How To Perform an OSINT Company Assessment — Part 2

Cassius•X•III
Published in OSINT TEAM
6 min read · Jul 8, 2020


Physical Infrastructure

Now that we have a basic understanding of the digital infrastructure that is exposed to the internet, we must begin mapping out the physical locations of the business. This includes any offices, warehouses and manufacturing plants. The aim of this step is to discover any media containing sensitive images of the premises as well as any blueprints, schematics, or physical security vulnerabilities.

As far as finding the physical locations of companies, most have a ‘contact us’ page on their website with generic details of their head office and smaller state-level offices. This information in itself is not all that useful. The real information of interest can usually be found in official documents and leaked PDFs online. The simplest way of looking for these documents is by using the ‘filetype:pdf’ operator in Google. Alternatively, view the company registry website of the country in which the company you are investigating is registered. These registry websites almost always contain a treasure trove of official documents that can leak the physical locations of company properties. Examples of such websites include:

Australia

U.S.

UK

If the company you are investigating is not present in any of these countries, you can use the following website to find the company registry of a specific country.

These types of websites can also be useful for finding the signatures of CEOs or senior leadership, as well as personal details such as dates of birth, addresses and personal phone numbers. This information could be valuable to an attacker conducting fraud or blackmail and should be brought to the company’s attention.

In many cases it is unlikely that you will be in the same physical location as the company you are investigating; however, if you do happen to be in the same city or area, it is a great opportunity to hone your surveillance techniques and do some real-life snooping. OSINT is not only conducted online: it can include anything that is publicly accessible, and as long as you are not actively engaging with company property or its employees, it is free rein. This could include activities such as dumpster diving, which involves looking for confidential paper documents that have been disposed of insecurely. However, this is a grey area given that we are trying to remain passive, and it should be discussed prior to beginning your investigation. Although this method of physical surveillance dips into private investigator or penetration testing territory, it is still within the scope of a typical OSINT risk assessment.


Things to consider while conducting this section of the investigation include determining where security cameras are placed and whether there are any blind spots, which type of security gates and access cards are used, and whether the office building is shared — this could pose a threat if the other businesses within the building have lax security. Taking photos and videos at this stage is encouraged, but remember to be discreet and act within the law.

Credentials

Another factor in determining a company’s security posture is identifying how many of its employees have used their internal email address or credentials outside of the corporate network to sign up to non-work-related websites and apps. This sometimes indicates non-stringent security policies and is a very serious threat vector should an employee be reusing those credentials on internal systems. Unfortunately, there are no real resources freely available online that allow you to quickly search breach data by email suffix (the company’s email domain).

The best solution is to create your own internal database by downloading all the major public breaches and leaks that are available online via torrents and websites such as RaidForums, and querying it for a rough number. Taking it one step further, you can also scrape paste websites for credentials using a framework such as scrapey (https://www.npmjs.com/package/scrapey); however, this requires a decent amount of coding skill. If you are concerned about the legality of undertaking such actions, rest assured that once a site has been hacked and the database is in the hands of a number of individuals unrelated to the hack, it is considered public information.
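The email-suffix query described above, as an added example that is not code from the original article: it parses combo-list lines in the common email:password format, normalises the addresses, and reports the distinct exposed accounts for one domain (optionally including subdomains) plus any password that appears against more than one account, which is the reuse signal that makes the internal-systems risk concrete. The domain example-corp.com and every record in SAMPLE_DUMP are constructed sample data; a real run would stream the downloaded dump files instead.

```python
import re
from collections import defaultdict

# Constructed sample of combo-list lines (email:password or email;password),
# deliberately messy: mixed case, two separators, a duplicate and a junk line.
SAMPLE_DUMP = """\
Alice.Smith@Example-Corp.com:Summer2019!
bob@example-corp.com;hunter2
carol@gmail.com:password1
bob@example-corp.com:hunter2
dave@mail.example-corp.com:qwerty
not-an-email-line
eve@EXAMPLE-CORP.COM:Summer2019!
"""

# An email address, then ':' or ';', then the rest of the line as the password.
EMAIL_RE = re.compile(r"^\s*([^\s:;@]+@[^\s:;@]+\.[^\s:;@]+)\s*[:;]\s*(.*?)\s*$")


def parse_line(line):
    """Return (lowercased email, password), or None for lines that do not parse."""
    m = EMAIL_RE.match(line)
    return (m.group(1).lower(), m.group(2)) if m else None


def domain_exposure(lines, domain, include_subdomains=True):
    """Count records and distinct addresses for one email suffix; flag passwords
    that appear against more than one address (the credential-reuse signal)."""
    domain = domain.lower()
    addresses, records = set(), 0
    users_per_password = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        email, password = parsed
        email_domain = email.rsplit("@", 1)[1]
        subdomain_hit = include_subdomains and email_domain.endswith("." + domain)
        if email_domain != domain and not subdomain_hit:
            continue
        records += 1
        addresses.add(email)
        if password:
            users_per_password[password].add(email)
    shared = {p: sorted(u) for p, u in users_per_password.items() if len(u) > 1}
    return {"domain": domain, "records": records,
            "distinct_addresses": sorted(addresses), "shared_passwords": shared}


if __name__ == "__main__":
    report = domain_exposure(SAMPLE_DUMP.splitlines(), "example-corp.com")
    print(f"{report['records']} records, {len(report['distinct_addresses'])} distinct "
          f"addresses, {len(report['shared_passwords'])} shared password(s)")
```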

Alternatively, you can try using a tool like theHarvester (https://tools.kali.org/informationgathering/theharvester) together with Google dorks to find what emails you can, then run them through a service like https://haveibeenpwned.com/ to check whether they have appeared in any breaches.


Social Media

Social media is now a massive part of our everyday lives, and as companies and people have embraced the connectivity it provides, so too has it created a new threat vector that individuals and organizations must protect against. One such risk is the possibility that employees and staff are freely posting confidential information about the company online. This could include photos and videos of the inside and outside of office buildings, as well as security badges or ID cards (popular with new staff or employees who are leaving the company). These media posts could divulge sensitive information, including customer data, especially on closer inspection if a computer screen can be seen in the background. Threat actors will always be on the lookout for low-hanging fruit, and social media is just that: an easily accessible database of media ready to be collected, analysed and exploited.

Collecting information only requires you to have pseudonymous accounts on the major social media websites. Firstly, you want to identify all the legitimate company accounts, which can typically be done by going to the ‘contact us’ page of the company website. Using username checkers such as:

is another way of finding accounts that may not have been linked from their website. Secondly, search for any popular hashtags or terms associated with the company. If there has recently been some type of event or conference at the company, search for terms around that. Lastly, if you have the physical locations of the company’s office buildings, employees will most likely have tagged themselves at those addresses on social media, particularly Instagram.

Deep & Dark Web (DDW)

This is a tricky topic to cover, as it usually involves having access to vetted forums and a high level of technical ability to preserve operational security. The landscape is also ever evolving as websites are shut down and replaced. A significant amount of data from the DDW makes its way onto paste and torrent sites, and conducting simple keyword searches on those sites may surface information such as threat actors discussing or selling access to the company.

General Company Sentiment

Lastly, looking into the general public sentiment towards the company will help you determine the overall security risk to the company. Websites that give employees the opportunity to review the companies they have worked at, such as the Australian site ‘Glassdoor’, are a good starting point:

Alternatively, looking through social media and general news sites may provide details.

Conclusion

In conclusion, OSINT is a developing field whose benefits big organizations and corporations are only now beginning to see. By only partially understanding the dimensions of a company’s digital footprint, internal teams are not always aware of their complete exposure and fail to minimise the risks. Conducting an OSINT-based organizational assessment will help identify security gaps and help a business understand its complete exposure.

I will be posting more helpful articles about OSINT, cyber security, threat intelligence and investigating, so make sure you follow me on here and on my Gab @CassiusXIII
