OSINT - Open Source Intelligence
OSINT (Open Source Intelligence) is a methodology for systematically collecting and analyzing information from publicly available sources to derive useful intelligence. Any information that can be accessed legally is in scope, including social media posts, the WHOIS database, DNS records, corporate public disclosures, and government open data. In the field of cybersecurity, it plays an important role on both sides: attackers' reconnaissance and defenders' threat intelligence.
Historical Background - From Military Intelligence to Private-Sector Security
The origins of OSINT lie in the United States during World War II. In 1941, the U.S. established the Foreign Broadcast Monitoring Service to systematically analyze the radio broadcasts and newspapers of enemy nations. During the Cold War, the CIA and NSA developed OSINT into one of the pillars of their intelligence operations. As the internet became widespread from the 2000s onward, OSINT methods were also adopted by private security companies, journalists, and researchers. During the 2014 Ukraine conflict, the citizen investigation group Bellingcat identified military operations by analyzing social media photos and satellite imagery, demonstrating the power of OSINT to the world.
Classification of Sources
Abuse in the Attacker's Reconnaissance Phase
The first step of a cyberattack is reconnaissance. Attackers use OSINT to gather information about their targets. They look up employees' job titles and skills on LinkedIn to select targets for spear phishing. They search public GitHub repositories for accidentally committed API keys and credentials. They use Shodan to identify vulnerabilities in exposed servers and devices. They infer the technology stack in use from a company's job postings and target known vulnerabilities. The success rate of social engineering depends heavily on the quality of the information gathered through prior OSINT.
The OSINT Reconnaissance Process
Use on the Defensive Side
OSINT is a powerful tool for defenders as well. To understand your own organization's attack surface, investigate your company's public information using the same methods attackers use. Regularly check Have I Been Pwned to see whether employees' email addresses appear in breached data, and if they do, prompt those employees to change their passwords. Monitor the dark web for signs that your company's credentials or confidential data are being bought and sold. The article on protecting your digital identity also explains countermeasures at the individual level.
Real-World Use Cases
"When we conducted OSINT during the preliminary investigation for a penetration test, we were able to identify the technology stack of internal systems from a former employee's LinkedIn profile, and we found test credentials in a public GitHub repository. This is information that real attackers could discover as well."
OSINT Countermeasures at the Individual Level
Understanding how much information you are exposing is the first step in defense. Review your social media privacy settings and limit the disclosure of unnecessary personal information. Develop the habit of deleting the EXIF data (location information) from photos before uploading them. Please also refer to the articles on the privacy settings guide and defending against social engineering. For those who want to systematically learn OSINT techniques and countermeasures, OSINT and security books on Amazon are a helpful reference.