1
00:00:00,120 --> 00:00:01,140
Presenter: One of the best sources
2
00:00:01,140 --> 00:00:04,740
of open source intelligence these days is social media.
3
00:00:04,740 --> 00:00:06,120
Many people tend to let their guard
4
00:00:06,120 --> 00:00:08,130
down when they're posting on social media
5
00:00:08,130 --> 00:00:11,396
whether it's Twitter, Facebook, LinkedIn, YouTube,
6
00:00:11,396 --> 00:00:14,460
Instagram, Reddit, or even TikTok.
7
00:00:14,460 --> 00:00:16,260
By analyzing what the organization
8
00:00:16,260 --> 00:00:18,660
or its employees are posting on social media,
9
00:00:18,660 --> 00:00:19,830
you're gonna be able to find a lot
10
00:00:19,830 --> 00:00:22,890
of information that can really help in your engagements.
11
00:00:22,890 --> 00:00:25,650
When you're using social media to search for information,
12
00:00:25,650 --> 00:00:26,483
you should start
13
00:00:26,483 --> 00:00:28,920
with the organization's own social media profiles
14
00:00:28,920 --> 00:00:30,300
and their accounts.
15
00:00:30,300 --> 00:00:32,880
The organization is usually gonna post marketing information
16
00:00:32,880 --> 00:00:34,680
on their social media profiles,
17
00:00:34,680 --> 00:00:37,380
but often companies are now providing some sort of
18
00:00:37,380 --> 00:00:40,050
behind the scenes type of pictures and videos.
19
00:00:40,050 --> 00:00:42,480
These more candid posts can often capture things
20
00:00:42,480 --> 00:00:44,520
in the background that the organization didn't realize
21
00:00:44,520 --> 00:00:46,290
was there when they recorded that video
22
00:00:46,290 --> 00:00:47,790
or took that picture.
23
00:00:47,790 --> 00:00:50,220
For example, I've seen an organization who had one
24
00:00:50,220 --> 00:00:51,930
of their employees making a post
25
00:00:51,930 --> 00:00:53,640
to their Instagram account showing
26
00:00:53,640 --> 00:00:55,230
what an average day looked like,
27
00:00:55,230 --> 00:00:56,520
and when the employee snapped
28
00:00:56,520 --> 00:00:58,740
that picture with their front facing camera,
29
00:00:58,740 --> 00:01:00,510
they didn't realize that people could actually read
30
00:01:00,510 --> 00:01:02,850
the computer screen that was located behind them.
31
00:01:02,850 --> 00:01:04,530
By zooming in on that picture,
32
00:01:04,530 --> 00:01:05,970
people were able to read the contents
33
00:01:05,970 --> 00:01:08,430
of a sensitive corporate document that was being drafted
34
00:01:08,430 --> 00:01:11,220
by the employee at the desk next to the poster.
35
00:01:11,220 --> 00:01:14,310
These days, it seems that everybody is on social media
36
00:01:14,310 --> 00:01:15,930
and that means you can scour
37
00:01:15,930 --> 00:01:18,030
and scrape social media sites for details
38
00:01:18,030 --> 00:01:20,790
about an organization's employees from the CEO,
39
00:01:20,790 --> 00:01:22,320
all the way down to the person working
40
00:01:22,320 --> 00:01:24,270
in the proverbial mail room.
41
00:01:24,270 --> 00:01:25,710
Now, some employees are gonna have
42
00:01:25,710 --> 00:01:27,810
multiple social media accounts as well,
43
00:01:27,810 --> 00:01:29,460
and this is to divide their professional
44
00:01:29,460 --> 00:01:32,160
or work accounts from their personal account.
45
00:01:32,160 --> 00:01:34,530
For example, all of my employees have
46
00:01:34,530 --> 00:01:37,440
a personal Facebook account and a work Facebook account,
47
00:01:37,440 --> 00:01:38,940
and they're gonna use that work account
48
00:01:38,940 --> 00:01:41,040
whenever they're posting on behalf of our company,
49
00:01:41,040 --> 00:01:42,420
while their personal one is used
50
00:01:42,420 --> 00:01:44,640
for everything else they do on Facebook.
