This document discusses the challenges security researchers face when conducting open-source intelligence (OSINT) research anonymously. It outlines anonymity challenges like security policies prohibiting VPNs and TOR, and a lack of funds for secure anonymous channels. It also discusses challenges obtaining valid information from large datasets and sharing intelligence due to policy differences. The document recommends tools for anonymous OSINT like Whonix and Tails virtual machines, and describes sources like search engines, social media, paste sites and intelligence reports. It emphasizes practicing intelligence in depth using multiple sources.

2. “White Hat Anonymity”: Current challenges
security researchers face preforming
actionable OSINT
Christopher R. Barber, CISSP, C|EHv7
Threat Analyst
Solutionary Inc.
Security Engineering Research Team (SERT)

3. Introduction
• Member of Solutionary’s Security Engineering Research Team
(SERT) specializing in threat intelligence and analysis
• Research and discovery of emerging threats and
vulnerabilities
• Use of Open-Source Intelligence Techniques(OSINT) for
tracking threat actor activities
• Analysis of threat landscape trends monthly
and high level analysis annually

4. Outline
• Challenges
• Establishing Anonymity
• OSINT Tools and Techniques
• Sources
• Information Sharing

5. Challenges
• Anonymity Challenges
• Source Information Challenges
• Intelligence Sharing Challenges

6. Anonymity Challenges
• Security policy prohibits the use of 3rd party VPN
providers and access to TOR network
• Lack of funds, resources and personnel for the
development of secure anonymous channels.

7. Source Information Challenges
• Large volumes of information from a diverse
collection of sources
• Being able to discern between valid
information and injected disinformation
• Personnel and Resources

8. Intelligence Sharing Challenges
• Conflicts between organizations due to
differences in security policies
• Lack of security from collaborating
organization leads to pivot point for
compromise

9. Establishing Anonymity
• Having an unknown or unacknowledged name
• Having an unknown or withheld authorship or agency
• Having no distinctive character or recognition factor
• Being able to gather information in a manner that does not
reveal your personal, professional, or organizations identity

10. Digital Paper Trail: The bread crumbs left as we
traverse the cyber domain.
• IP Address
• User Agent
• Cookies
• Behavioral habits

11. Anonymizing Service Providers
•
•
•
•
•
•
Private Internet Access
HideMyAss
BlackVPN
IVPN
AirVPN
TorGuard

12. Anonymizing Virtual Machines
• Whonix
• Tor Middlebox
• Tails VM

13. Whonix

14. Tor Middlebox
• Works as proxy between host machine and
Virtualbox
• Routes all VM traffic through Tor proxy on
host machine

15. Tails Virtual Machine

16. Open-Source Intelligence
• Collection and analysis of information
gathered from publicly available
sources
• Sources involve any form of electronic
or printed material available in the
public domain
• Intelligence is obtained through the
statistical analysis of the occurrence
and relationships between pieces of
information

17. Tools and Techniques for OSINT
• Collection Tools
• Search Engines
• Social Media
• Intelligence sources

18. Collection Tools
• Paterva/Maltego
• Recorded Future

19. Maltego

20. Recorded Future

21. Search Engines
• Google Custom Searches
• Iseek
• Addic-to-matic
• Shodan

22. Google Custom Search

23. Google Custom Search

24. iSeek

25. Addict-o-matic

26. Shodan

27. Social Media
• Facebook
• Twitter
• Google+

28. Dump Sites
•
•
•
•
•
•
Pastebin
Reddit
AnonPaste
PirateBay
Zone-H
Pastie

29. Honey Pots and Nets
• Provides automated method for distributed
traffic analysis.
• Provides early signs of malware or botnet
activities.

30. Intelligence Sources
•
•
•
•
Cyber War News
The Hacker News
Darkreading.com
FirstHackNews

31. Shared Intelligence
• Intelligence Sharing Organizations
• Intelligence Assimilation and Sharing
Applications

32. Intelligence Sharing Organizations

33. Intelligence Assimilation and Sharing
Applications
• Structure Threat Information
eXpression (STIX)
• Trusted Automated eXchange of
Indicator Information (TAXII)
• Common Attack Pattern
Enumeration and Classification
(CAPEC)

34. Intelligence in Depth
• Intelligence research and analysis
should be practiced with the idea of
“defense in depth”.
• Validity and actionable predictions
can only be made with the collective
analysis of multiple sources.

35. Solutionary’s 2013 Global Threat
Intelligence Report
http://go.solutionary.com/GTIR.html
Solutionary Minds Blog
http://www.solutionary.com/resourcecenter/blog/

36. Thank You
Questions?