Have you ever looked someone up online, googled an unknown number that called, researched a company you were about to interview at or did a reverse google search of an image? If you have, it means you conducted Open-Source Intelligence (OSINT) research. In simple terms, you obtained publicly available information.
OSINT is an umbrella term. It refers to publicly available information, which can be found and accessed without the use of special skills or tools. OSINT research is a process of accumulating and analyzing such information about a target individual or organization.
Open-source information is available through major search engines, but it is not limited to the websites, databases, and files indexed by Google, Yahoo, Bing, or others. Most information found on the “deep web” and “dark web” is also considered open source, since it too is available to the public.
Open-source data includes:
Open-source intelligence is expansive and growing by millions of new data points every day. Its availability and ease of access are convenient for the public. It has traditionally been used by governments, especially military departments. In recent years, however, OSINT has become an essential tool for cybersecurity efforts across many industries. Some of the largest consumers of open-source intelligence are now also international organizations (for example, the UN and the Red Cross), law enforcement, businesses, cybersecurity teams, and cybercrime groups, as well as terrorist groups and even privacy-conscious ordinary people.
What is the importance of conducting research and assessing the threats originating from open-source intelligence? OSINT has its dark side. Being readily available to the public makes information equally accessible to threat actors worldwide.
Threat actors use OSINT data, tools, and techniques to identify potential targets and exploit vulnerabilities in their networks. They also use OSINT to seek out information about individuals, organizations, and businesses that can be used in social engineering campaigns (such as phishing, vishing, or SMiShing). They conduct thorough research on a potential target and supplement it with additional sources, including social engineering, extortion, and even stalking, to gather the intelligence needed for later cyberattacks.
Threat actors come from all levels of society, can be external or internal, and can have a wide variety of motivations. One of the leading reasons threat actors leverage OSINT data is social engineering. It is worth mentioning that not all attacks are for financial gain; even when financial gain is achieved, it may be a secondary goal or simply an opportunity that presented itself in pursuit of the target. We are also seeing growing risks associated with the ongoing global conflict. As cyberattacks sponsored by nation-states and planted insider threats increase, so does the search for vulnerabilities through open-source information.
On the other hand, OSINT allows cyber analysts to leverage the data and discover vulnerabilities in an organization’s network and understand the threat landscape. It empowers companies, as well as individuals, in defending themselves against risks within their environment and preventing cyberattacks.
The previously mentioned risks of data being openly available make OSINT essential for security purposes. A thorough open-source intelligence check must be performed to discover vulnerabilities in your network, remove sensitive information that is publicly available, and educate staff on data security before threat actors can use the same techniques to exploit your company’s weaknesses.
Applied OSINT allows businesses to better understand the threat landscape and prioritize their risks. OSINT can provide decision-makers with complete, timely, and actionable data for developing effective risk management.
However, collecting and analyzing the data can quickly become an onerous task. The amount of information can grow fast and include metadata searches, code analysis, staff and identity investigations, personally identifiable information data, social media accounts, image analysis, mapping, etc.
To perform an open-source analysis, you must have clear objectives for your organization’s risk management. For example, these can be identifying and remediating vulnerabilities, or developing a strategy and framework for acquiring and analyzing open-source data, followed by remediation and future risk assessments.
At this point, companies have a choice to assemble a special OSINT team, which would be trained in open-source tools, techniques, and analysis, or utilize OSINT as professional services provided by cybersecurity companies.
The OSINT specialist first conducts an assessment of the threat landscape with the focus on the resource to be protected. What can motivate a threat actor to target this particular resource? What benefits would the resource’s data offer? Finally, consider an opportunistic attack and what can be gained without targeted intent.
A variety of tools and methods are available to gather intelligence, evaluate the data, and analyze it for potential vulnerabilities and threats.
OSINT Framework, a methodology that integrates data, tools, methods, and techniques, is widely used by security teams to establish a threat footprint, gather intelligence about possible adversaries, and enhance the security posture.
Creating the Threat Landscape:
As mentioned above, an OSINT specialist has a wide range of tools available to harvest intelligence. Some are readily available, such as public records and reverse image search tools to identify people or objects, while others, mentioned below, are more industry specific and might require training. In addition, dark web searches, leaksites, social media channels, and even physical observations are used.
Trace Labs OSINT Virtual Machine (VM) provides a centralized collection of practical tools for OSINT specialists. Some of the most commonly used tools are Shodan (a “google” for devices and vulnerabilities), ExploitDB (an exploit database), and TheHarvester (email gathering). Scans and dark web searches are other methods cyber specialists use. Information can also be gathered through fake identities and emails. Social media tools, like Social Blade, can provide powerful analytics for understanding the impact of social engineering attacks, specifically the reputational damage companies or individuals might face as a consequence of an OSINT oversight.
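As an added example that is not part of the original article, the following Python script runs two of the self-checks described above (exposed staff email addresses, as an email-gathering tool would find them, and author metadata left in published Office documents) over material the organization itself publishes; the sample page text, the in-memory .docx, and the example.com / corp.example names are constructed placeholders.

```python
"""Defensive OSINT footprint self-audit (added example, not the article's code).
Checks material the organization itself publishes: (1) e-mail addresses and
internal-looking hostnames in page text, (2) author metadata in .docx files.
Sample inputs are constructed; example.com / corp.example are placeholders."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
# Labels such as vpn/intranet/staging in a hostname hint at internal infrastructure.
INTERNAL_HOST_RE = re.compile(r"\b(?:vpn|intranet|dev|staging|jenkins|git)\.[\w.-]+\b", re.I)
NS = {"cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
      "dc": "http://purl.org/dc/elements/1.1/"}

def harvest_text(text: str) -> dict:
    """Return e-mails and internal-looking hostnames exposed in public text."""
    return {"emails": sorted(set(EMAIL_RE.findall(text))),
            "internal_hosts": sorted({h.lower() for h in INTERNAL_HOST_RE.findall(text)})}

def docx_authors(docx_bytes: bytes) -> dict:
    """Read dc:creator / cp:lastModifiedBy from docProps/core.xml inside a .docx."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        root = ET.fromstring(zf.read("docProps/core.xml"))
    return {"creator": root.findtext("dc:creator", default="", namespaces=NS),
            "last_modified_by": root.findtext("cp:lastModifiedBy", default="", namespaces=NS)}

def build_sample_docx(creator: str, modified_by: str) -> bytes:
    """Construct a minimal docx-like zip carrying only the core-properties part."""
    core = ('<cp:coreProperties xmlns:cp="%s" xmlns:dc="%s"><dc:creator>%s</dc:creator>'
            '<cp:lastModifiedBy>%s</cp:lastModifiedBy></cp:coreProperties>'
            % (NS["cp"], NS["dc"], creator, modified_by))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docProps/core.xml", core)
    return buf.getvalue()

# Constructed sample: a careers page that leaks staff addresses and a VPN host.
SAMPLE_PAGE = ("Questions? Contact hr@example.com or j.doe@example.com. "
               "Remote staff connect via vpn.corp.example before opening Jenkins.")

if __name__ == "__main__":
    print(harvest_text(SAMPLE_PAGE))
    print(docx_authors(build_sample_docx("Jane Doe", "jdoe-admin")))
```

Anything the script reports is a candidate for removal or redaction from the published material, and a real document audit would strip the metadata before publishing rather than only reporting it.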
In the modern world, Open-Source Intelligence must be an essential part of any company’s security framework. Identifying the information cybercriminals can use for exploitation and training personnel in OSINT awareness are paramount.