Would you like to inspect the original subtitles? These are the user uploaded subtitles that are being translated: 1 00:00:00,120 --> 00:00:01,140 Presenter: One of the best sources 2 00:00:01,140 --> 00:00:04,740 of open source intelligence these days is social media. 3 00:00:04,740 --> 00:00:06,120 Many people tend to lift their guard 4 00:00:06,120 --> 00:00:08,130 down when they're posting on social media 5 00:00:08,130 --> 00:00:11,396 whether it's Twitter, Facebook, LinkedIn, YouTube, 6 00:00:11,396 --> 00:00:14,460 Instagram, Reddit, or even TikTok. 7 00:00:14,460 --> 00:00:16,260 By analyzing what the organization 8 00:00:16,260 --> 00:00:18,660 or its employees are posting on social media, 9 00:00:18,660 --> 00:00:19,830 you're gonna be able to find a lot 10 00:00:19,830 --> 00:00:22,890 of information that can really help in your engagements. 11 00:00:22,890 --> 00:00:25,650 When you're using social media to search for information, 12 00:00:25,650 --> 00:00:26,483 you should start 13 00:00:26,483 --> 00:00:28,920 with the organization's own social media profiles 14 00:00:28,920 --> 00:00:30,300 and their accounts. 15 00:00:30,300 --> 00:00:32,880 The organization is usually gonna post marketing information 16 00:00:32,880 --> 00:00:34,680 on their social media profiles, 17 00:00:34,680 --> 00:00:37,380 but often companies are now providing some sort of 18 00:00:37,380 --> 00:00:40,050 behind the scenes type of pictures and videos. 19 00:00:40,050 --> 00:00:42,480 These more candid posts can often capture things 20 00:00:42,480 --> 00:00:44,520 in the background that the organization didn't realize 21 00:00:44,520 --> 00:00:46,290 was there when they recorded that video 22 00:00:46,290 --> 00:00:47,790 or took that picture. 23 00:00:47,790 --> 00:00:50,220 For example, I've seen an organization who had one 24 00:00:50,220 --> 00:00:51,930 of their employees making a post 25 00:00:51,930 --> 00:00:53,640 to their Instagram account showing 26 00:00:53,640 --> 00:00:55,230 what an average day looked like, 27 00:00:55,230 --> 00:00:56,520 and when the employees snapped 28 00:00:56,520 --> 00:00:58,740 that picture with their front facing camera, 29 00:00:58,740 --> 00:01:00,510 they didn't realize that people could actually read 30 00:01:00,510 --> 00:01:02,850 the computer screen that was located behind them. 31 00:01:02,850 --> 00:01:04,530 By zooming in on that picture, 32 00:01:04,530 --> 00:01:05,970 people were able to read the contents 33 00:01:05,970 --> 00:01:08,430 of a sensitive corporate document that was being drafted 34 00:01:08,430 --> 00:01:11,220 by the employee at the desk next to the posters. 35 00:01:11,220 --> 00:01:14,310 These days, it seems that everybody is on social media 36 00:01:14,310 --> 00:01:15,930 and that means you can scour 37 00:01:15,930 --> 00:01:18,030 and scrape social media sites for details 38 00:01:18,030 --> 00:01:20,790 about an organization's employees from the CEO, 39 00:01:20,790 --> 00:01:22,320 all the way down to the person working 40 00:01:22,320 --> 00:01:24,270 in the proverbial mail room. 41 00:01:24,270 --> 00:01:25,710 Now, some employees are gonna have 42 00:01:25,710 --> 00:01:27,810 multiple social media accounts as well, 43 00:01:27,810 --> 00:01:29,460 and this is to divide their professional 44 00:01:29,460 --> 00:01:32,160 or work accounts from their personal account. 45 00:01:32,160 --> 00:01:34,530 For example, all of my employees have 46 00:01:34,530 --> 00:01:37,440 a personal Facebook account and a work Facebook account, 47 00:01:37,440 --> 00:01:38,940 and they're gonna use that work account 48 00:01:38,940 --> 00:01:41,040 whenever they're posting on behalf of our company. 