
Good morning. Besides, I don't know how many times you've said that, but it's like, welcome to my presentation, um, entitled "Unmasking the Digital Shadows: OSINT and Cyber Security Professionals". So there's a bit of a backstory to why I decided to talk about the topic, and I think it was initially sparked by an argument in the office where the pentester was saying mumble jumble and the investigators were saying, well, this is where the real work starts, you guys just run your automated software, pull out a report and go. So, you know, listening to this conversation and disagreement between the teams, it got me thinking: OSINT and cyber security are basically joined hand by hand, and a lot of what I'm going to talk
about today is my interpretation, my assumptions, my perception, and I wanted to share this because I felt that it's quite important that we understand we're on a holistic journey. We are there to fight the same enemy, we are there to protect not only our organization, we are there to protect our customers, we're there to provide a service, and the more efficient we are as a team with whatever we do, the better the outcome. So, a little bit about myself: um, I am the CEO and founder and one of the investigators for deiny cyber security. We have a foundation that's attached to us as well, where we do specific cases that involve children and involve the
elderly that have been scammed, that require assistance in these areas, and a lot of these parents cannot afford the services, so then they go through the foundation and they request assistance. And the amount of scams these days is against the elderly, well, it's growing, and it's worrying, because the money that they are losing has an impact not only in their lives going forward but on their children's lives, because we're there to support our parents. And, um, in the last month and a half a worrying sort of case that we've had is where a parent, and I'm talking elderly parent, has given access to that person via AnyDesk, and you think, okay, does this mean
we're not doing a good enough job in education, in the content that we put out? And not only ourselves, there are a lot of organizations that put content out around education, around being safe, not clicking and doing what we need to do, so, you know, that's always on the board. I collect all things Batman. So I was told to put in something a little personal, but I collect things Batman, you know, so I'm not going to tell you the dogs and the cats and all that type of thing. I'm a certified crime, cyber crime investigator, I'm a certified cryptocurrency investigator, I'm a certified cyber crime intelligence analyst, I'm a certified OSINT investigator, I have an executive MBA and
business strategy, masters of management in digital business, and I'm currently busy with my LLB and CFE, CFE which is a certified fraud examiner. Now, I never used to put this type of slide on, I never used to tell people really about myself, and then I went to this leadership course and they said, Sharon, when you introduce yourself you're not establishing credibility, people are going to think you, you know, you're just putting stuff out there. So it does, you know, I think about it, but, um, you'll notice that there's nothing cyber security up there. I'm not a ceso, I'm not a CISO, I'm not a, I don't have any cyber security certifications just yet, but there are a
number of things that have an impact on business, and that is where I started my career. I started in business, I was a general manager for some of the big retail brands: Dions, before it got sucked up by Massmart, Hi-Fi Corporation, Incredible Connection, Clicks, so that was my path up. I never had a computer growing up. I initially was going to be a vet and, um, I bug it around and they didn't appreciate my entrepreneurial spirit and I got booted out, so my first job was a security guard, you know, at Makro, where they took those, you know, they check those parcels. That was my first job and I did enjoy it, because in those days
we got to run around and it was like playing crooks and robbers, you know, we were up in the roof and taking photographs, catching people shoplifting. So that's where I started my career and eventually moved on from there, but anyway, let's move on. So, an attempt to break the ice and put a little bit funny in here and there: I'm going to show you funny jokes, feel free to laugh, those of you who catch them. Um, just sub security joke, you know, we all do what we have to do, but in the end human error gets us where we want to be. So if we talk about cyber crime in South Africa, our threat landscape has evolved,
and we realize and we understand this when we look and we read articles and we hear about this breach and we hear about that, and this company's done this and this company's done that, and then some of the organizations that we actually trust, we hear they've been breached too, and we think, oh my goodness, what the hell is going on? But it poses challenges not only for individuals, not only for businesses, but for the teams that protect the organizations as well, because, you know, if you heard the initial talk this morning, we're all under stress. So how do we cope with this ever-evolving pressure, these increasing cyber threats? How do we prepare our teams to
cope with this, the impact of what these breaches have, our clients whose information is then either sold on the dark web or pasted on Pastebin or whatever, um, a tool or, uh, sort of platform is used to get this information out? So I think the basic thing that I really wanted to talk about today is, um, it doesn't matter what team you're on, you know, um, you're all a Power Ranger. We're all there to do what we need to do, we all need to understand that we have a job to do, and the only way we're going to be effective in doing that job is if we all work together and we