51
00:01:44,640 --> 00:01:46,920
Now, that means that most employees will be proper
52
00:01:46,920 --> 00:01:48,870
and professional on their work accounts,
53
00:01:48,870 --> 00:01:50,670
but if you find their personal account,
54
00:01:50,670 --> 00:01:52,020
you can find the real person
55
00:01:52,020 --> 00:01:55,320
behind that employee, including their interests, habits,
56
00:01:55,320 --> 00:01:59,700
behaviors, friends, spouses, children, and much more.
57
00:01:59,700 --> 00:02:02,160
Now, some employees even publish their own personally
58
00:02:02,160 --> 00:02:03,930
identifiable information online,
59
00:02:03,930 --> 00:02:05,730
including things like their full name,
60
00:02:05,730 --> 00:02:08,460
their birthdate, their address their phone number,
61
00:02:08,460 --> 00:02:09,660
and much more.
62
00:02:09,660 --> 00:02:12,570
When it comes to social media sites, my personal favorite
63
00:02:12,570 --> 00:02:15,630
for open source intelligence research is LinkedIn.
64
00:02:15,630 --> 00:02:17,400
And this is because I can find out so much
65
00:02:17,400 --> 00:02:20,610
about an organization by reviewing their pages there.
66
00:02:20,610 --> 00:02:24,030
First, you can find the company's own page on LinkedIn.
67
00:02:24,030 --> 00:02:25,680
Let's take for example Udemy,
68
00:02:25,680 --> 00:02:28,380
the massively popular e-learning company.
69
00:02:28,380 --> 00:02:29,580
From their LinkedIn page,
70
00:02:29,580 --> 00:02:33,930
I can see they have 5,562 people who have claimed a relationship
71
00:02:33,930 --> 00:02:35,730
with Udemy on LinkedIn.
72
00:02:35,730 --> 00:02:38,760
Now, if I go to the post tab, I'm gonna find a lot
73
00:02:38,760 --> 00:02:41,820
of marketing things and press releases and things like that.
74
00:02:41,820 --> 00:02:43,290
Now, this could be helpful,
75
00:02:43,290 --> 00:02:45,120
but usually it isn't really what I'm focused
76
00:02:45,120 --> 00:02:45,953
on when I'm looking
77
00:02:45,953 --> 00:02:48,150
at LinkedIn for open-source intelligence.
78
00:02:48,150 --> 00:02:50,810
Instead, I like to focus on the insights tab,
79
00:02:50,810 --> 00:02:54,570
the life tab, the people tab, and the jobs tab.
80
00:02:54,570 --> 00:02:57,270
First, let's look at the insights tab.
81
00:02:57,270 --> 00:03:00,480
Under this tab, we can see some key data about the company
82
00:03:00,480 --> 00:03:03,000
including its total number of employees and the growth
83
00:03:03,000 --> 00:03:05,700
of that employee number over the past two years.
84
00:03:05,700 --> 00:03:07,080
Now, in this case, I can see
85
00:03:07,080 --> 00:03:10,620
in the last two years that the company has grown 62%,
86
00:03:10,620 --> 00:03:13,830
but in the last six months, they've only grown 5%.
87
00:03:13,830 --> 00:03:16,470
Now, why is that important to understand?
88
00:03:16,470 --> 00:03:19,050
Well, if the company is rapidly growing
89
00:03:19,050 --> 00:03:21,390
that's usually a time when they have worse security,
90
00:03:21,390 --> 00:03:22,590
especially, due to the number
91
00:03:22,590 --> 00:03:25,740
of new users who aren't fully or properly trained.
92
00:03:25,740 --> 00:03:28,260
Additionally, if they have a very high growth rate
93
00:03:28,260 --> 00:03:29,250
that means it's common
94
00:03:29,250 --> 00:03:31,680
that new people are joining the team all the time.
95
00:03:31,680 --> 00:03:32,790
And this could be a good chance
96
00:03:32,790 --> 00:03:35,520
for you to conduct a social engineering campaign that relies
97
00:03:35,520 --> 00:03:38,220
on impersonation where you might pretend to be a new hire
98
00:03:38,220 --> 00:03:39,420
at the company.
