OSINT Combine’s Emerald Sage recently published a whitepaper exploring how OSINT can help manage risk for critical infrastructure. In a series of blogs, we will take a more in-depth look at some of the tradecraft and techniques that organisations can use to manage their security posture and risk profile.
The whitepaper notes that OSINT can help organisations conduct fast and effective screening of personnel to help manage personnel security hazards. This blog will look at the practical steps organisations can take to apply open-source tools and tradecraft to personnel vetting, as well as maintain awareness of their organisation’s broader security posture.
Information about Employees’ Online Footprints
As always, there are ethical considerations when it comes to screening current and prospective employee data online, which need to be weighed against the risks. Each team and organisation should consider the frameworks, policies, and legislation under which they operate to develop the correct scope for investigations.
Conducting open-source research on employee profiles may involve identifying and viewing public social media profiles, accounts on professional networking sites, breach data, code repositories, and personal websites.
Professional Networking Sites
Professional networking sites, such as LinkedIn, can reveal a vast amount of information about an organisation’s security posture, infrastructure, personnel footprint, and technologies. While the specific details on a single profile might seem innocuous, bad actors can use aggregated data from multiple accounts to identify potential vulnerabilities—both technological, and human.
LinkedIn is the world's largest professional network on the internet, and Five Eyes intelligence agencies have previously warned of attempts by foreign intelligence services to cultivate relationships using the platform. LinkedIn accounts effectively function as online resumes that contain information about:
Current and former roles
Education and qualifications
Location
Interests
Contact information
Security teams can use LinkedIn profile information to better understand the breadth and depth of publicly available information about a company’s infrastructure, personnel, and activities and, if necessary, request the removal of sensitive information.
LinkedIn does, however, present challenges for open-source researchers. Only LinkedIn members can use the in-built search functions, and, even then, the amount of information displayed about individual profiles depends on the user’s settings and the degree of connection between profiles. It is not unusual to see a set of results like the picture below when conducting in-site LinkedIn searching:
LinkedIn also raises issues around attribution—viewing profiles while logged into a LinkedIn account, depending on account settings, will let a user know who has visited their profile. At the very least, there will be a record that someone has viewed a profile page. For security teams who are conducting audits of employee information online, this risks revealing tactics and audit procedures.
LinkedIn is, however, heavily indexed by search engines. While not all profiles will appear in search results (it depends on user account settings), conducting a targeted search for profiles linked to companies can give security teams a good overview of the online footprint of employees.
Using advanced search operators (‘Google dorking’) enables quick retrieval of profiles that list an organisation or topic within the title/current position. Adding keywords for locations, roles, experience, and educational institutions helps to further refine results.
Use the ‘site’ operator to target a particular platform, for example:
site:au.linkedin.com
Adding the filepath ‘in’ to the end of the domain helps to filter out irrelevant results (like job postings and company pages). If your company uses particular technologies or security mitigations, then adding these as key words can help to identify where employees may have added details about these to their profiles. For example, we could search for employees at ‘Widgets R Us’ who list a ‘Sensitive Widget Clearance Level 4’ in their profile:
Remember that different search engines will index different content from websites. A search result that does not appear in Google’s set of results might have been indexed by Yandex or Bing, for example. While advanced search operators are slightly different across search engines, all the major engines support the ‘site’ search.
If search results highlight employees who have listed sensitive information on their professional profiles (which is in turn shared with anyone in their LinkedIn network), then this can reveal vulnerabilities and weaknesses in your organisation’s online footprint.
Company Domain Investigations
Conducting checks for company domain emails across breach data websites and WhoIS registration data can reveal potential breaches of employee data, as well as unauthorised website registrations by employees using corporate networks and emails.
Commercial software like NexusXplore can help to streamline investigations of breached data for domains and entities of interest. When your organisation does not have access to specialised tools, however, there are publicly available, browser-based options that can still assist in filling in the gaps in a company’s understanding of its online footprint.
Intelligence X’s tool Phonebook.cz requires a free account (register with an email address), but it allows domain-based searching across its billions of records, including breach data and public leaked records. Searching with an organisational domain can quickly identify corporate email accounts that may appear in breached data sets.
To find out where an email address has appeared in a record, click through to the record and then choose ‘Full Data’. Some data is likely to be redacted, but other results may list document information and metadata, full text, and other selectors or identifiers found in the document.
As with most free open-source tools, there are dataset limitations, but for security teams who need to understand the scope of freely available information about their employees and networks, Phonebook.cz is a useful resource.
Conducting Reverse WHOIS look-ups is another means of identifying potential vulnerabilities related to personnel and an organisation’s online presence. A WHOIS check is simply a way of asking ‘Who is responsible for this website?”. Reverse WHOIS look-ups let us search on an email address or name, rather than the domain itself. While privacy proxies and regulations like the EU’s General Data Protection Regulation limit the amount of personal data we can retrieve, there is still a vast amount of both current and historical information in WHOIS records.
Some WHOIS retrieval tools limit or redact information (or require payment/registration for full results). It is also worth noting that different tools may retrieve slightly different data, depending on the age and completeness of the data sources they draw from. We recommend using a combination of tools in order to retrieve the most comprehensive results.
Reverse WHOIS tools:
ViewDNS is particularly useful, as it allows wildcarded domain searches to identify any websites registered using a company domain.
Searching for websites linked to a company domain can also identify where legitimate online assets may inadvertently reveal more information about an organisation than intended (for example, domains used for testing purposes).
Monitoring Search and News Results
There are software solutions for monitoring open-source information based on keywords and names of interest, but a free option that anyone with a Google account can use is Google Alerts. While Google does not capture everything (for example, Google does not index most content on social media profiles), this may be a simple way to remain aware of the conversations and mentions of your company, industry, and personnel. Refining your alerts with keywords, advanced search operators, and region-specific options can help to reduce the amount of unrelated information in your feed.
Summary
In this blog, we have explored some of the approaches that security teams might take to gain insight into the digital hygiene of an organisation and its personnel, including:
Conducting targeted searches for sensitive information on professional networking sites
Investigating company domains in breach data sets and WHOIS records
Monitoring keywords and topics using Google Alerts
Remember, though, that bad actors can (and do) use the same tactics and techniques to retrieve information about an entity!
To support your OSINT collection and analytical capability uplift, contact us at training@osintcombine.com to learn about our off-the-shelf and bespoke training offerings.