OSINT in Security and Cyberbullying Investigations

Questions and Answers

What is the primary purpose of cross-referencing information during a social media OSINT investigation?

  • To find out who has been viewing the cyberbullying of the victim.
  • To ensure that all collected information is anonymous and untraceable.
  • To identify the most popular social media platform used by the perpetrators.
  • To corroborate identities and gather more context about the perpetrators. (correct)

What is the main goal of collecting screenshots as evidence in a cyberbullying investigation?

  • To create a public awareness campaign about the cyberbullying incident.
  • To notify the social media platform's support teams.
  • To directly confront the cyberbullies and demand accountability.
  • To document the cyberbullying incidents for future reference or legal proceedings. (correct)

What is the primary way OSINT supports security operations?

  • By offering competitive advantages over rival organizations
  • By influencing policy and strategy development
  • By providing real-time crisis updates
  • By allowing the identification of threat actor activity, tactics, and techniques (correct)

What action should be taken after collecting evidence in a cyberbullying investigation?

Report the cyberbullying incidents to the relevant authorities, such as law enforcement or social media platforms' support teams. (C)

In the context of security investigations, what is a key contribution of OSINT?

Gathering evidence and identifying perpetrators in security incidents (A)

Apart from law enforcement agents, which of the following groups regularly uses OSINT?

Security Professionals (D)

How does OSINT contribute to crisis management?

By providing real-time information and situational updates (A)

How does OSINT contribute to identifying suspects in a criminal investigation?

By gathering information from publicly available sources to identify leads. (C)

For law enforcement, what is the purpose of digital footprint analysis using OSINT?

To gather information about a suspect's behavior, interests, and activities. (C)

Which of the following is NOT an example of how OSINT benefits security professionals?

Facilitating direct network penetration testing (D)

What specific type of evidence can OSINT help collect in criminal investigations?

Photos, videos, messages, and online transactions used as evidence. (C)

How can OSINT assist security professionals in policy and strategy development?

By supplying information on emerging threats and security trends (C)

Why is OSINT considered invaluable for law enforcement agents?

Because it provides investigative leads and aids in evidence collection. (A)

What is a key advantage of OSINT for cyber criminals?

To more easily identify potential targets for attacks (D)

Which of these is an example of OSINT being used to gain a competitive advantage?

By identifying industry trends and competitor strategies (A)

What type of information is analyzed by OSINT analysts in the context of security investigations?

Social media posts and online forums content (C)

What is the primary use of OSINT for cyber criminals in reconnaissance and footprinting?

To gather intelligence about target networks and infrastructure. (D)

Which of the following is NOT a typical piece of information obtained through OSINT for planning cyber attacks?

Employee's encrypted passwords (B)

In the context of a Business Email Compromise (BEC) attack, what is the main goal of cybercriminals using OSINT?

To fraudulently obtain funds or sensitive information. (D)

What type of information is typically gathered during OSINT research on a target company?

Organizational structure and key employees (C)

Which of these is a crucial step in employee profiling and reconnaissance conducted by cyber criminals using OSINT?

Analyzing social media profiles for personal information. (D)

Besides employees, what other entities are cyber criminals interested in identifying using OSINT in a BEC attack scenario?

Vendors, suppliers, and business partners. (C)

Why is 'malicious OSINT' particularly concerning for businesses?

Because it relies on freely available information to plan cyber attacks. (C)

How can cyber criminals potentially use the information gathered through OSINT?

To exploit vulnerabilities and maximize the impact of malicious activities. (C)

What is one way OSINT assists law enforcement in identifying suspects?

By cross-referencing information from various open sources. (B)

How does OSINT contribute to threat detection and prevention for law enforcement?

By monitoring social media and online forums for indicators of illegal activity. (A)

In what way does OSINT aid community policing?

By monitoring social media to identify emerging issues and gather feedback. (D)

How does OSINT facilitate intelligence sharing among law enforcement agencies?

By sharing information obtained from open sources. (D)

What capability does OSINT provide in real-time monitoring for law enforcement?

It enables real-time tracking of unfolding events via public media and alerts. (C)

Why is OSINT considered essential for law enforcement agents?

Because it aids in generating leads, collecting evidence, identifying suspects, and responding to emergencies. (B)

Which of the following is NOT a typical benefit of using OSINT in law enforcement?

Guaranteed access to private data without warrants. (C)

How does OSINT help law enforcement in the context of transnational crime and terrorism?

By facilitating collaborative investigations and coordinated operations. (C)

What is the primary reason cybercriminals gather vendor information during the OSINT phase of a BEC attack?

