Social Media OSINT for Security Teams

Monitoring social media such as Twitter is a great first step in identifying threats to your organization, as well as other business intelligence that may be relevant to your team. Open-source intelligence (OSINT) analysis has become a core competency for many larger security teams. It is extremely valuable during an incident, for both investigative and preventative work. During incidents, managing exposure, information leaks, and ensuring consistent messaging may even be an advisory role for a security analyst.

While there are excellent organizations like Recorded Future and SiloBreaker that can help you dig deep, we frequently work with small and medium-sized businesses who need similar capabilities at no or low cost. In other cases, organizations simply want to determine whether this level of investment is worthwhile for them.

Because of the popularity of OSINT monitoring, there are free resources you can build for yourself to help track events. In many cases, even the social media platform itself can help your Ops team perform such monitoring.  


For example, Twitter's TweetDeck is used by organizations all over the world to perform Lucene-style searches that identify potential electronic or real-world threats. It can be used on virtually any device with a web browser and Internet access. Many MSSPs use this data to keep an eye on their customer base and supply chain.

By combining search terms with AND/OR and the "from:" and "near:" operators, you can quickly match data of interest. Consider this Twitter query that I have running in a TweetDeck tab to help me keep an eye on wide-scale issues such as data dumps and system crashes:

(("computer system" OR "computers" OR "systems") AND (("outage" OR "failure" OR "offline" OR "down") OR ("Breached" OR "hacked" OR "compromise" OR "long line" OR "waiting" OR "globally" OR "nationwide") OR ("Hacked" OR "Breached" OR "compromised") OR ("dump" OR "exposed records"))) OR from:DownDetector

The problem with TweetDeck is that it's hard to correlate events on social media with threats targeting the infrastructure we are all tasked with protecting. This is especially true for popular organizations. Security Information and Event Management (SIEM) tools are purpose-built for this kind of correlation, but most lack the ability to integrate with third-party social media services.

A search similar to the one above can quickly be pushed into log collection tools and searched or matched against potential observables of interest. In some cases, this may be the closest organizations ever come to true attribution work.

A lot of really smart individuals have developed software libraries that allow us to interact with social media APIs. In the example code provided here, we use the Python library Tweepy to query Twitter for specific terms. We then ship this data via syslog to a log collection tool such as Splunk, Graylog or ELK.
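As an added illustration of that pipeline (this is not the post's own code), the following script applies the term groups from the TweetDeck query above to a constructed set of tweet records, flattens each match into a single-line key=value record a SIEM can index, and optionally emits the records over UDP syslog; the collector address, the logger name, the sample tweets and the fetch_recent() wrapper around Tweepy's v2 client are assumptions made for this example.

```python
import json
import logging.handlers  # also binds the top-level logging module
import re

# Constructed sample records in the shape Tweepy's v2 client returns; not real tweets.
SAMPLE_TWEETS = [
    {"id": 1001, "author_id": 42, "created_at": "2023-05-01T12:00:00Z",
     "text": "Our computer system is down nationwide,\nlong line at every branch"},
    {"id": 1002, "author_id": 43, "created_at": "2023-05-01T12:05:00Z", "text": "Great coffee"},
    {"id": 1003, "author_id": 44, "created_at": "2023-05-01T12:07:00Z",
     "text": "Report: 2M exposed records in latest dump from hacked systems"},
]
# Term groups mirroring the TweetDeck query above: a tweet is of interest when it
# names a system AND an event/impact term, or when it comes from DownDetector.
SUBJECT_TERMS = ("computer system", "computers", "systems")
EVENT_TERMS = ("outage", "failure", "offline", "down", "breached", "hacked",
               "compromise", "compromised", "long line", "waiting", "globally",
               "nationwide", "dump", "exposed records")

def _has_term(text, terms):
    # Whole-word, case-insensitive match so "downtown" does not hit "down".
    return any(re.search(r"\b%s\b" % re.escape(t), text, re.I) for t in terms)
def is_of_interest(text, author=None):
    return (author or "").lower() == "downdetector" or (
        _has_term(text, SUBJECT_TERMS) and _has_term(text, EVENT_TERMS))
def to_syslog_record(tweet):
    # One key=value line per tweet; text is whitespace-collapsed and JSON-quoted
    # because syslog messages are single-line and the SIEM indexes each field.
    text = " ".join(tweet["text"].split())
    return "source=twitter tweet_id=%s author_id=%s created_at=%s text=%s" % (
        tweet["id"], tweet["author_id"], tweet["created_at"], json.dumps(text))

def ship(tweets, syslog_address=None):
    # Filter and format; with a (host, port) the lines also go out over UDP syslog.
    lines = [to_syslog_record(t) for t in tweets if is_of_interest(t["text"])]
    if syslog_address is not None:  # e.g. ("127.0.0.1", 514), an assumed collector
        log = logging.Logger("osint.twitter", logging.INFO)
        log.addHandler(logging.handlers.SysLogHandler(address=syslog_address))
        for line in lines:
            log.info(line)
    return lines

def fetch_recent(bearer_token, query, max_results=50):
    # Live collection with Tweepy's v2 client; imported here so the rest runs offline.
    import tweepy
    client = tweepy.Client(bearer_token=bearer_token)
    resp = client.search_recent_tweets(query=query, max_results=max_results,
                                       tweet_fields=["author_id", "created_at"])
    return [{"id": t.id, "author_id": t.author_id, "text": t.text,
             "created_at": t.created_at.isoformat()} for t in (resp.data or [])]
```

A scheduled run would call ship(fetch_recent(token, query), ("collector", 514)); the offline sample shows what lands in the collector and that a newline in a tweet cannot split one record into two.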

From there, the security team can do attribution work in real time or after an event has happened, even if the actor removes the post. That said, Twitter's API terms of use require that you delete tweets from your data store once the author has deleted them. Review the terms of use with your legal team.

In conclusion, OSINT monitoring is a valuable service for any organization. This proactive task can be a very cost-efficient and effective way to obtain situational awareness, key into threats that may impact your organization, or identify a disgruntled customer or employee before the situation explodes.

Sun Tzu teaches us to know ourselves and our enemies to be successful. Understanding how our adversaries communicate and knowing where our environments are exposed allows us to tailor our OSINT monitoring to identify attacks before it's too late. Consider employing your red team to test these filters before they are necessary.
