Welcome to NeedleStack, the podcast for professional online research. I'm your host, Matt Ashburn, a cybersecurity professional with a penchant for OSINT and all it has to offer.
And I'm Jeff Phillips, tech industry veteran, and curious to a fault. Today we have a special guest. He's here to talk about the role of OSINT in cyber threat intelligence, or CTI for short. He's a formally trained all source military intelligence analyst, and he spent several years as a CTI analyst in the private sector.
Adam, welcome to the show.
Thanks for having me, gentlemen.
All right. Let's kind of take this from the top Adam. Again, we've had a theme around OSINT for the last couple of shows. Can you tell me a little bit about how OSINT was applicable in your experiences in the cyber threat world?
OSINT was key in the cyber threat world, especially today where yes, I have access to all this closed information and stuff like that, but I still need to do my research and figure out how something impacts me, right? It's more of a... I'm looking for what's out there and publicly available to help understand either a threat, a vulnerability, TTPs, things like that, everything's shared on the internet.
And so, while a lot of people don't think they're doing OSINT every day, CTI analysts, they're just OSINT researchers. They're doing research every day to find out what this new threat is, how do I... how does it impact my organization? How can I... Can I do it? Can I give it to my red team guy? And, "Hey, look, here's how someone did it on a video. Can you replicate this and see if it impacts my organization?" We're also using it to respond to our alerts that we have, where we're trying to figure out if something happens to our network or infrastructure, you're looking at what is this, what was it, right?
And that's where that research comes in. Like I said, we're investigating vulnerabilities a lot of the time because that's the threat, right?
A lot of organizations they care about how am I vulnerable? How's my organization or my infrastructure vulnerable to X? Zero days come out or some new vulnerability, Microsoft releases comes out, how am I vulnerable to it? Okay, give me 10 minutes, I'll figure it out. And then we're also supporting incident response by doing research on whether it's phishing sites or application attacks or things like that. Like the main focus, one of the main focuses I had on my previous location or previous job was looking at phishing sites and seeing what they're trying to gain from our customers, right?
And then how do I stop it? And was it open to where I could pull down a list of people that had been impacted and alert them, whether they were customers or not?
Yeah. I think you hit on something that's pretty important there. You know, and many times I say intelligence is not just going out and getting the information, right?
Anybody can go online and go to Google and find information and go to a website and pull that down and then use it. But OSINT, open-source intelligence, is really about getting that information and applying some kind of additional analysis to it, to create that intelligence. And you touched on it there a little bit about how you can use open-source research and intelligence to contribute to the sort of the SOC mission, incident response, and applying cyber threat intel to that.
Can you talk a little bit more about that?
How the role of OSINT can apply to cyber threat intel and how it can actually enable a SOC?
Well, you make a good point, Matt. We're not just... I mentioned we're doing research and doing open-source research, but it's not until I have an understanding of what I'm researching and what I'm researching it against will I make an intelligence decision, right? We'll equate it to... When I worked in my previous company, I had to know what my network infrastructure is in order then to go and understand, go do research on what could impact that infrastructure.
And once I figured out what those things were, I would then look back at my infrastructure and say, how could this hurt me? And what was my risk rating or my... to give people the term of risk, what was the risk rating involved if this happened to us?
How much money would we lose? What would be lost from it from a user perspective or customer perspective even? And you know, when it comes to helping the SOC, what we're doing is the more in-depth research that they don't have time for.
Most SOCs are responding to events that happen, whether it's a computer gets infected with malware, they've got to wipe it and tell the user, "Hey, you got infected with malware, because you clicked on this link. How did you get this?" Okay. They send that information to me and then I would go and research why they got it or what does it look like? Right. Whether it's a PDF that looks familiar, that someone's reported on six months ago, I'm doing that research for them to find out how it happened and how we can mitigate it in the future. Whether that's not allowing certain PDFs to come through or this is a good example.
For a time, some organizations were allowing what they call MHTML files through an email. It's a benign file that if you click on it gets downloaded to your desktop and opens up a webpage, basically. There was an attack going around where MHTML was being used to load malware because it goes right down to your desktop and creates a file on your desktop, behind the scenes.