To create spoofed emails that closely resemble actual vendor communications. (B)

Which technique do cybercriminals use to hide their activities during a BEC attack?

Employing virtual private networks (VPNs) and Tor to anonymize their online actions. (D)

How do cybercriminals typically use the information from OSINT during phishing preparations?

To personalize phishing emails, making them more likely to deceive the recipient. (A)

What is the main objective of cybercriminals during the execution phase of a BEC attack?

To initiate fraudulent money transfers or steal sensitive information. (D)

When might cybercriminals exfiltrate sensitive data during a BEC attack?

After successfully compromising email accounts, as part of data theft operations. (D)

What is the primary role of email OSINT in cybersecurity?

To provide insights into threats and vulnerabilities associated with email communications. (B)

What disguises do cybercriminals use in fraudulent emails to impersonate company executives or trusted vendors?

Spoofed email accounts that they control and send from directly. (C)

Which of these would not be part of the typical information revealed by an email header analyzer?

Email recipient content. (A)

What actions do cybercriminals take to avoid detection after the attack is executed?

They delete their phishing infrastructure and discard compromised email accounts. (D)

Which tool is useful for gathering email addresses and subdomains from public sources?

TheHarvester (D)

What is a key sign of a BEC attack in the emails that they send?

Emails containing urgent requests for wire transfers or sensitive data. (A)

What is the main function of Hunter.io in email OSINT?

To search for email addresses associated with a domain name. (B)

What is the primary purpose of using Emailrep.io in email OSINT?

To assess the reputation of an email address. (A)

How does Have I Been Pwned contribute to email OSINT?

By identifying email addresses that have been involved in data breaches. (D)

Which tool is not primarily designed for email address gathering or analysis?

Have I Been Pwned (B)

What is a key benefit of integrating email OSINT into an organization's security operations?

Enhance the ability to detect, prevent, and mitigate cyber threats. (B)

Flashcards

What is Email OSINT?

Email OSINT involves gathering information from publicly available sources to understand email communication patterns, potential threats and vulnerabilities.

Email Header Analysis

Analyzing email headers can reveal information about the sender's mail server, IP addresses, authentication details, and routing information.

TheHarvester Tool

TheHarvester is a command-line tool used for gathering email addresses, subdomains, and other data from public sources like search engines and social media.

Hunter.io Tool

Hunter.io helps you find email addresses associated with a domain. It provides information like email format, sources, and related email addresses.

Emailrep.io for Email Reputation

Emailrep.io assesses the reputation of an email address. It helps identify risky or fraudulent email addresses by checking if they have been associated with suspicious activities.

Have I Been Pwned?

Have I Been Pwned is a free service to check whether an email address has been compromised in any known data breaches.

Importance of Email OSINT

Email OSINT strengthens an organization's ability to anticipate and mitigate cyber risks by providing valuable insights into threats, incidents, and vulnerabilities.

Email OSINT in Security Operations

Integrating Email OSINT into security operations allows organizations to detect, respond to, and mitigate cyber threats effectively.

Open-Source Intelligence (OSINT)

Using publicly available information from sources like social media, news articles, and public records to gather intelligence and investigate.

Cross-Referencing Information

Involves checking information gathered from social media against other reliable sources to confirm identities or gain more context.

Collection of Evidence

Collecting screenshots and other evidence from social media to document cyberbullying, including offensive messages and posts.

Reporting to Authorities

Reporting cyberbullying incidents to law enforcement agencies or social media platforms, providing them with detailed information and evidence collected through OSINT.

Investigative Leads

OSINT helps law enforcement agents discover potential leads and valuable information to start and progress investigations.

Digital Footprint Analysis

OSINT allows law enforcement to examine a suspect's online behavior, interests, and connections, helping them create a profile and develop a strategy for the investigation.

Evidence Collection

OSINT contributes to gathering evidence in criminal cases by using information from open sources like photos, videos, and messages.

Prosecution Support

OSINT can be crucial in securing convictions and prosecuting criminals by providing strong evidence derived from public sources.

How does OSINT help with suspect identification?

OSINT helps law enforcement identify suspects by using open source information to uncover their true identity, track their movements, and locate their whereabouts, aiding in apprehension and prosecution.

How does OSINT help detect and prevent threats?

OSINT helps law enforcement monitor social media and online forums to identify potential threats to public safety, assess their credibility, and take proactive measures to mitigate risks.

How does OSINT support community policing?

OSINT helps law enforcement engage with the public, gather feedback, and address community concerns. By monitoring social media, agencies can identify emerging issues and build positive relationships.

