A (Very) Brief History of OSINT

OSINT traces its origins back to the days when intelligence was gathered from newspapers, television and radio broadcasts, and other publicly-available sources. Historically, governments used OSINT to supplement their classified collection operations such as collecting and analyzing Electronic Signals (SIGINT) and soliciting otherwise publicly-unavailable intelligence information from Humans (HUMINT) with special access to that data.

The advent of the internet and the subsequent explosion of data generated daily have dramatically expanded the scope and importance of OSINT. It has transitioned from being a supplementary source of intelligence to a critical component of national security strategies, business intelligence efforts, and cybersecurity measures. The ability to gather, analyze, and interpret this openly available information is now a prized skill in the arsenal of cybersecurity, law enforcement, and intelligence professionals worldwide.

With the ubiquity of interconnected electronic devices, OSINT has come into its own as a powerful tool for the modern amateur spy. Today, OSINT encompasses a vast array of information available online—from public records to social media platforms to digital publications and datasets.

Major OSINT Sources

OSINT encompasses a wide range of sources. Let’s take a closer look at some of its main components:

Academic and Professional Publications

Research papers, dissertations, and industry reports often contain cutting-edge research and expert insights. They are an excellent resource for in-depth, authoritative information on everything from national defense, technology breakthroughs, and scientific research.

These are scholarly articles, research papers, dissertations, conference proceedings, and industry reports. They provide in-depth analysis, experimental results, and expert insights on a wide range of subjects. For instance, a cybersecurity researcher might use academic papers to stay updated on the latest findings in network security vulnerabilities. Professional publications like white papers from technology companies can reveal emerging trends and new technologies in the industry. Examples include journals like “Journal of Cybersecurity” or industry reports from companies like Gartner or IBM.

Commercial Data Sources

These sources encompass databases and services that compile and sell information, often used for business intelligence, market research, or customer profiling. For instance, data brokers like Experian or LexisNexis aggregate vast amounts of data on individuals, which can include consumer habits, credit histories, and even public records. For businesses, commercial datasets from providers like Bloomberg or Statista offer valuable insights into market trends, economic forecasts, and industry analyses.

Online Publications and News

This area includes digital newspapers, e-zines, blogs, online news portals, and even newsletters. They are key for real-time information on current events, trends, and public opinion. For example, an OSINT analyst might use The New York Times or BBC News to gather information on a recent cyber attack or political event. Tech blogs like TechCrunch or Wired provide insights into the latest technology trends and product releases, which can be crucial for tech-related investigations.

Public Records and Data

Public records are documents or pieces of information that are not considered confidential. This could include birth and death records, marriage licenses, property records, court documents, and government reports. The United States Patent and Trademark Office (USPTO) database provides information on patents and trademarks, which can be vital for intellectual property research. Similarly, property records, which are often available online through local government websites, can reveal ownership details of a particular property.

Would it shock you to know that, if I have your address, it would be child’s play for me to get aerial satellite and ground-level photographs of your home? And I’d never even have to visit the city you live in or risk getting caught gathering intelligence on you.

User-Generated Content

This encompasses the vast amount of content created and shared by users on platforms such as social media, forums, blogs, and video sharing platforms. For instance, Twitter and Facebook can be mined for public sentiment on a specific topic, trends, or even to track the activities of a particular individual or group. TripAdvisor reviews might be used to assess the popularity and customer experience of a tourist spot. Reddit forums can provide insights into niche communities and topics, offering raw, unfiltered opinions and discussions.

Real-World Applications of OSINT in Cybersecurity

In the cybersecurity arena, OSINT is used for a myriad of purposes, including enhancing security postures and providing valuable insights:

Cyber Threat Intelligence (CTI)

Cybersecurity professionals can use OSINT to identify potential threats and vulnerabilities. By monitoring hacker forums, social media, professional/governmental CTI feeds, and other platforms, they can uncover and track emerging threats and trends.

Security Awareness and Assessment

Organizations (and individuals) can utilize OSINT to assess their security posture. This can involve searching for data leaks, monitoring the Dark Web, identifying exposed assets, searching public job postings for indications of technologies (and versions) used by that organization as well as any staffing shortcomings, and learning the Tactics, Techniques, and Procedures (TTPs) of potential attackers.

Have you ever Googled yourself? You might be shocked to find out how much information about you (and your loved ones) is available online for anyone to find and exploit.

Investigative Journalism

Journalists can leverage OSINT for investigative purposes, to uncover facts, and to gather evidence to support their stories.

