Open-source intelligence (OSINT)
1h 4m

In this course, you’ll be looking at numerous aspects of the risk matrix including the risk and threats involved in big data, the Internet of Things (IoT), the dark web and social media. You'll also be exploring threat intelligence, unified threat management (UTM), and security risk. You'll also see how you can use open-source intelligence (OSINT) and Dark Web Threat Intelligence to help you establish, improve and refine your risk treatment. All of this ensures that your organisation is protected from and alert to the constantly evolving series of information security threats. 

However, before you go on to threat management, let's first review risk and see how it relates to cyber security. 


Welcome to the session on horizon scanning. So, horizon scanning is looking at threats coming towards the business, and that could be from different attack vectors, that could be from the deep web, dark web, or surface web. We're gonna look at different open-source intelligence platforms to look how we can-, we can gain and understand information. Now, this information can come from different sources, and can obviously be used from a defensive perspective. It can also be used from an offensive perspective, and this is publicly available resources that are available to us, and also, we have government publications which can also provide us information as well. So, let me demonstrate some of this to you now by going onto some of the sites. So, the first site we're gonna look at is a site called Bellingcat. So, Bellingcat were involved in investigating the Salisbury chemical attack. They used open-source tools and techniques to identify the perpetrators behind this attack. Two of them were obviously-, two perpetrators were in the area, and by just doing basic open-source intelligence and information, some postings that were done on social media, they were able to identify the perpetrators and also a third person behind this type of attack. Bellingcat was also involved in investigating the Iranian downing of an airliner, which they tried to deny, but through open-source tools and techniques they were-, it was quite obvious to see by analysing image photography from open-source postings by people that they were involved in bringing down the airliner, and they put their hands up about it.   

Bellingcat was also involved in, and are currently still involved in, tracking the Russian tank movements, and obviously they were able to show Russian tank movements. Which a lot of this was posted onto the Russian version of Facebook, and all that was tracked through different tools and techniques. The Russian version of Facebook was called VK. All this was posted by different Russian soldiers themselves. Some of them involved using dogs, which when you see the postings and the photographs then linked to other accounts. Now, this tool, you can see here is Bellingcat's toolkit, and it covers quite a few different areas. I'll just show you a quick sample of some of them. Some of them are using image and video verification techniques. So, metadata is data about data, so data inside images themselves. Facial recognition techniques, like PimEyes can look at people's facial recognitions or- faces. That can also be useful to identify people just from a face, and then obviously from that you can then search the Internet to find that face on other platforms. They've also used it for social media, so social media like Facebook, and obviously that's gonna be turned into Meta. LinkedIn, where people post too much information on there. A very useful tool to gain information and intelligence about organisations. Any of these tools I'm explaining to you can be used by-, offensively and defensively. Offensively from hackers, and then defensively from other types of organisations themselves trying to protect the type of, of information. So, you can see some of that coming through from social media, and then you've got people-searching techniques, where you can bring up people's phone numbers and names, to name a few.    

There's quite a few little tools just on this website alone. Let me just show you another site, and this one's called OSINT tool collection. There's loads of these open-source tools out there. Can be used by positive or negative, from hacker perspective, also from defensive perspective, and information can be gained. And if you think about someone's username, that might be quite unique, but maybe your profile picture might be quite unique, and people can then track and locate that information and gain further intelligence about it. The same with some of these hacker collectives. They gain information together. They talk about it on different blogs and platforms, and then communicate and share information and intelligence to each other, and that can obviously indicate potentially an attack is about to be launched. So, all of these are, are mentioned. We've talked a bit about ransomware, and ransomware - massive amount of attack in terms of ransomware. The threats, which are from-, and if we look at the-, what's ahead of us, we've got different types of threats coming towards us. We've got the likes of ransomware attacks, where people are encrypting data, but the latest ones that are coming forward now, which are new attacks, it's like the ones like deepfake. Now, 'deepfake' used to be a bit of fun, where you could just get someone to-, like, Barack Obama saying things he probably didn't say, or just taking words out of context. The same with Trump and other people. This attack, these type of visual type of what appears to be a bit of fun now have been as real attacks.

So, we've had cases where a company, someone recorded the information, or the voice of the CEO in quite detailed, and then they replayed that back over a phone call. So, they spoofed the phone number, phoned up the CEO of the company and played the message, and the person on the other end, which was the chief financial officer, believed it was the CEO telling him to pay an invoice to this company, which was completely bogus, but he didn't know that, and he authorised payment of £250,000. These type of things are growing, these type of threats are growing all the time, and we need to be mindful of these type of things. Open-source intelligence, yes, is very useful to gain understanding and knowledge of these different areas of the different threats coming out there. So, domain names. This is to do with companies. I'm on a site called OSINT Framework, and they list a whole lot of tools and techniques on there. Blue circle tells you it's a top-level folder. If I click into it and try to get some domain information, for example, I'm going to go into 'Whois records', Whois records is information about the domain themselves. Now, that was influenced by GDPR, the General Data Protection Regulations, which changed, and this information was supposed to be redacted. But some of the historical information still exists on there, and we've got a few sites that have come up here, and you've got the ones when you get a blue circle and a white background. These are actual search engines that people can use to pull information up, and sometimes we can find hidden data on different websites.  

Other open-source sites, '' is just a domain. It has lots of other sites it has on their site. Doesn't always do open-source intelligence. This one I'm looking at, one here, which is specifically in OSINT one, has lots of different search engines. Some of them are international search engines. Some of them can search social media, some of them can search the dark web, some of them can obviously do map searching, some of them can access databases of information. So, some of these ones I'm bringing up now, bringing up financial data from different countries, and all this is potential threat information which in the hands of the wrong person or wrong people can be used to launch an attack. But also, from a flip side, from a defensive perspective, this-, if this information is available to hackers, it can also be available to defenders, who can then learn from these type of things and help to defend against this type of attack. But open-source intelligence, threat intelligence, all this is valid information that could help us defend against these type of attacks. Hopefully this has been useful. We will cover threat intelligence in a separate module.


