OSINT stands for open source intelligence. In practice, it is the gathering, reviewing, analyzing, and making use of publicly available information, drawn from sources such as social media platforms, the internet in general, public records, brick-and-mortar libraries, and more.
Using OSINT as a tool can be very effective for both attackers and defenders in the cybersecurity space. As defenders, we can use OSINT in one-off and ongoing efforts as part of our cybersecurity program. It is a great fit within a security awareness program: for example, simulated phishing and social engineering exercises crafted around users' public social media profiles, using their job titles and personal interests to invite them to events or build similar pretexts. Educating users on what information is safe to share, and where, is part of this as well.
In cyber risk assessments we can measure the organization's volume and level of exposure. We might find that some number of company email addresses appear on social media and websites where they should not be used, or that our job postings list the technologies we use in too much detail (which attackers will be happy to see and try to take advantage of). Even a public list of partners and vendors is a potential supply chain attack vector that attackers will look into.
In short, anything we can do to minimize the amount, and more so the type, of organizational data shared online makes life harder for adversaries.
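The exposure measurement described above (company addresses turning up on public pages, job postings naming the technology stack) can be scripted. The following is an added example, not code from the original post: it aggregates a few constructed public "sources" (placeholder text, not real pages, for a placeholder domain example.com) and reports which company addresses and which watch-listed technologies appear where. The technology watch-list is an assumption; a real one is organisation-specific.

```python
import re
from collections import defaultdict

# Placeholder domain for the organisation being assessed (assumption).
COMPANY_DOMAIN = "example.com"

# Constructed sample "public sources": a job posting, a conference speaker
# page and a vendor case study. None of this text is real.
SOURCES = {
    "careers/senior-devops": """
        We run a Kubernetes 1.27 fleet on AWS with Terraform and ArgoCD.
        Experience with Okta SSO and Splunk required. Contact hiring@example.com.
    """,
    "conference/speakers": """
        Jane Doe, Staff Engineer at Example Corp (jane.doe@example.com),
        talks about migrating our monolith to Go microservices on EKS.
    """,
    "vendor/case-study": """
        Example Corp chose Acme Backup as its Veeam replacement.
        Quote from ops lead bob.smith@example.com.
    """,
}

# Technology names whose appearance in public text reveals attack surface.
# Assumption: a short illustrative watch-list.
TECH_WATCHLIST = [
    "kubernetes", "aws", "terraform", "argocd", "okta", "splunk", "eks", "veeam", "go",
]

# Addresses on the company domain; the domain part is escaped so "." is literal.
EMAIL_RE = re.compile(r"[a-z0-9._%+-]+@" + re.escape(COMPANY_DOMAIN), re.IGNORECASE)

# Whole-word matching so "go" does not fire on "argocd" or "mongo".
TECH_RES = {kw: re.compile(r"\b" + re.escape(kw) + r"\b", re.IGNORECASE) for kw in TECH_WATCHLIST}


def assess_exposure(sources, email_re=EMAIL_RE, tech_res=TECH_RES):
    """Aggregate findings across sources.

    Returns {"emails": {address: {source, ...}}, "tech": {keyword: {source, ...}}}.
    """
    emails = defaultdict(set)
    tech = defaultdict(set)
    for name, text in sources.items():
        for addr in email_re.findall(text):
            emails[addr.lower()].add(name)
        for kw, rx in tech_res.items():
            if rx.search(text):
                tech[kw].add(name)
    return {"emails": dict(emails), "tech": dict(tech)}


def source_scores(findings):
    """Number of distinct findings per source, to rank what to clean up first."""
    scores = defaultdict(int)
    for bucket in findings.values():
        for srcs in bucket.values():
            for s in srcs:
                scores[s] += 1
    return dict(scores)


if __name__ == "__main__":
    report = assess_exposure(SOURCES)
    for addr, srcs in sorted(report["emails"].items()):
        print(f"email   {addr:<28} seen in: {', '.join(sorted(srcs))}")
    for kw, srcs in sorted(report["tech"].items()):
        print(f"tech    {kw:<28} seen in: {', '.join(sorted(srcs))}")
    print("findings per source:", source_scores(report))
```

Run on real input, replace SOURCES with the text of the pages you are assessing (careers site, press releases, partner logos pages, employee talks) and keep the output as the baseline for the next assessment, so the trend in exposed addresses and named technologies is visible over time.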
Note: We need to be very careful in establishing the scope of our internal OSINT efforts, and our reporting on these. Some types of data may be out of bounds, and some may have legal issues in play.
From the perspective of attackers, OSINT is a relatively fast, easy, and low-risk (in terms of exposure) part of reconnaissance efforts. All the open source intelligence that we can seek out and use as defenders is, of course, out there for attackers to take advantage of as well.
There are a number of notable and effective free OSINT tools that can be leveraged by attackers and defenders. I like this list of 12 of those at MakeUseOf.
Two of my favorite OSINT sites are in that list. One of them is Troy Hunt's Have I Been Pwned site, which does exactly what it says on the tin and is well worth keeping track of at both an organizational and a personal level.
The second one is an outstanding tool for discovering devices exposed on the internet, which I plan to write about next week, so stay tuned :)
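One practical way to put Have I Been Pwned to use at the organizational level is its Pwned Passwords range endpoint, which lets you check a password against the breach corpus without sending the password, or even its full hash, to the service: you send the first five hex characters of the SHA-1 and compare the returned suffixes locally. The block below is an added example, not code from the original post or from Troy Hunt's project. The range response embedded in it is constructed (the counts are invented), so the check runs offline; the live query function at the end is provided for real use and is not exercised here.

```python
import hashlib
import urllib.request

PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password: str):
    """Split the upper-case hex SHA-1 of a password into the 5-char prefix
    that is sent to the service and the 35-char suffix that stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range_response(suffix: str, response_text: str) -> int:
    """Parse a range response ('SUFFIX:COUNT' per line) and return the breach
    count for our suffix, or 0 if it is not listed. Padding lines with count 0
    (sent when the Add-Padding header is used) are harmless to this logic."""
    for line in response_text.splitlines():
        line = line.strip()
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate.upper() == suffix.upper():
            return int(count)
    return 0


# Constructed stand-in for a range response for prefix 5BAA6. The first line is
# the real suffix of SHA-1("password"); the counts and other suffixes are made up.
CONSTRUCTED_RANGE_RESPONSE = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345
0000000000000000000000000000000000A:0
ABCDEF0123456789ABCDEF0123456789ABC:7
"""


def check_password_offline(password: str, response_text: str) -> int:
    """Breach count for a password given an already-fetched range response."""
    _, suffix = sha1_prefix_suffix(password)
    return count_in_range_response(suffix, response_text)


def check_password_live(password: str, timeout: float = 10.0) -> int:
    """Query the real endpoint. Requires network access; not used by the tests."""
    prefix, suffix = sha1_prefix_suffix(password)
    req = urllib.request.Request(
        PWNED_RANGE_URL + prefix,
        headers={"User-Agent": "osint-example", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        body = resp.read().decode("utf-8")
    return count_in_range_response(suffix, body)


if __name__ == "__main__":
    prefix, _ = sha1_prefix_suffix("password")
    print("prefix sent to service:", prefix)
    print("breach count (constructed response):",
          check_password_offline("password", CONSTRUCTED_RANGE_RESPONSE))
```

The privacy property comes from k-anonymity: every password whose hash shares the same five-character prefix produces the same request, so the service learns only that prefix. The Add-Padding header further hides the true size of the candidate set from anyone watching the response length.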
Nice summary, Patrick!
Two aspects of OSINT I try to "lean into" are "aggregation" and "inference." These concepts are very basic to OSINT.
Aggregation involves collecting data from various sources and consolidating it into a single repository or platform. The goal is to gather a wide range of information from publicly accessible sources such as social media, news articles, forums, blogs, government websites, public records, and more.
Inference is the process of drawing conclusions, making deductions, or forming hypotheses based on the collected aggregated data. It involves analyzing and interpreting the information to extract meaningful insights or patterns. Inference is an important step in OSINT analysis as it helps connect the dots and uncover hidden relationships or trends.
In my own experience, aggregation in conjunction with "critical thinking" allows for the development of credible inferences or conclusions on what could be happening based on the data.
Thanks for letting me offer a comment!
Ernie Hayden MIPM CISSP GICSP(Gold) PSP