Law Enforcement/Intelligence Agencies

Law enforcement agencies use OSINT for criminal investigations; it can aid in gathering critical information about criminal activities, locations, and associations. Needless to say, intelligence agencies also use OSINT as another source of corroborating information to back up or enhance their classified collection/analysis efforts.

Tools of the Trade

There is a plethora of publicly-available OSINT tools ranging from simple web search engines to sophisticated software that aggregates and analyzes data from multiple sources. Tools like Maltego and Shodan are quite popular among professionals. Many of these tools come pre-installed in Kali, a special distribution of Linux used by many offensive cybersecurity specialists.

Note that some tools require the user to purchase a license in order to utilize them at their full potential.

Shodan

Shodan is the world’s first search engine for Internet-connected devices. Unlike traditional search engines that index web content, Shodan scans for information about devices and services such as servers, cameras, printers, routers, and other devices connected to the internet, providing detailed information about each device’s Internet Protocol (IP) addresses, open ports, known vulnerabilities, and the type of software running on it. Shodan is an invaluable tool for security professionals and researchers to help identify vulnerable devices and systems exposed online.

Maltego

Maltego is a powerful tool for conducting open-source intelligence and forensics. It offers a depth and breadth of perspective as it focuses on link analysis. With Maltego, users can gather data from various sources and visualize the relationships and networks among different entities, such as people, groups, domains, and networks. This ability to graph complex information networks is especially useful in cyber investigations, where understanding the connections between different data points is key.

Maltego is very useful in a variety of capacities:

• Cybersecurity Investigations: Security professionals use Maltego for cyber threat analysis. It helps in mapping out the network infrastructure of potential attackers, understanding relationships between different nodes, and identifying vulnerabilities in a system.
• Digital Forensics: In digital forensics, Maltego can be used to uncover patterns and connections in digital evidence. It’s particularly useful in complex cases where large amounts of data need to be correlated.
• Fraud Detection: Financial institutions and law enforcement agencies use Maltego to track and visualize the networks involved in fraudulent activities, such as phishing attacks, financial frauds, and scam operations.
• Social Network Analysis: Maltego can analyze social networks to understand relationships and hierarchies within a group, which is useful in intelligence and law enforcement for investigating criminal networks or in business for market research.
• Corporate Intelligence: Businesses use Maltego for competitive intelligence gathering. It helps in mapping out a competitor’s online presence, partnerships, and digital assets.
• Law Enforcement and Counterterrorism: Law enforcement agencies and counterterrorism units use Maltego to uncover connections between individuals, locations, and organizations in criminal networks or terrorist groups.
• Investigative Journalism: Journalists use Maltego for investigating stories, especially those that involve complex connections between entities, like in cases of corruption or international politics.
• Research and Academic Studies: Researchers and academics use Maltego for a variety of studies that require mapping relationships and connections in large sets of data, ranging from social sciences to cybersecurity.
• Human Resources and Background Checks: HR departments and background check companies use Maltego to research potential employees’ digital footprints and connections.

Maltego’s plentiful transforms—basically plugins that fetch information from specific sources and format the results in useful ways—coupled with its flexibility in integrating with various data sources and its powerful mapping/graphing capabilities, make it an effective tool of choice for professionals who need to analyze complex networks and relationships in diverse fields.

theHarvester

theHarvester is designed to gather sensitive information from various public sources like search engines and social media platforms. It’s particularly effective in collecting email addresses, subdomains, host names, and employee names. This information can be used in penetration testing or cybersecurity reconnaissance to understand a target’s digital footprint. Its simplicity and effectiveness make it a favorite among penetration testers for initial data gathering phases.

Recon-ng

Recon-ng is a full-featured web reconnaissance framework written in Python. It has a look and feel similar to the Metasploit Framework, providing an interactive environment to conduct open-source web-based reconnaissance quickly and thoroughly. Recon-ng is modular, allowing users to leverage its powerful framework to write their own modules. It’s packed with a variety of plugins that gather intelligence from various public sources and is highly valued for its efficiency and integration capabilities.

OSINT Framework

While not a tool, per se, the OSINT Framework is a collection of tools and resources categorized by the type of data they are used to collect. This framework is extremely useful for anyone in the cybersecurity field, as it provides a comprehensive directory of resources for gathering open-source intelligence. From domain name lookups to exploiting social networks, this framework guides users to the appropriate tools for every conceivable type of OSINT research.

Google Dorks

I know… I know. The name sounds a bit silly and may even elicit giggles from the more adolescent among us. But Google Dorks can be quite powerful in the hands of someone who knows how to use them.

