Using Open-Source Intelligence to Mitigate & Investigate Insider Threats
Another mid-month special issue! Guest author Thomas Fogle of Hetherington Group discusses the importance of leveraging OSINT for Insider Threat investigations and mitigation.
Wide adoption and use of social media networks and applications has provided threat actors with an easy and low cost threat vector for access to sensitive information; sensitive personal and organizational information is now freely shared with the world by many social media users, creating new risks and responsibilities for employees and organizations. Whether the social media user shares sensitive information maliciously or innocently, threat actors enumerate and use this information to tailor their social engineering messaging and inform their attack methods.
Open-Source Intelligence (OSINT) plays an important role in mitigating and investigating these risks. The Office of the Director of National Intelligence defines Open-Source intelligence (OSINT) as, “publicly available information appearing in print or electronic form including radio, television, newspapers, journals, the internet, commercial databases, and videos, graphics, and drawings.”
This article highlights OSINT techniques, tactics, and procedures (TTPs) that act as a force multiplier when mitigating accidental, negligent, and malicious insider threats. We will examine data breaches, social media operational security, cyber monitoring (Dark Web), and social media investigation tools.
Social media networks, other Internet services and communities, and organizational computing environments continue to be attacked and exposed, resulting in lists of information about their users and their account details being freely posted or sold via the Internet. These attacks are referred to as Data Breaches.
Attackers use the information exposed in these breaches to attack even more services in targeted and in credential stuffing attacks, knowing many people make the mistake of re-using the same username and password across multiple services.
(1) Employees and security teams can and should monitor whether their accounts have been exposed via breach data monitoring services.
One service making this monitoring possible is haveibeenpwned.com.
Haveibeenpwned.com was developed by Troy Hunt, a Microsoft Regional Director. It is a free service for individuals that allows users to search their email address against the data from thousands of data breaches, including prominent breaches of Chegg, LinkedIn, Adobe, and Facebook. This source is updated frequently to include newly identified data breaches, and they provide the ability to receive email notification when they ingest a new breach containing your email address. Organization-wide email domain monitoring options are available for a fee.
(2) The Insider Signal team recommends (a) use of a password manager tool & complex passwords, (b) having a unique password for every service (avoid password re-use), and (c) enabling MFA/2FA for all services that support MFA/2FA. Changing passwords regularly may also be beneficial, with every three months being a common change frequency. However, the practice of changing passwords regularly is falling out of favor with the security community given the availability of the more effective protection methods listed above as well as human behaviors and operational conflicts associated with regular password changes.
Social Media Operational Security
Social media and technology innovation has drastically changed the security industry. Quality of photos captured with even the most basic and inexpensive consumer-level phones and cameras have improved to capture even tiny text and intricate details, and these photos are shared on social media and made immediately available to individuals almost everywhere in the world, making it easy for threat actors to find and take advantage of the posts and images.
While users are free to post what they want and share information about their life as they see fit, they are often times unaware of the associated security risk associated with doing so.
(3) Encourage employees to sanitize their social media profiles by removing posts containing personally identifying information (PII) and sensitive organizational information.
They should consider posts and settings that include PII such as date of birth, locations, contact information such as phone numbers and email addresses (especially those of the employer) and/or those that include photos capturing their computer screens, phone screens, asset tags, and/or physical work documents/papers, and similar items. Are their photos exposing the names and roles of other employees and their roles? Of company products, IP, initiatives? Clients, vendors, customers, or other stakeholder relationships?
It’s common practice to post images on social media, and it’s unfortunately not uncommon for employees to take pictures in their work environment or with colleagues. This practice can pose a significant security risk. For example, if an employee takes a ‘selfie’ at their desk, a number of items may be in view such as calendars, computer screens, or sensitive paperwork. A simple image of a calendar can expose client information, schedules, and potentially violate non-disclosure agreements.
Consider this example:
The above Instagram social media post example shows how someone proud to show off their home office setup can inadvertently expose PII. A quick glance at the photo while scrolling through Instagram appears benign and most viewers probably wouldn’t notice the exposure. However, a threat actor zooming in on the photo would identify the poster’s mailing address, phone number, place of work, and other sensitive information.
Many organizations recognize and have procedures to mitigate these risks. A common example is the Department of Defense. They require that publicly released images undergo a security process before publication to ensure sensitive military information remains confidential.
(4) Organizations should also train their employees to recognize and avoid common social media social engineering attacks.
Professional networking social media sites (such as LinkedIn) allow threat actors to identify temporally vulnerable victims. For instance, if someone shares they have recently changed jobs, attackers are able to see the update and may take advantage of the individual being temporarily more susceptible to social engineering than normal. The attacker may attempt to impersonate a superior or coworker to socially engineer the victim into sharing sensitive information before the individual becomes more familiar with her new coworkers’ behaviors, tendencies, and communication preferences and therefore better equipped to recognize and avoid the social engineering attack.