understand what role we play in the cycle. So whether you're an investigator, whether you are doing penetration testing, social engineering, digital forensics, we're all on one team, and I was going to use the superhero image but I thought this was just cute. So let's talk about OSINT, open source intelligence. So it refers to the collection, the analysis and utilization of publicly available information from various sources. Now, when we talk about various sources, these are two tools that we use that are available, and some of them are free, some of them are paid, and you might start off on a free tool, they become exceptionally popular, and in six months you're paying for a
license. But OSINT is incredibly important, and it's important from different viewpoints: it's important for the organization and their teams to understand where it fits in the process, it's important on the investigations you do for clients, it's important for understanding the bigger picture. And the reason I say that is, I'm going to give you a few examples a little bit later, but understanding that there's a holistic picture, and as the cyber team, all team members, whatever sort of part that you play, you're one team. So there's often a joke about open source intelligence and collecting intelligence, and if you sit and you talk to somebody, and you can try it today, we're all people, we all have an emotional part
to us. We build our networks, that's what we had to do, we had to network, we had to build our network, we had to meet new people, um, and we had to build our networks, and part of doing that is having a conversation, part of that is getting to know the other person, because you don't do business with a person you don't trust, okay, you do business with people you trust and you get to establish that relationship. And if you sort of just stop and think about the things that you talk about, you know, how much information are you giving away, or how much information are you sharing? But saying that, you
don't want to sit like a clam and like have this awkward silence because, you know, you're too scared to share something, so sort of there's fine-tuning a little bit. So the reason I use the word digital shadows is because a lot of this information, um, and a lot of the information that we share online, we leave traces and we leave hidden elements behind. So if you just think of an example, um, let's say you go on to a platform and it says you can use, let's be simple, you use Facebook, you can use your Facebook logins, okay, so you sign into this platform, you're using your Facebook logins, but Facebook had a breach a couple
of years ago, so that data is available, but what you did was you didn't want to really create another password, so you use the same password, um, just convenience and time, and, you know, you saved it in your Google browser. Not that I'm saying you guys would do that, not that I'm saying you guys would do that, but you leave traces behind, and whatever we do online we leave a trace behind, and sometimes that challenge of being invisible, you know, we all think that we know where we're going and how we're doing it and what we're entering, but we're people, we're human, and sometimes we take the quickest route. And, um, Anna spoke this morning
about when she clicked on an Uber link, which was a training session by her IT team. You're in the moment, you're busy, you're stressed, you're on your phone, you're multitasking, and that's sort of real life today, because we are so busy, we're so stressed, we have a lot of things to do, we've got email to answer, you've got the client phoning you, you might have one of the team members who want something or they want to go off early or they don't like the coffee, so like things are really, really evolving around you and you click on things, you know, and that happens, it happens. So the challenge with open source
intelligence is it's actually a double-edged sword, because on one side you're using all this intelligence gathering to build your investigation, you're using specific tools, you're building this all up. The baddies are using it too, you know, if you're their target they're using the same tools, and maybe they're using more sophisticated tools with you because they can afford to pay the licensing, you know, where we have to like really think, um, you know, that license, you know, they've got all the money and they must probably be paying for it in crypto, because the amount of crypto scams going around, you know, these guys are coining it. So it really is a double-edged sword, because
you know, we all have the hashtag, well, a lot of us have the hashtag OSINT for Good, because we want to do good, that's where we want to be, but that information that's publicly available can be used two ways. And I think with the whole conversation about those that are in cyber security teams today and looking after their organization, we then say to the team: have you done a deep dive on yourself? Have you had a look at what you've put out onto the internet? Have you double checked your email, you know, how secure your passwords? And, um, you know, the information that comes back, especially when you search yourself or you have a
look at the information out there, you think, oh my goodness, you know. And I'll tell you a funny story. We had a client, um, and I was engaging with the CEO, and he was, you know, these beep stuff, they do this, they're into this, they do this, what what what, and he says, Sharon, I want you to go out there and I want you to go and check, and, um, every staff member you find with exposed details, we have to sort out what are we going to do, are we going to have disciplinary, are we going to do this, this. I said, no no, we're not going to do disciplinary, we're going to do training, because this is a learning
