“Too many people still mistake secrets for intelligence,” says Stephen Mercado, an analyst in the Directorate of Science and Technology at the CIA. OSINT, or open source intelligence, has been both a boon and an Achilles’ heel for intelligence communities for decades. While certain public information may seem harmless, OSINT collected for malicious purposes can prove devastatingly efficient when devising attacks, especially in the hands of an experienced social engineer.
OSINT refers to the wide range of information collected from publicly available sources: print and broadcast media, academic texts, and more recently, social media, blogs, forums, and more.
In the recent past, OSINT has helped every major world power gather intel on adversaries in conflicts from WWII, to the Korean and Vietnam wars, to the Cold War. Sources have evolved from print publications obtained by foreign agents (the US aerospace publication Aviation Week — dubbed “Aviation Leak” for its scoops — was a “perennial favorite,” according to Mercado) to radio, and finally to the Internet, today’s unequivocal fire hose of information.
The Internet not only provides its own wealth of information, it also makes obtaining other sources of OSINT easier than ever. “During the Second World War, Dr. Fairbank traveled far and at great expense to gather Japanese publications in China and send them to Washington,” writes Mercado. “Today, anyone, anywhere can order Japanese media with a click of the mouse from amazon.co.jp or other online merchants and receive the orders by express air shipment.”
But with great ease comes great vulnerability. Attackers who are aiming to break into your network won’t read a few newspaper articles and call it day. Numerous tools freely available on the Internet can assist anyone interested in gathering OSINT. Infosec Institute has a brief list, which includes specific information-gathering tools and data such as Maltego, and WHOIS data, as well as multidisciplinary tools like socialmention and NewsNow, which are primarily sales and marketing sites. (Another list is available here.)
Social engineers in particular are likely to make use of OSINT. Dale Pearson, writing for subliminalhacking.net, comments: “the use of both open source intelligence and acquired information, allows for individuals and groups involved in cyber crime to fuel their knowledge and power influence and manipulate their targets to achieve the required illusion of trust with their target.”
He continues, “The information gathered on a target allows the attacker to create a pretty accurate profile of their target, and potentially of that of their families and friends, as well as their interests both publicly and privately. The aim here is to either act as an individual of trust, or create a pre-text that will be considered trustworthy to aid in achieving their goals.”
According to social-engineer.org, “social engineering is a vector used in [more than] 66 percent of all attacks by hackers, hacktivists, and nation states,” and OSINT enables attackers to be more believable to unsuspecting employees.
However, defenders can make use of OSINT as well — to both understand what information is available to attackers, and how to educate employees and users on what information can be safely shared online. CSO Online statistics show that “the average U.S. company spends $15 million a year battling cybercrime.” Managing OSINT related to your business can help reduce the leverage bad actors have when attempting to infiltrate your networks.
OSINT is, according to Arthur Hulnick, a former CIA officer, “neither glamorous nor adventurous.” However, “open sources are nonetheless the basic building block for secret intelligence.” While not the sexiest intel on the market, OSINT can be highly effective for attackers. What constitutes sensitive information is different for everyone, so make sure your security team regularly communicates with employees about posting information in forums or on social media channels, and monitors all channels for sensitive data. Hackers want to infiltrate your castle — don’t make it easier by handing them the keys.