Essential Guide to Open-Source Intelligence (OSINT)

Exploitation through publicly available information is the single largest threat to companies and their people today.

Known as Open-Source Intelligence, or OSINT, this public data shows attackers how to compromise human targets through social engineering and, through those people, bypass technical controls that would otherwise hold.

The bad news for organizations is that the internet makes it easy for attackers to find information about them and their employees to craft convincing attacks.

The good news is that enterprise security teams can also use OSINT for defensive purposes in order to level the playing field and prevent attacks. With companies recognizing the important role this data plays, the global demand for OSINT tools is on the rise, with research predicting a market growth rate of 28.33% between 2022 and 2030. Fortunately, companies can now automatically harness OSINT like never before to protect their people and their assets.

We’ve created this e-book to explain OSINT, how it’s used, and how security professionals can use Picnic’s powerful new technology to take the advantage away from threat actors.

What you’ll learn:

  • What OSINT is
  • The history of OSINT
  • How people collect OSINT
  • The most-used OSINT tools
  • The information people can find with OSINT
  • How cybercriminals use OSINT for social engineering
  • How cybersecurity teams can use OSINT

What is Open-Source Intelligence (OSINT)?

Open-Source Intelligence (OSINT) is information available through public data sources that someone can collect and analyze.

People can engage in OSINT gathering legally using tools that find data on:

  • the “surface web,” including search engines, blogs, and job postings
  • social media
  • databases containing public records

Additionally, malicious actors often use specialized intelligence tools and search engines for finding information on the dark web.

What is the history of OSINT?

Gathering OSINT is not a new phenomenon. However, the information available and the search processes have changed, especially as more people share data on the internet.

During World War II, the Office of Strategic Services established the first Research and Analysis Branch dedicated to collecting OSINT and using it for the war effort. Since then, global military and intelligence services have used publicly available data for their operations.

In the late 1980s, the US military first used the term OSINT, noting its tactical battlefield value. During the 1990s, OSINT became even more important to the US intelligence community, with the Intelligence Organization Act of 1992 recognizing public information as a valuable source and the 1994 establishment of the Community Open-Source Program Office (COSPO) within the CIA.

As the internet became more accessible, so did OSINT. Between websites that publish government records and social media networks, almost anyone can now search publicly available data legally and ethically.

Outside the confines of legality and ethics, threat actors use sophisticated tactics to gather data. For criminals, the definition of “public” also includes the dark web where malicious actors share stolen, otherwise-nonpublic personal information like credit card numbers, passwords, and social security numbers.

How do people collect OSINT?

Since OSINT focuses on publicly available information, people can find it using paid and unpaid search methods. Further, their processes can be as simple as a Google search or as complex as creating a specialized tool.

Surface Web
The surface web is the internet that most people use. It’s easy for the general public to search using standard search engines.

Search Engines
When people want to find information, they usually start with generally available search engines. Most people are familiar with how these work. Google’s search engine has become synonymous with looking up facts and data.

  • Google
  • Bing
  • Yahoo!
  • DuckDuckGo
  • Startpage

Blogs
Blogs are regularly updated websites or web pages that people and organizations use to inform readers. An organization’s blog might try to educate readers about topics related to its products or services. A personal blog often shares stories about someone’s interests, like hobbies, books, music, television shows, or movies.

Job Postings
Most companies list job postings on their websites so that interested applicants can find them. Since companies use job postings to attract candidates, researchers can use them to:

  • Locate corporate offices
  • Find Human Resources contacts
  • Learn which technologies the company runs, since the required skills in a posting name the products in use

Social Media
People and companies increasingly use social media. Many companies have social media marketing strategies that they use to make important announcements, like when they hire a new senior executive or acquire a new company. Similarly, people often share personal stories and information on social media sites.

For example, LinkedIn enables organizations to create digital business networks. However, since profiles and company pages are publicly viewable, the site becomes an OSINT source. As a career-focused social media site, its users may also be more “trusting” and open to connecting with strangers.

Some examples of OSINT gathering on LinkedIn include searching by company name for job roles like:

  • Chief executive officer
  • Chief financial officer
  • Account executive

Someone could do a search for account executives at an organization, look at their connections, and then find a senior leadership team member’s information.

Data Brokers/People Search Engines
Data brokers collect and sell personal or corporate data. While they often use public records to aggregate this information, they can also source it privately. As a paid service, they collect data from multiple locations that can include:

  • Census records
  • Electoral rolls
  • Social media
  • Court reports
  • Purchasing history

Some examples of data brokers and people search engines include:

  • PeopleFinderFree
  • Truthfinder
  • Spokeo
  • US Search
  • Whitepages

Custom Search Engines
More technical researchers can build custom search engines. With a custom search engine, a researcher can collect OSINT across multiple social media websites or filter searches by file type.

For example, the Google Programmable Search Engine is a platform enabling web developers to use Google search capabilities on their websites. However, researchers can use this functionality to search across specific websites and take multiple actions. When engaging in OSINT, researchers might create a custom search engine that enables a simultaneous search across various social networks that can isolate each network’s results in their own tab. This streamlines their process, giving them a way to use the collected data more effectively and efficiently.

Specialized Search Engines
Specialized search engines enable researchers to expand their data collection. These provide search options and capabilities that typical search engines lack.

Some examples of specialized search engines include:

  • Wayback Machine: cached website data providing historical information
  • Searx.me: ability to export results and enabling researcher anonymity
  • Exalead: unstructured data to find documents and audio files, including papers or webinars

Caller ID Databases
Caller ID databases enable people to do reverse lookups on phone numbers. While these traditionally only worked for landlines, more databases now provide services for cellular phones. When researchers input a known telephone number, they can retrieve data like:

  • Country
  • Name
  • Carrier name
  • Carrier type

Third-Party Data Breaches
Whether researching legally or illegally, people can find public databases that record which email addresses were exposed in data breaches, often together with the passwords that leaked alongside them.

For example, cybercriminals often post this information on websites like Pastebin. Further, in response to the growth in data breaches, breach-notification and breach-search services now exist, of varying legitimacy (some have since been shut down), including:

  • Have I Been Pwned
  • Spycloud
  • Scylla
  • Leaked Source
  • Ghost Project
  • PSBDMP

While researchers need an email address to use these services, they provide valuable information by:

  • Confirming that an email address is valid
  • Providing insight into the breach that compromised the email
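One practical detail worth seeing in code is how a breach-check service can be queried without handing it the secret being checked. Have I Been Pwned’s Pwned Passwords endpoint uses a k-anonymity “range” query: the client hashes the password, sends only the first five hex characters of the SHA-1 digest, receives every known suffix in that bucket, and matches the remaining 35 characters locally. The following Python is an added example, not code from this page or from Have I Been Pwned; the response body it parses is a constructed sample, and the counts in it are made up.

```python
import hashlib
import urllib.request

# Constructed sample of a Pwned Passwords range response for prefix "5BAA6".
# Real responses list hundreds of "SUFFIX:COUNT" lines; these counts are made up.
SAMPLE_RANGE_RESPONSE = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
0000A6BAB2F4D6D6F3F9C8E9E9E5C1C1D1D:2
FFFFA7B3A1D8D5E9F1C2B3A4D5E6F7A8B9C:15
"""


def split_hash(password: str):
    """SHA-1 the password and split the hex digest into the 5-char prefix
    that is sent to the API and the 35-char suffix that is kept local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict:
    """Turn 'SUFFIX:COUNT' lines into a {suffix: count} map, ignoring blanks."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def exposure_count(password: str, range_body: str) -> int:
    """Number of times the password appeared in known breaches (0 = not found).
    Only the suffix comparison happens here; the password never leaves the host."""
    _, suffix = split_hash(password)
    return parse_range_response(range_body).get(suffix, 0)


def fetch_range(prefix: str) -> str:
    """Live lookup (not exercised offline). Sends only the 5-char prefix."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "osint-guide-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    prefix, _ = split_hash("password")
    # Offline demo against the constructed sample; swap in fetch_range(prefix)
    # to query the live service.
    print(prefix, exposure_count("password", SAMPLE_RANGE_RESPONSE))
```

The same pattern is what a password-change hook or an Active Directory password filter uses to reject known-breached passwords without ever transmitting them.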

Since cybercriminals are not held to legal and ethical research requirements, they often download both public and stolen credential databases, then run the data through analytics tools. If they find a username and password for one service, like LinkedIn, they can try those credentials against the corporate environment, a technique known as credential stuffing.

Custom Tools
Gathering OSINT information from all these diverse locations manually isn’t efficient. Often, researchers create or leverage custom tools. With these tools, they can more rapidly search across all potential locations and search engines.

Dark Web
What people call the dark web is content reachable only through overlay networks, most commonly Tor, which route traffic through multiple relays so that a user’s location and network activity are hidden. Sites hosted as Tor onion services are hidden in the same way: their server location is not exposed, and ordinary search engines do not index them. That anonymity on both sides is why criminal marketplaces and forums operate there.

What Are the Most-Used OSINT Tools?

While threat actors may build their own tools, many ethical researchers leverage pre-existing research tools. Below are some of the OSINT tools often used to uncover publicly available data about people and technologies.

Maltego
Focused on discovering relationships, this gathers data like:

  • Names
  • Email addresses
  • Aliases
  • Companies
  • Websites
  • Document owners
  • Affiliations

It uses several common public information sources, including:

  • DNS records
  • Whois records
  • Search engines
  • Social networks

Then, it provides charts and graphs that uncover the connections between the data points.

Mitaka
Mitaka enables people to research using their web browsers. With the ability to search across more than seventy search engines, it returns information like:

  • IP addresses
  • Domains
  • URLs
  • Hashes
  • ASNs
  • Bitcoin wallet addresses
  • Indicators of Compromise (IoCs)

Spiderfoot
A free tool, Spiderfoot is an application that red teams often use during their reconnaissance activities. Some information that it returns includes:

  • IP addresses
  • CIDR ranges
  • Domains and subdomains
  • ASNs
  • Email addresses
  • Phone numbers
  • Names and usernames
  • Bitcoin addresses

Spyse
Focused on detecting internet assets, Spyse collects and analyzes publicly available data about:

  • Websites
  • Website owners
  • Servers associated with websites
  • Internet of Things (IoT) devices

BuiltWith
BuiltWith provides information about a website’s technology stack and platform. For example, it generates information that includes:

  • Content management system (CMS), like WordPress, Joomla, or Drupal
  • JavaScript/CSS libraries, like jQuery or Bootstrap
  • Installed plugins
  • Frameworks
  • Server information
  • Analytics and tracking information

Intelligence X
As an archival service and search engine, Intelligence X enables researchers to obtain historical versions of webpages and leaked data sets, including controversial content.

Some examples of the data that Intelligence X retains include:

  • Lists of compromised VPN passwords exposed on cybercriminal forums
  • Indexed data collected from political figures’ email servers
  • Information from social media site data leaks

Ahmia
Ahmia enables dark web research by making Tor onion-service results visible in a normal browser without requiring users to install Tor. However, to open the links in those results, researchers still need the Tor Browser.

DarkSearch.io
As of January 2022, this service is available only to organizations who request private access. The platform allows researchers to run automated searches of the dark web without requiring them to use .onion versions or install the Tor browser.

Grep.app
Grep.app focuses on git repositories, providing a single search across:

  • GitHub
  • GitLab
  • BitBucket

People use it when searching for code strings associated with:

  • IoCs
  • Vulnerable code
  • Malware

Recon-NG
Recon-NG is a Python-based tool that enables researchers to automate redundant, manual tasks. It offers:

  • Independent modules
  • Database interaction
  • Built-in functions for convenience
  • Interactive help
  • Command completion

Creepy
Another Python-based technology, Creepy is a geolocation OSINT tool that collects data from various online sources, including social media and image hosting sites. Users can:

  • Create maps
  • Filter searches based on exact location and/or date
  • Export data

theHarvester
With theHarvester, users can search for:

  • Emails
  • Subdomains
  • IP addresses
  • URLs

It offers both passive search and active DNS brute-forcing capabilities.

Shodan
Shodan is a search engine that both security teams and threat actors use to discover internet-connected devices and services.

The Shodan suite of products includes:

  • Search engine
  • Monitor to track devices
  • Maps
  • Collection of screenshots
  • Collected historical data

TinEye
TinEye is a reverse image search tool that allows researchers to upload images or use URLs. It returns the other places on the web where the same or a modified copy of the image appears, which can reveal a person’s other accounts or a photo’s original source; combined with visible landmarks or other context in the picture, that can help narrow down a physical location.

Metagoofil
With Metagoofil, researchers can scan a domain’s documents and uncover the metadata. The tool provides information about files like:

  • PDFs
  • Word Documents
  • Excel Spreadsheets
  • PowerPoint Presentations

The metadata, or “data about data”, can include information such as:

  • User names
  • Email addresses
  • Printers
  • Software
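The check that Metagoofil automates against a target is one a security team should run on its own documents before publishing them. Word, Excel and PowerPoint files are zip packages, and the docProps/core.xml part inside them records the author and the last person to save the file, which is often a login name. The following Python is an added example, not Metagoofil’s code nor code from this page; it builds two sample documents in memory with constructed names (the “jdoe” username and the file names are assumptions) and lists which files expose which identities.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Namespaces used by docProps/core.xml in .docx/.xlsx/.pptx packages
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
}


def build_sample_docx(creator, last_modified_by):
    """Build a minimal Office package in memory carrying the given metadata.
    Constructed test fixture only; a real .docx has many more parts."""
    core = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<cp:coreProperties xmlns:cp="{NS["cp"]}" xmlns:dc="{NS["dc"]}">'
        f"<dc:creator>{escape(creator)}</dc:creator>"
        f"<cp:lastModifiedBy>{escape(last_modified_by)}</cp:lastModifiedBy>"
        "</cp:coreProperties>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("docProps/core.xml", core)
        z.writestr("word/document.xml", "<document/>")  # body content is irrelevant here
    return buf.getvalue()


def extract_people(package_bytes):
    """Return the distinct names/usernames recorded in the core properties."""
    with zipfile.ZipFile(io.BytesIO(package_bytes)) as z:
        if "docProps/core.xml" not in z.namelist():
            return []  # package without a metadata part
        root = ET.fromstring(z.read("docProps/core.xml"))
    people = set()
    for tag in ("dc:creator", "cp:lastModifiedBy"):
        el = root.find(tag, NS)
        if el is not None and el.text and el.text.strip():
            people.add(el.text.strip())
    return sorted(people)


def audit(documents):
    """documents: {filename: bytes}. Returns {person: [filenames]} so the team
    can see which published files expose which staff identities."""
    exposure = {}
    for fname, data in documents.items():
        for person in extract_people(data):
            exposure.setdefault(person, []).append(fname)
    return exposure


# Constructed sample set standing in for a crawl of the company's public site
SAMPLE_DOCS = {
    "annual-report.docx": build_sample_docx("Jane Doe", "jdoe"),
    "press-kit.docx": build_sample_docx("marketing", "jdoe"),
}

if __name__ == "__main__":
    for person, files in audit(SAMPLE_DOCS).items():
        print(f"{person}: {', '.join(files)}")
```

PDFs carry the equivalent in the document information dictionary (/Author, /Creator, /Producer) and XMP metadata; the same audit applies there with a PDF parsing library.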

What information can people find with OSINT?

While all OSINT information is publicly available, most people may not realize what is out there about them and how someone can find it. Even people who think they have a limited digital footprint would be surprised at what OSINT researchers can uncover.

Email Addresses
Today, most people have at least one personal and one professional email address. According to research, 90% of Americans have an email address, averaging 1.75 email addresses each. Typically, people use their email addresses to:

  • Log into social media
  • Access work resources
  • Use ecommerce applications
  • Register for media, like news, professional publication, and streaming services

Usernames
To maintain consistency, many people use the same username across different online services. For example, someone whose email address begins with jdoe might also use jdoe as a social media handle. Further, these are typically the same forms that corporations use when generating user IDs. With this information, cybercriminals can connect known usernames to compromised passwords as part of credential-based attacks.
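The correlation step just described is the same one both sides run: attackers when they feed breach dumps through analytics tools (see “Third-Party Data Breaches” above), and security teams when they link an employee’s exposed personal accounts to a corporate login. The following Python is an added example, not code from this page or from any product. The employee names, the assumed corporate domain example.com and the breach dump in “email:password” combo-list form are all constructed for the demonstration.

```python
import unicodedata

# Constructed inputs: fictional employee names as they might be harvested from a
# public company page, an assumed corporate domain, and a made-up breach dump in
# the "email:password" combo-list format. None of this is real data.
HARVESTED_NAMES = ["Jane Doe", "Carlos Núñez", "Priya Raman-Iyer"]
CORP_DOMAIN = "example.com"
BREACH_DUMP = """\
jdoe@example.com:Summer2021!
jane.doe@gmail.com:Summer2021!
cnunez@example.com:hunter2
praman-iyer@example.com:Welcome1
someone.else@example.org:qwerty
"""


def name_parts(name):
    """Lower-case, strip accents ("Núñez" -> "nunez") and return (first, last)."""
    ascii_name = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    parts = ascii_name.lower().split()
    return parts[0], parts[-1]


def candidate_usernames(name):
    """Usernames the common corporate ID schemes would generate for this person."""
    first, last = name_parts(name)
    f = first[0]
    forms = {
        f"{first}.{last}", f"{first}{last}", f"{f}{last}", f"{first}{last[0]}",
        f"{last}.{first}", f"{last}{f}", f"{first}_{last}", first,
    }
    forms |= {u.replace("-", "") for u in forms}  # hyphen-free variants
    return sorted(forms)


def parse_dump(dump):
    """Parse 'email:password' lines into (local_part, domain, password) tuples."""
    records = []
    for line in dump.splitlines():
        email, sep, password = line.strip().partition(":")
        if not sep or "@" not in email:
            continue  # skip malformed lines instead of crashing
        local, _, domain = email.lower().partition("@")
        records.append((local, domain, password))
    return records


def correlate(names, corp_domain, dump):
    """For each person, list breached accounts whose local part matches one of
    their candidate usernames, and flag reuse of a personal password at work."""
    records = parse_dump(dump)
    report = {}
    for name in names:
        cands = set(candidate_usernames(name))
        hits = [(f"{local}@{dom}", pw) for local, dom, pw in records if local in cands]
        corp = {pw for addr, pw in hits if addr.endswith("@" + corp_domain)}
        personal = {pw for addr, pw in hits if not addr.endswith("@" + corp_domain)}
        report[name] = {
            "accounts": sorted(addr for addr, _ in hits),
            "reused_password": bool(corp & personal),
        }
    return report


if __name__ == "__main__":
    for person, info in correlate(HARVESTED_NAMES, CORP_DOMAIN, BREACH_DUMP).items():
        print(person, info)
```

In the sample, Jane Doe’s personal Gmail account and corporate account share a password, which is exactly the exposure the “Identify External Threats” section below describes: a personal breach that becomes a corporate login.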

Addresses
Personal and professional addresses are easily discoverable. On its own, an address may not affect cybersecurity. However, when aggregated with a name or IP address, ethical and criminal actors alike can use it to build a convincing pretext for approaching a target.

Phone numbers
When researchers collect and aggregate OSINT, phone numbers become even more valuable. Once a person’s name is tied to a phone number, an attacker can spoof that number, forging the caller ID so that calls or texts appear to come from it. For example, when a smishing attack sends a text message that appears to come from a trusted contact, the target is more likely to take the action that the attacker requests.

IP Addresses
When someone obtains an IP address, a reverse DNS and WHOIS lookup reveals the network owner and hosting provider, IP geolocation databases give an approximate location (often only as accurate as the provider’s nearest point of presence), and scanning services such as Shodan add the open ports and service banners observed on that address. Together these yield information about the server hosting a domain, including:

  • City
  • State
  • Zip code
  • Open ports

How do cybercriminals use OSINT for social engineering?

The first step to a successful social engineering attack is to gain a target’s trust or buy-in. People may be skeptical enough to ignore an email from a Nigerian prince, but they’re far less likely to ignore an email from their boss or human resources department.

Cybercriminals leverage OSINT so that they can build their attacks around information that will prompt someone to take an action that’s against their best interests. Further, cybercriminals collect and correlate various data types so that they can build out robust attacks. They rarely just use one type of data, like an email address.

Email Attacks
Phishing, spear phishing, and whaling are all typically email-based social engineering attacks. However, they use OSINT in subtly different ways.

Phishing
With a phishing attack, cybercriminals send out high volumes of fake emails, pretending to come from a legitimate entity. In this case, they really only need the email domain of the entity they want to impersonate.

For example, in a sophisticated attack targeting Office 365 credentials, cybercriminals imitated the domain for the US Department of Labor. They created domains like dol-gov.com, using a legitimate dol.gov domain for replies. The emails sent fake bidding instructions with a PDF that redirected the target to a phishing site where the criminals collected credentials.

Spear Phishing
With a spear phishing attack, cybercriminals might start by doing a LinkedIn search to find someone new to an organization in a high-visibility position, like a Chief Executive Officer (CEO). Once the cybercriminals have this information, they can search LinkedIn for people who will work directly with the new CEO. 

They find the organization’s domain and register a lookalike version of it. For example, fakecompany.com would become fakecompany.io. On this lookalike domain they host a form, and in the email they hide the “.io” behind link text or a display name so that it looks like it comes from the organization’s legitimate domain.

Building on this, they can then find examples of past statements that the new hire made and use them for the email’s text. They email the form to the targets that they found on LinkedIn, requiring them to supply login credentials when they complete it.

Between 2013 and 2015, cybercriminals used a spear phishing attack to steal $100 million from Google and Facebook. In this case, they created a fake computer manufacturing company, then sent invoices to targeted employees under the guise of being the legitimate services provider. Instead of paying the real provider, the companies directed the deposits to the cybercriminals’ bank accounts.
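The lookalike-domain step above is mechanical enough to automate, and a security team can run the same generator defensively to pre-register or watch the highest-risk permutations and to flag sender domains in mail logs, the way tools such as dnstwist do. The following Python is an added example, not code from this page or from any tool; fakecompany.com, the keyword list and the list of observed sender domains are all constructed.

```python
# Character substitutions that read the same at a glance; "rn" for "m" is the classic
HOMOGLYPHS = {"o": "0", "l": "1", "i": "l", "e": "3", "a": "4", "s": "5", "m": "rn"}
ALT_TLDS = ["com", "io", "net", "co", "org"]
KEYWORDS = ["sso", "okta", "hr", "login", "payroll"]  # assumed phishing-domain affixes


def lookalikes(domain):
    """Generate the registrable permutations an attacker is likely to use."""
    name, _, tld = domain.lower().rpartition(".")
    out = set()
    out.update(f"{name}.{t}" for t in ALT_TLDS if t != tld)           # fakecompany.io
    for kw in KEYWORDS:                                                 # fakecompany-sso.com
        out.add(f"{name}-{kw}.{tld}")
        out.add(f"{kw}-{name}.{tld}")
    for i, ch in enumerate(name):                                       # fakec0mpany.com
        if ch in HOMOGLYPHS:
            out.add(f"{name[:i]}{HOMOGLYPHS[ch]}{name[i + 1:]}.{tld}")
    if len(name) > 3:
        for i in range(len(name)):                                      # fakecmpany.com
            out.add(f"{name[:i]}{name[i + 1:]}.{tld}")
    for i in range(len(name) - 1):                                      # fakecompnay.com
        swapped = name[:i] + name[i + 1] + name[i] + name[i + 2:]
        out.add(f"{swapped}.{tld}")
    for i in range(1, len(name)):                                       # fake-company.com
        out.add(f"{name[:i]}-{name[i:]}.{tld}")
    out.discard(domain.lower())  # the real domain is never a lookalike of itself
    return out


def is_lookalike(observed, legit):
    observed = observed.lower().strip(".")
    return observed != legit.lower() and observed in lookalikes(legit)


def flag_senders(sender_domains, legit):
    """Sender domains from mail logs that are permutations of the real domain."""
    return sorted(d for d in sender_domains if is_lookalike(d, legit))


# Constructed sample of sender domains seen in inbound mail logs
OBSERVED_SENDERS = ["fakecompany.com", "fakecompany.io", "fakec0mpany.com",
                    "gmail.com", "fakecompany-sso.com", "fakecornpany.com"]

if __name__ == "__main__":
    print(flag_senders(OBSERVED_SENDERS, "fakecompany.com"))
```

Feeding the generated set to a WHOIS or passive-DNS lookup each day turns this into the suspicious-domain monitoring described later in the guide; a newly registered permutation with MX records is a strong early-warning signal.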

Vishing
Also called “phone phishing” or “voice phishing,” vishing is an attack in which cybercriminals call their targets directly. During a vishing attack, cybercriminals will often incorporate pretexting, inventing a situation that lures the target into taking action.

Many cybersecurity awareness training modules include pretexting scenarios where someone calls a new employee, pretending to be from human resources. For this attack to work, cybercriminals need to do their OSINT research.

For large organizations that might have upwards of 100 global new hires per week, this scenario gives attackers a significant return on investment. To be successful, attackers need a few different types of OSINT data. First, they find people on LinkedIn who recently announced that they joined the organization. Next, they find the organization’s published phone numbers (on its website, in VoIP directory data, or in job postings) so that they can spoof the caller ID. Then, they create a fake HR portal that sends submitted data directly to them. They call the new employees, telling them that to get paid they need to confirm payment data by clicking on a link that is being sent while they are on the phone. When the targets enter their credentials, the cybercriminals collect them.

In 2020, attackers compromised 130 Twitter accounts with a vishing attack. Twitter classified this as a phone spear phishing attack, saying that cybercriminals called employees and tricked them into revealing account credentials.

How OSINT Enables Cybersecurity Teams

The good news for organizations is that their security teams can also use OSINT. The information itself is benign. The danger or benefit comes from how someone uses it.

When organizations use OSINT to protect themselves, they can follow the same processes as threat actors. When security teams have access to the same publicly available information that malicious actors have, they can mitigate risk by reducing their digital footprint or implementing additional security controls.

Discover Public-facing Assets
Most security teams leverage OSINT to detect assets connected to the public internet. For example, many security teams use Shodan to detect IoT devices so that they can implement controls or protections.

Locate Information Outside Organization Boundaries
Sometimes, employees share information on social media without realizing that a little personal information can give an attacker the foothold that leads to a breach.

For example, an employee might list their telephone number on LinkedIn. With this information, skilled attackers can implement a successful vishing or smishing attack that could compromise both the personal and corporate accounts of the employee.

When security teams have visibility into this risk, they can implement preventative measures that reduce risk, in this case working with the employee to remove the phone number before it can be leveraged in a social engineering attack.

Identify External Threats
When security teams have OSINT tools, they can monitor dark web forums for stolen credentials that compromise the organization’s security.

According to research, 70% of users tied to breach exposures from 2021 or earlier were still reusing the exposed credentials. Further, more than two out of three people use the same passwords across multiple accounts, meaning a compromised personal password could impact someone’s professional login credentials.

Security teams that can find and link employee personal and professional leaked credentials can use this information to make sure these credentials are no longer being used.

Enhanced Penetration Tests
Penetration tests look for weaknesses in an organization’s security program. As part of this process, penetration testers start with the reconnaissance phase to map out the attack surface of the target. This involves running OSINT, looking for accidental sensitive information leaks across social media, data brokers, and other publicly available data locations. Then they leverage this information to aid their ethical social engineering attacks.

With regular OSINT monitoring, security teams can reduce the number of findings by proactively identifying and mitigating these risks.

Design Adversary Emulations
When security teams engage in adversary emulations, they follow threat actor tactics, techniques, and procedures (TTPs) to test their defensive controls.

For example, when security teams want to emulate a remote desktop protocol attack, they need to follow the same steps that attackers do. Many security teams focus on the steps that attackers take once they gain access to systems because they lack the OSINT visibility to emulate attackers’ social engineering and credential theft capabilities.

When security teams can effectively obtain publicly available data, like information employees post on social media, they can create more realistic emulations. By identifying employees that attackers might target, they can implement controls that proactively address these risks.

Picnic: Automated OSINT Monitoring and Remediation for Enhanced Cybersecurity
Picnic is the first technology platform that allows organizations to fully and automatically harness OSINT for defensive purposes.

The platform provides enterprise security teams with the capability to instantly emulate attacker reconnaissance on the entire OSINT footprint of their organization and its people across the surface web, social media, data brokers, breach repositories, and the deep and dark web. At the same time, Picnic’s technology continuously hunts and flags any exposed data and PII that would be of value to threat actors, identifies likely human targets and pathways to compromise, streamlines external data footprint cleansing, and enhances existing security controls to prevent attacks.

Since attackers have OSINT exposure too, Picnic also monitors for suspicious domains and other attacker infrastructure before these can be leveraged against an organization’s people.

With these preemptive and continuous capabilities, organizations gain an unprecedented level of visibility and control over their OSINT footprint and can substantially reduce a threat actor’s ability to use OSINT successfully against them.

Picnic’s technology marks a decisive moment in the history of OSINT, as it takes away the asymmetrical advantage threat actors have had until now.

Attackers need OSINT to craft their attacks. The public data vulnerabilities revealed during a cybercriminal’s reconnaissance are ultimately what lead to phishing, credential compromise, ransomware, malware, and the like.

Picnic’s platform addresses this problem head-on by providing enterprises and their people with the power to automatically know the full extent of their OSINT exposure, proactively remediate their human risk, and preemptively neutralize the pathways to compromise that their public footprint reveals. In this way, they can detect and prevent attacks before they happen on a scale not previously possible.

SANS First Look Report

Jeff Lomas of SANS discusses the importance of knowing your attack surface from the outside in and how Picnic can help organizations tackle the largest problem in cybersecurity—social engineering.

Just a little bit of exposed personal data can go a long way for a hacker

Hackers today use our exposed personal data against us. More than 90% of the time, cyberattacks are specifically crafted from users’ public data. To a hacker and to cyber specialists in general, this exposed, publicly available information is known as OSINT, or Open-Source Intelligence. OSINT can be any publicly available information a hacker can find on a target, such as data from LinkedIn, Instagram, and other social media sites, data brokers, breach repositories, and elsewhere. Hackers use this data to craft and power social engineering attacks. It is the data that tells the attacker who is a vulnerable and valuable target, how best to contact them, how to establish trust, and how ultimately to trick, coerce, or manipulate them. Social engineering attacks fool people into performing a desired action and criminals use social engineering to lure targets into handing over personal information, opening malicious files, or granting access to sensitive data.

In this post, we highlight some of the ways in which bad actors use our information in social engineering campaigns. Understanding the various ways in which even a limited amount of exposed personal information can be weaponized by social engineers can help us not only become more vigilant and cautious but will hopefully also motivate us to take proactive measures to protect ourselves and our companies before attacks happen.

Hackers need—and harvest!—personal information to craft attacks

In order to identify, choose, and plan attacks against potential targets, threat actors must first conduct OSINT reconnaissance. Hackers have a variety of tools that automate this process. They begin by searching for information and selecting a vulnerable target, and then using the target’s data to create a compelling story that will trick them. The social engineer uses one of several means, such as an email, social media, or a phone call, to contact the target and establish trust. If the communication is convincing enough, the victim will be fooled and unwittingly click a malicious link or give the attacker sensitive information that will be used against them or their company. 

On account of the essential role that public data plays in social engineering attacks, it behooves us to be aware of, and especially to limit, the amount of personal information we share online. The larger our digital footprint is, the larger our attack surface is and the more visible we are to social engineers. The more information attackers have on a target, the easier it is for them to craft convincing, and ultimately successful, social engineering attacks. The less visible we are, the less attractive we are to hackers and the fewer paths to compromise there are to be exploited.

While deleting oneself entirely from the internet in the 21st century is not viable, by carefully curating what you share and with whom you share it, you can significantly reduce your visible attack surface and make social engineering attacks harder to mount.

Even a little bit of exposed information can be dangerous

Hackers don’t need much personal information to wreak havoc on your life. They can do a significant amount of damage with just your cell phone number. Typing your number into a people search site, for instance, can reveal your personal information to an attacker in just a few seconds. This information can then be used for social engineering, identity theft, doxing, or other malicious actions, such as taking over your email and other accounts. 

With only your phone number, a hacker can often find your email address through a people-search site. They can then contact your mobile provider and claim to be you (a “SIM swap”), have your number moved to their phone, go to your email provider’s login page, click ‘forgot password,’ and have the SMS reset code sent to them. Once they have your email account, every other account that uses that email for password resets is potentially vulnerable. This is one reason to protect your carrier account with a port-out PIN, to prefer app- or hardware-based second factors over SMS, and to avoid using the same username and password across multiple accounts!

Once acquired, a hacker could also decide to ‘spoof’ your phone number. This makes your number appear on a caller ID even though it is not you. Using this method, a bad actor can impersonate you to trick one of your friends or colleagues, or call you from a spoofed number, one that you may recognize or trust, in an attempt to socially engineer you or to record your voice for use in another scam.

The fact that a hacker can do so much with just a limited amount of information should make us think twice about what we share publicly, even if it’s only our phone number.

Exposed data and credential compromise

Hackers can also do a lot of damage with exposed login credentials. Usernames, email addresses, and corresponding passwords become available on the dark web (and the public web!) once they have been involved in a data breach. You can find out whether your personal data has been compromised in a breach by checking haveibeenpwned.com, for example. Whenever this type of information gets exposed, it leaves users vulnerable to credential compromise.

Credential compromise, also known as ‘credential stuffing,’ happens when an attacker obtains a list of breached username and password pairs (“credentials”) from the dark web and then uses automated scripts or ‘bots’ to test them on dozens or even hundreds of website login forms with the goal of gaining access to user accounts. There are massive lists of breached credentials available to hackers on the black market and, since most people reuse passwords across different accounts, it is inevitable that some of these credentials will work on other accounts, either personal or corporate.

Once hackers have access to a customer account through credential stuffing, they can use the account for various nefarious purposes such as stealing assets, making purchases, or obtaining more personal information that can be sold to other hackers. If the breached credentials belong to an employee, the hacker can use that access to compromise a company’s systems and assets. 

Since credential compromise relies on the reuse of passwords, avoiding the reuse of the same or similar passwords across different accounts is critical. Always use strong passwords that are difficult to guess and change them frequently. Additionally, using multi-factor authentication, which requires users to authenticate their login with something they physically have and something they personally know, is a good defense against credential stuffing since an attacker’s bots cannot replicate this validation method. 
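The bot-driven pattern described above leaves a recognisable trace in login logs: one source tries many different usernames in quick succession and most attempts fail, while a normal user retries one account a few times. The following added example (not code from the e-book or from Picnic) summarises constructed sample login events per source IP, flags sources that match that pattern, and lists the accounts that did succeed from a flagged source, since those are the reused passwords that "worked" and need a forced reset. The log format and the thresholds are assumptions for the example.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Constructed sample of web login events (not real logs), one per line in the
# assumed format: "timestamp src_ip username result".
SAMPLE_LOGIN_LOG = """\
2022-09-01T10:00:01Z 203.0.113.9 alice FAIL
2022-09-01T10:00:02Z 203.0.113.9 bob FAIL
2022-09-01T10:00:02Z 203.0.113.9 carol FAIL
2022-09-01T10:00:03Z 203.0.113.9 dave OK
2022-09-01T10:00:03Z 203.0.113.9 erin FAIL
2022-09-01T10:00:04Z 203.0.113.9 frank FAIL
2022-09-01T10:00:04Z 203.0.113.9 grace FAIL
2022-09-01T10:00:05Z 203.0.113.9 heidi FAIL
2022-09-01T10:00:05Z 203.0.113.9 ivan FAIL
2022-09-01T10:00:06Z 203.0.113.9 judy FAIL
2022-09-01T10:01:00Z 198.51.100.4 alice FAIL
2022-09-01T10:01:30Z 198.51.100.4 alice OK
2022-09-01T10:02:00Z 192.0.2.77 bob OK
"""


@dataclass
class SourceStats:
    """Per-source-IP counters used to recognise a stuffing pattern."""
    attempts: int = 0
    failures: int = 0
    usernames: Set[str] = field(default_factory=set)
    successes: List[str] = field(default_factory=list)  # accounts that logged in


def parse_events(text: str) -> List[Tuple[str, str, str, str]]:
    """Split log lines into (timestamp, src_ip, username, result); skip malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            events.append((parts[0], parts[1], parts[2], parts[3]))
    return events


def summarize_by_source(events) -> Dict[str, SourceStats]:
    """Aggregate attempts, failures, distinct usernames and successes per source IP."""
    stats: Dict[str, SourceStats] = defaultdict(SourceStats)
    for _ts, src, user, result in events:
        s = stats[src]
        s.attempts += 1
        s.usernames.add(user)
        if result == "FAIL":
            s.failures += 1
        elif result == "OK":
            s.successes.append(user)
    return dict(stats)


def flag_stuffing_sources(stats: Dict[str, SourceStats],
                          min_distinct_users: int = 5,
                          min_failure_ratio: float = 0.8) -> Dict[str, SourceStats]:
    """A source is suspicious when it spreads attempts over many accounts and mostly fails.

    A legitimate user retrying one account keeps the distinct-user count low,
    so that case is not flagged even if every attempt failed.
    """
    flagged = {}
    for src, s in stats.items():
        ratio = s.failures / s.attempts if s.attempts else 0.0
        if len(s.usernames) >= min_distinct_users and ratio >= min_failure_ratio:
            flagged[src] = s
    return flagged


def accounts_needing_reset(flagged: Dict[str, SourceStats]) -> List[str]:
    """Accounts that authenticated from a flagged source: likely reused, breached passwords."""
    return sorted({user for s in flagged.values() for user in s.successes})


if __name__ == "__main__":
    flagged = flag_stuffing_sources(summarize_by_source(parse_events(SAMPLE_LOGIN_LOG)))
    for src, s in flagged.items():
        print(f"{src}: {s.attempts} attempts, {s.failures} failures, "
              f"{len(s.usernames)} distinct accounts")
    print("force password reset + MFA re-enrolment for:", accounts_needing_reset(flagged))
```

The failure ratio is what separates stuffing from a distributed brute force against one account; the distinct-user threshold is what separates it from an ordinary user who forgot a password. Tune both to the site's normal traffic before alerting on them.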

Recent real-world examples reveal the dangers of exposed personal data for companies

Companies should be especially wary of the role exposed personal data of employees plays in cyberattacks. Three recent examples that made headlines highlight how just a limited amount of exposed employee information can be used to craft a successful social engineering campaign and breach organizations. 

Twilio and Cloudflare

In August, hackers targeted two security-sensitive companies, Twilio and Cloudflare, as part of a larger ongoing campaign dubbed “Oktapus” that ultimately compromised more than 130 organizations and netted the attackers nearly 10,000 login credentials. In the case of Twilio, the hackers began by cross-referencing employee public data from Twilio’s LinkedIn roster (the starting point of most attacks) against existing exposed third-party breach data sets (e.g., haveibeenpwned.com) and data broker data (e.g., white pages). This gave the attackers a list of personal information of employees to target. The hackers then created a fake domain and login page that looked like Twilio’s (twilio-sso.com or twilio-okta.com). Using the acquired personal data, they then sent text messages to employees that appeared to be official company communications. The link in the SMS message directed the employees to the attackers’ fake landing page, which impersonated their company’s sign-in page. When the employees entered their corporate login credentials and two-factor codes on the fake page, they handed them over to the attackers, who then used those valid credentials on the actual Twilio login page to access the systems illegally.


Although Cloudflare was also targeted in this way, they were able to stop the breach through their use of FIDO MFA keys. Even though they were able to keep the attackers from accessing their systems through advanced security practices, Cloudflare’s CEO, senior security engineer, and incident response leader stated that “This was a sophisticated attack targeting employees and systems in such a way that we believe most organizations would be likely to be breached.”

Indeed, the exposed personal data used to power the Oktapus attacks shows how dangerous even a small amount of public data can be in the hands of a social engineer.

Cisco 

In another example from May of this year, the corporate network of multinational security company Cisco was breached by hackers with links to both the Lapsus$ and Yanluowang ransomware gangs. In this case, the hackers acquired the username or email address of a Cisco employee’s Google account along with the employee’s cell phone number. They targeted the employee’s mobile device with repeated voice phishing attacks with the goal of taking over the Google account. The employee was using a personal Google account that was syncing company login credentials via Google Chrome’s password manager. The account was protected by multi-factor authentication (MFA), however, so the hackers posed as people from the technical support departments of well-known companies and sent the employee a barrage of MFA push requests until the target, out of fatigue, finally agreed to one of them. This gave the attackers access to the Cisco VPN through the user’s account. From there the attackers were able to gain further access, escalate privileges, and drop payloads before being slowed and contained by Cisco. The TTPs (tactics, techniques, and procedures) used in the attack were consistent with pre-ransomware activity.

Uber 

Most recently, the ride-hailing company Uber was breached by a hacker thought to be linked to the Lapsus$ group, who gained initial access by socially engineering an Uber contractor. The attacker had apparently acquired the corporate password of this contractor on the dark web after it had been exposed through malware on the contractor’s personal device. The attacker then repeatedly tried to log in to the contractor’s Uber account, which sent multiple two-factor login approval requests to the contractor’s phone. Finally, the hacker posed as Uber IT and sent a message asking the contractor to approve the sign-in. After successfully exhausting the contractor, the approval was granted, and this provided the hacker with the valid credentials needed to gain access to Uber’s VPN. Once inside, the hacker found a network share that had PowerShell scripts. One of these scripts contained admin credentials for Thycotic [a privileged access management solution]. Once the hacker had access to this, he was able to get access to all other internal systems by using their passwords.

The Uber hack is a prime example of how, with only a limited amount of exposed personal data and some social engineering, a hacker can easily trick, manipulate, or coerce a human and compromise a company’s systems. See our key takeaways and remediation recommendations.
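Both the Cisco and Uber incidents above turned on MFA push fatigue: a burst of push prompts to one user, most denied or ignored, followed by a single approval. An identity provider's MFA event log makes that sequence visible, and the following added example (not code from the e-book or from Picnic) shows a detection rule over constructed sample events. It slides a time window over each user's prompts, raises an alert when the prompt count in the window crosses a threshold, and records separately whether an approval arrived after the burst, which is the case that needs the session revoked and the user called. The log format, window and threshold are assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample of MFA push events (not real logs), one per line in the
# assumed format: "timestamp user outcome" with outcome in {APPROVED, DENIED, TIMEOUT}.
SAMPLE_MFA_LOG = """\
2022-09-15T22:10:05Z jdoe DENIED
2022-09-15T22:10:40Z jdoe TIMEOUT
2022-09-15T22:11:12Z jdoe DENIED
2022-09-15T22:11:55Z jdoe TIMEOUT
2022-09-15T22:12:30Z jdoe DENIED
2022-09-15T22:13:02Z jdoe TIMEOUT
2022-09-15T22:14:10Z jdoe APPROVED
2022-09-15T09:00:00Z asmith APPROVED
2022-09-15T17:30:00Z asmith DENIED
2022-09-15T17:30:20Z asmith APPROVED
"""


def parse_mfa_events(text: str) -> List[Tuple[datetime, str, str]]:
    """Parse log lines into (timestamp, user, outcome); malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, parts[1], parts[2].upper()))
    return events


def find_push_fatigue(events: List[Tuple[datetime, str, str]],
                      window: timedelta = timedelta(minutes=10),
                      min_prompts: int = 5) -> Dict[str, dict]:
    """Per user, report bursts of push prompts and whether one was approved during a burst.

    For every prompt we count how many prompts the same user received in the
    preceding `window`; reaching `min_prompts` is a burst. An APPROVED outcome
    while in a burst is the fatigue success case and is flagged separately.
    """
    by_user: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for ts, user, outcome in events:
        by_user[user].append((ts, outcome))

    alerts: Dict[str, dict] = {}
    for user, prompts in by_user.items():
        prompts.sort()
        max_in_window = 0
        burst_start = None
        approved_after_burst = False
        left = 0  # start index of the sliding window
        for right, (ts, outcome) in enumerate(prompts):
            while prompts[left][0] < ts - window:
                left += 1
            count = right - left + 1
            max_in_window = max(max_in_window, count)
            if count >= min_prompts:
                burst_start = burst_start or prompts[left][0]
                if outcome == "APPROVED":
                    approved_after_burst = True
        if max_in_window >= min_prompts:
            alerts[user] = {
                "max_prompts_in_window": max_in_window,
                "burst_start": burst_start,
                "approved_after_burst": approved_after_burst,
            }
    return alerts


if __name__ == "__main__":
    for user, info in find_push_fatigue(parse_mfa_events(SAMPLE_MFA_LOG)).items():
        severity = "CRITICAL: approval during burst" if info["approved_after_burst"] else "warning"
        print(f"{user}: {info['max_prompts_in_window']} prompts from "
              f"{info['burst_start']:%H:%M:%S} ({severity})")
```

The same window logic works as a preventive control on the identity provider side: refusing to send another push once a user has hit the threshold, and requiring number matching or a hardware key instead, removes the "just approve it to make it stop" option that both incidents relied on.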

Limiting exposed personal data to prevent attacks

The examples provided here illustrate some of the common ways our personal information can be successfully weaponized by today’s hackers. It is now more urgent than ever for people and companies to know and manage their exposed public information proactively to help prevent attacks. Attackers are opportunists who care about their ROI. By limiting exposed personal data, it becomes more difficult and therefore more expensive for threat actors to succeed in social engineering attacks. Companies that recognize this fact pattern and take action to protect their employees will be more likely to avoid expensive and damaging breaches.

An electric utility company takes cybersecurity beyond the perimeter

The challenge


This client, like most utilities, possesses a strong culture of safety and a similar commitment to security. As a utility, it also operates in one of the 16 sectors designated by the US Cybersecurity and Infrastructure Security Agency (CISA) as part of the United States’ critical infrastructure. This means that the organization faces a specific set of requirements, which include disciplined cybersecurity practices.

Traditional cybersecurity has focused mainly on the internal environment and on data layers within the organization. For that reason, the organization sought a solution that expanded the purview and practice of cybersecurity beyond its walls. Management felt the need to identify and address vulnerabilities in the data “out there,” where more than 90% of cyberattacks now originate.

They also wanted an external perspective to support an outside-in approach to security. They wanted to know how malicious actors could gather information about users to mount an attack on the company. What could those actors find on social media profiles and what messages could they use to launch socially engineered attacks? What could they learn about the organization’s hardware and software and its methods of authentication? What could they learn about its supply chain: What products does it buy? From whom does it buy these products? How does it pay its vendors? What could attackers learn about the leadership team, the Board, employees, investors, and other stakeholders that would make the organization vulnerable to attacks?

Another goal was to broaden the conversation about cybersecurity within the organization. Given the exposures that can be unwittingly created by users with legitimate access to the organization’s systems, leaders had come to see that cybersecurity is everyone’s responsibility. They also wanted to go beyond simply training and coaching people on how to “be careful” when using their laptops and devices; they wanted easy-to-use tools to support users’ efforts to keep systems secure.

Before learning about Picnic, the security team had worked to understand which publicly available data could create vulnerabilities and, to address reputational risk, what people were saying about the company. Yet these efforts were ad hoc, such as monitoring social media feeds, and they employed few tools, such as customized scripts and open-source tools. They wanted to harness data science to see across the internet and to identify the controls they really needed to have in place.

In sum, the security team realized that their environment lacked a defined perimeter, which meant that firewalls, endpoint protection tools, and role-based access controls could no longer provide the needed level of security.

The solution

Picnic provided both ease of enrollment for employees and tools that enabled employees to easily remove publicly available data on themselves.

Picnic’s capabilities let a user simply agree to be deleted from multiple sources of public data gathering, which Picnic handled for both the user and the organization.

The Picnic Command Center enabled analysts from the security operations team to seek out types of data that expose the organization to risk. That, in turn, positioned the team to educate employees about ways in which an attacker could use a particular type of information against them or the company. This created a clear division of responsibility: the organization flagged the risks while the employees controlled the data they deleted or left up.

The organization presented Picnic as a benefit to employees, which it is. Although other identity protection tools are presented that way, they are primarily geared to post-event remediation. In contrast, Picnic enables each employee to identify and deal with their publicly available data in private, so they can lower their individual risk, and by extension risk to the organization. Each employee gets to make changes dictated by their own preferences rather than their employer’s. With information from Picnic, they were able to, for example, adjust the privacy settings on their social media accounts so that only specific family members and friends can view them. Whatever steps they took reduced their exposure to attack—a benefit to them and to the organization.

Clear and consistent communications during rollout clarified both the rationale and use of the tools. Integration with the organization’s existing technology was straightforward, with Picnic tools fitting readily into existing solutions. The client/Picnic team took an agile approach to both the development methodology and operational implementation.

The impact

Picnic has assisted the security staff in identifying vulnerabilities and assisted employees in monitoring and limiting their risk exposures. The tools have provided protective controls for employees while minimizing extra steps and added work on their part. It has also helped the security staff to more effectively identify where potential threats might originate and the various forms that attacks could take.

Yet the impact of Picnic extends beyond what the platform itself does. It has enabled the security staff to launch a broader and deeper conversation about cybersecurity at the organization. This has created the opportunity to better understand, explain, and contribute to the organization’s culture of security. The security staff does not usually use the term “culture of security” with employees but the leadership team discusses it and works to create that culture. Picnic has accelerated that effort.

Picnic has also reduced burdens on the security team. It has helped to establish that everybody needs to maintain high awareness of how their social media settings or internet presence create risks. By their nature, the tools dramatically increase employee engagement in cybersecurity in ways that training sessions or video tutorials cannot.

The Picnic toolset has delivered capabilities that allow security staff to see risks outside of their corporate walls and to mitigate them. The security team can now not only alert users to the risks they face; they have also initiated new controls, such as multi-factor authentication on items that could be of use to an attacker. They have added new controls over remote access and other attack vectors where an attacker could access personal information from a data log or a compromised website. The organization is also using password reset tools that make users’ lives easier, while increasing their efficiency and effectiveness.

While no single solution can eliminate every data security issue, Picnic has broadened the organization’s view of its threat landscape and positioned it to better address risks. It has also reduced its attack surface, broadened the conversation about cyber risk and security, and delivered increased security to employees and the organization. This has occurred in the context of Picnic’s sound and sustainable methodology, process, and program for identifying and addressing social engineering threats.

1 https://www.cisa.gov/critical-infrastructure-sectors

RedTeam Raw, Episode #1: Marcello Salvati on how he became a leading Red Teamer (and Cyber Security Expert)

In the very first episode, Picnic’s own Director of Global Intelligence, Manit Sahib, talks with InfoSec legend Marcello Salvati, most famously known as the creator of CrackMapExec and SilentTrinity. He is the founder and CEO of Porchetta Industries, Security Engineer at SpaceX, and is known on Twitter as @byt3bl33d3r. We discuss his perspectives on InfoSec, advice for those getting started in this space, how he got to where he is now, overcoming burnout and managing time, red team stories, and where he thinks InfoSec is heading over the next 10 years.

Like and subscribe for future episodes of RedTeam Raw here: https://www.youtube.com/channel/UCVn3…

Cybersecurity is a new HR benefit

Cybersecurity has traditionally been seen as a job for IT departments – and most employees assume that cybersecurity is simply a technical issue. But an examination of current threat types shows that social engineering attacks on employees are now a major concern for corporate security. However, protecting employees from social engineering attacks means protecting the whole person – at work and at home. The challenge becomes the line between what is corporate and what is personal. Innovative Human Resources (HR) departments have a solution. Cybersecurity can be a gift to employees, not unlike health insurance. This new benefit further underlines HR’s important role in promoting a healthy corporate culture…including cybersecurity.

Cybersecurity – The role of HR in mitigating risk

It is estimated that cybercrime costs the global economy nearly $3 million per minute, with 27% of all cyberattacks resulting from employee errors. Many companies are aware that employees are the weakest link in an organization’s cybersecurity. 9 out of 10 times, it is unintentional. Yes, you might get the odd disgruntled employee, but more often than not, employee negligence is the primary source of data breaches. From falling afoul of phishing, to accidental installation of malicious apps and using unsecured networks, the variety and prevalence of cyber-traps are growing daily. Even common behaviors that seem trivial, like shared passwords, lax BYOD habits, remote working, and leaving devices lying around – all can lead to loss of data or even large sums of money.

Since people are a key factor in many cybersecurity-related issues, HR should be involved to minimize the risk. Why? HR is uniquely equipped to humanize and promote security within an organization. Whether it’s through the onboarding process, providing security guidelines or educating employees, the HR department can cover the majority of cybersecurity threats – and your company will be much safer for it. “HR leaders can engage employees in recruitment, culture, and education to boost awareness and adoption of new policies to help IT teams develop a ‘human firewall’ for your organization, turning employees – your greatest security threat – into your greatest asset,” says Marcy Klipfel of Businessolver.

Some forward-thinking companies already employ the skills and insight of their HR teams to enhance risk mitigation. But as the digital footprint of an individual continues to grow like a ripple effect, and the lines continue to blur between personal and business use of technology, modern cybersecurity requires more than firewalls, antivirus and HR policies. If a business is serious about protecting itself and its employees, it’s time the business started thinking about offering cybersecurity as an HR benefit.

Cybersecurity as an HR benefit

We live in a digital era and, as such, it’s likely that most, if not all, of your employees have a digital footprint. This is normal. Daily, most of us engage in some form of online activity, such as photo sharing, online dating, banking, shopping, gaming, and social/professional networking. Like it or not, these all add to one’s digital footprint. And that’s not all. Others may post photos or information about us online. And then there are search engine histories, smart phone geolocation data, etc.

While an individual’s growing online digital footprint and relentless tracking of all their thoughts and data might not be a problem to them, it may be exploited by those with malicious intent. What your employees do and say online, or how they use digital devices, can make them and your organization vulnerable to a range of security threats. Most hackers are just looking for that one right chance and an employee’s online activities can create an ideal passageway into your company, potentially resulting in unintended, or even catastrophic, consequences.

Unplugging yourself or an employee from the rest of the world is not really an option. But what is an option is that your company can help protect its employees – while protecting itself. While it’s a novel concept, data hygiene management should now be considered the newest employee benefit. As with a person’s health, when things go wrong, cybercrime can be very costly for the individual. Like health insurance benefits, cybersecurity benefits reduce the financial risk and give peace of mind.

Future of cybersecurity

The biggest challenge for HR is explaining the threat of social engineering to individuals while not being perceived as “Big Brother.” Employees can be very wary of privacy, though at the same time may not be very aware of the vulnerability of their personal digital footprint. But everyone is susceptible to cyberattacks and the impact can be severe for both individuals and their employers. The perceived value of cybersecurity as an HR benefit will only increase with time – and with the preponderance of cybercrime. Prescient employers are making moves now to bolster their cybersecurity culture and offer a competitive benefit that will be attractive to employee candidates.