Transcript
David Littman: Hi, Dave Littman, Truth in IT. Welcome to today's webcast, Open Source Intelligence (OSINT): Learn the methods bad actors use to hack your organization. Today's webcast is sponsored by KnowBe4. And in just a second, I'm going to be handing things over to our presenter today. Today we will be led by Rosa Smothers. Rosa has 20 years of experience in cybersecurity, is currently Senior Vice President of Cyber Operations at KnowBe4, and is also a former CIA intelligence officer. Very, very excited to have Rosa here with us today to talk about OSINT. Before I hand things over to Rosa in just a second, a few housekeeping tips. We expect today's event to go probably 40 to 45 minutes; I don't know that we're going to go as long as we normally do. But of course, we'll be taking your questions and comments in the chat room. We've got staff standing by from Truth in IT to answer any questions you might have about the video feed or the audio. But without further ado, let me now hand things over to Rosa. Rosa, I'm going to let you take it away. I'm not going to interrupt. I want you to get through this, and then I'll be back with the giveaway. Rosa.

Rosa Smothers: Thank you so much, Dave. I want to thank you sincerely, everyone logging in, for joining us today. And we welcome your questions. As Dave said, my name is Rosa Smothers. I'm a senior vice president of cyber operations at KnowBe4. And today we're going to be talking about open source intelligence, OSINT, and leveraging OSINT to improve your overall security posture as well as your security awareness training program. So a little bit about me. I'm a senior vice president at KnowBe4, and I've got, I say 20, but unfortunately it's probably over 25 years at this point, years of experience in cybersecurity. And I spent over a decade at the CIA as a cyber threat intelligence analyst and a technical intelligence officer.
I also worked at the Defense Intelligence Agency as a cyber threat analyst, and I've got a master's in network security. So, lifelong computer nerd. So again, thank you all for joining us today. I wanted to bring you some of the knowledge and experience that I've gained while working in the intelligence community. OSINT is its own intelligence source, and over the years it's become more and more valuable. You can do so much more now with OSINT than you could have even ten years ago, five years ago. So I want to show you some different ways to leverage it, and how hackers are leveraging some of these open source tools as well. And you can see some of that previously: I've done two previous webinars, so if you want some backstory, please check those out.

So, previously on Rosa's OSINT webinars. I've provided two previous webinars, one with my dear friend James McQuiggan, and the first OSINT webinar, which I strongly recommend checking out for a number of reasons. I talk about how to have a safe setup for doing your open source intelligence. You know, you don't want to infect your computer, so I strongly recommend checking that out, and I'll explain that to you on the next slide. But also, what we're going to cover today: how to conduct a cyber investigation, keeping in mind practical things like, will you have to work with law enforcement? What will they expect? What about the insurance company, etcetera. Legal ramifications, OSINT collection and OSINT collection tools, penetration testing using OSINT tools, and then some apps and analytic techniques that you can use.
Problem solving, if you want to work more in the cyber threat intelligence realm, or if you're looking for attribution. So going back to that first OSINT webinar I provided. I always say I want you to maintain a healthy sense of paranoia. It's not if the bad folks are going to be after you, it's just a matter of when. So when you're conducting these open source investigations, it's very important, and I talk about this more in depth in the first webinar, to make sure that your computer is set up to quarantine and not potentially infect systems based on certain websites you're going to, especially if you're looking on the dark web. Some websites are specifically designed to inject malicious code into your browser and subvert your system. So, again, in the first webinar I provided a couple of years ago, I go into more detail on that. But keep in mind, you want to maintain some sort of quarantine, using a VM, using a throwaway laptop, just to maintain that safety posture.

So let's go on to how we conduct an investigation. A couple of aspects to this, right. Keeping in mind all of those external stakeholders, like I mentioned on the last slide: insurance, law enforcement. So there are some basic steps. Some people will say there are five steps, some say six, seven, but this is kind of how I group the steps of an investigation, what that process looks like. So identification, obviously, that is of the essence: identifying the method of entry. Did the perpetrator, did the hacker, use social engineering? Was it an unpatched system? Was it a breached password? Those are the three main methods by which hackers and nation states gain access to your network environment, and the digital footprints. So we want you, from a law enforcement and investigative perspective, to preserve the evidence. You know how on certain police and investigative shows they're always talking about not contaminating the physical evidence.
Well, the cyber evidence is just as important to keep contamination free. In law enforcement they call it chain of custody: wanting to ensure that if there is a hard drive that the perpetrator has gained access to, or there's malicious software on it, they need to know that no one else has written to that hard drive since that incursion occurred. And typically, especially when you're dealing with a security operations center, speed and time is of the essence, because you're talking about incident response. So the faster you can identify that breach, the sooner you can obviously kick the malicious actor off of your systems and begin that recovery process.

