An employee at an organization had installed a Chrome browser plug-in that acted as a virtual private network (VPN) in order to circumvent the network security controls the organization had put in place. The employee was doing OSINT work and using the plug-in to reach sites, such as social media platforms, that the employer had blocked. The organization's IT security group detected the activity through its monitoring systems, and we assisted with the investigation.
In collaboration with the internal information security team, we reviewed the firewall connection logs and examined the code of the browser plug-in in question, and validated that the plug-in was connecting to Internet Protocol (IP) addresses in countries of concern. In addition to forensically examining the devices involved, reviewing the network logs and examining the application itself, we conducted extensive interviews with the employee and his team.
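The two technical checks described above, triaging what a browser extension is allowed to do and correlating firewall connection logs with the destination countries, can be scripted. The following is an added example and is not the investigators' own tooling or code from the page. It assumes a hypothetical extension manifest (constructed here, not a real extension), a constructed firewall log format, a constructed IP-to-country lookup in place of a real GeoIP database, and placeholder country codes from the ISO 3166 user-assigned range (XA, XB, XC) in place of any real country:

```python
import json
import re
from collections import defaultdict

# Constructed manifest.json for a hypothetical "free VPN" extension.
# The permission names are real Chrome extension permissions; the extension is not.
MANIFEST = json.loads("""
{
  "manifest_version": 3,
  "name": "Example Free VPN",
  "version": "1.0",
  "permissions": ["proxy", "storage", "webRequest"],
  "host_permissions": ["<all_urls>"],
  "background": {"service_worker": "bg.js"}
}
""")

# Permissions that let an extension redirect or inspect all browsing traffic.
TRAFFIC_CONTROL_PERMISSIONS = {"proxy", "webRequest", "webRequestBlocking",
                               "declarativeNetRequest"}

# Constructed firewall connection log lines (key=value format assumed for this example).
FIREWALL_LOG = [
    "2024-03-04T09:12:01Z src=10.1.4.22 dst=203.0.113.5 dport=443 proto=tcp action=allow",
    "2024-03-04T09:12:03Z src=10.1.4.22 dst=203.0.113.5 dport=443 proto=tcp action=allow",
    "2024-03-04T09:12:09Z src=10.1.4.22 dst=198.51.100.77 dport=8443 proto=tcp action=allow",
    "2024-03-04T09:13:40Z src=10.1.4.31 dst=192.0.2.10 dport=443 proto=tcp action=allow",
    "malformed line with no fields",
]

# Constructed stand-in for a GeoIP lookup (documentation IP ranges, user-assigned
# ISO 3166 codes XA/XB/XC). In a real investigation this would be a GeoIP database.
GEO = {"203.0.113.5": "XA", "198.51.100.77": "XB", "192.0.2.10": "XC"}

# Assumed list of countries of concern for this example.
COUNTRIES_OF_CONCERN = {"XA", "XB"}

LOG_LINE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")


def triage_manifest(manifest):
    """Return human-readable findings about an extension's ability to control traffic."""
    perms = set(manifest.get("permissions", []))
    hosts = set(manifest.get("host_permissions", []))
    # Manifest V2 places host match patterns inside "permissions"; fold them in.
    hosts |= {p for p in perms if "://" in p or p == "<all_urls>"}
    findings = []
    risky = sorted(perms & TRAFFIC_CONTROL_PERMISSIONS)
    if risky:
        findings.append("traffic-control permissions: " + ", ".join(risky))
    if "<all_urls>" in hosts or any(h.startswith("*://*/") for h in hosts):
        findings.append("host access to all URLs")
    return findings


def flag_connections(log_lines, geo, countries_of_concern):
    """Map each internal source host to the flagged destination countries it reached,
    with a connection count per country. Lines that do not parse are skipped."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in log_lines:
        m = LOG_LINE.search(line)
        if not m:
            continue
        country = geo.get(m["dst"], "??")  # "??" = not in the lookup table
        if country in countries_of_concern:
            hits[m["src"]][country] += 1
    return {src: dict(counts) for src, counts in hits.items()}


if __name__ == "__main__":
    for finding in triage_manifest(MANIFEST):
        print("manifest:", finding)
    for src, counts in flag_connections(FIREWALL_LOG, GEO, COUNTRIES_OF_CONCERN).items():
        print(f"{src} -> {counts}")
```

The manifest check is a triage step, not proof of malice: a legitimate proxy extension needs the same `proxy` permission. What made the case above a finding was the combination of an extension that can redirect all traffic with firewall evidence that the redirected traffic terminated in countries of concern, which is why the script returns both results separately for the investigator to correlate.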
The problem was also cultural. The management that the employee reported to was placing this individual under a significant amount of pressure to access information on websites that the organization had blocked. The requests were legitimate but contravened the organization's security policies. This "functional group" had made requests to the IT security group for access in the past but had been ignored. Partly out of impatience, instead of continually justifying access to these external resources and waiting for IT to install the appropriate equipment and safeguards, the employee chose a work-around with the tacit approval of their management. Unfortunately, the work-around posed a significant security risk.
Being effective in OSINT work is important, but so is OPSEC. All parts of the organization must support the OSINT function for it to be effective and for its risk to be managed well. Free browser plug-ins and free proxy websites should be approached with caution: they route the user's browsing through infrastructure the organization neither controls nor can inspect, and the operator of that infrastructure can see, and alter, everything that passes through it.