How attackers use open source intelligence against enterprises
Cato Networks' Etay Maor explains how cybercriminals use open source intelligence to detect and attack vulnerable enterprise networks and employees.
Open source intelligence is a powerful tool for security professionals. Unfortunately, cybercriminals use it as well. With free and accessible information, criminals can easily identify and attack vulnerable and misconfigured systems. The work-from-home model has increased these risks, as many employees work outside the security perimeters of the office.
Understanding how threat actors operate and use Open Source intelligence enables security stakeholders to strengthen their cyberdefenses.
What is in it for the attackers?
The assumption that only script kiddies use Open Source information found on the internet is false. Likewise, thinking sophisticated attackers, such as nation-state actors, have virtually unlimited resources at their disposal and use highly specialized, costly tools that amateur threat actors would not even know about is also wrong.
Attribution is easier with sophisticated tools that only a few entities can access. However, with open source intelligence, it is hard to trace if data is collected from different open sources, as well as to know who was looking for unpatched systems and from where.
Free tools have valuable information that even sophisticated threat actors want. For example, open source intelligence tools, such as Censys and Shodan, enable you to find unpatched systems or misconfigured or unprotected internet-connected devices in different countries. Attackers can use these tools to spot weaknesses in the supply chain of otherwise well-protected organizations.
The dark web also has lots of information for sale, such as credentials and vulnerable servers. Essentially, someone else does the hard work, and then anyone, even novices, can buy their way into corporate networks.
The people side of open source intelligence
Aside from devices and technology, attackers can use open source intelligence to find information about people to design social engineering attacks, such as spear phishing. For example, attackers can find the executives of their target company through a simple Google search. They can then find executives' social media accounts to learn about their family, friends, location, interests and hobbies. When attackers know a lot about their victim, they can easily craft an undetectable social engineering attack.
Threat actors may target an employee who publicizes his cooking skills on social media, for example. The attackers can email him a discount coupon for a supposedly new gourmet store. It will look like a harmless PR email, but it can deliver malware to open a backdoor in the employee's device. The consequences can be catastrophic if the victim is linked to a critical infrastructure or third-party partner. Defenders need to protect more than just technology but people, too.
Threat actors are hitting close to home, literally
The shift to work from home has given rise to a global cybercrime pandemic. Outside the security perimeters of offices, employees using personal devices pose an easy target for threat actors. People often leave default passwords in place for peripherals, such as printers, and IoT devices, including security cameras and thermostats. Default passwords for these devices are available via a simple web search. Compromising such devices is as simple as that. Even a single compromised device can give attackers a strong foothold in the network.
There are also shops on the dark web that sell access to computers. One shop alone has access to more than 350,000 computers, including those representing industries such as healthcare and government and military entities. Access to these computers exposes people's credentials, while also revealing information about the websites people visit, enabling attackers to set up a targeted social engineering attack.
Unaware employees working from home are a serious threat to organizations because they often fail to follow basic security measures, such as changing default passwords and installing new security patches.
Paving the way for future-ready cybersecurity
Social engineering techniques are going to become more targeted, sophisticated and undetectable with time. Security-conscious people likely know how to photo search potentially bogus social profiles. That will soon become irrelevant, as attackers start using AI tools to generate fictional faces. Inevitably, the cyber threat landscape is going to become even more complex.
Plus, remote work is here to stay. As organizational boundaries become more flexible, so should enterprise security perimeters. Organizations must bring their cybersecurity controls closer to home offices by implementing a Secure Access Service Edge architecture. More importantly, organizations need to empower their employees to make wise choices on the internet -- in an attempt, at the least, to prevent information being handed over on a silver platter.
About the author
Etay Maor is the senior director of security strategy at Cato Networks. Previously, Maor was chief security officer for IntSights, where he led strategic cybersecurity research and security services. Maor has also held senior security positions at IBM, where he created and led breach response training and security research, and RSA Security's Cyber Threats Research Lab, where he managed malware research and intelligence teams. Maor is an adjunct professor at Boston College and is part of Call for Paper committees for RSA Conference and Qubit Conference. He holds a B.A. in computer science and an M.A. in counterterrorism and cyberterrorism.