NormShield Blog

Passive Cyber Threat Intelligence

Passive Cyber Threat Intelligence: The More You Look, the More You Find

Let me ask you a question. Have you ever lost something, like your glasses, and run around the house asking, “Has anybody seen my glasses?” only for someone to turn to you and say, “They’re on top of your head”?

When it comes to Passive Cyber Threat Intelligence, you would be surprised how easy some of the data we gather is to find. In fact, a lot of the information can be found through online services that we’re probably already using. Now maybe you’re thinking: what do you mean by Passive Cyber Threat Intelligence, and what does it have to do with hacking? Passive Cyber Threat Intelligence is actually one of the biggest phases a hacker goes through. In this phase the hacker is being passive. They are not doing anything; they are just looking at information.

Below are some tips that you can follow to find some useful information.

  1. Whois Lookup: Whois is a huge database that contains information about almost every website on the internet. It contains common information such as who owns the website and the owner’s email address, as well as some other information. There are a couple of open source sites that you can use to find Whois information. You can search the Whois record for your target by domain name or IP address.
  2. Obtain registrant email address: Whois has useful information such as the email address of the domain’s owner. You can use this email address to find other domains registered by the same person. A reverse Whois lookup will help you find all the registered domains.
  3. Find IP address block: It is important to define how big your target is. is a great source to determine your target’s IP block.
  4. Identify Software: Vulnerable technologies used on a website make it easier to compromise the web application and the server. Wappalyzer can be used as a browser extension to detect the technologies used on a website, so you can find out whether an exploit is available. Kali also has a strong tool called WhatWeb that can be used for the same purpose.
  5. Reverse IP lookup: If the primary target site appears to be secure, we look for less secure sites on the same server to gain access to the underlying operating system. You can easily find all other domains hosted on the same server with a reverse IP lookup, and that expands the attack surface. Then you can continue to look for any vulnerable sites hosted on the same server.
  6. Open Threat Intelligence: Visiting some open source intelligence sites allows you to detect whether your target domain names or IP addresses are blacklisted, track whether any malicious activity is found on your sites, or detect whether your domain is involved in any phishing campaign. can be used as a threat intelligence source.
  7. Open ports: Hackers always look for different doors into a target’s network, and vulnerable ports can be considered one of the best entry points. But remember that we are only collecting information without touching our target’s network. You can get this information without touching your target’s network by using  You can even search for hosts running specific services and hosted in certain locations.
  8. Google search: Hackers use Google dorks to return information that is difficult to find through simple search queries. You can find usernames and passwords, email lists, sensitive documents and website vulnerabilities. This information can be used for illegal activities by the hackers. In order to see what hackers can find about your company, you should also use Google search. So the question to ask here is “What should I search for?”

You should look for:

  • leaked data from paste sites, dark forums and whistleblowing sites.
  • leaked data from document sharing sites and social media accounts.
  • fraudulent software and mobile apps from software markets and pirate mobile markets.
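
As an added example (not NormShield’s code and not part of the original post), the sketch below shows how a defender could check text collected from a paste site for leaked credentials that belong to their own domain. The domain `example.com`, the sample paste and all function names are constructed for illustration.

```python
import re

ORG_DOMAIN = "example.com"  # assumption: placeholder for your own domain
# Constructed sample of paste-site text (not real leaked data).
SAMPLE_PASTE = """\
== combo list ==
alice@example.com:Summer2016!
bob@other.org:hunter2
Alice@Example.com;Summer2016!
carol@mail.example.com | qwerty123
contact us at support@example.com for help
dave@example.com:5f4dcc3b5aa765d61d8327deb882cf99
eve@notexample.com:letmein
"""

# An email address, a separator (: ; | or tab), then a non-space secret.
COMBO_RE = re.compile(
    r"(?P<email>[A-Za-z0-9._%+-]+@(?P<domain>[A-Za-z0-9.-]+\.[A-Za-z]{2,}))"
    r"\s*[:;|\t]\s*(?P<secret>\S+)"
)
# Hex strings the length of MD5, SHA-1 or SHA-256 digests.
HASH_RE = re.compile(r"^(?:[0-9a-fA-F]{32}|[0-9a-fA-F]{40}|[0-9a-fA-F]{64})$")

def in_org(domain, org=ORG_DOMAIN):
    """True for the org domain and its subdomains, not look-alike suffixes."""
    domain = domain.lower().rstrip(".")
    return domain == org or domain.endswith("." + org)

def mask(secret):
    return secret[0] + "*" * (len(secret) - 1)  # never report the full secret

def find_exposed_accounts(text, org=ORG_DOMAIN):
    """Map each exposed org address to its secret type and line numbers."""
    findings = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        m = COMBO_RE.search(line)
        if not m or not in_org(m["domain"], org):
            continue
        kind = "hash" if HASH_RE.match(m["secret"]) else "plaintext"
        entry = findings.setdefault(
            m["email"].lower(),
            {"kind": kind, "masked": mask(m["secret"]), "lines": []},
        )
        entry["lines"].append(lineno)
    return findings

if __name__ == "__main__":
    for email, info in find_exposed_accounts(SAMPLE_PASTE).items():
        print(email, info["kind"], info["masked"], "lines", info["lines"])
```

Accounts flagged as `plaintext` are the ones to reset first; a bare mention of an address with no secret next to it, such as the support contact line in the sample, is not reported.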

How NormShield Works:

NormShield passive threat scanning collects information from the internet (hacker sites, security information sharing sites, internet-wide scanners, reputation services, search engines, etc.). NormShield does not scan or touch any of your systems or network assets at any time during the process.

Data leakages have the potential to be very damaging, whether to a business or individual. NormShield strives to solve this problem through gathering vast amounts of data. We monitor several paste tool data houses, underground hacking databases, social networking sites, and much more all in order to protect against potential data leakages.

The growth of social media worldwide has created an opportunity for hackers. Most social media platforms are open forums where they can share their success. In the last few years, the most successful and planned hacks were publicized on social media. NormShield closely monitors social media, looking to protect against hacking attempts.

Monitoring many security events is almost impossible for many organizations, even for the large ones! NormShield Cyber Threat Intelligence makes this easier, monitoring every single event, watching every single movement, collecting information related to your organization from millions of data points.

The Methodology

NormShield uses Open Source Intelligence services to collect, analyze and report security-related events and findings. Security companies and hackers are always scanning publicly accessible networks and sharing their data on the internet. This is commonly referred to as Open-Source Intelligence (OSINT).

The following mind map shows how hackers can leverage their attack vectors by using OSINT services like hacker forums, social networks, Google, leaked database dumps, paste sites or even legitimate security services like VirusTotal, Censys, Cymon, Google Safe Browsing, etc.

Meanwhile, as we all know, automated results may include some false positives. NormShield security engineers eliminate all false-positive findings and provide you only the ones that matter to your organization.

Please take a look at all of NormShield’s Cyber Threat features at