The Social-Engineering OSINT Process

In a previous blog post I told you about the two approaches for social engineering attacks. The structured approach has the following steps.

  1. The OSINT Process
  2. The target selection
  3. Profiling the target
  4. Target specific OSINT
  5. The attack preparation
  6. The attack execution

Today we dive deeper into the OSINT process.

What is OSINT?

Before we go any further we need to explain what OSINT is and what it is not. OSINT is all information that is publicly available. This means you go to a source and can query that source for information about the target.

Note that I say nothing about whether OSINT is free (as in gratis) or has to be paid for. If you use the services of a private intelligence agency, a private investigator or a commercial company that sells you the information, it is still considered OSINT.

Building A Company Profile

Building a target’s company profile is a time-consuming job. MITRE has done an amazing job by creating the MITRE PRE-ATT&CK framework.

By using economic analysis techniques such as a SWOT analysis and a PESTLE analysis, you build a better understanding of the company’s environment. Of course we will go through its accounting books and the statements by its board of directors.

Once we have a good idea about the company and its economics, we shift our focus to the organization, and what better place to start than with websites, social media sites and a good generic search on our favorite search engines?

Building A Role List

Once we understand the market and know how the company is structured and where it physically operates, it is time to get to know the people.

With people, we have to understand that there are departments and roles in an organization. Depending on the role, the person filling it can be either an employee or a contractor. It is important to understand that these are different relationships: the employee risks losing his or her job, whereas the contractor risks losing his or her customer.

Depending on which asset we target, we need to figure out which departments and roles are able to give us access to that asset. We start with the assumption that the asset will be protected with an access control list.

For example, if we want to access a building, we assume there is a door, and thus a key is a form of access control list. It is important to understand that the access control mechanism needs to be bypassed, either by walking in when the door is unlocked or by being able to pick the lock.

Once the role list is complete we go to the next phase, target selection, which I’ll discuss in a future post.