99
00:03:39,420 --> 00:03:41,610
As you continue to look through the insights tab,
100
00:03:41,610 --> 00:03:44,580
there's other valuable information here for you to see too.
101
00:03:44,580 --> 00:03:45,780
For example, we can look
102
00:03:45,780 --> 00:03:48,600
at the distribution of their workforce, and I can see here
103
00:03:48,600 --> 00:03:51,210
that the majority of their employees are in education
104
00:03:51,210 --> 00:03:53,760
and the next highest area is engineering.
105
00:03:53,760 --> 00:03:55,830
This could indicate that they're spending a lot of money
106
00:03:55,830 --> 00:03:58,260
on their technical employees who might be better trained
107
00:03:58,260 --> 00:04:01,290
and less likely to fall for things like a phishing attempt.
108
00:04:01,290 --> 00:04:03,570
Next, I'm gonna move on to the life tab.
109
00:04:03,570 --> 00:04:06,270
Now, this tab is used by the company to tell their own story
110
00:04:06,270 --> 00:04:08,043
about why somebody would wanna work for them
111
00:04:08,043 --> 00:04:10,080
what their culture is like, and even some
112
00:04:10,080 --> 00:04:13,050
of the employee testimonials and company photos.
113
00:04:13,050 --> 00:04:15,210
Next, I'll move over to the people tab.
114
00:04:15,210 --> 00:04:16,380
From here, I can find
115
00:04:16,380 --> 00:04:18,180
out the breakdown of where people live,
116
00:04:18,180 --> 00:04:20,610
what colleges they went to, and more importantly
117
00:04:20,610 --> 00:04:23,670
a list of the people who are currently working for Udemy.
118
00:04:23,670 --> 00:04:25,800
This can be your springboard into a deeper dive
119
00:04:25,800 --> 00:04:27,810
on an individual that you might wanna target
120
00:04:27,810 --> 00:04:29,220
as part of your engagement
121
00:04:29,220 --> 00:04:31,980
or you might try to identify their system administrators,
122
00:04:31,980 --> 00:04:34,290
their engineers, and their security professionals
123
00:04:34,290 --> 00:04:36,630
and see if they regularly post to LinkedIn.
124
00:04:36,630 --> 00:04:39,060
Now, many people in technical careers like to post
125
00:04:39,060 --> 00:04:41,670
to LinkedIn about the challenges they're facing at work,
126
00:04:41,670 --> 00:04:43,200
and if they're having a work-related project
127
00:04:43,200 --> 00:04:44,130
that's challenging
128
00:04:44,130 --> 00:04:46,530
or they overcame it, they may go ahead and post
129
00:04:46,530 --> 00:04:49,080
about that to celebrate how they overcame that challenge
130
00:04:49,080 --> 00:04:51,600
and maybe even detail the solution they used.
131
00:04:51,600 --> 00:04:52,860
This can be great information
132
00:04:52,860 --> 00:04:55,052
for a penetration tester to have, especially when it comes
133
00:04:55,052 --> 00:04:58,950
from the technical personnel of that targeted organization.
134
00:04:58,950 --> 00:05:00,642
Finally, I'm gonna move into the jobs tab
135
00:05:00,642 --> 00:05:03,240
and this is my favorite tab.
136
00:05:03,240 --> 00:05:04,800
As we look at the jobs tab,
137
00:05:04,800 --> 00:05:07,950
we can see every job posted by this organization.
138
00:05:07,950 --> 00:05:11,280
Currently, there are 307 job openings available
139
00:05:11,280 --> 00:05:12,600
and I can search through all of them
140
00:05:12,600 --> 00:05:15,390
with a few keywords to find what I'm looking for.
141
00:05:15,390 --> 00:05:17,460
For example, let's say I want to determine
142
00:05:17,460 --> 00:05:18,870
which cloud service provider
143
00:05:18,870 --> 00:05:21,690
Udemy is relying on to provide their infrastructure.
144
00:05:21,690 --> 00:05:23,029
I can simply type in the word cloud
145
00:05:23,029 --> 00:05:26,400
and see that it filters down from 307 postings
146
00:05:26,400 --> 00:05:29,730
down to a more reasonable number of 29 postings.
