Open Source Intelligence, Security Hacking, and Security Blogger Dancho Danchev

Open Source Intelligence (OSINT) is a tactic used to learn about information relevant to protecting an organization from external and internal threats using publically accessible data. Identifying information that could be used against an organization provides actionable insight that could reduce the risk that an organization may face. It’s an early warning system used to forecast and signal a potential threat.

LinuxSecurity editors thought it would be interesting to discuss the topic of open source intelligence, threat intelligence, and how to get started with OSINT with our audience, as well as to speak with Dancho Danchev, an acclaimed ex-hacker and security intelligence researcher from Bulgaria. Dancho is a leader in the field of current and emerging cybercrime research and threat intelligence and a prolific blogger on the subject.

Dancho Danchev, Bulgarian Hacker, Security Researcher

We thought it would be interesting to ask Dancho a few questions about his background, open source intelligence, current trends in the cybersecurity community, the Dark Web, government security, zero-day threats, and his efforts that resulted in the take-down Koobface, the world’s largest botnet at the time.

Formerly a ZDNet Zero Day blogger for more than four years, Dancho also worked as a security blogger for Webroot. In 2011, he was selected by SCMagazine for their Social Media award as a finalist for his twitter account at the time. Dancho also presented at UKs GCHQ including Canadian Intelligence Service’s HQ, and a Keynote presentation on “Exposing Koobface - The World’s Largest Botnet”.

In 2016, Dancho presented at CyberCamp RSA Europe and InfoSec Europe on current cybercrime trends and cyber jihad. Prior to this, he also was one of the primary developers of the underground network known as Astalavisita.

Dancho is often cited and frequently referenced cybercrime researcher, security blogger and threat intelligence analyst with over a decade in fighting cybercrime and actively responding to current and emerging cybercrime threats.

Dancho also worked as a Technical Collector for the infamous LockDown2000 anti-trojan software solution, including working as a Trojan Database Manager for the market-leading Trojan Defense Suite anti-trojan vendor. His research blog, Mind Streams of Information Security Knowledge, reportedly has over 5.6M active pageviews and visitors since it was started in 2005.

Dancho got started with computer security in the 90s, researching trojans and hacking tools and writing about them for a software company that developed anti-trojan solutions.

Threat Intelligence and Why It’s Important

Threat intelligence is the study and research of who may be attacking you, what their motivation and capabilities are, and what indicators of compromise in your systems to look for to help make informed decisions about your security. The skilled threat intelligence researcher should be able to strip out the extraneous information and false alarms and only focus on the actionable intelligence that directly affects her interests.

Dancho told us that “threat Intelligence has been an inseparable part of my career and it’s something that I do and practice on a daily basis. My earliest experience with Threat Intelligence is as a Technical Collector of trojan horses/viruses/worms and VBS scripts for LockDownCorp throughout the 90’s which in combination with my experience in OSINT let me to produce some of the industry’s most recognized research articles. I’m also researching Eastern European cybercriminals as well as international and global spam phishing and malware campaigns and information on the actors behind them.”

Threat intelligence and OSINT is the research and analysis of only public data. LinuxSecurity was curious if Dancho had ever been a blackhat hacker. “In my entire teenage ex-hacker enthusiast experience I've only compromised one Website which was my town's official Website,” writes Dancho. He managed to obtain the accounting data for the site by socially engineering tripod.com at the time into going through the System Administrator's ICQ profile to gain access to the site for the purpose of changing the homepage to spread a message and actually say "hi" and greet local friends.

What is Open Source Intelligence (OSINT)?

Open-source Intelligence, or OSINT, is data collected from publicly available sources to be used in an intelligence context. While it doesn’t necessarily refer to open-source software, OSINT instead refers more to information that is open and available to everyone, such as that which is available publically on the Internet.

An OSINT researcher is a skilled technician, capable of analyzing large amounts of data quickly, using sophisticated tools and knowledge of how the underground networks on the Internet work in order to understand the cyber criminals and how they operate.

OSINT can also be used to track a potential attacker prior to that attack occurring, as well as to analyze raw data to determine who may be impacted by an attack.

