Introduction to using open source information to defend against Network Attacks

Comments: Powerful defense does not necessarily mean high costs. Enterprises should start with evaluating public information and try to protect such public information from attacks. At present, IT is facing a major dilemma: security tools are like a black hole, absorbing the time and money of enterprises, and how enterprises should properly protect their information systems and assets. Powerful defense does not necessarily mean high costs. Enterprises should start with evaluating public information and try to protect such public information from attacks.
Enterprises are prone to hype about who is attacking enterprises and why they are launching attacks, which leads to misunderstandings about the requirements and costs related to effective security. Enterprises need to select security methods at the root and strategic level. They need to look at the problem from the attacker's perspective to determine what data attackers can steal and how they can launch attacks. The answers to these questions can help enterprises well plan their defense systems.
Marc Maiffret, chief technology officer of BeyondTrust, said during the group discussion at the May Security Summit of ISSALA, the ways in which media and suppliers transmit security trends and public interests will affect enterprises' assessment of their risks and security needs.
Maiffret pointed out that distributed denial of service (DDoS) attacks can immediately attract media attention because these events are visible to the public. The world is highly concerned when DDoS attacks take offline services from hosting service providers, financial institutions, or social network services. This kind of event is easy to detect, and the result of downtime is often of news value, and the human part of the event attracts people's attention.
When the public and the media focus on the equation of who initiated the attack and why the attack, the supplier made full use of consumer panic and publicized their products around the news hype. This marketing strategy attracts the attention of the media and the public, and leads to a loop like a snowball. All of this scared enterprises to invest constantly to defend against attackers.
If enterprises do not know what to protect or how vulnerable they are, it is best for them to choose a reliable security solution, whether expensive or cheap.
Each enterprise has different security requirements, just like the functions of each security product. Therefore, the same products suitable for one enterprise may be useless in another enterprise. In addition, each enterprise has its own unique situation. However, all enterprises face the same simple fact that all their public access information can also be exploited by attackers. No security products in the world can change this reality, no matter how vendors boast about their products.
If enterprises are ready to effectively protect their systems, business data, and intellectual property rights, they need to face a lot of tough issues. Although it is very important to establish a successful security plan who will attack its system and why the attack is initiated, however, these two problems can only be solved after determining the attacker's attack target and how to execute the attack.
Many ISSALA meetings cover this topic. McAfee's Security Research and Communications Director David Marcus talked about how attackers can use open-source intelligence (OSINT) to obtain information about Enterprise infrastructure, technology, and operations.
Marcus lists the tools used by these innovative and collaborative attackers, including Twitter, Pastebin, SHODAN, and Metasploit. From the results of using these tools, Marcus shows the audience how to easily obtain
Obtain valid information that can be used to attack an enterprise.
To further illustrate this, Marcus describes how to use these same methods to attack critical infrastructure, more specifically, SCADA systems.
For example, the Pastebin clipboard can be used to search for tags # SCADA and # IDIOTS to find public information about SCADA devices around the world, including public IP addresses that have been identified for the vulnerability SCADA system. These search results may be uploaded by attackers and hackers. Then, we can search these results on Google to find SCADA websites that are vulnerable to attacks of the same or similar vulnerabilities.
Marcus also introduced how we can log on to these websites as administrators, which is completely unrestricted. After successful login, we can read the system database content, change the device configuration, install malicious code, and even click a button to restart the system.
So, how can we break the equation of who is launching an attack and what is instilled in the media and suppliers? Attack is the best defense. Marcus shares the following five tips:
1. Use and operate OSINT: Use Twitter, Pastebin, and SHODAN to identify and capture public information about your enterprise and system. This open source public information can provide us with useful information to help enterprises understand how attackers view their infrastructure and operations.
2. Do not make decisions based on industry or marketing buzzwords: Do not worry too much about advanced persistent attacks. you should understand the target of such attacks and how attackers will approach them.
Marcus said they should focus on the basics. During the demonstration of Marcus, the basic security measures for all SCADA systems identified and accessed by him were invalid, although the intrusion defense system (IPS) was deployed in the system), Intrusion Detection System (IDS), and other techniques used to defend against APT. "These protection measures are not properly configured or cannot defend against known vulnerabilities," said Marcus ."
3. penetration testing: Use the red team ). There is a big difference between the red group action and the penetration test results. When a system is very important to the business, the Red Team removes the system, and penetration testing only points out that "there is a vulnerability to be repaired ".
Enterprises that really care about their environmental security should move from traditional penetration tests to Security Solutions integrated with red groups. Enterprises need to find out the real vulnerabilities in their environments and then solve them.
4. Leverage knowledge from partners and suppliers: Enterprises should seek help from trusted security partners and solution providers. Marcus said, "do not regard your suppliers as suppliers of a product, they know a lot about malware and other attack methods and make full use of their knowledge, expertise, and manpower ".
5. Establishing partnerships for information sharing: The next explosion in network security will focus on intelligence and attributes. Enterprises not only need to detect that they are under attack, but also need to know who is writing the attack, so that the authorities can find out the source behind the attack.
Information is gold, although many companies fail to take advantage of the available information. Obviously, enterprises can use open source intelligence to build powerful network defense lines. This raises a question: When was the last time your company checked the public's knowledge about your environment?