Through robust research and commercial engagements covering eight years, Cytelligence are able to attest that Open Source Intelligence [OSINT] is not only a major source of exposure and a potential point of exploitation, but is also key to the majority of successful cyber attacks against random and/or selected targets.
It was in this area that one piece of work was produced along the way to prove the exposure, and it went on to outline some of the areas of potential exploitation which were made available to potential attackers.
It is also of added value to introduce the results of a mini survey conducted in November 2014, in which 80 delegates were asked to confirm whether their organisations had considered, and/or protected against, the threats posed by OSINT. The response was low, with only five per cent confirming that this had been considered as a potential exposure – which seems to indicate a breakdown in understanding of the actual risk posed by this proffered insecurity!
What is it?
Applying OSINT seeks to leverage the titbits and data leakage that occur from an organisation, through both direct means and the more subliminal indirect representations, where interesting data objects are unintentionally exposed or, say, embedded within a publication in the form of metadata which finds its way into the public domain.
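As an added example (not the author's or Cytelligence's code), here is a pre-publication check for the metadata leak described above: it reads the document-property parts of a .docx package (a zip holding docProps/core.xml and docProps/app.xml) and lists the fields that would expose usernames, software versions and internal paths if the file went out unscrubbed. The sample package, its field values and the UNC path are constructed for the demonstration.

```python
import io
import xml.etree.ElementTree as ET
import zipfile
# Namespaces of the two document-property parts in an OOXML (.docx) package.
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}
# Properties worth scrubbing before publication: label -> (part name, element path).
SENSITIVE = {
    "creator": ("docProps/core.xml", "dc:creator"),
    "last_modified_by": ("docProps/core.xml", "cp:lastModifiedBy"),
    "application": ("docProps/app.xml", "ep:Application"),
    "app_version": ("docProps/app.xml", "ep:AppVersion"),
    "company": ("docProps/app.xml", "ep:Company"),
    "template": ("docProps/app.xml", "ep:Template"),
}

def leaked_metadata(docx_bytes: bytes) -> dict:
    """Return the non-empty sensitive properties found in a .docx package."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as pkg:
        parts = {n: ET.fromstring(pkg.read(n))
                 for n in pkg.namelist() if n.startswith("docProps/")}
    found = {}
    for label, (part, path) in SENSITIVE.items():
        root = parts.get(part)
        node = root.find(path, NS) if root is not None else None
        if node is not None and node.text and node.text.strip():
            found[label] = node.text.strip()  # empty elements are not a leak
    return found

def build_sample_docx() -> bytes:
    """Constructed sample package with the kind of values Word typically writes."""
    core = ('<cp:coreProperties xmlns:cp="%s" xmlns:dc="%s"><dc:creator>jdoe</dc:creator>'
            '<cp:lastModifiedBy>CORP\\jdoe</cp:lastModifiedBy></cp:coreProperties>'
            % (NS["cp"], NS["dc"]))
    app = ('<Properties xmlns="%s"><Application>Microsoft Office Word</Application>'
           '<AppVersion>14.0000</AppVersion><Company></Company>'
           r'<Template>\\fileserver01\templates\corp.dotx</Template></Properties>'
           % NS["ep"])  # constructed values; the UNC path is a placeholder
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("docProps/core.xml", core)
        pkg.writestr("docProps/app.xml", app)
    return buf.getvalue()

if __name__ == "__main__":
    for label, value in leaked_metadata(build_sample_docx()).items():
        print(f"{label}: {value}")
```

The empty Company element is dropped, while the domain username and the template's file-server path are reported; pointing the same function at a real file shows what a publication hands to anyone who downloads it.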
Remember, no matter the deployment of firewalls, IDS/IPS, or those systems considered to be silver bullets in the form of hardware security modules, they offer no real protection against this threat.
Like any military operation where intelligence is sought prior to a mission against a target, cyber criminals and adversaries follow the same model, seeking out intelligence on a target before launching their attack. This maximises the potential for successful exploitation by identifying areas of interest: hidden assets, servers, information, or gateways into the intended target via some third-party link or association.
Exposed builds and upgrades
Whilst conducting internal examinations of organisational assets, it soon becomes clear that the standard build on most corporate systems can be flawed by the installation of features which offer a high potential for exploitation, both by internal attackers and by any external attacker who has managed to circumvent the security perimeter.
In these manifestations, there are two very powerful and common tools which may be located on around 90 per cent of desktop builds, one of which is a key target for any attacker penetrating the supposedly protected environment: it can be used to leap over to other collocated assets, or to deploy some malicious tool, application, or even a disk imaging application over the network whilst the administrators sleep.
There are also some potential leakages associated with a simple upgrade to Microsoft Office 2010, which in one high profile case allowed internal personnel to export any classification of data to a selected internet-connected private/personal location, under the very noses of an expensive data leakage service deployment, not to mention the firewall, IDS/IPS and HSM [yes, no silver bullets in sight here].
The real point about such misconfigurations was proven during a research project on advanced evasion techniques, where it was demonstrated that, by manipulation of the IP stack, it was possible to circumvent the protection of up-to-date perimeter devices in order to gain access to LAN-based assets in the form of servers, laptops, and desktops.
It was from this point in the attack that one could generate a shell with a piece of well-known malware, and then fire up a default-build resident tool to further infiltrate the protected environment. Just in case you are wondering about the anti-malware protection employed on some of these selected server targets: in some cases they have been found not to have been provisioned with protection at all, thus old and useful malware agents such as Conficker still work to this day – even in large UK-based PLCs!
We have seen much in the press relating to cyber attacks, compromises, and incursions – and it is time to take this very seriously. As time has proven, governance and tick-box security standards are simply not working. It is time, in my opinion, that we all take steps to assure our cyber security skills are lowered to respond to the threat!
Gasp, yes, that is right – I said ‘lowered’ – which means we move away from the high-level view driven out of standards like PCI-DSS, and the veneer of the old tag line ‘we follow the spirit of ISO/IEC 27001’, and get back to basics: lower and tune our cyber skills to a level where we understand security, the associated threats, and the security attributes we may harness to combat potential incursions before they happen.
Many of us now agree that in 2014 and onward, there are only two types of organisation attached to the Internet: those who have been hacked; and those who will be hacked. The real question is, which category does your organisation fall into?
Professor John Walker is a member of the British Computer Society Elite Group