Open-source intelligence (OSINT) is generating more buzz every year in security spaces, from employee training programs to pundits on the news, but what is OSINT, and why is it important?
Open-source intelligence refers to the collection of information and data that exists in the public realm. According to the Penetration Testing Execution Standard, developed by a group of cross-industry information security practitioners, OSINT is “a form of intelligence collection management that involves finding, selecting, and acquiring information from publicly available sources and analyzing it to produce actionable intelligence.” As such, OSINT is a reconnaissance process: it is used to gather information, determine entry points into an organization, and then strategize an approach to a penetration test or, perhaps more significantly, a malicious attack against a target group or network.
Who uses OSINT?
The term was originally coined by government and military intelligence communities, and OSINT crossed into the private sector by way of information security teams in industry, specifically penetration testers and offensive or red teams. These professional groups often overlap, which makes certain skill sets, such as critical thinking and pattern analysis, more desirable, but the relationship between effective data gathering and tactical, opportunistic decisions is vital to an attacker as well.
What is included in OSINT, and how can that information be used against me?
Organizations, as part of their marketing and customer or employee relations efforts, often create their own social media profiles and sometimes entire data-sharing platforms, adding to the wealth of free and public information online. Websites like LinkedIn, Monster, and Glassdoor all serve as repositories for press releases that were the result of carefully-planned projects. Websites like these may also include employee reviews and further information about a company. The online OSINT Framework lists the many information sources available, from IP addresses and public or business records to geolocation, digital currency, and even the Dark Web.
Much of this data has been posted without confidentiality or other considerations, though organizations are beginning to understand why some types of public information can be a liability. Even so, in 2019 OSINT is still largely treated as an afterthought when reviewing and assessing organizational security postures and maturity. As long as the databases and archives stay online, that information could contribute to an attacker’s strategy.
As a specific example, listing employee email addresses online can provide an attacker with an email address naming structure that can then be used in the attacker’s next phishing scheme.
Reviewing and assessing which data is public information, via your organization’s website or through third-party sites, is imperative to ensure network security.
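One way to run that review for email addresses, as an added example that is not part of the original article: the script scans text from your own public pages for addresses on your domain and checks them against your staff roster to report whether a naming structure is visible. The page text, names, and example.com domain are constructed sample data, and the list of conventions is an assumption.

```python
import re
from collections import Counter

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")

# Assumed set of common local-part conventions, built from (first, last).
CONVENTIONS = {
    "first.last": lambda f, l: f"{f}.{l}",
    "flast": lambda f, l: f"{f[0]}{l}",
    "firstl": lambda f, l: f"{f}{l[0]}",
    "first": lambda f, l: f,
}

# Constructed sample data: text of our own public pages and our staff roster.
DOMAIN = "example.com"
ROSTER = [("Dana", "Whitfield"), ("Omar", "Reyes"), ("Lin", "Cho")]
PAGES = {
    "/about/team": "Contact Dana Whitfield (dana.whitfield@example.com) "
                   "or Omar Reyes at omar.reyes@example.com.",
    "/press/2019-launch": "Media inquiries: press@example.com. "
                          "Quote supplied by dana.whitfield@example.com.",
    "/careers": "Send resumes to jobs@example.com or to our recruiter "
                "at partner@recruiter.example.net.",
}

def audit(pages, roster, domain):
    """Report which of our own addresses are public and what they reveal."""
    exposed = {}  # address -> set of pages it appears on
    for path, text in pages.items():
        for addr in EMAIL_RE.findall(text):
            addr = addr.lower()
            if addr.endswith("@" + domain):  # ignore third-party domains
                exposed.setdefault(addr, set()).add(path)
    personal, role = {}, []
    for addr in sorted(exposed):
        local = addr.split("@")[0]
        # A local part that matches a staff name under some convention is personal.
        match = next((name for name, fmt in CONVENTIONS.items()
                      for f, l in roster
                      if fmt(f.lower(), l.lower()) == local), None)
        if match:
            personal[addr] = match
        else:
            role.append(addr)  # shared mailbox such as press@ or jobs@
    counts = Counter(personal.values())
    convention = counts.most_common(1)[0][0] if counts else None
    return {"personal": personal, "role": role, "convention": convention,
            "pages": {a: sorted(p) for a, p in exposed.items()}}

if __name__ == "__main__":
    print(audit(PAGES, ROSTER, DOMAIN))
```

Personal addresses in the report are candidates for replacement with role mailboxes or a contact form on the pages listed for them.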
Prior to most vulnerability scanning or probing, an attacker has completed their own OSINT homework on the target; this can also be said about security service providers or internal team members when beginning a penetration test.
Email addresses, domain names, proprietary information, and honest employee reviews are just a few pieces of information often found with some efficient research. With a bit more digging and by connecting the dots, a savvy attacker can identify the security holes that open a door into a corporate network, undetected.
Humans are social animals, and we love sharing information about ourselves, such as what we do for a living and our favorite sports teams, but we may also inadvertently share the hardcoded credentials to our infrastructure!