OSINT (open-source intelligence) is a branch of intelligence that analyzes information about people or organizations from sources available to the public.
Britain and the United States actively used OSINT during WWII, with special units monitoring enemy broadcasts. Today, OSINT methodology is employed not only in foreign policy, but also in information security.
OSINT in information security
Cybersecurity professionals collect information from open sources to:
- Assess the security of an asset and determine its attack surface so as to counter threats more effectively;
- Detect data leaks;
- Identify threats in preparation, along with their sources and attack vectors;
- Investigate and attribute cyberincidents.
At the same time, cybercriminals use OSINT to identify promising targets and weaknesses in a potential victim’s defenses, as well as to plan targeted attacks involving social engineering and doxing.
OSINT data sources
OSINT data sources include:
- Open data (news, podcasts, information about staffing and contractors, blogs, social networks and other online communities, information about ports accessible from the Internet, etc.) that can be found on the Web using search engines, including specialized engines such as Shodan;
- Documents intended for public use but located on the deep web:
  - Materials available on request (e.g., reports, transcripts of press conferences, public statements);
  - Materials available by subscription (e.g., articles in trade journals, newsletters from specialized services);
- Metainformation obtainable using specialized tools or by analyzing other materials (e.g., comments in program code).
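The last item is where defenders most often lose information without noticing: comments left in published HTML and JavaScript routinely name internal hosts, staff e-mail addresses, private IP ranges and unlinked paths. The script below is an added example, not part of the original entry, showing the kind of pre-publication check a security team can run over its own web assets. The sample page it scans is constructed for the example (the hostnames, address, e-mail and path in it are invented), and the indicator rules are illustrative assumptions rather than a complete list.

```python
import re

# Constructed sample: a fragment of a web page as a team might review it before
# publishing. Every value in the comments is invented for this example.
SAMPLE_HTML = """<!DOCTYPE html>
<html>
<!-- Build 4711, deployed from ci-runner.corp.example.internal by j.doe@example.com -->
<head>
  <script>
    // TODO: admin panel is still at /legacy-admin
    /* API gateway fallback: 10.20.30.40 */
    var version = "2.3.1";
  </script>
</head>
<body>
<!-- marketing banner -->
<p>Welcome</p>
</body>
</html>
"""

# Comment syntaxes found in web front-end sources (HTML, CSS, JavaScript).
COMMENT_PATTERNS = [
    re.compile(r"<!--(.*?)-->", re.S),     # HTML comments
    re.compile(r"/\*(.*?)\*/", re.S),      # CSS / JS block comments
    re.compile(r"(?m)^[ \t]*//[^\n]*"),    # JS line comments
]

# Illustrative indicators (assumed, not exhaustive) that a comment carries
# metainformation an outsider could use to map the organization.
RISK_RULES = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "internal_host": re.compile(r"\b[\w.-]+\.(?:internal|corp|local|lan)\b", re.I),
    "private_ipv4": re.compile(
        r"\b10\.\d{1,3}\.\d{1,3}\.\d{1,3}\b"
        r"|\b192\.168\.\d{1,3}\.\d{1,3}\b"
        r"|\b172\.(?:1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3}\b"
    ),
    "todo_note": re.compile(r"\b(?:TODO|FIXME|HACK)\b"),
    "hidden_path": re.compile(r"/(?:admin|legacy|internal|staging)[\w/-]*", re.I),
}


def extract_comments(source: str) -> list[str]:
    """Return the text of every comment in the given page source."""
    comments = []
    for pattern in COMMENT_PATTERNS:
        for m in pattern.finditer(source):
            # Patterns with a capture group yield the comment body; the
            # line-comment pattern has none, so take the whole match.
            comments.append(m.group(m.lastindex or 0))
    return comments


def find_leaks(source: str) -> list[dict]:
    """Match each extracted comment against the risk rules.

    Returns one finding per rule hit, in the order comments appear per
    comment syntax and rules are listed above.
    """
    findings = []
    for comment in extract_comments(source):
        for rule_name, rule in RISK_RULES.items():
            for hit in rule.finditer(comment):
                findings.append({
                    "rule": rule_name,
                    "match": hit.group(0),
                    "comment": comment.strip(),
                })
    return findings


if __name__ == "__main__":
    for f in find_leaks(SAMPLE_HTML):
        print(f"[{f['rule']}] {f['match']!r} in comment: {f['comment']!r}")
```

Running the check over the constructed page reports the internal build host, the staff address, the private gateway IP, the leftover TODO and the unlinked admin path. In practice the same pass belongs in a CI step that fails the build or opens a ticket, so that such comments are stripped (or the referenced systems reviewed) before the page ever becomes part of the public attack surface.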
OSINT can be passive or active. Passive methods do not involve any interaction with the target's systems, so the target cannot detect them automatically. In active data collection, analysts interact with the target's systems; this can mean employing advanced techniques, or something as simple as registering on an organization's website to obtain materials available only to registered users.