Whether it’s information on emerging threats or monitoring your company’s digital footprint, you don’t always need to pay big money to get top insights. This article describes open source intelligence and highlights five excellent sources of freely available information that can bolster your cybersecurity defenses.
What is Open Source Intelligence (OSINT)?
Open Source Intelligence (OSINT) refers to collecting and analyzing publicly available information from various sources to derive insights or intelligence for cybersecurity uses. This type of intel contrasts with proprietary intelligence, which you usually pay for because specialized providers conduct dedicated threat research and analysis to uncover this information.
For red teams in cybersecurity, OSINT is an invaluable tool. A red team’s primary goal is to simulate adversarial threats and assess the defensive capabilities of an organization. By leveraging OSINT, red teamers can:
Understand your company: Many businesses hire external red teams because it’s usually more cost-effective, which means the team starts with little inside knowledge. OSINT gives it a comprehensive view of your organization’s digital footprint, including details about employees, technologies in use, business operations, and more.
Plan attacks: Using the knowledge gathered, red teams can craft more realistic and effective attack scenarios that mimic the techniques of real-world adversaries.
Tailor social engineering attacks: OSINT can provide personal information about employees (e.g., birthdays, hobbies, affiliations from social media profiles) that red teams may use to tailor their simulated phishing campaigns or other social engineering attacks.
Leverage intel to gain access: Other types of intel, such as leaked credentials posted on pastebin sites, can be identified and used by red teams to gain access during an engagement.
Raise awareness: By demonstrating the potential risks of publicly available data, red teams help organizations understand and prioritize their security measures.
Beyond red team exercises, OSINT enables your business to proactively adapt and respond to the dynamic threat landscape. Any information that lets you predict and halt hackers’ next moves is worth gathering, especially if it’s freely available. But where are some good places to gather OSINT? That’s what this post explores next.
5 Useful Sources of OSINT
Here’s a rundown of five useful sources of open source threat intelligence for red teaming and other cybersecurity uses.
1. Dark Web
Normal search engines like Google and Bing don’t index or have access to the dark web. Instead, you need to use the Tor network or other similar services to get to this veritable underground dungeon of the online world.
The dark web hosts a plethora of sites and services, some of which indulge in illegal activities. Despite its notorious reputation, the dark web can be a goldmine of information from an OSINT perspective.
Contrary to some beliefs, not everything on the dark web is illicit. Political activists, journalists, and others who require anonymity due to the nature of their work or the political climate in their countries can benefit from the dark web.
Here are some types of OSINT you can look for on the dark web:
Data breaches—One of the primary OSINT uses of the dark web is identifying data breaches. Hackers often sell or even give away stolen data on dark web marketplaces. By monitoring these platforms, you can see whether credentials belonging to any of your employees are for sale or have been posted.
Emerging threats—Dark web forums are breeding grounds for discussions about new hacking tools, methods, or planned cyberattacks among hackers who know the anonymity of the dark web protects their identity. Tapping into these discussions may offer you a heads-up on potential threats to your IT environment.
Malware analysis—Newly developed malware or ransomware often first appears on the dark web. Early access to samples lets cybersecurity professionals develop countermeasures proactively.
Insider threats—Occasionally, disgruntled employees might seek to harm current or former employers by selling insider information or access. Monitoring dark web discussion forums can help you identify these threats.
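The breach-monitoring use case above (and the pastebin leaks mentioned earlier in the red team list) comes down to one routine check: given a dump that has surfaced, which of your own accounts are in it? The following is an added example, not code from the original article or from DIESEC. It assumes the organization's domain is example.com, that dumps arrive as text with one record per line in the common email:password, email;password, email,password or email|password layouts, and it works on a constructed sample dump embedded in the script. It only records whether a password was present and whether it looks like a plain hash digest, which is all a defender needs to prioritize forced resets.

```python
import re
from dataclasses import dataclass

# Constructed sample dump (made-up addresses and values, not real data).
# Real dumps mix separators and casing, and often repeat addresses.
SAMPLE_DUMP = """\
alice@example.com:Summer2023!
Bob.Smith@Mail.Example.com;0123456789abcdef0123456789abcdef
carol@example.org,hunter2
dave@example.com
eve@exampleXcom:pass
# comment line a paste site might add
frank@sub.example.com:ghi
ALICE@example.com
"""

EMAIL_RE = re.compile(r"^([A-Za-z0-9._%+-]+)@([A-Za-z0-9.-]+\.[A-Za-z]{2,})$")
# 32/40/64 hex characters: the usual lengths of MD5, SHA-1 and SHA-256 digests.
HEX_HASH_RE = re.compile(r"^(?:[0-9a-fA-F]{32}|[0-9a-fA-F]{40}|[0-9a-fA-F]{64})$")
SEVERITY = {"none": 0, "hash": 1, "plaintext": 2}


@dataclass(frozen=True)
class Exposure:
    email: str        # normalised to lower case
    secret_kind: str  # "plaintext", "hash" or "none" (address only)


def _split_record(line):
    """Split on the earliest of the separators dumps commonly use."""
    positions = [(line.index(sep), sep) for sep in ":;,|" if sep in line]
    if not positions:
        return line.strip(), ""
    idx, _ = min(positions)
    return line[:idx].strip(), line[idx + 1:].strip()


def _belongs_to(domain, org_domain):
    """True for the org domain itself and any of its subdomains."""
    domain, org_domain = domain.lower(), org_domain.lower()
    return domain == org_domain or domain.endswith("." + org_domain)


def find_org_exposures(dump_text, org_domain):
    """Return one Exposure per affected address, keeping the worst kind seen."""
    found = {}
    for raw in dump_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        email, secret = _split_record(line)
        m = EMAIL_RE.match(email)
        if not m:
            continue
        local, domain = m.groups()
        if not _belongs_to(domain, org_domain):
            continue
        norm = f"{local.lower()}@{domain.lower()}"
        if not secret:
            kind = "none"
        elif HEX_HASH_RE.match(secret):
            kind = "hash"
        else:
            kind = "plaintext"
        prev = found.get(norm)
        if prev is None or SEVERITY[kind] > SEVERITY[prev.secret_kind]:
            found[norm] = Exposure(norm, kind)
    return sorted(found.values(), key=lambda e: e.email)


if __name__ == "__main__":
    for exposure in find_org_exposures(SAMPLE_DUMP, "example.com"):
        print(f"{exposure.email:35} {exposure.secret_kind}")
```

Addresses are deduplicated after lower-casing, subdomains of the org domain count as yours, and a record with a plaintext password outranks one with only a hash or no secret at all. The split on the earliest separator avoids misreading a password that itself contains a colon or comma.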
2. Telegram
The popular Telegram instant messaging app is emerging as a cybercrime ecosystem that some sources regard as the new dark web. A surge in popularity in 2021 saw a 100 percent uptick in cybercrime activity on Telegram, as many threat actors were spooked by increasing law enforcement scrutiny of the dark web.
On Telegram, public channels provide one-to-many communication in which admins broadcast messages to an unlimited number of subscribers. Any Telegram user can search for and join these channels.
As for the OSINT potential, here are some bits of intel you might find by sifting through cybercrime Telegram channels:
● Many channels or groups cater to the hacker community, discussing exploits, sharing tools, or even advertising services. Monitoring such platforms offers a glimpse into the current tactics, techniques, and procedures (TTPs) of potential adversaries.
● Occasionally, admins of Telegram channels share compromised data, credentials, or database dumps exclusively on those channels.
3. Search Engines
Popular search engines like Google and Bing index billions of web pages, essentially building enormous databases of public-facing information from around the world. These databases are continuously updated, giving almost real-time access to an ever-changing digital landscape.
Some of the potential uses of search engines to gather open source intelligence include:
● General research: For foundational knowledge about a person, company, or event, search engines can provide background information, biographies, historical data, and more.
● Advanced search operators (dorking): Using specialized queries, known as “dorks,” researchers can locate specific information. For example, a dork could locate unprotected webcams, directories with specific files, or websites running a particular software vulnerable to known exploits.
● Archived data: Even if a piece of information has been removed or a webpage updated, search engines often retain cached versions of older web pages, and the Internet Archive serves a similar purpose. Archived data is useful for tracking changes or accessing information that has recently been deleted.
● Domain and subdomain discovery: Using specific queries, you can discover associated subdomains or related domains of your website to get a fuller picture of your organization’s online presence. You may even find lookalike domains that threat actors use to impersonate your business in social engineering scams.
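Once you have a list of domains that resemble yours (from search results, certificate transparency logs or new-registration feeds), the question is which ones are actual lookalikes worth watching. This is an added example, not code from the original article, showing one way to triage such a list for an organization whose domain is assumed to be example.com. The observed domains are constructed for the example; the classification treats the last two labels as the registered domain (a simplification, since real code would consult the public suffix list), normalizes common look-alike character swaps, and uses an edit distance that counts an adjacent-character swap as one change.

```python
# Constructed sample: domains as they might appear in a certificate
# transparency feed or a newly registered domains list (not real observations).
OBSERVED = [
    "example.com",                     # our own domain
    "mail.example.com",                # our own subdomain
    "examp1e.com",                     # digit substituted for a letter
    "exarnple.com",                    # 'rn' standing in for 'm'
    "example-login.com",               # brand plus a keyword
    "example.com.secure-update.net",   # brand used as a subdomain elsewhere
    "exmaple.net",                     # two letters transposed
    "examples.com",                    # one letter inserted
    "example.net",                     # same brand, different TLD
    "unrelated.org",
    "sample.com",                      # two edits away: not flagged
]

# Character sequences commonly used to imitate other letters (assumed list).
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "rn": "m", "vv": "w"}


def normalize(label):
    """Lower-case, undo common glyph swaps and drop hyphens."""
    label = label.lower()
    for src, dst in HOMOGLYPHS.items():
        label = label.replace(src, dst)
    return label.replace("-", "")


def edit_distance(a, b):
    """Optimal string alignment distance: insert, delete, substitute or
    swap two adjacent characters, each costing 1."""
    rows = [list(range(len(b) + 1))]
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = min(rows[-1][j] + 1, cur[j - 1] + 1, rows[-1][j - 1] + (ca != cb))
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                cost = min(cost, rows[-2][j - 2] + 1)
            cur.append(cost)
        rows.append(cur)
    return rows[-1][-1]


def classify(domain, org_domain):
    """Label a domain relative to the org domain; 'own' means ours."""
    domain, org_domain = domain.lower().rstrip("."), org_domain.lower()
    if domain == org_domain or domain.endswith("." + org_domain):
        return "own"
    labels, org_labels = domain.split("."), org_domain.split(".")
    if len(labels) < 2:
        return "unrelated"
    brand, org_tld = org_labels[-2], org_labels[-1]
    reg_label, tld = labels[-2], labels[-1]   # simplification: last two labels
    norm = normalize(reg_label)
    if reg_label == brand and tld != org_tld:
        return "tld-swap"
    if norm == brand:
        return "homoglyph"
    if edit_distance(norm, brand) <= 1:
        return "typo"
    if brand in norm:
        return "brand-keyword"
    if any(brand in normalize(label) for label in labels[:-2]):
        return "brand-in-subdomain"
    return "unrelated"


def triage(domains, org_domain):
    """Map every observed domain to its classification."""
    return {d: classify(d, org_domain) for d in domains}


if __name__ == "__main__":
    for domain, verdict in triage(OBSERVED, "example.com").items():
        if verdict not in ("own", "unrelated"):
            print(f"{domain:35} {verdict}")
```

Anything other than own or unrelated is a candidate for a takedown request, a mail-filter rule, or at least a watch list entry, and the verdict tells you which impersonation technique is in play.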
4. Code Repositories
Platforms like GitHub, GitLab, and Bitbucket are where developers store and manage their code. These repositories contain software projects, libraries, configuration files, and other development artifacts that your dev teams work on.
Developers occasionally commit sensitive information like API keys, passwords, or configuration details to their public repositories by mistake.
Identifying these leaks before hackers do is an important task that can protect against a breach of your environment.
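Finding those leaks before an attacker does means scanning repository contents for credential shapes, not just for the word "password". The following is an added example, not code from the original article, of a small secret scanner run over a constructed repository snapshot (a mapping of file paths to contents). The four rules and the entropy threshold are illustrative choices; every key and token in the sample is a made-up value of the right shape. The report deliberately echoes only the first few characters of each match, so the scan output itself does not become a second leak.

```python
import math
import re
from dataclasses import dataclass

# Constructed repository snapshot (path -> file contents). Every key and
# token below is a made-up value of the right shape, not a real credential.
SAMPLE_REPO = {
    "config/settings.py": 'DB_HOST = "db.internal"\n'
                          'DB_PASSWORD = "s3cr3t-Pa55"\n'
                          'api_key = "<your-api-key>"\n'
                          'token = os.environ["API_TOKEN"]\n',
    "deploy/.env": "AWS_ACCESS_KEY_ID=AKIAEXAMPLEEXAMPLE12\n"
                   "AWS_REGION=eu-central-1\n",
    "scripts/publish.sh": "#!/bin/sh\n"
                          "GH_TOKEN=ghp_EXAMPLEEXAMPLEEXAMPLEEXAMPLEEXAMPLE0\n"
                          'curl -H "Authorization: token $GH_TOKEN" https://api.github.com/user\n',
    "keys/id_rsa": "-----BEGIN OPENSSH PRIVATE KEY-----\n"
                   "b3BlbnNzaC1rZXkt...\n"
                   "-----END OPENSSH PRIVATE KEY-----\n",
    "README.md": "Set DB_PASSWORD in your environment; never commit it.\n",
}

# Ordered from most specific to most generic; the first match per line wins.
RULES = [
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("github-token", re.compile(r"\bghp_[A-Za-z0-9]{36}\b")),
    ("private-key", re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----")),
    ("hardcoded-password", re.compile(
        r"(?:password|passwd|pwd|secret|api[_-]?key|token)\b\s*[:=]\s*['\"]?([^'\"\s]{8,})['\"]?",
        re.IGNORECASE)),
]
PLACEHOLDER = re.compile(r"^<[^>]*>$|changeme|placeholder|your[-_]|xxx", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    rule: str
    hint: str  # redacted prefix of the matched value


def shannon_entropy(s):
    """Bits per character; constant strings score 0."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def _credible_literal(value):
    """Reject code expressions, variable references and obvious placeholders."""
    if any(c in value for c in "([{$"):
        return False
    if PLACEHOLDER.search(value):
        return False
    return shannon_entropy(value) >= 2.0


def scan_text(path, text):
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        for rule, pattern in RULES:
            m = pattern.search(line)
            if not m:
                continue
            value = m.group(1) if m.groups() else m.group(0)
            if rule == "hardcoded-password" and not _credible_literal(value):
                continue
            findings.append(Finding(path, no, rule, value[:4] + "..."))
            break  # one finding per line
    return findings


def scan_repo(repo):
    """Scan every file in a path -> contents mapping, in path order."""
    out = []
    for path in sorted(repo):
        out.extend(scan_text(path, repo[path]))
    return out


if __name__ == "__main__":
    for f in scan_repo(SAMPLE_REPO):
        print(f"{f.path}:{f.line}  {f.rule}  {f.hint}")
```

The generic rule is where false positives live, so it is gated three ways: values containing brackets or a dollar sign are treated as code or variable references, obvious placeholders are dropped, and low-entropy strings are ignored. In a real pipeline the same functions would run over every commit in a repository's history, since a secret removed in a later commit is still retrievable from the earlier one.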
Red teams can also examine the contributors to a repository to gain insights into their expertise, affiliations, and even potential weak links in the organization’s cybersecurity chain.
5. Social Media
Social media platforms collectively house billions of profiles, posts, messages, and media. Every day, vast amounts of data are generated, shared, liked, and commented upon, which makes platforms like Facebook, LinkedIn, and X (formerly Twitter) rich sources of publicly available information.
Some potential uses of OSINT gathered from social media platforms are:
Phishing campaign awareness: Threat actors often discuss or brag about successful phishing campaigns on social platforms. Monitoring this chatter can provide insights into ongoing or emerging phishing threats targeting your specific industry or company.
Data leak alerts: Compromised data might be discussed, shared, or even sold on social media. Keeping an eye out can provide early warnings to facilitate swift response and mitigation.
Emerging threat intelligence: Infosec experts, white-hat hackers, and cybersecurity firms frequently share findings, vulnerabilities, patches, and threats on platforms like Twitter. Following these can provide real-time insights and allow organizations to act proactively.
Employee activity: Employees might unknowingly share sensitive company information, such as a photo of a workstation revealing sticky notes with passwords or details about internal projects on LinkedIn posts. Identifying and educating these employees can plug potential data leaks.
By tapping into these sources of freely available intel, a little bit of digging can unearth some cybersecurity jewels that prevent data breaches or help bolster your company’s defenses. Our team of security experts at DIESEC is well-versed in extracting useful insights from open sources of information. Whether you want more realistic red team exercises that truly simulate how real-world adversaries find information, or you want more realistic simulated social engineering tests, we use OSINT to drive better results.