OSINT and the new perimeter

Steve Micallef
Jan 27, 2019 · 6 min read

“The perimeter” is probably one of the most used metaphors in Information Security, and as an attacker or defender it’s often the first place analysed to identify vulnerabilities.

In this post I explore the perimeter metaphor and look at the impact of OSINT (Open Source Intelligence) when trying to defend or attack an organisation’s perimeter.

The early perimeter

Especially in the world of IT, metaphors are essential because they reduce highly complex things down to more familiar terms that humans can easily grasp (think of “firewall” and “cloud”, for example). But unless everyone in the conversation has the same understanding of what the metaphor actually represents, they aren’t talking about the same thing. Or worse, if what the metaphor used to mean no longer makes sense in today’s world, you have a problem.

[Image] When you think of a perimeter, does it look anything like this? It might be closer to reality than you think.

For a long time the perimeter metaphor made a lot of sense because if we wanted to defend an organisation we needed to find all the points of possible weakness that an attacker might target.

Back when the IT estate of organisations used to be much simpler, we would reasonably start this process at the network layer. We would tightly control all the incoming paths of communication to the resources that needed to be externally accessible, and completely close off access to everything else.

Then, with the network controlled you would work your way up the stack to tighten access at the application layer so that the exposed services were further protected, maybe through the use of authentication, encryption, sandboxing and so on. What we were left with was what we would refer to as the perimeter — the systems accessible by distrusted (or at least less trusted) users.

So far, so good; the perimeter metaphor worked reasonably well because it mapped well to reality.

Then the world changed

Blind spots started to form when we moved beyond the organisations of the early 2000s where life was lived mostly behind a firewall, to modern-day organisations that likely also include:

  • Servers hosted in a mixture of on-premise and cloud facilities

Where is the perimeter in all of this? How could it possibly be identified, let alone controlled?

Because of these changes, the risk that organisations face is far beyond the perimeter of their own network because their own network is no longer the sole place where damage can be inflicted on their assets, brand and reputation.

This means that the perimeter (if we really still want to call it that) is no longer made up of just hostnames, IP addresses and open ports. It now also includes e-mail addresses, employee names, social media accounts, public records (Whois, certificate transparency, etc.), data leaks and any other freely available information about the organisation which might give the attacker an advantage.

Enter OSINT

My introduction to OSINT was back in 2005 when I created the first version of SpiderFoot, except I didn’t know it at the time.

Back then, OSINT wasn’t a term you would hear in InfoSec circles — it was mostly “network scanning” or “reconnaissance”. OSINT was still very much relegated to the world of three-letter government agencies, which had this to say about it:

“Today, open source [intelligence] has expanded well beyond “frosting” and comprises a large part of the cake itself. It has become indispensable to the production of authoritative analysis.”

John Gannon, former Chairman, National Intelligence Council, 2001

These days — particularly in the past couple of years — OSINT seems to be everywhere: blogs, podcasts, books, tons of tools and entire platforms dedicated to it. Just take a look at this graph from Google Trends which indicates a steadily decreasing interest in “network scanning” vs. a growing interest in “OSINT” over the past ten years:

[Image: Google Trends comparison of “osint” and “network scanning”, 2009–2019] https://trends.google.com/trends/explore?date=2009-01-01%202019-01-01&q=osint,network%20scanning

The above image coupled with the general growth of the OSINT ecosystem indicates there is some kind of awareness-shift happening. I believe people are catching on to the idea that the perimeter of an organisation goes well beyond the network and see OSINT as a solution to gaining the necessary visibility.

The OSINT explosion

In developing SpiderFoot over the years, I’ve witnessed first-hand the growing availability of OSINT that makes the task of identifying an organisation’s true perimeter possible. Services to search data leaks, find employee details, reverse-lookup Whois data and more are popping up continuously and, best of all, they expose their functionality through APIs to make automation possible. When I started with SpiderFoot, it integrated with about five different data sources. Today it stands at over 150 (and I have a backlog of 100 more to implement, and growing).

The bad news is that the open nature of this information means it is also available to attackers, so the burden lies on the defender to gather as much OSINT as possible about the organisation they are defending to identify unintended exposures, and do it regularly in the same way that they would perform vulnerability scans.

If you doubt the practical applications of OSINT for an attacker, consider the following questions:

  • Why try and brute-force all the host names belonging to your target if you can just search the certificate transparency log to find all the hosts for which certificates have been issued?
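The defender-side version of that certificate transparency check, as an added example that is not code from this post or from SpiderFoot: parse a crt.sh-style JSON response for one domain and flag every host that holds a publicly logged certificate but is missing from the organisation’s own asset inventory. The sample response, the hostnames and the inventory are constructed placeholders; the only crt.sh detail relied on is that its `name_value` field packs a certificate’s SANs as one newline-separated string.

```python
import json

# Constructed sample in the shape of a crt.sh JSON query result
# (https://crt.sh/?q=%25.example.com&output=json). Hostnames and
# issuers are placeholders, not real CT log entries.
SAMPLE_CT_JSON = json.dumps([
    {"issuer_name": "CN=Example CA 1",
     "name_value": "www.example.com\nexample.com"},
    {"issuer_name": "CN=Example CA 2",
     "name_value": "*.example.com"},
    {"issuer_name": "CN=Example CA 1",
     "name_value": "staging-api.example.com"},
    {"issuer_name": "CN=Example CA 1",
     "name_value": "Jenkins.Example.com\nstaging-api.example.com"},
])


def hostnames_from_ct(raw_json: str, domain: str) -> set:
    """Distinct hostnames under `domain` named in the CT entries.

    Each record may name several hosts (all SANs in one newline-separated
    string). Names are lower-cased because DNS is case-insensitive, and
    wildcard entries are dropped: "*.example.com" is not a host you can
    put in an inventory, though it does show a wildcard cert exists.
    """
    domain = domain.lower()
    suffix = "." + domain
    found = set()
    for entry in json.loads(raw_json):
        for name in entry.get("name_value", "").split("\n"):
            name = name.strip().lower().rstrip(".")
            if not name or name.startswith("*."):
                continue
            if name == domain or name.endswith(suffix):
                found.add(name)
    return found


def unexpected_hosts(ct_hosts: set, inventory: set) -> set:
    """Hosts with a public certificate that the asset inventory does not list."""
    return ct_hosts - {h.lower() for h in inventory}


if __name__ == "__main__":
    hosts = hostnames_from_ct(SAMPLE_CT_JSON, "example.com")
    known = {"example.com", "www.example.com"}  # constructed inventory
    for host in sorted(unexpected_hosts(hosts, known)):
        print("certificate logged for host not in inventory:", host)
```

Run regularly, as the post suggests for vulnerability scans, the set of unexpected hosts becomes a change feed for the externally visible estate.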

The new perimeter

It seems unlikely that the perimeter metaphor is going to disappear any time soon, but the definition has to change to look more broadly at all the ways an attacker can gain critical insight into an organisation and use that information to their advantage. We have to stop seeing the perimeter as the border of the network and instead see it as all the information openly available about an organisation which could be used against it.

In today’s organisations, the new perimeter is the sum of all systems that can be accessed externally plus all the information available about the organisation that could be used against it — directly or indirectly.

This information needs to be identified and controlled if not eliminated, just like the old network-centric perimeter was.

Conclusion

What’s great about OSINT is that it represents a methodology of using openly available information to understand your target. OSINT isn’t just about port scans and host name enumeration; it extends into the world of social media, cloud services, data leaks, public records and much more. OSINT makes the task of identifying an organisation’s true perimeter possible.

If you are new to OSINT, there are plenty of tools and resources available to help you get started and apply it as part of your overall security strategy. Check out this article about OSINT resources I posted recently to get more insight into resources that should be helpful. What you find about your own organisation might surprise you.
