Information gathering from public sources is still one of the best ways to understand your potential target.
I have been reading a great book called "The Big Short". It's a book about the financial crisis of the sub-prime mortgage market in the US. I don't have any financial services training so I didn't quite grasp all the nuances of the financial machinations involved, but one thing is clear: All people that managed to profit during the failure of the subprime mortgage market relied only on publicly available information.
This only goes to show the power that lies in publicly available information, if it is analyzed properly. Always collect as much information as possible, using OSINT tools like collection of financial statements, annual reports, analysis through specific tools like Maltego and IP and DNS registries.
Regardless of whether you need to collect information on a potential competitor, a target of a penetration test, in financial spread betting or derivatives trading, or even in financial research of a company there are several lessons that the "The Big Short" teaches us:
- Financial statements contain non-financial data - do not run away from the balance sheets, income statements and the like. Most often, these documents have a significant narrative which describes the points of the financial items, and thus explains the operations of the target
- Collect information for the target - grab financial statements, news on sales contracts, news on key personnel that arrived or left the company and their assistants, everything in terms of indexed documents or spreadsheets.
- Collect information for the target’s partners and customers - it is not only the target that needs to be investigated. An excellent information source may always be the partners who may have less stringent information security policies. Also, their financial statements may have useful insights.
- Look at relationships between everyone - who owes money to whom, who is dependent, who has the trust of who. Understanding relationships between people and companies is a great foothold for social engineering.
- Ask the 5 Why- On every fact or relationship, ask yourself why is this done in such a way and try to answer it. Then ask why on the answer, and again and again. If you don’t find a good simple answer, there's a good chance there is a gap there, either some useful information is not available but is important, or there is a gap to be exploited.
While "The Big Short" is about making money, the lessons from it are excellent for information security. I would recommend a read for every security guy.
Talkback and comments are most welcome
Digging for information with Open Source Intelligence