49 00:01:41,040 --> 00:01:42,420 While they're personal, one is used 50 00:01:42,420 --> 00:01:44,640 for everything else they do on Facebook. 51 00:01:44,640 --> 00:01:46,920 Now, that means that most employees will be proper 52 00:01:46,920 --> 00:01:48,870 and professional on their work accounts, 53 00:01:48,870 --> 00:01:50,670 but if you find their personal account, 54 00:01:50,670 --> 00:01:52,020 you can find the real person 55 00:01:52,020 --> 00:01:55,320 behind that employee, including their interests, habits, 56 00:01:55,320 --> 00:01:59,700 behaviors, friends, spouses, children, and much more. 57 00:01:59,700 --> 00:02:02,160 Now, some employees even publish their own personally 58 00:02:02,160 --> 00:02:03,930 identifiable information online, 59 00:02:03,930 --> 00:02:05,730 including things like their full name, 60 00:02:05,730 --> 00:02:08,460 their birthdate, their address their phone number, 61 00:02:08,460 --> 00:02:09,660 and much more. 62 00:02:09,660 --> 00:02:12,570 When it comes to social media sites, my personal favorite 63 00:02:12,570 --> 00:02:15,630 for open source intelligence research is LinkedIn. 64 00:02:15,630 --> 00:02:17,400 And this is because I can find out so much 65 00:02:17,400 --> 00:02:20,610 about an organization by reviewing their pages there. 66 00:02:20,610 --> 00:02:24,030 First, you can find the company's own page on LinkedIn. 67 00:02:24,030 --> 00:02:25,680 Let's take for example Udemy, 68 00:02:25,680 --> 00:02:28,380 the massively popular e-learning company. 69 00:02:28,380 --> 00:02:29,580 From their LinkedIn page, 70 00:02:29,580 --> 00:02:33,930 I can see they have 5,562 that have claimed a relationship 71 00:02:33,930 --> 00:02:35,730 with Udemy on LinkedIn. 72 00:02:35,730 --> 00:02:38,760 Now, if I go to the post tab, I'm gonna find a lot 73 00:02:38,760 --> 00:02:41,820 of marketing things in press releases and things like that. 74 00:02:41,820 --> 00:02:43,290 Now, this could be helpful, 75 00:02:43,290 --> 00:02:45,120 but usually it isn't really what I'm focused 76 00:02:45,120 --> 00:02:45,953 on when I'm looking 77 00:02:45,953 --> 00:02:48,150 at LinkedIn for open-source intelligence. 78 00:02:48,150 --> 00:02:50,810 Instead, I like to focus on the insights tab, 79 00:02:50,810 --> 00:02:54,570 the life tab, the people tab, and the jobs tab. 80 00:02:54,570 --> 00:02:57,270 First, let's look at the insights tab. 81 00:02:57,270 --> 00:03:00,480 Under this tab, we can see some key data about the company 82 00:03:00,480 --> 00:03:03,000 including its total number of employees and the growth 83 00:03:03,000 --> 00:03:05,700 of that employee number over the past two years. 84 00:03:05,700 --> 00:03:07,080 Now, in this case, I can see 85 00:03:07,080 --> 00:03:10,620 in the last two years that the company has grown 62%, 86 00:03:10,620 --> 00:03:13,830 but in the last six months, they've only grown 5%. 87 00:03:13,830 --> 00:03:16,470 Now, why is that important to understand? 88 00:03:16,470 --> 00:03:19,050 Well, if the company is rapidly growing 89 00:03:19,050 --> 00:03:21,390 that's usually a time when they have worse security, 90 00:03:21,390 --> 00:03:22,590 especially, due to the number 91 00:03:22,590 --> 00:03:25,740 of new users who aren't fully or properly trained. 92 00:03:25,740 --> 00:03:28,260 Additionally, if they have a very high growth rate 93 00:03:28,260 --> 00:03:29,250 that means it's common 94 00:03:29,250 --> 00:03:31,680 that new people are joining the team all the time. 95 00:03:31,680 --> 00:03:32,790 And this could be a good chance 96 00:03:32,790 --> 00:03:35,520 for you to conduct a social engineering campaign that relies 97 00:03:35,520 --> 00:03:38,220 on impersonation where you might pretend to be a new hire 98 00:03:38,220 --> 00:03:39,420 at the company. 