CompTIA CySA+ (CS0-002) (In Production)

CompTIA Cybersecurity Analyst19 H 4 M

  • Threat and Vulnerability Management
    • Intelligence Sources
    • Indicator Management
    • Confidence Levels
    • Threat Classification
    • Threat Actors
    • Intelligence Cycle
    • Commodity Malware
    • Information Sharing and Analysis Centers
    • Attack Frameworks
    • Threat Research
    • Threat Modeling Methodologies
    • Threat Intelligence Sharing, Supported Functions
    • Vulnerability Identification and Validation
    • Vulnerability Remediation and Mitigation
    • Vulnerability Scanning Parameters and Criteria
    • Inhibitors to Remediation
    • Web App Scanners
    • Infrastructure Vulnerability Scanners
    • Software Assessment Tools and Techniques
    • Vulnerability Enumeration
    • Wireless Assessment Tools
    • Mobile Technology Threats
    • Premises and Vehicle Systems Threats
    • Controller System Threats
    • IoT and Embedded System Threats
    • CVSS Metrics
    • Cloud Deployment Model Threats
    • Cloud Service Model Threats
    • Mitigate Specific Attack Types
    • Other Cloud Service Threats
    • Mitigate Vulnerability Types
  • Software and Systems Security
    • Asset Tagging and Change Management
    • Network Architecture and Segmentation
    • Identity and Access Management
    • Virtual Desktop Infrastructure, Containerization
    • Honeypots and Active Defense
    • Cloud Access Security Broker
    • Certificate Management
    • Hardware Assurance
    • Software Assurance and Secure Coding
  • Security Operations and Monitoring
    • Trend Analysis
    • URL Analysis
    • DNS Analysis
    • Packet and Protocol Analysis
    • Flow Analysis
    • Endpoint Behavior Analysis
    • Malware Analysis
    • Log Review
    • Impact Analysis
    • SIEM Review
    • Email Analysis
    • File System Permissions
    • Blacklisting and Whitelisting
    • Firewall Configurations
    • Data Loss Prevention
    • Network Access Control
    • Blackholes and Sinkholes
    • Malware Signatures
    • Threat Hunting
    • Scripting
    • AI and Machine Learning
    • Continuous Integration and Deployment
  • Incident Response
    • Incident Response Communication
    • Incident Response Phases

Intelligence Sources

15 M

itprotv course thumbnailitprotv course thumbnailitprotv course thumbnail
  • Episode Description
  • Transcript

Securing your environment is a mulit-faceted job and one of those functions is to explore the common intelligence sources to better understand your digital footprint in the online world. In this episode, you will evaluate open-source intelligence(OSINT) and proprietary intelligence as well as break down the attributes of quality intelligence sources.

