How hackers find your vulnerabilities hidden in plain sight (2024)

Hackers use OSINT to find and exploit vulnerabilities in your organization. This information can come from many different sources, such as those under your own control, from your employees, from leaked/stolen data and from search engines that index devices connected to the open internet.

Before adversaries attempt to breach your organization, they start acquiring intelligence to map your attack surface. Intelligence agencies estimate that 80-95% of intelligence comes from publicly available sources, known as Open-Source Intelligence (OSINT). More specifically, OSINT [1] is any information that can be gathered from publicly available sources in a legal manner [2].

From sources your organization controls

With the increasing adoption of cloud services, many cloud storage configurations could accidentally or intentionally be set to public, revealing internal confidential information. Worldwide, more than 11.6 billion [3] files from organizations are publicly available.

We have seen public files containing personal data of employees, their passwords and even maps of facilities containing locations of critical business assets such as Operational Technology (OT) and server rooms. These files can be found with a method called Google dorking. Even if a file doesn’t contain any sensitive information, its metadata could reveal the name of the person who edited it and their location.

In addition, the job ads you post online may reveal the technology you use – useful information for adversaries to tailor their exploit.

Also, promotional photos or videos of your offices or factories that you post online could expose sensitive details such as OT, software or your facility’s physical security measures.

Social media
A very valuable social media platform for adversaries is LinkedIn, as employees use it to share their job positions and experiences. Such information can reveal organizational structures, personal information to be used for phishing, and technologies used within the organization as described in the work experience section of employee profiles [4].

Leaked/stolen information
Third-party platforms used by your employees or your organization may have already experienced a data breach involving user credentials. When sites like haveibeenpwned.com obtain these leaked credentials, adversaries can check your employees' email addresses to see if their passwords have been compromised. If the password is similar to the password they use within your organization, adversaries can gain an initial foothold [5].

Other unusual sources are 'pastebin' sites, which host plain text that users have pasted to share large texts. Such sites may also contain breached data such as credentials and other sensitive information obtained by adversaries [6].

Finally, credentials from breaches, unknown vulnerabilities and exploits for software you use could also be sold on the dark web [7].

Network and subdomain search engines
Furthermore, sites like shodan.io and censys.com index IP addresses of devices such as routers, webcams, servers and even OT systems connected to the open internet and scan for software versions on their open ports. This information can be exploited to gain initial access [8].

Another way to find hidden networked resources is via domain name enumeration. Your organization most likely owns a domain name and has probably created many forgotten subdomains such as 'blog.yourdomain.com'. Systems hosting these subdomains could have vulnerabilities that can be leveraged by adversaries to move laterally or escalate to higher domains [9].

To minimize the impact of adversaries exploiting information or system vulnerabilities found with OSINT, we recommend that you:

1. Ensure you have clear internal policies on what information can be publicly shared and include it in regular training.

2. Make sure that anything that is publicly accessible is free of sensitive or critical information, including metadata. One way to accomplish this is by using Data Loss Prevention (DLP) policies or specialized solutions such as a Content Management System (CMS) that automatically remove sensitive information before publishing it.

3. Use services such as Red Team exercises, Cyber Due Diligence and Internet Footprint Analysis from third parties such as our Cyber Defense Services to simulate how attackers can identify your attack surface.

4. Ensure that robust Cyber Threat Intelligence (CTI) and organization-specific processes and solutions are in place to receive early notifications about possible exposure of sensitive information and attacks against the organization.

In short, adversaries can discover a great portion of your attack surface by combining a wide variety of OSINT sources. Determining what sensitive information is accessible and how to contain it, creating security policies, implementing data classification, DLP, CTI and other safeguards are daunting tasks. If your organization does not have the in-house expertise or capacity to adequately address these critical measures, feel free to catch us for a coffee at our office in Zürich, or just reach out via the contact buttons on the right.

FAQs

How do hackers find vulnerabilities?

Hackers can use scanners to find vulnerable networks by checking exposed ports and then they can exploit vulnerable ports to get control over the device.

How are vulnerabilities detected?

Vulnerability detection refers to the process of identifying weaknesses in smart contracts to prevent potential attacks. It involves techniques such as fuzz testing, symbolic execution, formal verification, and deep learning-based methods to enhance security measures.

How are security vulnerabilities found?

Generally speaking, a vulnerability scanner will scan and compare your environment against a vulnerability database, or a list of known vulnerabilities; the more information the scanner has, the more accurate its performance.

How do security researchers find vulnerabilities?

Vulnerability Research is the process of analyzing a product, protocol, or algorithm - or set of related products - to find, understand or exploit one or more vulnerabilities. Vulnerability research can but does not always involve reverse engineering, code review, static and dynamic analysis, fuzzing and debugging.

How are vulnerabilities tracked?

Vulnerability Management Automation

A vulnerability management system can help automate this process. They'll use a vulnerability scanner and sometimes endpoint agents to inventory a variety of systems on a network and find vulnerabilities on them.

Which type of tool can be used to detect vulnerabilities?

A vulnerability scanner enables organizations to monitor their networks, systems, and applications for security vulnerabilities. Most security teams utilize vulnerability scanners to bring to light security vulnerabilities in their computer systems, networks, applications and procedures.

What are the methods of identifying vulnerabilities?

Identifying and preventing vulnerabilities
  • penetration testing.
  • network forensics.
  • network policies.
  • user access levels.
  • secure passwords.
  • encryption.
  • anti-malware software.
  • firewalls.

What are the three major ways of discovering vulnerabilities in systems?

Though different security pros might have different names for the various types of vulnerability scans or phases in security exploit detection, security scanning typically falls under one of three categories: discovery scanning, full scanning and compliance scanning.

Where are vulnerabilities found?

CVE defines a vulnerability as: "A weakness in the computational logic (e.g., code) found in software and hardware components that, when exploited, results in a negative impact to confidentiality, integrity, or availability."

How are new vulnerabilities discovered?

The processes used to discover vulnerabilities rely on the communication of their outputs in order to be effective. Automated processes (such as vulnerability scans) will usually have alert systems that can be configured based on the severity of what they discover.

How do hackers scan for vulnerabilities?

What is scanning? Scanning can be considered a logical extension (and overlap) of active reconnaissance that helps attackers identify specific vulnerabilities. Attackers often use automated tools such as network scanners and war dialers to locate systems and attempt to discover vulnerabilities.

How is the vulnerability data collected?

Vulnerability data refers to the collection of information about known security flaws in software, which is generated by various sources including software vendors, vulnerability researchers, and software users.

How do hackers find weaknesses?

Before launching an attack, hackers often engage in a phase known as 'reconnaissance.' During this phase, they scan for vulnerabilities in the target's security infrastructure. This could involve anything from identifying poorly protected data storage to spotting weak passwords.

How are vulnerabilities determined?

Testers use a combination of automated tools, manual testing, and individual skills to identify vulnerabilities, then attempt to exploit them to gain access to additional hosts, accounts, and permissions. This process is repeated to bore into a network and identify vulnerabilities hidden from surface assessments.

What are the most common ways hackers find information?

Scraping social media and buying bundles of stolen data on the dark web are some of the most common ways to find information. However, the actual statistics are impossible to determine as there's no way to record all hacks or the tools used to carry them out.

Article information

Author: Greg Kuvalis
