
“White Hat Anonymity”: Current challenges security researchers face performing actionable OSINT

Christopher R. Barber, CISSP, C|EHv7

Threat Analyst

Solutionary Inc.

Security Engineering Research Team (SERT)

Introduction

• Member of Solutionary’s Security Engineering Research Team (SERT) specializing in threat intelligence and analysis

• Research and discovery of emerging threats and vulnerabilities

• Use of Open-Source Intelligence (OSINT) techniques for tracking threat actor activities

• Analysis of threat landscape trends monthly and high-level analysis annually

Outline

• Challenges

• Establishing Anonymity

• OSINT Tools and Techniques

• Sources

• Information Sharing

Challenges

• Anonymity Challenges

• Source Information Challenges

• Intelligence Sharing Challenges

Anonymity Challenges

• Security policy prohibits the use of third-party VPN providers and access to the Tor network

• Lack of funds, resources and personnel for the development of secure anonymous channels.

Source Information Challenges

• Large volumes of information from a diverse collection of sources

• Being able to discern between valid information and injected disinformation

• Personnel and Resources

Intelligence Sharing Challenges

• Conflicts between organizations due to differences in security policies

• Weak security at a collaborating organization creates a pivot point for compromise

Establishing Anonymity

• Having an unknown or unacknowledged name

• Having an unknown or withheld authorship or agency

• Having no distinctive character or recognition factor

• Being able to gather information in a manner that does not reveal your personal, professional, or organization's identity

Digital Paper Trail: The breadcrumbs left as we traverse the cyber domain.

• IP Address

• User Agent

• Cookies

• Behavioral habits

Anonymizing Service Providers

• Private Internet Access

• HideMyAss

• BlackVPN

• IVPN

• AirVPN

• TorGuard

Anonymizing Virtual Machines

• Whonix

• Tor Middlebox

• Tails VM

Whonix

Tor Middlebox

• Works as a proxy between the host machine and VirtualBox

• Routes all VM traffic through the Tor proxy on the host machine

Tails Virtual Machine

Open-Source Intelligence

• Collection and analysis of information gathered from publicly available sources

• Sources involve any form of electronic or printed material available in the public domain

• Intelligence is obtained through the statistical analysis of the occurrence and relationships between pieces of information

Tools and Techniques for OSINT

• Collection Tools

• Search Engines

• Social Media

• Intelligence sources

Collection Tools

• Paterva/Maltego

• Recorded Future

Maltego

Recorded Future

Search Engines

• Google Custom Searches

• iSeek

• Addict-o-matic

• Shodan

Google Custom Search

iSeek

Addict-o-matic

Shodan

Social Media

• Facebook

• Twitter

• Google+

Dump Sites

• Pastebin

• Reddit

• AnonPaste

• PirateBay

• Zone-H

• Pastie

Honeypots and Honeynets

• Provide an automated method for distributed traffic analysis.

• Provide early signs of malware or botnet activity.

Intelligence Sources

• Cyber War News

• The Hacker News

• Darkreading.com

• FirstHackNews

Shared Intelligence

• Intelligence Sharing Organizations

• Intelligence Assimilation and Sharing Applications

Intelligence Sharing Organizations

Intelligence Assimilation and Sharing Applications

• Structured Threat Information eXpression (STIX)

• Trusted Automated eXchange of Indicator Information (TAXII)

• Common Attack Pattern Enumeration and Classification (CAPEC)

Intelligence in Depth

• Intelligence research and analysis should be practiced with the idea of “defense in depth”.

• Valid and actionable predictions can only be made with the collective analysis of multiple sources.
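As an added example, not part of the talk or of Solutionary's tooling, tying the Applications slide (STIX/TAXII) to the point above about multiple sources: the Python below wraps an OSINT finding as a STIX Indicator in the STIX 2.1 JSON form, assigns a confidence value from how many independent source types corroborated it (that mapping is this example's own assumption, not a STIX rule), and sanity-checks the bundle before it would be pushed to a TAXII collection. The sample finding and its domain are constructed placeholders.

```python
import re
import uuid
from datetime import datetime, timezone

# Constructed sample finding (placeholder values, not a real indicator): one claim
# seen across several of the source types the talk lists.
SAMPLE_FINDING = {
    "indicator": "[domain-name:value = 'example-c2.invalid']",
    "description": "Domain named in a paste and a forum thread as a C2 host",
    "sources": ["pastebin", "twitter", "honeynet"],
}

STIX_ID_RE = re.compile(r"^[a-z][a-z0-9-]*--[0-9a-f-]{36}$")
REQUIRED = {"type", "spec_version", "id", "created", "modified",
            "pattern", "pattern_type", "valid_from"}

def stix_timestamp(now=None):
    """STIX 2.1 timestamps: UTC, millisecond precision, 'Z' suffix."""
    now = now or datetime.now(timezone.utc)
    return now.strftime("%Y-%m-%dT%H:%M:%S.") + f"{now.microsecond // 1000:03d}Z"

def confidence_from_sources(sources):
    """Heuristic (this example's assumption, not a STIX rule): a single-source
    claim stays low; each independent corroborating source raises it."""
    distinct = len(set(sources))
    return min(100, 30 + 35 * (distinct - 1)) if distinct else 0

def build_indicator(finding, now=None):
    """Wrap a validated OSINT finding as a STIX 2.1 Indicator object."""
    ts = stix_timestamp(now)
    return {
        "type": "indicator", "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": ts, "modified": ts, "valid_from": ts,
        "description": finding["description"],
        "pattern": finding["indicator"], "pattern_type": "stix",
        "confidence": confidence_from_sources(finding["sources"]),
    }

def build_bundle(objects):
    """A Bundle is the unit a TAXII collection stores and serves."""
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objects}

def check_bundle(bundle):
    """Sanity check before sharing: well-formed ids, required fields, confidence range."""
    ok = bundle["type"] == "bundle" and STIX_ID_RE.match(bundle["id"]) is not None
    for obj in bundle["objects"]:
        ok = ok and STIX_ID_RE.match(obj["id"]) is not None and REQUIRED.issubset(obj)
        ok = ok and 0 <= obj.get("confidence", 0) <= 100
    return ok
```

A single-source claim here lands at confidence 30, so a consumer can filter or hold it for corroboration rather than act on it.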

Solutionary’s 2013 Global Threat Intelligence Report http://go.solutionary.com/GTIR.html

Solutionary Minds Blog http://www.solutionary.com/resourcecenter/blog/

Thank You

Questions?