147
00:05:29,730 --> 00:05:32,550
Next, I wanna start clicking through some of the positions.
148
00:05:32,550 --> 00:05:36,000
The first position is listed as a senior systems engineer.
149
00:05:36,000 --> 00:05:37,800
As I look at that job description,
150
00:05:37,800 --> 00:05:39,270
I don't see anything that mentions
151
00:05:39,270 --> 00:05:42,750
whether they're using AWS, Azure or Google Cloud,
152
00:05:42,750 --> 00:05:45,870
but I do see that they're using JAMF and Intune
153
00:05:45,870 --> 00:05:47,430
for Windows OS patching
154
00:05:47,430 --> 00:05:49,200
and that they're seeking somebody who has experience
155
00:05:49,200 --> 00:05:51,510
in Mac OS X device management.
156
00:05:51,510 --> 00:05:54,570
And this tells me they're not just a Windows only company,
157
00:05:54,570 --> 00:05:56,490
so, we're gonna have to conduct some vulnerability scanning
158
00:05:56,490 --> 00:05:59,580
and exploitations against their Mac systems too.
159
00:05:59,580 --> 00:06:01,770
All right, let's move on to another position.
160
00:06:01,770 --> 00:06:02,730
Let's say, for example,
161
00:06:02,730 --> 00:06:05,130
we look at the security architect position.
162
00:06:05,130 --> 00:06:06,600
In this position description,
163
00:06:06,600 --> 00:06:08,280
I can see they're focused on programming
164
00:06:08,280 --> 00:06:11,232
and development experience, but they're not very specific
165
00:06:11,232 --> 00:06:13,680
in which single language they're using.
166
00:06:13,680 --> 00:06:16,020
Instead, they list out things like Python,
167
00:06:16,020 --> 00:06:19,830
Go, Ruby, Java, JavaScript, et cetera.
168
00:06:19,830 --> 00:06:21,540
Now, this isn't as helpful unfortunately
169
00:06:21,540 --> 00:06:22,830
because it's really too vague
170
00:06:22,830 --> 00:06:24,690
for me to know exactly what they're using
171
00:06:24,690 --> 00:06:26,370
in their system development.
172
00:06:26,370 --> 00:06:27,720
As we keep looking though,
173
00:06:27,720 --> 00:06:29,490
we're also gonna see they want experience
174
00:06:29,490 --> 00:06:31,470
with cloud service provider platforms
175
00:06:31,470 --> 00:06:35,700
such as AWS, GCP, Azure, and automation tools.
176
00:06:35,700 --> 00:06:37,950
Now, again, this is really vague as well,
177
00:06:37,950 --> 00:06:39,780
so, it's not that helpful.
178
00:06:39,780 --> 00:06:41,790
Now, there's really two reasons a company would be
179
00:06:41,790 --> 00:06:43,950
this broad on their job description.
180
00:06:43,950 --> 00:06:46,470
The first is that they are very security conscious
181
00:06:46,470 --> 00:06:47,760
and they don't wanna let attackers
182
00:06:47,760 --> 00:06:49,170
and penetration testers know
183
00:06:49,170 --> 00:06:50,880
what type of tech stack they have,
184
00:06:50,880 --> 00:06:52,590
and what all their different languages look like
185
00:06:52,590 --> 00:06:54,750
that they're using in their software development,
186
00:06:54,750 --> 00:06:55,920
and so, they're trying to prevent us
187
00:06:55,920 --> 00:06:57,360
from gaining enough information
188
00:06:57,360 --> 00:06:59,310
by looking at these job postings.
189
00:06:59,310 --> 00:07:01,380
Now, personally, I don't think that's the reason
190
00:07:01,380 --> 00:07:03,660
because most companies aren't that smart,
191
00:07:03,660 --> 00:07:06,120
and so, as we continue to look at other job postings,
192
00:07:06,120 --> 00:07:08,370
we can probably find one that tells us a little more
193
00:07:08,370 --> 00:07:10,140
about what we're looking for.
