
The aim of this thesis is to provide tools that support a common task of security researchers: evaluating and testing the security of organizations, here specifically Danish organizations. The “security” to be tested is specifically the client organization's exposure through OSINT data.

We will survey the “real world” context that such tools will enter into, and which requirements must be established to enable this.

From this, we will seek to

The scenarios are based around modern cyber-crime methods ((spear-)phishing, ransomware, APTs with e.g. political or economic motives, and other OSINT and social-engineering techniques).

The tools are to be built as transforms for Maltego[3]. Maltego is a well-known, de facto industry-standard program for aiding security assessments (e.g. pen-tests), especially for case management of pen-tests and for passive reconnaissance of target organizations or individuals; it is used by both security researchers and adversaries. The transforms[4] should be distributed through the official “hub” integrated into the Maltego GUI; they are thus recognized and usable by most researchers[5].
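To make concrete what a transform is (a function that takes one entity as input and returns new entities to the graph), here is an added example of a minimal Maltego local transform in Python; it is not code from this thesis. Only the command-line input convention and the response XML format are Maltego's own: the entity type `dkosint.Organization`, the field names and the lookup table are assumptions standing in for a Danish OSINT source.

```python
# Added example (not code from the thesis): a minimal Maltego *local* transform.
# Maltego runs it as `python transform.py <entity value> <fields>`, where
# <fields> is a "key=value#key2=value2" string, and reads the
# MaltegoTransformResponseMessage XML that the script prints on stdout.
import sys
from xml.etree import ElementTree as ET

# Constructed sample data standing in for a Danish OSINT source (assumption,
# not a real dataset): domain -> registered organization.
SAMPLE_SOURCE = {
    "example.dk": {"org_name": "Example ApS", "city": "Copenhagen"},
}

# Hypothetical custom entity type for the seed (the name is an assumption).
ORG_ENTITY_TYPE = "dkosint.Organization"


def parse_fields(raw):
    """Parse Maltego's additional-field string from argv[2].

    Pairs are separated by '#', key and value by '='; a literal '#', '='
    or '\\' inside a value is escaped with a backslash.
    """
    fields, key, val, esc = {}, [], [], False
    cur = key
    for ch in raw:
        if esc:
            cur.append(ch)
            esc = False
        elif ch == "\\":
            esc = True
        elif ch == "=" and cur is key:
            cur = val
        elif ch == "#":
            if key:
                fields["".join(key)] = "".join(val)
            key, val = [], []
            cur = key
        else:
            cur.append(ch)
    if key:
        fields["".join(key)] = "".join(val)
    return fields


def build_response(entities, ui_messages=()):
    """Serialize entities and UI messages as the XML Maltego expects on stdout."""
    root = ET.Element("MaltegoMessage")
    resp = ET.SubElement(root, "MaltegoTransformResponseMessage")
    ents = ET.SubElement(resp, "Entities")
    for ent in entities:
        e = ET.SubElement(ents, "Entity", Type=ent["type"])
        ET.SubElement(e, "Value").text = ent["value"]
        ET.SubElement(e, "Weight").text = str(ent.get("weight", 100))
        if ent.get("fields"):
            af = ET.SubElement(e, "AdditionalFields")
            for name, (display, value) in ent["fields"].items():
                f = ET.SubElement(af, "Field", Name=name, DisplayName=display)
                f.text = value
    if ui_messages:
        msgs = ET.SubElement(resp, "UIMessages")
        for kind, text in ui_messages:  # kind: Inform, Debug, PartialError, FatalError
            ET.SubElement(msgs, "UIMessage", MessageType=kind).text = text
    # ElementTree escapes '<', '&' etc. in text, so values coming back from a
    # source cannot inject elements into the response.
    return ET.tostring(root, encoding="unicode")


def domain_to_organization(domain):
    """The transform proper: one Domain entity in, organization entities out."""
    rec = SAMPLE_SOURCE.get(domain.strip().lower())
    if rec is None:
        return [], [("Inform", "No organization found for %s" % domain)]
    entity = {
        "type": ORG_ENTITY_TYPE,
        "value": rec["org_name"],
        "weight": 100,
        "fields": {
            "dkosint.city": ("City", rec["city"]),
            "dkosint.source_domain": ("Source domain", domain),
        },
    }
    return [entity], [("Inform", "1 organization found for %s" % domain)]


def run(argv):
    """Entry point mirroring how Maltego invokes a local transform."""
    domain = argv[1] if len(argv) > 1 else ""
    fields = parse_fields(argv[2]) if len(argv) > 2 else {}
    entities, messages = domain_to_organization(domain)
    if fields:
        messages.append(("Debug", "input fields: %s" % sorted(fields)))
    return build_response(entities, messages)


if __name__ == "__main__":
    print(run(sys.argv))
```

Replacing `SAMPLE_SOURCE` with a query to a real source (and registering the script as a local transform, or wrapping it in a transform server for hub distribution) turns this into a usable transform; the XML on stdout is the whole contract with the Maltego client.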

The auto-generated report should automate part of the report-writing process, which is an integral part of a commercial pen-test, presenting results in a uniform way and demonstrating violations of regulations or standards where applicable. It should help the researcher guide the organization on how to reduce its attack profile by showing the critical data found in the pen-test.

This typically includes evaluating the organization's compliance with current standards and/or guidelines (scoped primarily to Danish organizations, but also drawing on reputable international sources), as well as use cases of current attackers and the methods they use to search for the essential information needed to gain privileged access to an IT system or to gain their target's trust in order to exploit it. The overview should be structured such that the researcher/organization can readily identify where to best spend their man-hours (in accordance with their own risk assessment and relevant standards and regulations) in order to mitigate OSINT- and social-engineering-enabled attack types.

It should be easy to interpret for IT-professionals.

Data input for the auto-generated report could come from many sources, each of which would require development time. Since transforms are already being developed for the Maltego platform, the report input can come from there too. Both data gathering and reporting can thus be done on a known platform, such that any capable IT security professional can perform the analysis. This will allow IT security consultancies and other professionals to use the products developed in this thesis.

The collection of OSINT is already a discipline integrated into many platforms, so the emphasis here is on the large number of public data sources in Denmark that are made available for free as part of the effort to induce economic growth[6] and as part of Denmark's commitment to the G8 countries' Open Data Charter[7]. To my best knowledge, including queries towards these sources is a novel approach[8].

[3] The choice is further discussed in Chapter 3.

[4] May consist of a custom configuration, entities (data types) and transforms (functions that perform some action on an entity), but often called transforms as a whole in the Maltego documentation.

[5] Guidance and tutorials are widely available online in both video and text if the security professional is unfamiliar with Maltego.

[6] See e.g. http://www.opendata.dk/om/hvad-er-open-data-dk

[7] Acceded June 18th 2013: https://www.digst.dk/Servicemenu/Nyheder/Nyhedsarkiv/Digitaliseringsstyrelsen/2013/Open-Data-Charter

[8] An e-mail conversation with the Head of Development at DK Hostmaster in mid-March 2017 supported this view.

It is acknowledged that IT security professionals have varied approaches to performing vulnerability assessments/pen-tests like the above. This is countered by consulting a variety of sources for methods and standards, selecting the most evident data sources and best practices, and through informal, continuing conversations with IT security professionals I have the privilege of working with.

1.1.1 Goals

In short, this master thesis delivers the following products (besides this report):

Product: Maltego seed with transforms and custom entities
Description and goals: A complete, production-ready seed to add to the Maltego transform hub, containing transforms for querying a range of Danish OSINT sources relevant for acquiring information on Danish organizations, together with the necessary entities, built in accordance with the Maltego developer guidelines such that the transforms can be used in combination with the other activities of a pen-test performed in/with Maltego. The transforms should in particular help reduce part of the manual work of gathering OSINT on the client organization from Danish sources.

Product: Auto-generated report
Description and goals: A report auto-generated from the findings of an investigation (e.g. a pen-test) conducted in Maltego. The report compares the findings to common cyber attack scenarios and to relevant legislation and standards (Danish context) for the researcher to use in the final pen-test report delivered to the customer. In particular, the report supports this task by linking the findings to the relevant scenarios and legislation/standards and outputting the results in a well-formed report.

Table 1.1: Product specification of the products of this thesis.

The requirements of each of the two deliverables are based on an analysis carried out in Chapter 3 and are detailed there.

1.1.2 Risks

While it is not possible to know all aspects of the risks when initiating a larger project like this, it is important to consider what kinds of risk there are, how they may affect the project, and what mitigating steps can be taken. Before project initiation we identified the following risks:

• The products are open-ended, which can make the work go off track. A direction for the work should be established early by examining relevant sources to guide the further process.

• How can we automate manual report generation? The development itself can likely be done, but interpreting the underlying data may require some intelligence.

• The availability of adequate sources and offered APIs for Danish OSINT sources is important to the project. Any lack thereof has to be discovered early to allow different possibilities to be explored (e.g. international sources).

• Developing for Maltego is a new field to the author. We do not know which possibilities exist for exporting besides regular PDF files, or how we can interface with the program at all.

• What is the availability of standards/guidelines pertaining to the specific types of data outside the regular asset models that we have met in the literature at the university? What do guidelines look like when they do not direct how to update the organization's systems?

The risks are revisited in the conclusion of this report (Chapter 7).

1.1.3 Work methods

To form an effective process for the author, the work was planned as 2-week “sprints” (as used in the Scrum software development method) with bi-weekly supervisor meetings to report on the current work and discuss the work to be carried out in the following 2-week period. Online tools for managing the work process were experimented with, using Trello boards[9] to maintain a backlog of tasks and their assignment to each sprint, but for a single-person project this was an unnecessary workload to keep updated throughout the project. It was, however, an intriguing process found very usable for cooperating with others.

To discover papers for the state-of-the-art chapter, we went through literature presented in previous courses as well as resources from government cyber-security entities and news articles.

We also considered standards and guidelines from Danish and international official sources, all of which we have had referenced as part of the lectures, in related material or in the study job.

The report was typeset with LaTeX and edited in Texmaker[10], which again proved to be a double-edged sword, offering both easy, straightforward writing and numerous difficulties with getting a few exotic features just right. It does look nice, though.

Versioning and backup were done using the DTU-provided Subversion servers and the TortoiseSVN client[11]. It proved useful a couple of times to revert slippage in code and editors.

The workflow has been steady and consistent, but in the early phases it was influenced by my whiplash/concussion, which has now passed its three-year “jubilee”. After taking 1½ weeks out of the project to get treatment, this improved somewhat.

[9] https://trello.com

[10] http://www.xm1math.net/texmaker/ – just released a new version.

[11] https://tortoisesvn.net/

I am pleased with the bi-weekly meetings with my supervisor, Christian D. Jensen, which helped to keep focus on the assignment and resolve blocking issues.