OSINT and Technical Threats: The Shift in Peoples Threat Landscapes and the Increase in Ransomware Attacks
Online activity has increased massively over the most recent years, with the development of social media as well as technological advances. This has encouraged a huge increase in general attacks, with people's personal information being more accessible. This blog highlights what the shift means for the technical threat landscape and what can be done.
How Have Technical Threats Shifted?
Technical threats have shifted from a time when cyber attacks were very mild, shutting down a computer at most, to the most recent years where cyber attacks can shut down a whole business through one piece of information. With more sophisticated attacks such as Ransomware and Phishing, this is a huge worry for individuals, especially business owners.
Technical threats are a huge part of our research here at DarkInvader, as they pose a large threat, especially in the last year or two, this has become a huge part of people's landscapes including an increase in ransomware attacks and hacks in general. This has mainly come from that there has been a deeper understanding of what your profile infrastructure looks like and your threat landscape through the use of social media and online profiles. It's incredibly important to the team here at DarkInvader, to look for any subdomains, IP addresses that can be tied back to your business, and use a variety of tools to collect that information in order to protect your identity from the risk of cyber attacks.
Open Source Intelligence
Open Source Intelligence is the process of collecting, analysing and making use of information that is publicly available. This can be done through a number of ways, such as social media monitoring and advanced Google searches. This process is important as it can help you to understand what type of information is publicly available about you or your business, and how this could be used against you in a cyber attack.
It is becoming increasingly difficult to protect yourself from technical threats, but by understanding the shift in the landscape, and utilising Open Source Intelligence, you can put your business in a good position to fight off cyber attacks.
The amount of information the DarkInvader team can gather is significant, without even using any pen-testing techniques. From this, you can follow the path of an attack which is then fed back to you through the portal. OSINT gathering is passive information gathering. So if you're able to map the attack surface without touching your target, then there is a big advantage to that.
What Can be Done?
The first, the most obvious one is you have to have a clear understanding of your public infrastructure, so that is crucial. What firewall rules are in place? And what information is out there? Having this information helps protect yourself from potential attacks. It's massively important to be aware of the information that has been gathered.
DarkInvader offers a more threat intelligence approach. This is so we're able to give you a better understanding of how these things might tie together and for you to know what kind of things you can do about it. Ultimately, it's all about knowing what's out there and having a good awareness of what information is available on the public web & how this could be a potential threat to your business. Without that awareness, it's hard to start building up a security programme.
Hello, and welcome to the second episode of OSI deep dives. Today, Garth and Liam will be talking about the technical threats. Liam, shall we start with you?
Thank you very much of your introduction there, there. And then we'll Yeah, so technical threats. So Can other technical precursor is another big part of the open source intelligence we do here at dark and beta, the dark web obviously poses a large threat. And those kinds of technical attacks, especially over the last year, year and a half, two years, have become a massive part of people's threat landscapes, the increase in ransomware attacks, the increase in just kind of hacks in general, have meant that having a deep understanding of what your kind of peripheral infrastructure looks like what your technical landscape looks like, is incredibly important. And and that's part of what the team never hear a darkened Bay to do. So we are looking for any subdomains that you might have forgotten about, we'll look for IP addresses that can be tied back to your to your business. And we use a massive variety of tools to collect all of that information and really, and then push that through to you via the portal. The tools such as that are pretty well known such as showdown or CRT dice, H are all collated and then used to feed that back. And the vulnerabilities that naturally we're not we're not pentesters, obviously, we have a background in pentesting. From we're just looking at it from from an open source intelligence perspective. But you'd be amazed at the amount of information we can gather without ever doing anything that would be considered fantastic stuff sites, again, we'll try to answer those so sage Wayback Machine, they all log things like headers, and various services that are open. And by just by inspecting those, you can start to see how what an attacker would do how what kind of path they'd go down, in order to, to stop causing damage. And that can then be fed back to you via the portal. So you get to start to build up this picture of what your friends threat landscape really looks like