So the next step in any process after the identification is the investigation process. I've listed here a number of very well known tools, whether it's digital forensics software, if you need to examine a hard drive or you need to examine a phone. Cellebrite is really well known in law enforcement circles for phone examinations; EnCase or Forensic Toolkit are two other really well known forensic applications. You can look at deleted files, conduct metadata analysis, whatnot. Network analysis tools, most of us know: Wireshark, NetScout, tcpdump. You want to conduct that preliminary investigation, and the goal is to identify all the systems and services that have been affected by this network incursion. That way you can kind of scope the level of damage. Was it a single corporate account that was compromised? Would the hacker have access to anything that the employee viewed? What were the privileges of that account? Was that corporate account
Someone that works in IT, an admin who has a lot of privileges on the network? And counter to that, if there was a ransomware attack, they could have potentially exfiltrated every piece of sensitive information on your network. So that's why the network analysis tools are so important: to identify not only the suspicious activity, but those data flows. And then lastly, various social media analysis tools. That can come into play if, for instance, the network incursion involves a known email address, or an email selector, because you can then run down that username, or versions of that username, across various social media accounts to hopefully conduct attribution at that point.

Then we're going to talk a little bit about analysis. Obviously, as a former CIA analyst, this is something near and dear to my heart. A lot of these investigations can encompass an extraordinary amount of data. Now, it might be one hard drive, but if you're talking about gigabytes of data, that's a lot to go through. Certain broader network examinations might incorporate a lot of external data, NetFlow data, for instance. So how do you manipulate and collaborate on all of that data with potentially outside analysts or outside experts, and then leverage various analytic techniques? I'll talk a little bit about structured analytic techniques. These are some things that I was taught at the CIA in what was called the Career Analyst Program, the track for analytic training. And you can apply some of those training methodologies here when you're conducting this sort of analysis.

Remediation. So obviously the risk assessment is so important. Now that you've got a clear understanding, you've pieced together what's happened, you can draw some conclusions about the incident and the incursion and then look for ways to resolve it. The specific actions you're going to take at this stage are really dependent upon the nature of the incident.
Again, was it a ransomware attack? Was it a social engineering attack? Was it some sort of outdated software on the network that was not anticipated, or just hadn't been accounted for in the inventory? So you've got to have that comprehensive plan for those remediation efforts, and then you've got to have documentation, documentation, documentation, again for reporting purposes. That documentation is so important, as I mentioned earlier, because in some cases your organization may want to involve law enforcement if you think you're being attacked by, for instance, a nation state, potentially the Lazarus Group, the hackers that are typically attributed to North Korea. That would be an instance in which, if you suspect that it looks like a lot of the methodologies are very similar, it's a ransomware attack, you might find that some of the malicious software on a hard drive is the same. Well, at that point, you're going to want to reach out to the nearest FBI field office, or you might want to report that incident to CISA, which is the Department of Homeland Security's cyber investigation and cyber incident organization. And whatever documentation you can provide showing the timeline, showing the tools that you used, your findings, potential attribution, every little bit of that is going to help you in the investigative process. Because certainly when it comes to especially the Department of Justice and FBI, it can take a long, long time, because they are inundated, unfortunately, with these hacking cases, whether it's nation state hackers, hacker groups, etcetera. So the more that you can do up front to build the case for them, document, document, document as best you can, the better off everyone's going to be, and the more expedient the approvals process can be for their willingness to jump in on an investigation.

