Brianne Fahey

osint

I Think, Therefore I Am An Analyst

April 6, 2018 by Brianne

There are a lot of tools to learn in the cybersecurity trade. There are a lot of sources willing to teach you about those tools.  There are not many people interested in teaching you how to think like an analyst.

I just finished the 3rd course in my Chris Sanders’ Applied Network Defense trilogy: Investigation Theory. Before this course, I’d taken and reviewed Chris’ Effective Information Security Writing and Practical Packet Analysis.

Investigation Theory is a course designed to help an analyst develop a mindset to investigate any type of security event or alert. The course is built to take roughly 10 weeks and you can pace yourself to finish faster or slower.  Although it is offered fully online, Chris organizes the course so that a new group starts it together every few months.  The benefit of this is that not only do you have the ability to interact with the instructor Chris Sanders in the online course board, you also have the opportunity to post thoughts to and respond to questions from other students.  I definitely took something away from reading other students’ answers to Chris’s posted questions at the end of many lectures.

In addition to lectures, the course includes student community discussion, recommended reading, bonus lectures, and interactive investigation labs.

Nothing helps ideas stick better than hands-on practice.

The labs were challenging. I had to try most of them several times before I submitted the correct answer.  But I learned ideas of questions to ask and places to look for leads to those answers.

One of my favorite sections in the Investigation Theory course was built around explaining the value provided by different types of analysis data. It focused on the likely available sources in an investigation like packet captures, netflow data, IDS alerts, OSINT, and an armful of different log types. The lecture described the pros and cons of the source and highlighted opportunities to aggregate and pivot on data attributes provided.

I’m proud to have finished this course.  I would recommend it.  It is less technically specific than Practical Packet Analysis, but it is full of insights that will work for a security analyst no matter what tools and tactics you have experienced.

You can find a course description, pricing, and registration information at the Applied Network Defense site.


Reputation by Site

March 10, 2018 by Brianne

Websites can get a reputation from the material they contain, the company they feature or attract, as well as from the internet reputation machines that scan and crawl them. My hypothesis is that if I can do some legwork to positively impact the machines and databases of the internet, it will help buy goodwill and trust that helps bridge into a more positive personal reputation.

What do the internet respectability engines think about BrianneFahey.com?

I like to come to a conclusion from an aggregate of data, so let’s check a few different options and put together a story of my website’s reputation. Two of the common sources of website safety information are included in the anti-virus and computer protection packages from McAfee and Symantec/Norton.  Having one of these programs installed allows you to see some immediate feedback when you search for a website before you go to that site. It’s like looking through the peephole before deciding whether to open the door.

I would definitely be more comfortable visiting a site with a green check mark than a grey question mark or that evil red x. I installed the browser extension for both McAfee WebAdvisor and Norton Safe Search and navigated to BrianneFahey.com.  Both plugins are greyed out, and when I mouse over them, they indeed say they are registering no reputation feedback. I’m relieved to not have to overcome any negative reputation marks, but to get to green we need to fill in this blank slate with facts.

The good news is that my reputation is mine to influence at this point.

Web crawlers can use the information posted on the site including text and images and other files to rank you, but they are not sentient so they may not be able to determine the intent of your site.  It’s up to you to convince them that you have good intent and wish no harm on the people of the internet and you deserve a green check mark. My plan to establish a good reputation involves visiting the machines that are generating, collecting, and providing this information to make sure they are understanding my intent.

Review and Correct the Reputation and Categorization

Internet filters and proxies can rely on website categorization to determine which blocks of URLs to allow and which blocks to deny. You can review what the engines have categorized your site as and suggest a more appropriate category.  If you start a small business and create a quick website – you need to be aware of whether entire enterprises are being blocked from viewing your website inside their corporate network because it is misclassified as Gambling or Adult/Mature Content or worse. There is some risk in being unclassified as well because some filters might be set to default block unclassified or very new sites to protect themselves from domain generation algorithms (DGAs) that spin up and disappear within weeks to facilitate phishing attacks. You’re going to want to review the available categories and their definitions to make the most appropriate choice as any petitions to recategorize a site will be reviewed before they are accepted.

