Cisco Blogs

Profiling Through Open Source Intelligence

December 10, 2009

I’ve covered the proliferation of digital traces, as well as how those footprints can be combined to de-anonymize data, eroding the privacy of users. This week, we see another chapter emerge in this storyline, with a report from Computerworld about tools for mining social networks and other open sources. In this week’s Cyber Risk Report, we talked about the risks posed by these tools to organizations, and I’d like to expand on that, as well as some benefits, here in this post.

These open source intelligence (OSINT) tools are a major step forward in ease of use and accessibility for mining public data or private repositories. For the most part, all of the information being collected is freely available. It is in the normalization and correlation of data that patterns and intelligence begin to emerge. What these tools offer over previous methods is a quick way to tear through piles of data and evaluate the relationships that appear and how meaningful they might be.

In fact, businesses themselves might benefit from finding how such tools could be useful in their own security efforts. Vendors of these kinds of tools have been proliferating, and they have been eagerly showcasing their capabilities through videos and software demos. If they become a fixture in business, or even a particular industry, they could provide a distinct advantage by permitting their users to sift through large quantities of data and support decision making.

Cisco’s IntelliShield team uses OSINT as a major component in collecting and processing the intelligence that we publish to customers. I can speak from experience on its usefulness in finding, correlating, and making actionable decisions regarding software vulnerabilities. The tools and capabilities that we use to perform our work are incredibly useful to us, and I can see many valid applications for security administrators, incident responders, and forensic investigators (to name a few).

But what if the tools are used maliciously?

Quite simply, I do not think that this is a new risk. Instead, I think that it is an existing risk with a lowered barrier to entry for threats. What was formerly possible only for especially gifted or talented miscreants has now become accessible to anyone with even a modest budget. The kinds of information that can be assembled allow an attacker to quickly build a picture of their target, whether that be a computer, person, or company.

The relatively low barrier to entry now allows a committed but lone attacker, such as a criminal with anywhere from a few hundred to a few thousand dollars to spend, to use these capabilities. What was once available only to well-funded adversaries, such as governments, can now be used collaboratively by run-of-the-mill Internet miscreants.

Malicious e-mail messages can be more quickly targeted to specific individuals:

“Hey [person’s actual name], I liked your picture on [link to the user’s own web-based photo gallery]. Check out this movie that I took at [name of the same place where user’s photo originated]. If you’d like, share it with [name of a friend who knows that person] or [name of another friend]. [link to a malicious movie]”

Combined with some automation (and some devious creativity), this could be a fairly devastating capability, taking targeted attacks and making them massively distributable.
