Intro – What is OSINT?
OSINT stands for Open Source Intelligence, but what does it mean, really? From Wikipedia: Open-source intelligence (OSINT) is the collection and analysis of data gathered from open sources (overt and publicly available sources) to produce actionable intelligence. OSINT is primarily used in national security, law enforcement, and business intelligence functions and is of value to analysts who use non-sensitive intelligence in answering classified, unclassified, or proprietary intelligence requirements across the previous intelligence disciplines.
What this basically means is that every piece of information we can find online (open and publicly available) falls into the category of OSINT. For example, a company’s employees on LinkedIn, someone’s Instagram or Twitter accounts, etc. However, if you are investigating a company, you possess some ninja skills with Google dorking, and their Internet hygiene is not so good – meaning some of their Internet-facing services are open and you can discover classified information on their revenue, employee salaries, etc. – that would still fall into the category of OSINT too.
Mainly, OSINT is done within the confines of one of the six categories, based on the information flow – Media, Internet, Public Government Data, Professional and Academic Data, Commercial Data, and Grey Literature. Some main subcategories include: HUMINT (Human Intelligence), IMINT (Image Intelligence), SOCMINT (Social Media Intelligence), GEOINT (Geospatial Intelligence), and SIGINT (Signals Intelligence).
Before delving further, we would like to mention one more potential big source of OSINT data – Dark web. This is the most dangerous one, simply by its nature, so we would need really good OPSEC in order to protect ourselves while investigating on the Dark web, which we will cover in our future articles.
Why do we do/need OSINT?
Aside from us being curious, and maybe wanting to satiate our innate detective urges, why do people, law-enforcement agencies, businesses, and threat actors all use OSINT? Well, the answer is manifold, and there are many benefits of OSINT, but let’s try and give a brief overview of how it differs based on who is conducting said OSINT investigations.
From a civilian perspective, OSINT can be quite useful if you are, for example, worried you might have ‘overshared’ on social media. With some basic OSINT skills you can investigate yourself and figure out what your threat landscape is, in order to establish a threat model that best suits your online needs. Moreover, you can also quickly investigate any fraudulent emails or offers you might receive.
One great recent example was when I got an email from (supposedly) Alexey Navalny, asking me to help him move some funds from a bank account in Turkey, since he is not able to do so himself, promising me a grand 25% of the total amount. Wow!
This is quite obvious, of course, and the email itself immediately gave it up, but it is an interesting story nonetheless, in regards to OSINT. I noticed it was an Indonesian-based domain in the email address, but even more interestingly, after a quick header analysis, I noticed the email address was spoofed, with the actual source being an account registered with Yandex, which is a Russian-based free email service, akin to Gmail, Yahoo, etc. This is something we call email spoofing; however, such phishing emails can be of varying complexity, and actually quite masterfully crafted, so it truly pays to be well aware, skilled, and vigilant when it comes to all the threats lurking out there, since even seasoned Infosec veterans can fall prey to some of the phishing campaigns or other types of attacks.
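The header analysis described above can be scripted. The following is an added example (not code from the article) that uses only Python’s standard library to parse a raw message and flag the usual spoofing indicators: the domain in the visible From header disagreeing with the Return-Path (envelope sender) and Reply-To, the originating server in the earliest Received hop not belonging to the From domain, and an SPF result other than pass in Authentication-Results. Both sample messages are constructed for this example and use reserved `.example` domains and TEST-NET addresses; the header layout mirrors the story (a look-alike From domain, with the real source being a free mail account), not the actual email.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample 1: a phishing mail whose visible From header does not
# match where the message actually came from (all domains are reserved examples).
SAMPLE_SPOOFED_EMAIL = """\
Return-Path: <scammer123@freemail.example>
Received: from smtp7.freemail.example (smtp7.freemail.example [192.0.2.10])
\tby mx.recipient.example with ESMTPS id abc123
Authentication-Results: mx.recipient.example;
\tspf=fail smtp.mailfrom=freemail.example;
\tdkim=none
From: "Alexey Navalny" <office@foundation.example>
Reply-To: <scammer123@freemail.example>
To: <victim@recipient.example>
Subject: Urgent assistance required - 25% for you

Dear friend, I need your help moving some funds...
"""

# Constructed sample 2: a legitimate mail where envelope, origin and SPF all agree.
SAMPLE_LEGIT_EMAIL = """\
Return-Path: <alice@corp.example>
Received: from mail.corp.example (mail.corp.example [192.0.2.20])
\tby mx.recipient.example with ESMTPS id def456
Authentication-Results: mx.recipient.example;
\tspf=pass smtp.mailfrom=corp.example;
\tdkim=pass header.d=corp.example
From: "Alice" <alice@corp.example>
To: <victim@recipient.example>
Subject: Lunch on Friday?

Still on for Friday?
"""


def domain_of(header_value):
    """Return the lower-cased domain of an address header like 'Name <user@host>'."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def under_domain(host, domain):
    """True if host is the domain itself or a subdomain of it."""
    return bool(domain) and (host == domain or host.endswith("." + domain))


def analyse_headers(raw_message):
    """Parse a raw RFC 5322 message and collect spoofing indicators from its headers."""
    msg = message_from_string(raw_message)
    from_domain = domain_of(msg.get("From"))
    return_path_domain = domain_of(msg.get("Return-Path"))
    reply_to_domain = domain_of(msg.get("Reply-To"))

    # Received headers are prepended by each hop, so the last one is the earliest
    # hop, i.e. the server that handed the message into the mail system.
    received = msg.get_all("Received") or []
    origin_host = ""
    if received:
        match = re.search(r"from\s+(\S+)", received[-1])
        origin_host = match.group(1).lower() if match else ""

    # Authentication-Results is written by the receiving MX; pull out SPF/DKIM verdicts.
    auth = msg.get("Authentication-Results") or ""
    spf = re.search(r"spf=(\w+)", auth)
    dkim = re.search(r"dkim=(\w+)", auth)
    spf_result = spf.group(1).lower() if spf else "unknown"
    dkim_result = dkim.group(1).lower() if dkim else "unknown"

    findings = []
    if return_path_domain and return_path_domain != from_domain:
        findings.append("Return-Path domain %r differs from From domain %r"
                        % (return_path_domain, from_domain))
    if reply_to_domain and reply_to_domain != from_domain:
        findings.append("Reply-To domain %r differs from From domain %r"
                        % (reply_to_domain, from_domain))
    if origin_host and not under_domain(origin_host, from_domain):
        findings.append("originating server %r is not under From domain %r"
                        % (origin_host, from_domain))
    if spf_result != "pass":
        findings.append("SPF result is %r, not 'pass'" % spf_result)

    return {
        "from_domain": from_domain,
        "return_path_domain": return_path_domain,
        "reply_to_domain": reply_to_domain,
        "origin_host": origin_host,
        "spf": spf_result,
        "dkim": dkim_result,
        "findings": findings,
        "likely_spoofed": len(findings) > 0,
    }


if __name__ == "__main__":
    for label, sample in (("spoofed", SAMPLE_SPOOFED_EMAIL), ("legit", SAMPLE_LEGIT_EMAIL)):
        report = analyse_headers(sample)
        print(label, "->", "likely spoofed" if report["likely_spoofed"] else "no indicators")
        for finding in report["findings"]:
            print("  -", finding)
```

Note that these checks only reason about what the headers claim: legitimate bulk mailers also send with a Return-Path on a different domain, and an attacker who controls the sending domain will pass SPF. Treat the result as a triage signal to be read together with the message content, not as a verdict.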
These are just some examples, but there are many more use cases where OSINT can be useful for you as an individual.
If we talk about Business Intelligence and OSINT, it is an invaluable tool that many, not only IT/software companies, currently expand on, adding new job openings, or training their staff, because they realize how it can protect their assets – be it their infrastructure, confidential data, or reputation.
Law Enforcement agencies and OSINT go hand-in-hand, since OSINT at its core is basically detective work. You can scrape all the data you want, or deploy your sophisticated automation tools, but without an analyst who is able to connect the dots, all that data means nothing. Law enforcement agencies have been using OSINT long before it became popular, or was even called that, using it to prevent various crimes, from fraud to kidnapping, human trafficking, or even murder. Today, LEAs can reap the benefits of all that OSINT has to offer.
Also, nowadays, LEAs, in conjunction with some organizations, even engage in something that’s known as crowdsourced OSINT or a search party. These events are organized by the respective organizations, who provide the participants with a gamified platform and a CTF-like experience, where all those gathered search for flags and compete with each other in order to help out a real-world investigation. In this way, a few hundred people from various backgrounds, during an event that usually lasts around four or more hours, group up and compete in collecting the said flags, which are in turn handed to the LEAs by the end of the event. This is great for LEAs because they can save a tremendous amount of time and very valuable man hours by outsourcing their investigations to a crowd of volunteers. The participants also gain a lot by participating in a real investigation, although, since these are real-world criminal cases, there can be very real consequences for the mental health of volunteer investigators, so caution, and of course good OPSEC, is always strongly advised. (A write-up from the latest Trace Labs CTF is coming soon!)
On the flip side, since OSINT means Open, threat actors can also benefit from it, advancing their nefarious needs. In the same way a recruiter or a sales agent trained in some OSINT can scrape LinkedIn for relevant connections in order to do some cold calls, nothing stops a threat actor from doing the same, for whatever purpose – their new phishing campaigns, or anything else. They can do reverse DNS lookups in order to find out more about your infrastructure, or do some GEOINT on images their targets shared, in order to figure out where they are physically located and further their goals.
Conclusion
In the upcoming articles we will look into some resources, methodologies, and technical aspects of this immense and fascinating field, as we’ve just barely scratched the surface of what OSINT encompasses.
Lastly, we would just like to emphasize what we feel to be the main takeaway from this article: even though a Programmer, IT Admin, or SOC Analyst might seem to have an advantage with OSINT by default, this is not the case. Yes, you can get very (and we mean very) technical with OSINT, and that surely is a great asset to have, but at its core OSINT is investigative/detective work. Investigators, investigative journalists, linguists, and many other professions are already doing it in some way or form, and when further trained, can become incredibly skilled OSINT practitioners.
Of course, that is not to say that, for example, a highly motivated Sysadmin can’t become one too. And that’s what’s great about OSINT!
Appendix
OSINT – Open Source Intelligence – gathering of data from open/publicly available sources
Google dorking – Usage of advanced operators in your Google searches, for various purposes
HUMINT – Defined by NATO as: a category of intelligence derived from information collected and provided by human sources
IMINT – Analysis of imagery to find information that has intelligence value
SOCMINT – Analysis of social media with the purpose of obtaining relevant intelligence information
GEOINT – Intelligence that is acquired by analyzing data and images that are associated with a specific location
SIGINT – Intelligence gathering by interception of signals
Dark web – Online content that is not indexed by standard search engines
OPSEC – Short for Operational security – protection of critical information and prevention of confidential and personal data leaks
Threat landscape – Defined as: a collection of threats in a particular domain or context, with information on identified vulnerable assets, threats, risks, threat actors and observed trends
Threat model – Identification, prioritization, and representation of all the information which affects the security of a given system
Email spoofing – Technique used to trick someone into thinking that the email came from another source. Mostly used in phishing attacks
LE/LEA – Law enforcement/Law Enforcement Agencies
Search Party – Group of volunteers who participate in crowdsourced OSINT CTF events, investigating a real world case – from missing persons cases to cryptocurrency money laundering and frauds, as well as drug trafficking, or CSAM
CTF – Capture the Flag – (mostly) cybersecurity competitions where competitors capture flags (pieces of data, hidden within the systems that are being attacked – usually a string in some .txt file) in order to collect points and win the challenge