3

Let's say that a fictional company, AwSemCo, discovers that a published vulnerability "CVE0day" affects their systems and they immediately start investigating it. They go to the web looking for a solution, what to look for forensically if they've already been hit, etc. As employees at AwSemCo are searching all about CVE0day, their search activity would leave signals in the searches that AwSemCo might be vulnerable to the issue.

Is it possible for someone outside of the search giants to determine what the people at AwSemCo are searching for on Google? If so, is this a viable source for reconnaissance and/or information-gathering?

schroeder

Jim M
  • Wouldn't the publisher get steps to reproduce it? Why would they google anything? – yeah_well Aug 06 '19 at 19:10
  • @VipulNair "breaking news: wannacry outbreak!" - the company would want to get details and learn more than what was in the first article they read. – schroeder Aug 06 '19 at 19:12
  • If they are using an external DNS resolver, the entity in control of it can see requests made. The hostname by itself will not reveal Google searches, but then if you follow a link going to a website named and created for a given attack/virus/vulnerability then one can infer you are interested in it. And for malware using the DNS as Command Channel, if they use the same resolver, the provider of that DNS service can even detect malware remotely! Note that some browsers (ex: Firefox) now enable by default DNS over CloudFlare (that is in reality DNS over HTTPS but to Cloudflare resolver). – Patrick Mevzek Aug 06 '19 at 19:32

3 Answers

6

Viable? Probably not....

Years ago, I read an article proposing placing ads for a topic and targeting them to a geographic location. Then the mere fact that you got billed suggests that someone at the target location was googling your topic. I'm not sure it's very viable, as the author seemed mostly concerned about buying ads for their own name and limiting the scope to northern Virginia to see if certain 3-letter agencies were investigating them.... In your case, if AwSemCo was sufficiently isolated both geographically and in its interest in CVE0day (i.e. no one else in their city would care about CVE0day), it might work.

A lot better would be to own a site that places high in the Google rankings for CVE0day results, so the users at AwSemCo click through to your site. Then you can just look for their public IP address block in your logs. Additionally, Google's own Webmaster Tools lets you see how often your site appears in search results, even when users don't click through. Again you'd need AwSemCo to be sufficiently geographically isolated but perhaps you could use the geographic filtering to see results. Results in Webmaster Tools are delayed by a couple days, so you wouldn't get same-day results.
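To make the log-side of this concrete from the defender's point of view (what your organisation leaks the moment an employee clicks through from a search result), here is an added example, not code from the answer above: it parses Apache combined-format access-log lines, keeps only requests to a chosen path that arrived via a search-engine referrer, and groups them by the monitored network the source IP falls in. The log lines and the 198.51.100.0/24 block standing in for AwSemCo are constructed for the example; note that Google's referrer carries only its origin, never the search terms.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in Apache "combined" format (not from the page).
SAMPLE_LOG = """\
198.51.100.17 - - [06/Aug/2019:19:10:01 +0000] "GET /cve0day-analysis HTTP/1.1" 200 5120 "https://www.google.com/" "Mozilla/5.0"
198.51.100.42 - - [06/Aug/2019:19:12:44 +0000] "GET /cve0day-analysis HTTP/1.1" 200 5120 "https://www.google.com/" "Mozilla/5.0"
203.0.113.9 - - [06/Aug/2019:19:13:02 +0000] "GET /cve0day-analysis HTTP/1.1" 200 5120 "https://duckduckgo.com/" "Mozilla/5.0"
198.51.100.17 - - [06/Aug/2019:19:15:30 +0000] "GET /about HTTP/1.1" 200 900 "-" "Mozilla/5.0"
192.0.2.77 - - [06/Aug/2019:19:20:00 +0000] "GET /cve0day-analysis HTTP/1.1" 200 5120 "https://www.google.com/" "Mozilla/5.0"
"""

# Combined log format: ip ident user [time] "method path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Referrer substrings that mark a search-engine click-through. The referrer
# only reveals the engine's origin, not what was typed into the search box.
SEARCH_REFERERS = ("google.", "bing.com", "duckduckgo.com")


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def search_clickthroughs(log_text, path_prefix, networks):
    """Count search-engine click-throughs to path_prefix, grouped by which of
    the monitored networks (CIDR strings) the source IP falls in, or 'other'."""
    nets = [ipaddress.ip_network(n) for n in networks]
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or not rec["path"].startswith(path_prefix):
            continue
        if not any(s in rec["referer"] for s in SEARCH_REFERERS):
            continue
        ip = ipaddress.ip_address(rec["ip"])
        label = next((str(n) for n in nets if ip in n), "other")
        counts[label] += 1
    return dict(counts)


if __name__ == "__main__":
    # Hypothetical: 198.51.100.0/24 stands in for AwSemCo's public block.
    print(search_clickthroughs(SAMPLE_LOG, "/cve0day", ["198.51.100.0/24"]))
```

Two hits from the monitored block against a page that exists only to discuss CVE0day is exactly the signal the answer describes; the same parser run against your own outbound proxy logs shows which third-party sites your staff are handing that signal to.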

0

Someone inside the company could: there are user behaviour analytics tools that will help with this.

Given that search terms and the identity of who is searching for what is of massive importance to Google and therefore has a cash value, I expect their security and privacy engineers have burned many a brain cell to stop third parties getting that data.

  • If the person wanting to gather this info is already inside the network, there are a whole host of options that could be employed, depending on the access they have. – schroeder Aug 07 '19 at 19:52
0

Waterhole intelligence is probably as good as you will get without an agent on the inside.

Is it possible for someone outside of the search giants to determine what the people at AwSemCo are searching for on Google?

Selling ads or ranking based on knowing what people are searching for is pretty much the primary business activity of a search engine. Search engines definitely have an idea of what people inside any given company (or IP block, at least) are searching for, but it isn't likely they would be interested in telling you about it.

If so, is this a viable source for reconnaissance and/or information-gathering?

If you were somehow able to see what people inside a company were searching for, you would have a goldmine of intel. From the CVE0day, to the junior admin desperately trying to get Exchange running again after a Windows update, to the likely menu for next week's potluck.

not_very_nice