top of page

Using OSINT Reconnaissance to Protect Your Organization

Author Britton White

keyboard keys jumbled in a pile

Open Source Intelligence (OSINT) reconnaissance involves using publicly available resources to passively gather information on a target (a person or organization).

To best protect your organization, take the mindset of a threat actor. Ask yourself these questions and perform some OSINT reconnaissance to get the answers.

  • What information is available on the web which can be used to target your organization?

  • How can they break in, or otherwise gather enough information for a Phishing/Vishing (Social Engineering) attack?

Think about how your current policies and procedures may help protect against these types of attacks, or if your policies and procedures are weak and need revising. From there, ask yourself, do employees know/understand what our security policies and procedures are? Understanding is the key word here.

Don’t forget about your third-party vendors, business associates, etc. You can perform this same reconnaissance on them. Just don’t try to log in anywhere unless you’re authorized to do so.

OSINT Reconnaissance Tools

I use the following sites extensively for OSINT reconnaissance. There are automated tools that many use for a quick snapshot of information that I choose to look for manually.

VirusTotal - Analyzes suspicious files, URLs and hashes. Reports on possible malicious reputation.

Sub Domain Finder - Locates subdomains tied to a domain. - Reports on devices that are accessible from the Internet. - Reports on devices that are accessible from the Internet.

For the sites like and, one is able to enter specific search strings via specific query syntax for refined recon. As an example for shodan, you can enter “ip:x.x.x.0/24” to find all IPs in that range that are externally facing. Another is “country:us state:NY org:medical”. Be creative and search for vendors like vmware. Another shodan search example is “country:us vmware”.

Zenmap - This is the NMAP security scanner graphic user interface. If I find open ports in Censys or Shodan (for a specfic IP address), I then run a scan in Zenmap to confirm that the information is correct. - A DNS lookup which enables researchers to find hosts related to a domain. – Locates all domains owned by individuals and companies. Uses names or email addresses for the lookup.

Security Trails – Reports on current and historical information for IP addresses, domain names, DNS.