So next I'm going to move on to open source collection.
It's 2023, soon to be 2024. It's increasingly easy to hack technology and even easier to hack humans, quite frankly. There's so much information out there now. Every day we go to a website and we are inundated by these flags that come up and say, do you accept all of the cookies or do you want to accept none of the cookies? And most of the time we're in a big hurry, so we just do all or none. People rarely take the time to go in and designate necessary cookies only and then turn the rest off. So the thing about these cookies is that they're pulling all kinds of information out of your web browser, and then that information is sent to companies that are called data brokers. And there are an increasing number of these data broker vendors out there. It's massive. Last time I checked, there were well over 750 of these data broker companies out there. And because we don't have the privacy laws in the United States that our European partners do with GDPR, it is a very large and vast ecosystem. These organizations don't steal your personal information. They gather the information from the public, and they package it nicely and they put it on the market. So there are brokers that are really well known, like Spokeo or ZabaSearch. They've been around for a very long time, but there are increasing numbers of these data broker vendors because it's a very large market. They're collecting information based upon your web browsing history. They've got your name, your state, your address, just enough data to confirm who you are, where you're located. And so someone who's looking for you, from a hacker perspective, doesn't have to pick just one data broker site. They can go to multiple data brokers where your information has been harvested, and they can build entire profiles of you based upon that information. These data brokers know as much about you as your Amazon cart and your Netflix queue.
And again, there are at least 750 of these companies currently. There are some vendors out there, from a personal security perspective, that actively remove your information from these data broker sites. So it is something that, from a hacker perspective, goes like this: I'm going to go to these data broker sites. I'm going to look at my targets of opportunity, who are going to be the individuals in the company that are higher profile, that have great administrative access on the network, because I want those network privileges and those permissions. I'm going to build that profile based on the information that's gleaned from these data vendors. It costs me a couple of bucks to get a membership with these various organizations. I download the information in a report, and at that point I start building my plan, whether it's the hacking plan of technical hacking or social engineering hacking, which is where your security awareness comes in. You can build profiles on social media, on LinkedIn, Facebook. Again, going back to the North Koreans, and the Chinese intelligence services, they are often building LinkedIn profiles and trying to engage with people because they want your intellectual property. So this is a prime example of a huge resource of information out there that a lot of people don't even know exists. And there's an enormous amount of information on the key people in your organization. So again, from a security perspective, I strongly recommend a program that allows at least your, what I would call, high value target employees to use some sort of a data cleaning service. There are a number of them out there, so please consider that as part of your overall cyber hygiene.

So now I'm going to go into a couple of walkthroughs and give you some demos on what I call very user friendly ways to look for people via social media. What I like about these is a lot of these tools are just super easy to use.
If you're in the middle of an investigation, you don't have time to learn super complex apps. You don't need a PhD to use a lot of the tools I'm going to show you, and several of them are in fact free. So the first one I'm going to show you all is called WhatsMyName. It's a web based app. A lot of developers were involved in building this app out, and the interface is super easy to use. As you can see, it doesn't require a great deal of explanation. You just copy your username or your email address, or email selector as we say in the intelligence community, and paste it into the search bar. So in this case, I'm just going to look for John Doe, because that's a very generic username. Now, you can add multiple accounts in here. You could also do a comma and then a Jane Doe. But we'll stick with John Doe for now. And also, to highlight over here on the left, these category filters. So for instance, if you know that your suspected hacker is into health, is potentially a weightlifter, or is a musician, plays guitar, or is a gamer, you can highlight these specific groups, and then WhatsMyName will focus its search on those specific repositories. But I always like to start out with all and then kind of hone down my search from there. So we'll check this out. Simply hit the search button, and then boom, look at all of these results. It's fantastic. And it's great because this is so much better than doing a general DuckDuckGo or Google search, because you're seeing not only the sites, but I like seeing the categories: that it's social, financial, hobby related, art related. Because knowing the types of interests that your target has really helps you build out a profile of the individual. And what's a great testament to the WhatsMyName web app is that it's actually been integrated into several other OSINT tools, one in particular, SpiderFoot, of which I'm also a big fan.
So yeah, again, I'm a big believer in ease of use, because when you're conducting an investigation, often time is of the essence, and it's very easy to have all hands on deck with these very easy to use web interfaces. So WhatsMyName web: definitely check it out for use in your investigations.