Google Dorks employ advanced search operators in Google to help researchers find specific strings of text within search results. It’s a method used to uncover hidden information and vulnerabilities in websites. For example, using specific syntax, one can find files containing passwords or sensitive information inadvertently left accessible on web servers. Google Dorks is more of a technique than a specific tool; it’s widely used for security reconnaissance.

TinEye

TinEye is a reverse image search engine that can track where an image came from, how it is being used, if modified versions of the image exist, or if there is a higher resolution version. This tool is especially useful in digital investigations, verifying the authenticity of images, and in the field of intellectual property and copyright, where identifying the use of an image across the internet is crucial.

Creepy

Creepy is an OSINT geolocation—determining the geographic position of a person or object—tool. It allows users to gather geographical information from social media platforms, images, and other sources. By aggregating all the geolocation data associated with a user’s social media posts, Creepy can map out the physical movement patterns of individuals, which is a powerful tool in investigations and intelligence gathering, but also raises significant privacy concerns.

BuiltWith

BuiltWith is a tool that can identify the technology stack used to build a website, including web servers, analytics tools, JavaScript libraries, and more. This information can be invaluable for competitive intelligence, sales intelligence, or cybersecurity. By understanding the technologies used on a website, one can infer potential website vulnerabilities, technology trends, or software preferences of target markets.

SpiderFoot

SpiderFoot is an open-source tool used for automating the process of gathering intelligence about a website, IP address, or domain name. It can collect a wide range of data including network information, web server details, email addresses, and more. SpiderFoot aggregates this information from over 100 different sources and presents it in a coherent manner. It’s particularly useful for in-depth investigations, providing a comprehensive view of a target’s online presence, vulnerabilities, and potential security exposures.

Ethics and Legal Considerations in OSINT

While OSINT seeks to exploit publicly-available information, there are ethical and legal considerations. In the process of conducting your OSINT investigation, it’s crucial to respect privacy, adhere to data protection laws, and ensure that the intelligence gathering and analysis activities are compliant with applicable laws. Unauthorized access, even to publicly available information, could potentially lead to ethical quandaries at best and legal repercussions at worst. While OSINT provides powerful capabilities, it must be used responsibly and ethically.

Another important thing to consider is that if access to information requires signing up for an account (e.g., accessing a social media site), you may be limited by legal agreements as to what you can do with information available to you on those platforms. Even though data may seem open, it may not be. My rule of thumb is that if you need a password to access it, the intelligence information may no longer be, legally speaking, Open Source.

Protecting Yourself Online

In an age where Personally Identifiable Information (PII) is abundant online, protecting your private data from becoming part of someone else’s OSINT research is crucial. Consider the following:

• Personal Data Management: Be conscious of the information you share online, especially when it comes to minor children or other sensitive areas of your life, such as location, absence(s) from the home, healthcare, travel plans, etc. Regularly review and manage your digital footprint.
• Privacy Settings: Regularly review and adjust privacy settings on social media and other online platforms to control who can view your information. Restricting social media posts to select, trusted family members, friends, and acquaintances could minimize exploitation of personal information you might prefer be kept personal.
• Awareness of Digital Trails: Be aware of the trails you leave on the internet. This includes being cautious about the information you post, the sites you visit, and the networks you use. Have you ever noticed that, right after searching for something, ads for that very thing seem to magically show up on your social media feeds? Cookies abound.

Getting Started

For those interested in exploring OSINT, many educational resources—both free and paid—are available. Online courses, webinars, forums, and communities offer a wealth of knowledge and support. If you’re just starting out, begin with foundational research and intelligence analysis concepts and gradually delve into specialized OSINT resources. Practical experience, combined with continuous learning, is key to effectively leveraging OSINT.

For starters, I recommend acquiring the aforementioned OSINT Framework and poking around until you find something interesting. Tools like Maltego can be intimidating for beginners, but there are many YouTube videos available to help teach you the ropes.

OSINT is a fascinating, dynamic field, integral to many sectors including national security, law enforcement, cybersecurity, and research. As the real world continues to expand into the online world, so does the relevance and importance of OSINT, which includes the development of an awareness of our own digital footprints in the form of monitoring what data about us exists online (willingly shared or not). I encourage you to delve deeper into this field, armed with the knowledge and tools to use it responsibly and protect your own data.

