OSINT Alert Details
Alert ID: OSINT-ORG-INFO-7842
Alert Time: 2024-02-08 10:05:12 EST
Severity: MEDIUM (62/100)
Source: Silent Push (OSINT Monitoring Platform)
Rule: “Corporate Information Exposure on External Platforms”
MITRE ATT&CK: T1591 – Gather Victim Organization Information
Alert Details:
OSINT Findings Summary:
1. LinkedIn Platform:
– 45 employees posted about “new ERP system implementation”
– 12 employees listed “SAP S/4HANA Migration Team” in profiles
– 8 employees posted photos of internal team meetings (badges visible)
– 3 executives posted about “Q4 financial planning retreat”
2. GitHub Platform:
– Employee repository: “internal-scripts” (public, now taken down)
– Contained: Internal server names, database connection strings (commented out)
– Pushed by developer “sjohnson” on 2024-02-01
– Repository had 3 stars, 2 forks
3. Job Postings:
– Company careers page: “Seeking Active Directory Administrator”
– Detailed: Experience with Windows Server 2019, Azure AD Connect, Group Policy
– Reveals: Current infrastructure stack
4. Conference Presentations:
– Employee presentation at TechConf 2024: “Scaling Our Kubernetes Infrastructure”
– Slides included: Internal cluster names, namespace conventions, monitoring stack
– Video publicly available on YouTube (2,300 views)
Risk Assessment:
– Information could aid targeted phishing (personal details)
– Infrastructure details aid network reconnaissance
– Employee roles aid social engineering targeting
– Overall exposure: MEDIUM risk
SOC Investigation Process
| Step | Action | Tools Used | Findings |
|---|---|---|---|
| 1. Alert Validation | Verify OSINT findings | Silent Push, Manual Verification | Confirmed all findings accurate |
| 2. GitHub Takedown | Contact developer to remove repository | GitHub DMCA, Developer Management | Repository removed within 2 hours |
| 3. LinkedIn Review | Identify employees with exposed info | LinkedIn, HR Coordination | 45 employees contacted; asked to remove posts or adjust privacy settings |
| 4. Job Posting Review | Assess information revealed in job ads | HR, Marketing | Updated job templates to remove infrastructure details |
| 5. Conference Content | Review presentation for sensitive info | YouTube, Engineering Manager | Video still public; slides redacted and re-uploaded |
| 6. Policy Update | Create social media policy for employees | Legal, HR, Security | New policy drafted and distributed |
Jira Incident Report
Ticket: SOC-2024-044
Summary: T1591 – Organization Information Exposure via OSINT
Status: RESOLVED
Resolution: INFORMATION EXPOSURE – Remediated
Priority: P3 – LOW
Labels: T1591, osint, information-exposure, social-media, github
Components: Threat-Intelligence, Security-Awareness
INCIDENT ANALYSIS REPORT
1. Initial Context:
- Detection Source: Silent Push OSINT Monitoring Platform.
- Alert: “Corporate Information Exposure on External Platforms”.
- Time: 2024-02-08 10:05 EST.
- Technique: MITRE ATT&CK T1591 – Gather Victim Organization Information.
2. Technical Analysis:
- OSINT Findings Details:
LinkedIn Exposures:
- 45 employees posted about internal projects (ERP migration).
- 12 employees listed specific team names.
- 8 photos contained visible badges (employee names, ID numbers).
- Attackers can use this for targeted phishing and social engineering.
GitHub Exposure:
- Repository: “internal-scripts” by employee sjohnson.
- Contents: PowerShell scripts with embedded server names, commented connection strings.
- Exposure period: 7 days (2024-02-01 to 2024-02-08).
- Forks: 2 (unknown if malicious actors forked).
Job Posting Exposure:
- Job ad for Active Directory Administrator revealed:
  - Windows Server 2019 environment
  - Azure AD Connect in use
  - Group Policy management structure
- Helps attackers tailor network reconnaissance.
Conference Exposure:
- Presentation on Kubernetes infrastructure included:
  - Internal cluster names (k8s-prod, k8s-staging)
  - Namespace conventions (team names)
  - Monitoring stack (Prometheus, Grafana)
- Video has 2,300 views.
- Risk Assessment:
- Phishing Risk: HIGH – Personal employee info enables targeted attacks.
- Network Recon Risk: MEDIUM – Infrastructure details aid attackers.
- Supply Chain Risk: LOW – No third-party credentials exposed.
3. Investigation Findings:
- Timeline:
2024-02-01: GitHub repository made public (unintentional)
2024-02-01 to 2024-02-07: Various LinkedIn posts
2024-02-05: Job posting goes live
2024-02-07: Conference video published
2024-02-08 10:05: Silent Push detects and alerts
2024-02-08 10:30: Investigation begins
2024-02-08 12:00: GitHub repository removed
2024-02-08 14:00: Employees contacted about LinkedIn
2024-02-08 15:00: Job posting updated
2024-02-08 16:00: Conference video redacted
- Indicators of Compromise (IoCs):
URLs:
– https://github.com/sjohnson/internal-scripts (now removed)
– https://youtube.com/watch?v=techconf2024-k8s (redacted)
– https://linkedin.com/company/company/posts (various)
4. Containment Actions:
- Immediate Remediation:
- GitHub repository removed via employee request.
- Conference video redacted and re-uploaded.
- Job posting updated to remove infrastructure details.
- 45 LinkedIn employees contacted to adjust privacy settings.
- Policy Updates:
- New social media policy drafted and distributed.
- GitHub usage policy updated (require private repos for work code).
- Conference presentation review process implemented.
5. Root Cause Analysis:
- Primary Cause: Lack of employee awareness about information exposure risks.
- Contributing Factors:
- No social media policy governing work-related posts.
- No review process for conference presentations.
- No scanning for exposed code repositories.
- Job postings written by HR without security input.
6. Business Impact:
- Risk Exposure: Attackers can use gathered information for targeted attacks.
- Reputational Impact: Low (no negative publicity).
- Operational Impact: None.
7. Remediation & Prevention:
Completed Actions:
All exposed content removed or redacted.
Social media policy created and distributed.
GitHub scanning implemented (truffleHog, GitGuardian).
Conference presentation review process established.
Job posting template updated with security team review.
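The GitHub exposure in section 2 (a PowerShell script whose connection string survived as a comment) and the "GitHub scanning implemented" action above both come down to the same control: a check that runs before code is pushed and treats commented-out credentials and internal hostnames as findings rather than ignoring them. The script below is an added illustration of that check, not code from this report, from truffleHog or from GitGuardian. The internal domain suffixes, the comment prefixes and the sample script it scans are constructed assumptions for the example; a real deployment would load the organisation's own naming conventions.

```python
"""Minimal pre-commit scanner for connection strings and internal hostnames.

Added example, not the report's or any vendor's code. Demonstrates the rule
that commented-out secrets are still exposures: a comment prefix is recorded,
never used to suppress a finding. Domain suffixes below are assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# ASSUMPTION: internal DNS suffixes for this example, not the organisation's real ones.
INTERNAL_DOMAINS = ("corp.example", "k8s.example")
INTERNAL_HOST_RE = re.compile(
    r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)*\.(?:"
    + "|".join(re.escape(d) for d in INTERNAL_DOMAINS)
    + r")\b",
    re.IGNORECASE,
)
# A connection string is any Server/Data Source/Host key followed later by a Password/Pwd key.
CONNSTR_RE = re.compile(
    r"(?:Server|Data Source|Host)\s*=\s*[^;\s]+.*?(?:Password|Pwd)\s*=\s*[^;\s]+",
    re.IGNORECASE,
)
# Comment prefixes for PowerShell, C-style and SQL sources (assumed set for the example).
COMMENT_RE = re.compile(r"^\s*(?:#|//|--|/\*|\*)")


@dataclass(frozen=True)
class Finding:
    line_no: int
    kind: str        # "connection_string" or "internal_host"
    evidence: str    # matched text with any password value masked
    commented: bool  # True when the line is a comment: still exposed once pushed


def mask_secrets(text: str) -> str:
    """Replace password values so the finding itself never leaks the secret."""
    return re.sub(r"((?:Password|Pwd)\s*=\s*)[^;\s]+", r"\1***", text, flags=re.IGNORECASE)


def scan_text(text: str) -> list[Finding]:
    """Scan file contents line by line; comment status is reported, not used to skip."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        commented = bool(COMMENT_RE.match(line))
        conn = CONNSTR_RE.search(line)
        if conn:
            findings.append(Finding(line_no, "connection_string", mask_secrets(conn.group(0)), commented))
        for host in INTERNAL_HOST_RE.finditer(line):
            findings.append(Finding(line_no, "internal_host", host.group(0), commented))
    return findings


def has_blocking_findings(findings: list[Finding]) -> bool:
    """Hook policy: any finding blocks the push, commented or not."""
    return bool(findings)


def main(paths: list[str]) -> int:
    """CLI entry: scan the given files, print masked findings, exit 1 if any."""
    total: list[Finding] = []
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            for f in scan_text(fh.read()):
                tag = " (commented out, still exposed)" if f.commented else ""
                print(f"{path}:{f.line_no}: {f.kind}: {f.evidence}{tag}")
                total.append(f)
    return 1 if has_blocking_findings(total) else 0


# Constructed sample resembling the report's case; not the real internal-scripts content.
SAMPLE_PS1 = """\
# Nightly payroll export (constructed sample, not the real script)
$server = "sql01.corp.example"
# $conn = "Server=sql01.corp.example;Database=Payroll;User Id=svc_etl;Password=ExamplePass123;"
Invoke-Sqlcmd -ServerInstance $server -Query "SELECT 1"
kubectl --context k8s-prod.k8s.example get pods -n billing
Write-Host "done"
"""

if __name__ == "__main__":
    import sys

    if len(sys.argv) > 1:
        sys.exit(main(sys.argv[1:]))
    for finding in scan_text(SAMPLE_PS1):  # demo run on the constructed sample
        print(finding)
```

Wired in as a pre-commit or pre-push hook (`python scan.py $(git diff --cached --name-only)`), the non-zero exit stops the commit; the printed evidence is already masked, so the hook output can be pasted into a ticket without repeating the secret.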
8. Conclusion:
This incident involved the exposure of sensitive organizational information through various public platforms. While no direct compromise occurred, the information gathered could aid attackers in targeted phishing and network reconnaissance. All exposures have been remediated, and new policies implemented to prevent recurrence.
Closure Rationale: All exposures removed; policies updated; monitoring enhanced.
Analyst: [Walter White], SOC Analyst
Date: 2024-02-08 17:00 EST