The goal of OSINT is to detect and analyse information about an enterprise from publicly available sources, and to indicate which of that information, and to what extent, could be used to launch a cyberattack on specific organisational assets. The collected data are analysed for possible attack vectors and the probability of their use. At the same time, we analyse how to limit the amount of company-sensitive information available on the Internet and how to counteract the publication of such content in the future.
OSINT, as an element of reconnaissance, is one of the first steps taken by an attacker. Information gained during the OSINT can be used to plan further actions, select a specific attack target, or select tools.
The ComCERT service mirrors the attacker’s approach in its essence, but extends it to closed sources and information retrieval from the underground Internet. The information provided can be used to reduce the risk of a successful attack.
The most important uses of the information provided in OSINT are:
- reduction of the “attack surface” – by limiting external accessibility to services or infrastructure elements that do not require it,
- making it more difficult to map the network,
- making it more difficult to create links between employees of interest to criminals,
- verification of publicly available information on employed staff,
- removing vulnerabilities in externally accessible services or infrastructure elements,
- changing passwords for employee accounts that appear in leaks.
OSINT should be the first step in the process of conducting penetration testing. Correctly performed, it builds a clear picture of the tested object already in the first phase of testing and very often reveals many important irregularities.
Basic Scope of the OSINT service
- Search for publicly released sensitive information
- Verification of the presence of employee accounts in leaks
- Search for information published on criminal forums and websites (underground/darknet)
- Identification of publicly available network services listening on standard ports (e.g. RDP, VNC, Telnet, FTP, …)
- Analysis of the possibility of unauthorized access to data (default passwords, no passwords)
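The "accounts in leaks" checks above end with one remediation: changing the passwords of affected accounts. The following is an added example, not ComCERT's tooling, of how a defender can verify whether a password is present in a leaked-password corpus without ever sending the password itself. It uses the k-anonymity range protocol of the public Pwned Passwords service (an assumption of this example, not something the page specifies): only the first five hex characters of the SHA-1 are sent, the service returns every matching suffix with a count, and the comparison is done locally. The range response below is constructed for the example so that the module runs offline; `fetch_range_live` is the network variant.

```python
"""k-anonymity check of a password against a leaked-password corpus.

Only the first five hex characters of the SHA-1 digest leave the machine; the
suffix matching happens locally. The live fetcher targets the Pwned Passwords
range endpoint (assumed API); the offline fetcher uses constructed data.
"""
import hashlib
import urllib.request
from typing import Callable, Dict, Tuple

RANGE_URL = "https://api.pwnedpasswords.com/range/"  # public range API (assumed)


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Split the upper-case hex SHA-1 of the password into (5-char prefix, 35-char suffix)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(text: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a dict; tolerates blank lines and CRLF.

    Padded responses contain entries with count 0; they map to 0 and so never
    report a hit.
    """
    counts: Dict[str, int] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.strip().upper()] = int(count.strip())
    return counts


def fetch_range_live(prefix: str) -> str:
    """Fetch the suffix list for a 5-char prefix over HTTPS (requires network)."""
    req = urllib.request.Request(
        RANGE_URL + prefix,
        headers={"Add-Padding": "true", "User-Agent": "osint-self-check"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def leaked_count(password: str,
                 fetch_range: Callable[[str], str] = fetch_range_live) -> int:
    """Return how many times the password appears in the corpus (0 = not found)."""
    prefix, suffix = sha1_prefix_suffix(password)
    counts = parse_range_response(fetch_range(prefix))
    return counts.get(suffix, 0)


# --- offline stand-in --------------------------------------------------------
# Constructed range response for prefix 5BAA6, the prefix of SHA-1("password").
# The suffix of that digest is listed with a made-up count; the other lines are
# invented filler in the same format.
CONSTRUCTED_RANGES = {
    "5BAA6": "0018A45C4D1DEF81644B54AB7F969B88D65:2\r\n"
             "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"
             "1E8D1D61B6C5B3F6F4E6F2A1B0C9D8E7F6A:1\r\n",
}


def fetch_range_offline(prefix: str) -> str:
    """Stand-in fetcher returning constructed data; unknown prefixes yield an empty list."""
    return CONSTRUCTED_RANGES.get(prefix, "")


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple"):
        n = leaked_count(candidate, fetch_range_offline)
        print(f"{candidate!r}: {'seen %d times' % n if n else 'not in sample corpus'}")
```

The fetcher is injected as a parameter so the same `leaked_count` can be pointed at the live endpoint in an internal password-rotation check and at constructed data in unit tests; a password that comes back with a non-zero count should be rotated regardless of which leak it came from.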
DNS-related tests
- Gathering information on available subdomains
- Verification of DNS configuration correctness – e.g. zone transfer attempt
- Identification of the standard web software in use and its version
- Verification of the presence of leftover files – remnants of developer work, files and documents that should not be publicly accessible (e.g. open directory listings)
- Identification of pages, login panels, etc. that should not be available to the public
- Identification of vulnerabilities in the CMS in use
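The zone transfer check in the DNS list above is something an organisation can verify on its own authoritative servers before an external party does. The following is an added example, not part of the ComCERT service, that audits a BIND-style `named.conf` for the `allow-transfer` setting of every zone: an explicit `any` exposes the whole zone to anyone who asks, a missing setting falls back to the `options` block or to the server default. The configuration fragment is constructed for the example; the parser assumes BIND's `zone "name" { ... };` syntax and `#`, `//` and `/* */` comments.

```python
"""Audit allow-transfer settings in a BIND-style named.conf.

Constructed input; the parser assumes BIND syntax (zone "name" { ... };).
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed named.conf fragment (not taken from any real system).
SAMPLE_NAMED_CONF = """
options {
    directory "/var/cache/bind";
    allow-transfer { none; };
};

zone "example.com" {
    type primary;
    file "db.example.com";
    allow-transfer { any; };          # weak: whole zone readable by anyone
};

zone "corp.example" {
    type primary;
    file "db.corp.example";
    allow-transfer { 192.0.2.53; 2001:db8::53; };  # restricted to secondaries
};

zone "legacy.example" {
    type master;
    file "db.legacy.example";         # no allow-transfer: inherits options{}
};
"""


def strip_comments(text: str) -> str:
    """Remove /* */, # and // comments so commented-out directives are not parsed."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(#|//).*", "", text)


def _find_blocks(text: str, header_re: str) -> List[Tuple[str, str]]:
    """Return (label, body) for each block whose header matches header_re.

    header_re must end at the opening brace; nested braces are matched by depth.
    """
    blocks = []
    for m in re.finditer(header_re, text):
        start = m.end() - 1  # index of the opening brace
        depth = 0
        for j in range(start, len(text)):
            if text[j] == "{":
                depth += 1
            elif text[j] == "}":
                depth -= 1
                if depth == 0:
                    label = m.group(1) if m.groups() else "options"
                    blocks.append((label, text[start + 1:j]))
                    break
    return blocks


def transfer_acl(body: str) -> Optional[List[str]]:
    """Return the allow-transfer ACL entries of a block body, or None if unset."""
    m = re.search(r"\ballow-transfer\s*\{([^}]*)\}", body)
    if not m:
        return None
    return [t.strip() for t in m.group(1).split(";") if t.strip()]


def audit_zone_transfers(conf: str) -> Dict[str, str]:
    """Map each zone name to a verdict on who may transfer it."""
    text = strip_comments(conf)
    opts = _find_blocks(text, r"\boptions\s*\{")
    global_acl = transfer_acl(opts[0][1]) if opts else None
    results: Dict[str, str] = {}
    for name, body in _find_blocks(text, r'\bzone\s+"([^"]+)"[^{]*\{'):
        acl, source = transfer_acl(body), "zone"
        if acl is None:
            acl, source = global_acl, "options"
        if acl is None:
            results[name] = "UNSET: relies on the server default; set allow-transfer explicitly"
        elif any(t.lower() == "any" for t in acl):
            results[name] = f"OPEN: allow-transfer {{ any; }} ({source}), zone transferable by anyone"
        elif all(t.lower() == "none" for t in acl):
            results[name] = f"CLOSED: transfers disabled ({source})"
        else:
            results[name] = f"RESTRICTED: transfers allowed to {', '.join(acl)} ({source})"
    return results


if __name__ == "__main__":
    for zone, verdict in audit_zone_transfers(SAMPLE_NAMED_CONF).items():
        print(f"{zone:20s} {verdict}")
```

Zones reported as OPEN should have their ACL narrowed to the secondaries' addresses (or a TSIG key), and zones reported as UNSET should get an explicit setting so the result does not depend on the server version's default; a follow-up `dig axfr` from outside the network against each authoritative server confirms the running configuration matches the file.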