Leveraging Open-Source Intelligence (OSINT): How Social Footprints Lead to Cyber Risk (presentation transcript)
Chris Coryea | International Cyber Intelligence Services Manager
©2017 LEIDOS. ALL RIGHTS RESERVED.
The wording LEIDOS used throughout is a registered trademark in the U.S. Patent and Trademark Office owned by Leidos, Inc.
I have Defender DNA.
I am determined to continuously learn from the past. I leverage my relentless drive to understand the ever-evolving threat landscape and solve the continuous challenges waged by our cyber enemies.
©2016 LEIDOS. ALL RIGHTS RESERVED. PROPRIETARY
2.5 Exabytes of data/day
500M tweets/day
1B posts/day
400M users
1 Analyst / 5 Hours
…managing £4m+ project to roll out new endpoint security across the enterprise in 2016…
…initiative involves a monthly project resource budget in excess of £200k, entails management of a team of 3 other Project Managers and numerous Business Analysts, Architects, Subject Matter Experts and stakeholders…
© 2016 Lockheed Martin Corporation. All rights reserved.
Project Manager: June 2014 – Present (1 year 9 months)
Human Resources: March 2009 – Present (7 years)
Lead Architect: April 2010 – Present (5 years 11 months)
…the successful candidate will be responsible for leading a team of 20 analysts located at SOC based in London…
…overseeing [company’s] 2 year, £15M SOC transformation…
…currently working on designing the architecture for a global implementation of FireEye Email Threat Prevention (ETP) solution inline for 2016…
…working as lead architect on deployment of FireEye Mandiant solution globally…
Network Implementation Engineer, September 2012 – Present (3 years 5 months): …FireEye Email…
Security Architect, October 2014 – Present (1 year 4 months): …£4M endpoint…
Security Analyst, May 2013 – Present (2 years 9 months): …SOC Analyst in London…
System Architect, January 2009 – Present (7 years 1 month): …Global FireEye Mandiant…
Lead Architect, April 2010 – Present (5 years 11 months): …Global FireEye Mandiant…
Solution Engineer, July 2011 – Present (5 years 7 months): …2016 endpoint…
Project Manager, June 2014 – Present (1 year 9 months): …£4M endpoint… …2 year, £15M SOC…
Human Resources, March 2009 – Present (7 years)
Security Analyst, January 2016 – Present (1 month): …Joined SOC team in 2016…
Initiative | Location | Time Frame | Budget
User Awareness | Middle East | 1 year | £1.5M
Advanced Email Security | Global | 1 year | N/A
Mobile Security | United States | 2 years | £4M
Endpoint Security | Global | 1 year | £4M
Application Security | Global | 3 years | £8M
SOC Transformation (20 staff) | London | 2 years | £15M
Supply Chain Security | AsiaPac | 3 years | £5M
Hybrid Cloud Security | N/A | 2 years | £11M
Cybersecurity Footprint: Exposing your Strategy
Network Implementation Engineer: September 2012 – Present (3 years 5 months)
Network Security Specialist: April 2012 – Present (3 years 10 months)
Working with the Security Operations Centre on a wide range of technologies including:
– McAfee IDS / IPS product suite
– BeCrypt Enterprise Manager
– Symantec Scan Engine Products
– Checkpoint IPS software blade technology
– Juniper IDP Devices
My role responsibilities are business-as-usual tasks and small projects:
– LAN: Small configurations on Cisco switches and routers (access and trunk ports, VLANs with HSRP, VPC)
– Small projects such as new switch landing and configuration (Nexus 5K, Nexus 2K)
– Firewall: Small firewall changes on Juniper, Checkpoint and FortiGate firewalls (rules, routes, NAT)
– Management of DNS and DHCP services through Infoblox Grid Manager
Additionally I take part in organizing knowledge sharing sessions for my colleagues, interns and apprentices.
Cybersecurity Footprint: Exposing your Technology
Firewalls: Palo Alto; Checkpoint (includes some Nokia appliances); Fortinet; Cisco ASA; Lucent; Juniper NetScreen; McAfee Sidewinder; Imperva SecureSphere (WAF); FortiGate; Huawei
Load Balancing & Application Delivery: F5 BIG-IP (LTM/GTM, Enterprise Manager, VIPRION hardware); Citrix NetScaler; Foundry ServerIron
Intrusion Detection & Prevention: McAfee IDS/IPS Suite; CheckPoint IPS; TippingPoint; Juniper IDP; SourceFire
Antivirus & Endpoint Protection: Symantec Scan/Protection Engine; Symantec Endpoint Protection; Lumension
Email & Messaging Protection: McAfee IronMail; FireEye Email MPS; Symantec BrightMail
Proxies: BlueCoat; WebSense; McAfee; VMware ESX
Security Monitoring & Management: LogRhythm; Netbrain; Zabbix; Corvil; Observium; F5 Enterprise Manager; Palo Alto Panorama; Firescope; RSA Envision; inMon Traffic Sentinel; CA eHealth; Infoblox; ArcSight
Authentication & NAC: BeCrypt; Cisco Identity Services Engine (ISE); Aruba ClearPass; Catapan; Vasco; CGX InfoExpress
Adversaries can:
(1) learn where current TTPs will be most effective
(2) construct attacks to avoid or subvert known security measures
(3) exploit vulnerabilities
Firewalls: Palo Alto, Juniper SRX
Load Balancing: F5 LTM & GTM
External Proxies: BlueCoat 5G
IDS & IDP: TippingPoint
Antivirus & Endpoint Protection: FireEye WebMPS (malware), McAfee Endpoint Protection Suite
Emails: McAfee Endpoint Protection Suite
+ Nexus Cisco Routers and Switches
+ ArcSight for analysis of external security threats
ACME, an Anvil Corporation
Cybersecurity Footprint: Exposing your Technology
Risk tiers for an individual's social footprint:
LOW RISK: private social media accounts; separation of work & personal life
MEDIUM RISK: private & public social media accounts; mix of work & personal life
HIGH RISK: public social media accounts; association between work & personal life
Executive Footprint: Exposing your Company & Family
16 Executives, 30 Accounts:
• 94% LinkedIn
• 63% Twitter
• 31% Facebook
LOW RISK | MEDIUM RISK | HIGH RISK
Exposure:
• Detailed information on conferences and business travel
• Detailed resume/CV public on LinkedIn
• Friends public on Facebook
Executive Footprint: Exposing your Company & Family
ACME Anvil Corporation
Fictional example: Jane Doe (@janedoe) and her father John Doe (@johndoe), CEO. Platforms shown: Twitter, Facebook, Pinterest and YouTube; risk scale LOW / MEDIUM / HIGH.
Jane Doe (@janedoe):
• Twitter: Jane consistently tweets her location and activities
• Account is public, bio lists numerous interests, friends are also public
• Account is public and links to Facebook account
• Account is private but links to Facebook account
John Doe (@johndoe), CEO:
• Twitter: father tweets daughter from his work account
• Detailed CV/resume information listed publicly
• Facebook: friends list is public and uses the same picture as the business profile
Risk marker shown on the slide: HIGH
Executive Footprint: Exposing your Company & Family
Open-Source Intelligence (OSINT): Scope of Capabilities
• Technology and Strategy Exposure
• Executive Footprint
• Geopolitical Predictions
• Supply Chain
• Internet of Things (IoT)
• Know the scope of intelligence publicly available to your adversaries
• Understand how the aggregation of this intelligence can expose your vulnerability landscape
• Leverage OSINT to monitor and mitigate your exposure
Thank you. Questions and Discussion