In the US Government, the CIA is responsible for collecting, producing, and promoting open source intelligence through its management of the DNI Open Source Center (OSC).

In the intelligence community, the term "open" refers to freely available information, usually in its raw form, such as in a database. OSINT data is useful for gaining intelligence as part of an investigation - using OSINT doesn’t necessarily mean that data is also easily accessible.

It doesn’t necessarily refer to information that can be found using regular search engines - a huge portion of the Internet cannot be found using major search engines. Instead, the “deep web” refers to a mass of pages or paywalls that cannot be indexed by Google, but is publically available nevertheless.

For example, tools like Shodan and Censys can be used to find IP addresses, networks, open ports, webcams, printers, and pretty much anything else that’s connected to the internet. These individual pieces of information can be combined with other publically-accessible bits of information to develop a profile about a particular topic of interest by the skilled analyst.

There’s also a dark side to OSINT - anything which can be found by security researchers can also be found by threat actors. In fact, late last year Dancho identified hundreds of gigabytes of raw OSINT information in underground cybercrime forum communities from more than a million websites and scoured them for fraudulent activity in an effort to shut down the community.

Getting Started with OSINT

LinuxSecurity asked Danchev how he got started with OSINT. Writes Danchev, “In 2008 I earned the privilege of getting invited to an invite-only conference event at the GCHQ which I attended with the Honeynet Project. Since that time, I’ve made numerous valuable contributions to the U.S Intelligence Community as an independent contractor and through the research which I've been publishing at my personal blog in terms of high-quality and never-published before OSINT analysis as an independent contractor.”

Dancho tells us of a time when he was going through FOIA requests and in particular publicly released and classified information, visiting and browsing the CIA's official Website, and came across the following quote courtesy of President Nixon at the time - “What use are they? They’ve got over 40,000 people over there reading newspapers.” He says this got him interested in OSINT and helped him shape the future of his career as an Intelligence Analyst and OSINT analyst working under NDA as an independent contractor.

For this project, Dancho attempted to collect as much personal information as possible, including IoCs (Indicators of Compromise) websites including personal account information and email addresses.

His research resulted in publishing a list of thousands of email addresses and ICQ numbers of cybercriminals responsible for stealing credit card and CVV numbers, among other personally identifiable information (PII).

Danchev said he learned early on in my career that the best way to learn in the security intelligence world is to join a local hacking and security community. The security community rewards hard work and diligence. Prove that you can speak authoritatively on a security topic, manage a project, and build a community around it, and you will be recognized for your efforts.

Anonymous Communication Using Tor

One of the most useful tools in the arsenal of the security intelligence hacker is Tor, the free and open-source software for enabling anonymous communication. The name is derived from the acronym for the original software project name, "The Onion Router". Tor was initially a worldwide network of servers built for the US Navy that enabled people to browse the Internet anonymously.

Tor disguises your identity by transferring your traffic between different Tor servers, encrypting that traffic so it isn’t tracked back to you.

Accessing the Tor network requires using the Tor browser. It’s typically used in environments where you’re concerned about being tracked, such as if you live under a dictatorship or a hacker looking to stay hidden from the government.

“I believe it was around 2006 when I was busy researching several U.S Government programs including SPAWAR. I then decided to use it including several other covert communication tools for the purpose of preventing my local ISP from intercepting what I was doing online,” writes Dancho.

He continues, “At the time in particular the 90’s many Eastern European countries part of the Soviet Union at the time were under technology embargo which was known as COCOM with personal computers at the time being something in the lines of a luxury and only organizations and companies could really afford them.”

Dancho also talks about the Space and Naval Warfare Systems Command, known as SPAWAR, and the research they produced for foreign intelligence and other US Government programs as a valuable resource.

Zero-day Threats and Security Blogging

Dancho used to be a security blogger at ZDNet’s Zero-Day blog for four years, covering topics including the latest cyber threats, cybercrime, malware and botnets, as well as operating system vulnerabilities and exploits.

