How hackers find your vulnerabilities hidden in plain sight

Learn how OSINT is used by hackers to find of your organization’s vulnerabilities

Hackers use OSINT to find and exploit vulnerabilities in your organization. This information can come from many different sources, such as those under your own control, from your employees, from leaked/stolen data and from search engines that index devices connected to the open internet. 

Before adversaries attempt to breach your organization, they start acquiring intelligence to map your attack surface. Intelligence agencies estimate that 80-95% of intelligence comes from publicly available sources, known as Open-Source Intelligence (OSINT) . More specifically, OSINT1 is any information that can be gathered from publicly available sources in a legal manner2

OSINT sources used by adversaries

From sources your organization controls

With the increasing adoption of cloud services many cloud storage configurations could accidentally or intentionally be set to public, revealing internal confidential information. Worldwide, more than 11.6 billion3  files from organizations are publicly available.   

We have seen public files containing personal data of employees, their passwords and even maps of facilities containing locations of critical business assets such as Operational Technology (OT) and server rooms. These files can be found with a method called Google dorking. Even if a file doesn’t contain any sensitive information, its metadata could reveal the name of the person who edited it and their location. 

In addition, the job ads you post online may reveal the technology you use – useful information for adversaries to tailor their exploit. 

Also, your promotional photos or videos online showing offices or factories could show vulnerable information such as OT, software or your facility’s physical security measures.

Social media
A very valuable social media platform for adversaries is LinkedIn, as employees use it to share their job positions and experiences. Such information can reveal organizational structures, personal information to be used for phishing, and technologies used within the organization as described in the work experience section of employee profiles4.

Leaked/stolen information
Third-party platforms used by your employees or your organization may have already experienced a data breach involving user credentials. When sites like haveibeenpwnd.com obtain these leaked credentials, adversaries can check your employee’s email address to see if their password has been compromised. If the password is similar to the password they use within your organization, adversaries can gain an initial foothold5

Other unusual sources are 'pastebin' sites, which host plain text that users have pasted to share large texts. Such sites may also contain breached data such as credentials and other sensitive information obtained by adversaries6.

Finally, credentials from breaches, unknown vulnerabilities and exploits for software you use could also be sold on the dark web7.

Network and subdomain search engines
Furthermore, sites like shodan.io and censys.com index IP addresses of devices such as routers, webcams, servers and even OT-systems connected to the open internet and scan for software versions on their open ports. This information can be exploited to gain initial access8.

Another way to find hidden networked resources is via domain name enumeration. Your organization most likely owns a domain name and has probably created many forgotten subdomains such as 'blog.yourdomain.com'. Systems hosting these subdomains could have vulnerabilities that can be leveraged by adversaries to move laterally or escalate to higher domains9.

Recommendations

In order to minimize the impact of adversaries exploiting information or system vulnerabilities found with OSINT, we recommend to:

1. Ensure you have clear internal policies on what information can be publicly shared and include it in regular training. 

2. Make sure that anything that is publicly accessible is free of sensitive or critical information, including metadata. One way to accomplish this is by using Data Loss Prevention (DLP) policies or specialized solutions such as a Content Management System (CMS) that automatically remove sensitive information before publishing it. 

3. Use services such as Red Team exercises, Cyber Due Diligence and Internet Footprint Analysis from third parties such as our Cyber Defense Services to simulate how attackers can identify your attack surface.

4. Ensure that robust Cyber Threat Intelligence (CTI) and organization-specific processes and solutions are in place to receive early notifications about possible exposure of sensitive information and attacks against the organization.

Conclusion

In short, adversaries can discover a great portion of your attack surface by combining a wide variety of OSINT sources. Determining what sensitive information is accessible and how to contain it, creating security policies, implementing data classification, DLP, CTI and other safeguards are daunting tasks. If your organization does not have the in-house expertise or capacity to adequately address these critical measures, feel free to catch us for a coffee at our office in Zürich, or just reach out via the contact buttons on the right.

Michele Daryanani

Partner, Cyber Security

KPMG Switzerland

Sebastiaan Berting
Sebastiaan Berting

Expert, Cyber Security

KPMG Switzerland