|---|
| COBIT 5 | ISACA | 4 | 2 | 0 | 0 |
| DSS | PCI | 0 | 2 | 0 | 0 |
| FAIR | The Open Group | 0 | 0 | 2 | 4 |
| IRAM2 | ISF | 3 | 0 | 2 | 2 |
| ISO 27000x | ISO | 4 | 1 | 0 | 0 |
| ISO 31000 | ISO | 2 | 0 | 0 | 0 |
| SANS-20 | CSC | 0 | 3 | 0 | 0 |
| SP 800-30 | NIST | 2 | 4 | 2 | 2 |
| SP 800-53 | NIST | 1 | 4 | 1 | 0 |
| UCF | Unified Compliance | 0 | 3 | 0 | 0 |

Harvey Ball fill percentage indicates relative strength within each program objective from none (0) to strong (4).
Gartner Research

A Framework is just a guideline. So is OSINT!

APPENDIX
Sources: pentest-standard.org; Oxford Handbook of National Security Intelligence; The Tao of Open Source Intelligence; Infosec Institute; osintframework.com; owasp.org; digital-forensics.sans.org; verizon.com; David J. Bianco; Gartner Research

QUIZ
• Name the first two official intelligence agencies formed in the US?
• In what year was the CIA first formed?
• When was Gary Powers shot down?
• Which TCP port is hacked most often?
• Windows 8 is a _____ ring process mode operating system?
  • Name them
• Which of the following is most commonly used to disable DEP in Windows 7 or Windows 8?
  • VirtualAlloc()
  • WriteProcessMemory()
  • VirtualProtect()
  • NtSetInformationProcess()