By the year 2027, research suggests that almost six billion people globally will use social media.
With the vast amount of data created by this alone, open-source intelligence (OSINT) has become an increasingly valuable tool.
With a history stretching back to the Second World War, when information was collected from publicly available sources such as newspapers, radio broadcasts and even conversations among people to gain insight into the enemy's activities and intentions, OSINT provides a way to collect and analyse publicly available data which can then be used to make informed decisions.
“Open Source Intelligence is where cybersecurity experts, as well as cybercriminals, try and gather as much information as is publicly available about an organisation, asset or individual as they can, so as to use the information gathered to their advantage,” explains Ed Williams, Regional VP, Penetration Testing, EMEA at MDR leader Trustwave.
OSINT augmenting enterprise security
As Williams asserts, it is crucial to have an understanding of what OSINT is and how it can be used against an enterprise, asset or individual. “A good example of this, and one that has yielded results in the past, is job descriptions and the details they offer,” he says. “This detail can play, and has played, an important role in creating pinpointed cyber-attacks that target specific individuals, thereby making them all the more susceptible and vulnerable to these attacks.
“With this in mind, OSINT can enable companies to understand the threats that are most likely to affect their organisation; it can help experts in understanding an organisation's attack surface and exposed assets; and most importantly, OSINT deepens the knowledge pool of broader cybersecurity trends, making it all the easier to keep on top of new threats and mitigation tactics within the space.”
As Michael Skelton, Vice President, Security Operations and Researcher Success at crowdsourced security pioneer Bugcrowd comments, OSINT can significantly enhance enterprise security by providing actionable insights about potential threats.
“For example, it can be used to monitor Dark-Web and hacker forums to identify whether a company's information is being discussed or sold,” says Skelton. “Similarly, OSINT can be used to identify loose ends in the digital footprint of a company, such as unprotected servers or employees sharing sensitive info online. This could be the company's own infrastructure, or over services that a company uses. A great example of this is monitoring GitHub to ensure that contractors and employees alike haven't inadvertently disclosed company secrets or passwords.”
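As an added illustration of the GitHub monitoring Skelton describes (example code written for this article, not Bugcrowd's or any vendor's tooling), the scanner below flags well-known credential formats and high-entropy values assigned to password-like variables in a constructed sample file, while skipping obvious placeholders and environment lookups. The token prefixes (AWS access key IDs beginning AKIA, GitHub personal access tokens beginning ghp_) are publicly documented formats; every sample value is constructed, and the entropy threshold is an assumed tuning value.

```python
import math
import re
from collections import Counter
from typing import List, Tuple

# Publicly documented credential formats that can be matched by shape alone.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}
# Generic "password-like name = value" assignments; the value is group 2.
ASSIGNMENT = re.compile(r"(?i)(password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['\"]?([^'\"\s]{8,})")
PLACEHOLDERS = {"changeme", "placeholder", "example", "redacted"}


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character; random-looking secrets score high."""
    length = len(value)
    return -sum((n / length) * math.log2(n / length) for n in Counter(value).values())


def scan_text(text: str, entropy_threshold: float = 3.5) -> List[Tuple[int, str, str]]:
    """Return (line number, finding type, matched value) for each suspected secret."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        hits = [(name, m.group(0)) for name, pat in SECRET_PATTERNS.items() for m in pat.finditer(line)]
        for m in ASSIGNMENT.finditer(line):
            value = m.group(2)
            if value.lower().strip("<>") in PLACEHOLDERS:
                continue  # obvious dummy value, not a leak
            if value.startswith(("${", "os.environ", "process.env")):
                continue  # read from the environment, so nothing is stored in the repo
            if any(value in v or v in value for _, v in hits):
                continue  # already reported under a known format
            if shannon_entropy(value) >= entropy_threshold:
                hits.append(("high_entropy_assignment", value))
        findings.extend((lineno, name, value) for name, value in hits)
    return findings


# Constructed sample commit content; none of these values belong to a real system.
SAMPLE_FILE = """# constructed sample, not from any real repository
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
GITHUB_TOKEN=ghp_0123456789abcdefghijklmnopqrstuvwxyz
db_password = "changeme"
api_key = os.environ["API_KEY"]
test_password = "aaaaaaaaaaaa"
smtp_password = 'Tr0ub4dor&3xK9qLm'
-----BEGIN RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for lineno, kind, value in scan_text(SAMPLE_FILE):
        print(f"line {lineno}: {kind}: {value}")
```

In practice the same function would run over each new commit or pull request of an organisation's repositories, with findings routed to the security team for rotation of the exposed credential.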
OSINT increasingly a pivotal aspect of cyber defence strategies
Describing it as a ‘force multiplier’ for traditional cybersecurity practices, Skelton explains how OSINT can enable a more proactive approach.
“Traditionally, cybersecurity focused mainly on protecting internal systems and reacting to network-based attacks,” he says. “With the proliferation of OSINT, security professionals now can proactively gather information about potential threats and attackers, and take a more proactive approach to security. The more intelligence we have about potential threats and threat actors the better we can defend against them.”
However, as Williams stresses, it is important to consider that while OSINT is a powerful tool for security professionals, it can also be leveraged by cybercriminals to identify and attack vulnerable and misconfigured systems. Therefore, minimising the external footprint of an organisation to only what’s required should be a top priority for all CISOs.
“OSINT is a key practice in any modern cybersecurity strategy, alongside vulnerability testing and patch management,” he adds. “All practices that, whilst unable to guarantee 100% security all of the time given the evolving threat landscape, do help keep businesses up to date with all the threats and tools to protect from them.”
The ethical considerations when collecting and using OSINT
OSINT is, by its very nature, available to all on the internet. Because of this, Williams explains, it becomes important for organisations to ensure that the collection and use of OSINT data complies with all relevant laws and regulations, including data protection laws such as the EU’s GDPR.
“Whenever possible, obtaining consent from the individuals whose data is being collected can help ensure that the collection process is both legal and ethical,” he says.
“Overall, it's important for professionals to keep ethics at the top of mind when conducting OSINT investigations. While there are clear laws around computer misuse, the main feature of OSINT is the ability to gain an edge over an organisation, asset or individual. The key component of OSINT is how this information is used by both attackers and defenders.”
This viewpoint is reflected by Amir Sadon, Director of IR Research at Sygnia. “Although OSINT relies on publicly available data, the use of this data can affect people, both in the organisation and outside of it,” he describes. “When collecting this data, organisations should not only consider their investigative needs but also the ethical and regulatory impact of the data. For example, OSINT could be misused to collect information about private social media activities of employees and their surroundings.”
One of the biggest considerations with OSINT is privacy, Skelton asserts. “Just because information is publicly available doesn't mean it's ethical to collect and use. There must be a clear, well-defined purpose, and care must be taken to only use the information in line with that purpose. Additionally, there can be challenges in ensuring accuracy and validity of data collected. Misinterpretation or misuse of information can lead to harmful decisions. It's important for professionals to maintain a clear ethical guideline of what data to collect, how to use it, and, importantly, what not to do.”
To help tackle these risks, Sadon explains that data collection should be limited to a minimum and only necessary to help meet investigation goals without violating the rights of employees or others.
“Allowing or enabling technology to collect data or scan systems ‘on autopilot’ will often result in unethical or illegal data collection, and therefore a key part of ethical OSINT is to ensure data collection is controlled by humans who fully understand privacy issues and ethical concerns.”