with, with open source intelligence gathering this, the vast majority of it, if not all of it is is passive information gathering. They think I think that's, that's quite important here. And Liam mentioned about pen testing and pen testers will they'll run Port Scans, you know, we're very active, there'll be there'll be banging on the door trying to map out the external infrastructure, what what services do you have publicly facing, you know, what ports are open, and what they're hoping to find, like Port 445 or RDP or something, you know, that they can attack that there's likely to have some kind of a vulnerability, but, you know, doing that is is noisy. I mean, you know, you can go via proxies, you can go by VPNs, and all sorts of ways to try and mask your kind of where you're coming from, but again, is it still active, it still is still noise is there is still an element of risk there. So if you're able to map that, that attack surface without touching your target, then there is there out there that there's a big advantage to that. And, you know, depending on what, you know, what your objectives are, as, as, as Liam mentioned, there is and why why do that yourself when there are all of these bots, all of these solutions and things out there scanning the internet, you know, showed up being a huge, a huge source of information that you can, you can start to map this attack surface via these, these other these other tools, and with absolutely no risk. And, you know, the kinds of things they're looking for that you mentioned about subdomains there that that's quite a big one pentesters with brute force subdomains, they will run to a big word lists, dictionaries, create loads and loads of requests, but that information is ordered that has been done already. That information is already there. So you just need to go and grab it. You don't need to do it yourself. And you're looking for things like test.or, FTP door VPN diode VPN, big big one. Yeah. Is there is something your that the company is hosting publicly that could get you onto that internal network, you know, that really juicy targets? And, you know, we need to keep keep in mind that these ransomware attacks a lot of the time they are not hugely elaborate attacks. Some of the most the biggest tax have recently have simply been that the attackers discovered a public facing VPN poll with no two factor and views credentials that were there on the dark web that you know, they've been leaked in other other breaches. It was really really straightforward but incredibly effective attack. And you know, the this initial stage of of gathering reconnaissance of mapping out that attack surface is is so, so critical to any attack, but the more information you have, the more likely you are to succeed.
Absolutely, absolutely. And as a touched upon that, you are ultimately, it's very difficult to protect against suddenly, if you don't know that somebody's coming after you. And your ancestors, they do create massive amounts of noise, you're effectively walking into a room with two bad pound smashing them together, here, watching any kind of logs, then you'll see that pretty much immediately you can start to mitigate against these things. But the scan has already happened. And in fact, this happened this morning, a website had been kind of picked up as having an out of date software, but it was disclosed by some scheduling that one of the sites have been doing. And it turns out that that service actually vulnerable to some forms of remote code execution. That was something we picked up without ever having to even browse to the site. So you know, these things are very prevalent. The Deann as a precursor, without even touching it, you know, somebody knows that they can fire off a pre written exploit against one of your servers to gain and start, even when the staff there, that's the beginning of a ransomware attack, and very hard to notice that the locks, you know, the big things were done instant responses. Normally, you'll see a day or two of scanning before somebody actually punches to get in or even months or kind of compromises.
In terms of you know, what can be done? What can what can you do about this this kind of thing? I think the first most obvious one is you got got to have a very clear understanding of your public infrastructure. I know that sounds like a really obvious thing. But we have dealt with a lot of clients that have actually asked us to help them map it out. And so I think it's a really important exercise to define that what servers are public facing what firewall, firewall rules are in place? What what are you actually advertising out to the public, do you then that that puts you in a much better position to put controls in place to prevent attacks? And they also to do to us, you have to use these tools? A lot of them are free online, use them to see what information about your attack surface is publicly available and to not fall into a very easy trap of security through obscurity? I remember once I created a subdomain with incredibly arbitrary string. I mean, there's no way it could have been guessed, it wasn't based on anything. And, you know, discovered weeks later that it was it was on the surfaces, you know, they had come across it bizarrely, you know, I'm the slot shop this day exactly how they were discovered, Buddy was, you know, so it is very important to be aware of what information is being gathered.
Absolutely. Things like asset registers or massive wealth, if you're talking about an asset, when you go back to, to try and understanding what the threats look like, and when you prioritise these things. So just to recap sentiment that a lot of these tools are free. Now, you can, you can use those, and you can interact with them, so you can get a bit of an understanding. Obviously, Darth Vader and rep sat with them with a little bit more of a kind of threat intelligence, so we're able to. So we were able to give you a better understanding of how these things might tie together, which of course is valuable in itself, although I'm biassed in any way. But know that the kind of things you can do about it. Ultimately, it's all about knowing what's out there. But you have to have a good awareness of what is out there about what kind of threat might be biassed. And without that awareness it's really hard to start building up a security programme.
Thank you both for talking us through the technical threats. Join us next week where Gavin lane will be discussing another topic of the OSI deep dives.