Open-Source Intelligence - OSINT

Open Source Intelligence (OSINT) is a long-standing tradition of finding information on someone or something publicly available. Even though it sounds innocent and small in magnitude, in reality, it couldn't be anything less — since the rise and significant availability of the internet, a lot of information is disclosed online. Many times it is with the very author's consent. After all, what does it hurt to give some insignificant and partial information here and there?

OSINT can be seen as the art of forming a bigger picture from publicly available fragments.   The process is typically broken down into several unique steps:

1. Planning — for a given person (figurehead) narrow down potential sources of information: names, nicknames, addresses, connections, platforms used, etc.
2. Harvesting — depending on the type of information use dedicated tools to reveal additional information connected to the pieces already in possession.
3. Processing and Integration — the collected information is processed (distilled, summarized, etc.) to maintain the highest information density, while maintaining integration; smaller fragments are integrated into bigger chunks.
4. Analysis — the pieces are rounded up to see the big picture; at this point, many fragments, initially thought unrelated become entangled;
5. Delivery — a complete report is formed with annotations about derived behavioural patterns, new connections and potential figureheads; the report's scope strongly depends on the initial plans for the figurehead. In many cases, the first degree circle (identification of related people and institutions) is enough, but sometimes (e.g., bribery of government officials) more thorough research
will demand engaging in the circles of the second and higher degrees — engaging a dedicated OSINT search for newly identified people and institutions.

Interestingly there are probably two groups which use OSINT on a daily basis: investigative journalists and penetration testers. The former look for information regarding a missing person, evidence of bribery, and demasking a fraud. In some cases the traces of information can be crazy, e.g., judging the date and time the photo was taken, based on the length of the shadow. Other times it is a painful grind of small fragments, obfuscated in excruciating manner — demasking a spy is difficult (but not impossible) task. Penetration testers have a much easier job to do. A good OSINT provides splendid food for phishing since human is always the weakest link in the security chain. While breaking that set of long passwords or cloning an ID proximity tag can work better or worse, a targeted phishing attack is always effective. This is often not pure OSINT though, but paired with a fair dose of social engineering — the pentester will use the OSINT information to manipulate the figurehead to do their bidding.

Many cybercriminals boast using The Onion Router (TOR) network remains anonymous, elusive and impune. However maintaining TRUE anonymity can be difficult, even if one uses TOR. Around the year 2020 several ransomware groups were deanonymized using several simple OSINT tricks. The perpetrators used the same security certificates for their TOR-hidden websites and their clearnet counterparts. The use of the same logos (and in some cases the entire layout of the website) confirmed that the sites belong to the same entity. Deanonymized Clearnet websites were then analyzed in an old-fashioned way and the cyber defence forces were notified of the discovery. As a result, the ransomware groups in question were caught and hundreds of people were returned access to their encrypted hard drives.

OSINT is often seen as a form of stalking since it often involves a third party gathering information considered sensitive, even though they are publicly available. It should be noted that in most countries such actions will be considered entirely legal, however questionable the process itself may be.