The use of open-source intelligence (OSINT) is becoming increasingly important within IT security departments. OSINT includes the acquisition, collection, analysis and consolidation of information that is available from publicly available sources such as the internet.
It is a great opportunity for IT security teams to track down internal data that should not be public – including, for example, open ports and networked devices. Loads of information that should not have been made public can also be found on social networks and websites. Nevertheless, OSINT is a great data and information source for not only IT admins and other professionals who oversee the company’s IT security, but also cybercriminals who profit from open-source intelligence when trying to attack the company, using public information as a useful database.
Nowadays, hacker groups work in a more sophisticated way than ever before – also due to the enormous financial and human resources that are at their disposal. Still, before proceeding with the actual attack, they have to do their “homework,” trying to spy on their victims and gathering as much information as possible to be able to identify the target’s weak spots. The easiest way to do that? Going through the world’s biggest information source; the World Wide Web.
From mass media and social media channels to public data such as government reports, commercial data or information easily searchable by search engines – there are many options for attackers to gain valuable perspective on almost any topic. The internet is a near infinite source that cybercriminals can easily take advantage of. But at the same time, IT admins can use publicly available sources to identify information about their company, its IT security posture and other data unnecessarily being exposed.
Although the purpose, legal framework and intention of use differ, it seems that thanks to OSINT both IT security specialists and cybercriminals often use the same information sources. If we turn this fact into a metaphor, open-source intelligence is roughly comparable to a weapons cache where both police officers and gangsters procure their weapons.
Which OSINT tools are on the market and for what purpose can they be used?
With the help of Shodan, for example, it is possible to detect IoT devices, OT (operational technology) systems and open ports.
- Maltego, a tool able to help identify hidden relationships between people, domains, companies, document owners and other entities. The information is then visualised via an intuitive user interface.
- Metagoofil, a tool to extract metadata from publicly available documents, providing crucial information about IT systems (usernames, software versions, MAC addresses, etc.).
- TheHarvester, one of the most widely used OSINT tools with great ease of use, offers visibility into what an attacker can see about your organisation, including subdomains, hosts, emails and open ports. TheHarvester not only analyses Google and Bing, but also lesser-known search engines such as DNSDumpster or the metadata search engine Exalead.
Most importantly for defenders, no matter the tool used to gather information about and test your defences, it is critical to always follow the penetration testing policy of your organisation and of those whose services you may be contracting.
Is OSINT legal?
As already explained, OSINT can identify public and freely accessible information. From that point of view, it is completely legal in most western countries. However, it's important to be cautious when it comes to data protection requirements.
How exactly do cybercriminals use OSINT in their attacks?
Cybercriminals try to identify relevant data sources in order to develop corresponding attack methods – ideally without leaving any traces. It is not uncommon for cybercriminals to leverage modern information and communication technologies that automate these tasks.
Example 1: Spear-Phishing
Search engines, like Google, excel at using the internet to search for personal and professional information about people. For this purpose, career-oriented social networks such as LinkedIn and XING are often and easily used. But other social media channels offer useful details too (such as names of pets and relatives) – all of which can be used to crack passwords. Data obtained like this can be misused to identify valuable targets too (mostly people with extensive rights for their own user accounts or access to confidential information).
Example 2: Security Vulnerabilities
With the help of OSINT, attackers search for security gaps, such as unpatched devices, open ports, poorly configured cloud storage or even accidentally published information, in order to identify potential targets.
And how can IT specialists use OSINT to secure the company?
When using OSINT, corporate security teams are primarily aiming to become aware of the publicly accessible information about their own IT systems, with the purpose of closing security gaps. These include, for example:
- Open ports and insecure networked devices
- Unpatched software
- Information about the devices and software they use, such as software versions, device names, networks and IP addresses
OSINT is also useful for IT managers, helping them to identify public information outside the company, such as content on websites and on social media. In addition, they can obtain information from non-indexed websites and files, which are also referred to as the deep web. Even though they do not appear in the search results, they are technically public and therefore accessible via OSINT tools.
If you want to use OSINT as part of your cyber-risk management, you should define a clear strategy in advance and deal with the following questions:
• Would you like to identify network and software vulnerabilities?
• Would you like to identify publicly available assets that can be used by hackers to select appropriate attack vectors?
• Would you like to find out if there are any risks associated with the posts employees share on social media?
You should also be aware that during analysis, a large amount of data is generated. Therefore, it is crucial that the process is largely automated. Also, regular penetration tests, taking OSINT into account, have proven useful.
In addition to important endpoint protection measures such as using an antivirus solution, firewall or cloud sandboxing as well as regular training for all employees in the company, strategies related to OSINT should also be integrated into your security concept.