Threat intelligence has received much attention from security teams in the last few years. In their fight against threat actors, security teams need every possible tool and mechanism in their arsenal. Threat intelligence (TI) analyzes data from one or more threat intelligence feeds, which carry a continuous stream of data about current security threats. Once meaningful insights are derived, organizations can make faster, better informed, and more granular security decisions. Of all the subtypes of threat intelligence, open-source intelligence is the most popular; it is also often misunderstood and underutilized.
What is Open-source Intelligence?
Section 932 of the National Defense Authorization Act for Fiscal Year 2006 (or Public Law 109-163) defines open-source intelligence as,
“intelligence that is produced from publicly available information and is collected, exploited, and disseminated in a timely manner to an appropriate audience for the purpose of addressing a specific intelligence requirement.”
In its terminology database, NATO has expanded the scope of open-source intelligence by including “other unclassified information that has limited public distribution or access.”
Put plainly, open-source intelligence refers to publicly available information about an individual or organization that can be gathered within legal boundaries. OSINT is an overt data collection method: the data is collected openly, in plain sight. Covert data collection methods, on the other hand, involve gathering data secretly and are usually considered illegal.
While it is true that the internet has led to an explosion of publicly available information, limiting the understanding of OSINT to the internet is a myopic view. Open-source information falls into six categories: media, internet, public government data, professional and academic publications, commercial data, and grey literature.
Role of OSINT in Cybersecurity
OSINT exposes a security team to a plethora of information. For an analyst, this can be a blessing and a curse: security teams can access every piece of information they need, but they also face an endless flow of data, which can easily result in information overload. In day-to-day security operations, OSINT has two critical use cases:
Penetration Testing and Red Teaming
Security teams use OSINT to identify vulnerabilities in an organization’s IT infrastructure. In offensive security practices and well-known red teaming frameworks, information gathering is one of the earliest steps a security team undertakes; in formally defined frameworks and standards, it is usually conducted in the reconnaissance phase.
Using OSINT in penetration testing and red teaming helps discover external-facing assets, the services they expose, and their vulnerabilities, enabling security teams to remediate existing vulnerabilities before attackers exploit them. Vulnerabilities commonly found with the help of OSINT include:
- Accidental leakage of sensitive or protected confidential information
- Outdated or unpatched software
- Exposure of proprietary assets on the public internet
- Open ports
This use of open-source intelligence is also called the ‘attacker’s view’ of your organization, as the same vulnerabilities would be visible to cyber attackers too. On the defensive side, organizations and businesses often use a solution known as ‘External Attack Surface Monitoring’ to monitor and reduce their external attack surface.
Identify Potential Threats and Attacks
OSINT can help security teams understand the potential threats their organizations face from adversaries. The internet is an excellent source of information about current threats, emerging trends, and evolving attack vectors. Security teams can use publicly available information to protect their IT infrastructure against a zero-day vulnerability, or implement defensive measures to prevent a new type of cyber-attack from damaging their systems. OSINT enables security teams to prioritize their time and resources on the most severe threats.
With the increasing acceptance of OSINT in security operations, security tools that ingest OSINT feeds, such as SIEM (Security Information and Event Management) and SOAR (Security Orchestration, Automation, and Response), have seen a positive response. To use OSINT data efficiently, a security team must identify, correlate, and verify multiple data points before any action is taken. SIEM and SOAR tools automate intelligence gathering and analysis, which helps security teams address new threats in the shortest possible response time.
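The correlate-and-verify step described above, as an added example that is not part of the original article: it loads a constructed indicator feed, matches it against constructed log lines, escalates only indicators corroborated by at least two independent feeds, and orders hits by severity so the most severe threats come first. The feed names, log formats and all indicator values are assumptions made up for the example.

```python
import re
from collections import defaultdict

# Constructed sample feed rows: (indicator, feed name, severity). All values are made up.
FEED_ROWS = [
    ("198.51.100.23", "feed_alpha", "high"),
    ("198.51.100.23", "feed_beta", "medium"),  # same indicator reported by a second feed
    ("203.0.113.9", "feed_alpha", "low"),
    ("203.0.113.9", "feed_alpha", "low"),      # duplicate row from the same feed
    ("bad.example", "feed_gamma", "high"),
]
# Constructed sample log lines; the firewall and DNS formats are hypothetical.
LOG_LINES = [
    "2024-01-01T10:00:01Z fw DENY src=198.51.100.23 dst=10.0.0.5 dport=22",
    "2024-01-01T10:00:02Z fw ALLOW src=10.0.0.7 dst=203.0.113.9 dport=443",
    "2024-01-01T10:00:03Z dns query=bad.example client=10.0.0.9",
    "2024-01-01T10:00:04Z fw ALLOW src=10.0.0.8 dst=192.0.2.1 dport=80",
]
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3}
KV_RE = re.compile(r"(\w+)=(\S+)")

def load_feed(rows):
    """Collapse raw feed rows into indicator -> (set of feeds, highest severity)."""
    feeds, severity = defaultdict(set), {}
    for indicator, feed, sev in rows:
        feeds[indicator].add(feed)  # a set, so duplicate rows do not inflate the count
        if indicator not in severity or SEVERITY_RANK[sev] > SEVERITY_RANK[severity[indicator]]:
            severity[indicator] = sev
    return {ind: (feeds[ind], severity[ind]) for ind in feeds}

def extract_candidates(line):
    """Pull the key=value fields that carry an IP or hostname worth checking."""
    return {value for key, value in KV_RE.findall(line) if key in ("src", "dst", "query")}

def correlate(log_lines, rows, min_feeds=2):
    """Match log fields against the feed, escalate only indicators corroborated by
    at least min_feeds independent feeds, and order the hits by severity."""
    feed = load_feed(rows)
    hits = []
    for line in log_lines:
        for value in extract_candidates(line):
            if value in feed:
                sources, sev = feed[value]
                hits.append({"indicator": value, "severity": sev, "sources": sorted(sources),
                             "action": "escalate" if len(sources) >= min_feeds else "review",
                             "line": line})
    # Highest severity first; Python's sort is stable, so log order breaks ties.
    hits.sort(key=lambda h: SEVERITY_RANK[h["severity"]], reverse=True)
    return hits
```

A single-feed hit is marked for analyst review rather than escalated, which is the verification step that keeps a noisy or stale feed from driving automated action on its own.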
Can OSINT be a problem?
If open-source intelligence is freely available to you, it is equally available to attackers. Attackers use OSINT to identify potential targets and to find exploitable vulnerabilities in the target’s assets. Once attackers identify a vulnerability, the exploitation process is not very difficult. We have seen many small and medium enterprises (SMEs) become victims of cyber-attacks for this reason. An attacker may have no specific interest in a target organization; however, discovering vulnerabilities in its IT assets requires no special effort. In other words, SMEs are easily exploitable targets for attackers.
Attackers do not use OSINT only for gathering technical information about a target organization. They also employ social engineering techniques to collect information about individuals associated with an organization, which can then be used in targeted phishing, vishing, and smishing campaigns. Attackers can use the information an individual shares on social media to prepare a customized campaign in line with the target’s interests. As a result, even well-meaning employees are tricked into sharing their credentials or giving access to their company’s IT assets.
The problems identified in the last section highlight why security professionals must consider OSINT in their security operations. OSINT allows you to find and fix vulnerabilities in your IT infrastructure and implement remediation measures before attackers exploit them. This is precisely what we do through BreachLock’s cloud-based penetration testing platform: help you find, fix, and prevent the next cyber breach.