In this blog, an expert from the Fivecast Tradecraft Team discusses the five technical elements that enable Open-Source Intelligence (OSINT) programs to successfully accomplish their missions.
In the security, intelligence, and defense sectors, publicly available information is becoming increasingly important to assessing risk. Although this information has played a role in this space for a long time, open-source intelligence based on publicly available information has evolved significantly beyond the evaluation of newspapers and public broadcasts. Nowadays, most people operate in public spaces online to network both professionally and socially, communicate their thoughts, or, for a small portion of the population, engage in nefarious activities. Many people have completely mirrored their ‘offline’ communication and networking habits into the digital space. This means that important indicators for risk and threats that would traditionally have been communicated offline are sitting among masses of data in public spaces online.
This creates both a challenge and an opportunity for analysts and intelligence teams. OSINT programs are faced with the challenge of assessing an ever-expanding volume of online data and complexity of activity in an efficient manner. As technology enables more people to operate online, it creates opportunities for analysts to create understanding and value from publicly available information. Many public and private sector organizations have recognized the need for technical solutions that will aid in sifting through the online data, but what technical elements are most important for a successful OSINT program?
Successful OSINT programs require technology, which in this case is defined as a combination of software, hardware, data, and sound operating procedures for how analysts engage with technology. Intelligence teams face a running checklist of technology features and capabilities and often struggle to optimize the combination of resources and tools that will enable them to accomplish their missions.
What Defines a Successful OSINT Program?
Success for an OSINT program can vary according to the organization and its mission. Success could include investigation objectives such as:
- Identifying opportunities for intervention in an extremist organization
- Understanding the key influencers in an online network
- Uncovering threats to facilities, personnel, or events
- Gathering evidence on criminal actors online
A common success factor is the ability to consistently and reliably extract valuable insights from publicly available information and enable their organization to make key decisions. In my experience as an OSINT specialist, I’ve observed five key elements and characteristics that are present in the technology solution utilized by any successful OSINT program.
1. Technology Enables the Analyst:
Technology should be used to enable and create efficiencies for the analyst instead of replacing analysts’ valuable insights and understanding. At a high level, the analyst should be able to leverage the well-defined priorities, scope, and collection requirements of an OSINT program and translate that directly into the capabilities of the technical solution.
At a practitioner level, technical solutions should not replace the judgement and subject matter expertise of the individuals handling publicly available information. Analysts should be able to structure and define the collection and assessment process based on their experience, as opposed to a technical solution making analytical judgements on the handling of data. An analyst should never be unclear about the source of information or how data was processed by the technical solution. It is essential to find a technical solution that balances saving time by ‘sifting’ out and presenting the most relevant data with empowering the analyst to make their decisions from an ‘enriched’ data set.
2. Ability to Discover Entities and Content of Interest:
Technology should enable the discovery of communication and activity of threat actors from multiple starting points. Analysts and investigators receive a variety of leads, inputs, and collection requirements. They should be able to confidently discover activity or entities of interest online regardless of the background information they have.
This includes the ability to discover content, actors or networks by keyword, topic, affiliation, or personally identifiable information (e.g. name, location, email, or phone number). For example, suppose an analyst is tasked with determining the capabilities and intent of a white supremacist group online, and they are only given the name of the group’s leader. In that case, they should be able to enter the leader’s name and seamlessly discover content and social media accounts, groups or communities.
3. Ability to Automatically Collect and Assess Multi-media Data:
The technology should automatically collect masses of online data and rapidly assess data for individual threats and concerning trends of behavior. Data should be pulled in from multiple sources, regardless of medium or language. Technology should provide analysts with the ability to collect and assess data from social media platforms that attract hundreds of millions of users globally. Any solution should also provide analysts with access to more niche platforms that attract higher concentrations of threat actors across the surface, deep and dark web.
Threats can come in the form of an image, a written text-post, or digital network connections between nefarious actors online. An automated technical collection and assessment tool should be able to collect these diverse data mediums and present them in a way that makes assessment efficient for the analyst. The most successful programs also have technology that automatically identifies data that meets collection requirements or constitutes threatening or risky behavior on its own or as part of a trend. This could be an online actor being in a certain location, engaging with concerning entities, communicating or depicting concerning behaviors, or escalating in extremist ideology.
4. Complementary Data Sources or Collection Streams:
Technical solutions should enable the commingling and consideration of data from multiple intelligence streams and sources outside of just publicly available information. In recognizing the increasing importance of open-source intelligence, we must also acknowledge that not all threats or trends of interest are exposed online or in publicly available information. Programs should ensure that they are considering and acquiring alternate streams of information – whether proprietary data sets, signals intelligence, human intelligence, or imagery intelligence – and layering them with the collected publicly available information to enhance the value of both.
5. Digital Safety and Security:
The technical solution should protect the identity and the interests of the analyst and the organization. Through tradecraft and technical means, analysts in an OSINT program need to operate online and within collection and assessment tools without exposing their identity and interests.
An OSINT program’s mission can suffer immensely if the program exposes any information, regardless of perceived sensitivity, to its targets or adversaries. At a minimum, a successful program should employ the misattribution or obfuscation of an analyst’s identity, location, organizational affiliation, device information, network details, and the entities or topics they are researching. This ensures personal safety and the security of capabilities by avoiding elimination, subversion, or manipulation of the program’s access or data collection.
OSINT programs that employ these elements in their technical solutions, toolkits, or workflows are establishing a solid foundation to successfully handle the speed, volume, and complexity of data in support of their mission.
Empowering Analyst Teams with Fivecast ONYX
The global customers I work with in national security, law enforcement and defense are deploying Fivecast ONYX in a variety of use cases that reflect the above 5 key elements of a successful OSINT program. The breadth and depth of data sources available within the solution, combined with the capability to quickly discover new content, entities of interest, networks and evolving risks, enable analyst teams to efficiently determine investigation targets and progress their missions. Fivecast ONYX empowers analyst teams to complement and extend their investigative expertise with the AI-driven collection and assessment capabilities of the solution. This leads to investigations that are faster to implement and more specifically targeted, and to more successful OSINT programs overall.