Any mid-sized to large-sized organization with security ops continuously uncovers a wide range of cyber risks and threats. Some of the things that are discovered can be relatively innocuous, while others can be downright devastating.
It is not uncommon, for example, for our researchers here at CyberProof to come across major databases with leaked information hosted on random servers. In fact, we’ve seen many incidents like these – most of them don’t make it into the media.
Let’s have a look at a few examples of the expert methods that threat intelligence analysts use to uncover this and other types of information.
Threat Intelligence Researchers find 43 million exposed email addresses
Earlier this year, a researcher from Vertek Corporation uncovered 43 million email addresses leaked by the command & control server of the Trik spam botnet. In this case, the researchers used automated data gathering techniques and found that one of the groups behind this operation misconfigured its server and left its content accessible to anyone with the ability to gain access to the IP directly.
A different method of finding similar information is using a technique of analyzing dedicated malware drop zones,. A drop zone is a publicly writable directory on a server in the Internet that serves as an exchange point for keylogger data: the malware running on a compromised machine sends all stolen credentials to the drop zone, where the attacker can acquire the stolen data and abuse it.
Alternative approaches to information gathering
At CyberProof, we utilize several approaches to uncovering hidden information. Researchers and threat intelligence analysts monitor the Internet and Darknet for sources of information. For example, CyberProof’s team uses crawlers that automatically search the Internet for specific keywords. These crawlers are based on a variety of sources, e.g., Social media, Telegram hacker groups, QQ,s and Darknet sources like IRCs and marketplaces, forums, and file sharing platforms
We also leverage CyberProof’s AI-augmented automation capabilities to find out in real time whenever someone is talking about any of our clients. This allows us to identify leaked information as it happens. For example, if a hacker on any forum, blog, or other platform speaks about a client and there’s any association with data dumps, exploits, or leaked information (in any language), CyberProof identifies it as soon as it is posted by a potential cyber attacker. The automation is based on techniques using the Google search engine or others such as Yandex, Baidu, etc., which ensure that we are not limited to a specific set of sources – and also allow us to us to oversee the different platforms, providing our clients full coverage.
Think like a hacker
CyberProof makes use of in-house crawler tools to investigate whether clients have exposed information on their servers. Our researchers conduct advanced reconnaissance activities and investigate aspects of a client’s digital footprint externally – both from the classic threat intelligence perspective, and from a hacker’s perspective on potential vulnerability points of our client.
We’ve also developed a number of unique techniques that provide us with enhanced cyber threat intelligence insights. For example, one of our crawlers searches for information within old communication protocols – which hackers sometimes use for storing and sharing information.
We comprehensively map out and identify what assets the client has – domain names, external IP addresses, subdomains, and the technologies they use and more – and then perform reconnaissance activities, just as a hacker (potentially) would.
These activities help us figure out the client’s vulnerable web facing assets, which commonly include:
- Misconfigurations within the servers of the client that potentially expose information
- Open directories of critical servers (like the file server) that use default credentials – giving hackers access to files
- Technologies with publicly available vulnerabilities that hackers could exploit and much more
Threat Intelligence that board members will understand
CyberProof’s goal is to provide each of our clients with a complete and customized perspective on cyber security threat intelligence. Our goal is to let the CEO and CISO/CIO see the full picture of their vulnerabilities and address any of their concerns by attacking the question of threat intelligence from two different points of view:A classic approach to threat intelligence:
- Who is talking about me?
- Who is targeting me?
- Is anyone selling my information?
A targeted approach to threat intelligence:
- How do my digital footprint and assets look – in the eyes of malicious players?
- What information would hackers be able to find If they targeted me, or my key executives and employees?
- How exposed and vulnerable am I?
While most intelligence companies focus only on the classic approach to threat intelligence, we provide a targeted approach, offering our clients a proactive defense methodology that reflects CyberProof’s unique approach to CTI.
This is the first in a series of posts touching on the different methods used by cybersecurity professionals when conducting technical research.
For an in-depth look at how the CyberProof combines HUMINT (Human Intelligence) tactics with OSINT (Open Source Intelligence) to contribute to a proactive cyber security strategy, download our whitepaper, Why Virtual HUMINT is Vital to Effective Threat Intelligence.