Rootconf 2019

On infrastructure security, cloud architecture, cloud optimization and distributed systems

From data to decisions - Leveraging OSINT data to take security decisions

Submitted by Bharath (@synster) on Thursday, 22 November 2018


Technical level

Beginner

Section

Full talk of 40 mins duration

Status

Submitted


Abstract

As companies grow large, they tend to leave a long digital trail about their infrastructure on the Internet. This information can be accessed by anyone who knows what to look for and where. Information that is available publicly is known as Open Source INTelligence (OSINT). Attackers love performing reconnaissance and gathering OSINT data about their target organisations. An attacker can use these ‘digital breadcrumbs’ to understand their targets better, and that understanding helps them plan and execute their attacks well. Keeping regulations like GDPR and The Personal Data Protection bill (well..) in mind, it is critical for organisations to keep track of the kind of data that they are exposing publicly.

The objective of this talk is to understand how we can leverage OSINT data to build solutions that help us take security decisions that keep organisations secure. To meet this objective, we will alternate between wearing an attacker hat and a defender hat throughout the talk, but the primary focus is on being a defender.

As an attacker, we will take a look at the kind of OSINT data that is out there and how it will help us plan and execute attacks against a target organisation. We will cover various tools and techniques in this process.

As a defender, we will focus on how we can leverage the same OSINT data to build solutions that will help us make decisions that will help organisations stay secure.

As a defender, just gathering OSINT data isn’t enough. The data gathered is only as good as the insights and actionable decisions that we can gain from it. A lot of research is focused on finding OSINT data, but little is done towards converting that data into insights and actionable decisions. We will focus on building visualisation, monitoring and alerting solutions around the OSINT data gathered. Visualisation is an easy and efficient way to gain insights from the data gleaned. Monitoring and alerting are a good way to make sure that we act on the OSINT data.

We’ll tackle the problem by breaking it into the following steps:

  1. Gathering OSINT data
  2. Storing the OSINT data
  3. Processing & visualising the OSINT data
  4. Building alerting and monitoring around the OSINT data
  5. Gaining insights and making actionable decisions

Some specific use-cases we’ll look at during the talk include, but are not limited to:

  • Monitoring an organisation’s SSL/TLS certificates, domains and subdomains in near-real time
  • Visualising public datasets (scans.io) to gain insights into an organisation’s external posture
  • Building monitoring and alerting solutions using OSINT data that will help us take business decisions
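As an added example (not code from the talk or the speaker), here is a small defender-side pipeline in Python that walks through steps 1 to 4 above for the first use case: it gathers hostnames from certificate records, stores the in-scope ones in SQLite, and raises alerts for hostnames that are missing from the organisation's known inventory and for certificates that expire within 30 days. The records are constructed for this example, and their field names (name_value, not_before, not_after, issuer_name) are an assumption; a real certificate-transparency feed may use different ones. The root domain example.com and the inventory set are likewise constructed.

```python
import sqlite3
from datetime import datetime, timedelta

# Constructed sample records, not real certificate-transparency data.
# The field names are an assumption for this example only.
SAMPLE_RECORDS = [
    {"id": 1, "name_value": "www.example.com\nexample.com",
     "not_before": "2019-01-10T00:00:00", "not_after": "2019-04-10T00:00:00",
     "issuer_name": "CN=Constructed CA 1"},
    {"id": 2, "name_value": "*.Staging.example.com",
     "not_before": "2019-01-12T00:00:00", "not_after": "2019-04-12T00:00:00",
     "issuer_name": "CN=Constructed CA 1"},
    {"id": 3, "name_value": "old-vpn.example.com",
     "not_before": "2018-01-01T00:00:00", "not_after": "2019-01-20T00:00:00",
     "issuer_name": "CN=Constructed CA 2"},
    # Out of scope: shares a suffix with example.com but is a different domain.
    {"id": 4, "name_value": "notexample.com\nlogin.notexample.com",
     "not_before": "2019-01-14T00:00:00", "not_after": "2019-04-14T00:00:00",
     "issuer_name": "CN=Constructed CA 3"},
]

ROOT_DOMAINS = ("example.com",)                      # constructed scope
KNOWN_INVENTORY = {"www.example.com", "example.com",  # constructed asset list
                   "old-vpn.example.com"}
AS_OF = datetime(2019, 1, 15)                         # fixed "now" for the example


def extract_hostnames(record):
    """Step 1 (gather): normalise the names on one certificate record."""
    names = set()
    for raw in record["name_value"].split("\n"):
        name = raw.strip().lower().rstrip(".")
        if name.startswith("*."):          # a wildcard still reveals the parent label
            name = name[2:]
        if name:
            names.add(name)
    return names


def in_scope(hostname, roots=ROOT_DOMAINS):
    """Match on a dot boundary so 'notexample.com' is not treated as example.com."""
    return any(hostname == r or hostname.endswith("." + r) for r in roots)


def open_store():
    """Step 2 (store): an in-memory SQLite table keyed by (certificate, hostname)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE certs (
        cert_id INTEGER, hostname TEXT, issuer TEXT,
        not_before TEXT, not_after TEXT,
        PRIMARY KEY (cert_id, hostname))""")
    return conn


def ingest(conn, records, roots=ROOT_DOMAINS):
    """Insert in-scope hostnames; returns the number of new rows."""
    inserted = 0
    for rec in records:
        for host in extract_hostnames(rec):
            if not in_scope(host, roots):
                continue
            cur = conn.execute("INSERT OR IGNORE INTO certs VALUES (?, ?, ?, ?, ?)",
                               (rec["id"], host, rec["issuer_name"],
                                rec["not_before"], rec["not_after"]))
            inserted += cur.rowcount
    conn.commit()
    return inserted


def find_unknown_hosts(conn, inventory=KNOWN_INVENTORY):
    """Step 3 (process): hostnames seen in certificates but absent from inventory."""
    rows = conn.execute("SELECT DISTINCT hostname FROM certs").fetchall()
    return sorted(h for (h,) in rows if h not in inventory)


def find_expiring(conn, now, days=30):
    """Hostnames whose newest certificate expires within `days` of `now`.
    ISO-8601 strings compare correctly as text, so the check can run in SQL."""
    cutoff = (now + timedelta(days=days)).isoformat()
    rows = conn.execute(
        "SELECT hostname, MAX(not_after) FROM certs "
        "GROUP BY hostname HAVING MAX(not_after) < ?", (cutoff,)).fetchall()
    return sorted(rows)


def build_alerts(records, now, inventory=KNOWN_INVENTORY, roots=ROOT_DOMAINS, days=30):
    """Step 4 (alert): run the pipeline end to end and return alert dicts."""
    conn = open_store()
    ingest(conn, records, roots)
    alerts = [{"type": "unknown-host", "host": h}
              for h in find_unknown_hosts(conn, inventory)]
    alerts += [{"type": "expiring", "host": h, "not_after": exp}
               for h, exp in find_expiring(conn, now, days)]
    return alerts


def run_example():
    return build_alerts(SAMPLE_RECORDS, AS_OF)


if __name__ == "__main__":
    for alert in run_example():
        print(alert)
```

Running the script reports staging.example.com as an unknown host (an asset the inventory does not know about, surfaced from a wildcard certificate) and old-vpn.example.com as expiring; the notexample.com names are filtered out by the dot-boundary scope check. In a real deployment the record list would be replaced by a scheduled pull from a certificate-transparency search service, the in-memory database by a persistent one, and the returned alerts would be pushed to whatever channel the team already monitors.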

Outline

  • What is OSINT?
  • What can attackers do with OSINT data?
  • Where/How do attackers (or I) find this OSINT data? (Tools/Techniques)
  • What can I do about OSINT data on my organisation?
  • Building visualisation, monitoring and alerting solutions
    • Monitoring an organisation’s SSL/TLS certificates, domains and subdomains in near-real time
    • Visualising public datasets (scans.io) to gain insights into an organisation’s external posture
      • Answering business related security questions using visualisations
    • Building monitoring and alerting solutions around various OSINT data
  • Key takeaways and Moving forward

Requirements

This talk will be useful for:

  • Anyone who is responsible for an organisation’s infrastructure/application security
  • Anyone who is curious to understand how attackers use OSINT to target organisations
  • Blue teams (Defenders)
  • Redteams/Penetration testers

Speaker bio

Bharath is a Security Engineer with Appsecco. He has a strong passion for information security and building solutions that solve real world problems.
Bharath is an active member and contributor at various security and developer communities including null open security community and Python Malaysia User Group.
His core interest lies in Infrastructure security, Reconnaissance, Application security and Protocol security.

Bharath has presented at many security and developer conferences including:

  • Defcon 26: Recon Village
  • Bsides Delhi 2017
  • Bugcrowd LevelUp 2017 & 2018
  • FUDCon 2012

Bharath has conducted trainings at various conferences including:

  • c0c0n, 2018
  • Nullcon, Bangalore, 2018