I immediately went to PayPal’s website and verified that, indeed, I had a seemingly legitimate invoice waiting for me to pay, replete with the warning: “Your checking account on file will be charged automatically (for $2,689.00, no less) on November 8th, 2022. If you didn’t make this transaction, please contact PayPal Customer Support at 888-449-1898.”

Seems simple enough. Call customer support and get it canceled, right? However, this blurb was in the Seller note to customer box. Also… that isn’t PayPal’s customer support number.

Note above that the “invoice” is from “Deborah Thompson” (clearly a totally real and absolutely not made up fake name).

Note here that “Deborah” had suddenly become “Best Buy.”

Also note “Invoice #0015.” How lucky to have gotten such a low invoice number from “Best Buy,” especially considering they’ve probably sold a million electronic gizmos and doodads this morning alone.

Also also note that, despite the linguist in me noting that the writing suggests being penned by a native English speaker, there is a space missing in the cost field between the x and the $: 1 x$2,689.00. Another bit of suspiciousness that might suggest a copy/paste job.

To PayPal’s credit, their website informed me that I could ignore the invoice, as the automatic payment nonsense was input by the seller scammer.

It is my sincere hope that you have Googled or (Duck-Duck-Go’d) the phone number or akin to “PayPal scam” and, perhaps, found your way to this warning, and that the information here helps you to avoid getting duped out of your hard-earned money.

And I also hope that (the real) Best Buy ups their anti-fraud game and that the FBI finds “Deborah” and buries “her” up to the duodenum in a fire ant hill.

Preface: If you are already thinking, “Finally! Someone has the answers to all our cybersecurity education woes!” you might as well stop reading now. I’m basically just here to complain about the state of things from the perspective of someone who, while admittedly being fairly new to the field, has a good deal of experience in a variety of educational subjects and modalities. I don’t necessarily have solutions… yet. But what I do have are some observations that might, handled properly, eventually lead me somewhere interesting. Maybe.

Can of Worms, Meet Can Opener

Q. What is the Purpose of Education?

I know what you’re thinking. “Easy answer. The purpose of education is to make people smarter, right?” In one sense, I suppose that isn’t far off. But the answer really depends on whether we’re talking about the purported purpose of education or education as it actually works out in reality. If my decades of experience in teaching technology, language, and martial arts have taught me anything, it’s that education in the Real World certainly appears to manifest significantly differently from what it could be in my Androgogical Utopia.

Reality: Education in the Real World (as I see it) is largely a means to, as efficiently as possible, train mass quantities of people to complete specific, prescribed tasks in specific, prescribed ways to eventually make them useful enough that someone else might be willing to pay them to complete specific, prescribed tasks in specific, prescribed ways. Minimum effort is exerted to eschew cramming vastly different people into the same box. In this model, already-overworked teachers can be somewhat freed from having to be excessively creative or spending copious amounts of time (which they don’t really have) getting to know students deeply, identifying their learning styles, discerning their individual needs, and shaping their methods and activities to suit their students.

Androgogical Utopia: Education is a means for building a holistic human being who is capable of creative thought and problem solving, eventually leading to autodidacticism.

The State of Cybersecurity Education

Q. What is the Purpose of Education in Cybersecurity?

From what I’ve been able to ascertain from my meager 3 intensive courses and 2 certifications, the purpose of education/training in cybersecurity would seem to be for the student to quickly cram a metric shit-ton of technical information into his or her brain for the express purpose of passing a certification exam and getting the paper. This, alas, isn’t that dissimilar from higher education in the United States right now. So, I guess if your goal is to get the paper to get the job, you can worry about figuring out how to do the thing after you get the thing. After all, if it works, it works, right?

If you’ve attended a [insert famous cybersecurity training company here] course at some point in your cybersecurity career, you might think the purpose of such training is to turn the fire hose up as high as possible and hope that 0) it doesn’t blast your head completely off and 1) some of that water actually gets into your think-meat in some usable and—hopefully—later-retrievable form. (If it also quenches your soul in some meaningful way, so much the better.) Once said course is over, one takes the associated certification test. Then, assuming one has vanquished one’s foe, one ascends the mountain, certification held aloft, bearing witness to all in the land one’s mastery over the subject.

So. Having completed said course, did you find yourself intellectually refreshed? Did you find yourself with a newfound foundational connection between existing and new knowledge in a way that usefully plugged you into the world? Were you able to suddenly make new connections and experience novel realizations, almost as if by voodoo? Were you suddenly technically competent and ready to jump into action to utilize your newly-gained knowledge in completely appropriate ways? Or did you just end up drenched, wiped out, mentally pudding’d, and even more clueless about what you had just survived? If you’re like me (Buddha help you), you probably identify more with the latter than the former.