So, we started blocking those from coming in, just making sure that things that are coming into your environment shouldn't be coming in, right? Like I get, and it also not just if certain file types, but network say, network engineers have to download a new config file, right? They shouldn't be getting it through email.
They need to download it from the actual website that they need to get the config file for say a firewall or something or updates, right?
Yeah. Some of the other things I'm thinking of too, that you touched on a bit, you mentioned phishing, right? And so, not only is it important to support the immediate incident response, but to do that long term analysis.
You know, why was this person chosen as the target of a phishing campaign or were they chosen or was it just sort of a random targeting, let's say of different email addresses or are they targeting them because of their location or their role within the company or the organization?
All these things are really, really important.
With that Matt, one of the things I think people forget is when an attacker gets in, they try and find the easiest route in and then they move laterally until they find someone who's got the access they need.
They're not going to target the senior engineer for network security because he's probably smart enough not to click on the phishing link. They're going to target the lowest common denominator, the lowest employee who yeah, they view email, but they may not realize what they clicked on is going to be malicious intent, and then they'll traverse laterally through an organization and find that person they need to get access to.
Hey Adam, you used an acronym earlier on and I like to sometimes define these for myself and the audience. TTPs, I believe that's tools, techniques, and procedures. So, that MHTML example and what you guys were just discussing, would that fall into that kind of framework of understanding the tools, techniques, and procedures of your adversary?
Yeah. You're understanding the tactics, techniques, and procedures of the adversary that you're trying to get to. And that can be, what we could do then is if we figured out what type of MHTML file it was, we throw it against... We go and search for who's been using that recently, and we can identify what groups using that. Not necessarily attributing it to a group, because you normally don't want to call out that you've attributed an attack to a group.
If you go online and say it on Twitter and be like, "Hey, this is so-and-so, we attributed an attack on us to this organization," and it wasn't them, they're going to come and get you.
We don't want that.
You don't want to highlight yourself saying, "Hey, we figured we thought we, or we think it's this group. Or we say, it's this group," and all of a sudden, it's really not them. Then they're going to come after you. It's like saying, "Hey Anonymous, you attacked us.
And we stopped it." And Anonymous group goes, we didn't attack you, but now we are.
Exactly. We don't want that. Now we're talking thus far using OSINT right in the moment, dealing with incident response. The other element of a SOC has to do with threat intelligence. Can you talk a little bit about the role OSINT plays in terms of enriching the threat intelligence that you might get through your threat intelligence platform or different subscriptions you might have to feed?
So, when we talk about it in enrichment, when I think of enrichment, I think of adding more context to what a report that may have been put out, right? Or something that's going on. I've got to be able to understand how this works... And that's what I mean, when I think of enrichment or... It's not just, "Hey, here's a set of indicators." It's what do these indicators mean to me? How can I then protect my organization from them and others potentially if they're not seeing certain ones or maybe I found different ones?
You're just trying to add as much value add as you can, when you're looking at that detail, that information. And it's not an easy job, it's not an easy thing to enrich information, enrich intelligence. It's somewhat difficult at times.
Yeah. One of the things that we've seen over the past few years, especially, is the rise in ransomware attacks against organizations. And many times, this scenario goes, they'll get into a system in some way, they'll compromise the internal workings of a network, spread laterally, and then encrypt files or delete files or both, and then hold a copy of those files ransom in some way.
So, it's been pretty successful what these guys have done, and we've actually seen some real-world effects from that.
As a result, though, there's been additional attention, I think now on the dark web and on Tor to go and find this information, get some information on these groups, maybe even go collect the information that was stolen and do some analysis on it if you're the victim of one of these attacks. Can you talk a bit about how Tor can be used, how the dark web can be used as a source of information for these types of investigations and some of the challenges about that?
Yeah, I think one of the things that a lot of organizations aren't doing is looking at the dark web, because it's there, they're scared of it, they don't have an idea of how to get to it.
But there's information out there that you can find. Where I came from in the financial sector, there's tons of... we were looking for credit cards that were breached, or usernames and passwords that may be associated with the accounts that are at the organization. But the dark web has tons of data out there. And it, sadly, this is where these people live. The people conducting these ransomware attacks live on the dark web and they're sharing this information on the dark web. And if you're not looking at it, you're missing... It's like trying to do intelligence in a vacuum. And I had a Marine Corps Captain tell me this long ago, he goes, "Nature abhors a vacuum." It was a great saying because he added to it when we were over in Iraq about it, but he's like, "You know, nature abhors a vacuum, but threats don't, or terrorists don't." It's the same concept.
