OSINT definition
Open source intelligence (OSINT) is the practice of collecting information from published or otherwise publicly available sources. OSINT operations, whether practiced by IT security pros, malicious hackers, or state-sanctioned intelligence operatives, use advanced techniques to search through the vast haystack of visible data to find the needles they're looking for to achieve their goals—and learn information that many don't realize is public. Open source in this context doesn't refer to the open-source software movement, although many OSINT tools are open source; instead, it describes the public nature of the data being analyzed.
OSINT is in many ways the mirror image of operational security (OPSEC), which is the security process by which organizations protect public data about themselves that could, if properly analyzed, reveal damaging truths. IT security departments are increasingly tasked with performing OSINT operations on their own organizations to shore up operational security.
OSINT history: From spycraft to IT
During the 1980s, the military and intelligence services began to shift some of their information-gathering activities away from covert activities like trying to read an adversary’s mail or tapping their phones to discover hidden secrets. Instead, effort was put into looking for useful intelligence that was freely available or even officially published.
The world at the time was changing, and even though social media had not yet made the scene, there were plenty of sources like newspapers and publicly available databases that contained interesting and sometimes useful information, especially if someone knew how to connect a lot of dots. The term OSINT was originally coined to refer to this kind of spycraft.
These same techniques can now be applied to cybersecurity. Most organizations have vast, public-facing infrastructures that span many networks, technologies, hosting services and namespaces. Information can be stored on employee desktops, in legacy on-prem servers, with employee-owned BYOD devices, in the cloud, embedded inside devices like webcams, or even hidden in the source code of active apps and programs.
In fact, the IT staff at large companies almost never knows about every asset in their enterprise, public or not. Add in the fact that many organizations also own or control several additional assets indirectly, such as their social media accounts, and there is potentially a lot of information sitting out there that could be dangerous in the wrong hands.
Why is OSINT important?
OSINT is crucial in keeping tabs on that information chaos. IT needs to fulfill three important tasks within OSINT, and a wide range of OSINT tools have been developed to help meet those needs. Most tools serve all three functions, though many excel in one particular area.
Discovering public-facing assets
The most common function of these tools is helping IT teams discover public-facing assets and map what information each one exposes that could contribute to the organization's attack surface. In general, they don't try to look for program vulnerabilities or perform penetration testing. Their main job is recording what information someone could find publicly on or about company assets without resorting to hacking.
Discovering relevant information outside the organization
A secondary function that some OSINT tools perform is looking for relevant information outside of an organization, such as in social media posts or at domains and locations that fall outside a tightly defined network. Organizations that have made a lot of acquisitions, bringing along the IT assets of the companies they merge with, could find this function very useful. Given the extreme growth and popularity of social media, looking outside the company perimeter for sensitive information is probably helpful for just about any group.
Collating discovered information into actionable form
Finally, some OSINT tools help to collate and group all the discovered information into useful and actionable intelligence. Running an OSINT scan for a large enterprise can yield hundreds of thousands of results, especially if both internal and external assets are included. Piecing all that data together and being able to deal with the most serious problems first can be extremely helpful.
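The two defender-side tasks described above, reconciling publicly visible hostnames against the asset inventory and collating raw findings into a ranked list, can be illustrated with a small script. This is an added example, not code from the article or from any OSINT tool it mentions; the certificate-log-style records, the inventory, the `example.test` hostnames and the findings list are all constructed sample data, and the scoring rule (severity plus a bump for assets missing from inventory) is an assumption chosen for illustration.

```python
"""Added example: reconcile publicly discovered hosts against an inventory and
collate OSINT findings into a prioritised report. All data below is constructed."""
import json
from collections import defaultdict

# Constructed sample shaped like certificate-transparency log entries
# (one hostname list per issued certificate). Not real data.
CT_RECORDS_JSON = json.dumps([
    {"issuer": "Example CA", "names": ["www.example.test", "*.example.test"]},
    {"issuer": "Example CA", "names": ["Legacy-Portal.example.test."]},
    {"issuer": "Other CA", "names": ["dev-jenkins.example.test", "www.example.test"]},
    {"issuer": "Other CA", "names": ["unrelated.other.test"]},
])

# Constructed: what the IT inventory believes the organisation owns.
KNOWN_ASSETS = {"www.example.test", "mail.example.test"}
ORG_DOMAINS = ("example.test",)          # assumed scope for this example

SEVERITY = {"critical": 4, "high": 3, "medium": 2, "low": 1}

# Constructed findings as several hypothetical OSINT sources might report them.
# Note the duplicate on dev-jenkins with inconsistent casing and a trailing dot.
FINDINGS = [
    {"asset": "dev-jenkins.example.test", "type": "exposed-admin-ui",
     "severity": "high", "source": "search-engine"},
    {"asset": "DEV-JENKINS.example.test.", "type": "exposed-admin-ui",
     "severity": "high", "source": "cert-log"},
    {"asset": "www.example.test", "type": "staff-email-in-public-doc",
     "severity": "low", "source": "document-metadata"},
    {"asset": "legacy-portal.example.test", "type": "credential-in-paste-site",
     "severity": "critical", "source": "paste-site"},
    {"asset": "www.example.test", "type": "verbose-error-page",
     "severity": "medium", "source": "web-crawl"},
]


def normalise_host(name):
    """Lower-case, drop the trailing dot and a leading wildcard label so that
    the same host reported by different sources compares equal."""
    name = name.strip().lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    return name


def in_scope(host, org_domains=ORG_DOMAINS):
    """True if host is one of the organisation's domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in org_domains)


def discover_hosts(ct_json, org_domains=ORG_DOMAINS):
    """Extract unique, in-scope hostnames from CT-style records."""
    found = set()
    for record in json.loads(ct_json):
        for raw in record.get("names", []):
            host = normalise_host(raw)
            if in_scope(host, org_domains):
                found.add(host)
    return sorted(found)


def unknown_assets(discovered, known=KNOWN_ASSETS):
    """Hosts that are publicly visible but absent from the inventory."""
    known_norm = {normalise_host(k) for k in known}
    return sorted(h for h in discovered if h not in known_norm)


def collate(findings, known=KNOWN_ASSETS):
    """Group findings per normalised asset, merge duplicates of the same type,
    keep the highest severity seen, and rank assets for triage."""
    by_asset = defaultdict(dict)
    for f in findings:
        host = normalise_host(f["asset"])
        entry = by_asset[host].setdefault(
            f["type"], {"severity": f["severity"], "sources": set()})
        if SEVERITY[f["severity"]] > SEVERITY[entry["severity"]]:
            entry["severity"] = f["severity"]
        entry["sources"].add(f["source"])

    known_norm = {normalise_host(k) for k in known}
    report = []
    for host, types in by_asset.items():
        top = max(SEVERITY[t["severity"]] for t in types.values())
        in_inventory = host in known_norm
        # Assumed rule: shadow assets outrank known ones at equal severity.
        score = top + (0.0 if in_inventory else 0.5)
        report.append({"asset": host, "score": score, "in_inventory": in_inventory,
                       "findings": sorted(types),
                       "sources": sorted(set().union(*(t["sources"] for t in types.values())))})
    report.sort(key=lambda r: (-r["score"], r["asset"]))
    return report


if __name__ == "__main__":
    hosts = discover_hosts(CT_RECORDS_JSON)
    print("discovered:", hosts)
    print("not in inventory:", unknown_assets(hosts))
    for row in collate(FINDINGS):
        print(row["score"], row["asset"], row["findings"], row["sources"])
```

The normalisation step matters more than it looks: without it, the two reports about `dev-jenkins` would be counted as two separate problems, and a wildcard certificate would never match anything in the inventory. The ranking puts the credential leak on the unknown legacy portal first, which is the "deal with the most serious problems first" outcome the text describes.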
While OSINT techniques are often used by malicious hackers as reconnaissance before they launch an illegal attack, for the most part the tools and techniques themselves are perfectly legal—after all, they're designed to help you home in on data that's published or otherwise in the public view. Even government agencies are encouraged to use OSINT techniques to ferret out holes in their own cybersecurity defenses.
Following the trail opened by these OSINT queries can get you into legal grey areas, however. Media Sonar has published some good advice on how to stay on the right side of the law. For instance, it's not illegal to access public areas of the dark web, and it can be important to do so if you're trying to determine whether your organization's data has been breached or stolen; but you shouldn't try to buy collections of stolen data as part of your research, or impersonate a law enforcement officer to shake information out of shady characters.
In general, it's important to develop a code of conduct in advance to guide your employees' behavior on these expeditions, and to document everything you do to demonstrate that you're sticking to those guidelines and haven't broken any laws.
Not every hack or intrusion involves advanced persistent threats or deep, sophisticated penetrations. Hackers, like everyone else, will take the easiest path to their objectives. There is no need to try to crack tight cybersecurity through many months of effort if the information they want is available through a publicly accessible channel. At the very least, sensitive information can be used as a shortcut to obtaining valid credentials or to help plan an effective intrusion with less effort or risk.
OSINT tools can help organizations get a grip on what information is available about them, their networks, data and users. Finding that information quickly is key since it would allow for its removal before someone can exploit it. These tools can be a strong boost during that most critical race.