We often say that the SANS community is full of heroes who protect us and our society through their work every day. That fact, and the spirit and skill of this community, were on full display at the inaugural SANS OSINT (Open Source Intelligence) Missing Persons Capture-the-Flag (CTF) event at Cyber Defense Initiative (CDI) in December, in partnership with the Canadian non-profit organization, Trace Labs.
More than 90 students volunteered their time over two nights at CDI to uncover and turn in more than 400 pieces of intelligence related to 12 active missing persons cases – a significant achievement from a volunteer, evening cyber challenge.
#OSINTforGood, For Everyone
One of the themes that resonated throughout the two-night event is that anyone can participate in OSINT activities – it’s not just for experienced cyber professionals, and CTF events like this benefit from a diverse group of participants. In fact, the winning team of students, which gathered and submitted 82 tips, was composed entirely of OSINT newcomers.
“You know, I’m sharing this with my friends and family and I’m encouraging them to participate,” said Adam Silk, a SOC analyst who was on the winning team. “It really just takes the ability to go on Google and see what’s out there.”
Jessica Lee, a threat intelligence analyst for a financial company and a member of the winning team, told us that she initially focused on the competition element of the event, targeting points to move her team ahead. As the team did more research, however, things changed.
“You start to learn a little bit more about the person when you’re doing this, and it stops becoming just about finding data points,” she said. “Then you are able to dig deeper and find things about their personality, their lifestyle, and cues that may help law enforcement locate them.”
5 OSINT Hacks from the Winning Team
The winning team shared with us the tactics and approaches they took to find intelligence, as well as a few lessons learned along the way. The result is the following five hacks that you may be able to use to ramp up your OSINT skills and prepare for the next Missing Persons CTF.
1. Prepare Your Research Environment
Before you arrive for the CTF, you need to prepare. Make sure to spend some time getting your research environment set up by downloading virtual machines and more, Jessica advised. That way, you’re not spending the time configuring things during the CTF. Also, read the resources ahead of time. One challenge Jessica’s team ran into was that they didn’t have a mobile research environment set up. Because some social apps, like Snapchat, are only available on mobile, they were unable to search every corner they wanted to.
Trace Labs makes available all the categories and examples of data that go under each category, Jessica said. “For example, I wouldn’t have thought to try to look for make and model and license plates for related vehicles. Using the categories related to point collection will help guide your research efforts.”
2. Stay Anonymous
OSINT researchers must keep their anonymity, so it’s important to confirm that your setup is bulletproof before starting. “If you’re using your personal accounts to do research and you accidentally ‘like’ something or friend somebody, you could potentially be putting yourself in jeopardy or, at least, alerting the missing person that somebody is looking for them.”
3. Take Different Approaches for Different Age Groups
Something that became clear to the winning team right away was that adults had more of a paper trail, and there were public records for more of their activities. Minors, on the other hand, weren’t old enough to have bought a house, and much of their information was private or protected, so the team had to rely more on what the minor had posted online about themselves.
4. Try Google Dorking
One concept that Adam found especially useful was Google Dorking, which is basically the use of Google’s advanced search features to get much more specific results than what would normally be available. While the results you’d get searching inside Instagram might uncover some key user information, advanced search criteria in Google such as site:instagram.com “user name” will widen your result field and locate more of the traceable data you’re actually looking for, Adam suggested.
5. Look into People Search Engines
People search engines can also be a great tool for OSINT investigations, Adam said. Just by entering the person’s name and residential region, the engine can return correlated Facebook and LinkedIn accounts. It’s important to realize this data could be incorrect, Adam commented, but sometimes even the incorrect accounts can get you closer to what you’re looking for by eliminating certain options.
Micah Hoffman, SANS Certified Instructor and organizer of this Missing Persons CTF, teaches professionals how to master these skills, tools, techniques and much more every day, and expects to partner with Trace Labs again in the near future to host more of these types of CTFs.
Catch up on more of our #OSINTforGood mission by looking at Micah’s course, SEC487: Open-Source Intelligence (OSINT) Gathering and Analysis.