What is OSINT?
Any intelligence collected legally from open, public sources is known as Open Source Intelligence Gathering, or OSINT. With so much information freely available on social media and other online sources, OSINT is often the most effective method for profiling people or groups, gathering evidence, or following up on reports of suspected attacks or fraud.
OSINT grew out of spycraft as it shifted away from clandestine methods of information gathering (think phone tapping and couriers ferrying secure communications) and toward scouring publicly available information like newspapers and files or databases. With the advent of the internet, vast amounts of information became accessible to anyone, and OSINT became increasingly useful not just to sophisticated government and law enforcement agencies, but to financial crime analysts, fraud and brand misuse investigations and particularly – to cybersecurity analysts.
Cybersecurity teams frequently use OSINT for OPSEC (operational security) by understanding what information about their company is available in the public domain. OSINT is a great way to find out if any private information has intentionally been leaked, especially on social media, or perhaps accidentally exposed on public sources without proper authorization or approval.
OSINT on the deep and dark web
OSINT is not limited to research on the surface web – it can also be conducted on the deep or dark web. OSINT can still be applied to sites requiring login or subscription — as long as analysts can gather the information legally, without violating any access rules. And, that extends to the dark web.
If you’re using the dark web for OSINT, it’s important to remember:
- Paying for hacked/stole items doesn’t qualify as OSINT and create legal problems for the analyst and their organization
- Any website could introduce malicious code to your computer, but this is especially true on the dark web, where site owners often set boobytraps to track potential adversaries
- There is some anonymity to using the dark web, but there are still lots of details given to site owners about your identity — you’ll need to take special percussions to control your digital fingerprint
How is OSINT used in threat intelligence gathering?
In addition to being a valuable technique for OPSEC, OSINT can also be used to gather threat intelligence to proactively reduce cyber risks. OSINT is used to analyze, monitor and track cyberthreats from targeted or indiscriminate attacks against an organization.
If an issue is caught by a threat intelligence platform (TIP) or subscription service, the job of an OSINT analyst is to dig deeper and gather any available information across surface, deep and dark web to understand the urgency and scope of the potential problem. For example, a TIP may identify that company’s email addresses and passwords have been found for sale on a dark web site. An analyst would want to look at the complete package to assess the risk of bad actors using this information for future phishing attacks or data breaches. Investigators may also gather valuable insights on how the email addresses may have been obtained and where the weaknesses in the enterprise security perimeter lie. Additional information about attackers’ tactics and methods can be gleaned from various dark web forums. Having a thorough understanding of how the dark web works and how to use it as a resource without exposing their organization to risks is an essential skill for any OSINT analyst.
Homegrown solutions are no longer sufficient for OSINT research
Using the local computer and network to collect open source content puts OSINT teams and investigators at risk. In To minimize the risk, organizations use a variety of tools such as client-side virtualization, VPNs, segregated storage and advanced malware-scanning solutions. These are costly to deploy, and the complicated IT management requirements create security and attribution gaps.
Tools like Silo for Research offer a fully isolated, anonymous and secure platform designed for the demands of OSINT teams. They protect analysts and their organizations during the information gathering process and keep researchers compliant through collection, collaboration and production. A specialized solution like Silo for Research, gives analysts an isolated browsing platform for accessing social media sites, forums, and other web-based resources without ever touching the web. It also gives them control of their digital fingerprint to avoid tipping off subjects and adversaries during their investigation.
OSINT automation: a valuable resource for time-strapped analysts
Analysts are always under pressure. Especially when they are investigating a fast-moving incident or impending threat, they can’t afford to waste any time – researchers need to process as many data sources as possible in the shortest amount of time. And this is where automation is most valuable. Automation help you target more sources in less time, removing the human bandwidth limitation, increasing output and productivity, and saving valuable time to remediate issues faster.
OSINT is a fast-growing, multi-faceted discipline, and an increasing number of organizations, even beyond financial corporations and federal and law enforcement agencies, are investing in tools that can help make their analysts’ jobs easier and accelerate issue resolution times.
- Among many important considerations for OSINT automation tools are:
- How they manage footprint and attribution
- Whether they can rotate IP addresses and imitate various locations and time zones
- How effectively they can protect networks from accidental exposure to malware
- The ease of storing and sharing sensitive data
- Whether they can comply with industry and company audit requirements
The more sophisticated your adversary is – more time and effort is required to set up a successful OSINT strategy. With data constantly changing, the number of sites analysts need to investigate grows every single day. Automation – especially using the right tools and techniques – can help ensure that teams are gathering the most relevant data as quickly and efficiently as possible, while keeping investigations – and investigators – secure.
For more information on OSINT and how to protect your investigators, see: