Last Updated on 17 October 2022 by Alastair Digby
The numerous external-facing IT assets connected to business networks are all potential entry points for malicious actors to access valuable resources. Comprehensive asset discovery is crucial in helping to mitigate exploitable attack surface weaknesses or vulnerabilities. This article describes the use of publicly available OSINT data for asset discovery in today’s complex IT environments.
What is Open Source Intelligence (OSINT)?
Open-source intelligence (OSINT) refers to the process of legally gathering and piecing together publicly available information about an organization or person for a specific purpose. Threat actors and pen testers commonly use OSINT as part of the research phase to get actionable intelligence before conducting a genuine or simulated cyber attack.
While commonly associated with cybersecurity, the use of OSINT is not restricted to this domain. In fact, OSINT traces its roots all the way back to the Second World War. The US intelligence agency at the time, the Office of Strategic Services (OSS), had an entire branch that collected information about enemies, much of which came from publicly available newspaper reports, maps, charts, radio broadcasts, and photographs.
Aside from the military or cybersecurity use cases for OSINT, its findings are also often useful in a number of other domains, including journalism, litigation, business intelligence, and scientific research. Consider how an investigative journalist could trawl social media or read old newspaper articles to piece together a narrative about a story.
Returning to cybersecurity, there is a plethora of information to glean online for free about companies and the people who work for them. The diversity and volume of OSINT sources only increase as the digital footprint of companies and people continues to expand. Potential sources of OSINT about your company include:
- Public DNS records
- Email addresses
- Domain names and subdomains
- Public cloud buckets
- Publicly available business information (annual reports, company profiles, news media)
- Hosts and open ports
- Company or employee social networking profiles
All of this information is potentially useful in the hands of the wrong people. That said, OSINT can provide invaluable intelligence for shoring up your own cyber defenses, particularly in terms of managing your attack surface.
Hidden risks in attack surfaces
Today’s attack surfaces contain many hidden risks. IT admins or operations teams spin up cloud infrastructure that serves a particular use and then gets forgotten about. Web applications are left unpatched; SSL certificates on domains expire. Developers use personal accounts for code repositories in which they store sensitive business assets (e.g. proprietary code) or hardcoded credentials. Employees or business units deploy SaaS applications to solve specific problems outside the purview of central IT admins.
Aside from the above risks, your business might also be susceptible to other hidden attack surface risks. Compromised credentials published and freely available in clear web, paste bin, or dark web data dumps are another source of intelligence. These credentials usually come from previous data breaches, but being publicly available makes them an easy and free source of intelligence for malicious actors.
These hidden risks originate from reduced visibility into IT assets, which is itself a result of the increased complexity of digital ecosystems. Cloud adoption, hybrid workforces, BYOD policies, digital transformation—these concepts and strategies are beneficial, but they bring an added risk of increasing the entry points into your network, many of which remain hidden or forgotten about.
How to use OSINT for asset discovery
Central to the reconnaissance phase of modern cyber attacks is the threat actor’s attempt to find as many points of entry to a network as possible in order to achieve their goals. Much of the information available for this purpose comes from OSINT sources. Ethical hackers use the same sources when conducting penetration tests.
A somewhat overlooked benefit of OSINT beyond informing your periodic pen tests is its use in the discovery phase of attack surface management. Asset discovery identifies, catalogues, and monitors the active and inactive assets on your network. Various OSINT tools have the capability to:
- Find all the different types of devices connected to a network.
- Discover open ports, the services running on them, and the versions of those services.
- Unearth passive and historical DNS and Whois data.
- Get a detailed list of IP addresses and ranges belonging to a company.
These discovery capabilities are a game-changer in defending your attack surface. Without up-to-date and comprehensive asset discovery, the chances of deterring successful attacks are markedly reduced.
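One way to turn the output of such tools into an asset-discovery check, as an added example that is not from the original article or from any vendor's platform: it reconciles OSINT observations against a known inventory and flags unknown hosts, addresses outside owned ranges, unexpected open ports, and expired certificates. All hostnames, addresses, record fields, and the port policy are constructed assumptions.

```python
import ipaddress
from datetime import date

# Constructed sample data (not real hosts): the CMDB inventory, the address
# ranges the company owns, and observations merged from OSINT sources.
INVENTORY = {"www.example.com", "mail.example.com"}
OWNED_RANGES = [ipaddress.ip_network("203.0.113.0/24")]
OBSERVATIONS = [
    {"host": "www.example.com", "ip": "203.0.113.10", "ports": [443],
     "cert_expiry": date(2023, 6, 1), "source": "dns"},
    {"host": "staging.example.com", "ip": "198.51.100.7", "ports": [22, 8080],
     "cert_expiry": date(2022, 9, 30), "source": "ct-log"},
    {"host": "MAIL.example.com.", "ip": "203.0.113.25", "ports": [25, 3389],
     "cert_expiry": None, "source": "port-scan"},
]
EXPECTED_PORTS = {25, 80, 443}  # assumed policy: ports allowed to face the Internet


def normalise(host):
    """Lower-case and drop the trailing dot so DNS and inventory names compare."""
    return host.strip().lower().rstrip(".")


def triage(observations, inventory, owned_ranges, today):
    """Return {host: [findings]} for every observed asset that needs review."""
    known = {normalise(h) for h in inventory}
    report = {}
    for obs in observations:
        host, findings = normalise(obs["host"]), []
        addr = ipaddress.ip_address(obs["ip"])
        if host not in known:
            findings.append("not in inventory")
        if not any(addr in net for net in owned_ranges):
            findings.append("hosted outside owned ranges")
        extra = sorted(set(obs["ports"]) - EXPECTED_PORTS)
        if extra:
            findings.append(f"unexpected open ports {extra}")
        expiry = obs["cert_expiry"]
        if expiry is not None and expiry < today:
            findings.append(f"certificate expired {expiry.isoformat()}")
        if findings:
            report.setdefault(host, []).extend(findings)
    return report


if __name__ == "__main__":
    for host, findings in triage(OBSERVATIONS, INVENTORY, OWNED_RANGES,
                                 date(2022, 10, 17)).items():
        print(host, "->", "; ".join(findings))
```

Hosts with no findings are left out of the report, so its keys form the review queue for the inventory owner.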
Identifying internet-facing assets with OSINT
Getting an attacker’s perspective is what’s so powerful about attack surface management. Specifically, it’s imperative to identify all Internet-facing assets that comprise your external attack surface as this is where the majority of cyber threats come from. Aside from identifying Internet-facing servers, apps, and services, OSINT sources also enable your company to gauge other information about external threats:
- Ascertain which email addresses on your company domain are available online (and then exercise extra caution around the potential for social engineering).
- Find publicly available cloud storage used by your company and mitigate the risks.
- Detect leaked credentials belonging to employees (current and former), business partners, and contractors and either reset their accounts or close them.
The traditional picture of assets paints them as tangible things, such as hardware, software, firmware, computing platforms, network devices, etc. But as NIST says, IT assets can also be intangible “(e.g., information, data, trademark, copyright, patent, intellectual property, image, or reputation)”. With this broadened definition in mind, Internet-facing assets are more numerous and diverse than perhaps you expect. However, it’s still possible to get a comprehensive inventory of external assets.
Automating continuous monitoring
Threat actors are more determined than ever to find hidden or vulnerable assets and break into your network where they can extract valuable resources or encrypt systems and demand ransoms. External attack surface management helps defend your business by monitoring your assets for weaknesses and vulnerabilities and accelerating remediation. But you need to get on top of asset discovery for other phases of attack surface management to realize their full value.
If leveraging the full wealth of intelligence available from OSINT sources for comprehensive asset discovery sounds challenging, that’s because it is. Few companies have the resources to hire a dedicated specialist who compiles all this data manually and helps to build an asset inventory.
Informer’s attack surface management platform automates asset discovery using a vast range of open-source intelligence (OSINT) techniques and data sources to identify both known assets and those you didn’t know you had. Not only that, but the platform continuously and automatically scans assets for over 40,000 application and infrastructure-level vulnerabilities.