194
00:07:10,140 --> 00:07:12,390
Now, the second reason that they're gonna be this broad
195
00:07:12,390 --> 00:07:14,550
and vague, and this is probably the more accurate one
196
00:07:14,550 --> 00:07:15,810
in the case of Udemy,
197
00:07:15,810 --> 00:07:18,090
is that finding security architects and programmers
198
00:07:18,090 --> 00:07:21,600
in the San Francisco California area is really challenging.
199
00:07:21,600 --> 00:07:23,700
So, the company is probably being very open
200
00:07:23,700 --> 00:07:26,280
to anybody who has the basic skill set needed.
201
00:07:26,280 --> 00:07:28,800
Since once you learn a language like Java or Ruby,
202
00:07:28,800 --> 00:07:31,560
you can pick up another one and it's not too difficult.
203
00:07:31,560 --> 00:07:33,570
The same holds true for cloud platforms.
204
00:07:33,570 --> 00:07:35,610
Once you use AWS or Azure,
205
00:07:35,610 --> 00:07:37,710
learning the other one isn't too bad,
206
00:07:37,710 --> 00:07:38,940
and I think that's more likely
207
00:07:38,940 --> 00:07:40,680
why this post is being so vague.
208
00:07:40,680 --> 00:07:42,420
It's because of a talent crunch
209
00:07:42,420 --> 00:07:44,670
and they're having difficulty hiring for this position
210
00:07:44,670 --> 00:07:47,640
if they're very specific on what their needs actually are.
211
00:07:47,640 --> 00:07:48,510
All right, so we're gonna go ahead
212
00:07:48,510 --> 00:07:50,520
and click around until we find one that helps us.
213
00:07:50,520 --> 00:07:53,400
I'm gonna go and jump down to the senior cloud engineer.
214
00:07:53,400 --> 00:07:55,170
This is probably a good one because we're talking
215
00:07:55,170 --> 00:07:57,330
about cloud, and that was what I was looking for.
216
00:07:57,330 --> 00:07:59,400
Now, I bet here they're gonna be a little bit more specific
217
00:07:59,400 --> 00:08:01,050
in their requirements as well.
218
00:08:01,050 --> 00:08:03,570
Now, in this position, we see some generic information
219
00:08:03,570 --> 00:08:05,010
about a cloud engineer,
220
00:08:05,010 --> 00:08:07,777
and then, in the second paragraph it says,
221
00:08:07,777 --> 00:08:09,540
"Our primary environments and tools
222
00:08:09,540 --> 00:08:14,540
include AWS, GCP, VMware, Dell computer/storage,
223
00:08:14,760 --> 00:08:17,400
vSAN, Terraform, CloudFormation,
224
00:08:17,400 --> 00:08:20,970
Atlantic, Ansible, Datadog, and GitHub."
225
00:08:20,970 --> 00:08:22,050
That's a pretty good list
226
00:08:22,050 --> 00:08:24,390
of their tech stack and their different development tools
227
00:08:24,390 --> 00:08:25,680
and one of the things I noticed
228
00:08:25,680 --> 00:08:28,920
in there that wasn't listed is Microsoft Azure.
229
00:08:28,920 --> 00:08:31,620
So, we know Azure is not one of the cloud tools
230
00:08:31,620 --> 00:08:33,090
they're really focused on,
231
00:08:33,090 --> 00:08:33,923
and this tells me
232
00:08:33,923 --> 00:08:36,299
they are using a multi-cloud infrastructure though
233
00:08:36,299 --> 00:08:40,110
because I did see AWS and Google Cloud being listed.
234
00:08:40,110 --> 00:08:41,760
Now, based on my reading of that,
235
00:08:41,760 --> 00:08:44,700
it seems that they're primarily on Amazon Web Services,
236
00:08:44,700 --> 00:08:46,740
and they're using Google Cloud for a backup,
237
00:08:46,740 --> 00:08:48,810
but that's just my guess at this point.
238
00:08:48,810 --> 00:08:49,643
Now, if we look
239
00:08:49,643 --> 00:08:51,840
down a little bit further at the requirement section,
240
00:08:51,840 --> 00:08:54,210
you're gonna see that it states a good level of experience
241
00:08:54,210 --> 00:08:57,780
with AWS and cost management experience a plus.
