Intro – What is OSINT?

What this basically means is that every piece of information that we can find online (open and publicly available) would fall into the category of OSINT. For example, company’s employees on Linkedin, someone’s Instagram or Twitter accounts, etc. However, if you are maybe investigating a company, and you possess some ninja skills with Google dorking, and they have a not so good Internet hygiene – meaning some of their services that are Internet-facing are opened and you can discover classified information on their revenue, employee salaries, etc. that would still fall into the category of OSINT too.

Mainly, OSINT is done within the confines of one of the six categories, based on the information flow  – Media, Internet, Public Government Data, Professional and Academic Data, Commercial Data, and Grey Literature. Some main subcategories include: HUMINT (Human Intelligence), IMINT (Image Intelligence), SOCMINT (Social Media Intelligence), GEOINT (Geospatial Intelligence), and SIGINT (Signals Intelligence).

Before delving further, we would like to mention one more potential big source of OSINT data – Dark web. This is the most dangerous one, simply by its nature, so we would need really good OPSEC in order to protect ourselves while investigating on the Dark web, which we will cover in our future articles.

Why do we do/need OSINT?

From a civilian perspective, OSINT can be quite useful if you are for example worried you might have ‘overshared’ on social media. With some basic OSINT skills you can investigate yourself, and figure out what is your threat landscape, in order to establish a threat model that best suits your online needs. Moreover, you can also quickly investigate any fraudulent emails or offers you might receive.

One great recent example is me getting an email from (supposedly) Alexey Navalny, asking me to help him move some funds from a bank account in Turkey, since he is not able to do so himself, promising me a grand 25% of the total amount. Wow!

This is quite obvious, of course, and the email itself immediately gave it up, but it is an interesting story nonetheless, in regards to OSINT. I noticed it was an Indonesian-based domain in the email address, but even more interestingly, after a quick header analysis, I noticed the email address was spoofed, with the actual source being an account registered with Yandex, which is a Russian-based free email service, akin to Gmail, Yahoo, etc. This is something we call email spoofing; however such phishing emails can be of varying complexity, and actually quite masterfully crafted, so it truly pays to be well-aware, skilled, and vigilant when it comes to all the threats lurking out there, since even seasoned Infosec veterans can fall prey to some of the phishing campaigns or other types of attacks.

These are just some examples, but there are many more use cases where OSINT can be useful for you as an individual.

If we talk about Business Intelligence and OSINT, it is an invaluable tool that many, not only IT/software companies, currently expand on, adding new job openings, or training their staff, because they realize how it can protect their assets – be it their infrastructure, confidential data, or reputation.

Law Enforcement agencies and OSINT go hand-in-hand, since OSINT at its core is basically detective work. You can scrape all the data you want, or deploy your sophisticated automation tools, but without an analyst who is able to connect the dots, all that data means nothing. Law enforcement agencies have been using OSINT way before it became popular, or even called that way, using it to prevent various crimes, from frauds to kidnapping, human trafficking, or even murders. Today, LEA’s can reap the benefits of all that OSINT has to offer.

Also, nowadays, LEA’s, in conjunction with some organizations, even engage in something that’s known as crowdsourced OSINT or a search party. These events are organized by respective organizations, who provide the participants a gamified platform, and a CTF-like experience, where all of those who are gathered search for flags and compete with each other, in order to help out the real-world investigation. In this way, a few hundred people from various backgrounds, during an event that usually lasts around four or more hours, group up and compete in collecting the said flags which are in turn given to the LE’s by the end of the event. This is great for LEA’s because they can save a tremendous amount of time and very valuable man hours, by outsourcing their investigations to a crowd of volunteers. The participants also gain a lot by participating in a real investigation, albeit, since these are real world criminal cases, there can be very real consequences for the mental health of volunteer investigators, so caution, and of course good OPSEC, is always strongly advised. (A write up from the latest Trace Labs CTF is coming soon!)

On the flip side, since OSINT means Open, threat actors can also benefit from it, advancing their nefarious needs. In the same way a recruiter, or a sales agent, that is trained in some OSINT can scrape LinkedIn for relevant connections in order to do some cold calls, nothing stops a threat actor doing the same, for whatever purposes – their new phishing campaigns, or anything else. They can do reverse DNS lookups in order to find out more about your infrastructure, or do some GEOINT on images their targets shared, in order to figure out where they are physically located to further their goals.

Conclusion

Lastly, we would just like to emphasize on what we feel to be the main takeaway from this article, which is the fact that even though OSINT might be something a Programmer, IT Admin, or a SOC Analyst might seem to have an advantage with by default, this is not the case. Yes, you can get very (and we mean very) technical with OSINT, and that surely is a great asset to have, but, at its core OSINT is investigative/detective work. Investigators, investigative journalists, linguists, and many other professions, are already doing it in some way or form, and when further trained, can become incredibly skilled OSINT practitioners.

Of course, that doesn’t go to say that, for example, a highly motivated Sysadmin can’t become one too. And that’s what’s great about OSINT! 

Appendix

Google dorking – Usage of advanced operators in your Google searches, for various purposes

HUMINT – Defined by NATO as: a category of intelligence derived from information collected and provided by human sources 

IMINT – Analysis of imagery to find information that has intelligence value

SOCMINT – Analysis of social media with the purpose of obtaining relevant intelligence information

GEOINT  – Intelligence that is acquired by analyzing data and images that are associated with a specific location

SIGINT – Intelligence gathering by interception of signals

Dark web – Online content that is not indexed by standard search engines

OPSEC – Short for Operational security – protection of critical information and prevention of confidential and personal data leaks

Threat landscape – Defined as: a collection of threats in a particular domain or context, with information on identified vulnerable assets, threats, risks, threat actors and observed trends

Threat model – Identification, prioritization, and representation of all the information which affects the security of a given system

Email spoofing – Technique used to trick someone into thinking that the email came from another source. Mostly used in phishing attacks

LE/LEA – Law enforcement/Law Enforcement Agencies

Search Party – Group of volunteers who participate in crowdsourced OSINT CTF events, investigating a real world case – from missing persons cases to cryptocurrency money laundering and frauds, as well as drug trafficking, or CSAM

CTF – Capture the Flag – (mostly) cybersecurity competitions where competitors capture flags (pieces of data, hidden within the systems that are being attacked – usually a string in some .txt file) in order to collect points and win the challenge