99 00:03:39,420 --> 00:03:41,610 As you continue to look through the insights tab, 100 00:03:41,610 --> 00:03:44,580 there's other valuable information here for you to see too. 101 00:03:44,580 --> 00:03:45,780 For example, we can look 102 00:03:45,780 --> 00:03:48,600 at the distribution of their workforce, and I can see here 103 00:03:48,600 --> 00:03:51,210 that the majority of their employees are in education 104 00:03:51,210 --> 00:03:53,760 and the next highest area is engineering. 105 00:03:53,760 --> 00:03:55,830 This could indicate that they're spending a lot of money 106 00:03:55,830 --> 00:03:58,260 on their technical employees who might be better trained 107 00:03:58,260 --> 00:04:01,290 and less likely to fall for things like a fishing attempt. 108 00:04:01,290 --> 00:04:03,570 Next, I'm gonna move on to the life tab. 109 00:04:03,570 --> 00:04:06,270 Now, this tab is used by the company to tell their own story 110 00:04:06,270 --> 00:04:08,043 about why somebody would wanna work for them 111 00:04:08,043 --> 00:04:10,080 what their culture is like, and even some 112 00:04:10,080 --> 00:04:13,050 of the employee testimonials and company photos. 113 00:04:13,050 --> 00:04:15,210 Next, I'll move over to the people tab. 114 00:04:15,210 --> 00:04:16,380 From here, I can find 115 00:04:16,380 --> 00:04:18,180 out the breakdown of where people live, 116 00:04:18,180 --> 00:04:20,610 what colleges they went to, and more importantly 117 00:04:20,610 --> 00:04:23,670 a list of the people who are currently working for Udemy. 118 00:04:23,670 --> 00:04:25,800 This can be your springboard into a deeper dive 119 00:04:25,800 --> 00:04:27,810 on an individual that you might wanna target 120 00:04:27,810 --> 00:04:29,220 as part of your engagement 121 00:04:29,220 --> 00:04:31,980 or you might try to identify their system administrators, 122 00:04:31,980 --> 00:04:34,290 their engineers, and their security professionals 123 00:04:34,290 --> 00:04:36,630 and see if they regularly post to LinkedIn. 124 00:04:36,630 --> 00:04:39,060 Now, many people in technical careers like to post 125 00:04:39,060 --> 00:04:41,670 to LinkedIn about the challenges they're facing at work, 126 00:04:41,670 --> 00:04:43,200 and if they're having a work-related project 127 00:04:43,200 --> 00:04:44,130 that's challenging 128 00:04:44,130 --> 00:04:46,530 or they overcame it, they may go ahead and post 129 00:04:46,530 --> 00:04:49,080 about that to celebrate how they overcame that challenge 130 00:04:49,080 --> 00:04:51,600 and maybe even detail the solution they used. 131 00:04:51,600 --> 00:04:52,860 This can be great information 132 00:04:52,860 --> 00:04:55,052 for a penetration tester to have, especially when it comes 133 00:04:55,052 --> 00:04:58,950 from the technical personnel of that targeted organization. 134 00:04:58,950 --> 00:05:00,642 Finally, I'm gonna move into the jobs tab 135 00:05:00,642 --> 00:05:03,240 and this is my favorite tab. 136 00:05:03,240 --> 00:05:04,800 As we look at the jobs tab, 137 00:05:04,800 --> 00:05:07,950 we can see every job posted by this organization. 138 00:05:07,950 --> 00:05:11,280 Currently, there are 307 job openings available 139 00:05:11,280 --> 00:05:12,600 and I can search through all of them 140 00:05:12,600 --> 00:05:15,390 with a few keywords to find what I'm looking for. 141 00:05:15,390 --> 00:05:17,460 For example, let's say I want to determine 142 00:05:17,460 --> 00:05:18,870 which cloud service provider 143 00:05:18,870 --> 00:05:21,690 Udemy is relying on to provide their infrastructure. 