What is OSINT and why is it important?
OSINT, or open source intelligence, refers to insights gathered from data that is publicly available and accessible by anyone. This generally means information found on the internet, but any public information is considered OSINT, including news, articles, social media posts, and blog posts, as well as data that is collected and openly shared by people or organisations.
Because OSINT is legal, based on publicly available information, organisations can use it freely to provide valuable insights, support decision-making and enhance security across sectors. In cybersecurity and threat intelligence, OSINT is used to identify vulnerabilities, track malicious actors and monitor emerging threats. OSINT enables security professionals to better understand the tactics, techniques, and procedures used by cybercriminals, enabling organisatios to enhance their defences and proactively respond to potential attacks.
OSINT has its origins in the military, where it was used for espionage and strategic intelligence gathering. Military forces relied on sources such as newspapers, journals, press clippings, and radio broadcasts to gather valuable information. This practice continued during World War II, as US Allies studied German newspapers and listened to radio broadcasts to gain insights. The UK Foreign Research and Press Service, and the BBC Monitoring Service all incorporated OSINT into their operations to understand activities as quickly and efficiently as possible.
Subsequently, during the Cold War, the CIA and KGB utilised OSINT to understand their adversaries' strategies and capabilities. Even without the internet, newspapers, official announcements and publicly available databases could be combined to produce useful intelligence. The term OSINT was created to describe this specific type of intelligence gathering and espionage technique.
Today, OSINT is used in a variety of sectors to address security concerns, whether military, geopolitical, physical or cybersecurity.
OSINT use cases in cybersecurity and other use cases
OSINT can be used in cybersecurity for:
- Threat intelligence. Online forums, social media platforms and other publicly accessible sources can be monitored to identify the tactics, techniques, and procedures (TTPs) used by malicious actors
- Vulnerability assessment. By analysing public vendor announcements, security advisories and cybersecurity forums, OSINT can provide up-to-date information on the latest vulnerabilities affecting software, hardware or systems, as well as vulnerabilities arising from third-party vendors, partners, or suppliers.
- Social engineering and phishing detection. OSINT helps in detecting social engineering attacks and phishing campaigns by analysing online platforms and social media channels to gather information about potential targets, employees, or key individuals within an organisation
- Brand protection. OSINT can be generated from the monitoring of social media, review websites and other online platforms to identify brand impersonation, customer complaints or negative sentiment
- Incident response. During cybersecurity incidents, OSINT can collect evidence, track attackers, and provide contextual information, such as indicators of compromise (IOCs), compromised accounts or leaked data
In addition to its uses in the military and cybersecurity, OSINT is also used in law enforcement, investigative journalism, business investigations, research and more.
The OSINT framework is a structured approach used to gather, analyse and utilise open-source information. Common components of an OSINT framework include:
- Planning and objective setting to identify the information needs and scope of the investigation, as well as the sources to be explored and the specific techniques and tools to be utilised
- Data collection to collect information from a variety of open sources - including websites, social media platforms, news articles, public databases, forums, blogs, and more – using OSINT tools and techniques like web scraping, advanced search operators, data mining and social media monitoring
- Data analysis to evaluate the credibility, reliability and relevance of the information, as well as identify patterns, connections and key insights using data visualisations, link analysis and correlation methods
- Information synthesis and reporting to organise and present the information in a structured format – e.g., reports, briefings, or intelligence products – to effectively communicate the findings and insights derived from the analysis
- Continuous monitoring and feedback to update the collected information for new sources, and emerging trends and feedback loops to improve the OSINT process and incorporate lessons learned
OSINT frameworks can be adapted and customised based on the specific needs and objectives of the organisation.
Techniques & best practices
There are several techniques for collecting and analysing publicly available information to create OSINT effectively. To start with, analysts use search engines like Google, Bing and Yahoo to filter and refine search results to find relevant information using advanced search operators.
Web scraping, which involves using software tools to extract data from websites, can pull relevant data from multiple websites, enabling analysts to gather large amounts of data quickly and efficiently.
Data analysis tools like Excel, Tableau, and R enable analysts to identify patterns, trends and relationships within large datasets.
Security research tools like Maltego, FOCA, Shodan, TheHarvester and Recon-ng are used to analyse open-source data from various online sources.
As new technologies and sources of information become available OSINT techniques are constantly evolving, so it's important for analysts to stay up-to-date on new techniques and tools to effectively gather and analyse OSINT.
Examples of OSINT sources
A wide range of sources can be leveraged for OSINT purposes. Beyond web content, social media and news, examples of the sources and the data that can be utilised for OSINT purposes include:
- Online Forums and Communities. Forums, discussion boards and online communities related to specific topics or industries
- Public Databases. Publicly available databases, such as government records, property records, corporate filings, court documents and licensing databases
- Academic Research. Scholarly journals, research papers, conference proceedings, and dissertations
- Publicly Available Government Reports. Reports, white papers, and studies published by government agencies and international organisations
- Online Directories. Online directories, yellow pages, professional networks and association websites
- Publicly Available Maps and Satellite Imagery. Mapping platforms and satellite imagery of locations, infrastructure and terrain.
- Publicly Available Data Leaks. Data breaches, leaks and public disclosures of exposed data, vulnerabilities or potential risks
Issues with OSINT
While OSINT has many benefits, there are also some potential issues and challenges associated with it.
The accuracy and reliability of information obtained through OSINT can be a concern. Publicly available sources may contain misinformation, biased opinions or outdated data. It is crucial to verify and cross-reference information from multiple sources to ensure its accuracy.
The massive volume of open-source data can be challenging to filter, analyse and prioritise. Effective data management, filtering, and analytical techniques are needed to extract meaningful insights efficiently.
Although the information collected is from publicly available sources, there are still ethical and privacy rights concerns to consider. It is important to ensure compliance with legal and ethical guidelines, respecting individuals' privacy and avoiding unauthorised access to sensitive information.
Without proper context, information may be misinterpreted, leading to incorrect conclusions or actions. Analysts must have the necessary subject matter expertise and contextual understanding to derive accurate insights.
While OSINT can provide valuable information for defensive purposes, it can also be exploited by bad actors for cyber attacks. Hackers use OSINT, so it’s vital that organisations are aware of any potentially damaging information they may inadvertently expose, and implement appropriate security measures to protect sensitive data.
Addressing these issues requires skilled analysts, sound methodology and the right tools to ensure the reliability and relevance of the obtained OSINT.
OSINT tools include software applications, platforms or services that facilitate the collection, analysis and visualisation of information from publicly available sources. These tools are vital for threat intelligence teams to gain full visibility into threats, bad actors, motivations and targets. Without them, intelligence teams can be bogged down by the manual collection, validation, deduping and standardisation of unstructured data across search engines, OSINT feeds, Twitter, reports and more.
Silobreaker was founded to help organisations find and prioritise threats based on unstructured OSINT data on the web and specialises in taking this text-heavy and conversational data from millions of sources in different languages, normalising the data set, and at the click of a button providing insight from that data and how it relates to your Priority Intelligence Requirements (PIRs).
Our data source-agnostic platform allows you to compare sources and measure reliability and credibility faster and more effectively. It also allows you to analyse and visualise information to identify relationships between people, organisations and places.
We bring all the steps of the Threat Intelligence Lifecycle together in one place; from the management of cyber, physical and geopolitical PIRs to the automated collection and processing of structured and unstructured, open-source, deep and dark web and finished intelligence data; to the analysis, production and dissemination of intelligence.
Find out how Silobreaker can help your threat intelligence team produce high-quality and relevant intelligence faster, and enable your decision-makers to act more quickly to reduce risk and protect the organisation.