How does open source intelligence (OSINT) help improve cybersecurity?

The volume of data that’s moving around the internet every second of every day is nothing short of astounding.

This includes all forms of public media such as words, images, and videos that are being uploaded or downloaded — and that’s not even the full extent of it.

Beyond the public web, there’s the dark web, sites that restrict access, and even unindexed websites. Information throughout all the compartments of the internet is constantly being added to.

Clearly, most people nowadays realize how important the internet is as an intelligence-gathering tool. What’s less clear, perhaps, is how to use this sheer amount of data for your cybersecurity practices.

What is open source intelligence (OSINT)?

Open source intelligence (OSINT) is a method used to extract and assimilate publicly-available data and use it for intelligence objectives.

The most notable types of OSINT come in the form of:

• Feeds that are open source - Some content providers make their intelligence feeds publicly available.
• Surface web monitoring platforms - This includes websites and other forms of intelligence such as forums and blogs that provide useful information for analysts.
• Social media - This shouldn’t be overlooked as it’s a helpful way of staying up to date on the latest developments in cybersecurity. Its scope is huge — ranging from people to business and integrated technologies.
• Paste websites - These are often a great place to find sensitive data that spans from passwords to niche client information. This is due to their function as short-term information stores.
• Sites that incorporate code sharing - Websites like GitHub act as source code hubs where you may encounter leaked code, application infrastructure, and other highly sensitive credentials.
• Websites based on file sharing - Such sites can display sensitive data including files, configurations, and images.
• Messaging forums - Chatting with other users and swapping information can be an effective means of gaining knowledge. Examples include WhatsApp, Discord, and Telegram.
• Dark web - This is the side of the internet that isn’t accessible via usual search engines. To enter the dark web, you’ll need to use applications such as I2P or Tor for example.
• Deep web - Usual search engines won’t bring up results that are hidden in the depths of the deep web, this is because sites on the deep web aren’t indexed by common browsing tools like Google, for instance.

OSINT sources excel at data gathering (the “collection phase”). Yet that’s only one step in the overall OSINT process:

1. Planning
2. Collection
3. Processing
4. Analysis
5. Integration
6. Feedback

Open source intelligence and cybersecurity: the opportunities and challenge

Effective OSINT use in your organization will minimize cybersecurity risks since it improves your threat intelligence in detecting threats and managing alerts. Any attempts to use OSINT need to be tempered by the understanding that it does have many challenges.

Managing risk with OSINT & TI

These processes can come in different forms, such as:

• Detection - the first step. Once an alert is detected, TI is used further in triage (to determine the confidence and severity of a detection).
• Alert triage and prioritization - This effectively speeds up the prioritization process for dealing with threats, enabling quicker action to mitigate the danger.
• Contextual enrichment - Prioritization of alerts by means of investigating their context and background allows for greater accuracy when determining the level of threat.
• Automated detection and response - This helps to constitute the threat level that a certain alert will carry. Quickly identifying what’s a danger and what isn’t, provides the user with information that enhances their cybersecurity prognosis.

Utilizing OSINT for risk analysis

TI, including OSINT, provides a view of currently occurring attacks (and evaluates which is high risk). In this way, the use of TI (and consequently OSINT) helps inform us of the kinds of assessments we should perform when performing penetration tests, and when performing vulnerability assessments. TI helps us assess the severity of vulnerabilities - i.e. how likely a vulnerability is to be attacked, and the amount of damage which can be caused by an attack.

So, when testing using that information you can do the following:

• Testing penetration - You can utilize the skills of a penetration tester or do this yourself if you have the means. It’s the act of using publicly available information to spot vulnerabilities within your setup.
• Assessing threat surface - To determine the threat surface of your organization, you’ll need to perform an inventory or audit of all the potential weaknesses in the system that you use. Threat surfaces are normally areas within your structure that could be used as an entry point for hackers.

Threat intelligence: using OSINT to understand threat actors, their methods, and their targets

OSINT, a part of threat intelligence, consists of information garnered from open sources but it amalgamates this data with knowledge gained from closed sources.

It’s a valuable tool used by cybersecurity teams to formulate context and background behind potential threat actors. It helps to paint a picture of what motivates attacks, who’s instigating them, plus when and how they’ll do it.

However, there’s also a downside…

OSINT for cybersecurity is a double-edged sword

Just as open source data is available for those wanting to examine their own cybersecurity, it’s also just as readily available to cybercriminals, too. Examples of using open source data for malevolent intent include phishing and corruption of sources by planting benign indicators, lowering trust in the information.

It’s also worth noting that data from open sources often needs verification and it’s unwise to trust the data prior to quality assurance.

It’s not uncommon for OSINT feeds to harbor data that’s redundant or created from incorrect sources that feature errors and incomplete information.

Curation (evaluation, cleaning and management of TI) plays a crucial role when it comes to trusting open source data. Associated issues can include:

• Limited data depth
• Hidden false positives
• Cleaning up irrelevant data
• Strengthening existing data — adding further material to formulate more cohesive information
• Data integration controls — making sure that data is integrated through safe means.

How to use OSINT in your cybersecurity approach

For OSINT to be effective, analysts must ask themselves:

• What’s the provenance of the data? Where was it sourced?
• What’s the data going to be used for?
• How relevant is the data?
• Has the data been modified?
• Does the data exclude anything?
• Can you or your security team use the data?

Choose Samurai for world-leading cybersecurity

NTT Security Holdings Global Threat Intelligence Center (GTIC) ensures that Samurai XDR is built on the most informative and powerful data gathering service that NTT can assemble.

While the use of OSINT is attractive - because it is available for free - the reality is that there are hidden costs, because of the expertise and systems required to curate OSINT. This means that, in order to use OSINT effectively you need to maintain the skills and tools to curate and utilize it. This is something that GTIC specializes in, and for most organizations it is more cost and resource effective to leave the curation of OSINT to experts like us (vs build your own teams internally). OSINT alone also doesn’t provide complete coverage, which is why GTIC maintains a number of proprietary TI sources in addition to open ones.

The GTIC pools information from available sources such as open web, dark web, deep web, commercial and proprietary feeds.

The continual development of threat feeds into our platform is based on analysis of:

• Source reliability
• Accuracy of the information
• Sensitivity of the data
• The use of the data
• Data protection requirements.

One example of how NTT makes use of social media to gain intelligence is through the CrowdCanary program, a recent addition to our OSINT gathering capabilities. It’s a way of transforming phishing reports, that are generated through Twitter, into useful and informative data that can help guide effective cybersecurity methodology.

Get in touch today to switch to the Samurai level of protection.