242
00:08:57,780 --> 00:08:59,250
This confirms my suspicion
243
00:08:59,250 --> 00:09:02,130
that they're probably using AWS primarily.
244
00:09:02,130 --> 00:09:03,865
So, now that I gather this intelligence,
245
00:09:03,865 --> 00:09:05,910
what does it tell me?
246
00:09:05,910 --> 00:09:07,230
Well, I'm gonna have to think
247
00:09:07,230 --> 00:09:09,780
about how I'm gonna test things during the engagement
248
00:09:09,780 --> 00:09:11,490
and I'm gonna wanna make sure that I have someone
249
00:09:11,490 --> 00:09:14,580
on the team who's familiar with AWS penetration testing
250
00:09:14,580 --> 00:09:17,700
and we need to make sure to get AWS's permission
251
00:09:17,700 --> 00:09:19,890
before we start doing those tests.
252
00:09:19,890 --> 00:09:22,440
Also, since they're using AWS for their cloud,
253
00:09:22,440 --> 00:09:24,390
that means I can use something like Pacu,
254
00:09:24,390 --> 00:09:27,480
which is an open-source AWS exploitation framework
255
00:09:27,480 --> 00:09:31,140
during my engagement against their AWS technical stack.
256
00:09:31,140 --> 00:09:34,020
I think you can see now why I love job postings so much
257
00:09:34,020 --> 00:09:35,670
during the reconnaissance phase
258
00:09:35,670 --> 00:09:37,830
because you can find so much great information
259
00:09:37,830 --> 00:09:39,690
that's open source within them.
260
00:09:39,690 --> 00:09:41,700
This includes things like the personnel who are making
261
00:09:41,700 --> 00:09:44,940
up the departments or teams, including the hiring managers.
262
00:09:44,940 --> 00:09:46,170
You might be able to find the lack
263
00:09:46,170 --> 00:09:48,330
of qualified personnel in critical positions.
264
00:09:48,330 --> 00:09:50,700
For example, we saw this organization needs
265
00:09:50,700 --> 00:09:53,310
a new security architect and a cloud engineer,
266
00:09:53,310 --> 00:09:54,960
and that means they either lost those people
267
00:09:54,960 --> 00:09:56,400
and they're looking for replacements
268
00:09:56,400 --> 00:09:57,840
or they're growing rapidly,
269
00:09:57,840 --> 00:10:00,450
and either of those are things we can take advantage of.
270
00:10:00,450 --> 00:10:01,500
We can also find the level
271
00:10:01,500 --> 00:10:03,150
of technical capability they have.
272
00:10:03,150 --> 00:10:05,700
Again, this is based off those job postings.
273
00:10:05,700 --> 00:10:08,820
What level of education are they posting as requirements?
274
00:10:08,820 --> 00:10:09,653
We can also figure
275
00:10:09,653 --> 00:10:12,090
out what software architecture and services are used.
276
00:10:12,090 --> 00:10:14,280
We can figure out what programming languages are used.
277
00:10:14,280 --> 00:10:16,230
We can figure out the types of hardware they use.
278
00:10:16,230 --> 00:10:17,070
We can find out the types
279
00:10:17,070 --> 00:10:18,990
of security systems they've fielded.
280
00:10:18,990 --> 00:10:20,557
All of this is stuff we can find inside
281
00:10:20,557 --> 00:10:23,640
of these job postings if we just go out and look for it.
282
00:10:23,640 --> 00:10:24,750
In addition to LinkedIn,
283
00:10:24,750 --> 00:10:26,601
there's lots of other places to gather information
284
00:10:26,601 --> 00:10:28,200
about the people who work
285
00:10:28,200 --> 00:10:31,260
at that company and the positions they're hiring for.
286
00:10:31,260 --> 00:10:35,070
Sites like Monster, ZipRecruiter, Indeed, Glassdoor
287
00:10:35,070 --> 00:10:37,110
and many others are a great place
288
00:10:37,110 --> 00:10:39,210
for you to look as you're looking for more information
289
00:10:39,210 --> 00:10:40,863
on your targeted organization.