If you're just looking in one small space, one small square, you're missing out on other pieces that you could use for intelligence and to enrich that information even more, as we talked about earlier.
The dark web, even though it took us... As Matt, you mentioned you have to use Tor to get to it or another tool that's still considered open-source, correct?
It's still considered open-source. You just need specific software, and you need to have an understanding of how... I would say you need to have a basic understanding of how it's working and also understand how to get to some of the websites and how to search some of these sites because while the search engines on the dark web, we'll say, are like built off of Google, they're not as easy to search as you would think. You've got to have a better understanding of what you're looking at.
You know, we've touched a lot on different scenarios in which open-source research and intelligence can be helpful. I guess, Adam, in your experience, from your perspective, do you see organizations really understanding the value of OSINT and realizing the importance of getting access when you need it and where you need it?
I think they understand the value, but I think a lot of people are putting different values ahead of it, right?
We're more concerned about... a lot of people are trying to make the easy button selection, right? As far as you've got threat intelligence feeds and other things you can get access to, and be given access to through these certain companies you pay for, and they want the easy solution, right? They want the easiest way to get there, and that's from a risk management perspective.
A lot of organizations are going, well, my risk is... I'd rather see what the risk is going to be versus identifying a threat. And I guess that's the hard part, right? Is how do we measure that? How do we, as analysts, say, "Look, I get this from a risk management standpoint. You want this, but I need to be able to do this, to give you that better perspective."
That makes a lot of sense, Adam.
We often like to tell our listeners about any tools or resources that are out there so they can better leverage OSINT.
Any recommendations in terms of tools or resources, OSINT tools and resources that are related to CTI?
Because we are looking at open source, I wouldn't say just related to CTI, but cybersecurity in general, one of the tools that I actually loved to use was feedly.com. And it made me... It allowed me to set up my own lists of what was going to find my own list of sources that I wanted to see articles from, or what's going on in the world. And a lot of times I could find out a ton of information just by monitoring the right groups, whether it's Bleeping Computer, Krebs online, CISA, Cyber Scoop, you can set up feedly.com to literally feed you all this stuff as it's happening.
While I didn't do a lot of malware analysis, you know, sandboxes are a great thing.
You've got Joe Sandbox, you've got the cyber information sharing in collaboration programs that are out there. There's a ton of social media groups. One of the best ones doing OSINT research honestly, is Bellingcat.
They do great products and great reviews. And then there's some closed groups that you have to pass backgrounds, or have a membership to InfraGard, and any of the ISACs, if you're in the financial sector or the... I can't remember... The retail sector, hospital sector, they all have their own ISAC information sharing association that they'd use.
Yeah. That's great. Adam, thank you so much for being with us today. In closing any parting thoughts, anything else you'd want to leave the listeners with today?
I would just say that it takes a lot more than just a normal person, someone like myself to do CTI.
You need to have a group of individuals who can do different sets of jobs. Like I said, I didn't do malware analysis, but I need a malware analyst on my team to help me. I need someone like myself who can read and ingest the material and put out a report. I need somebody who's smart on coding, not me, but you need multiple groups of people... You need a group of people to help with CTI, not just trying to search for the one-all, the unicorn we say.
Yeah. Cybersecurity is definitely a team sport. So, that's a good perspective, Adam. Thanks again for joining us today and thanks to everyone at home for tuning into the show. If you liked what you heard today, you can always subscribe to our show wherever you get your podcasts. You can watch episodes on our YouTube channel and also view transcripts and other episode info on our website. That's authentic8.com/NeedleStack. That's authentic with the number eight dot com, slash NeedleStack, and be sure to follow us at NeedleStack_pod on Twitter. We'll be back next week with our listeners live event dedicated entirely to audience Q and A.
To register for that special Q and A event, visit authentic8.com/NeedleStack, that's authentic with the number eight dot com, slash NeedleStack. We'll see you then.