Opensource Intelligence

1. What is OSINT?

OSINT, short for Open-Source Intelligence, is data that has been obtained from publicly-available sources, that are accessible without payment. OSINT is widely used within law enforcement work, cyber crime activities such as planning an attack, or for business operation purposes, such as checking out the competition. This course will primarily be focusing on the application of OSINT tools and techniques for both red (offensive) and blue (defensive) teams. Let’s explore some examples of OSINT data:

• A company that has a public web page that introduces some/all of their employees (think a “meet the team!” page). An attacker could use this to very easily gather a list of targets for social engineering attacks. Some sites may even include contact email addresses or phone numbers, which can aid the social engineering process dramatically.

• Job Descriptions that leak information about a company’s internal systems (example: a system administrator role requiring experience with Windows Server 2016 and Solaris). An attacker can use this to plan internal attacks, lateral movement, and privilege escalation once they have gained a foothold in the network.

• Photos on social-media that are geotagged and contain device information in the metadata (example: that nice photo you shared on holiday? we can find where that is, usually in a matter of seconds – and the device you took it on).

• Reading a user’s social-media profile to build up a profile of them (information such as date of birth, locations, friends, interests, family). This can be used to learn more about an individual, which is commonly done pre-interview so that employees can get a sense of how the person will act in the workplace.

• Exposing Cyber Criminals. Whilst this begins to move into the Threat Intelligence domain, it is possible to use OSINT sources and social-engineering skills to identify the true identity of cyber criminals, and pass the details to law enforcement. Whilst this is out of scope for this entry-level course, it shows how powerful OSINT can be in the right hands.

2. Use cases

OSINT can be a powerful ressource for defenders, law enforcement, businesses and as well for attackers.

2.1 Defenders

By looking at the information that is available on the internet, defenders can take steps to reduce this, or implement other controls that will mitigate attacks or reduce their effectiveness. If an attacker was able to build a detailed profile on an employee, this could be very dangerous. However, if that employee has had security training, then they will potentially be better at spotting malicious emails and social engineering attacks. By removing information online that may aid an attacker, the defenders are reducing the attack surface, which is the total area that an attacker could exploit to gain access to internal systems. This activity is often referred to as conducting public exposure assessments. Examples include gathering information employees put on social media, identifying internet-facing assets, DNS checks, finding old login portals or websites, and much more

2.2 Law Enforcement

Government and Police organisations will utilise OSINT to track persons-of-interest, such as criminals, suspects, and terrorists. Profiling is the activity of collecting information on an individual to build up a picture of their personality and behaviour. This can be used to predict where they will be at certain times, based on interests and previous locations. OSINT can be used to uncover the identities of cyber criminals that have poor OPSEC (operational security – the practice of hiding yourself online by disassociating your online persona with your real self). It can also be used to help find missing persons (a great example of this is Trace Labs, a non-profit organisation that hosts online OSINT CTFs, which actually work to track missing people and assist law enforcement).

Hackers find missing people

2.3 Businesses

Businesses can utilise OSINT to keep an eye on the competition, watch for market activity, learn more about their customer and how to best engage with them, improve business operations via data enrichment, and also monitor for security risks such as leaked credentials, employees sharing confidential information, or hackers planning attacks

2.4 Attackers

OSINT sources can be a great way to discover information about a target company or individual. By working out what systems a company uses, the right exploits and attack methods can be planned out in advance. Employee information can be harvested, allowing potentially effective social-engineering attacks, and spear-phishing email campaigns to be conducted, tailored to their intended targets to make them more believable. A company should be careful about what information their systems and employees are sharing online. The process of collecting this information for malicious purposes is commonly referred to as target information gathering, or passive information gathering (because the attacker is not directly engaging with the target’s systems, such as port or vulnerability scanning).