process, so you start off small and you teach people. No no no no, this is what he wants. So I said, okay, let's start, let's see what we go and find. Two weeks later I send him back the mail and I said, term, you will notice I've included no one else on the email and there's an Excel spreadsheet attached. I said, the reason I haven't included anybody else on this mail, even though you've asked me to feedback, is because your Ashley Madison logins are still valid and your wife is on the team, so I think you need to like really, sort of trying not to be judgmental and diplomatic, but you really need to clean
your act up, and, you know, and, uh, I got a mail back: okay, I think you need to speak to manager going on, we'll get this resolved. But it was funny, was funny, it was very funny actually. So if we talk about understanding the power of OSINT, we're looking at uncovering hidden threats, and it complements our traditional cyber security tools, it's cost effective, and when I think about cost effective I just think about the licensing and I think, I don't know if that's actually applicable anymore, and you have proactive threat detection. So yes, the cyber security team, whatever team they're in, plus the OSINT investigators, we all use tools, we all use software, and it can be a very cost
effective investigation and it can be a very cost effective service that you provide to your clients if you understand their objective and how you pack everything together. So when I talk how this fits into the cyber security arena, we're talking about: we can enhance threat detection, we can investigate and track malicious actors, and we can mitigate potential risks, and that's quite important. So we look at from intelligence to impact: the effectiveness of gathered intelligence depends on the capacity to cause harm. So if you think about open source scanning tools like Nmap and OpenVAS and those type of things, where you can scan and you can get open ports and whatever you
need to do, and tools like Metasploit, you can build something really worthwhile together with the cyber team, with your pentesters, your ethical hackers, whatever team member you have, but understanding how the information works and what you can use, and build a more effective package to your client, package for the organization, but it's about protecting. So when we look at, um, open source vulnerability scanners like I mentioned there, cyber criminals use that as well. I don't call them hackers, we call them cyber criminals, because you have good hackers as well, so let's try and be precise. Cyber criminals use the same tools and they use the information that they found to get into organizations, and you
might think it's a bit simplified, it is a bit simplified, but it is a matter of fact. So when we look at the type of threats that are out there: exposed credentials, vulnerable infrastructure, phishing and social engineering campaigns, insider threats, threat actor profiling, fraudulent activities, dark web threats, leaked sensitive information, emerging threat trends and physical security risks. So what I have for my teams is a sort of a spreadsheet, for want of a better word, where we say, okay, this is how the OSINT teams can use it, this is how the cyber teams can use it, and it just says, okay, if you're using intelligence for this, this is how you can use it with
the cyber teams, this is how you can counteract or you can use it to complement what you're doing. And I'm going to share a few things, um, now with you, a couple of areas that we use as OSINT investigators. I will, once I finish that, I'm not going to go into depth how to use all the tools, but I do have a QR code that you can scan that will lead you to a page with some of the tools, and I'm not going to ask you for your ID number and your mother's maiden name here, you can just have a look at the tools. So that's what my sheet looks like and, um, I'm sure you can't read it, but
from where you are then it might be a little blurry, but it enables cyber security professionals to proactively detect and respond to threats by collecting, analyzing and acting on publicly available material. And when you go out and you go and have a look what's available, you'll be surprised, and don't go to the normal, just Google and go and search yourself, I mean you could start there, but use some of the tools we provide that I share with you and go and search yourself and just go and see what's out there, and maybe don't do it at work, yeah, yeah, maybe don't do it at work, and just go and have a look what information of yours is actually
available out there. So, techniques and tools. So when we talk about techniques and tools, um, it's not everything, and I haven't used all the fancy OSINT terminology: you've got GEOINT, you've got SOCMINT, you've got HUMINT, you got peppermint, you got all types of mints. I haven't used that because even, oh excuse me, even I can't keep up with all of the mints that are coming out. So, um, basically when we talk about techniques and tools: techniques drive tools, techniques guide investigators on how and where to use the tools effectively, and tools support the techniques, tools make it possible to execute techniques more efficiently or with greater accuracy. So an example: integration, and WHOIS