  • Symantec Norton SafeWeb
    • I registered as the owner of my site and Norton sent me an email with a method to validate.
  • Symantec BlueCoat Web Pulse
    • BrianneFahey.com was initially categorized as “Search Engines/Portals”.  I submitted a request to have it classified as “Personal Sites” and “Computer/Information Security”.
  • WebSense ForcePoint
    • BrianneFahey.com was initially uncategorized. I submitted a request to have it classified as “Societies and Lifestyles: Blogs and Personal Sites”
  • Trend Micro Site Safety Center
    • BrianneFahey.com was initially categorized as “Untested” and “Newly Observed Domain”. I requested the site be retested and submitted that it be classified as “Personal Sites” and “Computers/Internet”.

Check the Pulse

Websites change and reputations evolve.  It’s a good idea to regularly check in on your site’s ratings and feedback. A simple way to generically have the web checked for you is to set up Google Alerts for your domain and name.

Beyond the sites and tools mentioned above, here are a few other open sources of intelligence (OSINT) tracking website reputation and safety.

Website Name Potential Feedback
URL Void
Virus Total
Google Safe Browsing
RiskIQ Passive Total

Good luck protecting your web domain’s reputation!

I like to go through an exercise of putting thoughts into a visual model that makes sense while I’m working through something.  Time does not always allow (and alert queues are not always forgiving) but it leaves me with clarity and the easier ability to repeat a procedure if needed.  I’m utilizing a 30-day free trial of Mindjet MindManager 2018.  It is fantastic, but pricey for individual home use so I’ll evaluate my needs and priorities and I will miss it when it’s gone.  I made use of MindManager by assembling a visual procedure to summarize the steps described in this post.


EXIF Interview

January 28, 2018 by Brianne

I realized what I did immediately.

Upon publishing my previous blog entry and viewing the refreshed page in my browser, one of my plug-ins alerted me to a personal operational security (OPSEC) lapse. I took that picture of my visual training map on my phone and did not bother to check the image for any personal or descriptive information before posting it.

Blog Image with Browser EXIF Viewer

What is my EXIF Telling the World?

I have an EXIF viewer plug-in installed in my browser which shows me available EXIF data for any image I mouse over.  EXIF stands for exchangeable image file format (per the Wikipedia article) and is basically an image standard for digital cameras. EXIF data attached to a digital photo can include quite a lot of information about the camera settings, date and time, and image attributes.

To find out more about the EXIF in my image, I needed to dig into some Open Source Intelligence (OSINT).  I utilized the fantastic OSINT Framework site.

OSINTFramework.com for Research

The OSINT Framework led me to Jeffrey’s Image Metadata Viewer. I entered the URL for the image on my site and took a look at the results.  The results are detailed, and not particularly overwhelming except for the details about the camera itself.

Jeffrey Image Viewer Results

Hiding in Plain Sight

The EXIF data clearly shows that my camera is a Samsung, which you can extrapolate is likely a mobile phone.  In fact, if you look up the model and software on Google, it will tell you exactly which model of phone I am using and which version of firmware is installed. This might not seem like much, but if someone was looking to target me, they could certainly customize their exploit to take advantage of something I have exposed that I use.

So What’s the Learning Opportunity?

You can’t remove all EXIF metadata from images, but you certainly can clean up some of it.  Right click on the image file on your computer and go to the properties menu, then look at the details.

  • See the listing of the data embedded in the image file.
  • Select the link to “Remove Properties and Personal Information”.

Right Click Image to Cleanup EXIF Data

I cleaned up the camera model and software from my file and replaced the initial image in my blog post.

People Are Very Creative

One of the reasons I am aware of EXIF data is because of an online project called Stolen Camera Finder. This site uses uploaded images to create a database of EXIF attributes and then crawls the web to match images taken to the EXIF data.  Let’s say you leave your camera on vacation in Key West, someone picks it up, uses it to take some photos of their friends, and posts them with a location tag to Instagram. When you upload the image EXIF from a photo on your computer taken with your camera, Stolen Camera Finder crawls Instagram and attempts to match the EXIF data.  In some cases, the match can yield location data as well.

Stolen Camera Finder Map

Everyone knows that once information is available online, it can and will be used.  I believe there is good in the world and that data can be used to do positive things – like helping people reunite with a lost camera.  It doesn’t take much for someone to use the same information for nefarious purposes though.

Think Before You Click

The oldest advice is the best advice.  This was an excellent reminder for me to be careful with my personal operational security.  For some reminders on ways to protect your online presence, visit the National Cyber Security Alliance’s Stay Safe Online website.


Research

Whitepaper in the SANS Reading Room:
Defending with Graphs: Create a Graph Data Map to Visualize Pivot Paths

© 2025 · P. Brianne Fahey, Cyber Threat Analyst