Corporate Reconnaissance

As an Open-source Intelligence professional you will undoubtedly be tasked with performing corporate reconnaissance at some point in your career. Corporate reconnaissance consists of investigating critical things such as contracts, financials, history, subsidiaries, organizational structure, governmental regulations, and third-party vendors. There are copious reasons an organization may request this kind of analysis be done on a competing company. However, more often than not the request is for an internal audit to ensure the integrity of clients, partners, and employees. Organizations need to be able to make informed decisions while protecting their brand and reputation. This post will be focused on finding actionable information on organizations within the U.S.


Searching for Personnel:

Google Dorks
Google Dorks or search operators are an easy way to find company information en masse. With a few targeted searches, we can find key people within an organization who may be targeted for an attack. My favorite dork for this purpose is site:linkedin.com “system admin”+”company name.” System Admin can be replaced with any job title that would be a rich source for information leaks within a particular company. For instance, I ran this search using Verizon as the company and as I would expect I got quite a few hits. You can narrow this search down by adding/replacing operators such as intext: resume “firstname lastname.

 


Searching for Emails and Breach Data:

Hunter.io
Hunter.io is my favorite tool for corporate email addresses. It allows us to search for a domain name and then it scrapes the web for the emails associated with that domain as well as the naming conventions that the company uses. 

The best part though is that it allows us to select the job title which immediately keys us into the people we should then search on social media for information leaks.

Another fun feature that Hunter.io has is the ability to select between personal and generic emails. When we switch to general emails we get a list of emails from potentially shared email accounts. If employees are sharing the account there is an increased chance of it being found in a breach and used in an attack. The only downside to Hunter.io is that in order to export your list of emails it requires a subscription.

Spiderfoot
Another option for discovering emails is Spiderfoot. Spiderfoot uses modules to run all sorts of domain recon but more specifically it uses a hunter.io module for emails. You may be wondering why someone would use Spiderfoot for this instead of just going to the hunter.io website. On Hunter, a subscription is required in order to export a csv file but in Spiderfoot we can export a csv of what hunter finds sans subscription. Additionally, if you have a haveibeenpwned API you can run that against all of the emails right in one spot. I ran Verizon again for this scan below (not picking on Verizon for any specific reason other than they have a lot of employees).

 

Haveibeenpwned
Once all of the company emails have been collected and compiled, we can run them through Haveibeenpwned to check if any emails have been found in a breach. This output is useful if you need to show how personnel can lead to data compromise within an organization. Haveibeenpwned has an API so you can run batches of emails through at once and it spits out breach information for each. I took one of the Verizon emails I found in Spiderfoot and searched in HIBP.

 


Searching for Company Structure:

Company Websites
The first stop for determining the organizational structure of a particular company should be the company website. Many sites have an About Us page or a list of the company structure publicly available. If they don’t have an obvious page for the company structure you can try using a Google Dork that searches for an org chart on their website such as intitle: “org chart” site:website.com

Using the About Us page to find personnel and titles can assist us with finding the social media profiles of people with privileged access within the company, think C-suites and System Administrators. Information about the company such as technology uses, private business dealings, and day-to-day activities may be exposed through business resumes, personal social media pages, or personal LinkedIn profiles.


Searching for Financials & Filings:

Corporation Wiki
Corporation Wiki allows us to search for Trademarks, Bank Data, and Company information. For example, I put “potato” in the search bar and it returned 2,077 results for companies registered with the name Potato.

I noticed the second entry mentioned Gordon Ramsay so obviously I was intrigued.

If we click on One Potato, Two Potato, LLC we get a company overview, known addresses, filings and key people related to the business.

My favorite part of this site, however, is the data visualization it offers for showing connections with the company.

Enigma
Enigma uses public data sources from state and federal records as well as SEC filings and frozen assets. Here I have done a search again on Verizon and I have specified a dataset collection on the left “Top 100 Contractors 2010-DOD.”

If we click the “View” button, it shows us the one hit in that dataset that matches Verizon along with specific details and dollar amounts.

Enigma also offers a free visualization app called Tableau Public that allows you to take your data and put it into fancy charts and graphs. There are some downsides with the free version, for instance, all published charts are public and you are limited to 15,000,000 lines of data.

Open Corporates
Open Corporates allows you to input a company and select the jurisdiction, data held, current status, and company type when searching. These options are handy for narrowing down large organizations like in my example below with Verizon.

A search for Verizon brings up a lot of results but we can filter them down to see the exact location that we want.

If we click on one company in the list it opens up additional details showing filings and reports.

Another useful search we can perform in Open Corporates is for company officers. This type of search is helpful when trying to link someone to a company across multiple states or even countries.

Offshore Leaks
The ICIJ Database pulls data from the Panama Papers, Bahamas Leaks, Offshore Leaks, and Paradise Papers investigations to provide a list of companies by country/region with offshore accounts.

Selecting the U.S. gives us a list to choose from and I randomly selected the top one on the list. This by no means indicates that a company with an offshore account has done anything illegal but the information contained in the database may further your investigations into a company’s activities.

Again, I am a sucker for visualizations so I rather enjoy that this site shows the connections visually. Each node provides more information about the entity when we click on it.

US Security and Exchange Commission
The SEC EDGAR Search is a database of Security and Exchange Commission filings up to the current year. The search works best if you have a company in mind to start with. There is also a guide to using the EDGAR system that is helpful.

I then searched for “Coffee” in the company name and it brought up numerous companies with Coffee in the name, their CIK number, and the state.

If we click on one of the listed companies we can see all of the filings listed by date/file number.

Here we can go one step deeper and look at the details of the individual filing submissions.

 


Finding a Specific Company & Their Connections:

Corporation Directory
Corporation Directory is a website where we can search for state corporation registries. Each registry is maintained by the specific states and therefore they all have different results. The trick for this site is not to use the search function which requires a subscription.

Instead, if you click on the link next to the state name it will take you directly to that site and you can avoid a subscription. Do note here that you must access many of these using a US IP address for them to work.

Little Sis
Little Sis is “a grassroots watchdog network connecting the dots between the world’s most powerful people and organizations.” For example, when I searched for Jeff Bezos I got his business positions, relationships, charitable donations, and political contributions.

Each tab breaks the data down with more detail. The Political tab shows graphs of contributions and party affiliation.

Thomas
Thomas is a search tool for finding Suppliers for specific products. We can search by product category, company, and brand. Searching for pharmaceutical suppliers gives us a whole lot of results that we can then narrow down by region. If we click on a specific supplier the site shows their number, address, product catalog, certifications and more.


All of the above resources can be used to singularly or in tandem to create pivot points within your research. It is definitely a good practice to check multiple sites for the same information to verify and validate that what you find is correct. This is certainly not an exhaustive list but I hope it provides you with some good ideas! Happy hunting!

 

Thanks to MwOsint and Nixintel for contributing to this post.