OSINT (Open Source Intelligence) refers to intelligence collected and analyzed from publicly available sources. The internet itself is a huge big-data platform and a space of collective intelligence. Most of the information on the internet, including media, search engines such as Google, blogs, and social media, is publicly available, which makes it easy to acquire. Public information can be viewed by anyone, but not everything should be viewed by everyone: some of it includes sensitive data, such as personal data, national security information, and corporate confidential data, that should not be made public.
OSINT can be used in various ways depending on its intended purpose and is increasingly needed in the field of cybersecurity. This article explains how OSINT can be used in cybersecurity to respond to potential threats.
Using OSINT in Cybersecurity
In cybersecurity, OSINT is used not only to analyze security incidents that have already occurred, but also to predict potential security threats. OSINT-based information that can predict potential security threats is commonly known as “Cyber Threat Intelligence.” Cyber Threat Intelligence is collected from every part of the internet, from the Surface Web to the Dark Web. Although hacking and cyber attacks are often thought to be discovered mainly on the Dark Web, the majority of cyber threat information is actually collected from the Surface Web.
Cyber Threat Information That OSINT Can Collect
- National security / defense-related information
- Equipment vulnerable to CVEs
- Personal information / data leaks
- Infrastructure system information
- Malware C2 servers
- Cybercrime and Dark Web information
Although security incidents that have already occurred are usually shared and traded among hackers on the Dark Web, potential threats tend to originate on the Surface Web. Sensitive information exposed on search engines such as Google, Bing, and Naver, or information that can be obtained from IP addresses and domain names, is exactly what hackers collect to prepare their attacks. Hackers continuously scan the vast internet for attackable surfaces. Web pages that expose sensitive information to search engines, and serious vulnerabilities in the applications, domains, and servers operating on corporate and institutional IP addresses, are the threat information that hackers want to find.
Therefore, recent cybersecurity industry standards continually emphasize using OSINT to check for cyber threat information and remove attackable surfaces before you become a hacker’s target.
What You Can Do With Cyber Threat Intelligence
IP address and domain information contains a great deal of threat information. By using IP address intelligence, you can identify vulnerabilities in the IP addresses and domains you own. You can also detect and block suspicious IP addresses and malicious domains that may be used for attacks.
- IP address / Port information: Malicious IP addresses or ports, IP addresses used for distributing malware, IP addresses used for bypassing (VPN, Tor, etc.)
- Domain information: Phishing domains, domains used for voice phishing and other cybercrime, smishing domains
- SSL certificates: Malicious self-signed SSL certificates, stolen or impersonated SSL certificates
1. Identifying Attackers Through IP Address / Port Information
IP address information can be used to identify attackers. Sites created to distribute malware typically use hosting-provider IP addresses or overseas IP addresses rather than ordinary IP addresses in the expected country. Therefore, the ASN (Autonomous System Number) in the IP address information can be used to identify the web hosting services that cyber attackers prefer.
You can also collect significant cyber threat information from the port information of an IP address. For example, high-numbered ports other than the commonly used web service ports (80/HTTP and 443/HTTPS) or the 8080 and 8443 ports used in enterprises are typically used for malicious purposes.
2. Threat Detection Through Domain Address Information
Domain information also contains a lot of threat information. Phishing sites, C2 servers, and malware servers can be inferred from domain hosting information. In particular, free country-code top-level domains such as .cf, .to, .tk, .pw, and .ga are often used for phishing attacks, and domains under them are therefore more likely to be malicious. Malicious domains often hide their IP addresses behind a CDN such as Cloudflare, or use specific HTTP patterns (such as Content-Length: 0) or RTLO URL tricks (see note 1).
1) RTLO (Right-to-Left Override): RTLO uses a Unicode control character (intended for right-to-left scripts such as Arabic) that reverses the display order of the text that follows it. If the RTLO is applied to the filename ‘gepj.xyz’ in a URL path, it is displayed as ‘zyx.jpeg’.
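The following added example (not part of the original article or of Criminal IP's tooling) shows how a defender's URL triage script can flag the two domain-level indicators just described: a free ccTLD from the list above and a Right-to-Left Override in the path, rendering the filename the way a user would see it. The hostnames in the test are constructed.

```go
package main

import (
	"net/url"
	"path"
	"strings"
)

// Free ccTLDs the article lists as frequently abused for phishing (indicator list, not exhaustive).
var freeTLDs = map[string]bool{"cf": true, "to": true, "tk": true, "pw": true, "ga": true}
const rtlo = '\u202E' // Unicode RIGHT-TO-LEFT OVERRIDE

// URLFinding lists the domain-level indicators found in one URL.
type URLFinding struct {
	Host, RawFilename, ShownFilename string // ShownFilename is what a user sees once the override is rendered
	FreeTLD, HasRTLO                 bool
}
// renderRTLO approximates how a display engine draws text after an RLO:
// everything that follows the override character is shown reversed.
func renderRTLO(s string) string {
	i := strings.IndexRune(s, rtlo)
	if i < 0 {
		return s
	}
	tail := []rune(s[i+len(string(rtlo)):])
	for l, r := 0, len(tail)-1; l < r; l, r = l+1, r-1 {
		tail[l], tail[r] = tail[r], tail[l]
	}
	return s[:i] + string(tail)
}

// InspectURL checks one URL for the free-TLD and RTLO indicators described in the article.
func InspectURL(raw string) (URLFinding, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return URLFinding{}, err
	}
	host := strings.ToLower(u.Hostname())
	name := ""
	if u.Path != "" {
		name = path.Base(u.Path)
	}
	return URLFinding{
		Host:          host,
		RawFilename:   name,
		ShownFilename: renderRTLO(name),
		FreeTLD:       freeTLDs[host[strings.LastIndex(host, ".")+1:]],
		HasRTLO:       strings.ContainsRune(u.Path, rtlo),
	}, nil
}
```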
3. Detecting Threats Through SSL Certificate Analysis
An SSL certificate is used to encrypt the data transmitted between a website and a browser, protecting the user’s internet connection. Most malicious websites created by hackers do not have legitimate SSL certificates.
By examining the fields that identify the certificate’s owner and signer, such as the Issuer, Common Name, Subject Name, or other Subject fields, it is possible to determine whether a certificate is an unauthorized private certificate or a self-signed certificate. Additionally, attacks that use stolen SSL certificates to disguise ransomware and malware as legitimate programs can be detected. Furthermore, command and control (C2) servers can be detected through TLS protocol fingerprinting (JARM, JA3).
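As an added example (not code from the article or from Criminal IP), the check below applies the Issuer/Subject comparison described above to a parsed X.509 certificate: a certificate is reported as self-signed when its Issuer equals its Subject and its signature verifies under its own public key, and the Common Name / SAN fields are checked against the host that was scanned. The self-signed certificate and the hostname login-example.ga are constructed inline to stand in for what a scanner would retrieve.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// CertFinding summarises what the issuer/subject fields of one certificate reveal.
type CertFinding struct {
	SelfSigned, HostCovered bool
	IssuerCN, SubjectCN     string
}

// InspectCert flags a self-signed certificate (issuer equals subject and the
// signature verifies under the certificate's own public key) and checks whether
// the host we connected to is covered by the Common Name / Subject Alt Names.
func InspectCert(cert *x509.Certificate, host string) CertFinding {
	return CertFinding{
		SelfSigned: bytes.Equal(cert.RawIssuer, cert.RawSubject) &&
			cert.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature) == nil,
		HostCovered: cert.VerifyHostname(host) == nil,
		IssuerCN:    cert.Issuer.CommonName,
		SubjectCN:   cert.Subject.CommonName,
	}
}

// makeSelfSigned builds a constructed self-signed leaf certificate, standing in
// for the certificate a scanner would retrieve from a suspicious server.
func makeSelfSigned(cn string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn}, DNSNames: []string{cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:  x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```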
Malware Threat Information Found Through the OSINT Search Engine, Criminal IP
OSINT search engines can be used to collect cyber threat information. Criminal IP is a search engine that provides various cyber threat information such as IP addresses, domains, and SSL certificates.
The following are examples of detecting threat information on malware using Criminal IP, an OSINT search engine.
Detecting Malware Using IP Address Information With the OSINT Search Engine, Criminal IP
- Info Stealer – Granda Misha (also known as Misha Stealer)
- Info Stealer – Collector Stealer
- Info Stealer – Titan Stealer
- Malware Command and Control (C2) Server – Cobalt Strike Beacon
Searching for Crypto Bots Using IP Address Information With the OSINT Search Engine, Criminal IP
- Malware Infecting Coin-mining Servers – DeepMine
- Malware Infecting Coin-mining Servers – CoinHive
CVE Vulnerability Information Found With the OSINT Search Engine, Criminal IP
In addition to malware, Criminal IP can also locate servers with serious CVE vulnerabilities that could be targeted by hackers.
The following are examples of using Criminal IP to find servers with CVE vulnerabilities.
- Citrix Security Equipment With CVE Vulnerabilities
- Fortinet UTM devices
In addition to the cases introduced above, there are countless ways to use Criminal IP’s OSINT and cyber threat intelligence. You can start collecting cybersecurity OSINT right away with Criminal IP’s Tag and Filter search and its API.
Please refer to our article on how to utilize Criminal IP data as an attack surface management solution for more information.
Source: Criminal IP (https://www.criminalip.io/)