In my experience having taken a few such courses, they strike me as more of a right of passage than suitable education. Chances are, if you can both pass the certification exam and apply the knowledge gained right afterward, you probably already had a decent grasp of the material in the first place and the training was either a refresher or completely unnecessary. These ordeals are something to be survived rather than what I’d call a useful educational experience. (And this is from a guy who learned to speak Russian in a year and Japanese fairly well in just a few months.)

The Cult of the Cert

Be honest: How many security certifications do you have? Two? Three? Fifteen? Too many? How many of them reflect the actual degree of serviceable mastery you have over the subject matter? In how many of those areas can you function competently? Did you just cram before the test and immediately do a brain vomit of the info afterward? Did that process actually do you any good educationally-speaking (beyond just allowing you to post the bragging rights on your LinkedIn profile)?

While I am still fairly new to cybersecurity as a profession (~ 2 years in as of this writing), my brain has been wired for security from a variety of angles from decades of martial arts training, military intelligence experience, obsessing over language and linguistics, and trying to solve puzzles since childhood. I have a decade in military intelligence collection, analysis, and reporting for various TLAs. I have a technical background, involving networking, web design, some programming, building computers, and a lifetime full of tinkering with gadgets and gizmos. I have an academic research background. I even spent years of my young life learning to create and break codes and ciphers. And yet, breaking into cybersecurity was harder for me than getting into the military and snatching one of those shiny TS-SCI security clearances. Why is this?

Spoiler Alert: I didn’t have certs.

Knowledge, Skills, and Abilities didn’t seem to matter at all to hiring managers. Fortunately, I was eventually able to speak to a friend of a friend who works as an infosec hiring manager. He came clean with me: He didn’t care whether an applicant had a BS, an MA, or 7 PhDs. He looked for cybersecurity certifications first. Then, assuming they had the desired certs, he’d use academic degrees to figure out how much he needed to pay the person. While I can understand this might make the hiring (rather, the tossing of excess resumes into the trash bin) process easier, to me, this seems somewhat backward and counterproductive developmentally-speaking.

What Could Cybersecurity Education Look Like?

Fruitful education needs to first build a solid foundation. From there, connections need to be made between things the student already knows and the next layer of things that the student doesn’t know. This can be accomplished by a student-centered educational technique known as scaffolding, which comprises a variety of strategies designed to bridge gaps in knowledge and set the foundation for further learning.

Another educational concept to be aware of is the Zone of Proximal Development (ZPD). Researched and developed in the early 20th century by the Soviet psychologist Lev Vygotsky, ZPD is a space wherein the student is capable of completing certain activities with the help of a mentor or teacher, but not quite capable enough to do it him or herself. Note that this teacher doesn’t not have to take the form of a more seasoned practitioner; it could come from a video or book. According to Vygotsky, the ZPD is:

“The distance between the actual development level as determined by independent problem solving and the level of potential development as determined through problem-solving under adult guidance or in collaboration with more capable peers.”

Vygotsky (1935)

In blacksmithing, iron has to be at just the right temperature for the blacksmith to forge and re-shape it; this is different from the temperatures required for other processes such as annealing and heat treating. If the fire is too hot, the student burns out. If the fire is not hot enough, they aren’t forge-able.

Reflecting on the Past

There’s really no sense in reinventing the wheel here, as education has been studied and written about in various cultures for centuries. While the last thing we want is to get mired in tradition for tradition’s sake, it might make sense to do so to get the wheel spinning. Let’s take a look at Shū-Ha-Ri, a rough educational model (of sorts) in used in Japanese (martial) arts and other scholarly pursuits. Note that this isn’t a how-to manual so much as a set of general categories through which a student passes through while on the path. Detailed andragogy will have to come later.

Shū means to copy, protect, or obey. In this stage, the student copies what the teacher presents to them as exactly as possible. The reason for copying is that the student doesn’t really know anything yet and a lattice of fundamental knowledge must first be built up before anything else can be stacked or slathered upon it. (Note: Even after moving out of this phase, the knowledge must be maintained as-is (i.e., protected) in order to be able to pass it on intact to future generations.) Think: Apprentice.

Ha means to tear or break. In this stage, as you might guess, students are invited to break apart the principles they learned in the shū stage for the purpose of digging deeply into how things work (and don’t work), which hopefully leads to a deeper understanding of the material. It can take years—decades, even—to reach this stage in a martial art, depending on how often one trains, natural proclivities and talents, the skill of one’s teacher, and other factors. Think: Journeyman.