How does OSINT support intelligence sharing and collaboration?

OSINT facilitates intelligence sharing and collaboration among law enforcement agencies. Agencies share information obtained from open sources to coordinate investigations and address transnational crime and terrorism threats.

How does OSINT support real-time monitoring and response?

OSINT provides real-time monitoring capabilities for law enforcement to track unfolding events, emergencies, and incidents. By monitoring social media and news feeds, agents can stay informed about developing situations and deploy resources accordingly.

What are the key benefits of OSINT for law enforcement?

OSINT is crucial for law enforcement as it provides investigative leads, evidence, suspect identification, threat detection, community engagement, intelligence sharing, and emergency response capabilities.

OSINT for Target Company Research

Cybercriminals use OSINT to gather information about a target company's organizational structure, key employees, business partners, vendors, and financial activities.

OSINT for Employee Profiling

Cybercriminals use OSINT to gather information about key employees, including executives, finance personnel, and IT administrators.

OSINT for Vendor and Partner Identification

Cybercriminals use OSINT to identify vendors, suppliers, and business partners associated with the target company.

OSINT for Financial Intelligence

Cybercriminals use OSINT to find out about the company's financial activities, including transactions, payment methods, and bank details.

OSINT for Vulnerability Assessment

Cybercriminals use OSINT to gather information about the company's security posture, identifying potential vulnerabilities.

OSINT for Communication Analysis

Cybercriminals use OSINT to analyze the target company's communication channels, looking for ways to manipulate communication.

OSINT for Social Engineering

Cybercriminals use OSINT for social engineering, manipulating employees to gain access or reveal sensitive information.

OSINT for Target Company Profiling

Cybercriminals use OSINT to create a detailed profile of the target company, which helps them to plan and execute the attacks.

OSINT in Security

Gathering information from publicly available sources to understand cyber threats, vulnerabilities, and attacker tactics, methods, and tools.

Identifying Security Vulnerabilities using OSINT

OSINT helps security professionals identify weak points in an organization's defenses by analyzing publicly available information.

Understanding Attacker Tactics with OSINT

OSINT allows security teams to learn what attackers are doing, how they operate, and what techniques they use.

Predicting and Preventing Attacks with OSINT

OSINT enables security professionals to gain insights into the intentions and actions of adversaries, helping in the development of proactive security strategies.

OSINT in Security Investigations

OSINT supports investigations by providing leads, evidence, and information about suspects.

OSINT in Competitive Intelligence

Gathering competitor intelligence through public sources like websites and press releases to understand their strengths and weaknesses.

OSINT for Security Policy Development

OSINT helps build better security policies by highlighting emerging threats and trends in the cyber security landscape.

OSINT in Crisis Management

OSINT can provide real-time updates on emergencies and critical incidents, helping security professionals coordinate responses.

Vendor Impersonation

Cybercriminals gather information about a target company's vendors, including contact details, invoicing procedures, and payment terms, to create convincing impersonations for their attacks.

Spoofed Email Attack

Cybercriminals send spoofed emails, appearing to be from company executives or trusted vendors, to employees of the target company. These emails typically contain urgent requests for wire transfers, payment updates, or sensitive information.

Personalized Phishing

Cybercriminals use OSINT to gather information about a company's executives and employees, including their names, job titles, and communication habits, to personalize phishing emails and increase the likelihood of success.

Anonymization Techniques

Cybercriminals utilize techniques like virtual private networks (VPNs) or Tor to disguise their online activities and hide their location during the attack.

Covering Tracks

Cybercriminals delete any evidence of their malicious activities, such as phishing infrastructure or compromised email accounts, to avoid detection and attribution.

Exploiting Trust and Authority

The success of a BEC attack hinges on the ability of the cybercriminals to exploit trust and authority within the target company. They leverage the perceived legitimacy of their impersonations to persuade employees into taking actions that benefit the attackers.

Fraudulent Transactions and Data Theft

Once an email account is compromised, cybercriminals can initiate fraudulent wire transfers, diverting funds to their own accounts or exfiltrating sensitive information like financial records, customer data, or intellectual property.

OSINT in Cybercrime

The incident illustrates the need for organizations to be vigilantly aware of the threats posed by OSINT-based BEC attacks and to implement strong security measures to mitigate these risks.

Study Notes

Open Source Intelligence (OSINT)

  • OSINT is the collection and analysis of publicly available data to produce actionable intelligence.
  • It is used in national security, law enforcement, and business intelligence.
  • It's a modern method for gathering information about a specific target for a specific purpose.

