DECEPTICON: OPSEC to Slow the OSINT

Abstract

 When we think of the process for attacking an organization, OSINT comes to the front and center of our minds. This presentation takes a presenter with experience in applying OSINT to effective penetration testing and social engineering and reverse engineers the process to determine what steps can be taken to further complicate their efforts. This is a presentation that talks about online deception, decoy accounts, canary data, encryption, maintaining one’s social media in a secure manner, and protecting one’s identity as much as possible. While nothing is absolute, this is a presentation that will leave attendees more aware of techniques to make it harder for attackers to collect accurate OSINT, either by removal or deception.

 Detailed Description

 • Intro (1:00)

 • What is Open Source Intelligence (OSINT)? (6:00)

 o Outlets/Sources Starts by giving definition of OSINT and introduces Michael Bazzell. This moves on into places to gather and discusses software like Datasploit and Recon-ng (demonstrated later) as sources per se.

 o Methods This discusses things on the internet: job boards, forums, Google, Intel Techniques and OSINT Framework (demonstrated later) as well as other outlets. From here we discuss automation in terms of tools, prextexting, and search parameters.

 o Aims and goals Simply put, is to gather as much information about our target as we can. I talk about timing for the purpose of explanation. We look at some examples of easy wins and start the integration.

 • Collecting OSINT (10:00)

 o Company Data Here we enumerate locations, presence, affiliations, and people.

 o Social Media The obvious place to start. We start to target key employees such as C-Levels and those in sensitive roles.

 o Google We gather data and refine what we know and where to look next.

 o Tools We will discuss tools, but rely less on them and more on philosophy and technique.

 o Less Conventional Places I will provide examples of places I found to be “gold mines” in the DerbyCon SECTF.

 • Potential Threat Vectors/Scenarios (15:00)

 o Troll or Hater

 o Infatuated Stalker

 o Ex-Lover

 o Nation State

 o Cybercriminals

 o Abusive Partner

 o Estranged Family Members and Ogres

 • Social Media (22:00)

 o Best Practices and considerations What do you need to think about when establishing and using social media. What are the outcomes if you delete your social media? Do you have to have any accounts?

 • Decoy Accounts (26:00)

 o The type of information used to create and maintain such accounts If you decide to use decoy and canary accounts, what must you consider and do to ensure they are valuable and not a waste of your time.

 • Getting Data Removed (30:00)

 o The steps and difficulty in getting one’s data removed You have control over (some) sharing of your data. We discuss how to initiate the process of getting the data removed.

 • Encryption (36:00)

 o Cloud Storage

 o Email

 o Streisand Effect (Tool)

 o TOR

 o VPNs

 o Full Disk Encryption

 o Virtualization

 • Case Study (38:00)

 o An OSINT blunder that I personally observed unfold while I enjoyed my dinner.

 • Questions (42:00)