144 00:05:21,690 --> 00:05:23,029 I can simply type in the word cloud 145 00:05:23,029 --> 00:05:26,400 and see that it filters down from 307 postings 146 00:05:26,400 --> 00:05:29,730 down to a more reasonable number of 29 postings. 147 00:05:29,730 --> 00:05:32,550 Next, I wanna start clicking through some of the positions. 148 00:05:32,550 --> 00:05:36,000 The first position is listed as a senior systems engineer. 149 00:05:36,000 --> 00:05:37,800 As I look at that job description, 150 00:05:37,800 --> 00:05:39,270 I don't see anything that mentions 151 00:05:39,270 --> 00:05:42,750 whether they're using AWS, Azure or Google Cloud, 152 00:05:42,750 --> 00:05:45,870 but I do see that they're using JAMF and Intune 153 00:05:45,870 --> 00:05:47,430 for Windows OS patching 154 00:05:47,430 --> 00:05:49,200 and that they're seeking somebody who has experience 155 00:05:49,200 --> 00:05:51,510 in Mac OSX device management. 156 00:05:51,510 --> 00:05:54,570 And this tells me they're not just a Windows only company, 157 00:05:54,570 --> 00:05:56,490 so, we're gonna have to conduct some vulnerability scanning 158 00:05:56,490 --> 00:05:59,580 and exploitations against their Mac systems too. 159 00:05:59,580 --> 00:06:01,770 All right, let's move on to another position. 160 00:06:01,770 --> 00:06:02,730 Let's say, for example, 161 00:06:02,730 --> 00:06:05,130 we look at the security architect position. 162 00:06:05,130 --> 00:06:06,600 In this position description, 163 00:06:06,600 --> 00:06:08,280 I can see they're focused on programming 164 00:06:08,280 --> 00:06:11,232 and development experience, but they're not very specific 165 00:06:11,232 --> 00:06:13,680 in which single language they're using. 166 00:06:13,680 --> 00:06:16,020 Instead, they list out things like Python, 167 00:06:16,020 --> 00:06:19,830 Go, Ruby, Java, JavaScript, et cetera. 168 00:06:19,830 --> 00:06:21,540 Now, this isn't as helpful unfortunately 169 00:06:21,540 --> 00:06:22,830 because it's really too vague 170 00:06:22,830 --> 00:06:24,690 for me to know exactly what they're using 171 00:06:24,690 --> 00:06:26,370 in their system development. 172 00:06:26,370 --> 00:06:27,720 As we keep looking though, 173 00:06:27,720 --> 00:06:29,490 we're also gonna see they want experience 174 00:06:29,490 --> 00:06:31,470 with cloud service provider platforms 175 00:06:31,470 --> 00:06:35,700 such as AWS, GCP, Azure, and automation tools. 176 00:06:35,700 --> 00:06:37,950 Now, again, this is really vague as well, 177 00:06:37,950 --> 00:06:39,780 so, it's not that helpful. 178 00:06:39,780 --> 00:06:41,790 Now, there's really two reasons a company would be 179 00:06:41,790 --> 00:06:43,950 this broad on their job description. 180 00:06:43,950 --> 00:06:46,470 The first is that they are very security conscious 181 00:06:46,470 --> 00:06:47,760 and they don't wanna let attackers 182 00:06:47,760 --> 00:06:49,170 and penetration testers know 183 00:06:49,170 --> 00:06:50,880 what type of tech stack they have, 184 00:06:50,880 --> 00:06:52,590 and what all their different languages look like 185 00:06:52,590 --> 00:06:54,750 that they're using in their software development, 186 00:06:54,750 --> 00:06:55,920 and so, they're trying to prevent us 187 00:06:55,920 --> 00:06:57,360 from gaining enough information 188 00:06:57,360 --> 00:06:59,310 by looking at these job postings. 