The cybersecurity industry often gets obsessed with technology: the latest exploits, hacking tools and threat hunting software. In reality, a lot comes down to people. It’s people who develop malware, people who hit the red button to launch attacks and, on the other side, people who are tasked with defending against them. To this end, OSINT, or open source intelligence, is an important but often overlooked “human” element of cybersecurity.
The bottom line is that whatever you can find out online about your organization, so can the bad actors. That thought alone should drive ongoing OSINT efforts to mitigate cyber-risk.
How is OSINT used?
The term OSINT was first used outside the cybersecurity industry, referencing military and intelligence efforts to gather strategically important but publicly available information in matters of national security. While post-war spy efforts focused on different ways to obtain information (e.g. HUMINT, SIGINT), by the 1980s OSINT was back. With the advent of the web, social media and digital services, there is now a huge resource for OSINT actors to gather intelligence on every part of an organization’s IT infrastructure, as well as its employees.
For CISOs, the primary goal is to find any of this information that may pose a risk to the organization, so they can mitigate that risk before it’s exploited by threat actors. One of the most obvious ways to do this is by running regular penetration tests and Red Team exercises, which tap OSINT to find weaknesses.
Here’s how OSINT can be used by attackers and defenders:
How security teams can use OSINT
For pen testers and security teams, OSINT is about uncovering publicly available information on internal assets, as well as info outside the organization. Sometimes sensitive information is found in metadata that has been accidentally published by the organization. Useful intel on IT systems could include:
- Open ports and insecurely connected devices
- Unpatched software
- Asset information such as software versions, device names, networks and IP addresses
- Leaked information such as proprietary code on Pastebin or GitHub
Outside the organization, websites and particularly social media can be a trove of information—especially on employees. Suppliers and partners may also be oversharing certain details of your IT environment that would be better off kept private. Then there’s the vast expanse of non-indexed websites and files known collectively as the deep web. This is technically still publicly available and therefore fair game for OSINT.
How threat actors use OSINT
Of course, there’s a flip side to all of this. If information is publicly available, anyone can access it – including threat actors.
Among the most common examples are:
- Searching social media for personal and professional information on employees. This could be used to select spearphishing targets (i.e. those likely to have privileged accounts). LinkedIn is a great resource for this kind of OSINT. However, other social sites may also reveal details such as birth dates and the names of children and family pets, any of which could be used to guess passwords.
- Scanning for unpatched assets, open ports and misconfigured cloud data stores has been made relatively cheap and easy thanks to the power of cloud computing. If they know what to look for, attackers can also search sites such as GitHub for credentials and other leaked information. Sometimes passwords and encryption keys are embedded in code, which is how Uber was breached, via a leak on GitHub.
RELATED READING: Spring cleaning? Don’t forget about your digital footprint
Is OSINT legal?
OSINT is all about finding information that is publicly available, so in that respect it’s absolutely legal, at least in most Western countries. Where data is password-protected or made private in any other way, there could be repercussions for OSINT teams if they go looking for it. Scraping data from social media sites is also against most of these companies’ terms of service. Pen testing teams would usually seek to define what is on- and off-limits before starting their work with a client.
Popular OSINT tools
For CISOs keen to use OSINT as part of their cyber-risk management efforts, it’s important to start with a clear strategy. Understand what you want to get out of projects – is it to detect network weaknesses and software vulnerabilities or gain knowledge of where employees are oversharing on social media? Then shortlist the tools and techniques you want to use to collect and mange that data. The volumes of data involved will require a high degree of automation here.
Some common tools include:
Shodan: A highly popular way to scan for IoT devices, OT systems, open ports and bugs.
Maltego: Designed to unmask hidden relationships between people, domains, companies, document owners and other entities, and visualize it via an intuitive UI.
Metagoofil: Extracts metadata from publicly accessible documents to provide users with useful information on IT systems (directory trees, server names etc).
Google Dorking: Not a tool as such, but a technique for using search engines in a more advanced way to locate specific information. By crafting specific queries, individuals could gain access to servers, web pages and information that admins may otherwise think are private. It’s also known as Google hacking.
We would be remiss in not singling out OSINT Framework and OSINT.Link, two vast repositories of resources that can be explored and used for gathering intel from publicly available sources.
In closing, whatever route you take, OSINT is an increasingly important part of cybersecurity. A well-designed strategy can add another dimension to your risk management efforts.