Digital Intelligence Gathering Using The Powers Of OSINT For Both Blue And Red Teams - PowerPoint PPT Presentation


SLIDE 1

Digital Intelligence Gathering

Using The Powers Of OSINT For Both Blue And Red Teams

BSidesSF February 2016

SLIDE 2

Ethan Dodge

• DFIR @ Nuna Health.
• DFIR professional and perpetual learner.
• @__eth0
• dodgesec.com

SLIDES 3-5

Nuna Health

• We work with the government and self-insured employers to understand and improve how people use healthcare.
• Security is the foundation of our culture and products.
• We're accepting resumes!

SLIDE 6

OSINT

SLIDES 7-10

What is OSINT?

Using information available to everyone to gather intelligence

• Social Networks
• Public Data Records
• Leaked Customer Data

SLIDES 11-12 (image only)

SLIDE 13

Why OSINT?

• Private Investigators/Detectives
• Investigative Journalism
• Criminal Activity/Law Enforcement
• Threat Intelligence

SLIDES 14-15 (image only)

SLIDE 16

DISCLAIMER

SLIDE 17

Basic Workflow: Identify Source

• Identify possible sources of intel
• Validate
• Automate

SLIDE 18

Basic Workflow: Identify Source → Analyze

• Does it apply to our target?
• Determine probability
• Apply confidence
• Generate new potential sources

SLIDE 19

Basic Workflow: Identify Source → Analyze → Enrich

• Add context to target
• Add probability, confidence level to details
• Develop narrative

SLIDE 20

Maltego

SLIDE 21

Mal...what?

Link Analysis Visualization Tool

• Enrich entity with other sources of information automatically
• Identify relationships between entities
• Visualize relationships

SLIDES 22-24

Common Terms

• Entities
• Transforms
• Machine

SLIDE 25

Transform Example (image only)

SLIDES 26-28

Transform Development Primer

    from MaltegoTransform import *
    import sys  # needed for sys.argv below; not shown on the slide

    # Parse the entity value Maltego passes on the command line
    me = MaltegoTransform()
    me.parseArguments(sys.argv)
    location = sys.argv[1]

    # Return one Location entity to the graph
    ent = me.addEntity("maltego.Location", "DNA Lounge")
    me.returnOutput()

SLIDES 29-32

Gavel

• Custom Maltego transform we developed.
• Digs up court case records from individual states.
• Tons of sensitive information.
• https://github.com/brianwarehime/gavel

SLIDE 33

Gavel Example (image only)

SLIDE 34

Story Time

SLIDE 35

Ever seen this?

SLIDE 36

Or this?

SLIDE 37 (image only)

SLIDES 38-40

Twitter Data

• Start with best source of data - Twitter
• We needed a way to parse through all the data
• We identified it, validated it, now we analyze...

SLIDE 41

Get the tweets

    import json
    import requests

    # base_twitter_url and oauth (a requests OAuth1 handler) are set up
    # elsewhere in the speaker's script and are not shown on the slides.

    def download_tweets(screen_name, number_of_tweets, max_id=None):
        api_url = "%s/statuses/user_timeline.json?" % base_twitter_url
        api_url += "screen_name=%s&" % screen_name
        api_url += "count=%d" % number_of_tweets
        if max_id is not None:
            api_url += "&max_id=%d" % max_id
        # send request to Twitter
        response = requests.get(api_url, auth=oauth)
        if response.status_code == 200:
            tweets = json.loads(response.content)
            return tweets
        return []  # non-200 response: empty page, so the caller's loop terminates

SLIDE 42

All the tweets!

    import time

    def download_all_tweets(username):
        full_tweet_list = []
        max_id = 0
        tweet_list = download_tweets(username, 200)
        if not tweet_list:  # no tweets (or request failed): nothing to page through
            return full_tweet_list
        oldest_tweet = tweet_list[::-1][0]
        # Page backwards with max_id until a request returns no older tweets
        while max_id != oldest_tweet['id']:
            full_tweet_list.extend(tweet_list)
            max_id = oldest_tweet['id']
            time.sleep(3)  # stay under Twitter's rate limit
            tweet_list = download_tweets(username, 200, max_id - 1)
            if len(tweet_list):
                oldest_tweet = tweet_list[-1]
        full_tweet_list.extend(tweet_list)
        return full_tweet_list

SLIDE 43 (image only)

SLIDE 44

Where the tweets at?

    import json
    import requests

    newlist = []  # one address string per geotagged tweet (assumed; feeds the next slide)
    for tweet in tweets:
        templist = []
        if "geo" in tweet and tweet['geo']:
            latitude, longitude = tweet['geo'].get("coordinates")
            # Reverse-geocode the coordinates to a street address
            r = requests.get("http://maps.googleapis.com/maps/api/geocode/json?"
                             "latlng=" + str(latitude) + "," + str(longitude) + "&sensor=true")
            res = json.loads(r.text)
            try:
                # Keep street/city/state components, drop the noisy ones
                for i in res['results'][0]['address_components']:
                    if ("neighborhood" in i['types'] or
                            "administrative_area_level_2" in i['types'] or
                            "postal_code_suffix" in i['types'] or
                            "country" in i['types'] or
                            "postal_code" in i['types']):
                        pass
                    else:
                        templist.append(i['long_name'])
            except (KeyError, IndexError):
                pass
            if templist:
                newlist.append(", ".join(templist))  # assumed join; not shown on the slide

SLIDE 45

Enriching Maltego

    from collections import Counter

    # Top 5 addresses; the thicker the link, the more tweets came from there
    last = Counter(newlist).most_common(5)
    x = 5
    for address in last:
        ent = me.addEntity("maltego.Location", address[0])
        ent.addAdditionalFields('link#maltego.link.thickness', '', '', x)
        x = x - 1

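As an added example (not the speaker's code), the snippet below does the analyze and enrich steps of slides 44 and 45 offline: it ranks constructed address strings the way the slide's Counter does and writes the Maltego transform response XML by hand instead of calling the MaltegoTransform helper. The XML layout (MaltegoMessage / MaltegoTransformResponseMessage / Entities / Entity with Value, Weight and AdditionalFields) is what that helper emits to the best of my knowledge; treat it as an assumption and check it against the library. The sample addresses are constructed.

```python
"""Rank geocoded locations and emit a Maltego transform response without the
MaltegoTransform helper library. Added example; addresses are constructed."""
from collections import Counter
import xml.etree.ElementTree as ET

# Constructed sample: the address strings the geocoding loop on slide 44 would
# have produced, one per geotagged tweet.
SAMPLE_ADDRESSES = [
    "11th Street, SoMa, San Francisco, California, United States",
    "11th Street, SoMa, San Francisco, California, United States",
    "11th Street, SoMa, San Francisco, California, United States",
    "Market Street, San Francisco, California, United States",
    "Market Street, San Francisco, California, United States",
    "Valencia Street, Mission District, San Francisco, California, United States",
    "Castro Street, San Francisco, California, United States",
    "Haight Street, San Francisco, California, United States",
    "Divisadero Street, San Francisco, California, United States",
]


def rank_locations(addresses, top_n=5):
    """Return (address, count, link_thickness) for the top_n most frequent addresses.

    Mirrors slide 45: the most common address gets thickness top_n, the next
    top_n-1, and so on, so edge width in the graph encodes how often the
    target tweeted from that place.
    """
    ranked = Counter(addresses).most_common(top_n)
    return [(addr, count, top_n - i) for i, (addr, count) in enumerate(ranked)]


def build_transform_response(ranked):
    """Serialise ranked locations as a MaltegoTransformResponseMessage.

    Assumption: this is the shape the MaltegoTransform helper emits from
    addEntity()/addAdditionalFields()/returnOutput(); written by hand here so
    the example runs without that library.
    """
    root = ET.Element("MaltegoMessage")
    resp = ET.SubElement(root, "MaltegoTransformResponseMessage")
    entities = ET.SubElement(resp, "Entities")
    for addr, count, thickness in ranked:
        ent = ET.SubElement(entities, "Entity", Type="maltego.Location")
        ET.SubElement(ent, "Value").text = addr
        ET.SubElement(ent, "Weight").text = str(count)
        fields = ET.SubElement(ent, "AdditionalFields")
        fld = ET.SubElement(fields, "Field", Name="link#maltego.link.thickness",
                            DisplayName="", MatchingRule="strict")
        fld.text = str(thickness)
    ET.SubElement(resp, "UIMessages")
    return ET.tostring(root, encoding="unicode")


def parse_locations(xml_text):
    """Parse a response back into {address: thickness}; used to check the output."""
    root = ET.fromstring(xml_text)
    out = {}
    for ent in root.iter("Entity"):
        value = ent.findtext("Value")
        field = ent.find("AdditionalFields/Field[@Name='link#maltego.link.thickness']")
        out[value] = int(field.text)
    return out


if __name__ == "__main__":
    print(build_transform_response(rank_locations(SAMPLE_ADDRESSES)))
```

Run as a transform, the script would read the target from sys.argv as on slides 26-28 and print this XML to stdout; Maltego draws the five Location entities with edge widths 5 down to 1, which is the picture the "Transform in Action" slide shows.

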
SLIDE 46

Transform in Action (image only)

SLIDE 47

Then we found this...

SLIDE 48

SHA1: 28702eb195e8b292ceb8c5eb4d8b94d05b6c2a62 : 3nd3rwiggin

SLIDE 49 (image only)

SLIDE 50

Unique Username = Win

SLIDES 51-52 (image only)

SLIDE 53

What we found: Personal

• Home address (Twitter & Etsy)
• Class locations (Twitter)
• Password (Have I Been Pwned?)
• Close Friends (Twitter & Instagram)
• Job History (LinkedIn & Facebook)
• Home IP Address (Reddit Login History)
• Birthdate (Etsy)
• Barber (Twitter)

SLIDE 54

What we found: Family

• Addresses (Whitepages & Property Records)
• Members (Google+)
• Names (Maltego)

SLIDE 55

Use Cases: Red Team

SLIDES 56-57 (image only)

SLIDE 58

Use Cases: Blue Team

SLIDE 59

WALK THE LINE

SLIDE 60

Blue Team: Twitter

• See if public activity is malicious
• Following with competitors?
• Talking with competitors?
• Talking about your brand?

SLIDE 61

Blue Team: Instagram

• Work badges
• Passwords
• Network Diagrams

SLIDE 62

Blue Team: Github

• Committed sensitive files
• Committed proprietary code
• Committed company info

SLIDE 63

Blue Team: Facebook

• See if public activity is malicious
• Friends with competitors?
• Talking about your brand?

SLIDE 64

Blue Team: Brand Monitoring

• Scumblr by Netflix
• Monitor Forum Chatter
• Monitor Your Name

SLIDE 65

Blue Team: Rate Employees

• Most is going to be accidental
• Who's your most active employee?
• Monitor them closer

SLIDE 66

Blue Team: SIEM

• Alert
• Correlate

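As an added, defender-side example (not the speaker's tooling), the script below ties slides 61, 62, 65 and 66 together over constructed public-activity events: it flags commits of sensitive files, private keys and assigned credentials, notes posts that mention badges or network diagrams, rates each employee by activity and exposure, and emits JSON-lines alerts a SIEM can ingest and correlate. The employee handles, the event shape and the detection rules are all assumptions made for illustration.

```python
"""Blue-team side of the talk: score public employee activity for accidental
leaks, rate who is most exposed, and emit SIEM-ready alerts.

Added example with constructed data; employee handles, event shapes and the
detection rules are assumptions, not the speaker's tooling.
"""
import json
import re
from collections import defaultdict

# Constructed events, shaped like what a collector of public GitHub commits and
# public tweets for a watch-list of employee handles might hand to analysis.
SAMPLE_EVENTS = [
    {"employee": "alice", "source": "github", "kind": "commit",
     "path": "infra/prod.env", "snippet": "DB_PASSWORD=example-placeholder"},
    {"employee": "alice", "source": "github", "kind": "commit",
     "path": "deploy/id_rsa", "snippet": "-----BEGIN RSA PRIVATE KEY-----"},
    {"employee": "bob", "source": "twitter", "kind": "post",
     "text": "First day at the new office, badge photo incoming!"},
    {"employee": "bob", "source": "github", "kind": "commit",
     "path": "README.md", "snippet": "Project overview"},
    {"employee": "carol", "source": "twitter", "kind": "post",
     "text": "Anyone else love our new network diagram? #onlyslightlyterrifying"},
    {"employee": "carol", "source": "twitter", "kind": "post",
     "text": "Great burrito today"},
]

# Illustrative detection rules: file names that should never be public, a
# private-key header, an assigned credential, and words that tend to go with
# the badge / diagram photos the Instagram slide warns about.
SENSITIVE_PATH = re.compile(r"(^|/)(\.env|id_rsa|[^/]*\.(pem|pfx|key|env))$", re.I)
PRIVATE_KEY_MARKER = re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")
ASSIGNED_SECRET = re.compile(r"(password|secret|token|api_key)\s*=\s*\S+", re.I)
EXPOSURE_WORDS = re.compile(r"\b(badge|network diagram|password)\b", re.I)

SEVERITY_SCORE = {"medium": 1, "high": 3, "critical": 5}


def classify(event):
    """Return (rule, severity) findings for one event; empty list if benign."""
    findings = []
    if event["kind"] == "commit":
        snippet = event.get("snippet", "")
        if SENSITIVE_PATH.search(event["path"]):
            findings.append(("sensitive_file_committed", "high"))
        if PRIVATE_KEY_MARKER.search(snippet):
            findings.append(("private_key_in_commit", "critical"))
        if ASSIGNED_SECRET.search(snippet):
            findings.append(("credential_in_commit", "high"))
    elif event["kind"] == "post":
        if EXPOSURE_WORDS.search(event.get("text", "")):
            findings.append(("possible_workplace_exposure", "medium"))
    return findings


def rate_employees(events):
    """Per-employee public activity count and exposure score ("Rate Employees")."""
    rating = defaultdict(lambda: {"activity": 0, "exposure": 0})
    for ev in events:
        rating[ev["employee"]]["activity"] += 1
        for _, sev in classify(ev):
            rating[ev["employee"]]["exposure"] += SEVERITY_SCORE[sev]
    return dict(rating)


def siem_alerts(events, min_severity="high"):
    """JSON-lines alerts for findings at or above min_severity ("SIEM: Alert").

    Correlation is then a SIEM query over the employee field, e.g. several
    findings for one handle inside a short window.
    """
    threshold = SEVERITY_SCORE[min_severity]
    alerts = []
    for ev in events:
        for rule, sev in classify(ev):
            if SEVERITY_SCORE[sev] >= threshold:
                alerts.append(json.dumps({
                    "rule": rule,
                    "severity": sev,
                    "employee": ev["employee"],
                    "source": ev["source"],
                    "object": ev.get("path") or ev.get("text"),
                }, sort_keys=True))
    return alerts


if __name__ == "__main__":
    for name, score in sorted(rate_employees(SAMPLE_EVENTS).items(),
                              key=lambda kv: -kv[1]["exposure"]):
        print(name, score)
    for line in siem_alerts(SAMPLE_EVENTS):
        print(line)
```

On the constructed data every employee is equally active, but only one carries real exposure, which is the point of the "Rate Employees" slide: activity volume alone does not tell you who to watch more closely, the findings do. Lowering min_severity to "medium" also surfaces the badge and diagram mentions for a human to review.

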
SLIDE 67

Interrogator

• Web Application
• Continuous OSINT Monitoring of Workforce
• Visualize relationships with a Graph Database
• Coming mid 2016!

SLIDE 68 (image only)

SLIDE 69

Recommendations

• Justin Seitz - @jms_dot_py
• The Grugq - @thegrugq
• automatingosint.com
• bellingcat.com

SLIDE 70

Q&A

SLIDE 71

Ethan Dodge

• @__eth0
• ethan@nuna.com
• dodgesec.com