So another great and, more importantly, free and easy tool is this Namecheckup.com account. It's actually made to check the availability of usernames and domain names on social media and across sharing platforms, as you can kind of see here towards the bottom of the screen. But it's great for investigative purposes, because you're looking at it from the perspective of process of elimination. So for example, we'll stick with our John Doe. Run that search, and look at the username data that is populating. So we're really focused on the grayed out boxes, these kind of pale pink gray boxes, because that means a username has been taken at that social media website. So then, at that point, you would click on GitHub, Medium, Pinterest, and then log into that social media account and drill down on the username, check out the user's activity. Again, you're building that profile of your suspected hacker in this case. So again, free and easy to use, super simple. And it allows you to refine your search. So if you're going on Facebook or Meetup or Pinterest, you can drill down. And investigations are an iterative process, so you start sifting from that large base of information. So in this case, all of these accounts where that John Doe username is at work, you start drilling down individually and then looking for commonalities among all of those accounts to see if this is the same John Doe across Medium, across Pinterest, across Periscope and whatnot. So again, it's a free and easy tool, just another easy tool in your toolbox for your investigative needs.
So next I wanted to familiarize you all with OSINT Framework. It's kind of a great bridge between talking about OSINT collection, and then we're going to transition next to pentesting and attack surface, because this does a little bit of all of that. It was really designed to gather information from free tools or resources. But over time, the more information it gathered, some of them did require registration or payment. So you'll see the legend up here at the top of the screen: which ones require registration, where there may be some sort of payment required, or if you have to install something locally. Not everybody wants to do that. Most folks really prefer to do web based only instead of running code on their local machine. So the great thing about OSINT Framework is, again, it's very point and click and category based. So it makes searches incredibly easy: username, email address, domain name. Lots of useful resources appear in the form, as you see, of a subtree. For instance, when you're looking under IP address, you can see all kinds of things like protected cloud services, general registration information, Border Gateway Protocol, network analysis tools. And the same thing happens with other locations like email address. Let's see, where's email address? Here we are. Email address. Information to include breach data. So KnowBe4 uses a really great website called Have I Been Pwned, and this is one of the information websites that they collect information from as well, breached data information. So it's just a great all around tool. And again, it's both technical and non-technical: images, videos and docs, social network information, people search engines, but also more technical information available as well, like metadata, dark web information. Very valuable, because again it keeps you off. Anything that keeps you off the dark web is going to keep you safer.
So if you can leverage these sorts of collections from the dark web collection here, or from DeHashed, or Have I Been Pwned, the safer you will be. Exploits and advisories. So this is just a great information resource. It's, again, kind of similar to Shodan or Censys or some of the others for Internet of Things devices. But having the social network data incorporated really helps to make it a truly holistic tool. So even when it comes down to phone numbers and whatnot, it's a great overall resource. I highly recommend folks leverage this, because the ways that you can get some data out of any target that you're investigating are just almost unlimited, and that is certainly what the hackers out there are doing right now. They're using tools just like this to investigate you and your organization. Right. So, keeping in mind, a lot of this is very much involved with the collection of, it's not just social networks in the way that we typically think of them. It's also media sharing networks, discussion forums, curation and content environments, blogging, things like that. So it's a huge collection of information, incredibly beneficial.

So I wanted to move on next to talk a little bit about everyone's favorite, Kali Linux and Metasploit. I'm not going to go into a big demo. I'm just going to talk about it briefly, because really, these require the end user to know how to leverage Linux, and likely how to write Python. Now, I would highly recommend, if anyone really wants to get into the nitty gritty, to go to kali.org, Kali Linux.
It's an open source Debian based Linux distribution, and it's really geared, structured from the bottom up, for security tasks: penetration testing, security research, computer forensics, as I mentioned earlier, and even reverse engineering, if you really want to get into the weeds with your malware. And you can buy VM based, USB based, all kinds of different versions of it. It comes prepackaged, which is incredibly helpful. Now I want to talk to you briefly about Sherlock, which is a social media tool that's available on Kali, and you can also get it off of GitHub if you have a GitHub account. But it's great because it finds usernames, kind of similar to the open source tool I just showed you, OSINT Framework. It can pull usernames from upwards of 300 different sites. It's free, it's open source, it's written in Python, but it's a really great, powerful way to correlate usernames across so many different media. And then lastly, Metasploit. I am asked pretty frequently, actually: does the intelligence community use Metasploit? Do hackers use Metasploit? Yes, hackers, whether they're in the intelligence community or wherever they're living, are going to use the best tools at hand. Some of them are going to be written by the organization, but some of them are public and available. And Metasploit is a great, great tool. It's a great pentesting framework that I can guarantee you the adversaries are using to check your environment out. Security engineers use it, red teams use it, as a pen testing tool and as a development platform. So it allows for the creation and building of both security tools and exploits. So it works for both attackers and defenders.
So I would recommend, if you've got the time and the willingness to do it and you want to learn some command line, or if you already have a mastery of it, I'm sure you're already using Kali and Metasploit and Sherlock. But if you don't, these are: an operating system, Kali Linux, and these two tools, Metasploit and Kali. I highly recommend looking into all three of these if you want to really dig deep into the command line for both pen testing and for just general OSINT work.

