Open-Source Intelligence - OSINT

"I don't know, Susan. This sounds pretty shady." Kalina looked hesitant and was not convinced.
"We're not barging into his privacy. It's only the information that is publicly available. Like a public library. You can't feel ashamed for learning how to reach a fucking book. Anyone could with a little effort."

Open Source Intelligence (OSINT) is a long-standing tradition of finding publicly available information about someone or something. Even though it sounds innocent and small in scale, in reality it is anything but: since the rise and wide availability of the internet, a great deal of information has been disclosed online, and much of it with the author's own consent. After all, what harm can it do to give away some insignificant, partial piece of information here and there?

How is it done?

"First thing, write down everything you know about him — names, digital addresses, nicknames, etc. When you're done we'll..."
"Sus, he's a frickin' Faustist! That's bordering on the impossible with their information volatility!"
"He may be one, but at the same time he's too proud to get rid of all his trophies. He hoards and shares memories and thoughts, like everyone else. And we're gonna aim for a common link."

OSINT can be seen as the art of forming a bigger picture from publicly available fragments. The process is typically broken down into several distinct steps:

  1. Planning — for a given person (the figurehead), narrow down potential sources of information: names, nicknames, addresses, connections, platforms used, etc.
  2. Harvesting — depending on the type of information, use dedicated tools to reveal additional information connected to the pieces already in possession.
  3. Processing and Integration — the collected information is processed (distilled, summarized, etc.) to keep the information density as high as possible while preserving integration: smaller fragments are integrated into bigger chunks.
  4. Analysis — the pieces are brought together to see the big picture; at this point many fragments initially thought unrelated become entangled.
  5. Delivery — a complete report is formed with annotations about derived behavioural patterns, new connections and potential figureheads; the report's scope strongly depends on the initial plans for the figurehead. In many cases the first-degree circle (identification of related people and institutions) is enough, but sometimes (e.g., bribery of government officials) more thorough research will demand engaging the circles of the second and higher degrees, i.e., running a dedicated OSINT search for each newly identified person and institution.

It can happen (and often will) that new sources of information surface during the Processing phase. In such situations, if the scope of the research is too narrow, it is often advisable to return to the Planning/Harvesting phase and consider the new potential roots.

Common use cases

"You found it, Kali!" Susan jumped her friend, screaming with excitement. "You found the link. What're you gonna..."
"It means ████████ to me and I'll make ████████ out of it."
She woke up with her heart still racing. The dream was blurry at the end but vivid enough to recall the events from the past. Nothing could be done about it now, but the guilt felt almost physical, as if it was tattooed on her skin. She hoped for it to be more like a scab on an old wound, one that would come off when given sufficient time. Some day... Eventually...

Interestingly, there are arguably two groups that use OSINT on a daily basis: investigative journalists and penetration testers. The former look for information about a missing person, evidence of bribery, or a way of unmasking a fraud. In some cases the trails of information can be wild, e.g., judging the date and time a photo was taken from the length of a shadow. Other times it is a painful grind through small fragments, obfuscated in an excruciating manner; unmasking a spy is a difficult (but not impossible) task. Penetration testers have a much easier job. Good OSINT provides splendid food for phishing, since the human is always the weakest link in the security chain. While cracking a set of long passwords or cloning a proximity ID tag may work better or worse, a targeted phishing attack is always effective. This is often not pure OSINT, though, but OSINT paired with a fair dose of social engineering: the pentester uses the gathered information to manipulate the figurehead into doing their bidding.

Famous examples

Many cybercriminals boast that using The Onion Router (Tor) network keeps them anonymous, elusive and immune from punishment. However, maintaining TRUE anonymity can be difficult, even with Tor. Around the year 2020 several ransomware groups were deanonymized using a few simple OSINT tricks. The perpetrators used the same security certificates for their Tor hidden services and their clearnet counterparts. The use of the same logos (and in some cases the entire layout of the website) confirmed that the sites belonged to the same entity. The deanonymized clearnet websites were then analyzed in the old-fashioned way and the cyber defence forces were notified of the discovery. As a result, the ransomware groups in question were caught and hundreds of people regained access to their encrypted hard drives.
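The "common link" that the Processing and Analysis steps above revolve around, and the shared-certificate correlation just described, come down to the same operation: index every collected fragment by attribute value and link the entities that share a discriminating value. The following Python is an added example and not code from this post; the hostnames, hashes and e-mail address are constructed placeholders, and the scenario is an operator auditing their own public footprint (for instance, checking that a privacy-sensitive onion service does not share a TLS certificate fingerprint or logo with any clearnet identity). It also carries the caveat a practitioner wants: an attribute value shared by too many entities (a CDN-issued certificate, a stock logo) is noise rather than evidence, so the `max_fanout` threshold (a name assumed here) drops it.

```python
"""Link analysis over collected public fragments (added example, not the post's own code).

Each fragment is an observation (entity, attribute_type, attribute_value).
Two entities are linked when they share a discriminating attribute value,
e.g. the same TLS certificate fingerprint on a clearnet host and an onion
service. All sample data below is constructed for this example.
"""
from collections import defaultdict, deque

# Constructed observations; hostnames, hashes and the e-mail are placeholders.
FRAGMENTS = [
    ("shop.example", "tls_sha256", "c0ffee01"),
    ("abc123.onion", "tls_sha256", "c0ffee01"),    # same certificate as shop.example
    ("abc123.onion", "logo_sha256", "1090ff00"),
    ("blog.example", "logo_sha256", "1090ff00"),   # same logo as the onion site
    ("blog.example", "contact_email", "ops@example"),
    ("forum:ops_guy", "contact_email", "ops@example"),
    ("other.example", "tls_sha256", "deadbeef"),
    # Four unrelated hosts behind one CDN share a certificate; that value is
    # not discriminating and must not be treated as proof of a common owner.
    ("cdn-a.example", "tls_sha256", "cdn00001"),
    ("cdn-b.example", "tls_sha256", "cdn00001"),
    ("cdn-c.example", "tls_sha256", "cdn00001"),
    ("cdn-d.example", "tls_sha256", "cdn00001"),
]


def index_attributes(fragments):
    """Map each (type, value) pair to the set of entities observed with it."""
    idx = defaultdict(set)
    for entity, atype, value in fragments:
        idx[(atype, value)].add(entity)
    return idx


def discriminating_links(fragments, max_fanout=3):
    """Yield (attribute, entities) for values shared by 2..max_fanout entities.

    A value shared by more than max_fanout entities (CDN certificate, stock
    logo) is treated as noise rather than as evidence of a common link.
    """
    for attr, entities in index_attributes(fragments).items():
        if 2 <= len(entities) <= max_fanout:
            yield attr, entities


def adjacency(fragments, max_fanout=3):
    """Graph: entity -> {neighbour: shared attribute}, over discriminating links only."""
    graph = defaultdict(dict)
    for attr, entities in discriminating_links(fragments, max_fanout):
        for a in entities:
            for b in entities:
                if a != b:
                    graph[a][b] = attr
    return graph


def clusters(fragments, max_fanout=3):
    """Connected components: each set is a group of entities tied by common links."""
    graph = adjacency(fragments, max_fanout)
    seen, result = set(), []
    for start in sorted({e for e, _, _ in fragments}):
        if start in seen:
            continue
        component, stack = set(), [start]
        while stack:
            node = stack.pop()
            if node in seen:
                continue
            seen.add(node)
            component.add(node)
            stack.extend(graph[node].keys() - seen)
        result.append(component)
    return result


def evidence_path(fragments, src, dst, max_fanout=3):
    """Shortest chain of shared attributes from src to dst (BFS), or None if unlinked.

    Each step is (from_entity, attribute_type, attribute_value, to_entity), which is
    exactly the annotation a report should cite for a derived connection.
    """
    graph = adjacency(fragments, max_fanout)
    prev = {src: None}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            break
        for nxt, attr in graph[node].items():
            if nxt not in prev:
                prev[nxt] = (node, attr)
                queue.append(nxt)
    if dst not in prev:
        return None
    steps, node = [], dst
    while prev[node] is not None:
        parent, (atype, value) = prev[node]
        steps.append((parent, atype, value, node))
        node = parent
    return list(reversed(steps))


if __name__ == "__main__":
    for component in clusters(FRAGMENTS):
        print(sorted(component))
    for step in evidence_path(FRAGMENTS, "shop.example", "forum:ops_guy") or []:
        print(step)
```

Run as a script it prints the clusters and the evidence chain from `shop.example` through the onion site and `blog.example` to `forum:ops_guy`; raising `max_fanout` to 4 makes the four CDN hosts collapse into a false cluster, which is why the threshold belongs in the Processing step rather than being left to the reader of the final report.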

OSINT is often seen as a form of stalking, since it often involves a third party gathering information considered sensitive, even though it is publicly available. It should be noted that in most countries such actions are considered entirely legal, however questionable the process itself may be.

Cover image: by MidJourney