OSINT stands for open-source intelligence. It is the collection, analysis, and dissemination of information from publicly available sources, such as social media, government reports, newspapers, and other public documents. OSINT is commonly used by intelligence agencies, private investigators, and law enforcement to gather information about an individual or organization. The OSINT framework showcases the multiple ways in which organizations can gather intelligence.
As a valuable tool for gathering intelligence, OSINT can provide insight into a variety of topics, including current events, criminal activity, and potential security threats. It can also be used to investigate individuals or organizations, track the spread of information, and monitor the online activity of individuals or groups.
The practice of OSINT has become increasingly important, as a vast amount of information is available online that can be analyzed to gain valuable insights. However, OSINT is not always used for legal purposes. Cybercriminals can use OSINT to gain insight into their targets, as this helps them create more targeted and in-depth attacks that are usually more effective. For example, cybercriminals will conduct OSINT using LinkedIn to learn more about employees within an organization to curate a sophisticated phishing attack.
As a result, it is important that organizations have the right operational security (OPSEC) in place to limit the amount of information about employees that is exposed on public forums.
OPSEC (Operational Security) is a set of best practices and measures designed to protect sensitive information from being compromised. OPSEC involves analyzing potential threats and applying measures to protect sensitive information and prevent unauthorized access. This can include secure communication channels, encryption, and physical security measures.
OPSEC aims to minimize the risk of sensitive information being obtained by malicious actors who could use the information to harm organizations and individuals. Assets, reputation, and privacy can be protected by following some OPSEC best practices.
Why is OSINT so effective?
OSINT can be gathered from a wide range of publicly available sources. It is important to note that OSINT is just one tool in the intelligence-gathering toolkit and it is not always effective on its own. The OSINT framework is a suitable place to start when conducting intelligence collection on a particular individual or organization, as it brings together a variety of tools and techniques.
OSINT can provide real-time intelligence, allowing anyone to monitor and respond to changes in the environment in a timely manner. As OSINT does not involve any physical intrusion or other risky behavior, it is a low-risk method of gathering information. Due to the nature of OSINT, there is often a wealth of information available that can be used by bad actors to create targeted cyberattacks through social engineering techniques, such as spear phishing.
Unlike other intelligence-gathering techniques, OSINT is non-intrusive and does not require the target’s cooperation or consent. Ultimately, this makes it easier and less expensive for cybercriminals to gather intelligence on a potential target.
How do attackers use OSINT?
Attackers can use OSINT to learn about a potential target to launch more effective and targeted attacks. Below are some common examples of how attackers might use OSINT to choose their victims.
- Target selection: Potential targets can be identified, including individuals with valuable assets or a high profile, or organizations whose weak security allows attackers to target their employees.
- Reconnaissance: Information can be gathered about targets, including their phone number, email address, social media profiles, and other personal information that will then be used for the attack.
- Social engineering: Convincing social engineering attacks can be created to entice a target into falling victim, including spear phishing, smishing, or vishing attacks.
- Physical security: Information on physical security measures can be obtained, such as access control systems, security cameras, or security personnel, to plan a physical attack or gain unauthorized access to a facility.
- Malware delivery: Potential vulnerabilities can be identified in web applications, network infrastructure, or software that can be exploited to deliver malware. An example of this is the use of Emotet malware in Microsoft OneNote attachments.
- Data exfiltration: Valuable data can be identified that can be exfiltrated from a targeted individual or organization once breached, such as customer data or financial information.
When is OSINT used in the cyber kill chain?
The cyber kill chain is a framework used to describe the stages of a cyberattack. The seven stages of the cyber kill chain are listed below, along with how OSINT can be used during each stage.
- Reconnaissance: Attackers initially gather information about their potential target that can be used to identify potential vulnerabilities or attack vectors, including email addresses, employee names, and network topology.
- Weaponization: After the reconnaissance is complete, attackers create or acquire the tools and techniques they will use in the attack. Cybercriminals use OSINT to identify exploit kits, malware, or other tools that can be used to attack the victim.
- Delivery: Once the attack is weaponized, the attacker delivers the payload to the target. OSINT allows the cybercriminal to identify potential delivery mechanisms, such as email, social media, or other channels.
- Exploitation: The attacker attempts to exploit a vulnerability in the target system to gain access. OSINT helps the attacker identify potential vulnerabilities or weaknesses that can be exploited.
- Installation: When the attacker has gained access to the targeted system, they can then install their tools and establish a foothold. OSINT would then be used to monitor activity and gather additional intelligence about the attack.
- Command and control: During this stage, the attacker establishes a command-and-control channel that allows them to control the compromised system. OSINT can be used to monitor the organization’s communication and identify the location of the command-and-control server.
- Actions on objectives: At this stage, the attacker carries out their intended actions, such as damaging systems, installing malware, or exfiltrating data. OSINT can be used to monitor the attacker's activity and gather intelligence about their objectives and tactics.
Overall, OSINT can be a valuable tool throughout the cyber kill chain, allowing attackers to identify potential vulnerabilities and monitor activity in real time.
What can employees do to protect themselves from OSINT?
Protecting employees from OSINT can be challenging, as much of the information that is gathered is publicly available. There are, however, some steps that can limit the amount of information that employees make available online.
Employees should always be mindful of the information that they share online. It is important to avoid sharing information such as a home address, phone number, personal email address, or any other sensitive data they would not want to be publicly available. Employees should also periodically review their privacy settings to make sure that they are not sharing more information than they intend to.
It is also particularly important to use strong, unique passwords for every account and to enable multi-factor authentication wherever possible, which helps protect accounts from unauthorized access, including when credentials are exposed in a password breach. It is also essential that employees’ software and operating systems are kept up to date with the latest security patches, as this helps protect systems from vulnerabilities that could be exploited by attackers. Setting up a password manager to securely store passwords is especially useful, as it allows employees to use strong, unique passwords for important accounts.
By following these steps, employees can help protect themselves from OSINT and reduce the amount of personal information that is available online. In addition, it is important to ensure your organization has the right technical controls in place to detect highly targeted attacks that are informed by OSINT. Increasingly, organizations are deploying integrated cloud email security (ICES) solutions, such as Egress Defend, which use AI models to detect the advanced phishing threats that get past the native security in Microsoft 365 and traditional security controls (secure email gateways).