
Zachary Hunsaker - Open Source Intelligence: What Does the Internet Know About You?

BSides Knoxville, 43:54, published 2023-05
About this talk
Still believe that no one would want to attack your company or target your employees? When you see how much information a company posts online, and the wealth of information an attacker can get without ever scanning an IP address, you may just change your mind. After completing this session, learners will:
- Understand the risks associated with their company's online presence.
- Know how to defend employees online.
- Be able to enact policies on documentation and information-sharing sites to better defend against open source intelligence leaking critical information.
- Understand the need for open source intelligence as an organizational function, and some of the places you can integrate OSINT into either a dedicated role or a job function.
Transcript

All right everybody, we have our penultimate talk. It's going to be Zachary Hunsaker, can you pronounce that right, presenting Open Source Intelligence: What Does the Internet Know About You? Please give him a round of applause.

Thank you so much. First of all, I'd just like to say I'm super excited to be here, and if you're expecting some sexy talk where I'm going to put a whole bunch of dark web secrets and stuff in the presentation, that's not going to be what we're doing. But we'll talk a little bit about what we are doing, because hopefully we can give you some open source intelligence to bring back to your business and implement some things that will help make your business better and maybe streamline and improve some processes. Hopefully we can see this; I didn't plan on a projector, I probably should have, but mostly I'm going to be talking about what's up here. It's not really heavy in visuals and everything.

So first off I'll just talk about who I am and why maybe you would care about anything I have to say. Currently I'm an OSINT security engineer at AbbVie; it's a pharmaceutical company, we do some really interesting stuff. Right now my primary function for AbbVie is I'm automating the OSINT process that we use for mergers and acquisitions. One of the interesting things we get to do with that is when a new company that we're targeting for a merger or an acquisition is coming onto the radar of the mergers and acquisitions team, they'll reach out to us and ask, "Hey, can you take a look at this business and tell us everything you can find about their information security footprint?" They don't want any big scary things happening after a merger or acquisition, like ransomware. They want to be aware of any misconfigurations, any issues that we might run into, so that they can either leverage that to maybe sweeten the deal a little bit with the understanding that we'll go and fix those things after the fact, or so we can back away slowly and pretend like we were never interested.

Currently I'm automating a bunch of the processes that have already been put in place by some of my peers, and I'd like to say thank you to those wonderful people that I've been helping. Previously I worked at AWS; I was a security engineer on the CloudFormation team. We got to do some interesting stuff at scale for infrastructure as code, and if you've ever used CloudFormation it's a very interesting product. Highly recommended: if you're doing things at scale at AWS, either the SDK that CloudFormation offers or CloudFormation itself are both really powerful tools that I think are very underutilized. Some interesting things about that: during my time there, some of the things that we ran into would be from bug bounty programs, and some of the biggest things that were found were found with OSINT. I can't go too much into that because of the NDAs and all that jazz, but what we're doing here is very applicable and OSINT will definitely help us out. Before that I was an incident responder and security engineer at the National Center for Atmospheric Research, and I'm also a recovering Java developer, which was my first position. A big shout out to any of you who write Java all day; you're the unsung heroes. I like to joke that Java is basically what runs the whole internet, like it's Java all the way down, Java and caffeine.

A little bit more about me aside from my technical background: I'm a dad, that's my most important job and I really love it, shout out to all the dads out there. And I'm a permaculturist, so one of my big hobbies is I like to build an ecosystem onto property that I bought here in Tennessee (thank you Tennessee for accepting me as a refugee from the state of Wyoming), and I'm very big into fermentation and cultured food. So, some interesting things; if you want to talk about those you can hit me up on Twitter. This is my Twitter handle and there is a giant QR code that you can scan if you're interested in following me on Twitter. At the end of this I'll also provide slides for this deck. Again, this isn't a PowerPoint presentation; I apologize for how crazy it's going to be because of the extra light in here, but we'll continue.

So in this talk I want to talk a little bit about the intelligence life cycle. Is anybody here familiar with the intelligence life cycle as it pertains to intelligence gathering and everything? A little bit, okay. I want to talk about that because it's really important for making OSINT applicable to your business. After that we'll talk about OSINT and some of the steps, some of the places in the intelligence life cycle where it really shines, and we'll talk about why those things are important for your businesses, because at the end of the day that's what pays the bills, that's what lets us be here. I think OSINT can actually be a very critical step of what you're doing, and I imagine it's something that you are all using to some degree, even if you're just Googling for an answer to a question, or if you're using an RSS feed for finding vulnerabilities that you need to patch in your organizations.

So the goals of this session: I want to talk a little bit about the risks associated with your company's online presence. There's probably a lot more out there, especially for publicly traded companies, than you might be aware of. I want to talk a little bit about the best practices that we can use for defending against online attacks via these vectors; specifically we'll be focusing on a lot of policies. I'll also mention some tooling and some training that you might get if you're more interested in bringing more open source intelligence to your business for optimizing your business processes. And lastly, I hope you'll learn a little bit about the benefits of integrating OSINT into your organization, either as a standalone function, like my job currently is at AbbVie, which I'm super excited about, or as a typical day-to-day activity that you do as part of your job, whether it's in the help desk, security operations center, pen testing, whatever it might be.

So I'm going to actually zoom out here a little bit and let's talk about the intelligence life cycle. This is basically a process that the intelligence community set up a few years ago, well, a long time ago, on how they collect intelligence and the processes involved within that, from the beginning planning stages to the very end where you're disseminating reports and gathering feedback. There are six main steps. The first one is your planning stage. There's a lot to this: you need to be aware of what your requirements are. This is where you start, whether you're writing software, whether you're setting up infrastructure, whether you're trying to secure your organization, and as part of open source intelligence it's critically important as well. You define your requirements and objectives. So at AbbVie, for example, our requirements are: we want to know everything we possibly can about a third party for a merger or an acquisition without actually attempting to do a penetration test or scanning or any of those activities. You need to identify your potential sources of information; there are a lot of them. If you are a publicly traded company and you fill out those SEC reports every year, your 10-Q is one of the first places I will go when I am searching for information on your company, where you talk about breach announcements, when you talk about insider trading, when you talk about anything that you have to fill out relating to your business to the SEC. That's definitely going to be one of the first places I go, again if you're a publicly traded company.

So, collection. I put little monikers up here, you probably can't see them. The collection phase is what I like to call "I don't have enough disk space". OSINT is one of those intelligence disciplines where there is more information available than you can probably gather and process, so you need to be a little bit pickier about it. There's a lot going on. Specifically at AbbVie, one of the things I go and do when we're looking at acquiring another company that is selling a drug that we're interested in being able to sell at a later date, or that's in their pipeline, is one of the first places I'll go is the darknet markets. I'm going to go see if there is a generic version of that drug available on any of those sites, or if there's a copycat of any of those from suppliers in, east of here, we'll just put it that way. And then social media collection: this is a treasure trove of data, and most of it will come not from the business's public media presence but from that of its CEOs, of its employees, and we'll talk a little bit more about that as we go into some of the stories that we'll talk about here.

Next there's the processing and exploitation phase. I also call this the "import pandas as pd" stage, because this is where you're taking your information and you're going to compile it into a readable format, and pandas is one of those libraries in Python that I absolutely could not live without. It's critical for what I do on a daily basis and it's a great way to take and organize and filter data and be able to put it into a data frame so that you can continue to process it.

I'll just briefly go over some of these other stages. The analysis and production stage: this is where you actually need an analyst on the ground to take a look at the data and be able to interpret it and translate it to the business. You need to be able to take all this information that you're finding; it's very similar to a pen test report, where you're taking and analyzing the vulnerabilities, seeing if there's actual impact, and being able to start producing a report. Next is the dissemination phase, where you actually communicate these findings to the business. This is critically important because this is where decisions get made. As you're very well aware, you need to process this in a way that lets you visualize this information. One of the things I found with the first few reports that I gave to my employer is that there was too much reading involved, and I don't mean that to be mean: decision makers are busy, they have tons of meetings every day and they have a lot of information and context switching that they do have to do. So the more visual you can make these reports, the more impactful they'll be for the business; you know, bright red stop sign, "don't buy this because XYZ". And then the feedback and evaluation; this is a stage that gets overlooked a lot, but you need to sit down and talk to your key stakeholders after disseminating a report like this and basically ask: what worked, what didn't, did you understand this from the information that I provided, how could... Try and understand their business position a little bit better so you can take the technical or other complex findings you have and translate them into business speak. I found that this is critically important.

So let's talk a little bit about open source intelligence as its own discipline. As we mentioned before, there's a plethora of information available. Basically anything accessible on the internet, or other protocols, not just the internet, that's openly available is fair game. There are legal implications that you need to look for in specific use cases: if I go anonymously log into an FTP server that has a banner that says "hey, please don't come on to here", that's obviously an ethical consideration you need to take into account, so don't do that. But with open source intelligence, as we mentioned before, there are lots of problems associated with it as well. First is the data volume; there's more info than you'll be able to go over. Reliability: open source intelligence data can be generated on the fly. I mean, we're living in a time with artificial intelligence; has anybody played with ChatGPT or something like it? It's insane the quantity and volume of information that it can put out. A couple of weeks ago I actually had it generate a fake LinkedIn profile for me, like "here's all the places I've worked, here's all the blah blah blah", for a puppet account to be able to do investigations, and it was amazing the little nuances that it would throw in. So being able to reliably verify the sources that we're gathering with OSINT is one of our more critical problems that we need to address. And data quality; quality doesn't mean reliability here, specifically I'm talking about the unstructured format that we find a lot of times. If you're going and reading a blog post on somebody's blog that they wrote 12 years ago, there's a lot of processing that you have to do in order to automate that and make it valuable.

So first let's talk a little bit about the collection phase. In open source intelligence we're gathering from public sources: websites, social media, news articles, government reports. I mentioned the EDGAR database that the SEC has for the reports that publicly traded companies have to file. Public records: this is a treasure trove. Here in Tennessee, and in many other states, I don't know if you're aware, but there is a land parcel database, and if you've ever owned land or bought a property, if you're a landowner, essentially your information is probably in this database and it's open to the internet. You can go request your information to get out, but when I'm searching for somebody that's a really good source of information. There are lots of things like that.

I want to mention some interesting trainings or tools that you can take a look at. OSINT Curious is a good one; this is by Micah Hoffman. The OSINTion, which is Joe here? No, okay. Joe Gray is one of the organizers here; he has a great training available for open source intelligence. inteltechniques.com, this is a really interesting one. Michael Bazzell is largely considered the godfather of OSINT; he is very focused on privacy and removing himself from a lot of these open source intelligence databases or places, and he has a wealth of information and knowledge available on his website here. Which I gotta say, last time I gave this talk I had people going here and it was actually the day that his website got taken down with all the information, so I hope that doesn't happen now. But he's a great resource and there are actually really good tools there that he tries to keep up to date for doing manual investigations on phone numbers, on domain names, IP addresses, usernames, that can help you track down somebody's username across various social media sites. It's a great resource if you're looking for that. There's another tool here called Obsidian, a markdown tool; it's a great knowledge database that you should keep for yourself. OSINT is one of those things where the tools that you're using or the techniques that you find are probably going to break tomorrow. I have my GitHub page with skeletons of projects that I was working on where the next day the vendor found "oh, we didn't mean to release this information" and they fixed it and my tool no longer works, right? So it's a cat and mouse game that's frequently happening, but the thing that doesn't change a lot is your framework for "here's my process for going and investigating things", and I found that Obsidian is one of those tools that lets me do a mind map and track down some of those things. I'll also say RSS feeds are one of my favorite tools; if you aren't using one I highly recommend it, even just for vulnerability tracking. There are lots of tools out there that can have web pages, Twitter feeds, all of that converted into an RSS feed, so it's a great source of information to be able to programmatically grab those types of things and process them.

I'll kind of skip over the processing and exploitation and the other stages; they're very important from an open source intelligence perspective, but I'd like to get a little bit more to the meat and potatoes, the why we're here. So let's talk a little bit about your businesses and how we might be oversharing information and some of the implications of those things. First, data breaches. It's on everybody's mind, and a lot of them can happen because of oversharing of company information online. With information that's publicly accessible there are frequent cases where we're more at risk of a data breach because of it. Who here has seen one of those pictures on Twitter or LinkedIn or something where somebody's taking a picture and they're like "it's my first day at this company, super excited"? Anybody? I can't be the only one. Okay, so everybody's seen one. Does anybody know why people do that? It's a serious question. Anybody? They're excited. We are social human beings; social media took off because of the dopamine hits and everything, but it's because we're social creatures. We want to include people in our lives that we care about. So when they're sitting there taking a picture and saying "look how excited I am", it's not a terrible thing for them to want to do. It's a terrible thing for your business. Recently, while I was looking at an organization, I found a tweet from somebody that said "it's my first day, super excited", and it was a picture of their badge. Which makes being able to copy one of those RFID tags super easy to do; you can see the format that they're using, the type of logo they're using, which seems innocuous enough until you realize that they're also sharing where they went, where they're going to go with their group after their first day, and they say "hey, we're all going to meet at this bar after work, I'm super excited, I have an awesome new team". So you go there with a Proxmark or something and you just walk by and beep, and you've got a picture, you've got their badge, you know the hours when they're going to be at work or when they might be somewhere after work, and it starts to look a little bit scarier.

Another example I have, this really happened and it's really sad. Who here can tell me what an /etc/shadow is? Yes, go ahead. Yeah, it's the actual document on a Unix system that stores your password, and it's not easy to get to; you need escalated privileges to get it. I was investigating some open indexes. My boss had asked me to go and look at, and this is a former employer, I'm just going to say that now so that's abundantly clear, he's like "we have a problem, we're getting a lot of reports from a third party about these open indexes, can you go take a look?" I said okay, let's go take a look. So I'm going through some open indexes and I'm seeing a lot of publicly available data, some web servers that are just misconfigured, you can see the files in there, nothing too crazy. And I get to about the sixth one down on my list of servers to go check, and I go onto here and I see a folder called backups. So I go to backups, I'm like okay, well this looks interesting. There are some commands that they run to do backups, like the scripts that they're using, with hard-coded credentials I might add. There is a copy of the data that they're backing up into a folder, date and time stamped, and in one of these there is your /etc/passwd and your /etc/shadow files. So I'm like, okay, well maybe it's old, maybe it's
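A self-audit for the open-index failure mode the story above describes (directory listing enabled, a backups folder holding password files and scripts with hard-coded credentials), added here as an example and not code from the talk or its speaker. The sensitive-name and credential patterns are assumptions of this example, and the sample listing and script are constructed.

```python
"""Flag web-served directory listings that expose backup artefacts, the
failure mode from the talk's open-index story. Added example, not the
speaker's tooling; sample listing and script below are constructed."""
import re
from html.parser import HTMLParser

# Names that should never sit in a web-served directory (assumed list).
SENSITIVE = re.compile(
    r"(^|/)(shadow|passwd|id_rsa|\.env|.*\.sql(\.gz)?|.*\.bak|.*\.tar(\.gz)?)$",
    re.IGNORECASE,
)
# Assignment-style secrets in backup scripts, e.g. --password=... (assumed).
CRED_PATTERN = re.compile(r"(?i)(password|passwd|pwd|secret|api_key)\s*[=:]\s*\S+")

class _LinkCollector(HTMLParser):
    """Collect href targets from an auto-generated index page."""
    def __init__(self):
        super().__init__()
        self.links = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value)

def is_open_index(html):
    """Apache/nginx auto-index pages carry an 'Index of' title."""
    return bool(re.search(r"<title>\s*Index of\s", html, re.IGNORECASE))

def find_sensitive_entries(html):
    """Return listed entries whose names suggest secrets or full backups."""
    if not is_open_index(html):
        return []
    collector = _LinkCollector()
    collector.feed(html)
    return sorted({h for h in collector.links if SENSITIVE.search(h.rstrip("/"))})

def find_hardcoded_credentials(script_text):
    """Return lines of a backup script that embed a credential."""
    return [ln.strip() for ln in script_text.splitlines() if CRED_PATTERN.search(ln)]

# Constructed sample: an open index like the 'backups' folder in the story.
SAMPLE_INDEX = """<html><head><title>Index of /backups/2023-04-01</title></head>
<body><h1>Index of /backups/2023-04-01</h1><pre>
<a href="../">Parent Directory</a>
<a href="run_backup.sh">run_backup.sh</a>
<a href="etc/shadow">shadow</a>
<a href="etc/passwd">passwd</a>
<a href="www.tar.gz">www.tar.gz</a>
<a href="README.txt">README.txt</a>
</pre></body></html>"""

# Constructed backup script with a hard-coded database credential.
SAMPLE_SCRIPT = """#!/bin/sh
mysqldump -u backup --password=Sup3rS3cret appdb > db.sql
tar czf www.tar.gz /var/www
"""

if __name__ == "__main__":
    for entry in find_sensitive_entries(SAMPLE_INDEX):
        print("exposed:", entry)
    for line in find_hardcoded_credentials(SAMPLE_SCRIPT):
        print("hard-coded credential:", line)
```

Point it at fetched copies of your own servers' index pages and backup scripts; any hit is a finding to remediate (disable directory listing, move backups off the web root, pull the credential into a secrets store).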