All right, hello everyone. How's everyone doing? Good. It's a 10 a.m. talk on a Friday, so thank you for coming out.

So as I was introduced, my name is Adrian Korn, also known as AK47Intel if you follow me on Twitter or anything. A little bit about myself: I am a Canadian, born and raised in the Toronto area. So sorry for that if I say sorry a lot in my presentation, typical Canadian here. My professional background in my career has been really around the intelligence side, doing things like threat intelligence, OSINT, threat actor tracking, stuff like that. I've worked in financial services and in the tech industry. Right now I work for an enterprise DNS provider called BlueCat Networks. I do threat intel over there right now. As I was introduced, I also work for a not-for-profit called Trace Labs, where I'm a member of the leadership team over there. And something else I do is I organize DEF CON Toronto events over in Toronto. So we meet every month. We do workshops, CTFs, talks and that type of stuff.

So now everyone knows a little bit more about me, I'm gonna go over the agenda for today's talk. So I'm really gonna be touching on five key things here. First off, we're gonna dive a little bit into what is OSINT and where did it actually all start? We'll talk about some common uses of OSINT we're seeing out there, the challenges we're seeing with OSINT today, and new applications of it seen out there, and then what the future holds for that.

So with that being said, what is OSINT and where did it all start?
So there's a lot of terms going around there about what OSINT is. It's a very broad industry. There's some terms that are a bit outdated, some that are current, some opinionated. So I'm gonna go and give you my opinion of what I think OSINT is. In my opinion, OSINT refers to the collection, processing and analysis of publicly available data to extract meaningful intelligence and get intelligence value out of that. That's really what I see OSINT as: if you can extract any intelligence value, then you've actually done OSINT.

And where does this come from? There's many different sources of OSINT out there. We have the surface web, deep web, dark web, social media, news media, academic sources, government records, and it extends to pretty much anything on the internet that's publicly available.

So why don't we take a moment to take a step back and figure out, you know, where did we all start with this? How did OSINT get here today? Before I dive into the timeline of that, I'm curious if anyone in the audience knows what year OSINT actually became a thing. If anyone had to guess a year? No, okay.

So OSINT actually started close to 80 years ago, back during the World War Two era, where the US looked for new ways to gather intelligence. One way to do this was they started up a branch of the FCC called the Foreign Broadcast Monitoring Service, and what they were tasked with doing was monitoring public radio waves that were beamed at the US for any propaganda material that their enemy combatants were trying to spread to their country. That was the very first use of OSINT seen out there. They did start to see intelligence value out of this, and that's why they continued to do work in the OSINT space. And they later expanded this to start looking at stuff like newspaper clippings from countries around the world.
They actually stood up over 40 monitoring stations internationally to start collecting and cataloging all this intelligence from just public data out there. That's kind of where we started.

Moving forward to 2005, this is really where OSINT took the next stage in evolution. You saw the rise of the internet, people began adopting it, you know, the common household had a computer with internet access. Social media started to emerge. We had sites like MySpace, Twitter, Facebook, even YouTube. This all came out around this time area. So the sources of OSINT started to emerge out there in terms of social media and such. Also around this time period we had the CIA open up the Open Source Center, where the government was actually interested in now taking advantage of all these new sources of open source intelligence, collecting it from, you know, digital media and all of that, and starting to catalog that for their purposes.

Moving forward to 2009, this is really where social media usage took off. This is where the OSINT space started to boom. We saw smartphones becoming accessible, where anyone could have a smartphone, download their social media apps, had a camera and a smartphone, and could start sharing more moments of your life than ever before. And a lot of these social media sites would have more of a default public state, where if you post something it's public to the internet, and more non-tech-savvy users may not have been aware of it. So they were kind of inadvertently sharing OSINT without knowing it.

Then fast forward to a few years ago, to today, we saw OSINT being applied to many different use cases.
So businesses, investment firms, political campaigns: if you want to do some oppo research, you can use OSINT for that. If you want to look at your target voter audience, OSINT can help you there. If you're an investor looking to invest in a company, you might want to look at the public presence of that organization, and you can do that with OSINT as well.

Now moving forward to talking about more common uses of OSINT that we're seeing here today. You have your typical security use cases like blue teaming and red teaming using OSINT, you have your threat actor attribution. You also have the business side as well, for stuff like business intelligence. So I'll be diving into all that right now.

