OSInt, shoe laces and bubblegum


At Kobalt, we use OSInt (Open Source Intelligence) to help build an external view of a client’s environment and start helping them make forward progress on their security journey from day one. OSInt is a tool to help baseline what organizations are showing to the world, helping to gain visibility of what an attacker can see and what they might target.

“Open-source intelligence (OSINT) is data collected from publicly available sources to be used in an intelligence context.” - Wikipedia.

Operations teams struggle getting a handle on the swarm of alerts, constantly changing infrastructure surface area, subscribed SaaS services and 3rd party tools in use. OSInt helps reveal legacy and forgotten systems, new services being stood up across distributed teams and better understand the attack surface.

Getting started – DNS recon and the public domain

DNS records reveal a startling amount of information about most organizations. Services they thought were private. 3rd party providers integrated into the technology stack, representing a point of weakness and potential attack. They unveil who carries and can forward mail on behalf of your domain, who your service providers are (such as O365/Google), if misconfigured can expose internal IP address information, even reveal details on your production cloud environments.

Try the dnsrecon and amass tools to get an overview of your organization's DNS surface area. Consider using pywhois to discover weakly protected domains that could be the target of a takeover.

Another area DNS can be useful is looking proactively for signs of potential future or active attacks via phishing, typo squatting and business email fraud. DNSTwist is a useful tool to help identify domains that have been registered that are similar to your corporate domains, and you can configure your mail gateways to block these domains for safety.

Try the DNSTwist tool to look for potential active or future attacks.

Websites are often run by less technical parts of the organization, and properly configuring and maintain good certificate security can be a challenge. Tools like ssylyze and ctfr can help discover weaknesses in certificate configurations.

Looking deeper – exposed ports and services, account discovery

Once you (or an attacker) has a high level overview of your domains, potential systems, it’s time to dive into the details. Tools like nmap, masscan, Shodan help to profile exposed ports and services, vulnerable systems. Many systems will respond back with service banners that include version numbers so you can immediately determine if there is a vulnerable service exposed.

In the same way you can collect information on systems, social networks and other tools can be used to profile employees within organizations to help build strong phishing attacks and social engineering. Tools like InSpy, prowl, metagoofil and just simple google and bing searches help reveal the information people reveal about themselves.

Grabbing the data and the keys

Unfortunately, in agility and speed comes occasional carelessness and mistake. People leave keys in code repositories, expose S3 buckets, and automated tools scrape and post details to services like pastebin. Fortunately, you can proactively protect yourself using tools like surch, AWSBucketDump, Pastehunter and more to help enumerate your own weaknesses and resolve them before attackers do.

Consider using tools like surch, AWSBucketDump, watching pastebin and other sources for inadvertent key and data exposure.

Consider an integrated approach

Another advantage of regularly applying the tools above and diffing against historical results is it lets you see changes to your infrastructure over time. If a DevOps team member stands up a new service on Heroku but doesn’t consider dependencies, if someone deploys a new Docker container but forgets to decommission it, often these items can be discovered using passive intelligence tools.

It’s even possible to script these tools into your continuous integration processes, so that if a change ends up creating a new, unexpected surface area for attack, they will be spotted early on rather than discovered too late when it’s in production.

At the end of the day, your operations team are going to be dealing with a lot of noise – security and otherwise. Using tools like these can help you reduce your surface area so they are a little less overwhelmed.

At Kobalt, we integrate OSInt tools into our monitoring stack for clients. If you’d like to talk to us to learn more, please contact us.

This blog post is based on a talk originally delivered by Jamie McMurray at BSides Vancouver. For a copy of the slides, click here.

Kobalt offers an automated OSInt report that provides an external view of your organization, updated monthly. It covers areas like lookalike domains, misconfigured SSL, vulnerable services, all for a low monthly fee. If you like the idea of OSInt but don’t have the time or expertise to use the tools, contact us for our monthly service.