OSINT is a multi-method methodology for collecting, analyzing, and making decisions from publicly accessible data to produce actionable intelligence. It is a powerful tool that can be used for a variety of purposes, including journalism, business intelligence, law enforcement, recruitment, and cybersecurity.
Within cybersecurity, the most common use cases for OSINT are:
Measuring risk to an organization (Penetration Testing) - identifying weaknesses and vulnerabilities in order to remediate them before they are discovered and exploited by a threat actor.
Understanding threat actors, their tactics, and their targets (Threat Intelligence) - public data is combined with closed data sources (internal telemetry, dark web data, and other external sources) to create a comprehensive picture of the threat landscape.
Similarly, threat actors leverage the same public data to identify weaknesses and vulnerabilities that let them gain access to systems, usually through social engineering attacks. They will often gather information on potential targets via social media, breach databases, or other online activity to build a profile of the individual that can be used to customize phishing attacks.
In addition, threat actors can use OSINT to evade detection: by reviewing publicly disclosed intelligence, they learn what defensive measures organizations have deployed and look for alternative methods of attack.
Due to the sheer volume of public data, machine learning and artificial intelligence are used to automate data collection and analysis, and mapping tools help surface more significant links and patterns among different pieces of information. However, it is important to develop a strategy for identifying reasonably reputable data sources and deciding what data to gather, so as to avoid information of limited value or questionable reliability.
OSINT collection is either passive or active:
Passive: no direct interaction with the target; information is collected only from publicly available sources - websites, social media profiles, and search engines. It is less likely to be detected, but it can also be more time-consuming, and gathering useful information is more challenging.
Active: involves direct interaction with the target to gather information. It can be done through the target's website, direct communication, or physical contact. It is more likely to be detected, but yields more valuable information.
The OSINT Framework provides a structured method for performing open-source intelligence tasks by compiling publicly available information from multiple free online sources. It offers a range of tools and techniques for open-source data analysis.
The OSINT framework can be used to:
Establish the digital footprint of a target (or threat actor)
Gather all intelligence about a target’s activities, interests, and habits (threat actors - techniques and motivations).
Categorize data by source, tool, method, or goal.
Identify opportunities to improve the current security posture through system and policy recommendations.
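The list above (establish a digital footprint, categorize data by source and method) and the earlier point about weighing source reliability and freshness are the parts of the workflow that a tester actually has to operationalize. The following Python example is added here and is not part of the original article or of the OSINT Framework project: it takes a constructed set of passively observed artifacts (hostnames, an e-mail address, an IP, all in documentation ranges and reserved example domains), merges duplicates, scores each artifact by how many independent sources corroborate it, flags stale observations for re-verification, and groups the resulting footprint by category so the organization can prioritize remediation. The source reliability weights, the 180-day staleness threshold and the `needs_verification` rule are assumptions chosen for illustration.

```python
"""Build a categorized, confidence-scored digital footprint from passive OSINT observations.

Added example: all observations below are constructed; the reliability weights and
thresholds are assumptions, not values from the article or any tool.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import date

# Assumed reliability of a source class: how much one sighting there should be trusted.
SOURCE_RELIABILITY = {
    "ct-log": 0.9,        # certificate transparency logs: machine-issued, hard to forge
    "dns": 0.8,           # passive DNS replication
    "search-cache": 0.6,  # cached pages may be altered or long out of date
    "social": 0.5,        # self-reported profile data
    "paste": 0.3,         # anonymous paste sites; unverified
}
STALE_AFTER_DAYS = 180            # assumption: older sightings must be re-checked
VERIFY_BELOW_CONFIDENCE = 0.7     # assumption: weakly corroborated items get re-checked
REFERENCE_DATE = date(2024, 4, 1)  # "today" for the constructed data set

EMAIL_RE = re.compile(r"^[\w.+-]+@[\w-]+(\.[\w-]+)+$")
IPV4_RE = re.compile(r"^(\d{1,3}\.){3}\d{1,3}$")
HOST_RE = re.compile(r"^(?!-)[a-z0-9-]+(\.[a-z0-9-]+)+$", re.I)


def classify(value):
    """Categorize an observed artifact by its syntactic form."""
    if EMAIL_RE.match(value):
        return "email"
    if IPV4_RE.match(value):
        return "ip"
    if HOST_RE.match(value):
        return "host"
    return "other"


@dataclass(frozen=True)
class Observation:
    value: str    # the artifact as seen in the source
    source: str   # a key of SOURCE_RELIABILITY
    method: str   # "passive" or "active"
    seen: date    # when the source last showed the artifact


# Constructed sample: what a passive sweep of public sources might return for example.com.
SAMPLE = [
    Observation("vpn.example.com", "ct-log", "passive", date(2024, 3, 1)),
    Observation("vpn.example.com", "dns", "passive", date(2024, 2, 20)),
    Observation("old-portal.example.com", "search-cache", "passive", date(2022, 11, 5)),
    Observation("j.doe@example.com", "social", "passive", date(2024, 1, 15)),
    Observation("J.Doe@example.com", "paste", "passive", date(2023, 6, 30)),
    Observation("203.0.113.10", "dns", "passive", date(2024, 3, 2)),
]


def build_footprint(observations, today):
    """Merge observations per artifact and attach category, confidence and freshness."""
    by_value = defaultdict(list)
    for obs in observations:
        by_value[obs.value.lower()].append(obs)  # case-insensitive de-duplication

    footprint = {}
    for value, group in by_value.items():
        sources = sorted({o.source for o in group})
        # Noisy-OR combination: independent sources that each could be wrong
        # jointly make the artifact more credible than any single one of them.
        p_all_wrong = 1.0
        for src in sources:
            p_all_wrong *= 1.0 - SOURCE_RELIABILITY.get(src, 0.2)
        confidence = round(1.0 - p_all_wrong, 2)
        age_days = (today - max(o.seen for o in group)).days
        stale = age_days > STALE_AFTER_DAYS
        footprint[value] = {
            "kind": classify(value),
            "sources": sources,
            "methods": sorted({o.method for o in group}),
            "confidence": confidence,
            "stale": stale,
            "needs_verification": stale or confidence < VERIFY_BELOW_CONFIDENCE,
        }
    return footprint


def group_by(footprint, field):
    """Categorize footprint entries by one attribute, e.g. 'kind' or 'stale'."""
    groups = defaultdict(list)
    for value, entry in footprint.items():
        groups[entry[field]].append(value)
    return {key: sorted(values) for key, values in groups.items()}


def demo_footprint():
    """Footprint for the constructed sample, evaluated at REFERENCE_DATE."""
    return build_footprint(SAMPLE, REFERENCE_DATE)


if __name__ == "__main__":
    fp = demo_footprint()
    for kind, values in sorted(group_by(fp, "kind").items()):
        print(f"[{kind}]")
        for v in values:
            e = fp[v]
            flag = " (verify before acting)" if e["needs_verification"] else ""
            print(f"  {v}: confidence={e['confidence']} sources={e['sources']}{flag}")
```

Every artifact that lands in the `needs_verification` bucket is exactly the material the article warns about: a single low-reliability sighting or an observation that is well over a year old. Verifying it before it goes into a report is what keeps a footprint honest, and the per-source record is what lets the reader of the report see where each item came from.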
Legality
It is legal to access, analyze, and distribute publicly available information.
Caveat - publicly available information may not be accurate (altered or out-of-date).
Ethics
Information from public sources should be used ethically and for legitimate purposes, and must not be used to exploit, harass, or otherwise harm individuals or organizations.
Privacy
It is possible to develop a detailed profile of an individual from publicly available information including their habits, interests, and behaviors.
Often individuals expose this information without fully understanding the implications of doing so. Thus care must be taken when collecting, processing, storing, disseminating, and disposing of any personal information gathered during a penetration testing exercise.