isn't so great these days, but analyzing domain ownership, and, um, we all know you can't really see much information, and, um, there's a nice little tool called Whoxy, uh, WHOXY, where if you pay for credit you can go and look at the history, because they only redacted the current, I'm not sure how long that's going to be. But learn techniques thoroughly, as they're universal and adaptable, and then select your tools based on your technique's needs. So plan it out and make sure that your investigation is efficient and the investigation scope, that you actually understand your investigation scope, because when you start playing with the tools, and especially a lot of you, I think maybe ADHD or, you know, you
like, you wake up and you're on a cooking channel, you know, and you were busy with investigation. So you manage your time, manage your investigation, and, um, you know, it's quite nice to find, uh, the information that you do. So I've just put it out in a little box about the aspect, the techniques and the tools that you can use. So, um, I'm not going to read everything, but it's quite a nice way, and this is quite a simplified way of just looking at tools and techniques, because that's what will drive your investigation, that's what you sort of, when you prepare your investigation, when you're talking to the team, when you're understanding your
scope and the way that you move forward, it's nice to make sure that you're on track and that you keep on track. So with the tools that I will share with you, a lot of these categories are covered, so there is, I think there's like only three or four tools. Um, I have a start page where I use, which I use with all my tools on. I didn't share it because if you had to look at it you'll think, oh my goodness, this is the most disorganized person I've ever seen, but I understand it. So what I did was I just put some of the tools on a page, and some of the tools are really
really cool to play with, and information that you can get on them is, um, is great, it's good for investigations, it's good to build your case and, you know, making sure that you do your investigation within the scope and without doing what's not illegal, okay. And this is a very holistic way of looking at OSINT, but this is also a very superficial way. I haven't gone in depth about making sure that you're secure and all the normal OSINT tools, but you don't just go to the dark web and go and look for yourself on the dark web, there are practices in place, and that is being secure yourself and making sure your
operational security is in place. And, you know, the dark web isn't all bad in a way, I mean yes, there is bad information and there is things that offer sale that you don't normally get at Takealot or Amazon, but there is some good in the dark web as well, and if you think about some of the countries that are restricted in, you know, getting access to data or getting access to information, um, I'm still trying to sort of convince myself in that way, but I have a friend called Sam Bent, who's an American guy, and he was a bit of a baddy because he smuggled drugs and he went to
jail, and he's telling me all about the good that the dark web does, but anyway, I'll put some tools there for you to go and have a look at. Okay, SOCMINT, social media intelligence, the bane of all our lives. Um, Facebook, Twitter, which is X, Instagram and all these type of things that you follow, but Reddit and obviously Bluesky, and the one thing I do want to share with you is, um, this is one of our investigative tools, um, and this took me a very long time to build, because the tool I use wouldn't work and I had to use PowerPoint and my little lines wouldn't line up, but this is like a sort of a
aack threat map investigative Mac. So when we do an investigation on social media, on some of the apps, we sort of build out the way that we get to look at, and you'll see these that are in red are some of the tools that we use, but we sort of plot out the target person, person we're investigating, and we sort of build out this whole investigation on using the data that's available, because, you know, and Bluesky is relatively new and, um, there's not a lot of traffic on there, but there's some good content there, and this is how we'll do it. So we have this for most of the social media
platforms, um, well, we got it all for all of the apps that are available, and this is how we do our SOCMINT, social media investigations: we plot them out, this, we look at the tools that we're going to use, and it's not cast in stone, because as you're investigating you'll find, um, that the tool's not maybe the best tool for that particular piece of information you need, so we adapt. Okay, metadata analysis. So there's lots of ways that you can analyze metadata, and it's PDF documents, photos, video, geotagging, websites, and I mean there's a few others that I haven't put up there as well. But, you know, it used to be cool when you could go to
Instagram and you could say to mates, listen, post a picture, I can tell you where you are. You can't do that anymore, you know, like, just post that P, I'll put your location, I'll tell you where you are, and like that, wow, you know, that's amazing. Can't do that anymore. So, but there are ways that you can get the metadata, um, and especially sometimes with the baddies that are doing phishing hacks and that, they don't change all the document properties or they make a mistake here and there, so metadata is important. And then domain and IP intelligence, um, it's also a way to look at the infrastructure used by, um, attackers, to understand what's there, how
