• No results found

B.3 Example of an auto-generated report

3.1 Statistics on findings

In the following tables, statistics on the findings made during the investigation are given. A bar graph giving an overview of the data within the 5 categories of information is found in Figure 1.

Page 4 of 17

Intelligence gathering on ACME A/S “Summer” 2017

Figure 1: The distribution of findings within the 5 categories of information used in this report.

3.1.1 Employee

Data label                                                                            Count
Name/job positions                                                                        1
Personal information :: Other private associations (school, hobby, sport, political)      1

Table 1: The count of all findings within the category Employee

3.1.2 SoMe

There are no findings within this category.

3.1.3 Non-personal internal

Data label                                                    Count
Physical/virtual infrastructure :: Type/versions                  1
Physical/virtual infrastructure :: Names (DNS, nicknames)         3
Physical/virtual infrastructure :: Manufacturer/provider          1
Physical/virtual infrastructure :: IPs :: External IP             1

Table 2: The count of all findings within the category Non-personal internal

3.1.4 Supplier

There are no findings within this category.

3.1.5 Customer

Data label                  Count
Customer names                  2
Other customer information      1

Table 3: The count of all findings within the category Customer

4 Scenarios

This section relates the findings of Section 3 to 5 common OSINT-enabled cyber attack scenarios.

The scenarios were created as part of a master thesis project. They seek to cover a wide variety of OSINT-enabled attacks, but it is important to understand that it is impossible to describe all attack scenarios enabled by the findings used as input to this auto-generated report. These attacks (and the persons behind them) draw on a vast range of knowledge and information; if some information was not acquired during the research, a specific variety of a scenario could go completely overlooked.

The findings in this section should instead be used as a guideline to understand which circumstances or specific data can enable an OSINT-enabled attack against ACME A/S.

5 common cyber attack scenarios were considered. Whether ACME A/S is considered vulnerable to each of them is shown in Table 4. Details of each of the 5 scenarios, and the findings that lead to this conclusion, are found in the following subsections, which consider each scenario individually.

Cyber attack scenario Vulnerable?

Table 4: The cyber attack scenarios considered in this report and whether ACME A/S is considered vulnerable to each of them.

4.1 Spear-phishing

Carried out mostly through emails as the easiest attack vector, but also through phone calls, face-to-face or other means of communication (as people may recognize the voice or biomodalities of the impersonated person/organization); also called pretexting.

The goal is information disclosure for further attacks, directly for e.g. monetary gain (through encouraging bank transfers, acquiring passwords, (bank) account information or NemID keys) or delivery of an attack payload for e.g. espionage, activism or any other goal.

The most important differences from un-targeted phishing attacks are that they target a few, specific receivers and put more work into creating a credible email/relation through language, logos, current activities/contacts of the organization and non-threatening content. However, while they may seek to imitate the language of e.g. a professional email or invoice, another trait used in the emails is a sense of urgency and/or secrecy to convince the receiver to perform the task fast (e.g. a bank transfer) and without disclosing anything to colleagues.

To improve credibility, the attacker can employ OSINT to discover:

• Current professional relations (e.g. suppliers, collaborators or customers) found on e.g. LinkedIn, Facebook, public forums, job advertisements (describing the technical qualifications needed of new hires) or the homepage of the organization or of their vendors/customers.

• Private relations or economic interests found on the aforementioned sources or through e.g. public leak data including company domain email addresses.

• Employee names and private e-mail addresses (from e.g. social media accounts) to deliver a malicious payload circumventing organizational countermeasures.

• Specifics of the organization’s structure from e.g. an informative organizational chart, job postings, points of contact (for homepage, support or legal matters) or meta-data from documents on the organization’s homepage. Specifics can include names, positions, job titles, phone numbers, location (e.g. for using the target’s national language or TLD) etc. Phone numbers can also serve as an alternative contact medium, where the attacker will then employ other parts of the collected OSINT.

• Knowledge of organizational operations (in addition to the previously mentioned), like travel plans or current issues (from public forums or bug reports).

The attacker can of course also employ technical solutions to increase credibility by e.g. acquiring access to email servers. This requires prior use of social engineering to gather passwords, deliver malicious payloads or similar.

Examples of attacks are invoice fraud with fake invoices appearing to come from real vendors, coaxing employees into sending money to “colleagues”, or trying to get further information on the organization/employees. The most repeated advice in government guidance for hindering these kinds of attacks is to implement specific procedures for double-checking e.g. money transfers and information disclosures by calling the responsible person or the sender, together with general vigilance of employees.

4.1.1 Summary of findings

Overall it is found that ACME A/S is vulnerable to this common social engineering attack scenario.

This scenario consists of 6 requirements of which it is expected that 3 of the requirements need to be satisfied in order for ACME A/S to be vulnerable.

During the investigation on ACME A/S, data satisfying 4 of the scenario’s requirements were identified.

In Table 5 each requirement for the scenario “Spear-phishing” is listed. In the following subsections, all data found to contribute to satisfying the specific attack scenario requirement are listed, so that it is possible to gain an insight into exactly which pieces of OSINT data contributed to these findings.

Requirements for this scenario                          Satisfied?
Employee names/position                                 True
Organizational structure                                True
Supplier/customer or other professional relations       True
Personal/corporate email addresses, phone numbers       False
Relations (friends, hobbies)                            True
Typosquatting domains                                   False

Table 5: The individual requirements for the cyber attack scenario “Spear-phishing” and the findings of the intelligence gathering satisfying them.

The individual requirements satisfied are considered so by the following findings:

4.1.2 Individual requirements

‘Employee names/position’ is considered satisfied due to the following findings:

‘Lars Estes Henriksen’ (found from/in/on “ESTES”)

‘Organizational structure’ is considered satisfied due to the following findings:

‘Lars Estes Henriksen’ (found from/in/on “ESTES”)

‘Supplier/customer or other professional relations’ is considered satisfied due to the following findings:

‘djoef-dk.mx1.comendosystems.com’ (found from/in/on “djoef.dk”)

‘Personal/corporate email addresses, phone numbers’ is not considered satisfied based on the findings.

‘Relations (friends, hobbies)’ is considered satisfied due to the following findings:

‘Nissan X-Trail DIG-T 163 SUV 2WD 6 M/T’ (found from/in/on “ESTES”)

‘Typosquatting domains’ is not considered satisfied based on the findings.
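The threshold rule of Section 4.1.1 (a scenario is judged vulnerable when at least the expected number of its requirements is satisfied) and the per-requirement listing above, worked through in Python as an added example that is not part of the thesis or its report generator. The mapping from data labels to requirements, the sample findings and the placeholder labels for email/phone and typosquatting findings are assumptions made for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    value: str   # the data item found during the investigation
    source: str  # where it was found from/in/on
    label: str   # data label, as used in the statistics tables

@dataclass
class Scenario:
    name: str
    threshold: int      # requirements that must hold before the target is judged vulnerable
    requirements: dict  # requirement -> set of data labels that satisfy it

def evaluate_scenario(scenario, findings):
    """Map findings onto requirements and apply the threshold rule.
    Returns (vulnerable, satisfied_count, {requirement: [findings]})."""
    hits = {req: [f for f in findings if f.label in labels]
            for req, labels in scenario.requirements.items()}
    satisfied = sum(1 for found in hits.values() if found)
    return satisfied >= scenario.threshold, satisfied, hits

def render_requirements(scenario, findings):
    """Produce the per-requirement lines of the 'Individual requirements' section."""
    lines = []
    for req, found in evaluate_scenario(scenario, findings)[2].items():
        if found:
            lines.append(f"'{req}' is considered satisfied due to the following findings:")
            lines.extend(f"  '{f.value}' (found from/in/on \"{f.source}\")" for f in found)
        else:
            lines.append(f"'{req}' is not considered satisfied based on the findings.")
    return lines

# Constructed sample findings, taken from the report section above.
HOBBY = "Personal information :: Other private associations (school, hobby, sport, political)"
DNS = "Physical/virtual infrastructure :: Names (DNS, nicknames)"
SAMPLE_FINDINGS = [
    Finding("Lars Estes Henriksen", "ESTES", "Name/job positions"),
    Finding("djoef-dk.mx1.comendosystems.com", "djoef.dk", DNS),
    Finding("Nissan X-Trail DIG-T 163 SUV 2WD 6 M/T", "ESTES", HOBBY),
]

# Assumed label-to-requirement mapping; "Email addresses", "Phone numbers" and
# "Typosquatting domains" are placeholder labels, as the report has no such findings.
SPEAR_PHISHING = Scenario("Spear-phishing", threshold=3, requirements={
    "Employee names/position": {"Name/job positions"},
    "Organizational structure": {"Name/job positions"},
    "Supplier/customer or other professional relations": {DNS, "Customer names"},
    "Personal/corporate email addresses, phone numbers": {"Email addresses", "Phone numbers"},
    "Relations (friends, hobbies)": {HOBBY},
    "Typosquatting domains": {"Typosquatting domains"},
})
```

Running `evaluate_scenario(SPEAR_PHISHING, SAMPLE_FINDINGS)` reproduces Table 5: 4 of 6 requirements satisfied against a threshold of 3, so the scenario is reported as vulnerable.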