Ri means distance. In this stage, the student can break away from the teacher and form his or her own understanding of how to do things and how to teach (if such a thing is desired). This stage generally implies a high degree of proficiency in the topic being studied and perhaps even a different understanding of and approach to explaining/teaching the subject matter than one’s own teacher. One is viewed as a legitimate expert practitioner in one’s own right. Think: Master.

Putting the Hart Before the Corse

One major mistake I sense in the cybersecurity world is that it is demanded of the aspirant to hack their way, so to speak, directly into the Ha (Journeyman) stage without ever having a concrete, structured, logical grounding in the Shū (Apprentice) phase. Doing so skips right past the notions of scaffolding and ZPD and jumps right into the metaphorical cyber meat grinder. This approach can lead to frustration, a poor overall understanding of fundamentals, gaping holes in one’s knowledge that can only be discovered piecemeal through years of trial and error, or even quitting altogether. While dealing with a certain amount of frustration is, itself, very useful in the developmental process, it shouldn’t swallow up the entire process.

I don’t see how this whole rigmarole can reliably create solid practitioners or benefit the discipline as a whole in the long run. Sure, it may seem all sexy and Bond-James-Bond-y to require aspirants to hack and chew their way into the field SAS-style, but where does that realistically leave us? Where does this leave the security of our data, banking, businesses, and national technological infrastructure? It leaves us with a global shortage of 3.5 million cybersecurity professionals by 2021 (that’s next year, BTW) — 300,000 of those in the U.S. alone. Do you like apples? Well, how do you like them apples? And I don’t even know if those numbers account for the surge of remote workers due to COVID-19, requiring even more security.

While this hack-your-way-in approach may make sense for some—and even be a source of bragging rights—I do think it can preclude a lot of potentially skillful cyber-practitioners from even getting a foot in the door in the first place. Some might argue that going through such a process builds the grit and skills that a hacker will need in the future when they run into the unknown. I’d argue that it’s just a terrible way to learn for people who aren’t already wired to learn in such a way. Note that I, in no way, think that doing this for the sheer fun and adventure of it is a negative thing. I just don’t think it should necessarily be a requirement.

In my dojo, we build students from the ground up. As their skill increases, so does the level of difficulty of the problems we present to them to learn to solve. This is in keeping with both the ideas of scaffolding and ZPD. If the problem is too easy, they might not struggle appropriately. If the problem is too difficult, they might get completely shut down and cease to learn.

First, we teach them how to stand with good alignment (which, alone, can be surprisingly difficult for many students). Then we teach them how to move properly (within this new dojo context) while maintaining that structure. Then we teach them how to keep that structure while moving properly with someone’s weight/force on their structure. Then we teach them—maintaining all of the above—to deal with someone attacking them in 形 [kata] form (a practice through which they work on techniques designed to impart principles into their bodies and teach a great number of lessons over the years). Finally (?), the student learns to break those techniques down while maintaining the proper structure, movement, and target/distance/timing/angles/lines they have learned thus far in their practice. This leads them to eventually delve into the practice we refer to as 乱取り [randori], taking form out of the midst of chaos. The student eventually doesn’t know what attack is coming, what technique they might use, or who will eventually end up on the floor. At some point, advanced students (4th degree black belt) might decide they want to learn how to teach, which opens up a whole new world of learning.

Can you imagine being thrown into the chaos of randori on your first night as a white belt? This is analogous to what I see in contemporary cybersecurity education. (And, frankly, a lot of dojo.)

Enter the Apprenticeship

In the Shū stage, one of the most important, fundamental phases, the apprentice is taken under the wing of the adept and, bit by bit, taught foundational skills while earning their keep by performing particular tasks. They learn not just the what and the how, but eventually also the why. As skill increases, so increases the complexity of the problems. The teacher might also test the apprentice from time to time to ascertain what they have learned, what they are still lacking, and what needs to come next. Ideally, the test occurs in small doses every day instead of taking the form of some huge, anxiety-inducing cumulative formal exam.

Of course, what areas of the field someone is interested in will determine what skills they will need to learn. If, for example, someone aspires to eventually join a red team, it goes without saying that they will need to learn how networks, web servers, smart phones, applications, protocols, etc., work. But someone who leans more toward Governance or Compliance will likely not need to know any of those things, at least not in the same depth; regulations and legislation might be more appropriate for them. But in either case, both will need to learn to embody a fundamental security mindset and logical approaches to accomplishing what will be required of them in the field.

