
Are you sharing too much information? 

Author:

Mark Rose

The internet grew out of research networks of the 1970s and 1980s whose primary purpose was to let researchers share information with colleagues on the other side of the world. In many ways that information-sharing 'mission' has remained, but the scope of what is shared has expanded enormously. 

Whether through social media, gaming platforms or online forums, people can now share every aspect of their lives online, and whether they intend it or not, that information can quickly attract attention, both positive and negative.  

This openness has consequences: it is all too easy for sensitive or confidential information to leak into the public domain. 

In this insight we look at how threat actors obtain information that helps them advance their aims, and give examples of how that information could be weaponised.  

Open-Source Intelligence (OSINT) Gathering 

Internet users frequently upload posts, pictures and videos without considering what they reveal or the consequences of making them public. Once shared, that content can remain accessible indefinitely: even after it is deleted, copies may survive in search-engine caches, web archives and other people's downloads. 

Collecting such information, whether to improve security or for malicious purposes, is known as Open-Source Intelligence (OSINT) gathering. 

OSINT involves collecting, evaluating and analysing data about a target from publicly available sources. Targets are typically unaware that they are being profiled: the collection touches only public material and looks no different from an ordinary visitor's browsing. 

Data collection during this process should be intelligence-driven: keep asking whether each piece of data is relevant to the objective. Done well, this yields meaningful, relevant information that can be used later, rather than an unmanageable pile of noise. 

The resources used in this stage include any publicly accessible material, such as: 

  • Social media profiles
  • Organisational websites
  • Forums
  • Review sites 

Numerous open-source tools are available to aid information gathering. A widely used starting point is the OSINT Framework (osintframework.com), a categorised index of tools for specific tasks such as username, email address and domain name investigation, alongside tools for many other functions. Note that you interact with any of these third-party tools at your own risk. 

While OSINT techniques can be exploited by malicious actors, they can also be applied for positive purposes. One example of an organisation using OSINT for good is Trace Labs. 

According to the organisation, “Trace Labs is a non-profit whose mission is to accelerate the family reunification of missing persons while training members in the tradecraft of Open-Source Intelligence (OSINT).”  

Trace Labs runs Capture the Flag (CTF) events for security professionals and anyone interested in OSINT. The events are gamified but keep a core focus on helping to locate missing people. Participants can form teams with people they know or be randomly assigned to a group. Each team is assigned a judge who evaluates submitted information; accepted submissions earn points on the leaderboard. 

At the end of the event, a winner is declared, and awards are distributed. However, the true winners are the valuable insights provided that can assist authorities in the search for missing persons.  

This example highlights the positive applications of OSINT. Nevertheless, there are still threat actors who exploit the information gathered for malicious purposes. 

Information Exposure 

Although similar, information disclosure (any information becoming public) and sensitive information exposure (information whose confidentiality matters becoming public) are distinct concepts. Both fall under the umbrella term "data leakage." 

Data leakage, whether of confidential or non-confidential information, poses risks to individuals and organisations. The risk begins the moment any information is made public, because each item adds to the knowledge a threat actor can build up about their target. 

A dramatised example of data leakage appears in an episode of Brooklyn Nine-Nine, in which Terry spends most of the episode trying to discover how the precinct's arrest numbers are being leaked, convinced there is a mole. Spoiler alert: he is the one leaking them, by not noticing what was visible in the background of his social media post.

But what other types of information could put your organisation at risk? Examples include, but are not limited to: 

  • Supplier lists
  • Uniform code
  • Staff login portals
  • Training or qualification certificates that carry an employee's personal details
  • ID badges
  • Executive leadership charts
  • Regulatory filings, e.g. Companies House, which is a gold mine of information about UK companies: officers, registered addresses, filing history and accounts. 

Data leakage can occur through many channels, and organisations and employees often disclose this information inadvertently. Threat actors look for sensitive details in social media posts, blog posts, publicly accessible documents and YouTube videos, much of which can be found with a search engine and a rigorous OSINT methodology. 

As mentioned earlier, data leakage is usually unintentional; it happens because employees and organisations do not recognise the risk that certain types of information carry. Several measures reduce that risk. Regular security awareness training helps employees recognise information that should stay private and gives clear definitions of what is acceptable to post publicly. A comprehensive social media policy, whether new or updated, specifies what types of information are appropriate for public sharing; this protects the organisation and also safeguards employees. IT staff can add technical controls, such as restricting access to social media from company equipment and granting exceptions only to explicitly specified groups or users. 

While leaked information is a security risk in itself, the real danger lies in how that data is exploited. In the Cyber Kill Chain, reconnaissance (where OSINT sits) is followed by weaponisation, the step in which the attacker turns what they have learned into a payload or pretext tailored to the target. Weaponisation is a critical step in a threat actor's path to exploitation. 

The next section will discuss how the collected information could be used. 

Weaponising Information 

As Sir Francis Bacon said, "Knowledge is power." In this case, the knowledge gained by threat actors can be weaponised to help them achieve their goals. 

Weaponisation, as discussed above, is the creation of a malicious payload or pretext. Having gathered OSINT and compiled a dossier of useful information, a threat actor can craft targeted attacks that are far more likely to succeed than generic ones.  

The nature of these attacks varies with the situation, because different threat actors have different motives. In the Brooklyn Nine-Nine scenario, the leaked information allowed a reporter to publish an article revealing the arrest statistics, turning internal figures into public knowledge: a breach of confidentiality.  

In real situations, threat actors do the same, tailoring their actions to their specific goals; weaponisation is about using information in the ways that cause the most harm. 

Phishing 

Phishing is sending a maliciously crafted message, typically an email, to trick users into taking an action they would not otherwise take.  

For instance, if a threat actor identifies an employee login page, they can clone it and host the copy on a server they control. The cloned page asks for credentials; anything a user submits is captured by the attacker, who can then log in as that user, compromising confidentiality and, once they can act as the user, integrity.  

To increase the attack's chances of success, the threat actor will use enticing subjects, such as salary increases or details of new benefits, that lure users who are not particularly security conscious into clicking the link and entering their details.  
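The cloned-portal attack works because the link in the lure points at a host that merely resembles the real one. The following is an added example, not code from the article or from Pentest, of the check a mail gateway or awareness tool can run over the links in a message. It assumes a legitimate staff portal at login.example.com (an assumption, as is the sample email) and flags hosts that embed the brand under somebody else's domain, hide it in the URL's user-info part, or differ from the real name by a digit-for-letter swap, a typo or an adjacent transposition:

```python
"""Flag links that point at look-alike copies of a known login portal.

Added illustration, not code from the article or from Pentest. The legitimate
portal host, the e-mail body and the links are constructed for this example.
"""
import re
from urllib.parse import urlparse

LEGIT_PORTAL = "login.example.com"   # assumed real staff login host
BRAND = "example"                    # the name an attacker will imitate

# Substitutions attackers use when registering a look-alike name; undone
# before comparing. (Unicode homoglyphs in IDN names are out of scope here.)
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}
LINK_RE = re.compile(r"https?://[^\s<>\"']+")


def registrable_domain(host):
    """Crude eTLD+1 (last two labels). Enough for .com/.net; production code
    should consult the public-suffix list so that co.uk etc. are handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def normalise(label):
    for bad, good in HOMOGLYPHS.items():
        label = label.replace(bad, good)
    return label


def edit_distance(a, b):
    """Optimal string alignment distance: insert, delete, substitute and
    adjacent transposition each cost 1, so 'exmaple' is 1 away from 'example'."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def classify_link(url):
    """'legit' for the real portal domain, 'lookalike' for an imitation of it,
    'unrelated' otherwise."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if not host:
        return "unrelated"
    # https://login.example.com@evil.net/ : the brand sits in the user-info
    # part of the URL while the browser actually connects to evil.net.
    if parsed.username and BRAND in parsed.username.lower():
        return "lookalike"
    legit = registrable_domain(LEGIT_PORTAL)
    if host == legit or host.endswith("." + legit):
        return "legit"
    labels = host.split(".")
    sld = labels[-2] if len(labels) >= 2 else host
    # Brand used as a subdomain label of someone else's domain
    # (login.example.com.hr-notice.net) or embedded in the registered name
    # (login-example.com, example-hr.net).
    if BRAND in labels[:-2] or BRAND in sld:
        return "lookalike"
    # Typo-squats and digit-for-letter swaps of the registered name.
    if edit_distance(normalise(sld), BRAND) <= 1:
        return "lookalike"
    return "unrelated"


def scan_message(text):
    """Map every link found in a message body to its classification."""
    return {url: classify_link(url) for url in LINK_RE.findall(text)}


# Constructed lure in the style the article describes: an HR-themed subject
# and a link to a cloned portal next to a genuine one.
SAMPLE_EMAIL = """Subject: Updated salary bands for 2025
Please review your new band at https://login-example.com/hr before Friday.
The usual portal https://login.example.com/hr will show it next week.
Archive copy: https://login.example.com.hr-notice.net/docs
"""

if __name__ == "__main__":
    for url, verdict in scan_message(SAMPLE_EMAIL).items():
        print(f"{verdict:10} {url}")
```

Running the script prints one verdict per link: the real portal is reported as legit and the two decoys as lookalike. The edit-distance threshold of 1 is deliberately tight; a looser threshold would also flag unrelated short words such as sample.com, so a real deployment would pair this with a list of the organisation's registered domains rather than a single brand token.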

Physical Intrusion 

Physical intrusion involves getting into areas that are supposed to be access restricted.  

During the OSINT phase, if a threat actor obtains information about staff badges, uniforms and office locations, they can impersonate employees. Wearing the right attire and a convincing badge, the threat actor could move through the organisation's office undetected, blending in with legitimate staff.  

Tailgating, following an authorised person closely through a controlled door, is one technique used to bypass access controls and get into restricted areas.  

Once inside, the threat actor could compromise employee devices, particularly computers left unlocked. They might also plant "drop boxes", small network implants, around the office that call back to an external machine they control. From there the threat actor could capture user credentials, pivot across the network into other VLANs, read network shares (breaching data confidentiality) or escalate privileges to domain administrator.  

Other attacks can also be built on the information obtained, including vishing (voice phishing) and password-guessing attacks that use names, places, dates and other facts from the dossier. These are just a few examples among many techniques. 
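Password guessing from a dossier works because people build passwords from the company name, the office city, product names and memorable years, all of which the OSINT phase will have found. As an added example, not from the article, here is a password check that rejects candidates built from those public facts. The organisation profile, the fixed "today" date and the candidate passwords are constructed assumptions; the check complements, rather than replaces, length and breached-password checks:

```python
"""Reject passwords built from facts an attacker can read off public sources.

Added illustration, not from the article. ORG_FACTS is a constructed OSINT
profile for a fictional company; the candidate passwords are constructed too.
"""
import re
from datetime import date

# What a company website, Companies House filing and staff LinkedIn profiles
# would reveal about a fictional organisation (constructed for this example).
ORG_FACTS = {
    "company": "Acme Widgets Ltd",
    "locations": ["Manchester", "Leeds"],
    "products": ["WidgetPro"],
    "founded": 1998,
}
EXAMPLE_TODAY = date(2025, 1, 15)   # fixed so the demo is reproducible

# Common character substitutions ("leet speak") undone before matching, so
# "@cme" and "W1dgets" are treated as "acme" and "widgets".
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e",
                      "4": "a", "5": "s", "7": "t", "!": "i"})
GENERIC = {"limited", "group", "holdings", "company"}


def public_terms(facts):
    """Words of four or more letters drawn from the public profile."""
    text = " ".join([facts["company"], *facts["locations"], *facts["products"]])
    return {w.lower() for w in re.findall(r"[A-Za-z]{4,}", text)} - GENERIC


def relevant_years(facts, today):
    """Founding year plus the years an attacker would try first."""
    return {str(facts["founded"])} | {str(today.year + d) for d in (-1, 0, 1)}


def check_password(password, facts=ORG_FACTS, today=None):
    """Return (accepted, reasons). Each reason names the public fact the
    password is built from, so the user can be told why it was rejected."""
    today = today or date.today()
    raw = password.lower()
    norm = raw.translate(LEET)       # letters-only view for term matching
    reasons = []
    for term in sorted(public_terms(facts)):
        if term in norm:
            reasons.append(f"contains public term '{term}'")
    for year in sorted(relevant_years(facts, today)):
        if year in raw:              # digits matched on the raw password
            reasons.append(f"contains guessable year {year}")
    return (not reasons, reasons)


def demo():
    """Run the check over constructed candidates; returns password -> result."""
    samples = ["Acme2025!", "@cmeW1dgets", "Manch3ster98",
               "WidgetPro1998", "correct horse battery staple"]
    return {pw: check_password(pw, today=EXAMPLE_TODAY) for pw in samples}


if __name__ == "__main__":
    for pw, (ok, why) in demo().items():
        print(f"{'accept' if ok else 'reject':7} {pw!r:32} {'; '.join(why)}")
```

Only the passphrase survives; the others are rejected with a reason that can be shown to the user. Keeping the profile in one place also makes it easy to refresh after each OSINT review, so that a newly opened office or a rebrand is reflected in the policy.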

In conclusion 

It is crucial to stay aware of what is being shared online, because over-sharing enables threat actors to carry out attacks more effectively.  

Raising employee security awareness and establishing a social media policy are good first steps. It is also important to assess regularly what information about the organisation is already available.  

These assessments can be conducted internally or as part of a security review by a third party. Many companies specialise in OSINT assessments that show what information the public can see. At Pentest, we incorporate OSINT into our Red Team engagements, not only helping organisations evaluate what is publicly accessible but also demonstrating how real-world threats could use that information to compromise them. 

If you are concerned about how publicly available information could affect the security of your organisation, or would like to discuss how our services can strengthen your defences, contact us to discuss how we could help. 

Looking for more than just a test provider?

Get in touch with our team and find out how our tailored services can provide you with the cybersecurity confidence you need.