Just read, or re-read “Sailing the Sea of OSINT in the Information Age” by Stephen C. Mercado from the Studies in Intelligence Volume 48, number 3. I’ve had this for a while, I bought it 2013. Which is part of why I don’t remember if I read it before. It’s available from the CIA’s Library. It’s an article from the CIA’s Peer Reviewed Journal.
I found it very informative, even for something originally written in 2007. While today, I think most of us in IT, think of OSINT as mainly tracking social media accounts (what some call SOCINT), it really goes beyond it.
The main points that were brought up:
OSINT has been there for a very long time, since the beginning of Intelligence programs in the United States. It just hasn’t ever been formally given a department like others.
It’s based off public media like magazines, books, news papers, radio and TV broadcasts.
There are not enough people who understand foreign language / culture to get proper use out of OSINT.
There is things in the public space where OSINT lives that comes out better than in some of the other sources of intelligence. An example was information gathered by the Japanese about a former KGB officer. “The resulting book and Levchenko’s press conferences were, according to a US intelligence officer, more revealing than his CIA debriefing”.
Which oddly ties in to something I saw on my Firefox browser recently.
So I’m curious, do we as a mono-langauge culture really have the skills we need to do intelligence. How many data leaks are found on foreign language hacking forums?
The article is worth the read, and brings up some good questions. I liked Mercado’s recommendation on making the Foreign Broadcast Information Service an intelligence service again, put OSINT under it, like how the NRO has IMGINT, and create incentives for people to study things like language and culture to increase the ability of the agency.
This is a blog post I’ve been meaning to write for a few months now. It’s based in part off a twitter conversation that carried over in to a phone call. It is also something I’ve personally observed, a trap I fell in to, and heard other Threat Intelligence people say they observed. And while reading Cyint’sfavorite tweets of 2016, I finally decided to sit down and write.
So my answer is, as many as it takes to break out of our own echo-chamber / choir and figure out how to talk to our Cybersecurity peers and the stakeholders. So everyone is able to understand what is being bought. So here is yet another article talking about Intelligence vs Data Feeds being sold as Intelligence.
Companies are selling data feeds while calling it intelligence.
I re-wrote a script I use at work. It was a messy bit of Python 3 previously. While it’s still not the cleanest of python scripts, it scratches my itch. It was originally just a straight line of commands with lots of repeated code. I made some functions and made it a little more modular. I know I need to learn PEP8, and start following it. This was just to improve something that I wrote previously with things I learned from Automate the Boring Stuff with Python.
I’ve shared it via my GitHub repository for DFIR scripts. They’re clean (not tied to any company). There is only Computer Ping for right now. There are 3 scripts all based on the same idea.
Ping a computer, if it is down, keep trying every 10 minutes for 1 hour. Pop an “alert” if the target is up, or the script finished before it came up.
1 version for Windows running python (wComputerPing.py)
1 version for Windows running Cygwin (cwComputerPing.py)
1 version for boxes running Linux. (lComputerPing.py).
I’ll write others and upload to the repository as I have time / re-write stuff I use. They might not all be Python, but my goal is to be more Python than not.
An industry mailing list I’m on recently had a conversation that started asking about Master Degrees but had some hiring managers chip in. They said a question they tend to ask is to have the candidate tell about their home lab.
I’ve been asked this question a few times in the past, and I’ve asked people this question in job interviews. I know it’s to find out what kind of passion the candidate has for the job, but I think it’s starting to become a bad question to ask.
Has anyone else noticed that Bing has lots of Domain Generation Algorithm (DGA) links in the search results? it isn’t on every search, just some searches. But the same search result at Google doesn’t return the DGA links.
I’ve made it through the June and July 2013 posts on Malware Traffic Analysis. I’m starting to understand his process more, and partially how he came to follow that process.
Mainly from what I could tell, and was confirmed in the blog posts, and via twitter, The site explodes malware on systems and gets pcaps for those systems. Then looks to see what call outs are there. The exercises and blog posts, so far, have only shown 1 ip address. Which makes it easier than a full corporate network to find the traffic.
Something I noticed. While Malware Traffic Analysis says to configure Wireshark one way, the blog posts of late show it’s now configured a little differently.
Click this Panic button to reset everything. Go look at this pcap in Wireshark. Run this command in cmd.exe (and even walks the student through opening a term window by go to the start button, type cmd in the run box).
Run Snort with the test option on a pre-defined rule set using the pcap you looked at. Modify the same rule multiple times, enabling and disabling an alert each time. Run to see the difference.
Answer these 10 questions.
The last question was how to improve the class… I forgot to say use a Linux VM instead of a Windows VM. Since one of my answers did require Grep. Which means copy and paste from the VM lab to my box connected to the lab.
I’m working through Violent Python. I’m still working on the Automating Python stuff to, but that requires WingIDE and I only have 1 license for that. Which means run on a VM at home.
Violent Python suggested an IDE at the beginning, but the examples are written in a way (at least in the first 2 chapters) so I can SSH to my multi-purpose server and do everything via VIM and the CLI.