In this article, we explore how Open Source Intelligence (OSINT) can help an organization secure the information and data it holds. Before going further into why OSINT is a valuable part of a cyber defender’s toolkit, we need to describe its role within the context of cybersecurity.
Cyber Threat Intelligence
Intelligence in the cybersecurity context refers to useful insight into the risks and threats an organization faces. Armed with this insight, security teams can formulate effective countermeasures and mitigation actions specific to the organization’s operational context. In the security world, this is commonly known as cyber threat intelligence, or simply threat intelligence. In short, threat intelligence enables an organization to understand more about itself (Know Thyself), its adversaries (Know Thy Enemy), and its landscape (Know the Battlefield).
OSINT: Cyber Threat Intelligence Gathered From Public Sources
Threat intelligence is usually composed of several types of intelligence, and OSINT plays a critical role among them because it is easy to access and collect. OSINT can be defined as actionable and predictive information developed from publicly available sources. In contrast to intelligence developed from covert sources, which may have been obtained illegally or unethically, OSINT’s reliance on public sources largely avoids the legal concerns around collection itself. Note that this does not remove every obligation: storing and processing personal data gathered from public sources is still subject to privacy law and to the terms of service of the sites it came from.
The Value of OSINT for an Organization
With the advent of instant communication and information transfer in the digital era, predictive intelligence can readily be developed from unclassified sources. This lets organizations use OSINT to obtain the following benefits:
Practical and low-cost intelligence gathering
Since OSINT focuses on publicly available information, it is a low-cost operation compared with other types of intelligence collection. It is also more practical, since most of the tools and software that support collecting open source information are themselves publicly available, many of them free and open source and the rest at a reasonable price. Because of this, OSINT is valuable to companies of all sizes and financial positions. For more established organizations, OSINT can complement other forms of intelligence, increasing the company’s awareness of its digital footprint, threats, and weaknesses.
More robust cybersecurity posture
Actionable intelligence about what an organization exposes lets it see itself as an attacker would and judge whether it is vulnerable or reasonably secure. Within the narrower context of cybersecurity, knowing one’s potential risks is invaluable for organizations protecting themselves and their corporate operations.
Valuable input on business decision making
OSINT is a valuable asset in a business’s decision-making around cybersecurity risk management (for example, when selecting third parties or adopting a new technology).
OSINT sources can be divided into several categories of information, such as:
- Media: Newspapers, magazines, radio, and television.
- Internet: Online publications, blogs, discussion groups, citizen media (e.g., user-created content such as videos recorded on mobile devices), video streaming, and social media websites. OSINT can also be collected via search engines or harvesting tools from the public internet, the deep web, or even the dark web.
- Public Government Data: Public government reports, budgets, hearings, telephone directories, press conferences, websites, and speeches.
- Professional and Academic Publications: Information acquired from journals, conferences, symposia, academic papers, dissertations, etc.
- Commercial Data: Information from commercial imagery, financial and industrial assessments, and databases.
- Gray literature: Technical reports, preprints, patents, working papers, business documents, unpublished works, and newsletters.
OSINT Tools and Software
There are many tools, software packages, and websites built to collect OSINT. There are also tools that were not designed for this purpose but can be used to gather OSINT anyway. These are available to the public over the conventional internet, the deep web, and the dark web. Some of these tools include, but are not limited to, Whois, Nslookup, FOCA, theHarvester, Shodan, Maltego, Recon-ng, Censys, UserSearch, Haveibeenpwned, Spyse, SpiderFoot, Searchcode, TinEye, Metagoofil, thehiddenwiki, deepdotweb, Google, and many more.
Pieces of Intelligence Derived From OSINT
When OSINT is developed properly, organizations will be able to identify the following pieces of intelligence:
- Compromised credentials: Usernames, passwords, PINs, keys, or phone numbers belonging to customers, or to an employee’s personal, application, or service accounts, that have surfaced in breach dumps or on paste sites.
- Exposed sensitive information: Any sensitive or otherwise useful information about an organization that can be harvested from the internet, such as email addresses, the technology stack (inferred from domains, subdomains, or HTTP responses), source code exposed in a misconfigured repository, etc.
- Malicious phishing domains or applications: Falsified web domains or applications disguised as legitimate ones, created by attackers as a means of stealing sensitive or personal information from current and future customers.
- Industry-oriented cyber threats: Certain threats target a specific industry or sector, such as malware or ransomware aimed at banking or financial applications. This intelligence enables an organization to take proactive countermeasures based on its industry.
- Data leaks at a third party: Better insight into the security posture of third parties lets the organization evaluate whether to continue working with vendors with whom data has been shared.
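The phishing-domain item above lends itself to automation. As an added example (not code from the original article), the script below generates lookalike candidates for a brand domain using the common typosquatting techniques (character omission, repetition, transposition, homoglyph substitution, hyphenation, appended keywords, and TLD swap), matches them against a feed of observed domains, and separately flags domains that embed the brand label in a subdomain (`examplebank.com.secure-update.net`), a pattern the generated list cannot enumerate. `CONSTRUCTED_FEED` and the brand `examplebank.com` are invented for the example; in practice the feed would come from newly-registered-domain lists or certificate transparency logs. The code assumes a brand on a single-label TLD (`brand.com`, not `brand.co.uk`).

```python
"""Lookalike (typosquat) domain generation and feed matching (added example, constructed feed)."""
from typing import Dict, Iterable, List

# A small ASCII homoglyph table; real phishing kits also use Unicode confusables.
HOMOGLYPHS = {"o": "0", "l": "1", "i": "1", "e": "3", "a": "4", "s": "5", "m": "rn", "w": "vv"}
KEYWORDS = ("login", "secure", "support", "account", "verify")
TLDS = ("com", "net", "org", "co", "io", "xyz", "top", "info")


def lookalike_candidates(domain: str, tlds: Iterable[str] = TLDS) -> Dict[str, str]:
    """Map each candidate domain to the technique that produced it.
    Assumes a single-label TLD: 'examplebank.com' splits into 'examplebank' and 'com'."""
    label, _, tld = domain.lower().partition(".")
    variants: Dict[str, str] = {}

    def add(variant: str, technique: str) -> None:
        if variant and variant != label:
            variants.setdefault(variant, technique)  # first technique to reach a string wins

    for i in range(len(label)):
        add(label[:i] + label[i + 1:], "omission")                     # exmplebank
        add(label[:i] + label[i] + label[i:], "repetition")            # exxamplebank
        if label[i] in HOMOGLYPHS:
            add(label[:i] + HOMOGLYPHS[label[i]] + label[i + 1:], "homoglyph")  # examp1ebank
        if i > 0:
            add(label[:i] + "-" + label[i:], "hyphenation")            # example-bank
        if i + 1 < len(label):
            add(label[:i] + label[i + 1] + label[i] + label[i + 2:], "transposition")  # exampelbank
    for kw in KEYWORDS:
        add(f"{label}-{kw}", "keyword")
        add(f"{kw}-{label}", "keyword")
        add(f"{label}{kw}", "keyword")

    candidates: Dict[str, str] = {}
    for variant, technique in variants.items():
        for t in tlds:
            candidates[f"{variant}.{t}"] = technique
    for t in tlds:
        if t != tld:
            candidates[f"{label}.{t}"] = "tld-swap"                  # examplebank.co
    return candidates


def match_feed(domain: str, feed: Iterable[str]) -> Dict[str, str]:
    """Return {observed_domain: technique} for every feed entry that impersonates the brand."""
    domain = domain.lower()
    label = domain.partition(".")[0]
    candidates = lookalike_candidates(domain)
    hits: Dict[str, str] = {}
    for observed in feed:
        d = observed.lower().strip().rstrip(".")
        if d == domain or d.endswith("." + domain):
            continue  # the brand's own zone (www.examplebank.com) is legitimate
        if d in candidates:
            hits[d] = candidates[d]
        elif label in d.split("."):
            hits[d] = "brand-in-subdomain"  # brand label used as a subdomain of another zone
    return hits


# Constructed sample feed standing in for a newly-registered-domain or CT-log export.
CONSTRUCTED_FEED: List[str] = [
    "examplebank.com",
    "www.examplebank.com",
    "examp1ebank.com",
    "exampelbank.com",
    "examplebank-login.com",
    "examplebank.co",
    "examplebank.com.secure-update.net",
    "unrelatedshop.org",
]

if __name__ == "__main__":
    for d, technique in sorted(match_feed("examplebank.com", CONSTRUCTED_FEED).items()):
        print(f"{d:45} {technique}")
```

Matches are leads, not verdicts: a hit should be enriched with WHOIS registration date, hosting, and a fetch of the landing page before anyone files a takedown. Extending `HOMOGLYPHS` with Unicode confusables and feeding in IDNA-decoded domains catches the punycode variants this ASCII-only table misses.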
Given its legality, low cost, and practicality, OSINT is an excellent way to start a cyber threat intelligence capability in an organization. It provides useful and actionable information that enables the organization to identify cybersecurity risks and threats and to prepare countermeasures or mitigation actions against them.