189 00:06:59,310 --> 00:07:01,380 Now, personally, I don't think that's the reason 190 00:07:01,380 --> 00:07:03,660 because most companies aren't that smart, 191 00:07:03,660 --> 00:07:06,120 and so, as we continue to look at other job postings, 192 00:07:06,120 --> 00:07:08,370 we can probably find one that tells us a little more 193 00:07:08,370 --> 00:07:10,140 about what we're looking for. 194 00:07:10,140 --> 00:07:12,390 Now, the second reason that they're gonna be this broad 195 00:07:12,390 --> 00:07:14,550 and vague, and this is probably the more accurate one 196 00:07:14,550 --> 00:07:15,810 in the case of Udemy, 197 00:07:15,810 --> 00:07:18,090 is that finding security architects and programmers 198 00:07:18,090 --> 00:07:21,600 in the San Francisco California area is really challenging. 199 00:07:21,600 --> 00:07:23,700 So, the company is probably being very open 200 00:07:23,700 --> 00:07:26,280 to anybody who has the basic skill set needed. 201 00:07:26,280 --> 00:07:28,800 Since once you learn a language like Java or Ruby, 202 00:07:28,800 --> 00:07:31,560 you can pick up another one and it's not too difficult. 203 00:07:31,560 --> 00:07:33,570 The same holds true for cloud platforms. 204 00:07:33,570 --> 00:07:35,610 Once you use AWS or Azure, 205 00:07:35,610 --> 00:07:37,710 learning the other one isn't too bad, 206 00:07:37,710 --> 00:07:38,940 and I think that's more likely 207 00:07:38,940 --> 00:07:40,680 why this post is being so vague. 208 00:07:40,680 --> 00:07:42,420 It's because of a talent crunch 209 00:07:42,420 --> 00:07:44,670 and they're having difficulty hiring for this position 210 00:07:44,670 --> 00:07:47,640 if they're very specific on what their needs actually are. 211 00:07:47,640 --> 00:07:48,510 All right, so we're gonna go ahead 212 00:07:48,510 --> 00:07:50,520 and click around until we find one that helps us. 213 00:07:50,520 --> 00:07:53,400 I'm gonna go and jump down to the senior cloud engineer. 214 00:07:53,400 --> 00:07:55,170 This is probably a good one because we're talking 215 00:07:55,170 --> 00:07:57,330 about cloud, and that was what I was looking for. 216 00:07:57,330 --> 00:07:59,400 Now, I bet here we're gonna be a little bit more specific 217 00:07:59,400 --> 00:08:01,050 in their requirements as well. 218 00:08:01,050 --> 00:08:03,570 Now, in this position, we see some generic information 219 00:08:03,570 --> 00:08:05,010 about a cloud engineer, 220 00:08:05,010 --> 00:08:07,777 and then, in the second paragraph it says, 221 00:08:07,777 --> 00:08:09,540 "Our primary environments and tools 222 00:08:09,540 --> 00:08:14,540 include AWS, GCP,, VMware, Dell computer slash storage, 223 00:08:14,760 --> 00:08:17,400 VSAN, Terraform, Cloud Formation, 224 00:08:17,400 --> 00:08:20,970 Atlantic, Ansible, Datadog, and GitHub." 225 00:08:20,970 --> 00:08:22,050 That's a pretty good list 226 00:08:22,050 --> 00:08:24,390 of their tech stack and their different development tools 227 00:08:24,390 --> 00:08:25,680 and one of the things I noticed 228 00:08:25,680 --> 00:08:28,920 in there that wasn't listed is Microsoft Azure. 229 00:08:28,920 --> 00:08:31,620 So, we know Azure is not one of the cloud tools 230 00:08:31,620 --> 00:08:33,090 they're really focused on, 231 00:08:33,090 --> 00:08:33,923 and this tells me 232 00:08:33,923 --> 00:08:36,299 they are using a multi-cloud infrastructure though 233 00:08:36,299 --> 00:08:40,110 because I did see AWS and Google Cloud being listed. 234 00:08:40,110 --> 00:08:41,760 Now, based on my reading of that, 235 00:08:41,760 --> 00:08:44,700 it seems that they're primarily on Amazon Web Services, 236 00:08:44,700 --> 00:08:46,740 and they're using Google Cloud for a backup, 237 00:08:46,740 --> 00:08:48,810 but that's just my guess at this point. 238 00:08:48,810 --> 00:08:49,643 Now, if we look 239 00:08:49,643 --> 00:08:51,840 down a little bit further at the requirement section, 240 00:08:51,840 --> 00:08:54,210 you're gonna see that it states a good level of experience 241 00:08:54,210 --> 00:08:57,780 with AWS and cost management experience a plus. 242 00:08:57,780 --> 00:08:59,250 This confirms my suspicion 243 00:08:59,250 --> 00:09:02,130 that they're probably using AWS primarily. 