The rapid growth of public data has made open-source intelligence (OSINT) an established tool for managing business security threats. For a long time, open-source intelligence remained the purview of the law enforcement community; few people considered using OSINT for corporate security. Before looking at how OSINT tools bolster organizational security, it is important to understand what OSINT means.
Open-source intelligence (OSINT) is the practice of collecting and analyzing information from publicly available sources, both covert and overt, to create intelligence that can be acted upon. An OSINT framework is a method that combines data, processes, techniques, and tools to help security teams identify publicly available information.
In January 2020, Fiserv's corporate security team advised against executive travel to China due to the threat of a disease outbreak. This recommendation was made weeks before most U.S. companies acknowledged COVID-19, and it was based on OSINT.
Organizations make use of open-source intelligence tools for several reasons, including threat intelligence and due diligence. By monitoring online forums, social media, and other public sources, organizations can identify potential vulnerabilities or attacks before they occur and take proactive measures to mitigate these risks.
However, OSINT has its downsides. Due to the vast amount of online data available, it is easy to generate a large quantity of raw data using OSINT. Unfortunately, not all of this data is useful. Often, the data generated through OSINT is irrelevant to the current needs of the organization. This can result in a waste of resources and manpower.
Therefore, while OSINT can be a valuable tool in corporate security, it is important to acknowledge its limitations and complement it with other tools and strategies, such as external attack surface management (EASM), to ensure comprehensive threat monitoring and analysis.
According to Accenture, data loss is the most expensive part of a cyberattack, costing an average of $5.9 million. OSINT can help malicious actors find data about not just the organization's externally exposed assets, but also the exposed information relevant to it.
Different types of OSINT and how they can assist attackers
The dark web is a valuable source of intelligence for attackers. From personal information to credit card numbers, the dark web has it all. Through dark web OSINT, attackers can purchase hacking services, malware, and other tools. Vulnerabilities identified in software or hardware can then be exploited in an attack.
Email is usually the primary mode of communication in organizations, and countless emails are sent and received by employees every day. Attackers can use OSINT techniques, such as web scraping and social media monitoring, to gather large numbers of email addresses. These addresses can then be used to launch targeted spear-phishing attacks. The emails used in spear-phishing attacks are highly personalized and designed to appear legitimate, tricking unsuspecting employees into clicking a malicious link or attachment. Once clicked, the link or attachment can infect their computer with malware and even steal login credentials.
Third-party affiliations: OSINT on an organization's third-party relationships can give attackers deep insight into its vulnerabilities. By gathering information about these relationships, attackers can identify potential targets and entry points that can be exploited in a cyber attack. This information can also be used to craft a targeted social engineering attack that appears to come from a trusted source.
By analyzing information about how other threat actors have successfully compromised machines, attackers can identify common weaknesses or misconfigurations that may exist in an organization's networks or systems. This information can then be used to craft more targeted and effective attacks against those systems. The compromised machines can be used to build a botnet.
Web OSINT investigation is the easiest way for attackers to obtain publicly available open-source data about their target organization using a search engine. This includes anything from the names, social media accounts and email addresses of the organization's employees to information about its systems and other business processes. It may involve searching company websites, social media profiles, and online forums. Such information can be used to create targeted phishing emails, social engineering attacks, or even physical attacks such as theft or surveillance.
Open-source intelligence comes from data sources that are available to hackers and defenders alike. OSINT is widely used by organizations to assess their attack surface. Using OSINT for intelligence gathering can help organizations see the complete picture of their asset inventory and potential vulnerabilities. It also helps organizations prepare for vulnerability scanning and red teaming exercises by identifying areas of exposure that might not otherwise have been taken into consideration. This allows organizations to see their attack surface from a hacker's perspective.
After collecting data through OSINT, security teams can better plan their risk management strategy by including the newly discovered assets and vulnerabilities. However, efficiently assessing and monitoring this open-source data while taking actionable measures to mitigate these risks is another task. This is where automation comes in.
OSINT data is collected from publicly available sources, such as social media platforms, blogs, forums, news articles, or other websites. However, the data collected from these sources can be incomplete, inaccurate, or even intentionally misleading. As a result, it can be difficult to separate valuable data from noise. Since nobody is accountable for OSINT data, organizations cannot rely on it blindly for their corporate security. OSINT data requires proper verification before it can be considered credible.
Organizations can collect vast amounts of raw data about themselves by using OSINT. However, using this data to improve the organization's security posture is not that simple. The data generated by OSINT must be analyzed and correlated properly before it can be used to assess corporate security. Additionally, organizations need to ensure that the data they collect and analyze is accurate and up-to-date. OSINT data can become outdated quickly, especially if it is time-sensitive. This can limit the effectiveness of the data and make it less valuable for security purposes.
One of the main challenges when using OSINT data is dealing with information overload. The amount of data that needs to be scanned to obtain relevant information about a single threat actor is enormous. To make matters worse, the information available is often scattered across multiple sources and is presented in a variety of formats, making it difficult to sort through and identify relevant data points. Thus, the identification of relevant information from the vast amounts of data available takes a lot of time and requires a great deal of expertise.
An OSINT scan may provide many data points related to a target IP address, but it does not include any context or meaning. This makes it very difficult to understand the severity of the issues at hand. OSINT tools might not have access to certain sources and hence might provide insufficient information. This lack of comprehensive data can lead to incomplete analysis.
Due to the sheer amount of open-source intelligence (OSINT) data available, there is a greater chance of encountering false positives. While OSINT can be a valuable tool for gathering information, it lacks context. Therefore, skilled professionals are needed to perform OSINT data analysis and sift through the data to find what matters. This process is resource-intensive and time-consuming.
Therefore, OSINT cannot be relied upon solely for corporate security and must be used as part of a larger attack surface management strategy.
Although OSINT can help organizations find loads of open-source information about their attack surface and potential threats, it has a few downsides. Generating information using OSINT is a tedious and time-consuming process. New OSINT sources come up every day, and different sources provide different APIs. Correlating, collating and normalizing these huge volumes of data is another challenge. Data collection via OSINT is rendered useless if the response time is delayed by incompatibility across this vast array of information sources.
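To make the normalization, correlation and staleness problems from the two preceding passages concrete, here is an added example (not code from the original article or from any EASM vendor) that folds two constructed feeds with different schemas into one deduplicated queue and drops findings older than a configurable age. Both feed formats and all hostnames, IPs and addresses are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample records in two hypothetical feed formats. Neither is a
# real vendor API; they exist only to show the schema mismatch the text describes.
FEED_A = [  # certificate/DNS-style feed: 'host' key, ISO-8601 timestamp
    {"host": "Mail.Example.COM.", "ip": "198.51.100.10",
     "seen": "2024-05-01T00:00:00Z", "kind": "subdomain"},
    {"host": "vpn.example.com", "ip": "198.51.100.11",
     "seen": "2023-01-15T08:00:00Z", "kind": "subdomain"},
]
FEED_B = [  # paste/leak-style feed: 'asset' key, epoch seconds, duplicated entry
    {"asset": "mail.example.com", "ts": 1714521600,
     "type": "exposed_email", "detail": "admin@example.com"},
    {"asset": "mail.example.com", "ts": 1714521600,
     "type": "exposed_email", "detail": "admin@example.com"},
]

def canon_host(h):
    """Lower-case and strip the trailing dot so one host matches across feeds."""
    return h.strip().lower().rstrip(".")

def normalize_a(rec):
    seen = datetime.strptime(rec["seen"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"asset": canon_host(rec["host"]), "kind": rec["kind"],
            "detail": rec["ip"], "seen": seen, "source": "feed_a"}

def normalize_b(rec):
    seen = datetime.fromtimestamp(rec["ts"], tz=timezone.utc)
    return {"asset": canon_host(rec["asset"]), "kind": rec["type"],
            "detail": rec["detail"], "seen": seen, "source": "feed_b"}

def collate(records, now, max_age_days=90):
    """Merge normalized records by (asset, kind, detail) and drop findings
    older than max_age_days so stale OSINT never reaches the analyst queue."""
    merged = {}
    for r in records:
        if now - r["seen"] > timedelta(days=max_age_days):
            continue  # stale: time-sensitive data that is no longer actionable
        key = (r["asset"], r["kind"], r["detail"])
        e = merged.setdefault(key, {"asset": r["asset"], "kind": r["kind"],
                                    "detail": r["detail"], "sources": set(),
                                    "last_seen": r["seen"], "hits": 0})
        e["sources"].add(r["source"])
        e["last_seen"] = max(e["last_seen"], r["seen"])
        e["hits"] += 1
    return sorted(merged.values(), key=lambda e: (e["asset"], e["kind"]))

def build_queue(now=datetime(2024, 5, 15, tzinfo=timezone.utc)):
    recs = [normalize_a(r) for r in FEED_A] + [normalize_b(r) for r in FEED_B]
    return collate(recs, now)

if __name__ == "__main__":
    for e in build_queue():
        print(e["asset"], e["kind"], e["detail"], sorted(e["sources"]), e["hits"])
```

With the constructed data, four raw records collapse to two actionable entries: the duplicated leak record is merged (two hits) and the 2023 subdomain record is dropped as stale.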
This is where automation becomes essential. Automation enables organizations to seamlessly translate Open Source Intelligence (OSINT) into actionable intelligence, which can enhance their overall cybersecurity posture. This helps security teams focus their efforts on incident response.
Relying solely on OSINT techniques for data collection invites the risk of false positives due to the sheer volume of the data available. Manually sifting through data and trying to correlate all of it can leave security teams with huge amounts of unactionable raw data.
Automated threat intelligence can help organizations gather information systematically in one dashboard for easy analysis and reporting. It can also scan multiple OSINT sources with significantly fewer false positives, taking over the overwhelming task of analyzing and sorting the OSINT data.
With automated External Attack Surface Management (EASM) platforms, security teams can streamline processes that would be incredibly burdensome to perform manually. Time spent on gathering and investigating information on suspicious IP addresses, domains, emails and other publicly available information can be greatly reduced with automation. Additionally, automated tools often give users the ability to perform multiple tasks from the same interface, including visualization.
Here is a direct comparison between traditional OSINT and an Automated EASM tool.