Get the basics on online investigations to build cyberthreat intelligence, including the role of OSINT, typical workflows and more.
In the world of combating cyber threats, time is of the essence. But the volume of alerts requiring investigation and the scale of information that an investigation can encompass can make time the enemy.
That’s why it’s so important to have the tools and tradecraft to find the information you need as quickly as possible. Not only can you conduct investigations more quickly, but you can improve the quality of intelligence delivered and ensure the course of the online investigation doesn’t introduce new risks to your organization.
Through a series of upcoming blogs, Authentic8’s experienced cybersecurity personnel and training team will outline some tips, tricks and tools that can be used by cyber threat intelligence personnel for online investigations.
In this post, let’s start with the basics.
OSINT and threat intelligence investigations
OSINT is the practice of collecting information from publicly available sources and turning it into actionable intelligence that an organization can consume for protection or risk reduction. OSINT is useful not only to sophisticated government agencies and law enforcement, but also to financial crime analysts, to fraud and brand-misuse investigators and, in particular, to cybersecurity teams.
Cybersecurity teams frequently use OSINT for OPSEC (operational security): understanding which of their company’s information is publicly available. This information may be on assets they control; on assets designed to be public-facing (or that became so through error); or on assets outside the company perimeter (e.g., social media or third-party websites that may accidentally leak information).
Additionally, cybersecurity teams use OSINT to identify threats and vulnerabilities in their organizations that may require updates, reconfiguration of security controls or remediation through software/hardware updates.
OSINT is used to analyze, monitor and track cyberthreats, whether targeted or indiscriminate attacks against an organization by malware and bad actors. A cyber OSINT investigation can be triggered in several ways:
- A flag or item of interest identified from a threat intelligence platform (TIP) or subscription service
- A new threat, vulnerability or data breach is identified in media reports
- Announcement by a government cybersecurity organization
- A threat hunter identifying a potential advanced persistent threat (APT) within the network
An issue caught by a TIP will require more detailed research to understand how significant it is. Conducting OSINT across the surface, deep and dark web can enrich the indicator so that urgency and scope become clear.
For example, a TIP may flag email addresses and passwords in a breach package, or on a forum or dark web site. An analyst will want to see the full breach package to understand which high-ranking individuals could become targets for phishing attacks.
The analyst can then gather more detail on the breached information, including who at their organization may be affected and how the breach occurred. This amplifying information is key to identifying the risk to the organization and the actions that will be needed to reduce it.
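The triage step described above, as an added example that is not Authentic8’s code: it takes a breach dump that has already been retrieved as text (one credential per line in any of the common “email:password”, “email;password” or “email password” layouts), keeps only accounts on the organization’s own domains, flags high-value roles, and records a fingerprint of each secret instead of the secret itself so the report can be circulated. The organization domains, the role roster and the dump lines are all constructed for the example.

```python
"""Triage a breach package against the organization's own domains.

Added example, not code from the original post. Assumes the breach dump is
already saved as text, one credential per line. ORG_DOMAINS, HIGH_VALUE_ROLES
and SAMPLE_DUMP are constructed for the example.
"""
import hashlib
import re

ORG_DOMAINS = {"example.com", "corp.example.net"}          # assumption
HIGH_VALUE_ROLES = {                                        # assumption
    "cfo@example.com": "CFO",
    "itadmin@corp.example.net": "IT administrator",
}

# Constructed sample of a breach dump as it might appear on a forum:
# mixed separators, mixed case, a hashed entry, a duplicate and junk.
SAMPLE_DUMP = """\
alice@example.com:Summer2023!
bob@gmail.com:hunter2
CFO@Example.com;P@ssw0rd
itadmin@corp.example.net 5f4dcc3b5aa765d89d528d9d8e1e83cb
alice@example.com:Summer2023!
not an email line
carol@example.org:qwerty
"""

# email, then one or more separator characters, then the secret
EMAIL_RE = re.compile(r"^\s*([^\s:;]+@[^\s:;]+)[\s:;]+(\S+)\s*$")
MD5_RE = re.compile(r"^[0-9a-f]{32}$")


def parse_line(line):
    """Return (email, secret) or None if the line is not a credential pair."""
    m = EMAIL_RE.match(line)
    if not m:
        return None
    return m.group(1).strip().lower(), m.group(2)


def fingerprint(secret):
    """Short SHA-256 fingerprint so the report never carries the secret itself."""
    return hashlib.sha256(secret.encode()).hexdigest()[:12]


def triage(dump_text, org_domains=ORG_DOMAINS, roles=HIGH_VALUE_ROLES):
    """Return the org-affected accounts from a breach dump, most urgent first."""
    seen = {}
    for line in dump_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue                      # junk line: skip, keep going
        email, secret = parsed
        domain = email.rsplit("@", 1)[1]
        if domain not in org_domains:
            continue                      # someone else's user
        plaintext = not MD5_RE.match(secret)   # hashed entries are less urgent
        record = seen.setdefault(email, {
            "email": email,
            "role": roles.get(email),
            "plaintext": False,
            "fingerprints": set(),
        })
        record["plaintext"] |= plaintext
        record["fingerprints"].add(fingerprint(secret))
    # Priority: known high-value role first, then plaintext exposure, then name.
    return sorted(seen.values(),
                  key=lambda r: (r["role"] is None, not r["plaintext"], r["email"]))


if __name__ == "__main__":
    for r in triage(SAMPLE_DUMP):
        print(r["email"], r["role"] or "-", "plaintext" if r["plaintext"] else "hashed",
              sorted(r["fingerprints"]))
```

The fingerprint is deliberately a one-way hash of the leaked secret: the point of the report is who is exposed and how badly, and copying the plaintext credentials into a ticket or a shared spreadsheet would recreate the leak inside the organization.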
When a threat hunter identifies an anomaly on the internal network, they need to understand whether it is malicious. This often requires a lot of research into current attacker tactics, techniques and procedures (TTPs), which may mean researching and collecting information in the areas where attackers reside (e.g., forums).
When a new threat or vulnerability is reported by a news organization or a cybersecurity research organization, the analyst needs to confirm the reports. This means not only looking on the surface and deep web for additional reporting and details, but possibly also looking on the dark web for information on where the threat or vulnerability is being, or has been, exploited.
This is where having the knowledge and ability to access the deep and dark web becomes important for a cyberthreat or cybersecurity analyst.
What is an online investigation for threat intelligence?
In the world of cyber threat intelligence, an online investigation is the research that security operations center (SOC) and cyber threat intelligence (CTI) teams conduct using publicly available information, commercial data sets and threat intelligence, as well as investigating the deep or dark web for harder-to-find information. With all of this information combined and corroborated, these teams can neutralize threats and protect their organizations.
Research often involves proactive collection to enrich threat subscription information like indicators of compromise (IOCs) and also helps inform directed investigations of known potential threats. Threat intelligence investigations also prevent or reduce the severity of disruption or theft from threats evading detection.
Online investigations can be conducted for a myriad of reasons by a variety of organizations. Some examples are concerns for national security, violation of terms of service agreements, law enforcement research and financial fraud.
Investigators may look into phishing campaigns, malware exploitation or other cyberattacks that can put an organization’s IT infrastructure, intellectual property or other proprietary data (e.g., PII of employees or customers, financial records, sensitive documents) at risk.
Listen to NeedleStack's Know thyself, disguise thyself podcast episode for more information on tools that can aid an online investigation.
Where threat intelligence investigations fall in the SOC workflow
Typically, one of a few “upstream” sources kicks off the SOC or CTI analysts’ investigative work:
- Indicators are provided by a tool, service feed or report. This external data is piped into a SIEM and correlated with log data.
- A senior CSOC analyst or senior CSOC manager either requests additional information or creates a new task that is escalated to CTI analysts.
- A SOC analyst escalates an event to a higher tier.
In each scenario, CTI analysts must perform primary research on the web to enrich the information; analyze the collected information (in a tool like Maltego or DomainTools); and draft a threat assessment that can be distributed throughout the organization and to the applicable teams.
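The first upstream path above, feed indicators correlated with log data, as an added example that is not the page’s or any vendor’s code. Indicators in reports are usually defanged (hxxp, [.]) so they cannot be clicked by accident, and a correlation that forgets to refang them silently matches nothing; the script below refangs the feed, indexes exact domain, URL and IP matches plus CIDR ranges, and runs a handful of proxy log lines against it, carrying the feed source and confidence through to each hit. The feed entries, the log lines and the five-field log layout (timestamp, source IP, destination host, URL, action) are constructed assumptions.

```python
"""Correlate a threat feed with proxy logs, refanging indicators first.

Added example, not code from the original post. FEED, LOGS and the log field
layout are constructed for the example.
"""
import ipaddress
import re

# Constructed feed, as it might arrive from a TIP or a published report.
FEED = [
    {"value": "evil-updates[.]example", "type": "domain",
     "source": "vendor-A", "confidence": 80},
    {"value": "hxxps://evil-updates[.]example/payload.bin", "type": "url",
     "source": "report-2", "confidence": 90},
    {"value": "198[.]51[.]100[.]23", "type": "ipv4",
     "source": "vendor-A", "confidence": 60},
    {"value": "203.0.113.0/24", "type": "ipv4-net",
     "source": "govt-advisory", "confidence": 50},
]

# Constructed proxy log lines: timestamp src_ip dst_host url action
LOGS = """\
2024-05-01T10:00:01Z 10.1.2.3 evil-updates.example https://evil-updates.example/payload.bin ALLOWED
2024-05-01T10:00:05Z 10.1.2.4 www.example.com https://www.example.com/ ALLOWED
2024-05-01T10:00:09Z 10.1.2.5 203.0.113.77 http://203.0.113.77/beacon ALLOWED
2024-05-01T10:01:00Z 10.1.2.3 evil-updates.example https://evil-updates.example/payload.bin BLOCKED
"""


def refang(value):
    """Undo common defanging: hxxp -> http, [.] or (.) -> ., [:] -> :."""
    value = re.sub(r"^hxxp", "http", value, flags=re.IGNORECASE)
    return value.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")


def build_index(feed):
    """Normalize the feed into exact-match tables plus a list of CIDR networks."""
    idx = {"domain": {}, "url": {}, "ipv4": {}, "nets": []}
    for ioc in feed:
        v = refang(ioc["value"]).lower()
        if ioc["type"] == "ipv4-net":
            idx["nets"].append((ipaddress.ip_network(v), ioc))
        else:
            idx[ioc["type"]][v] = ioc
    return idx


def correlate(log_text, feed=FEED):
    """Return one hit per (log line, indicator) pair, highest confidence first."""
    idx = build_index(feed)
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue                      # malformed line: skip, don't abort the run
        ts, src_ip, dst_host, url, action = parts
        dst_host = dst_host.lower()
        matched = []
        if dst_host in idx["domain"]:
            matched.append(idx["domain"][dst_host])
        try:
            addr = ipaddress.ip_address(dst_host)
        except ValueError:
            addr = None                   # hostname, not a literal IP
        if addr is not None:
            if dst_host in idx["ipv4"]:
                matched.append(idx["ipv4"][dst_host])
            matched.extend(ioc for net, ioc in idx["nets"] if addr in net)
        if url.lower() in idx["url"]:
            matched.append(idx["url"][url.lower()])
        for ioc in matched:
            hits.append({"ts": ts, "src_ip": src_ip, "action": action,
                         "indicator": ioc["value"], "source": ioc["source"],
                         "confidence": ioc["confidence"]})
    hits.sort(key=lambda h: (-h["confidence"], h["ts"]))
    return hits


def hosts_needing_followup(hits):
    """Internal hosts whose contact with an indicator was not blocked."""
    return {h["src_ip"] for h in hits if h["action"] != "BLOCKED"}


if __name__ == "__main__":
    for h in correlate(LOGS):
        print(h["confidence"], h["ts"], h["src_ip"], h["action"], h["indicator"], h["source"])
    print("follow up:", sorted(hosts_needing_followup(correlate(LOGS))))
```

Carrying source and confidence through to the hit is what makes the later threat assessment defensible: a match on a low-confidence CIDR from an advisory and a match on a high-confidence URL from a vendor report should not be written up with the same urgency.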
Analysts may need to explore multiple layers of the web to determine how to handle a cyberthreat.
Diving deep into the layers of the web
The first layer of research can be conducted on the surface web — the internet most of us use daily. The surface web is the traditional format of the web, composed of open pages easily accessed by search engines on any browser.
The deep web is the secondary layer: content that search engines do not index, typically because it sits behind logins, passwords, subscription services or paywalls. The deep web has some barriers to accessibility while being adjacent to the surface web, and it is typically accessed via the same browsers.
The dark web is the part of the internet that search engines cannot find and that requires specific software (such as the Tor Browser) to access. It is most notorious for the illegal activity it sometimes facilitates, since it gives users encrypted, anonymous access to information, websites and marketplaces.
SOC and CTI analysts may find the dark web useful when collecting information for threat intelligence because it can provide context on how cybercriminal marketplaces are operating, as well as reveal hacker trade secrets on dark web forums. This information can help mitigate cyberthreats as well as recover leaked information.
Each of these layers can provide valuable information. But no matter where an investigation leads, security risks are everywhere, and the last thing a SOC or CTI analyst wants is for their work to be the source of a security breach. That’s why it’s important to isolate browsing activity from analyst machines and corporate IT infrastructure, and to avoid arousing the suspicion of investigative targets.