Information Gathering - lessons from The Big Short

Information gathering from public sources is still one of the best ways to understand your potential target.

I have been reading a great book called "The Big Short". It's a book about the financial crisis of the sub-prime mortgage market in the US. I don't have any financial services training so I didn't quite grasp all the nuances of the financial machinations involved, but one thing is clear: All people that managed to profit during the failure of the subprime mortgage market relied only on publicly available information.



This only goes to show the power that lies in publicly available information, if it is analyzed properly. Always collect as much information as possible, using OSINT tools like collection of financial statements, annual reports, analysis through specific tools like Maltego and IP and DNS registries.

Regardless of whether you need to collect information on a potential competitor, a target of a penetration test, in financial spread betting or derivatives trading, or even in financial research of a company there are several lessons that the "The Big Short" teaches us:

  1. Financial statements contain non-financial data - do not run away from the balance sheets, income statements and the like. Most often, these documents have a significant narrative which describes the points of the financial items, and thus explains the operations of the target
  2. Collect information for the target - grab financial statements, news on sales contracts, news on key personnel that arrived or left the company and their assistants, everything in terms of indexed documents or spreadsheets.
  3. Collect information for the target’s partners and customers - it is not only the target that needs to be investigated. An excellent information source may always be the partners who may have less stringent information security policies. Also, their financial statements may have useful insights.
  4. Look at relationships between everyone - who owes money to whom, who is dependent, who has the trust of who. Understanding relationships between people and companies is a great foothold for social engineering.
  5. Ask the 5 Why- On every fact or relationship, ask yourself why is this done in such a way and try to answer it. Then ask why on the answer, and again and again. If you don’t find a good simple answer, there's a good chance there is a gap there, either some useful information is not available but is important, or there is a gap to be exploited.

While "The Big Short" is about making money, the lessons from it are excellent for information security. I would recommend a read for every security guy.

Talkback and comments are most welcome

Related posts
Digging for information with Open Source Intelligence

6 comments:

Diamond Geeza said...

Agreed, "The Big Short" is an awesome book - I only just finished reading it. Its funny how the guys that were 'short subprime' early on only managed to make a killing at the last moment, and that was by selling their 'shorts' (credit default swaps) to the very banks that were long, for exponential multiples of what they had paid for them: their ability to see that the original swaps were massively underpriced is what made them the profit.

Texte invitatii nunta said...

interesting your article,I like this one

Haine online said...

Good to know!!

Getit said...

Lovely blog it is. Download Zapya for PC to share files and folders easily from PC to Mobile

Sunmugam Chidambaram said...

I Pleased to Read to Read
Download xender for pc
Very good for share FILES ,PICTURES PC To any Android

Martin sam said...

CBSE Board 12th Result 2017
Mah ssc result 2017
mah hsc result 2017
sslc result 2017
rajresults.nic.in

Designed by Posicionamiento Web