Open-Source Intelligence, or OSINT, is the collection and analysis of information gathered from publicly available sources. This extends to much more than a Google search. There is far more information on the internet than can be found using search engines. It is estimated that only 4% of the internet is searchable using search engines. That leaves 96% of the information on the internet that cannot be accessed using Google, Bing, and other search engines. OSINT tools are effective at finding information which cannot be found by search engines.
OSINT is effective for gathering intelligence on a person, group, subject, or event. It is used by intelligence agencies, cybersecurity professionals and cyber criminals. As security practitioners, we use OSINT to better defend against attacks; cyber criminals, however, use OSINT to gather information to better target their attacks on governments, businesses or individuals.
Any publicly available information that can be obtained online is considered OSINT. It can potentially be a vast amount of information and, at first, gathering and analyzing this information may be overwhelming to some. There is no single framework, methodology, or playbook which outlines how to conduct OSINT. Each cyber security professional has their own method of conducting reconnaissance. Plenty of tools assist in conducting OSINT. This article will be one of a few in a series which covers some popular OSINT tools. This article provides a brief overview of Mitaka.
Mitaka is a browser extension that searches known Indicators of Compromise (IOCs) such as domain names, IP addresses, and file hashes. It is a cross-platform tool, meaning the extension is added to Chrome or Firefox and can run on Windows, Linux, or Mac. Visit the Chrome Web Store or Firefox Add-ons to add the extension. From there, you can use the contextual menu in the browser to easily start conducting your investigations. Highlight the IP address, file hash, or email address, then right-click and a menu pops up to investigate using Mitaka. Let’s go through a few examples.
Investigate an IP address
Highlight the IP address you wish to investigate, right-click, and Mitaka will be displayed in the contextual menu. Select Mitaka and a number of options are displayed for you to choose where to conduct your search.
In this example, we selected AbuseIPDB and were redirected to their site. You can see the IP was reported to AbuseIPDB over 3000 times. They provide an abuse confidence level on the IP address. In this example, the confidence is high.
Scrolling further down on AbuseIPDB shows the IP address's activity. An orange bolded message informs the reader they have received reports that the IP address was conducting nefarious activity within 5 minutes of writing this article (Feb 2022), which means the adversary is highly active.
Investigate an Email address
Highlight the email address to investigate. Right-click on the email address and Mitaka will be displayed in the contextual menu. Select Mitaka and a number of options are displayed for you to select where to conduct your search. We will use EmailRep for this demonstration.
EmailRep reports the email to be risky and provides an explanation as to how it came to that conclusion. There is a limitation on how many daily searches can be conducted on EmailRep; however, they do provide a free API key allowing for 10 lookups a day.
Investigate a File Hash
Highlight a file hash (SHA-256 or MD5), right-click on the file hash and Mitaka will be displayed in the contextual menu. Select Mitaka and a number of options related to analyzing malicious files are displayed. We will select any.run to analyze the hash.
Any.run conducts an analysis on the hash if a submission was not previously uploaded. In this example, the site reports the hash is of a ransomware file, specifically the WannaCry ransomware variant.
Click on Malicious Activity above and any.run provides more detailed information about the ransomware including process tree, HTTP connections, DNS requests and associated file names to name a few.
This article went through a small number of examples Mitaka provides to conduct investigations. Take the time to explore the various sources to retrieve information.
Mitaka is a valuable tool for conducting investigations or research. There is a myriad of search options for analysis. Take the time to test each option under different use cases. Some search options provide more detailed information than others, and they are used in different contexts. For example, searching the IP address using urlscan.io retrieves domain and WHOIS information. AbuseIPDB retrieves the reputation of the IP address and whether it is a suspected or known malicious IP address. Talos retrieves information on the IP address such as reputation and whether the address is on any blocklists. They do not all provide the same information to the investigator.
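The workflow described above, highlighting a selection and picking a source that fits the IOC type, can also be scripted for cases where an analyst has a list of indicators rather than a single highlighted string. The following Python script is an added example and is not Mitaka's code: it refangs common defanging conventions found in threat reports (`[.]`, `hxxp`), classifies the indicator as an IP, hash, email, URL or domain, and builds lookup links for the sources mentioned in this article. The sample indicators are constructed placeholders (documentation IP ranges, hashes of the empty string), and the URL templates are my assumptions about each service's public search URL, so verify them against the service before relying on them.

```python
import ipaddress
import re
from urllib.parse import quote

# Constructed sample selections, as an analyst might copy them from a report.
# None of these are real indicators; the IP is from the RFC 5737 documentation
# range and the hashes are the MD5 and SHA-256 of an empty input.
SAMPLE_SELECTIONS = [
    "198.51.100[.]23",
    "user@example[.]com",
    "d41d8cd98f00b204e9800998ecf8427e",
    "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
    "hxxp://malicious[.]example/path",
    "not an indicator",
]

# Assumed public search URL templates per IOC type (not taken from Mitaka).
SOURCES = {
    "ip": {
        "AbuseIPDB": "https://www.abuseipdb.com/check/{q}",
        "Talos": "https://talosintelligence.com/reputation_center/lookup?search={q}",
        "urlscan.io": "https://urlscan.io/search/#{q}",
    },
    "email": {"EmailRep": "https://emailrep.io/{q}"},
    "hash": {
        "any.run": "https://app.any.run/submissions/#filehash:{q}",
        "VirusTotal": "https://www.virustotal.com/gui/search/{q}",
    },
    "url": {"urlscan.io": "https://urlscan.io/search/#{q}"},
    "domain": {
        "urlscan.io": "https://urlscan.io/search/#{q}",
        "VirusTotal": "https://www.virustotal.com/gui/search/{q}",
    },
}

HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}


def refang(text):
    """Undo the defanging conventions reports use so the IOC can be classified."""
    t = text.strip()
    t = re.sub(r"\[\.\]|\(\.\)|\{\.\}", ".", t)   # 1.2.3[.]4 -> 1.2.3.4
    t = re.sub(r"^hxxp", "http", t, flags=re.IGNORECASE)  # hxxp:// -> http://
    t = t.replace("[@]", "@").replace("[at]", "@")
    return t


def classify(ioc):
    """Return 'ip', 'hash', 'email', 'url', 'domain', or None if unrecognised."""
    try:
        ipaddress.ip_address(ioc)   # accepts IPv4 and IPv6
        return "ip"
    except ValueError:
        pass
    if len(ioc) in HASH_LENGTHS and re.fullmatch(r"[0-9a-fA-F]+", ioc):
        return "hash"
    if re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", ioc):
        return "email"
    if re.match(r"https?://", ioc, re.IGNORECASE):
        return "url"
    if re.fullmatch(r"(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}", ioc, re.IGNORECASE):
        return "domain"
    return None


def pivot_links(selection):
    """Mimic the contextual-menu step: classify the selection and build source links."""
    ioc = refang(selection)
    kind = classify(ioc)
    if kind is None:
        return {"ioc": ioc, "type": None, "links": {}}
    # Percent-encode the indicator so it is safe inside a query or fragment.
    links = {name: tpl.format(q=quote(ioc, safe="")) for name, tpl in SOURCES[kind].items()}
    return {"ioc": ioc, "type": kind, "links": links}


if __name__ == "__main__":
    for sel in SAMPLE_SELECTIONS:
        result = pivot_links(sel)
        print(f"{sel!r} -> {result['type']}")
        for name, link in result["links"].items():
            print(f"    {name}: {link}")
```

The classification order matters: the IP check runs first because `ipaddress` is stricter than any regex, hashes are tested by length plus hex-only content before the email and domain patterns, and anything unrecognised returns `None` rather than being sent to an arbitrary source.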
Mitaka is a powerful tool. Add it to your OSINT toolbox. Do you have experience using Mitaka? Let us know your thoughts in the comment section.