You've been tasked with determining what the current threats are out in the wild. Do you know what sources to check? Stay tuned to find out. >> You're watching ITProTV. [MUSIC] >> Thank you for tuning in to ITProTV, and we are talking intelligence sources today. Now Dan, I have to tell you, I've heard this term, OSINT, right? Are we talking a new Linux distro? >> No, I wish. >> [LAUGH] >> I love new Linux distros, they're always a good time. Cuz who knows what cookie thing they put in there? But no, OSINT, it stands for Open Source Intelligence. And if you are that analyst that has been tasked with trying to figure out what your threat surface looks like, your attack surface, what are the threats, what are our risks? How can we do that? OSINT is a great way to do that. Because when you're threat modeling, guess what? That's what attackers are gonna do. They're gonna look at what's, cuz what do we mean by OSINT, right? What we mean is, what openly-disseminated information about our organization is out there for people to know, right? That's the idea behind OSINT, open source, we want you to know this. Maybe if your company has a website, it's very common nowadays. Also a very common thing is on that website maybe there's an About Us page. Maybe Meet the Staff, that kinda thing. And starts to tell you about your organization, the people that work there. Now, there's other places you can go, things like job listings, other great places to grab some open source intelligence. Cuz then I can start looking into what kind of technologies are you using. Cuz if you're hiring an IT, hey, we need a systems administrator that is prolific in Windows Administration, Azure Cloud, maybe a little Linux, Apache. I'm starting to get an idea of the technologies that are being used in your organization. That's what an attacker would do. So that's what we need to do as a security specialist for that organization. To figure out what information are we leaking out to the world so that we have a better idea of where threats might come from. So that's the idea. Now, that being said, how do we do that? Well, you can manually start looking. And you should do that kind of thing, you should check your job listings and see what you have available that's out there in the world. Look at your website, look at what kind of information is available. But that is time-intensive and time-consuming. So good news is is we love automation in IT, and for good reason. It makes things go fast and easy, or at least easier. And so this is no stranger to that. We had a couple of tools that we can leverage to help us with OSINT. Couple of them, specifically, that have been called out for by CompTIA. Well, we'll start with the Harvester. Now, Harvester is a great tool, it gathers a lot of information. Let's jump into my computer, take a look at what that looks like. If I just type in the harvester, it's probably gonna yell at me. Here we go, yeah. So hey you forgot a few options, but that's what I want. And it gives you a few of the things that you need. Especially, the following arguments are required, a -d/--domain, letting me know this is the domain I want you to look for. And what I'll do is I will just type in theharvester. There we go, I can type, I can do it. -D, and I'll use ITProTV, Another one that's really good to use is this -b for your sources. So I do a -b, I can give it a list of sources. You can go into further documentation of this to see what sources are available for it. But I'm gonna use, why not? Bing, Google, and I'll throw LlinkedIn on the fire. Not fire, LinkedIn, [LAUGH] typing what I'm saying, there we go. Now it's gonna fire up. Now, this will take a second for it to run, but it's gonna give us a lot of really good information once it's finished. >> Now Dan, so I can imagine that we got a lot of different options here, and this has got some kind of built-in engine that it's using. And I know there's a lot of different networking utilities that do this. So what kind of output can we expect to see in something like this? >> Yeah, the Harvester typically looks for things like email addresses that are associated with that domain. If it's looking into LinkedIn, it's gonna find any kind of reference to ITProTV and try to pull that back as a result. It will also look for what's called subdomains, if we have any kind of subdomain activity. So we got, maybe we've got or, that kind of thing where you have subdomains. It'll look for those as well and see if it can grab an information out of that. Always good information for us to just, again, see what it is that we are putting off the while. Now, as we can see, the Harvester is now complete and we are seeing things like there's an email address, Wes and I both know Val, she is our head of our marketing, cool. I found somebody maybe I didn't know that person. Maybe I wasn't realizing that her email is probably pretty ubiquitous because they handle a lot of marketing for us since that's what they do. We have a couple of IP addresses for ITProTV. We've got forums.itprotv right here. We got a www and then the IP addresses that are associated with that. Good info right there, letting me know these would be in scope for me if I were a threat actor to come after this company. Or if I were security personnel, I know what is being shown to the wild and of course, this is our LinkedIn results. We see Val again showing up right there, director of marketing. We see Tyler, he is a customer success manager. You'll see a Tim Broom. We got a lot of Tim Brooms in there, but he's the boss, right? And as you can see a lots of stuff came back from LinkedIn. I can start now to build a profile of ITProTV to understand what kind of business associations maybe we have. Because they've been referenced in this through LinkedIn. Again, not the only sources, plenty of other sources for the Harvester to look through but those were just simple easy wins for us to kind of look and see what might be out there in a while to show off for the camera here. Now, not the only tool in the tool bag. We also have a cool tool called Showdown, Showdown is a great tool. I'm going to jump over here got their website open. Showdown can basically look for just about anything on the Internet. If it's connected to the Internet, Showdown is trying to make an index or a list of it or we'll search for it and find you all sorts of stuff. You can have a lot of fun with Showdown. I highly recommend that you get a login for this. It is a free utility to some extent, you can get a free key for it or feed login that will give you a little more activity. And then if you want to pay for service, it'll give you the keys to the kingdom from what Showdown can do which is a lot, it's really not that expensive. So if you are engaged in this activity, I highly recommend you spend on Showdown, right? To get that resource. So let's just type in some stuff and see what happens. Let's take a look. If I go up here in the search. You can see it's give me a drop down for stuff over to search for, what I'm going to do a filtered search are going to org: and I'll say Sony because I know it's going to have some results and here we go. We have a lot of results from Sony. See if I can't blow that up a little better so we can kind of play around with it. And we see this is Sony Pictures Corporation. We got a 302 not found for an SSL certificate, but you can see it's giving us a bit of information about this that it's running Apache. All right, that's good information. I need to know, are there any Apache exploits that I need to be aware of if I'm the security personnel that works for Sony? We know that they've had trouble in the past. So this is probably something they should be doing, right? Understanding where their vulnerabilities may lie. I'm getting great intelligence right here just from doing this Showdown search to start pointing myself toward Apache, okay. I know that people can see that we have Apache servers. I need to make sure that they are as tight as they can be when it comes to our security, the versioning, the patching, that kind of stuff, right? IP addresses that are associated with that. This is Sony Network