Much like Cyber, OSINT is a popular catch-all term comprising dozens of components each with its own specialisations and uses. War crime analysts might need to geolocate where an image was taken, police might need to collect the digital footprint of a killer and medical researchers might require every paper and article written about a type of cancer. It can mean many things to many people, but what is OSINT and how can cybersecurity professionals use it? 

WHAT IS OSINT?

Open-Source Intelligence is information that has been collected from publicly available sources, which is then analysed and disseminated to its intended consumer. The crucial term here is “publicly available sources” – information that was originally intended to be viewed by a public audience, not data kept behind private social media profiles, encrypted messaging channels or members-only groups. Where information has been gathered using specialist skills, classified sources, persuasion or hacking, it is no longer considered open-source.

For some, OSINT could be considered simply “googling”, but it isn’t confined to search engine data alone. Forums, social media, news websites, academic journals and government documents are just some of the resources that fall under open-source data. OSINT is mainly drawn from text-based sources, but it can also include videos, images, public webinars and radio shows.

Open-source data can also include data about the data – also known as secondary data or metadata. Where a person of interest has posted an image, file or tweet, that content might also reveal when and where the image was taken, the device used to create the file, who the original author of the file was and much more. The person’s profile can also be mined to discover their employment, aliases, place of residence, birthdate and other associated usernames or social profiles.
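As an added example (not code from the original post), the following Python shows what that embedded metadata looks like in practice and how a publishing workflow can remove it. Using only the standard library, it walks a JPEG’s marker segments, parses the APP1/Exif block (a TIFF structure: IFD0 entries for camera make, model and capture time, plus a pointer to a GPS sub-IFD) and converts the GPS degree/minute/second rationals to decimal degrees. It then strips the Exif segment, which is the control an organisation should apply before staff photos or press images go public. The sample image is constructed inside the script and is not a real photograph; the tag numbers and field layout follow the EXIF/TIFF specifications.

```python
"""Pure-stdlib look at the "data about the data" a posted JPEG can carry
(camera make/model, capture time, GPS fix), plus a function that strips it
before publication. The sample image is constructed in this file; it is
not a real photograph."""
import struct

TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1}             # TIFF field types used by EXIF
TAGS = {"make": 0x010F, "model": 0x0110, "datetime": 0x0132}  # IFD0 tags of interest
TAG_GPS_IFD = 0x8825                                           # pointer to the GPS sub-IFD
GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON = 1, 2, 3, 4
EMPTY = {"make": None, "model": None, "datetime": None, "gps": None}

def segments(jpeg):
    """Yield (offset, marker, length) for each header segment before SOS/EOI."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF and jpeg[pos + 1] not in (0xD9, 0xDA):
        (length,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])  # includes its own 2 bytes
        yield pos, jpeg[pos + 1], length
        pos += 2 + length

def read_ifd(tiff, offset, endian):
    """Return {tag: (type, count, raw)}; raw is the inline value or the pointed-to data."""
    (n,) = struct.unpack(endian + "H", tiff[offset:offset + 2])
    entries = {}
    for e in range(offset + 2, offset + 2 + 12 * n, 12):
        tag, typ, count = struct.unpack(endian + "HHI", tiff[e:e + 8])
        size = TYPE_SIZES.get(typ, 1) * count
        start = e + 8 if size <= 4 else struct.unpack(endian + "I", tiff[e + 8:e + 12])[0]
        entries[tag] = (typ, count, tiff[start:start + size])
    return entries

def decode(entry, endian):
    """Decode ASCII (type 2), LONG (4) and RATIONAL (5); other types stay raw."""
    typ, count, raw = entry
    if typ == 2:
        return raw.split(b"\0", 1)[0].decode("ascii", "replace")
    if typ == 4:
        return struct.unpack(endian + "%dI" % count, raw)
    if typ == 5:
        nums = struct.unpack(endian + "%dI" % (2 * count), raw)
        return [n / d if d else 0.0 for n, d in zip(nums[::2], nums[1::2])]
    return raw

def dms_to_decimal(dms, ref):
    """EXIF degree/minute/second rationals -> signed decimal degrees."""
    value = dms[0] + dms[1] / 60 + dms[2] / 3600
    return -value if ref.upper() in ("S", "W") else value

def inspect_jpeg(jpeg):
    """Report make, model, capture time and GPS position (None where absent)."""
    report = dict(EMPTY)
    for pos, marker, length in segments(jpeg):
        if marker != 0xE1 or jpeg[pos + 4:pos + 10] != b"Exif\0\0":
            continue                                      # not the APP1/Exif segment
        tiff = jpeg[pos + 10:pos + 2 + length]
        endian = "<" if tiff[:2] == b"II" else ">"
        ifd0 = read_ifd(tiff, struct.unpack(endian + "I", tiff[4:8])[0], endian)
        report.update({k: decode(ifd0[t], endian) for k, t in TAGS.items() if t in ifd0})
        if TAG_GPS_IFD in ifd0:
            gps = read_ifd(tiff, decode(ifd0[TAG_GPS_IFD], endian)[0], endian)
            if all(t in gps for t in (GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON)):
                lat = dms_to_decimal(decode(gps[GPS_LAT], endian), decode(gps[GPS_LAT_REF], endian))
                lon = dms_to_decimal(decode(gps[GPS_LON], endian), decode(gps[GPS_LON_REF], endian))
                report["gps"] = (round(lat, 6), round(lon, 6))
    return report

def strip_exif(jpeg):
    """Return a copy of the JPEG with every APP1/Exif segment removed."""
    out, pos = bytearray(jpeg[:2]), 2
    for seg_pos, marker, length in segments(jpeg):
        if not (marker == 0xE1 and jpeg[seg_pos + 4:seg_pos + 10] == b"Exif\0\0"):
            out += jpeg[seg_pos:seg_pos + 2 + length]
        pos = seg_pos + 2 + length
    return bytes(out + jpeg[pos:])                        # scan data and EOI copied as-is

def build_sample_jpeg():
    """Constructed sample: SOI, APP1/Exif (little-endian TIFF: Make, DateTime, GPS
    sub-IFD), a COM segment standing in for the image body, EOI. Offsets are computed."""
    E, make, stamp = "<", b"ExampleCam\0", b"2023:05:01 12:00:00\0"
    make_off = 8 + 2 + 3 * 12 + 4                  # IFD0 at 8: count, 3 entries, next pointer
    stamp_off, gps_off = make_off + len(make), make_off + len(make) + len(stamp)
    lat_off = gps_off + 2 + 4 * 12 + 4             # GPS IFD: count, 4 entries, next pointer
    lon_off = lat_off + 24                         # three RATIONALs = 24 bytes
    def entry(tag, typ, count, value):             # value: 4 inline bytes or a packed offset
        return struct.pack(E + "HHI", tag, typ, count) + value
    ptr = lambda off: struct.pack(E + "I", off)
    ifd0 = (struct.pack(E + "H", 3) + entry(TAGS["make"], 2, len(make), ptr(make_off))
            + entry(TAGS["datetime"], 2, len(stamp), ptr(stamp_off))
            + entry(TAG_GPS_IFD, 4, 1, ptr(gps_off)) + ptr(0))
    gps = (struct.pack(E + "H", 4) + entry(GPS_LAT_REF, 2, 2, b"N\0\0\0")
           + entry(GPS_LAT, 5, 3, ptr(lat_off)) + entry(GPS_LON_REF, 2, 2, b"W\0\0\0")
           + entry(GPS_LON, 5, 3, ptr(lon_off)) + ptr(0))
    lat = struct.pack(E + "6I", 51, 1, 30, 1, 252, 100)   # 51 deg 30' 2.52" N
    lon = struct.pack(E + "6I", 0, 1, 7, 1, 2892, 100)    # 0 deg 7' 28.92" W
    tiff = b"II" + struct.pack(E + "HI", 42, 8) + ifd0 + make + stamp + gps + lat + lon
    app1, com = b"Exif\0\0" + tiff, b"constructed sample, no image data"
    return (b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1
            + b"\xff\xfe" + struct.pack(">H", len(com) + 2) + com + b"\xff\xd9")

SAMPLE_JPEG = build_sample_jpeg()
```

Calling `inspect_jpeg(SAMPLE_JPEG)` returns the make, capture time and a decimal-degree position; `inspect_jpeg(strip_exif(SAMPLE_JPEG))` returns all `None`, while the rest of the file (here the COM segment) is untouched. Stripping is done by copying segments rather than zeroing bytes, so the output stays a valid JPEG; real tools also have to deal with XMP (another APP1 payload) and IPTC (APP13), which this example leaves alone.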

In addition to content-specific open-source data, there are numerous online tools that trawl the web for things that are connected to the internet, for example, webcams, printers, servers, open ports and public-facing IP addresses.

HOW IS OSINT USED BY CYBERSECURITY TEAMS?

Cybersecurity professionals use open-source data to gain a deeper understanding of their organisation’s threat landscape, to assist in protecting it from known risks, discover unknown exploits and learn about their adversaries’ capabilities. Cybersecurity teams have several functions: network architects, digital forensic experts, incident responders, threat hunters and many more. This blog will focus on three core cybersecurity use cases and the complementary role that OSINT plays in each:

  • Offensive/Ethical Hacking
  • Defensive Security
  • Threat Intelligence

OFFENSIVE/ETHICAL HACKING

Ethical Hacking or penetration testing is where security professionals attempt to perform a cyberattack on a real-world organisation to test its defences and expose any vulnerabilities. This allows the defending team to remediate any issues found during the test before they are exploited by a real threat actor.

How do they use OSINT?

The very first step in any attack – simulated or real – is to gather as much external data as possible on a target to help choose and create the method of attack. This stage is often regarded as the Reconnaissance phase. Testers will be looking for information like domains, subdomains, employee details, public business records, inter-connected devices and much more. OSINT is an integral part of this phase, as much of this type of data is publicly available. It enables cyber specialists to:

  • Map out an organisation’s entire internet-facing system to discover any exposed vulnerabilities, open ports or insecurely connected devices – e.g., Shodan can be used to locate open Remote Desktop Protocol (RDP) log-in pages that can be exploited further.
  • Enumerate the versions of hosting tools and software used by websites to look for older, unpatched versions – e.g., scan for website tools and technology using open-source tools like Wappalyzer or BuiltWith.
  • Survey a company’s physical location where it is in scope for testing – CCTV, fences, barbed-wire gates and security guards can all be discovered using Google Street View.
  • Spot unintentional leaks of sensitive data over social media – e.g., images of staff members with their photo ID cards on display in a social media post.
  • Use LinkedIn or the company website to map out employees and their roles, and identify who might have privileged access.
  • Find leaked passwords, credentials, employee information and software code in online paste bins.

DEFENSIVE SECURITY

Defensive cybersecurity teams provide 24/7 security to companies and organisations, protecting against and responding to security incidents. They are made up of Security Operations Centre (SOC) analysts, network engineers and incident responders. They apply the same techniques, and use the same information gathered by the offensive team, to see what is visible to a potential attacker, and use that view to strengthen their existing defences and secure their infrastructure. Where openly connected devices have been discovered, they will look to secure them. They will trawl the web for vulnerabilities found in the software and equipment they operate and ensure these are patched and updated accordingly.

In the same way that an attacker would look to perform reconnaissance on a company’s infrastructure, defenders will use that same information to build a threat model that helps to shape their defensive strategies.
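The defensive use of the reconnaissance data described above (the exposed services and software versions an attacker would enumerate, and the patch status the defenders are expected to track) comes down to a reconciliation job. The following Python is an added example, not code from the original post or from any scanning service: it takes an export of externally visible services in the organisation’s own address space, compares it with an approved-exposure baseline, and checks reported versions against a list of advisories. The export, the baseline and the advisory records are constructed for the example (RFC 5737 documentation addresses, placeholder advisory identifiers rather than real CVEs); a real scanner export uses its own field names, so the record layout here is an assumption.

```python
"""Reconcile an external exposure export (what a Shodan-style scan shows of
an organisation's own address space) against an approved-exposure baseline
and a list of advisories, so unexpected services and outdated versions can
be ticketed. Export, baseline and advisories are constructed for this
example; real scanner exports use their own field names and the advisory
ids below are placeholders, not real CVEs."""
import re

# Constructed export: one record per externally reachable service.
EXPOSURE = [
    {"ip": "203.0.113.10", "port": 443, "product": "nginx", "version": "1.24.0"},
    {"ip": "203.0.113.10", "port": 22, "product": "OpenSSH", "version": "9.3"},
    {"ip": "203.0.113.11", "port": 3389, "product": "Remote Desktop Protocol", "version": ""},
    {"ip": "203.0.113.12", "port": 80, "product": "ExampleCMS", "version": "4.1.7"},
    {"ip": "203.0.113.12", "port": 8080, "product": "Jenkins", "version": "2.401.1"},
]

# Approved-exposure baseline: the (ip, port) pairs that are meant to be public.
BASELINE = {("203.0.113.10", 443), ("203.0.113.10", 22), ("203.0.113.12", 80), ("203.0.113.13", 443)}

# Constructed advisories: a product is affected when its version is below fixed_in.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "product": "ExampleCMS", "fixed_in": "4.2.0"},
    {"id": "ADV-EXAMPLE-0002", "product": "nginx", "fixed_in": "1.20.0"},
]


def parse_version(text):
    """'2.401.1' -> (2, 401, 1); a non-numeric component counts as 0."""
    parts = []
    for piece in re.split(r"[.\-_]", text.strip()):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group(0)) if m else 0)
    return tuple(parts) or (0,)


def version_below(found, fixed_in):
    """True when found < fixed_in, padding so that '1.24' equals '1.24.0'."""
    a, b = parse_version(found), parse_version(fixed_in)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))


def reconcile(exposure, baseline, advisories):
    """Return a list of findings, each {'ip', 'port', 'kind', 'detail'}."""
    findings = []
    for svc in exposure:
        if (svc["ip"], svc["port"]) not in baseline:
            findings.append({"ip": svc["ip"], "port": svc["port"], "kind": "unapproved-exposure",
                             "detail": f'{svc["product"] or "unknown service"} is not in the approved baseline'})
        for adv in advisories:
            if (adv["product"].lower() == svc["product"].lower() and svc["version"]
                    and version_below(svc["version"], adv["fixed_in"])):
                findings.append({"ip": svc["ip"], "port": svc["port"], "kind": "outdated-version",
                                 "detail": f'{svc["product"]} {svc["version"]} is below {adv["fixed_in"]} ({adv["id"]})'})
    # An approved service missing from the export also merits a look: the host
    # may be down, re-addressed, or the export incomplete.
    seen = {(s["ip"], s["port"]) for s in exposure}
    for ip, port in sorted(baseline - seen):
        findings.append({"ip": ip, "port": port, "kind": "baseline-not-observed",
                         "detail": "approved service not seen in the export"})
    return findings


if __name__ == "__main__":
    for f in reconcile(EXPOSURE, BASELINE, ADVISORIES):
        print(f'{f["ip"]}:{f["port"]} {f["kind"]}: {f["detail"]}')
```

On the constructed data this flags the RDP listener and the Jenkins instance as unapproved exposure, the CMS as below its fixed version, and one approved service that the export no longer shows. The baseline is the important artefact: without a written statement of what is supposed to be reachable, every exposure export is just a list, and nothing distinguishes a planned web server from a forgotten test box.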

THREAT INTELLIGENCE

Cyber Threat Intelligence is the process of collecting data on a threat actor’s activity to determine their motives, Tactics, Techniques and Procedures (TTPs) and likely targets for the future. Intelligence analysts use OSINT to collect information on attacks carried out in the past, Indicators of Compromise (IOCs), sift through data breaches, monitor threat-intel feeds and track threat actor activity on forums and marketplaces on the dark web.

An often over-mystified area of the internet, the dark web makes up a relatively small portion of it. Using specialist software (e.g. the Tor Browser), analysts can find a bustling ecosystem of underground vendors and consumers with its own functioning supply chain. Whilst most of the activity consists of financially motivated cybercrime and illicit trafficking, the relative anonymity and surveillance evasion that Tor offers can also be used for more legitimate purposes, such as freedom of communication by political dissidents in countries with oppressive regimes.

Threat Intelligence teams will often use open-source data in tandem with a range of other sources to validate the information and add further context. Closed sources such as internal data logs, network telemetry, private dark web communities and intelligence-sharing communities are alternative sources that can be used by analysts.

In the same vein, analysts don’t react to one data point without seeking additional data to corroborate the original content of concern. For example, one threatening message on a hacker forum might seem isolated at first, but if (after some additional research) the sender was already known to authorities as operating for a state-backed threat group, the message might be treated differently.
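Two of the habits described in this section, collecting Indicators of Compromise from open feeds and refusing to act on a single uncorroborated data point, can be built directly into the matching logic. The Python below is an added example and not code from the original post: it normalises indicators as they appear in public reporting (where URLs and addresses are usually “defanged” with `hxxp` and `[.]` so they cannot be clicked by accident), records how many independent feeds report each atomic indicator, and matches them against proxy log lines, labelling each hit as corroborated or single-source. The feed entries and log lines are constructed for the example, using RFC 5737 documentation addresses and `.example` domains.

```python
"""Normalise open-source indicators of compromise (IOCs) from several feeds,
track how many independent sources report each one, and match them against
proxy log lines. Feeds and logs below are constructed for this example."""
import re
from collections import defaultdict

# Constructed feed entries as (source, indicator as published). Public
# reports usually "defang" indicators (hxxp, [.], [:]) so they cannot be
# clicked by accident; they have to be normalised before matching.
FEEDS = [
    ("feed-a", "hxxp://malicious[.]example/payload.bin"),
    ("feed-a", "198[.]51[.]100[.]23"),
    ("feed-b", "malicious[.]example"),
    ("feed-b", "198.51.100.23"),
    ("feed-c", "login-update[.]example"),
]

# Constructed proxy log lines; addresses are RFC 5737 documentation ranges.
LOGS = [
    '2024-03-01T09:12:04Z src=10.0.0.8 dst=198.51.100.23 host=malicious.example url="http://malicious.example/payload.bin"',
    '2024-03-01T09:12:09Z src=10.0.0.9 dst=203.0.113.40 host=intranet.example url="http://intranet.example/"',
    '2024-03-01T09:13:31Z src=10.0.0.12 dst=203.0.113.77 host=login-update.example url="http://login-update.example/signin"',
]

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
LOG_RE = re.compile(r'dst=(?P<ip>\S+) host=(?P<host>\S+) url="(?P<url>[^"]*)"')


def refang(indicator):
    """Undo common defanging: hxxp(s) -> http(s), [.] and (.) -> ., [:] -> :"""
    s = re.sub(r"^hxxp", "http", indicator.strip(), flags=re.IGNORECASE)
    for broken, fixed in (("[.]", "."), ("(.)", "."), ("[:]", ":"), ("[://]", "://")):
        s = s.replace(broken, fixed)
    return s.lower()


def atoms(indicator):
    """Atomic (kind, value) indicators an entry yields; a URL also yields its host."""
    s = refang(indicator)
    out = set()
    if "://" in s:
        out.add(("url", s))
        host = s.split("://", 1)[1].split("/", 1)[0].split(":", 1)[0]
        out.add(("ip" if IPV4.match(host) else "domain", host))
    elif IPV4.match(s):
        out.add(("ip", s))
    else:
        out.add(("domain", s))
    return out


def build_index(feeds):
    """Map each atomic indicator to the set of feeds that reported it."""
    index = defaultdict(set)
    for source, raw in feeds:
        for atom in atoms(raw):
            index[atom].add(source)
    return index


def scan_logs(logs, index, min_sources=2):
    """Return (line_no, (kind, value), sources, corroborated) for each hit.
    A hit is corroborated when at least min_sources independent feeds list it."""
    hits = []
    for line_no, line in enumerate(logs, 1):
        m = LOG_RE.search(line)
        if not m:
            continue
        observed = {("ip", m["ip"]), ("domain", m["host"].lower()), ("url", m["url"].lower())}
        for atom in sorted(observed & set(index)):
            sources = sorted(index[atom])
            hits.append((line_no, atom, sources, len(sources) >= min_sources))
    return hits


if __name__ == "__main__":
    for line_no, atom, sources, ok in scan_logs(LOGS, build_index(FEEDS)):
        label = "corroborated" if ok else "single-source, verify before acting"
        print(f"line {line_no}: {atom[0]} {atom[1]} reported by {sources} ({label})")
```

On the constructed data the first log line produces two corroborated hits (the IP and the domain appear in both feed-a and feed-b) and one single-source hit on the full URL, while the third line matches a domain only feed-c has reported. Treating the source count as part of the indicator, rather than a flat block/allow decision, is what lets an analyst escalate the corroborated hits and queue the others for the additional research the text describes.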

THE FLIP SIDE OF OSINT – CAN ATTACKERS USE IT?

Yes. If information can be found by cybersecurity experts, it can also be found by threat actors.

Using the same techniques and tools mentioned, threat actors can enumerate networks, identify vulnerabilities and search for exploits that specifically target the ‘lowest-hanging fruit’. Often, threat actors don’t target a company specifically for its product, mission or staff members. It is attacked because it was found to be vulnerable in a way that was easy for the attacker to exploit.

Threat actors will read the same public intelligence reports on attacker methodology that cybersecurity professionals use to inform defensive practices, except that they are looking for ways to evade those defences. A company might post a highly technical job description in the hope of finding a competent candidate, without realising it has listed every system and piece of infrastructure it operates, which an attacker can research further and exploit.

As well as the more technical type of data that can be found and exploited through OSINT, attackers will often use OSINT for social engineering purposes. Platforms like LinkedIn offer a plethora of information about a company’s structure, key personnel, and events and illuminate any potential high-value assets the company might hold. This information can be used to build a highly sophisticated social engineering campaign targeting key members of staff using spear-phishing and whaling techniques.

Social media platforms hold vast details on people’s private lives, family and employment. This can be gathered to create convincing social engineering campaigns in which the attacker attempts to trick a user into disclosing sensitive information or even compromising their own system.

CONCLUSION

When working with OSINT, it is imperative that there is a clear, defined collection and analysis strategy. This will likely be different for every team and will take time to test and adjust what works best for them. Generally, an OSINT initiative should include:

  • The tools and techniques the team should be using.
  • A clear understanding of what the team can access legally and ethically.
  • The requirements and goals the team is looking to accomplish.
  • Finally, what the finished product needs to look like for it to be delivered on time and actionable by the key stakeholder.

This blog is just a snapshot of the types of data that can be acquired through OSINT and why it is useful for cybersecurity teams. Understanding how to gather data, what to look for, where it can be found and why the data is needed in the first place is vital for anyone working in cybersecurity.

Request a demo from our industry experienced Tradecraft team to learn more about how to incorporate OSINT into your Cybersecurity strategy.