OSINT Tools (Email)

  • Email Header Analyzer: Tools like MXToolbox's Email Header Analyzer and WhatIsMyIPAddress allow analysis of email headers to extract information about the sender's mail server, IP addresses, authentication details, and routing information.
  • TheHarvester: An open-source tool for gathering email addresses, subdomains, and other information from public sources like search engines, social media, and PGP key servers.
  • Hunter.io: Offers a free plan to search for email addresses associated with a domain name, providing email format, source, and related email addresses.
  • Emailrep.io: A free email reputation assessment tool that provides information about the reputation of an email address (whether malicious or associated with suspicious activities).
  • Have I Been Pwned: Free service to check if an email address has been involved in a data breach.
  • Google Advanced Search: Advanced search features to find publicly available information associated with an email address (e.g., online profiles, social media accounts, forum posts).

OSINT Framework

  • A framework with links to various tools and resources for email investigations: email header analysis, tracking, verification, and other related tasks.
  • While not as sophisticated as their commercial counterparts, free tools remain valuable for gathering publicly available information.

Email Case Scenario: Phishing Attack Investigation

  • Background: Employees report suspicious emails resembling IT department communications, requesting sensitive information (logins, financial details). The incident raises concerns about security breaches and data leaks, suggesting a coordinated cyberattack.
  • Objective: Employ email OSINT to determine the phishing email source, gather intelligence on attackers, and mitigate the ongoing threat to cybersecurity.

Email Case Scenario: Investigation Steps

  • Email Header Analysis: Analyze phishing email headers to extract information on the sender's infrastructure (IP addresses, domain names, and mail servers).
  • Domain Analysis: Investigate domain names, links and URLs in the phishing emails to understand registration, ownership, hosting providers, and historical activity.
  • Sender Attribution: Attempt to attribute the phishing email sender by tracing email infrastructure to the source (potential threat actors).
  • Content Analysis: Analyze phishing email content including language, formatting, and embedded attachments/links, looking for common phishing tactics.

OSINT in Law Enforcement

  • Investigative Leads: OSINT provides leads for investigations by gathering information from social media, news articles, and online databases to identify suspects, uncover criminal activities, and connect individuals within criminal networks.
  • Digital Footprint Analysis: Examining digital footprints of suspects (social media profiles, online forums) to understand behaviour, interests, associations, and activities, supporting profiling and investigative strategy development.
  • Evidence Collection: OSINT contributes to evidence collection using photos, videos, messages, and online transactions to support cases and obtain warrants, crucial for securing convictions.
  • Suspect Identification: OSINT supports identifying suspects operating under pseudonyms or false identities by cross-referencing information from various sources to identify true identities and track movements.
  • Threat Detection and Prevention: OSINT helps in detecting and preventing threats to public safety by monitoring social media and online forums for indicators of criminal or terrorist activities, assessing their credibility, and taking proactive measures.
  • Community Policing and Engagement: Facilitating community policing efforts by engaging with the public, gathering feedback, and addressing community concerns.
  • Intelligence Sharing and Collaboration: Sharing intelligence and collaborating among law enforcement agencies.
  • Real-time Monitoring and Response: Monitoring social media, news feeds, and public alerts in real time to provide timely and effective responses to developing situations.

OSINT for Security Professionals

  • Threat Intelligence: OSINT provides valuable insights about emerging threats, vulnerabilities, and potential risks to security.
  • Risk Assessment: OSINT enables comprehensive risk assessments (analyzing geopolitical developments, criminal activities).
  • Situational Awareness: OSINT enhances situational awareness by providing real-time updates on events, giving security professionals the ability to respond in a timely and effective manner.
  • Security Operations Support: Supporting security operations by providing intelligence into threat actors’ actions (hackers, criminals, hostile actors), identifying attack vectors, and developing countermeasures.
  • Investigative Support: Supporting security professionals conducting investigations into security incidents, breaches, and suspicious activities.
  • Crisis Management: Facilitating real-time information and situational updates during emergencies and critical incidents.
  • Competitive Intelligence: Gathering insights into rival organizations, competitors, and industry trends.
  • Policy and Strategy Development: Informing security policies, strategies, and best practices, identifying gaps in existing measures and developing proactive strategies.

Malicious OSINT

  • Cybercriminals use OSINT for target identification, attack surface enumeration, vulnerability discovery, social engineering, phishing and spear phishing, credential harvesting, exploit development, and reconnaissance/footprinting.
  • The process for Business Email Compromise (BEC) attacks involves OSINT research, employee profiling, vendor/partner identification, email spoofing and phishing preparation, execution, and fraudulent transactions.