Danchev writes, “During this period I covered hundreds of high-profile security events, including vulnerabilities affecting Adobe, Apple, Google, and Facebook, as well as botnets and malware affecting hundreds of millions of users. I also was awarded the prestigiousJesse H. Neal award for best blog quite some time ago.

In one post, Dancho discussed how the process of developing and managing such a botnet is entirely automated, efficient, and most importantly - available as a service through a malicious underground Cybercrime-as-a-Service provider.

I’m sure we’ll learn more about how that works in a future report.

Astalavisita, Baby

Throughout 2003-2006 Dancho was the site operator for astalavista.box.sk - the underground hacking website while acting as a Managing Director where he was responsible for managing the portal’s content and the production of a security newsletter where he interviewed people from the security industry.

Back in the early 2000s, the Astalavista portal was one of the world’s most widely known and visited Websites used to search for hacking and security resources with thousands of users visiting it on a daily basis. Although it originally was created as a resource for security researchers, it also became a popular search engine for security exploits, software for hacking, cracking and different keygenerators and software cracks.

In present day - he currently runs a high-profile project on the original Astalavista.box.sk domain, still one of the world’s most highly-visited websites for hackers and security experts including a popular security forum.

Koobface Botnet and Compromising Social Networking Sites

The Koobface botnet (an anagram for Facebook) propagated exclusively across Facebook and managed to infect hundreds of thousands of users globally using social engineering campaigns to trick them into revealing personal details about themselves and their friends.

“Over a period of two and a half years I actively monitored the botnet’s activities and published the details on my personal blog. Eventually I learned of a single mistake made by one of the botnet masters behind the campaign, which eventually led me to actually find personally identifiable information on him, ultimately leading to the shutdown of the entire Koobface botnet at the time,” writes Dancho on his botnet takedown assist with the US government.

Dancho worked full days to provide actionable intelligence on the way the Koobface botnet worked including actual information on some of the current and latest campaigns launched by the Koobface operators at that time. He then made this information available to the broader security industry, including law enforcement, so they would be able to actually track down and prosecute some of the botnet masters behind it.

Bill Brenner from CSO Online reported in his article, “Dancho Danchev unmasks man behind the Koobface Botnet” at the time that Koobface “prompted friends to download an update to their Flash player in order to view a video. The update is a copy of the virus.” Pretty amazing stuff.

Launching an actual take-down effort against the botnet’s infrastructure, including the primary Command and Control (C&C) servers led to a personal message being distributed to all the infected hosts internationally which greeted me personally and included a reference to my personal blog followed by another message during the Christmas season including an actual point-by-point answers to my “Top 10 Things You Didn’t Know About the Koobface Botnet” which I published at ZDNet’s Zero Day blog at the time embedded on every malware-infected host part of the botnet.

It was an incredible success, and extremely rewarding for the intelligence community.

The Evolution of Intelligence Gathering

The US military first coined the term OSINT in the late 1980s as a way of providing timely, objective intelligence, free of bias, based upon all sources available to the US Intelligence Community, public and non-public.

When 9/11 occurred, government agencies were formed to ensure OSINT was a major source in merging and consolidating relevant intelligence into actionable products.

The government learned to collaborate with academia - universities are the perfect place for capturing the expertise needed to do the analysis.

OSINT analysts are now processing immense amounts of public data, such as that on social networks, to discover emerging trends and identify valuable information.

The tools being used for OSINT have also evolved greatly. On the evolution of the tools used, Danchev writes that the “majority of tools that I'm aware of rely on APIs including the active use of public sources. Users who use these tools should definitely take basic precautions to protect their own privacy, such as through the use of VPNs and secure tunnels.”

“I'd rather say people should look for what information they publicly provide including social media as people including spies and bad guys often tend to do their homework before and prior to launching cyber attacks that also includes espionage campaigns.” Sage advice from an experienced OSINT researcher.

Are you a security blogger or researcher and would like to be profiled here? Share your story with us and we’d be happy to discuss it with you.

Connect with Dancho on social media:

Twitter - https://twitter.com/dancho_danchev

LinkedIn -

Medium - https://medium.com/@danchodanchev