OSINT is a critical aspect of a competent cybersecurity program. Once an organization has the basics in place such as EDR, multi-factor authentication, network monitoring, and robust firewall rules, conducting effective open-source intelligence represents a significant opportunity for organizations to improve their cyber readiness. Cybersecurity OSINT enables companies to:
- Understand the threats that are most likely to affect their organization
- Detect risks across the dark & clear web such as dark web threat actors targeting their organization, leaked secrets on Public GitHub Repositories, leaked credentials, and IAB’s targeting their organizations
- Understand their organization’s attack surface & exposed assets
- Deepen understanding of broader cybersecurity trends
What is Open Source Intelligence (OSINT)?
OSINT stands for open-source intelligence and is one of the core methods for intelligence collection alongside HUMINT (intelligence derived from human sources), and SIGINT (signals intelligence). OSINT provides enterprise cybersecurity teams with publicly available information that can be used to enhance security procedures, validate security controls, and improve their understanding of the threat landscape. OSINT can be split into two categories:
Passive OSINT: Passive OSINT involves collecting data that is public and easily available. For example, a security team setting up Google alerts to notify them of news articles about cybersecurity trends in their industry is an example of passive open source intelligence collection.
Active OSINT: Active OSINT involves digging a layer down and gathering information that is publicly available, but might not be as easily accessible. A threat intelligence specialist infiltrating dark web forums that requires special access or permissions would be an example of active collection of open source intelligence.
Flare Automates Cybersecurity OSINT Across the Clear & Dark Web
Flare’s SaaS Platform automates identification, collection, and structuring of OSINT data across the clear and dark web. Our intuitive platform continuously crawls the clear web including sources like public GitHub repositories, Stackoverflow, Google Dorks, and paste sites in addition to thousands of dark web forums and marketplaces to provide CTI and SecOps teams with actionable intelligence on day 1. Get started with a demo of Flare.
How is OSINT used in Cybersecurity?
Uses for OSINT in cybersecurity vary based on business requirements, cybersecurity requirements, and the teams that OSINT is being collected for. Oftentimes, threat intelligence teams will be tasked with collecting open source intelligence to meet specific goals and objectives defined by other security teams or business units.
Dark Web OSINT
The dark web can be accessed using TOR (The Onion Router) which provides a high degree of anonymization for traffic across the network. Threat actors operate incredibly complex supply chains across dark web markets, forums, and illicit communities found on applications like Telegram.
The Dark Web is a critical area for developing OSINT gathering capabilities and can provide a rich area for intelligence collection. Dark Web Threat Intelligence can provide critical information regarding:
- Tactical threat intelligence such as threat actor tactics, techniques, and procedures (TTP’s) being used against specific industries
- Intelligence regarding initial access brokers selling access to specific corporate environments
- Operational intelligence such as leaked credentials or infected devices for sale that pertain to specific companies
External Attack Surface & Cybersecurity OSINT
Gathering open source intelligence is often one of the first things that an adversary will do when preparing to conduct a targeted attack against a specific company. An attacker may look for intelligence across dozens of sources including:
- Corporate social media profiles
- Personal social media profiles
- Business directories
- Corporate websites
- Corporate PDFs and documents published online
- Third-party data sources such as sales enablement platform that provide corporate statistics
- News sources
- Press releases
- Domain registry data
- Publicly available email addresses
- Phone records
- And other sources
For cybersecurity teams, conducting OSINT on your own organization can provide invaluable insights into where there may be security gaps or unwanted data exposure. Security teams may discover that key executives are accidentally publishing confidential information on publicly available forums, exposing personal information that could be used to compromise the organization, or have social media permissions configured incorrectly.
Geopolitics & Cybersecurity OSINT
OSINT can also be instrumental in providing needed context for how geopolitical risks are changing and affecting the risk profiles of individual organizations. Developments such as Russia’s war in Ukraine, and a potential crisis over the Taiwan strait are two poignant examples of events that substantially alter the risk profile of individual countries. Routinely monitoring sources of open-source intelligence can provide extremely valuable for understanding an organization’s risk in the broader context of world events.