they've used it, what they've used, where the IP is. Now, a lot of people use VPNs, um, and if you're patient, a VPN doesn't protect you 100%, because I'm sure some of you know that if your connection drops, the real IP, you can see the real IP, so, and a lot of people only use VPN. Um, open source network mapping: um, Maltego is quite a nice tool here and it has a lot of sort of, um, third party tools that you could also bring in here, and you could do, you know, whatever you're sort of investigating, depending on your scope you can bring it into Maltego, and that's a nice way to map
your investigation. Geospatial intelligence, um, this is also quite nice, because when you find out a person's sort of a location you can use things like Google Earth, you can use different mapping tools, you can find out what Wi-Fi they're using, if, uh, you use a tool called WiGLE it'll tell you what, um, internet, um, providers are there, so there's a whole lot that you can build into this, and when you show your, um, pen testers this, they're still not impressed, but yeah, okay. Then automation and scripting, um, you know, Python, doing a lot of, um, web scraping, that type of thing, so you can streamline and build automation, and you will know, or you will
notice that I'm not talking AI, okay, there's no AI here, not at all. Um, I think the only AI used in this was maybe some of the pictures. Okay, so that's the tools, the QR code, it'll take you to our website, um, and there's a few tools there that you can use, and hopefully there are some tools that you haven't used before and you'll find that, um, those tools are interesting and you enjoy using
them. Okay, so the case study I'm going to talk about today was the client that we went into, um, the company with no name, because obviously we're not allowed to share company details, but we were asked to do a penetration test, a phishing test and then cyber security training, and this was my favorite part: this is a tick-box exercise, because we're quite savvy when it comes to cyber security. So you all know that feeling when somebody says that to you, your eyes light up, but you don't look smug, but your eyes light up. So I'm just going to read this the way that we did it. So we looked at YouTube and Instagram
videos discussing business and personal, um, information of the target person. Now, establishing who your target person is, is not as simple as saying that person is your target person, you have a look and, you know, you do a bit of research and then you decide which person you'll use as your target person. And then we used various tools to confirm identity, as well as LinkedIn and media articles of the target person, and we were able to confirm email addresses of various senior staff members including the target person. Now, there's a tool that plugs into LinkedIn, you get I think five free credits a day, it's called SignalHire, it's a lovely tool, it gives you all the
information, gives you lots of information. So we were able to confirm this target person, their work email and their personal email, and we were able to tie the whole package together, their email address as well as their personal address. Then we found their Facebook page, we identified their partner and we identified the granny, and the granny loved the children a lot and she took pictures and lots of pictures and more pictures, and she spoke about the grandchildren, she said this is Jack and Sally, this is the dog, and your eyes light up and you think, oh my goodness, this is lovely, and there were happy birthday messages. So with all that information we
went to Google dorking and it gave us more information about some of their marketing campaigns, so, you know, with Google dorking you're able to extract certain documents that are uploaded, so we found board minutes and charity day events with emails and telephone numbers, and then we all had a glass of wine because we were happy. So we used OSINT tools and we could tie the personal and the work email account to the target person, we could see that the email accounts were flagged in several breaches, and we were able to identify some of the passwords that the account holder had used, our target person, and we were happy and we broke bread and we had more
wine, because this sounds really easy, and, um, not all investigations work out this way, but this was really good for us. So we examined the organization where the target person works and we identified several cloud services by using scripts to check DNS records and open services, and we discovered three public web applications from the list of services that we had previously identified, and one of the three applications was included in the penetration test we were conducting. So what we did was we entered the password into the application's login page with, um, an incorrect password, so sometimes when you are doing an investigation you will enter an incorrect password to get the reset
email link or the telephone number, so we could establish that the person was a registered user, um, but obviously the password was wrong. We went back to the client and we asked for permission and, um, we were able to find the credentials, and the rest is a beautiful story, because when we went back to the C o and we said, well, this is what we're going to do for the cyber security training, but everybody's going to have to go through the training because this is what we were able to find, and there was no smugness involved, there was no air punching involved, but this was a very nice investigation because like for once in a lifetime it
went so smooth and it was like all this information was out there, it was like, you know, the gods were smiling upon us. But investigations are not all that easy and it's not all one two three, there are a lot of steps involved, takes a lot of time, and you have to verify information. So when we talk about being proactive, and, um, I'm also not popular in the office when I have this picture on with the red team underneath, but: social media fortification, and this is as the cyber security team making sure your business is secure as well, continuous monitoring, vulnerability management, security awareness training, and, you know, don't do the run-of-the-mill stuff, do