So on the blue team side: are blue teamers using OSINT? If any of you have ever worked in a SOC before, you've probably done OSINT without even knowing it. I have a scenario here we'll talk about. So typical SOC analyst, you get an alert in your queue. Let's say in this example we have a malicious Word document that was detected by some endpoint device. Maybe the context we're getting here is date of detection, file name, hash, and maybe that's all we get. So as an analyst I might not know what to do with that. I might say, hey, this could be a false positive, I'm not sure, but how can I validate that? How can I use open source intelligence to further get some contextual information in an investigation like that?

So if I'm using OSINT for this type of stuff, I might take that hash that we saw there, pop it into a tool like VirusTotal, and see what it knows about it. It's a publicly available source. So you can see here in this scenario we have 46 of the AV engines saying that this is a bad file. So that's probably an indication.
We're not at a false positive here. But if I want to go deeper and figure out, you know, what threat might be associated with that actual Word document, I might pop that hash into Google and see what it knows about it. Typically when I do an investigation, I pop stuff into Google and see what other threat intel related websites are telling me about it. So here we can see we have some context that this Word doc might be associated with Emotet, which is a very prevalent banking trojan out there in the industry today.

If I want to go further here and see, you know, maybe where did this Word doc come from, I might go look at some of the URLs that are showing up on the Google results here as well. So we've got here URLhaus, which is like a public open source feed site for malicious URLs. We can take that URL and see what else we know about it here using another OSINT tool, urlscan.io. This is one of my favorite ones I like to use. We can go and search up that domain and see if it knows anything about it without actually sending it there for analysis. So you see here someone analyzed this URL at some point before, and it's confirmed to be malicious. But what's interesting here is you can see the content that was returned from the web server side was an actual Word document. So that would support our claim that this malicious Word document that was detected might have come from this URL here. And then if I'm in a SOC, I might pivot off that to try to find the source of that infection. So just using OSINT I can go from just a hash to figuring out where an infection actually came from. This might be an example of an email you would see here. These are your typical, you know, "your scan is ready" themed phishing emails out there.

Now let's look at how red teamers are using OSINT today.
So a lot of you are probably red teamers in the audience here, I know we're at Recon Village. Typically when you're using OSINT you're in the reconnaissance phase of your engagements, so doing stuff like recon on domains, IPs, any applications you're targeting, looking for stuff like open ports, services, etc. If I want to do some recon on a domain, I might use a public tool like WHOIS to see registration information, see if maybe someone's exposed their personal phone number there or an address that I can use to pivot off of and find other information on my target. If I'm looking for open ports and services, I can use a public tool like Shodan to see what's open without actually probing the application itself.

And when we look at targeting personnel, aside from infrastructure, in a lot of engagements you're always looking for the weakest link in a company, trying to target the employees to see what info they're gonna give you. So if I'm targeting personnel, I'm gonna be looking at stuff like their social media, email addresses that might be public, frequent locations they might be at, and see if I can actually scour their social media and find things like them posting pictures of their ID badge. This is common: people start a new job and they say like, hey, here's my ID badge, check it out, I started a job at Facebook today. You might also find stuff like passwords on sticky notes up on the wall. That could be a publicly available source. So there's just ways you can use OSINT to gather enough information to know where you're gonna start with your engagement in the recon phase.

And then another technique you can kind of use OSINT for, it's not directly doing OSINT against someone.
It's kind of using their OSINT against you. I like to call it counter OSINT, where you're setting up Google Ads or Google Analytics on some of your infrastructure to see if people are searching for it. So if I spin up a custom domain for a campaign and, you know, I send a payload to someone and it calls out to a domain, if I see someone matching an ad based on a keyword for that domain, there's a good chance that my target is aware that I'm looking at them or, you know, targeting them, and that can kind of shift tactics from there. Another use of this is using VirusTotal to see if someone's uploading your payload there, to see if they're looking to see what other AV engines are thinking about it. This is another way to be tipped off. So a lot of red teamers, threat actors too, they're monitoring VirusTotal all the time to see if anyone's looking at their stuff there.