So speaking of pen testing, I want to talk a little bit about attack surface planning and how that works in terms of the OSINT tools. So several of these tools that I've already shown you, obviously, it's not just about the social engineering aspect; it's also the network attack surface environment that a lot of these tools are helping you locate. And again, whether it's Metasploit or whether it's OSINT Framework, a lot of those are going to help you with some general attack surface stuff. I mentioned previously Shodan and Censys, or some other examples that I showed in a previous webinar, my second webinar with James. So I want to show you now one of my favorite websites, which I'm quite a fan of, and I don't think nearly enough people are taking advantage of it. It's called CentralOps. So, thinking in terms of the hacker's perspective when it comes to pen testing, and again, in keeping with looking for tools that are preferably free and easy to use, not all of them are, but I'm trying to show you some of those in that vein. CentralOps is a great website. I've been using them forever. They are very much to me like the Wayback Machine, the Internet Archive, archive.org. They're just an oldie but a goodie. They provide free online network tools, tools that I'm sure most, if not all, of us are aware of: traceroute, nslookup, ping.
We all know those from back in the early days of the internet, but they also have some great tools like Domain Dossier. The Domain Dossier tool generates reports from public records about domain names and IP addresses, and that can really assist in cyber crime investigation. So there are a couple of applications that can be leveraged using these tools. Network troubleshooting, obviously: ping, traceroute, DNS lookups. Those go without saying, right. Domain name research: the whois lookup tool is always going to be very handy in that regard. Also network security and email analysis. So Email Dossier, I really like this one. I put in my email selector, my KnowBe4 account here, rosa@knowbe4.com, and I select go, and I can see in no time flat that we are in fact a G Suite based company. Now, that helps me from a hacker perspective, because that already tells me certain things about your network environment: the rules that might be in place in terms of phishing attacks, whitelisting, things along those lines. So super helpful in terms of building the overall profile of the target from the hacker's perspective. CentralOps does have APIs that you can also leverage. And I would note that it was back in '06 or '07, fairly early into my agency, CIA, career, actually, I remember CentralOps was purchased by this organization, Hexillion. So Hexillion supports a lot of organizations in conducting and providing tools for investigating and exploring and troubleshooting internet address information. And you can see here the whois API is available. And I strongly recommend, for those of you that want to dig a little deeper into these network tools, to set up an account with Hexillion; you'll learn a lot. CentralOps obviously remains a standalone website, but you can utilize Hexillion tools as well if you want to. And they run that for a small fee, I believe.
So as I mentioned at the top of our webinar, my dear friend and colleague James McQuiggan and I did an open source intelligence webinar last year. And in that webinar, I talked about two Internet of Things cyber intelligence search engine related tools called Shodan and Censys. So in keeping with that, and in keeping with wanting to maintain a degree of relative simplicity to hasten investigations, and also kind of to show you the ease with which hackers can assess vulnerabilities, I wanted to show you Criminal IP, again, similar to Shodan and Censys. Sometimes it just comes down to which user interface you prefer. So Criminal IP, as I mentioned, is a cyber threat intelligence search engine. It detects personal or corporate cyber asset vulnerabilities in real time. It facilitates responses accordingly. So if you can see those vulnerabilities on your website, you know how to respond to them. With this sort of tool and functionality, you can find all types of internet facing information on malicious IP addresses, phishing sites, malicious links, bad certificates, servers, IoT devices, CCTVs, all kinds of stuff. So I wanted to give you a little walkthrough on just how some of this functionality works, just how easy it is to find this information. So for instance, the asset search: this is just a list of recent scans. These various search engines have bots that are going out and looking for all of these internet connected devices. So the scan will show, as you can see here, the IP address, the scoring information. The scoring information is basically just the triage: the inbound and outbound IP risk scores, safe, low, moderate, dangerous, critical. Now, you see here these are mostly moderate to critical in range. The known vulnerabilities, the number of vulnerabilities associated with the IP address.
And then a summary of open ports running, if there's past abuse history, and also any vulnerabilities that are hidden. And you'll see a lot of these tend to be webcam and CCTV related. So the next one I wanted to highlight for you is domain search. So here we are, domain search. It's a feature that scans the target domain. So if the hacker is focused on your domain and your IP range, that's what they're going to plug in here. Or a hacker just going by target of opportunity is just going to look in here and see which ones have high critical vulnerability. Because as you can see, there are a lot of them available and still very active. This was 39 minutes ago. So, again, it lets you target your specific domain in real time. It provides comprehensive information. It's got a risk score based on whether the website might be used as a phishing domain, whether the website contains malicious links, if it has valid certificates. So this would be helpful from an admin perspective. If you're getting consistently phished from a certain IP address, a certain URL, then you can go and safely check out that URL or IP address from this console instead of going directly to the website itself. Because as we know, a lot of websites can contain malicious software that is literally just trying to inject itself into your browser. So this is a safe way to check out those potentially dangerous websites. And then from a hacker perspective, it's a great way to shop around for highly vulnerable websites. And another really, this is my personal favorite, this is an exploit search. And just as it sounds, this exploit feature allows you to comb through all the known vulnerabilities, the top CVE IDs. So take a look at this. This is amazing. And look at how old some of these are; some of these vulnerabilities are going back to 2006. So this is just old software. It's unpatched software.
That's one of the easiest ways for a hacker to get into an organization. You're essentially leaving your front door unlocked. So it allows you to comb through those vulnerabilities globally and get the details on the actual exploit code for each corresponding service. So again, from a hacker perspective, if I have a tool, if I have some malicious software and there's a known vulnerability I can apply it to, I want to leverage that malicious software against that vulnerability. I simply look for the vulnerabilities associated with it. It's the right tool for the right job. So I can leverage the exploit, leverage my tool, and find the right vulnerability against my intended target. It's just as simple as shopping around based on the CVE ID. So a lot of you can use this almost, if you will, the way a red team would. You can check out your domain safety, use your IP ranges, check for internet-connected devices, etcetera. But the lesson here is also just how easy it is for the bad guys and bad gals to look for targets of opportunity. So again, they might be targeting your organization specifically. This could be a disgruntled former employee, an insider threat, something like that. Or it's simply individuals looking for targets of opportunity. And lastly, just very quickly, there's also this image search. This is a little different than a Google image search. I mean, it's similar in that, yes, it is an image search. But after you conduct an image search using terms like phishing or webcam, you can view the specific images of those assets that are vulnerable to cyber threats. So it only retrieves images that indicate a potential cyber threat based upon your reference. And also, this part is paid for the organization, but you can also leverage Criminal IP's attack surface management software as well.
So again, in keeping with trying to keep things as simple and straightforward as possible, this is another quick and easy way that hackers check for vulnerabilities and an attack surface. But it's also a way that you can use these same tools to check for vulnerabilities and get them patched as quickly as possible. And lastly, I wanted to review ipinfo.io. It's a great little website. Again, it's very straightforward. You don't need a PhD to use it, but it's great for cybersecurity use cases. You can leverage this for managed detection and response, identity and access management, and security operations centers, to monitor traffic and login attempts, identify malicious traffic, things along those lines. And even looking at your overall cloud security management and posture, you can identify risks or misconfigurations. Some of the biggest cloud-based risks are just the non-configured containers. That's typically when we see issues with cloud security. So this helps map assets and discover vulnerabilities for your security teams as well. But again, if it's going to do that for security teams, it's going to do that for hackers also. So it's another great, very easy to use, simple web-based tool for that security and attack surface work.