Cyber Monitoring (Dark Web)
The Dark Web has many definitions but generally refers to web content, communities, and marketplaces not indexed by public search engines such as Google, Bing, and Yahoo and content that is only accessible by using specialized software and computing infrastructure designed to provide anonymity for users, those hosting the content, and the network and hosting infrastructure. While there are many benign applications of Dark Web technologies, the Dark Web is a haven for a wide variety of illegal content and behaviors including illegal sales of drugs, firearms, hacked materials, counterfeit goods, and worse. Virtually everything not legal for commercial sale is available to buy on the Dark Web.
Because Concerta is very common, accessible, and relatively inexpensive, the makers of Concerta would likely not benefit from monitoring the many instances of illegal sales of their product on Dark Web sites and marketplaces.
However, pharmaceutical companies would certainly benefit from cyber monitoring programs that detect attempted sales of less common products, especially those that are experimental, rare, dangerous, and/or valuable. These attempted sales by unauthorized and unregulated sellers may pose significant threat to the company that produces the goods and any buyers. Detecting the attempted sales provides important early awareness of counterfeiting, liabilities, and/or potential insider leaks in their R&D, manufacturing, and/or supply chain operations. Monitoring programs that detect these threats create opportunitiy to minimize victimization and impact.
(5) Organizations should consider cyber monitoring services to detect sensitive information leaks, operational/reputational threats, sales of counterfeit or diverted products, and other security and insider threats to their organization and stakeholders.
However, monitoring the Dark Web is challenging and requires specialized knowledge, tools, and techniques, warranting professional services from a well-qualified and experienced vendor such as Hetherington Group.
Social Media Investigation Tools
(6) If your security team receives information of employee misconduct or potential threats, as part of the subsequent investigation, the employer may wish to review the employee’s social media activities and content. It is important to leverage available tools to ensure wide coverage of the hundreds of available social media networks.
Enumerating an employee’s social media presence can be difficult because there are hundreds of social media networks and services, and most social media users have many social media accounts. Each social media platform has its own unique social norms and what tends to be appropriate on each platform differs. For instance, users may not feel comfortable posting certain content and beliefs on their more professional LinkedIn profile, but may feel more inclined and emboldened to do so on their Twitter profile due to the less professional, and more outward-facing conversational culture of the platform. This concern is even more pressing on social media platforms such as Gab, commonly used by those that identify with extreme right-wing ideologies.
Thankfully, it is common for individuals to use a single username or small group of a few usernames across many social media platforms, similar in nature to the above-mentioned password re-use epidemic. Better still, there are many tools that help efficiently enumerate accounts across many popular social media networks. One such fantastic option is WhatsMyName.
WhatsMyName was developed by the OSINT Combine and Micah Hoffman. The tool allows investigators to input a social media username and search that username against over 300 platforms, including but not limited to Twitter, Gab, Telegram, and Instagram.
A very important caveat when using tools of this nature is that the investigator must do research to confirm accounts with the same username on two different services belong to the same individual; the association can not be taken for granted based on username alone.
The Insider Signal team recommends the following resources as starting point for learning more about the many great tools and techniques available to OSINT investigators:
There are a lot of options for commercial providers of OSINT investigative services but the Insider Signal team is, of course, partial to the longevity, experience, and results of iThreat and Hetherington Group.
It seems as if we learn daily of a new social media platform or of a new data breach with the potential of devasting consequences. New OSINT tools and techniques will remain critically important in addressing and mitigating emerging threats, so it is important for OSINT investigators remain aware of new developments. There are many free and paid resources to help investigators and analysts keep up with the times. Check out Hetherington Group’s blog for weekly, monthly, and quarterly tips to keep your investigative skills sharp!
About the Author
Thomas Fogle - Mr. Fogle is an Open-Source Intelligence Analyst with the Hetherington Group. As an Open-Source Intelligence Analyst, he is responsible for foundational work in risk assessment and removal, monitoring, and social media/cyber/background investigations for HG clients. He employs sophisticated OSINT skills to conduct social media investigations and to remove extensive personal identifying information (PII) in support of risk assessments.
About Hetherington Group
Hetherington Group - With over two decades of expertise, Hetherington Group is a leader in investigative due diligence, corporate intelligence, and cyber investigations. We track down and expose vital data on national and international investigations, train thousands of investigators in the public and private sectors annually, and share our expertise in this increasingly data-intensive, cyber focused-world through the publication of an Industry Newsletter and recognized investigative reference books.
Thanks to Thomas & Hetherington Group
We Want Your Feedback!
How are we doing? Are you enjoying our content and insights? Are there specific stories you’d like us to cover? We would love your feedback via firstname.lastname@example.org. With your permission, we may even publish it!