Now another use for OSINT is attribution. This can be targeting someone, trying to find out their identity. It could be threat actor attribution. Someone who's famous for this is Brian Krebs. He loves to dox people. A few years back his site was actually DDoSed by the Mirai botnet, and this kind of set him out on a mission to uncover, like, hey, who is behind this botnet? Why are they targeting me? Can I dox them? So what did he actually use to help uncover the identity? Well, he did use some closed source intelligence, you know, talking to his contacts and stuff like he typically does. But he also used OSINT as well. So things like looking at archived Twitter posts related to the person he thought was the person behind Mirai, looking at stuff like LinkedIn profiles to find out employment information, Pastebin, Wayback Machine.
These are all OSINT tools that people like Brian Krebs are using to do doxing or to do attribution.

Now another use of OSINT is business intelligence, and we're starting to see this emerge more and more. Before, OSINT was kind of seen as something used for cyber security, something for engagements, maybe government, but now you're seeing businesses start to adopt this as well. So if you're looking to investigate new markets, they might use OSINT to see what companies in that space are actually doing. They also might use OSINT to identify things like business risk. Something common is corporations are now spinning up internal investigation teams where they're looking into their employees, or looking into any associations with their company that could have risk to their reputation and such.

So actually recently, I was at BSides LV this week and I was talking to some guys who do pen tests internally, and they were actually given a challenge to take their boss's business card, take only the information on there, and pivot off of that using OSINT to try to find out, you know, what risk there is to the company with this individual. And what they were able to find was his personal address, his salary information. They were able to find information about his family, which they were able to use to unlock security questions to his accounts. And this is all with just an email address, name and phone number. So you're starting to see businesses look at this stuff more and more.

Now OSINT is a very broad space. We're seeing it applied to many different uses. We're seeing it expand into the other areas of intelligence as well. So typically in the past, if you were doing stuff like HUMINT or GEOINT, you had to have special access to tools or physically be there surveilling someone, but now using OSINT you're able to do things like GEOINT using Google Maps, Google Street View, Google Earth, Google satellite, all that stuff.
It's publicly available, and now you can start using OSINT to apply to these other intelligence disciplines as well. If you're doing HUMINT, you can surveil someone's social media to see places they frequent and kind of build a profile of, you know, where they're gonna be at. So really, because of the passive nature of OSINT, it's becoming a more attractive intelligence technique to people in the intelligence community, because if you're doing this right, no one should know that you're ever looking. It's passive in nature. You're not querying systems to get new information. It's already information that's out there.

Now I did say the OSINT industry is very broad, and with this there come some challenges. The first one I see a lot is there's really no clear definition of what good OSINT is. Everyone has their own definition, but there's a lot going on out there. Another challenge we're seeing is there's new sources of OSINT popping up very fast. You're also seeing a lot of them being taken down as well. I'll talk about that a little bit more. And then another problem I see is there's a majority of tools falling into two different categories. I like to call it single use tools for very specific purposes, or use case specific tools that are more your enterprise platforms that serve a very specific use case.

So why don't we dive into what is good OSINT? If I'm doing OSINT, is me gathering, you know, someone's whole friend list on Facebook good OSINT? If I map out 500 people on a map here, is that good OSINT? Well, if you can get intelligence out of that, maybe it is, but just plotting public data on a link graph, maybe not.

So why don't we play a game of OSINT trivia? Let's see. I'm gonna put some definitions up of what good OSINT has been defined as in industry, and I'm curious to see what you guys think would be the most correct answer.
So if we look at the first one: good OSINT is pivoting from one public data point to another in an efficient manner to produce intelligence. That's number one. Number two: good OSINT would be collecting, processing and analyzing large amounts of data to produce intelligence. Or three: deriving meaningful and actionable intelligence from open source data.

So let's do a vote. Who thinks it's number one? Okay. Who thinks it's number two? Okay, you guys are too good. Who thinks it's number three? Gave it away.

So, trick question, they're all correct to some extent. But the most correct answer, and I'm gonna be that guy, if you've ever done like a CISSP exam or anything, the most correct answer here is getting meaningful and actionable intelligence. Really, it shouldn't matter how much data you're processing or analyzing. It only matters about the finished intelligence product: can I produce actual intelligence that can inform my stakeholders? Typically you'll see when someone does intelligence, they have key intelligence requirements. So unless you meet those, you're really not doing good OSINT. And also looking at doing OSINT in an efficient manner: sure, it's nice if you can pivot from one point to another fast, but unless you're really getting meaningful and actionable intelligence, it shouldn't really matter. So that's just my opinion on that point there.

