“White Hat Anonymity”: Current challenges security researchers face preforming

actionable OSINT

Christopher R. Barber, CISSP, C|EHv7Threat Analyst Solutionary Inc.

Security Engineering Research Team (SERT)

Introduction

• Member of Solutionary’s Security Engineering Research Team (SERT) specializing in threat intelligence and analysis

• Research and discovery of emerging threats and vulnerabilities

• Use of Open-Source Intelligence Techniques(OSINT) for tracking threat actor activities

• Analysis of threat landscape trends monthly and high level analysis annually

Outline

• Challenges

• Establishing Anonymity

• OSINT Tools and Techniques

• Sources

• Information Sharing

Challenges

• Anonymity Challenges

• Source Information Challenges • Intelligence Sharing Challenges

Anonymity Challenges

• Security policy prohibits the use of 3rd party VPN providers and access to TOR network

• Lack of funds, resources and personnel for the development of secure anonymous channels.

Source Information Challenges• Large volumes of information from a diverse

collection of sources

• Being able to discern between valid information and injected disinformation

• Personnel and Resources

Intelligence Sharing Challenges• Conflicts between organizations due to

differences in security policies

• Lack of security from collaborating organization leads to pivot point for compromise

Establishing Anonymity

• Having an unknown or unacknowledged name

• Having an unknown or withheld authorship or agency

• Having no distinctive character or recognition factor

• Being able to gather information in a manner that does not reveal your personal, professional, or organizations identity

Digital Paper Trail: The bread crumbs left as we traverse the cyber domain.

• IP Address

• User Agent

• Cookies

• Behavioral habits

Anonymizing Service Providers• Private Internet Access• HideMyAss• BlackVPN• IVPN• AirVPN• TorGuard

Anonymizing Virtual Machines

• Whonix

• Tor Middlebox

• Tails VM

Whonix

Tor Middlebox

• Works as proxy between host machine and Virtualbox

• Routes all VM traffic through Tor proxy on host machine

Tails Virtual Machine

Open-Source Intelligence

• Collection and analysis of information gathered from publicly available sources

• Sources involve any form of electronic or printed material available in the public domain

• Intelligence is obtained through the statistical analysis of the occurrence and relationships between pieces of information

Tools and Techniques for OSINT

• Collection Tools

• Search Engines

• Social Media

• Intelligence sources

Collection Tools

• Paterva/Maltego

• Recorded Future

Maltego

Recorded Future

Search Engines

• Google Custom Searches

• Iseek

• Addic-to-matic

• Shodan

Google Custom Search

Google Custom Search

iSeek

Addict-o-matic

Shodan

Social Media

• Facebook

• Twitter

• Google+

Dump Sites

• Pastebin• Reddit• AnonPaste• PirateBay• Zone-H• Pastie

Honey Pots and Nets• Provides automated method for distributed

traffic analysis.• Provides early signs of malware or botnet

activities.

Intelligence Sources

• Cyber War News• The Hacker News• Darkreading.com• FirstHackNews

Shared Intelligence

• Intelligence Sharing Organizations

• Intelligence Assimilation and Sharing Applications

Intelligence Sharing Organizations

Intelligence Assimilation and Sharing Applications

• Structure Threat Information eXpression (STIX)

• Trusted Automated eXchange of Indicator Information (TAXII)

• Common Attack Pattern Enumeration and Classification (CAPEC)

Intelligence in Depth• Intelligence research and analysis

should be practiced with the idea of “defense in depth”.

• Validity and actionable predictions can only be made with the collective analysis of multiple sources.

Solutionary’s 2013 Global Threat Intelligence Report

http://go.solutionary.com/GTIR.html

Solutionary Minds Bloghttp://www.solutionary.com/resource-

center/blog/

Thank You

Questions?