OSINT for Network Defenders

The benefits of using Open Source Network Intelligence for those defending an organisation are not as obvious as they are for those working on the offensive side.

Understanding the network footprinting and reconnaissance methodology can inform your security posture, uncover assets you were not even aware of and let you prioritise mitigation for the systems most likely to be attacked.

Network Reconnaissance for Asset Discovery

Performing an open source intelligence based assessment of your organisation's network can inform a number of different security-related objectives.

Of course any mature security practice should have up-to-date and accurate asset records that provide all of this information. The important thing to note is that these asset registers are often inaccurate or do not exist at all, and by performing assessments from the attacker's perspective you focus on the same areas the attackers will.
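The following is an added example (not code from the original article) of the asset discovery idea above: hostnames found in public records are normalised, filtered to the organisation's own domains and compared against the asset register, so that anything the register does not know about surfaces for follow-up. The input records are constructed for the example and only mimic the shape of Certificate Transparency search results (a `name_value` field carrying one or more names) and passive DNS records (`rrname`, `rrtype`, `rdata`); they are not live data from any service.

```python
"""Passive asset discovery: compare publicly observed hostnames with an asset register.

Added example, not from the original article. All records below are constructed
(TEST-NET addresses, made-up hostnames) and only imitate the shape of CT log search
output and passive DNS records.
"""
from __future__ import annotations

import ipaddress

# Constructed sample resembling Certificate Transparency search results for example.com.
CT_RECORDS = [
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3", "name_value": "www.example.com\nexample.com"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3", "name_value": "*.dev.example.com"},
    {"issuer_name": "C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1", "name_value": "vpn-old.example.com"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3", "name_value": "Staging-API.Example.com."},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3", "name_value": "example.net"},  # someone else's domain
]

# Constructed sample passive DNS records.
PDNS_RECORDS = [
    {"rrname": "vpn-old.example.com.", "rrtype": "A", "rdata": "203.0.113.17"},
    {"rrname": "mail.example.com.", "rrtype": "A", "rdata": "203.0.113.25"},
    {"rrname": "www.example.com.", "rrtype": "A", "rdata": "203.0.113.10"},
    {"rrname": "example.com.", "rrtype": "MX", "rdata": "mail.example.com."},  # not an address record
]

# Constructed asset register as the security team currently holds it.
ASSET_REGISTER = {
    "www.example.com": "203.0.113.10",
    "example.com": "203.0.113.10",
    "mail.example.com": "203.0.113.25",
}

ORG_DOMAINS = {"example.com"}


def normalise_name(name: str) -> str:
    """Lower-case the name, strip a trailing dot and drop a leading wildcard label."""
    name = name.strip().lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    return name


def in_scope(name: str, domains: set[str]) -> bool:
    """True if the name is one of our registered domains or a subdomain of one."""
    return any(name == d or name.endswith("." + d) for d in domains)


def hostnames_from_ct(records: list[dict], domains: set[str]) -> set[str]:
    """Collect in-scope hostnames from CT-style records (one or more names per record)."""
    names: set[str] = set()
    for rec in records:
        for raw in rec["name_value"].split("\n"):
            name = normalise_name(raw)
            if name and in_scope(name, domains):
                names.add(name)
    return names


def hostnames_from_pdns(records: list[dict], domains: set[str]) -> dict[str, str]:
    """Collect in-scope hostname -> address pairs from passive DNS address records."""
    found: dict[str, str] = {}
    for rec in records:
        if rec["rrtype"] not in ("A", "AAAA"):
            continue
        name = normalise_name(rec["rrname"])
        if in_scope(name, domains):
            ipaddress.ip_address(rec["rdata"])  # reject malformed address data early
            found[name] = rec["rdata"]
    return found


def find_unregistered(discovered: set[str], register: dict[str, str]) -> list[str]:
    """Hostnames seen in public records that the asset register does not list."""
    return sorted(discovered - set(register))


def discover(ct_records, pdns_records, domains, register) -> list[str]:
    """Merge both passive sources and return the hostnames missing from the register."""
    names = hostnames_from_ct(ct_records, domains) | set(hostnames_from_pdns(pdns_records, domains))
    return find_unregistered(names, register)


if __name__ == "__main__":
    for host in discover(CT_RECORDS, PDNS_RECORDS, ORG_DOMAINS, ASSET_REGISTER):
        print("not in asset register:", host)
```

The wildcard handling is deliberate: a certificate for `*.dev.example.com` does not name a host, but it does reveal that a `dev.example.com` zone exists and is worth adding to the register as a scope to investigate.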

Identify Gaps in Security Architecture

By having a map of your attack surface from the attacker's perspective you are able to identify gaps in your security architecture, be they in security logging, network monitoring systems (IDS / IPS) or firewalls. Identify the gaps and mitigate.

Now for a hasty security analogy: it is no good having a big lock on the front door if the side window has been left open.

Use Network Based OSINT to Map Attacker Infrastructure

Defenders can gather network focused open source intelligence on IP addresses that are attacking (or have successfully compromised) their organisation. The intelligence could include operating systems, web applications, DNS related data and even patch levels from banners, all gathered passively. This can be combined with threat intelligence feeds to develop a profile of the attacker.

As a simple example, perhaps you are responding to a number of security incidents. When analysing the TTPs (tactics, techniques and procedures) of the attackers you notice that, while the separate incidents have been sourced to separate network blocks, there are characteristics in the network OSINT of the attacking servers that may actually link the attacks.

A major advantage of these techniques is that the reconnaissance is passive in nature, so the attacker will not be aware of your investigation.
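As an added example of the linking described above (not code from the original article), the block below clusters incidents whose attacking IPs share infrastructure attributes that could have been collected passively. The incidents, addresses, banners, host key and certificate fingerprints are all constructed for the example; the attribute names (`ssh_hostkey`, `tls_cert`, `nameservers`, `http_server`, `asn`) are assumptions about what an enrichment record might hold, not a real service's schema. It also shows the caveat a practitioner needs: only attributes specific enough to identify infrastructure should link incidents, and a generic web server banner on its own will wrongly tie unrelated hosts together.

```python
"""Cluster incidents by attacker infrastructure attributes gathered passively.

Added example, not from the original article. Every record here is constructed
(TEST-NET addresses, made-up fingerprints and banners) to illustrate the logic.
"""
from __future__ import annotations

from collections import defaultdict

# Constructed incidents, each attributed to one attacking IP in a different netblock.
INCIDENTS = [
    {"incident": "INC-1", "ip": "198.51.100.12"},
    {"incident": "INC-2", "ip": "203.0.113.45"},
    {"incident": "INC-3", "ip": "192.0.2.77"},
    {"incident": "INC-4", "ip": "203.0.113.200"},
]

# Constructed passive enrichment per IP (assumed field names, not a real schema).
ENRICHMENT = {
    "198.51.100.12": {
        "asn": "AS64496",
        "ssh_hostkey": "SHA256:constructed-key-A",
        "tls_cert": "constructed-cert-1",
        "nameservers": {"ns1.constructed-dns.invalid"},
        "http_server": "nginx/1.18.0",
    },
    "203.0.113.45": {
        "asn": "AS64497",
        "ssh_hostkey": "SHA256:constructed-key-A",  # same host key as INC-1, different netblock
        "tls_cert": "constructed-cert-2",
        "nameservers": {"ns1.constructed-dns.invalid"},
        "http_server": "nginx/1.18.0",
    },
    "192.0.2.77": {
        "asn": "AS64498",
        "ssh_hostkey": "SHA256:constructed-key-B",
        "tls_cert": "constructed-cert-3",
        "nameservers": {"ns.other.invalid"},
        "http_server": "nginx/1.18.0",  # a common banner must not link this to INC-1/INC-2
    },
    "203.0.113.200": {
        "asn": "AS64497",
        "ssh_hostkey": "SHA256:constructed-key-C",
        "tls_cert": "constructed-cert-3",  # reuses INC-3's certificate
        "nameservers": set(),
        "http_server": "Apache",
    },
}

# Attributes specific enough to tie infrastructure together. Generic banners and ASN
# membership are excluded on purpose: they co-occur across unrelated hosts.
STRONG_ATTRIBUTES = ("ssh_hostkey", "tls_cert", "nameservers")


def shared_indicators(enrichment: dict, attributes=STRONG_ATTRIBUTES) -> dict:
    """Map each (attribute, value) seen on more than one IP to the set of IPs presenting it."""
    index: dict[tuple[str, str], set[str]] = defaultdict(set)
    for ip, attrs in enrichment.items():
        for attr in attributes:
            values = attrs.get(attr)
            if not values:
                continue
            for value in ({values} if isinstance(values, str) else values):
                index[(attr, value)].add(ip)
    return {key: ips for key, ips in index.items() if len(ips) > 1}


def cluster_incidents(incidents: list[dict], enrichment: dict, attributes=STRONG_ATTRIBUTES) -> list[list[str]]:
    """Union-find over attacking IPs: IPs sharing any chosen attribute value land in one cluster."""
    parent = {rec["ip"]: rec["ip"] for rec in incidents}

    def find(x: str) -> str:
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    def union(a: str, b: str) -> None:
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[rb] = ra

    for ips in shared_indicators(enrichment, attributes).values():
        known = [ip for ip in ips if ip in parent]  # ignore IPs with no incident attached
        for other in known[1:]:
            union(known[0], other)

    groups: dict[str, list[str]] = defaultdict(list)
    for rec in incidents:
        groups[find(rec["ip"])].append(rec["incident"])
    return sorted(sorted(g) for g in groups.values())


if __name__ == "__main__":
    for (attr, value), ips in shared_indicators(ENRICHMENT).items():
        print(f"{attr}={value!r} shared by {sorted(ips)}")
    print("clusters:", cluster_incidents(INCIDENTS, ENRICHMENT))
```

Printing the shared indicators alongside the clusters keeps the result explainable: every link in the report is backed by a named attribute value, which is what you will need when the profile is handed to a threat intelligence feed or to management.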

Assess Network Perimeter without the Paperwork

Defenders using open source network intelligence have the advantage of assessing networks without going through a lengthy change approval process. Many organisations require strict approvals for any active scanning of perimeter systems, so the clear advantage is that OSINT based reconnaissance has no impact on the systems being assessed.

It is of course highly recommended that you have approval from your management to assess the network in question, to ensure there are no awkward meetings where you have to explain why you were assessing the network when you are the company accountant.

For organisations whose security practice is less mature, you may be able to develop a detailed open source intelligence based report on your organisation with minimal approval, and then use the report to push for further, more active testing, either by your internal teams or external service providers, or maybe even to get a bug bounty program off the ground.