244 00:09:02,130 --> 00:09:03,865 So, now that I gather this intelligence, 245 00:09:03,865 --> 00:09:05,910 what does it tell me? 246 00:09:05,910 --> 00:09:07,230 Well, I'm have to think 247 00:09:07,230 --> 00:09:09,780 about how I'm gonna test things during the engagement 248 00:09:09,780 --> 00:09:11,490 and I'm gonna wanna make sure that I have someone 249 00:09:11,490 --> 00:09:14,580 on the team who's familiar with AWS penetration testing 250 00:09:14,580 --> 00:09:17,700 and we need to make sure to get AWS's permission 251 00:09:17,700 --> 00:09:19,890 before we start doing those tests. 252 00:09:19,890 --> 00:09:22,440 Also, since they're using AWS for their cloud, 253 00:09:22,440 --> 00:09:24,390 that means I can use something like PACU 254 00:09:24,390 --> 00:09:27,480 which is an open-source AWS exploitation framework 255 00:09:27,480 --> 00:09:31,140 during my engagement against their AWS technical stack. 256 00:09:31,140 --> 00:09:34,020 I think you can see now why I love job posting so much 257 00:09:34,020 --> 00:09:35,670 during the reconnaissance phase 258 00:09:35,670 --> 00:09:37,830 because you can find so much great information 259 00:09:37,830 --> 00:09:39,690 that's open source within them. 260 00:09:39,690 --> 00:09:41,700 This includes things like the personnel who are making 261 00:09:41,700 --> 00:09:44,940 up the departments or teams, including the hiring managers. 262 00:09:44,940 --> 00:09:46,170 You might be able to find the lack 263 00:09:46,170 --> 00:09:48,330 of qualified personnel and critical positions. 264 00:09:48,330 --> 00:09:50,700 For example, we saw this organization needs 265 00:09:50,700 --> 00:09:53,310 a new security architect and a cloud engineer, 266 00:09:53,310 --> 00:09:54,960 and that means they either lost those people 267 00:09:54,960 --> 00:09:56,400 and they're looking for replacements 268 00:09:56,400 --> 00:09:57,840 or they're growing rapidly, 269 00:09:57,840 --> 00:10:00,450 and either those are things we can take advantage of. 270 00:10:00,450 --> 00:10:01,500 We can also find the level 271 00:10:01,500 --> 00:10:03,150 of technical capability they have. 272 00:10:03,150 --> 00:10:05,700 Again, this is based off those job postings. 273 00:10:05,700 --> 00:10:08,820 What level of education are they posting as requirements? 274 00:10:08,820 --> 00:10:09,653 We can also figure 275 00:10:09,653 --> 00:10:12,090 out what software architecture and services are used. 276 00:10:12,090 --> 00:10:14,280 We can figure out what programming languages are used. 277 00:10:14,280 --> 00:10:16,230 We can figure out the types of hardware they use. 278 00:10:16,230 --> 00:10:17,070 We can find out the types 279 00:10:17,070 --> 00:10:18,990 of security systems they've fielded. 280 00:10:18,990 --> 00:10:20,557 All of this is stuff we can find inside 281 00:10:20,557 --> 00:10:23,640 of these job postings if we just go out and look for it. 282 00:10:23,640 --> 00:10:24,750 In addition to LinkedIn, 283 00:10:24,750 --> 00:10:26,601 there's lots of other places to gather information 284 00:10:26,601 --> 00:10:28,200 about the people who work 285 00:10:28,200 --> 00:10:31,260 at that company and the positions they're hiring for. 286 00:10:31,260 --> 00:10:35,070 Sites like Monster, ZipRecruiter, Indeed, Glassdoor 287 00:10:35,070 --> 00:10:37,110 and many others are a great place 288 00:10:37,110 --> 00:10:39,210 for you to look as you're looking for more information 289 00:10:39,210 --> 00:10:40,863 on your targeted organization. 22492