
About This Club

OSINT Resources, Techniques and Discussions.

  2. OSINT Tools collections:
     - Verification Toolset: https://start.me/p/ZGAzN7/verification-toolset
     - Mapping & Monitoring: https://start.me/p/7k4BnY/mapping-monitoring
     - Tools: https://start.me/p/Wrrzk0/tools
     - Search Engines: https://start.me/p/b56G5Q/search-engines
     - Social Media Dashboard: https://start.me/p/m6MbeM/social-media-intelligence-dashboard
     - Threat Intel, OSINT and malware investigation resources: https://start.me/p/rxRbpo/ti
     - AML Toolbox: https://start.me/p/rxeRqr/aml-toolbox
     - Technisette collection: https://start.me/p/wMdQMQ/tools
     - Ph055a collection: https://github.com/Ph055a/OSINT-Collection
  3. The man will not be silenced! It IS a thing of beauty already, isn't it?
  4. vendor-myth-busting should be an after-school club for CS students or a scout badge.
  5. A wide variety of tasks, from adversarial hunting to footprinting and, more recently, vendor deep dives. For example:
     - Vendor says they use a unique custom container approach to stop all malware from being an issue.
     - Me: spends 24 minutes to find out that actually they use React, Python, Ruby and ESXi and some bubble gum, an old loo roll and hope and prayers.
  6. The Admiralty System is one I use a lot, but it can be subjective and also a lot of work to get right. Over the years of doing this, I looked for inspiration from those who really pioneered this space and actually shared stuff, such as the CIA and other agencies. The CIA is actually phenomenal in this regard: this document, titled 'A Tradecraft Primer: Structured Analytic Techniques for Improving Intelligence Analysis', has been hugely influential in helping develop my own approach and methodologies. Using this approach, with the Admiralty System to score each source and piece of intel, I found I ended up with a smaller subset of sources, but ones that produced far higher value intel as a result. Page 17 really hammered home the use of contrarian techniques to determine if a source is good or not based upon what it was showing you. As I said earlier, the CIA releases many informative articles and papers on the subject, and if you haven't read them yet, I urge you to. For example, Sailing the Sea of OSINT in the Information Age by Stephen C. Mercado, which is a great read. I'm keen to hear how others approach this too.
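As an added illustration of the Admiralty grading the post above describes (my own code, not the poster's or any project's): a small Python routine that parses source-reliability/information-credibility codes such as B2, treats the "cannot be judged" grades (reliability F, credibility 6) as unscored rather than as zero, ranks sources by the mean score of their judged items, and keeps only those above a cutoff, which is the "smaller subset of higher-value sources" effect the post mentions. The letter/number scale is the standard NATO one; the numeric weights, the product scoring, the cutoff and the sample items and source names are assumptions made for this example.

```python
"""Admiralty-code scoring of OSINT items (added example; weights and samples are assumed)."""

# NATO Admiralty scale. Reliability F and credibility 6 mean "cannot be judged",
# so they map to None and are excluded from averages rather than scored as zero.
RELIABILITY = {"A": 5, "B": 4, "C": 3, "D": 2, "E": 1, "F": None}
CREDIBILITY = {"1": 5, "2": 4, "3": 3, "4": 2, "5": 1, "6": None}


def parse_grade(grade):
    """Split a code such as 'B2' into (reliability_weight, credibility_weight)."""
    grade = grade.strip().upper()
    if len(grade) != 2 or grade[0] not in RELIABILITY or grade[1] not in CREDIBILITY:
        raise ValueError(f"not an Admiralty code: {grade!r}")
    return RELIABILITY[grade[0]], CREDIBILITY[grade[1]]


def item_score(grade):
    """Score one item in 0..1, or None when either axis cannot be judged.
    The product weighting is an assumption for this example, not part of the standard."""
    r, c = parse_grade(grade)
    if r is None or c is None:
        return None
    return r * c / 25.0


def rank_sources(items, min_judged=2):
    """items: iterable of (source_name, grade). Returns
    [(source, mean_score, judged_count, unjudged_count)] sorted best-first,
    dropping sources with fewer than `min_judged` scorable items."""
    per_source = {}
    for source, grade in items:
        per_source.setdefault(source, []).append(item_score(grade))
    ranked = []
    for source, scores in per_source.items():
        judged = [s for s in scores if s is not None]
        if len(judged) < min_judged:
            continue  # too little evidence to rate the source at all
        mean = round(sum(judged) / len(judged), 3)
        ranked.append((source, mean, len(judged), len(scores) - len(judged)))
    ranked.sort(key=lambda row: row[1], reverse=True)
    return ranked


def shortlist(items, cutoff=0.5, min_judged=2):
    """Sources worth keeping: enough judged items and a mean score at or above `cutoff`."""
    return [src for src, mean, _, _ in rank_sources(items, min_judged) if mean >= cutoff]


# Constructed sample: (source, grade) pairs as an analyst might record them.
SAMPLE_ITEMS = [
    ("vendor-blog", "B2"), ("vendor-blog", "B1"), ("vendor-blog", "C3"),
    ("paste-site", "F6"), ("paste-site", "E4"), ("paste-site", "D3"),
    ("forum-x", "C2"), ("forum-x", "F3"),   # only one judgeable item
    ("single-tip", "A1"),                    # excellent, but a single data point
]

if __name__ == "__main__":
    for row in rank_sources(SAMPLE_ITEMS):
        print(row)
    print("shortlist:", shortlist(SAMPLE_ITEMS))
```

The `min_judged` floor matters in practice: a single A1 item says nothing about a source's consistency, so the example refuses to rank a source until it has a couple of judgeable items, and it reports the unjudged count separately so an analyst can see how much of a source's output could not be assessed.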
  7. Hey folks, I'm sure that everyone in this club can agree that OSINT can be a very powerful force-multiplier in infosec, but how do y'all manage the collection of OSINT? Specifically, is the collection effort indexed and evaluated in a way that infosec teams (whether SMB or major-enterprise level) can go back and look at the efficacy, integrity, and veracity of said collection effort? Do y'all use frameworks such as the Admiralty System to evaluate OSINT data?
  8. Hi all (thanks Daniel Cuthbert for the invite code), I'm the CEO of Intel 471. I'm happy to answer any questions anyone has here.
Yes, everything of ours is searchable in our platform, which has a portal and RESTful API. 30-day no-cost POCs are common throughout the CTI industry. Our website is 100% marketing (no corporate website isn't 😉) but there's nothing untrue on there.
We have a very experienced and globally dispersed intelligence team which comprises former security service, military and law enforcement folks. We have folks in Eastern Europe, Western Europe, the Middle East, Asia, Latin America and of course the US. My own background is software engineering and I'm former Australian Federal Police and iSIGHT Partners (now FireEye). Our COO is a former Marine (HUMINT), FBI contractor and iSIGHT Partners as well.
Monitoring the underground (I hate the term deep and dark web with a passion) is difficult, time consuming and expensive. Ultimately you need people who are actively in there daily in order to identify threat actors of interest (and engage with them as frequently as needed) as well as driving where automated collection (scraping) can be directed. Scraping a website and dumping it to text is very easy, but doing it on a large number of criminal forums/marketplaces at scale whilst maintaining the structure is technically and operationally difficult. The team that does this at Intel 471 is the only team with permanent vacancies.
Running long-term personas in the underground and doing engagements (online HUMINT) is our bread and butter as well. It takes very skilled and experienced people to do this over long periods of time without getting burned.
Feel free to contact us via our website and someone will reach out asap.
Regards, Mark Arena, Intel 471
  9. Hunter.io is a decent resource to find email addresses associated to businesses. I have only used the free searches and can't vouch for paid services.
  10. I revisited this discussion and researched Intel 471 a bit. They look cool. Can you tell us a bit more regarding what you know about them, and what prompted you to give them a special mention?
They provide "Adversary Intelligence" and "Malware Intelligence"; both could be useful, depending on how the datasets are presented.
Adversary Intelligence data sheet: https://intel471.com/Adversary%20Intelligence%20-%20Mar%202019.pdf
Deliverables within Adversary Intelligence include:
     - Automated forum/marketplace collection
     - Intelligence Bulletins
     - Information Reports
     - Situation Reports (SITREPs)
     - Underground Perspectives
     - Spotlights
     - Intelligence Briefings
     - Requests for Information (RFIs)
The 'Adversary Intelligence' sounds like it could be useful for what we discuss in this thread:
     - Tracking dark web forum and marketplace activity
     - Gaining insight through context-specific and industry-specific reports on cybercrime activities
     - Unique insight into closed-source datasets (discussions, groups, whatever)
I'm really interested to know if they have a searchable database of their datasets, like competitors such as DarkOwl. This doesn't exactly seem clear... I guess I'll have to ask.
Malware Intelligence data sheet: https://intel471.com/Malware%20Intelligence%20-%20Mar%202019.pdf
Features include:
     - Malware intelligence reports
     - YARA rules
     - IDS signatures
     - TTP information
     - Malware and botnet configuration information including webinjects
     - Malware command and control (C&C) commands
     - File and network based indicators
     - Everything mapped to MITRE's ATT&CK framework
Well, I won't get into the 'Malware Intelligence' much on this thread; this is information that should be discussed elsewhere, perhaps in the near future.
But I wanted to say that I really like that they track active malware campaigns, identify the malware (with their TTPs and IOCs), and even map out the malware to MITRE's ATT&CK framework; for a threat intelligence specialist, this is extremely useful. I'm definitely going to take a note of this. Also, the backgrounds that Intel 471 claims their intelligence operators possess, well, it's incredible. I'm not sure if it's just marketing or what, but if this is legit, then colour me impressed; I hope their product is as good in quality as their claims.
  11. worth watching this page - https://raidforums.com/Announcement-Database-Index-CLICK-ME
  12. I think that we are discussing different types of credential leaks; I was initially focusing on standard account leaks from various websites, like what we normally see appear on Have I Been Pwned and others. Although, in terms of validation of data legitimacy, the same constructs apply (i.e. test a subset of credentials, identify correlated users on a website, or whatever).
That said, it seems challenging to "scan" for anything beyond this, including alleged internal network access; you comment on this by indicating that it would render these credentials useless. I mean, if you clearly state that you are selling access to a company's network, then they will be tipped off pretty quickly within the same day by threat intelligence analysts; if not that, the media will kindly inform them in the following days via VICE or something. To even identify what is impacted, you'd have to actually buy the dataset or account access. When I commented on the "weak" data leak detection capabilities of these services, I was only referring to what we'd normally see on generic data trading communities and forums. Sorry if I am rambling or misunderstood something here. I want to keep the conversation flowing.
Automated scraping definitely won't do the trick if the goal is to "detect breaches" as an "alert service". Going back to my point earlier in this thread, we still should check what these scrapers find for the sake of due diligence; after all, it would be quite embarrassing if we, as threat intelligence analysts, missed something that is seemingly in clear view to public-ish communities.
HUMINT is absolutely necessary to maintain good intelligence capabilities. We need to create and maintain personas, and understand the markets and crime rings that we are monitoring, first-hand. Without this, we won't know what it is that we are actually looking for.
When time frees up, I think I'll make another thread about persona creation for the purpose of threat intelligence operations; this could be another fun discussion, if others are also interested.
By the way, I don't blame you for not liking "breach credential alert" services. Externally, looking at data leaks on the web, this isn't terribly challenging. Internally, though, that's a different story. Hopefully with more discussions like these, we as a community can innovate and build more reasonable, better services to help protect people and businesses. Thank you for taking the time for your thought-out reply; in fact, I prefer this approach to controversial discussions.
  13. Like I said in my reply, this isn't as clear cut; let me elaborate if I may?
I'm a seller of leaked credentials, be it a chap who's just breached loads of corporate networks and acted in a sleeper fashion, undetected for months, to harvest a nice bounty. I now need to monetise this, so I either head to the most popular market to flog them or I hand them off to a number of reputable brokers to do it for me and charge me a fee. These brokers usually test a subset of credentials to confirm they are legitimate and assign a value (higher value target, price goes up etc.).
Now here's the tricky part. The TI industry has tipped their hands by being very proactive in advertising their capability to scrape markets for stolen credentials. It's a legitimate worry for all, so many saw a business opportunity and started to do the same. A functional spec was drawn up for a scanner, they registered a load of accounts on these markets, fed those creds into the scanner(s) and harvested away.
Thing is, many underestimate the markets and those running them. As Kevin can attest, you can see behavioral patterns from users acting outside of the norm. For example:
     - A newly registered user account, potentially with a randomly generated username, logging in and then performing hundreds, if not thousands, of requests impossible for a human to do.
     - Those user accounts don't act like normal users. There are limited, or no, interactions with other users.
     - The requests themselves often have signatures like that of a script or bot.
Site owners are well aware of these and indeed so are sellers and brokers, so we have a cat and mouse game in play. What the broker or seller won't do is jeopardise the sale by giving away too much information. They know if they advertise MAJOR org in a thread with known bots or scrapers, it will mostly start a reaction rendering the goods rather useless.
What typically happens are deals making use of brokers known to those on either side, buyer and seller, and comms are usually made via introductions to confirm either party is legit, and then deals are made outside of the main forum. Now I will say, many deals do happen in full view of everyone and that's good, as we get some indication by the scrapers as to who might have issues.
It's really hard for any provider to effectively perform HUMINT operations at scale without tipping their hand or getting burned. Some are very good at it and have adapted their technology and approaches, but at the same time the criminals themselves are seemingly good at watching what everyone does, as no-one really wants to go to jail.
As you might have noticed, I'm not a huge fan of said 'breach credential alert' services as I know from experience how hard they are to get right, to build and to keep running. You'd be better off looking at your own credential store(s) and having monitoring capabilities that alert when anything out of the norm happens (such as dumping of many users over X minutes, or concurrent access by a single user and so on).
Apologies for the long reply.
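As an added example (my own code, not the poster's or any vendor's) of the monitoring over your own credential store that the post above recommends: two checks run over constructed audit lines of the form `<timestamp> <actor> <action> <target> <source-ip>`, one flagging an actor that reads an unusually large number of distinct user records within a time window (the "dumping of many users over X minutes" case), the other flagging an account that is active from more than one source address within a window (the "concurrent access by a single user" case). The log format, the window sizes, the thresholds and the sample lines are all assumptions for this illustration; a real deployment would read its directory or database audit trail and tune the thresholds to its own baseline.

```python
"""Two 'out of the norm' checks over a credential-store audit log (added example;
log format, thresholds and sample data are constructed for illustration)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed line format: "<ISO-8601 time> <actor> <action> <target> <source_ip>"
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")


def parse_line(line):
    """Return an event dict for a well-formed line, or None so junk lines are skipped."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, actor, action, target, src = m.groups()
    try:
        when = datetime.fromisoformat(ts)
    except ValueError:
        return None
    return {"ts": when, "actor": actor, "action": action, "target": target, "src": src}


def parse_log(text):
    events = [e for e in (parse_line(l) for l in text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])  # the sliding windows below assume time order
    return events


def detect_bulk_reads(events, window=timedelta(minutes=10), threshold=100):
    """Flag an actor once when it reads >= `threshold` distinct records inside `window`."""
    alerts, flagged = [], set()
    recent = defaultdict(deque)  # actor -> deque of (ts, target) inside the window
    for e in events:
        if e["action"] != "read":
            continue
        q = recent[e["actor"]]
        q.append((e["ts"], e["target"]))
        while q and e["ts"] - q[0][0] > window:
            q.popleft()
        distinct = {t for _, t in q}
        if len(distinct) >= threshold and e["actor"] not in flagged:
            flagged.add(e["actor"])
            alerts.append({"rule": "bulk_read", "actor": e["actor"],
                           "count": len(distinct), "at": e["ts"]})
    return alerts


def detect_concurrent_access(events, window=timedelta(minutes=30)):
    """Flag an account once when it is active from more than one source address inside `window`."""
    alerts, flagged = [], set()
    recent = defaultdict(deque)  # actor -> deque of (ts, src) inside the window
    for e in events:
        q = recent[e["actor"]]
        q.append((e["ts"], e["src"]))
        while q and e["ts"] - q[0][0] > window:
            q.popleft()
        sources = {s for _, s in q}
        if len(sources) > 1 and e["actor"] not in flagged:
            flagged.add(e["actor"])
            alerts.append({"rule": "concurrent_access", "actor": e["actor"],
                           "sources": sorted(sources), "at": e["ts"]})
    return alerts


def build_sample_log():
    """Constructed audit lines: a normal user, a bulk export, and one account on two IPs."""
    base = datetime(2019, 8, 1, 9, 0, 0)
    stamp = lambda t: t.strftime("%Y-%m-%dT%H:%M:%S")
    lines = [f"{stamp(base + timedelta(seconds=i))} alice read user:{name} 10.0.0.5"
             for i, name in enumerate(["bob", "carol", "dave"])]
    lines += [f"{stamp(base + timedelta(minutes=5, seconds=2 * i))} svc-export read user:u{i:03d} 10.0.0.9"
              for i in range(60)]
    lines += [f"{stamp(base + timedelta(minutes=10))} bob login - 10.0.0.7",
              f"{stamp(base + timedelta(minutes=12))} bob read user:bob 10.0.0.7",
              f"{stamp(base + timedelta(minutes=15))} bob login - 203.0.113.8",
              "this line is malformed and is ignored"]
    return "\n".join(lines)


if __name__ == "__main__":
    evs = parse_log(build_sample_log())
    for alert in detect_bulk_reads(evs, threshold=50) + detect_concurrent_access(evs):
        print(alert)
```

Each rule fires at most once per actor, so a single export of 60 records produces one alert rather than one per record past the threshold. Counting distinct targets rather than raw requests keeps a user who re-reads their own record in a loop from tripping the bulk rule, and the concurrent-access rule counts any activity, not just logins, so a session hijacked mid-way still shows up as two addresses in one window.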
  14. Peter, thank you for taking the time to thoughtfully provide feedback on this subject! I will address each of your points.
1. h8mail. This looks like a great tool for querying several of these APIs at once; I will definitely have to test this out. I like that it has capabilities to query so many different solutions, popular and alternative alike. I'm curious to see if it can take the output of searching multiple services (i.e. the domain search function) and combine the unique results into one (or if I'll have to do this myself).
2. AIL framework. I immediately like that it possesses capabilities to monitor paste sites like Pastebin (Pro); I wonder how it fares with alternatives like Slexy, etc. Anyway, there is a lot to take in here, so I'll have to do a careful analysis of AIL framework's capabilities and come back around with a new discussion on this. It seems like it does a lot!
3. "Digital Risk Protection" report. Have you actually read Forrester reports before? It is hard to justify a USD$499 price tag unless this is well vetted and the content seems more clear. If you could elaborate on the contents of this type of report, then maybe it will become justifiable for myself and the other intelligence operators reading this.
4. RecordedFuture services. Did they actually give you a trial period? I contacted them months ago (actually, last year) and they did not want to give me a day to try their services for free. They seemed more inclined to do an analysis on my behalf, then give me the report findings as a proof-of-concept, but I prefer to do these things myself. I'd love to hear more about your experience with RecordedFuture, and how they fare in the market. On your point of RecordedFuture having "weak" capabilities on leaked credentials, this is no surprise to me, since this appears to be the same with their competitors as well (i.e. DarkOwl).
Can you be truly controversial here? Yes, certainly, we are "professionals" after all. We need to talk about this stuff. In fact, I agree with you that Dark Web intelligence capabilities are overhyped in the market. The other fact of the matter is that businesses still demand these services, and desire the reassurance that there are no sensitive exposures relating to their name on the Dark Web (forums, marketplaces, other communities), so we as threat intelligence specialists must have solutions put in place to realize this reassurance. The purpose of monitoring the Dark Web is more for "due diligence" than "true capabilities" in my eyes, and hey, you never know, it might pay off every now and then. Perhaps non-cybersecurity companies should not blow their budget on Dark Web capabilities, but for cybersecurity-centric companies providing managed services... well, then perhaps it is worth budgeting for Dark Web capabilities so that you can provide this level of "due diligence" for client businesses across the board, at a fraction of the cost of what it would be for them to purchase and operate their own utilities independently. This is just my perspective though; I welcome you, and anyone else, to push back on this. Let's debate, since no one else seems to have responsible and knowledgeable discussions on this important, expensive matter (FYI, as you probably know, these services normally cost USD$40,000 - USD$500,000 depending on what you are looking for).
Monitoring for actual breaches. In short, yes, I agree with your take. We must monitor websites such as Exploit.In, RaidForums, and other breach sharing sites, in addition to traditional paste websites (i.e. Pastebin, Slexy, etc.). I was thinking that PasteHunter (thanks Kev) would be a good solution for paste collections and analysis, per the thread here (and my own research). As for RaidForums, other breach sites, and ExploitIn, we will have to find another method to automate the collection of data from these websites to turn them into actionable intelligence. To some degree, manual analysis is OK, but not ideal long-term. And I'm something of a glorified script kiddie, so I'm just doing my best here!
Scraping all the things! (forums and markets). Yep, we gotta be careful about these operations... and also, come on, have some respect that real administrators gotta deal with spam! Just because they're crime ring operators doesn't mean they need us DDoS'ing them! Haha. I have a pretty good set of lists available, but yeah, keeping up with them is hard and the search engines (special mention to Ahmia and their competitors) are helpful, but not fully complete.
Commercial Threat Intelligence feeds. Thank you for the special mention of Intel471; I will give them some time of day and do a bit of research. I'd love to try RecordedFuture, but I need to justify buying their services. I would really like a trial period with them. Anyway, I'll take note of both of these. Additionally, I'm looking at a local commercial TI feed solution; they're newer, so I'm a bit nervous. What concerns would you personally have with trying a local solution for commercial threat intelligence services (for Dark Web specifically)? I am going to demand a trial period (even if we have to pay), so hopefully I'll be able to comment on my experience later. RecordedFuture and other popular solutions are great, but helping the local businesses and local economy (and keeping your information within your country's jurisdiction) is a nice formality as well.
I have more to say, and may speak more on your discussed points later, as I left some things out. But Daniel, I sincerely thank you for the time that you've spent discussing this subject with me.
  15. You say that this is only a work in progress? This is incredible! This looks pretty complete to me, but if it is not, then that is even better since it is an indication of there being more to come!
  16. Can I be truly controversial here? The whole darkweb as a criminal platform is grossly overhyped, mostly by threat intel firms who tried, and often failed, at building scrapers to look for information. As someone who spent years tracking and mapping onions, I can say that for those involved in wholesale breach data collection and dissemination, the onion route is not the place you use. Mostly for a number of reasons, but mainly:
     - It's mostly full of TI firms scraping the crap out of what you do
     - It's a bitch to use, no matter what anyone says
     - The criminal communities already have well-established places to sell this, with structure and heritage
Now, your request to monitor for details about breaches would be better directed to places where that actually occurs.
https://exploit.in/ The daddy of all criminal networks. Yes you need to speak Russian and yes it is membership driven. Be warned, levels 1-9 are mostly threat intelligence analysts all chatting to each other with their carefully curated personas whilst thinking they are deep inside a criminal conspiracy and scraping the shit out of the site looking for actors. It's only when you go above the higher levels that you actually see real stuff, and that requires vetting from those with a high reputation, a fee, and you to be an actual criminal with proof.
There are others; they come and go, and whilst some are on the dark web, they aren't really big players, but for reference:
http://omertavzkmsn6tp6.onion/ 100 USD to join, a mix of finance and creds but mostly more finance now as it's easier to monetise in a shorter period than creds.
http://wallstyizjhkrvmj.onion/ Wall Street Market was pretty good but they found out that OPSEC is hard and web application security even harder and they got a visit from LE.
The biggest issue with scraping the dark web is that you need a list of every forum offering said services. You can use Ahmia to see who is leaking it via headers and titles, and then write a scraper using Python and Scrapy, register an account, don't go all gung ho and scrape the shit out of the site (hello TI peeps, learn to randomise your scraping so as to not look so blatant), but again this requires a considerable amount of effort, trust me. Now there are plenty of other scam sites and most of them are honeypots, or ones created by TI firms, or just flat out scams, so I'd spend a month writing them all with no value if I'm honest.
Why most use exploit.in is that it has structure, it has verification of sellers and their warez and it also has tribunals one can go to if they purchase bad goods and want to make a complaint. This is something that others do not have, and whilst many report on the fact that the criminal markets are the wild west, there is structure and organisation, and buyers and sellers need to be able to trust each other to a degree.
So if I was to use a TI feed to do all the scraping, collating and analysing, there would really be only one, and that's https://www.recordedfuture.com/. I have known them for a very long time, I've helped them with their dark web datasets and also use them, so I know the quality of the intel they have. Another firm who specialises in the criminal markets, Intel471, deserves a mention.
To sum up, I hope this was somewhat useful? A lot of FUD and utter crap has been marketed by many who offer such dark web monitoring and it's all mostly shit. They either use commercial feeds such as RF or Intel471 or they've thrown together a tool based upon the amazing work Sarah has done with https://github.com/s-rah/onionscan/graphs/contributors
  17. There are many points that I can suggest:
     - If you're looking for a way to identify and verify leakage of credentials, khast3x/h8mail already includes the APIs that you're talking about.
     - A bit difficult to properly set up, but CIRCL/AIL-framework will help you identify a surface of the darkweb. It automatically scrapes pastes from many sources to identify `.onion` addresses, and roughly scrapes each page again to find specified keywords.
     - There is research on the "Digital Risk Protection" market by Forrester which will help find and compare each vendor on the market.
     - Just had a small session with RecordedFuture a little while ago and found that it didn't find the same amount of leaked credentials based on email address compared to HaveIBeenPwned. So, you must request a PoC or trial if you need to know the true capabilities of the platform.
  18. What solutions exist for dark web monitoring? Both commercial and open-source (regardless of cost). I'd like to monitor for threat detections that may exist in dark web oriented communities by searching for any mentions of a company's name in third-party data breach leaks, dark web search engines, dark web forums, and dark web marketplaces. Money is no issue.
For data dumps + credentials (don't shame me for calling these 'dark web' oriented):
     - Have I Been Pwned API
     - WeLeakInfo API
     - DeHashed API
     - SnusBase API
For general dark web forums and marketplaces, it seems that commercial solutions are the way to go:
     - DarkOwl
     - RecordedFuture (kind of)
     - Flashpoint-Intelligence as well
I'd like to emphasize third-party commercial platforms that are capable of monitoring dark web forums, marketplaces, and ideally more community types that I did not mention. I haven't seen any discussions in security communities covering this, and this discussion will surely help some threat intelligence analysts and leaders somewhere in the world.
What other solutions exist for "dark web" monitoring, based around the topics discussed in this post? How does your company monitor for "dark web" threats? Let's get creative!
  19. Personally, I believe that marketing platforms are great for social media intelligence (SOCMINT) operations. I've used Mention.com and Brand24.com, and while they may require some paid subscriptions for good features, they are fantastic for monitoring social media mentions. To compare the options available, view this community spreadsheet: https://docs.google.com/spreadsheets/d/1Jb47lzecX0D-ZCs5oh-9SqClFOjme1g9tjiCHpPO7BY/edit#gid=0
  20. Mike Bazzell is working on a new OSINT packet. It's pretty great already but is a work in progress. https://inteltechniques.com/JE/OSINT_Packet_2019.pdf
  21. These popped up in my LI feed today; looked interesting: https://start.me/p/ZME8nR/osint https://start.me/p/8yN1wM/cyber-investigations-research
  22. For (getting around the recent changes on) Facebook, I highly recommend reading through the long but comprehensive post on Osintcurio.us about the changes and the techniques behind the tools. Facebook is going to continue disrupting the easiest and most popular tools in the name of their new 'Privacy' campaign. But with an understanding of the searches we should be able to keep rebuilding our techniques after they make these annoying changes: https://osintcurio.us/2019/08/22/the-new-facebook-graph-search-part-1/ https://osintcurio.us/2019/08/22/the-new-facebook-graph-search-part-2/ Since Inteltechniques search tools went behind the paywall, I updated my own go-to collection of resources on my blog (it has a little bit of everything): https://www.learnallthethings.net/osint-resources -J
  23. This may go way off in the weeds, but I'm currently researching the Tenebris Linken Sphere browser for OSINT purposes. Cyber criminals are using this browser against anti-fraud measures by simulating the digital fingerprint of a compromised user's device. In theory, if they have a user's digital fingerprint and credentials they have more of a chance of bypassing anti-fraud measures for committing online fraud. (https://securelist.com/digital-doppelgangers/90378/) <-- info on how threat actors are using the browser at that link. In theory the same detection measures that are likely to flag a sock puppet account you have created for research could essentially be bypassed by saving the device configuration you have created the account on (a setting in the Sphere browser) and using that fingerprint specific to your research account. There should also be plenty of general opsec benefits to this browser as well. I have NOT VETTED the security of the browser itself and have it downloaded on a research machine only, so explore at your own risk. (https://sphere.tenebris.cc) <-- link to browser. Given the nature of its general usage I am cautious, but criminals sometimes opsec well, so I think it's worth researching. -J
