By: J.T. Webb
In the digital age, where information is abundant and interconnectedness is the norm, Open-Source Intelligence (OSINT) and social engineering pose significant threats to cybersecurity. OSINT refers to the practice of gathering information from publicly available sources such as LinkedIn, Facebook, and X (formerly Twitter), while social engineering involves manipulating individuals to divulge sensitive information or perform actions that compromise security. Together, they form a potent combination that can exploit vulnerabilities in both systems and human behavior. Understanding these threats and their risks is crucial for safeguarding against cyber attacks.
The internet has democratized access to information, enabling anyone with an internet connection to gather data on virtually any topic or individual. OSINT leverages this wealth of publicly available information to gather intelligence that can be used for various purposes, including cyber attacks. Techniques such as web scraping, data mining, and social media analysis are commonly employed to collect information ranging from email addresses and phone numbers to organizational structures and technological infrastructures.
While OSINT itself is not inherently malicious, when used by threat actors, it can facilitate reconnaissance for more targeted and effective attacks. For example, threat actors can use OSINT to identify potential vulnerabilities in a company's network infrastructure, gather personal details for social engineering attacks, or even track the movements and activities of specific individuals for surveillance purposes.
Social engineering exploits human psychology and interpersonal dynamics to manipulate individuals into divulging confidential information, clicking on malicious links, or performing actions that compromise security. Unlike traditional attack methods that target technological vulnerabilities, social engineering targets the weakest link in any security system: people.
Common social engineering techniques include phishing emails, pretexting (creating a fabricated scenario to elicit information), baiting (luring victims into a trap), and tailgating (physically following someone into a restricted area). These techniques prey on human emotions such as curiosity, fear, or eagerness to help, often resulting in individuals unwittingly compromising security protocols.
For example, in a recent social engineering engagement, the Elliott Davis Penetration Testing team was able to obtain an employee’s organizational password. This was done by using a known application to create a temporary, disposable phone number originating from the company’s location and creating a pretext claiming that we were “James” with the IT department. We stated that we had received some detection alerts regarding unusual activity from the employee’s account and wanted to verify whether the employee had noticed anything suspicious during their workday or had any issues with anything such as Outlook or SharePoint.
The employee stated that they hadn’t noticed anything unusual, but that they had received a phishing e-mail earlier that day and had deleted it. We stated that we were looking at the alert logs and could see the following password being used to log in, and called out a random, fake password developed by the tester. The employee stated that that was not their password but that it was close, so we then asked if they could provide their current password so we could update our records and reset their account on our end in case someone was trying to do anything malicious. The employee proceeded to provide their password, after which the tester repeated the password back to the employee, and the employee confirmed that it was correct.
The tester proceeded to log into Office 365 with the employee’s credentials and told them that they would be receiving a text message with a code and that this would let us know that our changes had taken effect, and they verbally provided the MFA code. The tester successfully logged into the employee’s Office 365 account, told the employee that the account changes had been updated successfully and that they were good to go, and ended the call.
The convergence of OSINT and social engineering amplifies the risks posed to individuals, organizations, and even governments. By combining information gathered from publicly available sources with psychological manipulation tactics, threat actors can craft highly targeted and convincing campaigns that bypass traditional security measures.
For individuals, the risks include identity theft, financial fraud, and reputational damage. Cybercriminals can use OSINT to gather personal information from social media profiles, online forums, and public databases, which they can then leverage in social engineering attacks to gain access to sensitive accounts or manipulate victims into transferring money or disclosing passwords.
Organizations face even greater risks, as a successful OSINT and social engineering attack can lead to data breaches, financial losses, and damage to their reputation. By gathering intelligence on employees, suppliers, and partners, threat actors can tailor their social engineering attacks to exploit specific vulnerabilities within the organization's security infrastructure, such as weak passwords, unpatched software, or inadequate training and awareness programs.
Elliott Davis’s approach is different from the phishing platforms that are widely known and used today. Our Penetration Testing team specializes in tailoring social engineering engagements to suit the unique needs and vulnerabilities of each client. Unlike standardized approaches, we meticulously craft scenarios that mimic real-world threats specific to your industry, technology infrastructure, and human factors. By customizing our social engineering tactics, we effectively uncover weaknesses in your organization's security posture, providing actionable insights to enhance your defenses against targeted attacks.
Addressing the dual threats of OSINT and social engineering requires a multifaceted approach that combines technological solutions, robust security protocols, and ongoing education and awareness efforts.
Technological Solutions: Implementing advanced threat detection and prevention systems can help organizations identify and thwart OSINT and social engineering attacks before they cause harm. This includes deploying email filters to detect phishing attempts, using endpoint protection tools to detect malware, and employing network monitoring systems to detect suspicious activity.
Security Protocols: Establishing strict access controls, enforcing strong password policies, and conducting regular security audits can help mitigate the risks posed by OSINT and social engineering attacks. Additionally, organizations should implement encryption protocols to protect sensitive data both in transit and at rest, and regularly update software and security patches to address known vulnerabilities.
Education and Awareness: Educating employees about the risks of OSINT and social engineering is paramount to building a resilient security culture within organizations. Training programs should cover topics such as recognizing phishing emails, verifying the authenticity of requests for sensitive information, and reporting suspicious behavior to the appropriate authorities. By empowering individuals to identify and respond to potential threats, organizations can significantly reduce their susceptibility to social engineering attacks.
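The engagement above ended with a successful Office 365 sign-in from the tester’s own location, authorized by a text-message code the employee read out over the phone. The monitoring step recommended here can catch that pattern: a successful sign-in using an SMS one-time code from an IP address and device the user has never signed in from before. The following is an added example, not Elliott Davis’s code; the sign-in events and their field names (`user`, `ip`, `device`, `mfa`, `result`, `ts`) are constructed for illustration and are not any vendor’s real log schema.

```python
import json
from collections import defaultdict

# Constructed sample sign-in events for this example (not real logs);
# the field names are an assumption, not a vendor's actual schema.
SAMPLE_LOG = """\
{"user":"alice","ip":"198.51.100.10","device":"desk-1","mfa":"sms","result":"success","ts":"2024-03-01T09:02:00"}
{"user":"alice","ip":"198.51.100.10","device":"desk-1","mfa":"app","result":"success","ts":"2024-03-02T09:05:00"}
{"user":"bob","ip":"198.51.100.22","device":"desk-2","mfa":"app","result":"success","ts":"2024-03-02T10:00:00"}
{"user":"alice","ip":"203.0.113.77","device":"unknown","mfa":"sms","result":"success","ts":"2024-03-03T14:31:00"}
{"user":"bob","ip":"203.0.113.9","device":"unknown","mfa":"sms","result":"failure","ts":"2024-03-03T10:20:00"}
"""


def parse_events(text):
    """One JSON object per line; blank lines are skipped."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def build_baseline(events, cutoff):
    """Per-user set of (ip, device) pairs seen in successful sign-ins before cutoff.
    Timestamps are ISO 8601 strings, so plain string comparison orders them."""
    seen = defaultdict(set)
    for e in events:
        if e["ts"] < cutoff and e["result"] == "success":
            seen[e["user"]].add((e["ip"], e["device"]))
    return seen


def find_suspicious_signins(events, cutoff):
    """Flag successful sign-ins on or after cutoff that were approved with an
    SMS one-time code from an (ip, device) pair the user has never used.
    Failed attempts are ignored here; they belong in a separate brute-force rule."""
    baseline = build_baseline(events, cutoff)
    alerts = []
    for e in events:
        if e["ts"] < cutoff or e["result"] != "success":
            continue
        if e["mfa"] == "sms" and (e["ip"], e["device"]) not in baseline[e["user"]]:
            alerts.append({**e, "reason": "SMS code accepted from unfamiliar source"})
    return alerts


if __name__ == "__main__":
    for a in find_suspicious_signins(parse_events(SAMPLE_LOG), "2024-03-03"):
        print(a["ts"], a["user"], a["ip"], a["reason"])
```

The alert is a prompt to call the employee back on a number from the directory, not proof of compromise; a legitimate new laptop produces the same event.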
Today, creating a secure organization requires specialized knowledge and expertise in order to stay at least one step ahead of hackers. Hackers are constantly enhancing their skillsets to identify weaknesses to exploit. Using the same adversarial mindset used by hackers, Elliott Davis can help organizations identify weaknesses in their networks and help secure them. Elliott Davis’s penetration testing services will emulate real-world attacks and highlight areas needing improvement and/or additional investment.
Contact a team member to learn more about our penetration testing services.
The information provided in this communication is of a general nature and should not be considered professional advice. You should not act upon the information provided without obtaining specific professional advice. The information above is subject to change.