Automatically finding new cybersecurity threats with Open Source Intelligence. By Alan Kerrigan

The world of the internet is booming. Every day, hundreds of thousands of new pages are added. The availability of information on the internet is powerful and valuable, so much so that the public data business is also booming across the world. But then again, this is worrisome for advocates of digital security and data protection.

Many countries are now stepping in to establish legislation to confront cybersecurity threats. So, what is the role of Open Source Intelligence in tackling digital threats? Well, in this article, we will address this question and show you how to find new cybersecurity threats with OSINT. Read on!

Many people wonder how they can use OSINT. In practical terms, OSINT is not limited to digital security. Many companies use OSINT tools and techniques on a daily basis. Simply put, when you search on Google, you are actually using Open Source Intelligence. In the same way, you can perform your own searches to improve your digital security. Right?

Simple search queries on Google can help you identify data and information that hackers could misuse. Most attackers use social media profiles for information. In the business environment, the major source of information is LinkedIn, which is the favourite platform for cybersecurity criminals.

On LinkedIn, for example, cybercriminals can discover internal company structures, identify potential targets, and, as third parties, detect changes within the company. Therefore, you must be careful about the visibility of the information on your LinkedIn profile. Make sure you apply privacy settings in order to protect your data from attackers.

In addition, cybercriminals also glean information from public documents available on the company's website. The data embedded in these files is known as metadata. Attackers use it to collect usernames, system information, and the software in use.
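The defensive counterpart to the point above is to audit documents for metadata before they are published and to strip it. The script below is an added example, not code from the article; it builds a minimal Office .docx in memory (a .docx is a zip archive whose docProps/core.xml and docProps/app.xml parts carry author, company and application fields), reports the fields an attacker would harvest, and rewrites the archive with those parts emptied. The author and company values are constructed placeholders.

```python
"""Audit and strip the identifying metadata inside a .docx before publication.

Added example, not from the article. The sample document is constructed
in memory with placeholder values so the script runs offline.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

# Namespaces used by the Office Open XML property parts.
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}

# Fields that typically leak a username, a domain, the company and the software version.
FIELDS = {
    "creator": ("docProps/core.xml", "dc:creator"),
    "last_modified_by": ("docProps/core.xml", "cp:lastModifiedBy"),
    "application": ("docProps/app.xml", "ep:Application"),
    "app_version": ("docProps/app.xml", "ep:AppVersion"),
    "company": ("docProps/app.xml", "ep:Company"),
}

# Constructed sample property parts (placeholder user, domain and company).
CORE_XML = f"""<cp:coreProperties xmlns:cp="{NS['cp']}" xmlns:dc="{NS['dc']}">
  <dc:creator>jsmith</dc:creator>
  <cp:lastModifiedBy>CORP\\jsmith</cp:lastModifiedBy>
</cp:coreProperties>"""
APP_XML = f"""<Properties xmlns="{NS['ep']}">
  <Application>Microsoft Office Word</Application>
  <AppVersion>16.0000</AppVersion>
  <Company>Example Corp</Company>
</Properties>"""

# Empty replacements written back when stripping.
EMPTY_CORE = f'<cp:coreProperties xmlns:cp="{NS["cp"]}" xmlns:dc="{NS["dc"]}"/>'
EMPTY_APP = f'<Properties xmlns="{NS["ep"]}"/>'


def build_sample_docx() -> bytes:
    """Construct a minimal .docx archive carrying the fields above."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("docProps/core.xml", CORE_XML)
        zf.writestr("docProps/app.xml", APP_XML)
    return buf.getvalue()


def audit_metadata(docx_bytes: bytes) -> dict:
    """Return the non-empty identifying fields found in the document's property parts."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        parts = {name: ET.fromstring(zf.read(name))
                 for name in zf.namelist() if name.startswith("docProps/")}
    found = {}
    for field, (part, path) in FIELDS.items():
        root = parts.get(part)
        if root is None:
            continue
        value = root.findtext(path, namespaces=NS)
        if value and value.strip():
            found[field] = value.strip()
    return found


def strip_metadata(docx_bytes: bytes) -> bytes:
    """Copy the archive, replacing both property parts with empty elements."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for item in src.infolist():
            if item.filename == "docProps/core.xml":
                dst.writestr(item.filename, EMPTY_CORE)
            elif item.filename == "docProps/app.xml":
                dst.writestr(item.filename, EMPTY_APP)
            else:
                dst.writestr(item.filename, src.read(item.filename))
    return out.getvalue()


if __name__ == "__main__":
    sample = build_sample_docx()
    print("before:", audit_metadata(sample))
    print("after: ", audit_metadata(strip_metadata(sample)))
```

The same audit applies to any document a publishing workflow accepts: run it as a pre-publish check and reject or clean files whose report is non-empty.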

Digital threats and cyber-attacks are now a social problem, causing significant damage in many countries across the world, including the UK. When an organization detects a vulnerability in its hardware or software and does not take appropriate action, it runs the risk of cyber-attacks that exploit that vulnerability.

These can cause a variety of damage, such as malware infection, theft of confidential information, and misuse of the company's data. For instance, the "WannaCry" ransomware caused intense damage worldwide in May 2017. The attackers used the "EternalBlue" exploit to spread the ransomware by targeting an operating system vulnerability.

How Open Source Intelligence helps in finding new cyber threats

Governments, cybersecurity organizations, and private businesses are now making keen efforts to put in place a new breed of tools capable of identifying new vulnerabilities in emerging technologies.

Open Source Intelligence draws on information that is publicly available on the internet, in the form of blogs, security feeds, social media sites, and the dark web.

However, collecting this information automatically presents a wide range of challenges. Finding insightful information about impending threats in the colossal volume of information on the internet is like finding a needle in a haystack.

Another challenge for security companies is that most of the information available on the internet is unstructured, so state-of-the-art natural language processing tools are needed to extract and structure the insights.

So, how can these challenges be addressed? Well, this requires more research and work in the fields of artificial intelligence and machine learning. Only then can companies extract such information from big data.

The H2020 DiSIEM project is one initiative that focuses on developing tools to solve these issues. The project's objective is the extraction of IoCs (Indicators of Compromise) from Open Source Intelligence.

The next step is to feed this information as events to the SIEM (Security Information and Event Management) system. The information extracted by the machine learning tools is likewise provided to threat intelligence tools, which allow security companies to correlate externally extracted information with the internal events gathered from the company's infrastructure.

One such tool, known as "OSINT Threat Detector," collects tweets from digital security-related accounts. The tool is capable of generating early alarms about potential threats that could impact the IT infrastructure.

The developers of this tool selected Twitter as the primary data source. They analyzed the platform and concluded that Twitter is a hub where the digital security community, cybersecurity companies, and software vendors engage in discussions about vulnerabilities, threats, and mitigation measures.

The tool likewise inspects and analyzes tweets, which helps researchers discover potential threats days or even weeks before they are published in the National Vulnerability Database.

OSINT Threat Detector performs the data preprocessing and normalization tasks. It uses keywords to narrow down the set of tweets coming from the selected accounts. Note: the accounts are selected according to the needs and requirements of the company.

Let us give you a simple example: if the infrastructure being monitored runs Windows XP, the tool selects that keyword and processes tweets about this system. At the same time, a binary classifier identifies the tweets that are relevant to infrastructure security. Note: tweets about all other systems are discarded.

The next step is clustering analysis, the purpose of which is to find related events and measure the dissemination of keywords over time. The last step is the analysis of the generated clusters. In this phase, the tool generates IoCs, which are forwarded to the SIEM system or to other tools, like MISP, for processing.

OSINT tools employ various machine learning and artificial intelligence algorithms. For instance, a clustering algorithm is used to group related information, and a named-entity recognizer is used to extract structured information from the content in order to find the potential vulnerability.
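To make the pipeline described in the preceding paragraphs concrete, the following is an added example, not the DiSIEM project's or OSINT Threat Detector's own code. It walks a handful of tweets through the stages the text names: keyword selection by the assets the monitored infrastructure runs, a binary relevance classifier, clustering of related tweets, and named-entity extraction into one structured indicator record per cluster that a SIEM or MISP could ingest. The classifier and entity recognizer are deliberately simple term-scoring and regex stand-ins for the trained models the text refers to; the monitored asset list, the tweets, the accounts and the CVE identifiers are all constructed placeholders.

```python
"""Minimal OSINT-to-IoC pipeline: select, classify, cluster, extract.

Added example, not the project's code. Every tweet, account and CVE id
below is a constructed placeholder, not a real advisory.
"""
import re
from collections import defaultdict

# Assumed configuration: products the monitored infrastructure runs.
MONITORED_ASSETS = ("windows xp", "apache httpd")

# Constructed sample tweets (placeholder CVE ids).
TWEETS = [
    {"id": 1, "account": "vendor_sec", "ts": "2017-05-01T09:00",
     "text": "Advisory: remote code execution in Windows XP SMB, tracked as CVE-0000-0001. Patch now."},
    {"id": 2, "account": "researcher", "ts": "2017-05-02T11:30",
     "text": "PoC for CVE-0000-0001 is circulating; Windows XP hosts reported exploited in the wild."},
    {"id": 3, "account": "vendor_sec", "ts": "2017-05-02T15:00",
     "text": "Apache httpd 2.4 denial of service, CVE-0000-0002, upgrade recommended."},
    {"id": 4, "account": "researcher", "ts": "2017-05-03T08:00",
     "text": "Fun retro gaming night on an old Windows XP box, nostalgia!"},
    {"id": 5, "account": "news", "ts": "2017-05-03T10:00",
     "text": "Router vendor firmware vulnerability CVE-0000-0003 exploited."},
]

# Vocabulary for the term-scoring stand-in classifier.
SECURITY_TERMS = {"vulnerability", "exploit", "patch", "advisory", "remote code execution",
                  "denial of service", "poc", "cve-", "malware", "ransomware"}
NOISE_TERMS = {"nostalgia", "gaming", "webinar", "hiring", "giveaway"}
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b", re.IGNORECASE)


def normalize(text: str) -> str:
    """Preprocessing: lowercase and collapse whitespace."""
    return re.sub(r"\s+", " ", text).strip().lower()


def match_asset(text: str, assets=MONITORED_ASSETS):
    """Keyword stage: the monitored asset the tweet mentions, or None."""
    norm = normalize(text)
    return next((asset for asset in assets if asset in norm), None)


def is_security_relevant(text: str) -> bool:
    """Binary classifier stand-in: True when security vocabulary outweighs noise."""
    norm = normalize(text)
    hits = sum(term in norm for term in SECURITY_TERMS)
    noise = sum(term in norm for term in NOISE_TERMS)
    return hits - noise > 0


def extract_entities(text: str) -> dict:
    """Named-entity stand-in: CVE ids and version-like tokens found in the text."""
    cves = sorted({m.upper() for m in CVE_RE.findall(text)})
    versions = re.findall(r"\b\d+\.\d+(?:\.\d+)?\b", text)
    return {"cves": cves, "versions": versions}


def cluster_tweets(selected: list) -> dict:
    """Clustering stage: tweets sharing a CVE id form one cluster, else one per asset."""
    clusters = defaultdict(list)
    for tweet in selected:
        cves = extract_entities(tweet["text"])["cves"]
        key = cves[0] if cves else "asset:" + tweet["asset"]
        clusters[key].append(tweet)
    return clusters


def build_iocs(clusters: dict) -> list:
    """Analysis stage: one structured indicator record per cluster for a SIEM or MISP."""
    records = []
    for key, members in clusters.items():
        records.append({
            "cluster": key,
            "asset": members[0]["asset"],
            "cves": sorted({c for m in members for c in extract_entities(m["text"])["cves"]}),
            "accounts": sorted({m["account"] for m in members}),
            "tweet_ids": [m["id"] for m in members],
            "first_seen": min(m["ts"] for m in members),
            "mentions": len(members),
        })
    return sorted(records, key=lambda r: r["first_seen"])


def run_pipeline(tweets: list, assets=MONITORED_ASSETS) -> list:
    """Run all stages; tweets about other systems or off-topic chatter are discarded."""
    selected = []
    for tweet in tweets:
        asset = match_asset(tweet["text"], assets)
        if asset is None or not is_security_relevant(tweet["text"]):
            continue
        selected.append({**tweet, "asset": asset})
    return build_iocs(cluster_tweets(selected))


if __name__ == "__main__":
    for record in run_pipeline(TWEETS):
        print(record)
```

On the constructed input, the retro-gaming tweet is dropped by the classifier even though it mentions a monitored asset, the router tweet is dropped at the keyword stage because no monitored asset is named, and the two Windows XP tweets collapse into one cluster keyed by their shared CVE id, which is the record a SIEM correlation rule would match against internal events. The "mentions" count and "first_seen" field are the data a real deployment would use to track keyword dissemination over time.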

The H2020 DiSIEM project is designing several other sophisticated platforms that companies can employ to search and analyze OSINT data on Facebook, Twitter, blogs, etc. OSINT tools are unique solutions for detecting new cybersecurity threats automatically.

Lastly, the OSINT framework is a collection of tools used for the identification, extraction, and analysis of data. These tools are primarily used by security professionals for digital footprinting, intelligence gathering, research, and reconnaissance. Some private businesses in the UK are also keenly taking an interest in employing OSINT tools to automatically find new cybersecurity threats.

Kind Regards

Alan Kerrigan

https://www.linkedin.com/in/alankerrigan/


Hi, I am Alan Kerrigan Global Director of Sales and Marketing @DeviceAtla