Vulnerability Management and OSINT in Cybersecurity
Vulnerability management is another key application for OSINT. 0-day exploits and new vulnerabilities are routinely disclosed by hundreds of software vendors and researchers on a daily basis. Security operations teams or cyber threat intelligence teams may be asked to monitor for newly disclosed vulnerabilities affecting enterprise software applications.
OSINT, Google Dorks, and Targeted Cyber Attacks
Google Dorks are a slightly more advanced collection method for open source intelligence than collecting relevant news articles or social media profiles. Both threat actors and security teams can create highly customizable Google search terms using Dorks, which can be used to turn up hard to find sources of intelligence.
For example, a simple search of a company name may turn up various publicly available company website pages which are intended for external communication. However using a Google Dork, a threat actor could search for:
filetype:PDF
When combined with another Dork containing a specific companies domain name, this would turn up all publicly available PDFs associated with the website, including ones that misconfigured permissions may have inadvertently rendered publicly available.
Cybersecurity, the OSINT Lifecycle & “Finished Intelligence”
OSINT can aid security operations teams across a wide variety of domains, but without careful collection, analysis, and contextualization can prove overwhelming. This is where the concept of “finished intelligence” comes into play. Rather than provide another definition, let’s briefly walk through a lifecycle of how open-source intelligence can be collected and used. In our example, we will use a security company that has been tasked to conduct an outsourced red teaming engagement. We will walk through exactly how they would identify, collect, and utilize OSINT throughout the reconnaissance and information gathering stage of the engagement.
Stage 1: OSINT Source Identification
First the cyber threat intelligence team would likely work to identify specific sources of intelligence that they can leverage. A good starting point would likely be:
- Social media profiles of key executives
- Corporate social media profiles
- Business directory & address information
- Dark web markets & forums
- Press releases and corporate news
- Data breaches notifications
- Compliance & regulatory fines
- Lawsuits & litigation
- Employee social media accounts
- Passive vulnerability scanning to detect at-risk machines
Stage 2: Cybersecurity OSINT Data Collection
Once the sources of data about a company and its employees had been identified, next the team would work to collect data from identified sources. In some cases it may be as simple as adding data to spreadsheets where in others the red team may have to infiltrate dark web markets & forums as part of an active OSINT approach.
Stage 3: OSINT Data is Processed & Contextualized
Once collection is complete, the red team would like to process, structure, and contextualize the data to aid in the next step, analysis. Similar data would be aggregated together and additional contextualization would be applied based on lessons from the reconnaissance performed so far in order to provide a more complete picture of the organization and its potential weak points.
Stage 4: OSINT Analysis
Finally, OSINT data would be analyzed by the red team. The red team would be seeking to answer questions that could aid them in their engagement like:
- Do specific employees have public information that could be leveraged to conduct the initial compromise of the organization?
- Does the organization have publicly available leaked passwords or files that represent a potential weak point?
- Are critical employee emails publicly available that could be used in a phishing campaign?
- Does the organization have vulnerabilities such as unpatched systems that could be easily exploited?
Stage 5: OSINT Finished Intelligence
Finally the red team would produce a piece of finished intelligence which would factor into their larger attack plan. This would likely contain key intelligence that the team could use during the engagement to facilitate access and persistence on the organization’s network or aid in detection evasion.
Cybersecurity OSINT isn’t a One Way Street
Conducting cyber reconnaissance is critical for defenders to understand what the attack surface of the organization is. However, it can just as easily be used by cyber adversaries to gain access to an organization. The entire process outlined in the red teaming engagement would also be used by a sophisticated attacker that was conducting a targeted attack against a specific entity.
This underlines the importance of conducting continuous cyber reconnaissance against your organization to understand the weak points that an attacker might attempt to leverage, so you can resolve high-risk exposure before an attacker leverages it.
Flare Can Support your OSINT Strategy
The Flare platform monitors your company’s external digital assets. The platform identifies risks across the clear & dark web and other illicit communities so you can secure your organization’s attack surface.
Book a demo today to learn more.