So now let's transition. We've talked about all kinds of ways to collect social media and network data. So let's talk about, now that you've gotten all of this information gathered, what on earth do you do with it. You need apps, and you need to think about how to work with the data. So if you don't have a cyber threat intelligence shop, or if you don't have a lot of in-house expertise on this, it can get really in the weeds on various methods of analytic techniques. So I think I'm going to just keep it very broad based and talk about structured analytic techniques. So yes, of course I'm going to have to mention some CIA analytic stuff because, hey, that's my background.
So this is a great book. Well, it's a PDF available on the CIA's website. It's about 40-plus pages long, so it's pretty dense reading. But it's for if you want to learn about analytic methodologies, and these work for cyber intelligence and analytic work as well as non-cyber, real-world things. These structured analytic techniques are methods for analyzing intelligence data and reaching conclusions. So in this case, a lot of that's going to be attribution related from the cyber context. They were built to help avoid bias and unchallenged assumptions, and intelligence analysts in a number of fields, including cyber threat intelligence, can use the lessons that are in this tradecraft primer. So I would highly recommend checking it out. It talks about diagnostic techniques. There's a key assumptions check, a quality of information check, an indicators of change check, and then a big one that we worked on when I was in the career analyst program was the analysis of competing hypotheses. So a lot of these techniques are things that we were pretty familiar with, like devil's advocate or red teaming, team A versus team B, really challenging assumptions and suppositions. So again, this is very helpful when it comes to the potential attribution portion of your investigation, in those findings and the documentation you may be providing to law enforcement or insurance. And I also wanted to give a brief shout-out to a really great book, Attribution of Advanced Persistent Threats. Dr. Steffens wrote this amazing book. It's a very, very dense book, but it talks about APTs, advanced persistent threats, and the attribution process. It goes into more detail. We've talked a little bit about it here, but he really gets into the meat of the subject: malware analysis, geopolitical analysis, telemetry data, doxing, false flags, all kinds of things.
He even talks a bit about the ethics of attribution, because it is cyberspace, and things like geolocation are very difficult to do. So that is always something important to keep in mind. So those are the analytic techniques, some general ideas I wanted to raise to your attention.

