OSINT and the new perimeter
“The perimeter” is probably one of the most used metaphors in Information Security, and as an attacker or defender it’s often the first place analysed to identify vulnerabilities.
In this post I explore the perimeter metaphor and look at the impact of OSINT (Open Source Intelligence) when trying to defend or attack an organisation’s perimeter.
The early perimeter
Especially in the world of IT, metaphors are essential because they reduce highly complex things down to more familiar terms that humans can easily grasp (think of “firewall” and “cloud”, for example). But unless everyone in the conversation has the same understanding of what the metaphor actually represents, they aren’t talking about the same thing. Or worse, if what the metaphor used to mean no longer makes sense in today’s world, you have a problem.
For a long time the perimeter metaphor made a lot of sense because if we wanted to defend an organisation we needed to find all the points of possible weakness that an attacker might target.
Back when the IT estate of organisations used to be much simpler, we would reasonably start this process at the network layer. We would tightly control all the incoming paths of communication to the resources that needed to be externally accessible, and completely close off access to everything else.
Then, with the network controlled you would work your way up the stack to tighten access at the application layer so that the exposed services were further protected, maybe through the use of authentication, encryption, sandboxing and so on. What we were left with was what we would refer to as the perimeter — the systems accessible by distrusted (or at least less trusted) users.
So far, so good; the perimeter metaphor worked reasonably well because it mapped well to reality.
Then the world changed
Blind spots started to form when we moved beyond the organisations of the early 2000s where life was lived mostly behind a firewall, to modern-day organisations that likely also include:
- Servers hosted in a mixture of on-premise and cloud facilities
- Cloud-based office productivity tools like Google Mail, Dropbox, …
- Object storage in the cloud such as S3 buckets
- SaaS platforms like Zendesk, Mailchimp, …
- Third parties managing DNS across many alternative domains and TLDs
- BYOD (Bring Your Own Device) in the workplace
- Outsourcing companies handling more of the technology value-chain
- 3rd party network connectivity with partners and suppliers
- Shadow IT
- Presence on social media platforms for marketing, branding and recruiting
- Employee personal and professional presence on social media
Where is the perimeter in all of this? How could it possibly be identified, let alone controlled?
Because of these changes, the risk that organisations face is far beyond the perimeter of their own network because their own network is no longer the sole place where damage can be inflicted on their assets, brand and reputation.
This means that the perimeter (if we really still want to call it that) is no longer made up of just hostnames, IP addresses and open ports. It now also includes e-mail addresses, employee names, social media accounts, public records (Whois, certificate transparency, etc.), data leaks and any other freely available information about the organisation which might give the attacker an advantage.
My introduction to OSINT was back in 2005 when I created the first version of SpiderFoot, except I didn’t know it at the time.
Back then, OSINT wasn’t a term you would hear in InfoSec circles — it was mostly “network scanning” or “reconnaissance”. OSINT was still very much relegated to the world of three-letter government agencies, which had this to say about it:
“Today, open source [intelligence] has expanded well beyond “frosting” and comprises a large part of the cake itself. It has become indispensable to the production of authoritative analysis.”
— John Gannon, former Chairman, National Intelligence Council, 2001
These days — particularly in the past couple of years — OSINT seems to be everywhere: blogs, podcasts, books, tons of tools and entire platforms dedicated to it. Just take a look at this graph from Google Trends which indicates a steadily decreasing interest in “network scanning” vs. a growing interest in “OSINT” over the past ten years:
The above image coupled with the general growth of the OSINT ecosystem indicates there is some kind of awareness-shift happening. I believe people are catching on to the idea that the perimeter of an organisation goes well beyond the network and see OSINT as a solution to gaining the necessary visibility.
The OSINT explosion
In developing SpiderFoot over the years, I’ve witnessed first hand the growing availability of OSINT that makes the task of identifying an organisation’s true perimeter possible. Services to search data leaks, find employee details, reverse-lookup Whois data and more are popping up continuously and best of all, exposing their functionality through APIs to make automation possible. When I started with SpiderFoot, it integrated with about five different data sources. Today it stands at over 150 (and I have a backlog of 100 more to implement, and growing).
The bad news is that the open nature of this information means it is also available to attackers, so the burden lies on the defender to gather as much OSINT as possible about the organisation they are defending to identify unintended exposures, and do it regularly in the same way that they would perform vulnerability scans.
If you doubt the practical applications of OSINT for an attacker, consider the following questions:
- Why try and brute-force all the host names belonging to your target if you can just search the certificate transparency log to find all the hosts for which certificates have been issued?
- Why try and look for unmaintained parts of the infrastructure when you can just look for hosts on the organisation’s domain which are not hosted on the same infrastructure as all of their other sites?
- Why bother breaking into the network to get sensitive information if you can find poorly managed S3 buckets they use?
- Why bother sending a phishing e-mail to every possible e-mail address on the domain when you can target the employees who have domain administrator rights, as mentioned on their social media profile?
- What’s the point in getting into the organisation’s network in the first place if they use Github and Atlassian cloud services for managing their intellectual property? Then all you’d need is the credentials of an employee who has access, which are likely to be the same credentials they use for their social media account. Perhaps the same credentials recently revealed in a data leak.
- Why spend so much time performing port scans, banner grabs and so on to identify the applications exposed by your target when you can use a service like SHODAN, Censys or BinaryEdge to get all that information, all without transmitting a single packet to the target’s network?
The new perimeter
It seems unlikely that the perimeter metaphor is going to disappear any time soon, but the definition has to change to look more broadly at all the ways an attacker can gain critical insight into an organisation and use that information to their advantage. We have to stop seeing the perimeter as the border of the network and instead see it as all the information openly available about an organisation which could be used against it.
In today’s organisations, the new perimeter is the sum of all systems that can be accessed externally plus all the information available about the organisation that could be used against it — directly or indirectly.
This information needs to be identified and controlled if not eliminated, just like the old network-centric perimeter was.
What’s great about OSINT is that it represents a methodology of using openly available information to understand your target. OSINT isn’t just about port scans and host name enumeration; it extends into the world of social media, cloud services, data leaks, public records and much more. OSINT makes the task of identifying an organisation’s true perimeter possible.
If you are new to OSINT, there are plenty of tools and resources available to help you get started and apply it as part of your overall security strategy. Check out this article about OSINT resources I posted recently to get more insight into resources that should be helpful. What you find about your own organisation might surprise you.