Originally published October 4, 2021 on Teressa's website, Dark Shiny Unicorn
Author Teressa Gehrke
This blog is originally taken from a presentation I shared in August 2021 to the Rocky Mountain Chapter of the Association of Continuity Professionals. This is to help new learners have a cursory knowledge of Open-Source Intelligence (OSINT).
To start, I’m a fan of definitions, so that’s where we will begin with understanding OSINT.
What is Open Source?
Information from publicly available sources, such as online search engines, online directories, and public records.
What is Intelligence?
Information about a (potential) adversary, opponent, or attacker.
What is Open-Source Intelligence?
Information collected from publicly available sources that can be used in an intelligence context to learn more about current or future events, people, and places.
Who Uses OSINT?
All kinds of people use OSINT for recreation and professional purposes. Let’s look at a few examples. First, we have our hackers, which can be broken down into essentially good and bad.
Good hackers are often called Ethical Hackers. They are commonly known as Penetration Testers (Pen Testers). They are individuals or companies employed by another company to evaluate their network security. They are third party vendors who have permission and are authorized to look for vulnerabilities in a company’s network, exploit the vulnerability, and compile a report to the company commissioning them to help patch and strengthen their network infrastructure.
Bad Hackers are often called Threat actors or bad actors. They have malicious intent to cause harm to a person, business, or critical infrastructure. They use commonly known exploits, like phishing, scams, and social engineering to access a private network. Their maleficence often coincides with a ransomware attack with a demand for payment in cryptocurrency, that can be untraceable.
Another group using OSINT is law enforcement. They can employ informants who obtain information, typically through secretive and investigatory means. Law enforcement can use public resources to learn more about a person, place, and event, and can use that information for situations like a sting operation.
A criminal can use OSINT to gain insight into something they want to do, such as a bank robbery. They can plan the day, time, place, location, hours of operation, to name a few.
Stalkers, specifically cyber stalkers use OSINT to control someone else, like the victim they are stalking. They can research a person’s routine, address, friends, social media accounts, hack into a person’s phone, device, emails, and more to learn more about a person. The stalker can harass their victim and may cause injury or death. A person may use a “Sock Puppet”, an online disguise or persona, to inject themself into the victim’s life to learn even more about them.
If you’re single and ready to mingle, you may want to investigate the person you are dating using social media, such as LinkedIn, Facebook, Instagram, people search engines, and/or perform a background investigation.
When do you use OSINT?
Use OSINT when you need to discover information about a person, place, event, business, or an adversary. It can be used for mundane things like researching your favorite restaurant, hotel, concert, or conference. A person can “dox” themself and others. Doxing is the act of publicly revealing previously private personal information about an individual or organization, usually through the internet. Methods used to acquire such information include searching publicly available databases, social media websites, hacking, and social engineering.
OSINT can be utilized for research of a cyber security attack; competitive advantage or market research; to understand a malicious group or hacktivist activity. Furthermore, it can be used when matters are sensitive, such as insider threat. Did an employee tweet something not in the best interest of the company? In the case of corporate protection, one may use it to protect human assets like C-suite and senior level executives. And, for risk management, OSINT is useful to gather information about potential attacks or natural disasters, such as preparing for an emergency, like inclement weather.
Where do you look for OSINT?
By no means is this an exhaustive list, but it is a good starting point.
Search Engines: Google, Bing, Explorer, Duck Duck Go, Yandex
Government sites and Freedom of Information Act records
Weather reports and FEMA
Mass Media, Local News, and radio
Social Media Platforms: LinkedIn, Facebook, Instagram, YouTube, Twitter, Vimeo, Discord, etc.
Blogs and forums
Data breach dumps
Why do you use OSINT?
In the workplace, OSINT can be helpful when searching and interviewing candidates. As is the case in hiring, a company will want to ensure there are no unscrupulous employees on their roster. Related to this, is Corporate Protection or Executive Protection, referring to physical safety of high-profile executives. Another reason to utilize OSINT is for competitive advantage. Market research can lead to greater profits, understanding purchasing habits of clients/customers and understanding competitors’ value in the marketplace.
Organizations like FEMA or National Weather Service are referenced when wanting to understand natural disasters and inclement weather. This can be very helpful in business preparation, continuity, disaster recovery, and protecting business and human assets.
Lastly, we can use OSINT to determine who our threat actors are or who they might be. We can look at what is trending within a country, region, and industry. One can research nation-state and hacktivist activity which likely coincides with a social, religious, or political unrest.
OSINT Information Processing
One of the first things to consider when beginning your OSINT research is Know Your Purpose. This blog doesn’t not address networking and setting up your system. However, I caution you to secure your set up, system, and network. If you’re performing highly sensitive reconnaissance, then talk to your IT and Security department first before diving into OSINT. Find a trusted advisor about hardening your network.
There are 5 steps in performing OSINT: Source Identification, Harvesting, Processing & Integration, Data Analysis, and Results.
Source Identification: In this step, an analyst identifies potential sources of information relevant to the target / threat. This is an iterative process as you sift through data
Harvesting is collecting information from multiple sources, categorize and classify data
Processing & Integration: searches captured information for actionable intelligence
Data Analysis analyzes available information. Search for connections and additional data points, often using tools to assist in the analysis.
Documentation is key and there are several tools used for OSINT development
It’s important to confirm OSINT data and that it is sound and factual. Verify with multiple agencies and sources. Fact Check!
Results and findings are presented, reported, or used to leverage a counterattack, preventative, or proactive measure.
Some parting words for those who are new to OSINT and want to explore further:
Remember your purpose for doing OSINT and the goals you want to achieve.
There are different levels of OSINT. Be mindful of the level of depth and protect your environment, especially if you’re doing OSINT to counter attacks against threat actors and nation-states.
OSINT can play a key role in providing valuable feedback to a company in the case of business continuity and disaster recovery, and even competitive advantage.
Anyone can leverage OSINT, you don’t have to be a spy!
About the Author: Teressa Gehrke is the Founder & CEO of PopCykol, a cyber security awareness company for kids. She has worked in cyber security since 2014 as a technical writer, project manager, and customer experience consultant. She holds a master's degree in Genetic Anthropology and International Development from Colorado State University and studied computer networking and network security. She’s an award-winning children’s music singer-songwriter and brings her children's music and artistry to PopCykol.