Postmortem

Needless to say, this rambling essay from a once and former educator isn’t likely to change the world of cybersecurity training. Not overnight, anyway. Maybe not ever. Education for the sake of being able to say that your people have been, technically-speaking, “educated” is worse than pointless. It’s boring, counterproductive, and a waste of valuable time. If you’re a bottom-line sorta person, imagine it takes everyone in your company, each making an average salary of $70,000, an hour to complete some training package of questionable use that has been assigned as mandatory. You do the math.

There’s a lot more to discuss related to how to actually accomplish all of this stuff. Teaching philosophy and methodology, looking into education research (i.e., “does homework actually work?”), and the actual nuts and bolts. Perhaps those ideas will serve as fodder for future forays into… (sorry, I’ve run out of clean F-words that fit here). The problem with adopting something similar to what I’ve attempted to outline here is that it can take time, effort, and the willingness to take chances on people that might not pan out and invest in the future of the field.

Doing things the right way requires time and effort. It also takes serious self-reflection, the courage to admit that one might have been less-than-completely-right, and the willingness to change when we realize what we’ve been doing isn’t working as well as it could.

APT (Advanced Persistent Threat)

APT are very sophisticated, sustained attacks in which an attacker illegally accesses network for the purposes of stealing sensitive data over a period of time. These attacks are carefully planned and strategically targeted and require a high degree of resources. Because of this requirement, the perpetrator of an APT could ostensibly be a state-sponsored actor or a state itself. APTs can comprise espionage (state or corporate), hacktivism, or cybercrime (e.g., financial theft).

Denial of Service (DoS)

A DoS attack involves the deliberate preventing of legitimate users from accessing networks, computer systems, devices, or other resources (e.g., websites, email, banking). When a DoS attack comes from multiple systems, it is called a Distributed Denial of Service (DDoS). Because of the multiple attacker systems, DDoS attacks can be quite difficult to defend against.

Malware

A portmanteau of malicious software, malware is software specifically designed to cause deliberate damage to systems. Typical types of malware include:

• Viruses act like actual physical viruses, infecting systems and self-replicating to other systems.
• Trojan horses, like the eponymous historical horse, hide their true intent, disguising their malicious payloads for covert insertion into the intended target system. (e.g., DarkComet, Magic Lantern)
• Ransomware holds a system ransom, threatening to block access to a system, delete data, or publish embarrassing information unless a fee is paid, usually via untraceable digital currency. (e.g., Bad Rabbit, WannaCry)
• Spyware is designed to steal information about a user or organization.
• Adware often installs itself onto a system with the user’s knowledge for the purposes of generating revenue for its developer

Man-in-the-Middle

In a MITM attack, the attacker surreptitiously intercepts (and possibly relays, after select alteration/editing) communication between two people, potentially changing the intended message or merely eavesdropping on the conversation. MITM attacks can occur when an unsuspecting user joins an unknown WiFi hotspot in public (which could actually be malicious in nature). Endpoint encryption and the use of known WiFi access points can be used to mitigate MITM attacks. Successful MITM attacks can involve someone impersonating a trusted contact.

Phishing

Phishing (ph- [hacker L337 speak for f-] + fishing) involves an attacker attempting to fraudulently gather sensitive data (e.g., usernames, passwords, credit card information) by disguising him/herself as a known, trusted person via electronic communications (e.g., email, text/instant messaging). There are several types of phishing.

• Spear Phishing is phishing targeted against an organization or specific individuals within that organization.
• SMS Phishing/Smishing is phishing carried out via text messages. To protect yourself from Smishing attempts, avoid clicking unexpected links in SMS/text messages unless they are from a verifiable, trusted person and you know what the link contains.
• Vishing uses voice (often a phone call) to gain access to sensitive information. An unsuspecting victim might be willing to give up PIN and bank account numbers to someone appearing to call from their bank.
• Whaling is phishing directed at senior corporate executives and other high-profile targets such as senior government officials. These will often take the form of communications that these executives expect to see and deal with on a daily basis.

SQL Injection

SQL injection attacks are directed against database-driven websites (think anything with a “search” textbox). SQL commands can be entered into these systems and used to retrieve/modify database entries without proper authorization, including giving oneself full access to a system or stealing protected information. Having developers follow OWASP^® procedures (e.g., the use of prepared statements, stored procedures, whitelisting input validation, and escaping all user-supplied input) can help mitigate SQL injection attacks.

