Understand it, Consume it, Build it

Intel Operator
4 min read · Nov 5, 2018

You have to understand your adversary; the deeper you go, the clearer everything becomes!

Take the below image. A farming site used as a ruse.

Farms you say? Interesting farming products!

I’ve been asked so many questions over the last few years, mostly around how I ended up where I am today practising the unique disciplines of Threat Intelligence and Open Source Intelligence. To that end, I would like to share three main points (with a practical example) which I truly believe have grounded me in all my efforts, through tough times and triumphs.

Understand it

To target the adversary effectively you need to put yourself in their shoes (or clogs).

To enable ourselves to do something we want, we need to visualise and understand what we want in the long term: the end state! In this example, we want to map all the main players, inclusive of phone numbers, emails, contact information and aliases, which will enable us to target the prominent players with a high betweenness/eigenvector score.

For our example checklist we need to understand:

  • Where trafficked steroids are bought, sold and distributed online
  • What platform it’s being sold on: clear web, dark net or dark web
  • What technologies are used server side
  • Whether or not server-side authentication is deployed
  • Site-based language restrictions
  • Whether the site is formatted correctly (CSS, divisions etc.)
  • Whether it is highly available, scalable and/or hosted via a CDN; and
  • What tools we need to use or write to extract the data we want. (Browser add-ons and external programs are excluded because we are running our collection host in Digital Ocean!)

Steroid trafficking site.

Let’s take the above image for example. It’s a normal website containing data which we want to extract; the data we want is all the references (emails, phone numbers etc.) related to anabolic steroids contained within the presented content. To be able to extract the content we need to understand how the website operates, what technologies are used and what tools or processes we could use to interact with the website, and then in turn extract the data.

For this explanation, this particular website uses PHP and JavaScript (mostly), is 8 hops from my Linux box (Digital Ocean) and has around 2 seconds of latency. We will be leveraging grep/curl plus some of our own code to extract the information into a format that enables us to visualise our data.

Consume it

Before we get to writing our own code, using tools and leveraging our own processes, we must develop a mindset of continual learning.

I learn new things every single day, I do not know everything and the world is so rich in technologies that my life is amazingly interesting.

Each target assessment is different: it is built on different technologies and has different levels of security, and we need to understand how to subvert those technologies to gain the data we want (in this case HGH steroid information). To subvert systems, we need to understand all the technologies to the point where we are competent (not an expert); then we can complete our task. (For this example, what we need to learn is listed in the understanding checklist above.)

Once we have learnt what we need, we build it!

Build it!

Be creative, build on others accomplishments and grow yourself into what you desire!

So this is the part where we write our own code leveraging amazing tools (created by other individuals and groups) to enable our outcome!

You should always be creative and think outside the box.

I wrote this simple code (it can easily be augmented for your needs) that extracts the traffickers’ details (email address and Skype account) from the HGH URLs I targeted. The output of this script is CSV formatted and can be imported into Maltego or i2 with ease.

If you want to route the script through Burp Suite, export the proxy variables below in your current terminal first. They must be exported (not just assigned) so that curl, a child process, inherits them, and the proxy URL uses the http:// scheme for both variables because the Burp listener speaks plain HTTP proxy protocol even when it is forwarding HTTPS traffic.

export http_proxy=http://127.0.0.1:1337
export https_proxy=http://127.0.0.1:1337
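As an added example (this is not the author’s script, which is not reproduced in the post), here is a shell version of the grep/curl extraction described above: it reads page source, pulls out email addresses, Skype handles and phone numbers, and emits type,value,source CSV rows for Maltego or i2. The HTML sample, domain and handles are constructed placeholders; with a URL argument it fetches the live page with curl instead, honouring the http_proxy/https_proxy variables set above.

```shell
#!/bin/sh
# Added example, not the author's script: extract contact indicators
# (email, Skype handle, phone) from page source and emit CSV rows
# of type,value,source for import into Maltego or i2.
set -eu

# Constructed sample page source standing in for a saved trafficking page.
SAMPLE_HTML='<div class="contact">Order via email: sales@example-pharma.test<br>
Skype: hgh.dealer_01 | also <a href="mailto:Support@Example-Pharma.test">support</a>
<span>skype: resell.er-99</span> Tel: +1 555 0100</div>'

# extract_contacts SOURCE_LABEL -- reads HTML on stdin, prints one CSV row per
# unique indicator. grep exits 1 when nothing matches, so each is wrapped in || true.
extract_contacts() {
  src="$1"
  html="$(cat)"
  {
    # email addresses, lower-cased so differing case collapses under sort -u
    printf '%s\n' "$html" \
      | { grep -oiE '[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}' || true; } \
      | tr 'A-Z' 'a-z' | sed 's/^/email,/'
    # Skype handles written as "Skype: name" or "skype:name"; strip the label
    printf '%s\n' "$html" \
      | { grep -oiE 'skype:?[[:space:]]*[A-Za-z][A-Za-z0-9._-]{5,31}' || true; } \
      | sed -E 's/^[Ss][Kk][Yy][Pp][Ee]:?[[:space:]]*//; s/^/skype,/'
    # phone numbers: optional +, then 8 or more digits/separators
    printf '%s\n' "$html" \
      | { grep -oE '[+]?[0-9][0-9 ().-]{6,}[0-9]' || true; } \
      | sed 's/^/phone,/'
  } | sort -u | awk -v src="$src" '{ print $0 "," src }'
}

# collect_url URL -- fetch live page source with curl (proxy env vars are
# honoured, so the Burp setting from the post applies) and extract from it.
collect_url() {
  curl -sSL --max-time 20 "$1" | extract_contacts "$1"
}

echo 'type,value,source'
if [ "$#" -gt 0 ]; then
  for url in "$@"; do collect_url "$url"; done
else
  printf '%s\n' "$SAMPLE_HTML" | extract_contacts 'sample.html'
fi
```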

Finalising it!

You could easily have gone out and downloaded a Chrome web scraping extension or used another free scraping tool, but would you have understood it? Consumed all the knowledge? Or built a cool, simple, re-purposable tool? No. That’s why you know your stuff: because you don’t just use, you learn!

If you really have a passion for threat intelligence or intelligence of any discipline (or anything really) I encourage you to light yourself on fire and dedicate yourself to it!

Listen to the below clip (2 mins), Gary Vaynerchuk hits the nail on the head!

Do what you’re good at, have no regrets and forget the rest.

Just do it!

Tools used

  • Chrome
  • Bash, grep and curl (data collection)
  • Quick source viewer chrome extension (html source viewer)
  • IBM I2 (visualisation); and
  • “Logger ++” Burp suite addon (logging).
