Any mid-sized to large organization with a security operations function continuously uncovers a wide range of cyber threats. Some of what is discovered is relatively innocuous, while other findings are downright devastating.
It is not uncommon, for example, for our researchers here at CyberProof to come across major databases with leaked information hosted on random servers. In fact, we’ve seen many incidents like these – most of them don’t make it into the media.
Let’s have a look at a few of the expert methods that researchers use to uncover this and other types of information.
Researchers find 43 million exposed addresses
Earlier this year, a researcher from Vertek Corporation uncovered 43 million email addresses leaked by the command & control server of the Trik spam botnet. In this case, the researcher used automated data gathering techniques and found that the group behind this operation had misconfigured its server and left its content accessible to anyone accessing the IP directly.
A different method of finding similar information is to analyze dedicated malware dropzones. A dropzone is a publicly writable directory on a server on the Internet that serves as an exchange point for keylogger data: the malware running on a compromised machine sends all stolen credentials to the dropzone, where the attacker can pick them up and abuse them.
Alternative approaches to information gathering
At CyberProof, we use several approaches to uncovering hidden information. Researchers and threat intelligence analysts monitor the Internet and Darknet for sources of information. For example, CyberProof’s team uses crawlers that automatically search the Internet for specific keywords. These crawlers cover a variety of sources, e.g., social media, Telegram hacker groups, QQ, and Darknet sources like IRC channels, marketplaces, forums, and file sharing platforms.
We also leverage CyberProof’s AI-augmented automation capabilities to find out in real time whenever someone is talking about any of our clients. This allows us to identify leaked information as it happens. For example, if a hacker on any forum, blog, or other platform speaks about a client and there’s any association with data dumps, exploits, or leaked information (in any language), CyberProof identifies it as soon as the attacker posts it. The automation is based on techniques using the Google search engine or others such as Yandex, Baidu, etc., which ensure that we’re not limited to a specific set of sources – and also allow us to cover the different platforms.
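The keyword monitoring described above, as an added example that is not CyberProof’s own crawler: it scores constructed posts for a client mention that appears together with leak indicators, handles several languages with per-language term lists, and de-duplicates reposts. The client name, domain, sources and post texts are all constructed for the demo.

```python
"""Added example (not CyberProof's tooling): flag posts that mention a client
together with leak-related terms, across languages, with de-duplication."""
import hashlib
import re
import unicodedata
from typing import Dict, List

# Constructed client profile (hypothetical organisation and domain).
CLIENT = {"names": ["Acme Payments"], "domains": ["acmepay.test"]}

# Small per-language indicator lists; a production list would be far larger.
LEAK_TERMS = {
    "en": ["dump", "leaked", "leak", "database", "creds", "credentials", "combolist", "exploit"],
    "es": ["filtrada", "filtrado", "base de datos", "contraseñas"],
    "ru": ["слив", "дамп", "база"],
}
PROXIMITY_CHARS = 80  # name and indicator this close together count as "associated"

# Constructed sample posts, as a crawler might collect them.
SAMPLE_POSTS = [
    {"source": "en-forum", "lang": "en",
     "text": "Selling fresh dump of acmepay.test users, 2M rows, creds included"},
    {"source": "news", "lang": "en",
     "text": "Acme Payments announces Q3 results"},
    {"source": "es-forum", "lang": "es",
     "text": "Nueva base de datos filtrada: Acme Payments, contraseñas en texto plano"},
    {"source": "misc", "lang": "en",
     "text": "Acme hardware store sale this weekend"},
    {"source": "en-forum-repost", "lang": "en",
     "text": "Selling fresh   dump of ACMEPAY.TEST users, 2M rows, creds included"},
]


def normalize(text: str) -> str:
    """Unicode-normalize, casefold and collapse whitespace so reposts hash the same."""
    text = unicodedata.normalize("NFKC", text).casefold()
    return re.sub(r"\s+", " ", text).strip()


def term_regex(term: str) -> re.Pattern:
    # Whole-token match only, so 'acme' alone does not hit 'acmepay'.
    return re.compile(r"(?<!\w)" + re.escape(normalize(term)) + r"(?!\w)")


ENTITY_PATTERNS = [term_regex(t) for t in CLIENT["names"] + CLIENT["domains"]]
TERM_PATTERNS = {lang: [term_regex(t) for t in terms] for lang, terms in LEAK_TERMS.items()}


def score_post(post: Dict) -> Dict:
    """Return a finding for a post that names the client near a leak indicator, else {}."""
    text = normalize(post["text"])
    entities = [m for p in ENTITY_PATTERNS for m in p.finditer(text)]
    if not entities:
        return {}
    patterns = TERM_PATTERNS.get(post.get("lang", "en"), TERM_PATTERNS["en"])
    indicators = [m for p in patterns for m in p.finditer(text)]
    if not indicators:
        return {}
    # Distance between the closest client mention and leak term.
    nearest = min(abs(e.start() - i.start()) for e in entities for i in indicators)
    score = 1 + len({i.group(0) for i in indicators}) + (2 if nearest <= PROXIMITY_CHARS else 0)
    return {
        "source": post["source"],
        "score": score,
        "entities": sorted({e.group(0) for e in entities}),
        "indicators": sorted({i.group(0) for i in indicators}),
    }


def scan(posts: List[Dict]) -> List[Dict]:
    """Score every unique post and return findings, highest score first."""
    seen = set()
    hits = []
    for post in posts:
        digest = hashlib.sha256(normalize(post["text"]).encode()).hexdigest()
        if digest in seen:  # repost of text already scored
            continue
        seen.add(digest)
        result = score_post(post)
        if result:
            hits.append(result)
    return sorted(hits, key=lambda h: h["score"], reverse=True)


if __name__ == "__main__":
    for hit in scan(SAMPLE_POSTS):
        print(hit)
```

The proximity bonus is what separates a press release that mentions the client from a forum post offering its data: both contain the name, but only the second has a leak term within a few words of it. Real sources would replace `SAMPLE_POSTS` with crawler output, and the indicator lists would be maintained per language.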
Think like a hacker
CyberProof makes use of in-house crawler tools to investigate whether clients have exposed information on their servers. Our researchers conduct advanced reconnaissance activities and investigate aspects of a client’s digital footprint externally – both from the classic threat intelligence perspective, and from a hacker’s perspective on the client.
We’ve also developed a number of unique techniques that provide us with enhanced intelligence insights. For example, one of our crawlers searches for information within old communication protocols – which hackers sometimes use for storing and sharing information.
We comprehensively map out and identify what assets the client has – domain names, external IP addresses, subdomains, the technologies they use, and more – and then perform reconnaissance activities, just as a hacker potentially would.
These activities help us identify the client’s vulnerable web-facing assets, which commonly include:
- Misconfigurations within the servers of the client that potentially expose information
- Open directories of critical servers (like the file server) that use default credentials – giving hackers access to files
- Technologies with publicly available vulnerabilities that hackers could exploit, and much more
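An added example of the kind of check an organization can run against its own web-facing assets once they are inventoried (this is not CyberProof’s crawler): it classifies constructed HTTP responses into the exposure categories listed above, namely directory listings that expose backup or config files, server banners that disclose product versions for matching against a vulnerability feed, and debug output leaking from error pages. Hostnames, headers and bodies are all constructed for the demo.

```python
"""Added example (not CyberProof's tooling): classify constructed HTTP responses
from an organization's own web-facing assets into exposure categories."""
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Response:
    host: str
    path: str
    status: int
    headers: Dict[str, str]
    body: str


# Constructed sample responses; hostnames use the reserved .test TLD.
SAMPLES = [
    Response("files.example-corp.test", "/backup/", 200,
             {"Server": "Apache/2.4.29 (Ubuntu)", "Content-Type": "text/html"},
             "<html><head><title>Index of /backup</title></head><body><h1>Index of /backup</h1>"
             "<a href='db-2019.sql.gz'>db-2019.sql.gz</a><a href='config.bak'>config.bak</a>"
             "</body></html>"),
    Response("www.example-corp.test", "/", 200,
             {"Server": "nginx", "X-Powered-By": "PHP/5.6.40"},
             "<html><body>Welcome</body></html>"),
    Response("api.example-corp.test", "/debug", 500,
             {"Server": "nginx", "Content-Type": "text/html"},
             "<pre>Traceback (most recent call last):\n  File \"/srv/app/views.py\", line 12</pre>"),
    Response("intranet.example-corp.test", "/", 200,
             {"Server": "nginx"},
             "<html><body>ok</body></html>"),
]

# Auto-generated directory listings from common web servers carry this title.
DIR_LISTING = re.compile(r"<title>\s*Index of\s+/", re.IGNORECASE)
# "Product/x.y.z" banners in Server or X-Powered-By headers.
VERSION_BANNER = re.compile(r"^(?P<product>[A-Za-z.-]+)/(?P<ver>\d+(?:\.\d+)+)")
# File types that should never be reachable through a listing.
SENSITIVE_EXT = re.compile(
    r"href=['\"]?[^'\">]+\.(sql\.gz|tar\.gz|sql|bak|env|pem|zip)(?=['\">])", re.IGNORECASE)
# Framework stack traces leaking through error pages.
STACK_TRACE = re.compile(
    r"Traceback \(most recent call last\)|Exception in thread|at [\w.$]+\(\w+\.java:\d+\)")


def check_response(r: Response) -> List[Dict]:
    """Return one finding dict per exposure detected in a single response."""
    findings = []
    if r.status == 200 and DIR_LISTING.search(r.body):
        exposed = sorted({m.group(1).lower() for m in SENSITIVE_EXT.finditer(r.body)})
        findings.append({
            "host": r.host, "path": r.path, "category": "open_directory",
            "severity": "high" if exposed else "medium", "exposed_types": exposed,
        })
    for header in ("Server", "X-Powered-By"):
        m = VERSION_BANNER.match(r.headers.get(header, ""))
        if m:
            findings.append({
                "host": r.host, "path": r.path, "category": "version_disclosure",
                "severity": "low",
                # Product/version pairs are what you match against a vulnerability feed.
                "product": m.group("product"), "version": m.group("ver"),
            })
    if STACK_TRACE.search(r.body):
        findings.append({
            "host": r.host, "path": r.path, "category": "debug_info_leak",
            "severity": "medium", "exposed_types": [],
        })
    return findings


def run(responses: List[Response]) -> List[Dict]:
    """Check every response in the inventory and collect all findings."""
    return [f for r in responses for f in check_response(r)]


if __name__ == "__main__":
    for finding in run(SAMPLES):
        print(finding)
```

A listing on its own is rated medium; it becomes high only when it exposes backup, database or key material, because that is the case that hands an attacker files directly. Version disclosure is deliberately rated low here: the banner is only a lead, and the real severity comes from matching the product and version against a vulnerability database, which this offline example does not do.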
Threat Intelligence that board members will understand
CyberProof’s goal is to provide each client with a complete and customized perspective on intelligence. We want the CEO and CISO/CIO to see the full picture and address any concerns by approaching the question of threat intelligence from two different points of view:
- A classic approach to intelligence
  - Who is talking about me?
  - Who is targeting me?
  - Is anyone selling my information?
- A more targeted approach
  - How do my digital footprint and assets look – in the eyes of malicious players?
  - What information would hackers be able to find if they targeted me, or my key executives and employees?
  - How exposed and vulnerable am I?
Most intelligence companies focus only on the classic approach to intelligence. It is the second, more targeted and proactive methodology that reflects CyberProof’s unique approach to CTI.
This is the first in a series of posts touching on the different methods used by cybersecurity professionals when conducting technical research.