Dragos OSINT Framework


Whitepaper

OPEN SOURCE INTELLIGENCE
DECEMBER 2020

By Casey Brooks & Selena Larson


DRAGOS, INC.
[email protected]
@DragosInc
EXECUTIVE SUMMARY

Publicly and semi-publicly available data, referred to
as open source intelligence, can enable an adversary
to develop targeting, identify access and ingress to a
target, and understand how a target may respond to
disruptive attacks on infrastructure. Adversaries who
target Industrial Control Systems (ICS) for disruptive
purposes seek open source information to plan and
execute attacks that are different from adversaries
targeting traditional enterprise resources. For example,
Dragos observed adversaries conducting ICS-targeting
activities that sought data about energy infrastructure
and physical processes necessary to recover from a
compromise. With this data, an adversary could target
operational functions that are pertinent to recoverability
to further the consequences of an attack.

Dragos created an Open Source Intelligence (OSINT) collection risk framework
to help defenders better identify and restrict openly available information
most valuable to adversaries intending to disrupt critical infrastructure. This
framework helps prioritize countermeasures and mitigations to deny an
adversary the opportunity to use OSINT collection against a victim.

TABLE OF CONTENTS

What is Open Source Intelligence?
  Key Information Types
Targeting ICS
Developing an OSINT Security Assessment
  Scope the Scenarios
  Collaborate Across the Company
  Detail the System and Network
  Identify Sources and Collect Information
  Conduct Analysis and Risk Assessment
OSINT Collection and Risk Scoring Matrix
Priorities of Defense and Mitigation
OSINT Collection Mitigation and Vulnerability Remediation
Taking Actions
Conclusion
Appendix
  Definitions
  PODAM Worksheet

WHAT IS OPEN SOURCE INTELLIGENCE?

OSINT covers a wide variety of applications. Fundamentally, OSINT refers to the
collection of publicly and semi-publicly available information that is used to inform
multiple functions including intelligence gathering and reporting, business and policy
analysis, and adversary attack development. For the purposes of this report, Dragos
will focus on OSINT from a cyber threat intelligence perspective, with applications for
Industrial Control System (ICS) asset owners, ICS operators, and adversaries.

Adversaries and defenders collect OSINT from a variety of sources. This is not an exhaustive list but demonstrates the
types of publicly available information that could facilitate attack planning:
» Search engines
» Social media websites
» Job listings
» News websites
» Company websites
» Vendor websites and documentation including installation documentation containing default passwords
» Financial and legal resources such as 10-K filings or indictments
» Government and regulation authority body websites
» Reconnaissance tools such as Shodan [1] or Censys [2]
» Online scanning engines such as VirusTotal [3]
» Business solicitation portals such as VendorLink [4]
» Usernames and passwords in public repositories dumped by adversaries or stored in GitHub
» Using tools like the OSINT Framework [5]

[1] https://www.shodan.io/
[2] https://censys.io/
[3] https://virustotal.com/
[4] https://www.myvendorlink.com/common/default.aspx
[5] https://osintframework.com/

KEY INFORMATION TYPES

Adversaries may seek multiple types of information in an attempt to conduct reconnaissance on a target and create a plan of attack. Identifying this information and educating company personnel on the potential risks of public exposure can enable defenders to proactively assess or remove potential information that can be weaponized.

The following definitions can help identify relevant and potentially exploitable information, based on the United States (U.S.) Department of Defense CARVER matrix, and assist in establishing risk language used in the OSINT framework. [6]

Personal/Personnel Information: Allows for identification of critical personnel, general personnel, or outside source personnel (e.g. contractors, third-party operators).

Example: LinkedIn profiles or construction contractors building a new facility for the target.

Criticality Information: Informs an adversary of the impact of an attack for a target’s continued operations. A target’s criticality is determined if its compromise or destruction has a highly significant impact in the overall organization and its ability to conduct business or operations.

Example: “Crown Jewels” [7] of operations, like safety controllers in oil and gas operations or data historians in manufacturing.

Accessibility Information: Informs the adversary of the ability or method to remotely/physically access or egress from a target.

Example: Remote Desktop Protocol (RDP) exposed to the internet.

Recoverability Information: Gives an adversary insight into the ability for a target’s process, system, or network infrastructure to recover from an attack or compromise.

Example: Information about electric utility service restoration in the event of a disruptive event.

Vulnerability Information: Informs an adversary of a vulnerability that exists in the target’s infrastructure, processes, or response actions.

Example: An unpatched vulnerability affecting Virtual Private Network (VPN) appliances that enables initial access.

Effect Information: Information about the amount of direct or indirect loss a target would have from an attack or compromise. Information on the effects that losses would have on the target, its organization, processes, or operations.

Example: Physical effects of a disruptive cyberattack targeting a Safety Instrumented System (SIS); financial losses accrued from multiple days of downtime.

Recognizability Information: Assists adversaries in the ease of identifying targets for operational gain and the level of obscurity that the target has from internal and external sources.

Example: MAC address of target workstation within the ICS.

[6] https://en.wikipedia.org/wiki/CARVER_matrix
[7] https://dragos.com/blog/industry-news/combating-cyber-attacks-with-consequence-driven-ics-cybersecurity/

TARGETING ICS

When mapped to the ICS Cyber Kill Chain, [8] OSINT largely represents Stage 1 reconnaissance activity that can support Stage 2 objectives. It can be used to identify potential vulnerabilities, identify detections, implement persistence mechanisms, or reduce the time required to achieve objectives and avoid detection. Details on equipment, vendors, and processes can be used for later malware or malicious tool development.

Adversaries target industrial entities for a variety of reasons. Attacks on ICS entities that serve critical functions within society can be used to further political, economic, or national security goals. Depending on an adversary’s objective, attacks can be used for messaging purposes or retaliation. The potential impact may extend to citizens of a target’s community. Understanding critical infrastructure can put an adversary at a tactical advantage in times of conflict to establish a foothold as a contingency option when conflict occurs.

Targeting ICS can provide monetary value to an adversary. ICS entities increasingly experience ransomware attacks that, in many cases, disrupt operations. [9] For some companies, disrupting operations can have significant daily financial impacts, costing thousands and sometimes millions of dollars in downtime. In these cases, an operator may be more willing to pay a ransom to unlock computers and limit downtime, especially if proper backups are not maintained. For example, in July 2020, wearables manufacturer and Global Positioning System (GPS) service provider Garmin experienced a ransomware attack and opted to pay an undisclosed ransom to get its operations back online. [10]

ICS environments may also be more insecure than traditional enterprise systems, especially for entities with immature cybersecurity postures. This can be due to legacy operating systems in use across various environments and inadequate segmentation. It is not uncommon to observe outdated Windows operating systems, such as Windows XP or Windows 7, within ICS due to interoperability of some ICS devices and limitations on patch management. ICS systems are fundamentally complex, and security mechanisms like patching are conducted based on weighing the risk of compromise against the outcome of a potential cyberattack. Practicing defense in depth, including conducting OSINT risk assessments to strengthen external security postures and limiting the ability for adversaries to operationalize public information, can prevent initial access and movement within an operational environment.

[8] https://www.sans.org/reading-room/whitepapers/ICS/industrial-control-system-cyber-kill-chain-36297
[9] https://dragos.com/blog/industry-news/assessment-of-ransomware-event-at-u-s-pipeline-operator/
[10] https://www.bleepingcomputer.com/news/security/confirmed-garmin-received-decryptor-for-wastedlocker-ransomware/

DEVELOPING AN OSINT SECURITY ASSESSMENT

By identifying and prioritizing data that could be used in OSINT collection, defenders can establish methods to reduce the availability of potentially high-risk company and user data and limit the information an adversary can use in a potential attack.

Scope the Scenarios

Defenders should begin by scoping multiple scenarios and potential for attacks. These can be identified from examples of known cyberattacks, results of tabletop exercises and red team activities, and scenarios developed by internal security teams. The goal of this step is to identify the type of adversary or attack that defenders try to prevent.

Dragos advises leveraging consequence-driven security assessments to identify adversary objectives and how to combat them. The Dragos Crown Jewel Analysis model of consequence-driven ICS cybersecurity scoping helps defenders visualize how an adversary would access the system to achieve a specific consequence. [11] By identifying assets within the system and the functional outputs and dependencies, the level of exposure, and interaction between each network layer, organizations can visualize how an adversary may achieve a specific consequence by targeting different elements within the system.

Collaborate Across the Company

It is important that OSINT assessments leverage experience and data across multiple teams. Security operators and network technicians from Information Technology (IT), incident responders and forensic specialists, security operators and engineers from ICS environments, and physical security specialists should be consulted while conducting the assessment. These individuals can provide insight on the value of information from an adversary perspective and how OSINT can enable potential attack scenarios. Additionally, business units including human resources and legal should also be consulted to identify publicly available information and the requirements or policy functions the information serves.

Detail the System and Network

A detailed map of the network should be developed and maintained to visually describe where information is hosted, stored, and maintained via system diagrams, flow charts, or network maps. The map should also detail context of the information hosted. For example, when evaluating a web portal that hosts contractor information and third-party network access, the content of the information hosted should be as detailed as the technical specifications of the actual hosting server. The quality and quantity of useful data should be noted and assessed if additional intelligence can be generated from it in aggregate.

Identify Sources and Collect Information

Source identification is an important step in the collection process. Defenders can use the resources described above to find relevant, publicly available information. However, sources will vary for individual companies. Asset owners and operators should also consider information exposed by third-party entities that could be used in reconnaissance operations. For example, a vendor may publish case studies or press releases describing how customers implement specific products or services within their operations environment, which could provide adversary insight into what technologies are used in a target environment.

Information collection should focus on publicly available information that could be used to facilitate reconnaissance or attack development. This includes information about vendors and partners; documents, schematics, and data sheets; job advertisements; information about system operations and recovery processes; geographic data like maps detailing plant locations; ports and services identified via Shodan; and credentials in public dumps. Security teams should also identify gaps in security architecture, like remote login portals that lack strong passwords and multi-factor authentication including RDP and VPN services.

[11] https://dragos.com/wp-content/uploads/ConsequenceDrivenICSCybersecurityScoping_Dragos.pdf


Conduct Analysis and Risk Assessment


Once data is collected, users should determine how an adversary may operationalize data to achieve objectives outlined in
potential attack scenarios. Data should be assigned severity scores on the risk that data poses to the organization, based on the
matrix in Figure 1. For example, information that could facilitate initial access and is easily accessible to the adversary should be
assigned a higher score compared to information that does not enable an adversary to fulfill an attack objective and is difficult
to obtain.

Example: A piece of information (e.g. error logs, system headers, etc.) describes a server running a vulnerable piece
of software, but it is unknown how or if the adversary uses the information. The information is highly accessible
and recognizable, and likely easy for the adversary to use. In combination with other collection by an adversary,
this software vulnerability information has a higher score than just the individual piece of information.

OSINT Collection and Risk Scoring Matrix


To enable asset owners and operators to better understand the risk that openly collected information poses to an organization,
Dragos developed the OSINT Collection and Risk Scoring Matrix. With this matrix, users can quickly apply scores to identified
information and the risk of an adversary operationalizing it against them.

The data is rated from one to three and by color, including green, orange, and red. The higher the number, the greater the value
of the OSINT to an adversary. Green indicates a low value item and red indicates a high value item. The colors help an analyst
determine how to quickly prioritize remediation and defense. This is explained in the Priorities of Defense and Mitigation section
below.

| OSINT Collection Risk and Vulnerability Matrix | Information is of Low Relevance/Importance for Intelligence Collection | Information is of Medium Relevance/Importance for Intelligence Collection | Information is of High Relevance/Importance for Intelligence Collection |
|---|---|---|---|
| Adversary utilization requires little to no analytical effort for operational integration | 2 | 3 | 3 |
| Adversary utilization requires moderate to specialized analytical effort for operational integration | 1 | 2 | 3 |
| Adversary utilization requires highly technical analytical effort for operational integration | 1 | 2 | 2 |

Figure 1: OSINT Collection and Risk Scoring Matrix

Example: An OSINT assessment identified a document containing engineering diagrams of an oil production
facility. The document included device type and implementation information of safety systems and integration of
Enterprise Resource Planning (ERP) software. This document was found in a vendor Request for Proposal (RFP)
repository.

This document is scored as a 3 and is of high value and relevance to an adversary interested in infiltrating or disrupting operations. It requires specialized analytical effort for intelligence value for an adversary. This means to use information from this document, an adversary must establish knowledge of the ICS environment, devices, and software used.

Example: An OSINT assessment of 10-K financial filings identified an automotive manufacturing organization working with Accounting Firm X to facilitate the acquisition of an additive manufacturing startup. A LinkedIn search identified the name of the accountant at Accounting Firm X likely working on this acquisition.

This information is scored a 2. The adversary requires moderate analytical effort to operationalize this data, and it would be straightforward to create phishing lures based on the information identified. The adversary requires additional access, like to the accountant’s email directly, to launch a likely successful phishing attack. This information is also of low importance for intelligence collection because it is only tangentially related to the target organization.

Priorities of Defense and Mitigation

As information is assessed and scores assigned, defenders can leverage the Priorities of Defense and Mitigation (PODAM) table to visualize how collected data could be operationalized, the value of the information, and if protections and mitigations are in place to address the potential risk.

The PODAM table used to assess OSINT collection contains multiple examples and potential use cases for operationalizing OSINT including target identification, exploitation, infrastructure development, delivery, capabilities development, and actions on the objective. The importance of each piece of information is designated by color, like Figure 1 above. Different characters represent the ability for an entity to mitigate the potential risk, and if risk mitigation is an issue of policy or prioritization.

The table is an example of how an analyst can determine the priorities of defense and mitigation based on open source data collected. The legend icons represent requirements and the ability for the company to implement defensive measures to prevent exploitation of the data, what actions should take priority, if a network policy configuration is required to fix, and if data came from threat intelligence reporting. The colors represent the value of the intelligence gathered to adversary operations.

Example: An analyst collects three different types of information: the location of facilities, names and emails of engineers, and vendor names and contract information of companies they work with. An adversary uses this information in different ways for targeting, exploitation, and infrastructure development operations. An analyst must identify how it may be used, the importance of the data based on the Risk Scoring Matrix above, and if the organization has adequate visibility, defensive measures, and security policies in place to prevent exploitation of the information. The analyst completes the table as provided in the example below.

Analyst Note: A full list of definitions detailing the data types and how information can be used is available in the appendix. An empty PODAM worksheet is also provided in the appendix for use in security operations.


Table 1: Sample Adversary OSINT Collection PODAM

By using this table, an analyst can determine the highest priority items to address. In this case it is publicly available vendor names and contracts. The following are recommended steps
for remediation plans to begin addressing the issues:

• Remove sensitive information from public sources where applicable.

• Conduct an assessment of third-party and vendor integrations within the operations environment.

• Ensure third-party connections are properly secure with access restrictions, Multi-Factor Authentication (MFA), segmentation, and defense in depth measures.

• Work with vendors and contractors to identify and acknowledge maintenance and related operations in advance to determine schedules and baseline legitimate activity.

OSINT Collection Mitigation and Vulnerability Remediation

Once defense and mitigation priorities are established, users should identify corrective actions to prevent or lower the risk of adversaries exploiting vulnerabilities or operationalizing information identified in the previous stages of the assessment. These can include issuing patches to vulnerable hardware and applications, removing sensitive data from public websites or databases, implementing MFA to access documentation on cloud storage systems, and changing default passwords on devices within the ICS.

Users should conduct this section of the assessment in two parts: one for hardware and physical systems and the other for software and user policies. Each assessment should include a description of the vulnerability or issue identified, how the company can correct it, and the resources required to do so. The assessment should include any potential obstacles that prevent the company from implementing the recommended fixes.

To illustrate the potential risk the vulnerabilities or information pose to an organization, defenders are encouraged to leverage threat intelligence reporting that provides examples of adversaries operationalizing identified issues and consequences of activities.

Regardless of the issues identified, all mitigation efforts should include defense in depth approaches to prevent a single point of failure within the system or network. Visibility of assets is crucial to implement effective defense in depth approaches to establish barriers to entry, secure or restrict communications between assets, and identify anomalous behaviors. This requires a complete view of an organization’s assets.

Taking Action

Based on the information gathered and the assessed risk to the organization, users should implement remediation plans that focus on the most critical to least critical information for adversary operationalization. Plans should be documented and include realistic timelines required to address issues and identify the entity responsible for addressing, removing, or correcting information and vulnerabilities.

Once an assessment is completed, the results should be shared across teams. This includes entities like human resources, who may need to alter job descriptions based on feedback, and public policy teams, who regularly share publicly accessible data with regulators, municipal, state, and federal agencies.
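
A small findings register that applies the Figure 1 matrix and the remediation-plan requirements described under Taking Action (ordering from most to least critical, with an owner and a timeline for each item). This is an added example, not Dragos code; the CSV layout, field names, sample rows and their ratings, and the tie-break rule are assumptions made for illustration.

```python
import csv
import io
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Figure 1: rows are the analytical effort the adversary needs,
# columns are relevance/importance for intelligence collection.
MATRIX = {
    "little":   {"low": 2, "medium": 3, "high": 3},
    "moderate": {"low": 1, "medium": 2, "high": 3},
    "high":     {"low": 1, "medium": 2, "high": 2},
}
COLOR = {1: "green", 2: "orange", 3: "red"}
# Assumption: among equal scores, items needing less adversary effort come first.
EFFORT_RANK = {"little": 0, "moderate": 1, "high": 2}
# The seven information types defined under Key Information Types.
INFO_TYPES = {"personnel", "criticality", "accessibility", "recoverability",
              "vulnerability", "effect", "recognizability"}

# Constructed sample register; the ratings, owners and dates are illustrative.
SAMPLE_REGISTER = """\
id,description,info_type,effort,relevance,owner,due
F1,Engineering diagrams in vendor RFP repository,criticality,moderate,high,ICS engineering,2021-03-31
F2,RDP exposed to the internet,accessibility,little,high,,
F3,Job listing naming historian product,recognizability,high,low,Human resources,2021-06-30
F4,Default password in vendor install guide,vulnerability,little,medium,IT security,
F5,Plant location on company website,Recognizability,Moderate,Low,Public policy,2021-09-30
"""


def score(effort: str, relevance: str) -> int:
    """Look up the Figure 1 score, rejecting labels the matrix does not define."""
    try:
        return MATRIX[effort][relevance]
    except KeyError as exc:
        raise ValueError(f"unknown effort/relevance label: {exc.args[0]!r}") from None


@dataclass
class Finding:
    id: str
    description: str
    info_type: str
    effort: str
    relevance: str
    owner: str
    due: Optional[date]

    @property
    def score(self) -> int:
        return score(self.effort, self.relevance)


def load_register(text: str) -> list:
    """Parse the CSV register, normalising case and validating every label."""
    findings = []
    for row in csv.DictReader(io.StringIO(text)):
        row = {k: (v or "").strip() for k, v in row.items()}
        info_type = row["info_type"].lower()
        if info_type not in INFO_TYPES:
            raise ValueError(f"{row['id']}: unknown information type {info_type!r}")
        effort, relevance = row["effort"].lower(), row["relevance"].lower()
        score(effort, relevance)  # fail at load time on a bad rating
        due = date.fromisoformat(row["due"]) if row["due"] else None
        findings.append(Finding(row["id"], row["description"], info_type,
                                effort, relevance, row["owner"], due))
    return findings


def prioritize(findings: list) -> list:
    """Most critical first: score descending, then adversary effort, then id."""
    return sorted(findings, key=lambda f: (-f.score, EFFORT_RANK[f.effort], f.id))


def plan_gaps(finding: Finding) -> list:
    """A documented plan needs a responsible entity and a timeline."""
    gaps = []
    if not finding.owner:
        gaps.append("no owner")
    if finding.due is None:
        gaps.append("no due date")
    return gaps


def report(findings: list) -> list:
    lines = []
    for rank, f in enumerate(prioritize(findings), 1):
        gaps = ", ".join(plan_gaps(f)) or "plan complete"
        lines.append(f"{rank}. [{f.score} {COLOR[f.score]}] {f.id} "
                     f"{f.description} ({f.info_type}): {gaps}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(load_register(SAMPLE_REGISTER))))
```

Red items with plan gaps, such as the exposed RDP row in the sample, are the ones to assign first.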

CONCLUSION

Conducting regular OSINT collection risk assessments as part of quarterly or bi-annually scheduled cybersecurity reviews can improve an organization’s defense against adversary operationalization of publicly available information and exploitation of known vulnerabilities. By following the framework introduced above, defenders can better identify potential risk to an organization, understand the risk of publicly exposed data, and create mitigation strategies that effectively reduce risk.

TO LEARN MORE ABOUT DRAGOS AND OUR TECHNOLOGY, SERVICES, AND THREAT INTELLIGENCE FOR THE INDUSTRIAL COMMUNITY, PLEASE VISIT WWW.DRAGOS.COM.

THANK YOU

APPENDIX

Definitions

The following definitions describe the various types of information associated with the PODAM.

Personnel - Individual people who have an OSINT footprint. This can help an adversary identify targets that could be a likely source for access and exploitation.

Technology - Information about specific technology that is present in the defended environment. This information can come from personnel profiles, job listings, or fingerprinting by the adversary.

Organizational - Information about the organization’s physical location, partnerships, business details, etc. that can be used to develop targeting.

Vulnerability - A vulnerability existing in a business or operational process that informs an adversary for a likely avenue of exploitation.

Social Engineering - A method used to trick a user to activate or download a delivered capability, or to provide information to the adversary as a trusted party.

Supply Chain - An entity or entities that enable the production or operation of a business process. It acts as an avenue into a victim environment via trusted channels or connections.

Domain Spoof - A tactic of establishing infrastructure that mimics or closely matches a trusted domain or entity infrastructure. This can be used for delivery, command and control, or for social engineering.

Legitimate Compromise - A tactic adversaries use to gain access to an intended victim by exploiting trust or the legitimate nature of another domain or organization. This is most often observed as a command and control point for interaction with a victim, avoiding the necessity of establishing and maintaining adversary created infrastructure.

Vendor Supply Chain - This informs an adversary of potential targets for legitimate compromises, crafting spoofing domains, supply chain compromise, or for information on trusted party relationships involved with business operations that can enable phishing opportunities.

Establishment - An adversary’s operational process of creating infrastructure, developing and testing capabilities, and performing the initial planning stages for reconnaissance and targeting.

Staging - An adversary’s operational process of preparing infrastructure and capabilities to act in unison for use in delivery, exploitation, or command and control functions. Staging can also be initiated when a part of infrastructure is transferred from inactive to active hosting.

Phishing - An adversary can use a combination of either adversary controlled or legitimate compromised infrastructure and phishing themes to lure victims into a false sense of security and evade scrutiny. This can often lead to having victims visit watering holes, avoiding immediate detection by security operations or technologies, and creating a trust relationship with the adversary sender.

Watering Hole - An adversary-controlled or legitimate but compromised domain that the adversary uses to lure victims to gather information, deliver capabilities, or collect credentials for legitimate access.

Downloader/Dropper - A capability that enables the delivery of additional capabilities without need of victim interaction.

Credential Capture - A method an adversary uses to collect legitimate credentials that enables access to targeted victim.

Legitimate Access - A method in which an adversary uses captured credentials, harvested credentials from OSINT information, or brute force authentication to achieve access as a trusted, legitimate user. This also occurs when an adversary is able to create user personas in a victim environment to allow for persistent access without relying on backdoors or other capabilities that enable illegitimate access.

Authentication Bypass - This technique involves finding infrastructure that allows for access behind an authentication control, but a vulnerability exists in either the technology or organizational process for access approval, or a valid user account was compromised to let an adversary bypass this authentication gate.

Research and Development - A business function that generates new information of value for an adversary or that contains intellectual property that is either not publicly available or patented.

Automation - A process that follows specific steps without manual or user interaction.

Evasion - A capability design, tactic, or technique taken by an adversary for avoiding detection by security infrastructure, technology, or defender manipulation.

Obfuscation - A capability design, tactic, or technique taken by an adversary to avoid scrutiny.

Installation - The process in which an adversary is able to load a capability into a victim environment and gain successful execution of the capability to allow for further access or continued interaction operations.

Environment Awareness - The ability for an adversary to determine where in the victim network they are located, identifying infrastructure for pivoting or information that better enables capability selection in compromise operations.

Weaponization - The activity performed by an adversary to take a vulnerability or benign software or documents and turn it into an operational capability that can lead to satisfying adversary intent.

Interactive Operations - The activity wherein the actor accesses the victim environment through manual means or performing offensive tasks without automation or the use of capabilities to achieve information collection, reconnaissance, persistence, or exfiltration.

Command and Control - The channels an adversary uses to direct its operations, enabling bi-directional communication of information.

Persistence - The method of maintaining access and command and control within a victim environment.

Maneuver - The method used to move within a victim environment.

Cyber Key Terrain - Infrastructure, processes (either business, technical, or personnel) or technology that is essential to the operational integrity, confidentiality, and availability of a network.

Defense Capability Gap - A gap in organizational structure, network architecture, cybersecurity, or user policies that would be required for defense against adversary exploitation.

Missing Dependency - A security feature or mechanism that enables a core security function but is not present within the environment.

Requires Implementation - A security feature or mechanism that is present within an organization, but is not yet implemented, and is required for defense against adversary exploitation.

Intelligence Data - Information gleaned from threat intelligence data, either from a third-party or an organization’s internal threat intelligence team.

Policy Issue - An item that requires a change in organizational or user policy to address.
