CHICAGO -- Social media and blogs are generally considered by enterprises to be time sucks for users at the best of times, and at the worst, they can be the source of malicious downloads and communication channels for adversaries. On Wednesday, a panel of experts at the 2013 (ISC)2 Security Congress flipped the script and tried to show how IT security teams can use these resources for good.
Attempting to define open source intelligence, panel leader J.J. Thompson, CEO of Rook Consulting, said it is the ability to utilize publicly available information from social media sources to make security more proactive and to decrease incident response time. Though Thompson admitted that the topic can seem broad, he emphasized that businesses can draw real value from the concept.
To prove that value, he utilized the recent example of the Syrian Electronic Army (SEA) defacing high-profile Twitter feeds and websites. What if, he said, after seeing the hacking attempts by the SEA, a senior-level executive asked an enterprise security team, "What's that mean for us?"
Typically, such a team would have no clear answer to that question, he noted, because they aren't following the activity of the SEA. While a non-answer would have been fine in the past, top-level business executives are more aware than ever of security issues, thanks to Mandiant Corp.'s APT1 report and other recent revelations of advanced attacks.
"We have to give people something other than 'I don't know' all the time," said Thompson, "but that something can't be crap."
As for defining that something else, Thompson emphasized how open source intelligence can be used to make enterprise defenses more proactive. For example, after jumping through many hoops, an attacker can purchase a zero-day vulnerability for sometimes as much as six figures on the online black market. After that original purchaser has utilized the zero-day in an attack, they will oftentimes sell the vulnerability on again at a lesser value. This process will repeat until antivirus vendors write a signature for it, at which point it becomes worthless. For enterprises though, Thompson said the time until that signature is written can be many months, leaving them vulnerable to such attacks for an extended period.
Instead of waiting for that signature, though, Thompson said enterprises can utilize online resources to monitor attacker communications, social media feeds and blogs such as Malware don't need Coffee to sniff out such vulnerabilities before they spread. Once found, the enterprise could proactively patch the vulnerability and work with AV vendors to create a signature.
"What if you could pick that up earlier?" Thompson asked. "What could that do for your organization?"
Andy L., an attendee and CISSP who asked that his company's name be withheld, agreed that open source intelligence could really bring value to businesses by making IT security more proactive. Many companies are currently looking to "head things off at the pass" with preventative measures, he said, instead of waiting to react after attackers strike. "This is a tool that actually leads more to preventative measures," he added.
How to start with open source intelligence
To wade through potentially millions of online resources, the panel demonstrated what they admitted were fairly rudimentary open source intelligence tools, cautioning that they are only in their "infancy." Thompson said that they start by throwing keywords into the "hopper," a daemon that crawls the Web looking for any mention of the targeted phrases. Once that information comes back, they utilize the big data tool Splunk and some scripts to pull out any relevant info.
The panel emphasized that these tools are neither new nor particularly complex, meaning enterprise security teams could put them in place quickly. Whether enterprises will truly have interest in wading through online resources for potential threat intelligence remains to be seen, but Thompson said his company included information gleaned via these methods in reports for clients, the result of which was new business won under services like "Web monitoring."
As for which information streams tend to work best for security purposes, co-panelists McCall Paxton, an analyst with Rook Consulting, and Joshua Brown, director of security operations with Consolidated Data Services, both noted Twitter as an excellent starting point. The panel said that hacker groups such as Anonymous will oftentimes utilize Twitter to communicate about attacks, including ones being planned, and brag about ones already committed.
Brown said that mainstream blogs can also be a good resource because "they tend to regurgitate a lot of content downstream too." Brown also likes to look through hacker dumping sites, with Pastebin being the most well-known, for enterprise users' credentials, which he said are often reused for personal purposes on sites with weak security measures. He said organizations can download dump files and just use string matching via Splunk to see if any of their users' credentials are publicly available, adding that if credentials are discovered, they should be "immediately reset" regardless of user complaints.
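The keyword matching Thompson described and the dump-file string matching Brown described amount to the same basic step: run a watch list over collected text and pull out the lines that concern your own organization. The script below is an added illustration of that step, not a tool from the panel or from Rook Consulting. It works over a constructed, fake credential-dump paste; the organization's domains and watch keywords are assumed values you would replace with your own. It deliberately masks the leaked secret in its output, since the only action the finding needs to trigger is a forced reset, not a record of the password.

```python
import re
from dataclasses import dataclass

# Constructed sample in the style of a credential dump (fake data, not a real leak).
SAMPLE_DUMP = """\
# leaked from forum xyz
alice@example.com:Summer2013!
bob@gmail.com:hunter2
carol@corp.example.com:p4ssw0rd
dave@example.org:letmein
mallory@example.com:Tr0ub4dor&3
"""

# Assumed watch list: the organization's own e-mail domains.
ORG_DOMAINS = {"example.com", "corp.example.com"}

# One "email<sep>secret" pair per line, with the common separators seen in dumps.
CRED_RE = re.compile(r"^\s*([A-Za-z0-9._%+-]+)@([A-Za-z0-9.-]+)[:;|,]\s*(\S+)\s*$")


@dataclass(frozen=True)
class Hit:
    email: str
    domain: str
    masked_secret: str  # the clear-text credential is never stored or logged
    line_no: int


def mask(secret: str) -> str:
    """Keep first and last character so the user can confirm the match; hide the rest."""
    if len(secret) <= 2:
        return "*" * len(secret)
    return secret[0] + "*" * (len(secret) - 2) + secret[-1]


def scan_dump(text: str, org_domains) -> list[Hit]:
    """Return every credential line whose e-mail domain is on the watch list."""
    wanted = {d.lower() for d in org_domains}
    hits = []
    for n, line in enumerate(text.splitlines(), start=1):
        m = CRED_RE.match(line)
        if not m:
            continue  # comments, headers, junk lines
        local, domain, secret = m.groups()
        domain = domain.lower()
        if domain in wanted:
            hits.append(Hit(f"{local}@{domain}", domain, mask(secret), n))
    return hits


def reset_list(hits) -> list[str]:
    """Accounts to force-reset, de-duplicated and sorted for the ticket."""
    return sorted({h.email for h in hits})


def keyword_hits(text: str, keywords) -> dict[str, list[int]]:
    """Line numbers on which each watch keyword appears (case-insensitive)."""
    out = {k: [] for k in keywords}
    for n, line in enumerate(text.splitlines(), start=1):
        low = line.lower()
        for k in keywords:
            if k.lower() in low:
                out[k].append(n)
    return out


if __name__ == "__main__":
    found = scan_dump(SAMPLE_DUMP, ORG_DOMAINS)
    for h in found:
        print(f"line {h.line_no}: {h.email} -> {h.masked_secret}")
    print("reset:", reset_list(found))
    print("keywords:", keyword_hits(SAMPLE_DUMP, ["example.com", "forum xyz"]))
```

In practice the same matching is what a Splunk search over ingested paste files does; the value of a script like this is that the hit list goes straight into the reset process the panel recommends, without anyone having to read the raw dump.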
Even the automated tools advocated by the panel can't sort through the potentially massive amounts of open source data that can be collected and find the relevant bits for a particular organization. Several audience members were curious about how to investigate data points, and particularly how long the panelists look at a piece of info before moving on. Paxton answered that he will generally give himself 12 hours to investigate newly arrived intelligence, and when he hits that point, he either needs to provide a report with actionable advice or let it go.
"If you really don't know what you're looking for or where you're going with it, you're going to drown in a sea of information," Paxton warned.