Now the next challenge we're seeing: there's so many new sources of OSINT popping up. It almost seems that, as well, for every five OSINT sources that disappear, ten more pop up. And it's just, we're playing a game of whack-a-mole. It's just like, okay, which one do I look at now? There's so many tools popping up, so many platforms, APIs are changing. So how do we tackle this?
So the main way to do this is to really stay up to date with all the OSINT tools. Listen to your podcasts, look at your blogs, see what tools are being more commonly used to serve the specific purposes that you need them to.

So why don't we take a look at some examples of what OSINT tools have been changing out there in the landscape? One thing that happens is typically a company will tighten up their privacy or security, which closes off a source of OSINT. You'll also see individuals become more aware of their privacy and close off those sources of OSINT as well. We look at things like Facebook profiles: before, they were typically public by default, now everyone is locking them down. So maybe, you know, five years ago you had a lot of OSINT from there, but now you're starting to see people become more aware. So how do we handle that?

If we look at Facebook again, recently after the Cambridge Analytica scandal they had, they started tightening up the privacy of their users. They had this really good Facebook Graph Search tool out there that leveraged a Facebook API to do a lot of mass-scale searching across the public Facebook data. Now this was being used in a legitimate way by investigators out there and such for good purposes, but it was also being abused by some malicious people as well. So you saw Facebook close off their API a lot to this, and in turn you saw a lot of OSINT tools that used this API starting to go down, to say that, hey, we can't support this functionality anymore because the Facebook API got closed off for the Facebook Graph Search. So that's the challenge as well. How do we keep up with that?

In addition, if we look at the tool landscape, there's a lot of different tools out there. One of the websites I like to use is OSINT Framework. It kind of spreads out how we can pivot from one data point to another using public tools.
If you look here, just taking a username, you can pop it into, I don't know, 10 different tools and look to see if there's other profiles out there that use it. You look at email address, there's so many different email tools. But which ones do we use? Which ones are the, you know, most legitimate, good for my use cases? It's hard to tell, especially if there's someone that's new to the OSINT industry and, you know, doesn't know where to start. It can be a little bit overwhelming.

And if we look further at the landscape of OSINT tooling here, I kind of separate OSINT tools into two categories. You have your single use ones on the right, things like Have I Been Pwned, where you're looking for breach information; VirusTotal, you're looking for malware information; WHOIS; domain tools; like TinEye, you know, reverse image search; people have their custom scripts. And they serve very specific use cases, and they can be flexible because you can customize them. But the challenge there is that if you go into one tool and you find one piece of intelligence, you pivot, let's say, from an email address to a domain name. Now you've got to take that domain name, pop it into another tool and pivot from there. And then you're going to keep going down the rabbit hole of opening up a million tools, and your Chrome browser is going to have a hundred tabs. That's the challenge here.

Then on the left here we have our enterprise tools. These are more full-fledged platforms. They have use case specific criteria, things like searching the dark web for stuff. They're refined to meet certain business needs, and these are great for, you know, specific use cases. But what if I'm an organization who has a very weird OSINT use case? How do I handle that? Do I go write my own tools every time, or is there something out there that I can leverage to do what I want?
And that's where I really see the gap here in the OSINT landscape. There's really no platforms out there where you can define your own OSINT workflows, where you can define your own OSINT use cases. What I think we're going to start to see in the future is platforms where you can kind of build your own workflows to say: I have this input, take me to here, take me to there, and then take me to here, and that's gonna be my finished intelligence. I find a lot of tools already have that built in, but for very specific use cases. So I think this is a need that we have in the industry.

Now, why don't we talk about some new applications of OSINT we're seeing out there? So things like blockchain and Bitcoin. They're known as a cryptocurrency, you know, for financial purposes, but how can we apply OSINT to that? There's definitely some use there. Then there's things like the Trace Labs crowdsourced OSINT for missing persons. We looked at missing persons before in the space, and we didn't see OSINT being applied there that much from the greater industry.
So we'll talk about these.