spice it up a little bit, least privilege access control, threat intelligence integration, and then red teaming and penetration testing. So it's about having the conversation and being proactive in whatever you do as a cyber security team, being out there, making sure that you're all speaking the same language and that you're all working together to give your client the best possible service, to give your internal team and your internal business, you know, just making sure that you are doing whatever you have to do. And then obviously no OSINT, OSINT talkers, you have to have the ethical and legal considerations. So the most important thing is we do have POPI and we have to adhere to certain
regulations, and we don't just hack and crack and attack people, we only use the information that is available and is out there on public sources, um, and you've also got to be careful of what your scope is. So we do have people that come to us and say, um, can you hack my boyfriend, girlfriend's Facebook because they're doing this and they're doing that, and we say no, that's, we don't, that's not in our service portfolio, cuz that's, you know, you're being polite, and you'll be surprised, and, you know, if you read some of the posts on Facebook, these groups drive me crazy, you know, hacker for hire, hack your boyfriend's account, hack this, hack that, that type of
thing. We are responsible, we do our intelligence investigations, we do it for good, and that must be your mindset whatever you do, whatever team you're on: we do things for the better, we want to improve the current situation. And you've always got to verify. The one thing with information and the collection of information, you have to verify. You can destroy somebody's life by taking information that you haven't verified, and I'm not talking verify once, I'm talking verify a number of times. You can destroy somebody's life with incorrect information, so you have to make sure, and sharing irresponsibly is also, you know, it's share it with another team member, um, you're just sharing it with this
person, whatever information it is, even if it's not in an investigation. You know, artificial intelligence: if you look at some of the videos and you look at some of the images and you think to yourself, today is the worst that image will ever be, today is the worst that video will ever be, going forward it's only going to get better. So before you share that WhatsApp message, before you share any emotional string image, you need to have a look, and, you know, it sounds tedious just verifying everything that you get or see, or information around another person and that, but be responsible. Let chain letters die with you, let those chain WhatsApp messages die with
you, okay, those images, whatever they are, let them die with you, okay. Teaching your mom, that's another thing, um, and teaching your grandmother, that's like even also on another level, but be responsible. And then evolving trends: um, I think that penetration testing and OSINT investigations can complement each other, and you can see by my slide I really believe strongly that they complement each other by addressing both internal vulnerabilities and external intelligence gathering aspects of cyber security. So comprehensive threat mapping, I mean that will take you to the next level, enhanced reconnaissance, attack surface expansion, post breach analysis. I mean, for those penetration testers in the room, yes, you do your report, but have
you ever sat down with a client or the OSINT person in your team and had that conversation, sort of really have a discussion about what you found, and also with the organization, you know, how do you move to the next level? And also it leads to improved social engineering. Um, you know, social engineering is also something that's growing in South Africa and, um, you know, if you think about it, I social engineered my way into parking spot just right outside here, um, and I didn't fib, I did a 10 GSB a few years ago and I still have my lanyard, which I had on, but he didn't ask me for details and I just said I'm
coming here and he said, please go and park over there. So it is evolving in South Africa, it's not, you know, with the penetration test that you do, very few organizations do ask for the social engineering as well, but, you know, it is becoming a bigger part, and that's where OSINT intelligence and OSINT investigations can play a part, so you can work together as one team. And then that's my last, uh, joke of the day.
Okay, so thank you very much. I'm sure we haven't done the 45 minutes, I'm not really a 45 minute speaker, but, um, that's a link to the tools again for those of you who missed. If you have any questions, or if you'd like to come chat to me and want access to my need to start page, I can give you that, um, but any questions, anything that you would like to know? And I think one of the questions people do ask me is, because you didn't grow up with a cyber security background, how can you run a cyber security company? Um, and there are two things: understanding business and understanding people is crucial to
knowing the Cyber threats out there and obviously you do your little courses here and there but I mean it's crucial because people are people and that underpins any form of cyber security because it doesn't matter what tool you put in people of people thank [Applause] you