Zero Day Vulnerability

Zero Day refers to a vulnerability that is unknown to the developers of a particular piece of software or antivirus creators. While this vulnerability may be unknown to the developers and public in general, it may be known to malicious actors and/or security researchers. Because it takes time to develop and distribute security patches, this creates a window in which attackers have time to exploit the vulnerability.

Most definitions of the word contain something like this:

security / sɪˈkyʊər ɪ ti / freedom from danger or risk

This definition is, unfortunately, largely nonsense. There is no way you can be free from danger or risk, even if you’ve locked yourself in a padded Faraday cage. You can minimize risk or danger, but you can never be free from it. Let’s take a look at a few different kinds of security to see if we can’t nail down an acceptable meaning.

OPSEC

OPSEC (OPerations SECurity) is a term often used in the military to describe a process of denying the enemy operational intelligence. Think: “loose lips sink ships.” Don’t talk about an upcoming deployment in a coffee shop where unknown ears might be listening. When calling home from a war zone, don’t talk about specifics with family members; they may not be as tuned into security as you are and might blab to someone else who might blab to someone else who is almost definitely a North Korean terrorist mastermind. Be careful of taking photos while on operations; digital photos taken on smartphones can contain embedded EXIF (Exchangeable Image File) data which can store information such as the type of phone used to take the picture, the time and date the photo was taken, and even GPS data. Needless to say, if an attacker can learn who took a picture, what the picture is of, and when/where the photo was taken, they have quite a bit of intelligence upon which to base an investigation or attack.

Although it should go without saying, if you’re stationed at a covert military base in the middle of the desert, don’t use your FitBit, Apple Watch, or Strava to track your jogs around the Tippy-Top-Secret flight line.

PERSEC

PERSEC (PERsonal SECurity) follows roughly the same idea as OPSEC, but with the emphasis more on the security of you and your loved ones rather than strictly operational secrecy. Have you ever gone to the mall and seen a sticker on the back of someone’s minivan with all their children’s names, what size (and how many) dog(s) they have, and what soccer/gymnastics team their kids are on? Oh, and don’t forget that their child is an honor student at _________ school. Given enough information like this, it certainly wouldn’t be hard to track down when and where their sports team is holding a match or what sort of canines might be expected, should one wish to break into their home while they’re away at those games. The amount of actionable intelligence I can glean from some people’s vehicles would curl your toes. And it should. Good thing I’m a Good Guy.

Cybersecurity

While I intend to talk about all different aspects of security as a whole here, professionally, I am primarily concerned with cyber/information security. Merriam-Webster defines cybersecurity thusly: measures taken to protect a computer or computer system (as on the Internet) against unauthorized access or attack. Cisco says cybersecurity is the practice of protecting systems, networks, and programs from digital attacks. All in all, not bad.

One aspect of cybersecurity that should concern everyone is the theft of PII [Personally Identifiable Information]. Examples of PII include, but are not limited to: name, email address, physical address, birthday, place of birth, sexual orientation, IP address, phone number, geocoordinates, license plate, medical records, biometric information, credit/debit card numbers, pictures, operating system, social media usernames/handles, relationships, occupation, and hobbies. PII can be stolen by dumpster diving (literally going through your trash), intercepting unsecured internet activities, phishing, social media, or social engineering. One bit of information by itself may not provide much leverage, but several woven together can allow malicious actors to steal your identity, open fraudulent financial accounts in your name, or ruin your reputation.

Conclusion

Here’s my thought: Security is (basically) an illusion.

The feeling of being safe is just that… a feeling. It’s an emotional response to the (likely incorrect) presumption that one is free from danger or risk (which always exists). Instead of thinking of security as the absence of danger or risk, maybe it makes more sense to think of it in terms of mitigating (i.e., lessening) danger or risk. I divide risk into roughly two categories at a high level:

• Possible: Something that is not impossible
• Probable: Something that is not only possible, but somewhat likely (how “likely” is defined is another conversation)

In the martial arts world, we sometimes talk about personal security. Possible/Probable work quite well here, too. Yes, it’s possible that I might be attacked by a horde of sword-wielding ninjæ on my way to the food court. But it’s not probable (outside of a Sho Kosugi movie). What’s the ROI on me spending hours upon hours training to dispatch such an ill-tempered ninja horde (likely in front of the Panda Express)? In my estimation, it’s pretty much zero. Knowing the difference between probable and possible can save you a lot of time and heartache when it comes to securing yourself, your systems, and your data.