Taiwan, Taiwan Limited and we're seeing the HTTP headers. This is a 200 so I actually got there and you can click on these links and it will take you to further information. You can see it's running on port 8080 HTTP simple news. So that's interesting. That lets me know this not running Apache or nginx, probably. It's running some other version of HTTP, but it does seem to be working very well and I'm getting hostnames, IP addresses, a lot of great stuff associated with it. Now, I can start really fleshing out my profile for our company if I did work for Sony and to see what is available for and this is open source intelligence. It's freely available. Anybody could grab this information. >> That's awesome too because you can see I would be may be able to deduce as well that if they're running apache, those of you that are from the Linux world or maybe the server administration world. Now, they're probably running a lamp stack so you can probably base that on and do additional. Now, I know that that's out there in the wild and I know it seemed like a pretty easy lift, but it's not always so easy. So the opposite of open, I would say is closed and my question is what happens if we're guarding all those keys to the kingdom and its proprietary. How would we attack it from that vector? >> Yeah, that's a great question because there is information that is closed-source that we would not want to maybe proprietary to our organization. We wouldn't want people to know and we should not be disseminating out for the public at large. This kind of stuff is while could be useful to an attacker, isn't a huge burden. We just need to be aware that that's out there. Now if things like financial information or intellectual property, that kind of stuff we definitely do not want running around in the wild that would be considered closed-source, that would be considered proprietary. And to Wes's question of how would I get that information? Well good old-fashioned ways. One of the things that we can do is maybe human intelligence. Go back to that, go back to I am going to engage in some form of espionage. I'm going to engage in asset gathering to where I will approach people that work for that company in various and sundry ways to try to elicit that information from them, maybe through a friendly conversation. Maybe through blackmail or pressure of some sorts if I were a threat actor, that's how I would approach that. Now, how do we do, this is security personnel. Well, we just need to be aware of what are closed-source intelligence is, what are those things and then we need to be looking for them out in the while. We need to be understanding maybe Bob and accounting isn't as happy with his job and he has access to financial information Insider threats are a really real thing. So you just have to be checking out there in the wild. Using open source and tells to see if any closed-source intelligence is running around out there. Now a threat actor like I said, we're probably be using human intelligence. They can also acquire via the dark web. Maybe you've been compromised and don't know it and intellectual property or sensitive information about your organization has been gathered a lot of times that stuff is sold on the dark web. Every now and then it doesn't hurt to peruse those areas in a safe way to see if any, again, if any of your closed-source information is lurking about in there. Surveillance will be another great way- >> You know, Dan, let me let me stop you there real quick cuz I got a concept that's in my mind. And I don't know if it applies to this but, reconnaissance, how does reconnaissance and surveillance kind of tie in because it almost seems like it would be the same? >> Yeah, they're very closely related. I would say that reconnaissance is more of the umbrella term of gathering information where surveillance would be a part of doing reconnaissance. So, yes extremely connected and I could see where you would see them as a synonymous term because they are and even could be used interchangeably in some circles. So very good question though because there is a bit of a difference but not a whole lot. So great surveillance is a good way to go to gather some of that closed-source information. >> Now, I know this just by paying attention to things like the media and public knowledge there that not everything is really good sources of information. So I have to ask you what are the attributes or the qualities of intelligence? How do we determine, is it good or is it bad? >> Yeah that is also a great question because there's going to be a lot of info out there. That could be useful but not be useful. How do we know? How do we know what's good? There's a couple of attributes like Wes has mentioned there that could help you understand what is going to be useful for you as a security professional. One of them is going to be that there it's timeliness that it is in within relative time of what's going on. Of course that's going to be up to you to figure out whether or not that what that timeliness looks like. It's very subjective according to your organization and what you're looking for and how that works out. But it needs to have that air of this is still has a usefulness to me because it is within the scope of being still relevant. >> So maybe an archive page of a company from ten years ago. Well might have some information and it probably not going to be likely if that company is pivoted it in any way from whatever their offer. >> Yeah, exactly. It could be that It completely but we'll take our company. For example, I see pretty view when we started. We were a WordPress shop. We just ran everything on WordPress because we weren't very big at the time and that was a great platform for getting off the ground. Now, that we're what six years into this. Is that where we're at now at this point? We have definitely evolved into newer and more modern technologies and more heavier technologies that will help guide and make our site useful to people. WordPress cease to be as useful to us as it once was, we needed a little more horsepower underneath the hood. So yes, that's a great example for that. Another one will be relevancy, right, kind of moving from timeliness into relevancy because if it is timely, it is probably also relevant. That information needs to be relevant to you and not just in the timeliness factor. If I'm running Apache web servers, it doesn't make sense for me to have threat feeds come in about because it's not relevant to my organization. So we need to wade through the things that we don't need and only focus on the things that we do need. So that's gonna help with making sure that we are getting the things that we need when it comes out of what is good intelligence. So we want to find some good websites and things of that nature that moves us right into our next one which is basically the reliability or what we call accuracy of the information itself. So all this information needs to be timely, it needs to be relevant to you and it needs to be accurate. Find some good reliable threat feeds, threat intelligence feeds about the technologies that you are using about your company so that it is actually useful to you as far as threat modeling your organization. So there you go. That's intelligent sources walk through a couple of different things open source intelligence. Don't forget closed-source intelligence. Make sure that your proprietary information isn't lingering out there on the web. And of course making sure your threat feeds are timely, accurate, and relevant to your organization, Wes? >> All right, I'll tell you what. This has been a great episode and like Dan says, unlike the information we're giving you here, not all information is good information but keep in mind, we've got more to come in the size of plus certification course. And we hope to see you in those upcoming episodes. [MUSIC] >> Thank you for watching ITProTV.

Just you? Training a whole team? There's an ITProTV plan that fits.

With more than 5,800 hours of engaging video training for IT professionals, you'll find the courses you and your team need to stay current and get the latest certifications.