So if you look at OSINT for stuff like Bitcoin: because of the way Bitcoin is designed, you know, the general public might see it as being secure and anonymous. But in reality you have this public ledger on the blockchain of all the transaction information associated to a Bitcoin address. So if I'm looking into someone's Bitcoin wallet address and I know it's associated to them, I can now see all their transactions on the blockchain, like number of transactions, full timeline of those, amount of money sent or received, where it's coming from, where it's going to, and then any other associated Bitcoin addresses, maybe in the same wallet as that one. That can be very valuable for investigation purposes. So before, you were seeing people who wanted to do financial crime analysis had to have special access to banks. Now you can do it publicly using OSINT with things like the blockchain.

Now looking at Trace Labs. So I do work for Trace Labs, a not-for-profit. We do crowdsourced OSINT for missing persons. It was actually just a couple of years ago that this new model was born around crowdsourced OSINT helping to find missing people. Before, we saw a lot of vigilante sites pop up that did this, but not really in a structured way. So, oops, the idea here was to really pair people in the OSINT community together to work in teams and crowdsource the collection of OSINT to help solve the social problem.

So, problem statement here: we have a number of missing persons cases worldwide and not enough resources to tackle them all with the same level of urgency. Sometimes law enforcement can be understaffed in that area. So how can OSINT help here, well, now?
We've built this community where you can bring together skilled investigators with more senior members as well to track a digital footprint of an individual, to help find valuable intelligence on them to provide law enforcement with. So the goal here is to really get intelligence value for law enforcement, provide them new leads on investigations that they can actually follow up on, and help out. We've really seen this starting to be adopted also by the general public. So people who haven't done OSINT before are learning about us and saying, hey, can I try it out? And, you know, with a little bit of OSINT training they can actually go and start looking for stuff on these missing people. So really we're starting to see that 2019 is the year OSINT is going mainstream. More people are becoming aware of it, more people are getting involved there.

So how does our model work exactly? What we really try to do is bring together the investigators, also known as intelligence operators in this diagram here, and pair them with our more volunteer team of intelligence administrators, where people are collecting OSINT and submitting it to us, and we have our administrators vetting it to check for relevance and context and such. And then if it's vetted, we store it in a database, package it up after and share it directly with law enforcement. So that starts in the model here as well. And what we really do is we look at only public cases as well. So if law enforcement has asked for the public's assistance with a missing persons case, we can push that to our platform and people can start working on that right away.

So this is actually an example of one case, just a sanitized case. There's not a real person. But this is what you would see typically in one of our capture the flag events, where we put up a case, we give the known information that's publicly available, we give the source link, and it's up to the contestants to start crowdsourcing OSINT on these people, doing pivots from one piece of information
to another. We have a number of different categories for flags that they can submit this OSINT against. Here's an example of what one submission might look like. We have a category called advanced subject info. Maybe what I'm doing is looking at someone's phone number that I found, pivoting off there to see something like their used car for sale up on Kijiji. That can be a valuable piece of intelligence that can help out in a case. These are just some examples of, you know, what we're seeing.

And this is actually an example of a recent event we ran last month. We ran a global international remote event where we had over 200 people on the platform collecting OSINT. We had about 25 intelligence administrators, and here's a breakup of intelligence regards. So you're seeing different things here like dark web information, day last seen of the individual, employment information, family, friends. There's just so much you can find from OSINT here.

So now, moving forward, where do I see the future of OSINT going from here? I talked about, you know, the challenges we're seeing. I talked about the uses, where it's come from, what are the new applications of it. But what I really see happening in the future is more crowdsourced models taking advantage of OSINT to solve specific social problems, like the missing persons, Trace Labs. Also I expect to see more dedicated OSINT platforms spinning up. There's a number of startups in the space doing this work already, but I think we're gonna see more of this as OSINT becomes a more well-known space. I also think we're gonna continue to see the shifting of OSINT sources. I don't think that's ever gonna change. There's always gonna be sources popping up and going down. We just have to stay up to date with that, and there's gonna continue to be roadblocks there as companies start to tighten up their security.
Users start to become more privacy aware. We're gonna see roadblocks here in collecting OSINT, but that's okay because we're gonna figure out a way to get around it.

So that actually concludes my talk. If anyone has any questions at this time, I'd be happy to answer. And if you want to learn more about what we're doing at Trace Labs that I talked about, we're actually running a full day OSINT CTF tomorrow in the contest area. I'll be there if you want to come up and chat more about that as well. But right now I'll open up the floor to questions.

Good. How are we doing on time? Good. Awesome. Thank you.