Okay. So what do you do with all the data itself, the data collected from the hard drive, the NetFlow data, the data you've pulled off of your routers? Well, there are a host of software applications out there. So I just wanted to raise some of the major tools that I'm familiar with. So Analyst's Notebook is really one of the analytic tools I used the most when I was at CIA, and law enforcement uses it a lot, police officers and the FBI at the federal level. It's a visualization tool, and it's got some great data import features. There is a timeline functionality. The design could use some updating, but it's a very reliable piece of analytic software. You can build mapping data, timelines, things like that. And it's very easy to use. Again, you don't need a PhD to use it. And then Maltego. It's really nice if you have the ability to sort of write your own transformations. I don't believe it has a timeline feature, but I know a lot of OSINT data vendors have written a lot of transformations for their data sets, which is really great. So you can use Maltego for both the analysis of already collected data, or you can use it to collect data directly from the tool. It just depends on what your needs are in that moment. So those are two big players in the space. And they are not the most inexpensive options, but they're very functional for what they do. Now here's the part where you're probably really going to want to throw virtual tomatoes at me for saying this, but another tool: Microsoft Excel. Look, most of us already have it.
I know a lot of amazing data scientists that reliably use Excel for data analytics, and there are a lot of examples out there that people can use, and safe, non-malicious macros out there that people can use for their data analysis. It's probably already on your desktop. And a lot of people, when you have Microsoft Excel jitsu, you're invaluable to the organization. So it's a tool I consider part of your overall analytics suite.

And with that, in summary: stay vigilant. Remember to protect and preserve all of that data. Make copies, preserve the originals. Make sure that when someone's using EnCase or FTK (Forensic Toolkit) or Cellebrite, everything is write protected, so they can make a copy of the master, but the master remains untouched. That's vital to any investigation. Use a wide variety of tools, because it's going to give you varying degrees of and different types of information. You're going to get different returns, and that's going to help you in your overall investigation. And then you want to marry all that information together and see what the inconsistencies are, or the consistencies. See where things overlap, see where the outliers are in terms of differentiation of the data collected. Really consider all of your options. Don't make any assumptions about it. Don't assume it must be a competitor company trying to steal your intellectual property. It could very well be North Korea trying to steal your intellectual property. They do that as well. So does China. So allow for different analytic conclusions and different points of view.
And beware of the threats that we've talked about, both to your network and to the individuals that allow for these network attacks within the organization, these social engineering attacks that we're always talking about: training your users to get smart on them, to resist those attacks and report those attacks, keeping in mind that leveraging security culture from both a network perspective and a purely cultural, social perspective is so important to maintain that vigilant posture. So I hope some of this was new and beneficial to you all. And with that, I thank you for attending, and have a great rest of your day. And I'm going to send it back to Dave.

David Littman: Okay, Rosa, great job. Thank you so much. It was such an honor to have you here today. Thank you again. Thank you for your service. Many thanks to KnowBe4 for sponsoring today's webcast. And of course, many thanks to you, our audience, for being here with us today. Thanks again for coming. We want to wish you a great day ahead, a great Thanksgiving. Thank you again. Be well. We'll see you at the next event.