You might have followed the war in Ukraine in the past year and a half and come across the term OSINT. Before the war, the term was, in my opinion, mostly known from the MH17 incident and Bellingcat, but what exactly is OSINT? What are its uses? And why should it be of interest to companies and private citizens alike?
OSINT, Open-Source INTelligence, is, as the name implies, the process of gathering and analyzing intelligence from open – be they free or commercial – sources. These sources may be newspapers, TV, radio, or, more recently, internet and social media platforms. Commercial sources include high-res satellite imagery or terrain/maritime maps, which you can purchase from several service providers. Modern technology has significantly “democratized” intelligence gathering: it used to be the sole domain of national intelligence services, whereas now anyone can access almost the same level of data. Unfortunately, this also includes criminals, making the openly available information a potential threat.
The difference between intelligence and espionage is worth mentioning in this context. Intelligence is about gathering information to guide decisions and actions; it is mostly done by using public sources and is legal in most countries. A good example of intelligence gathering that is tolerated by many countries is diplomatic missions that include, for example, the posting of military attachés to an embassy. Their job is to socialize and gather military-related data openly. Espionage, on the other hand, is covert and criminalized around the world. Words such as spying are very often associated with espionage, and espionage activities can be targeted against states, individuals, and, of course, companies.
Social media has revolutionized how we interact with our friends, family, and the rest of society. It is easily forgotten that Facebook was only launched in Finland as recently as 2007. After Facebook, the world has also seen an explosion of other social media platforms. It might be hard for many to imagine a world without WhatsApp, Instagram, TikTok, or the latest trending platform. We upload our CVs to LinkedIn, publish our hobbies and private life on Instagram, and chat away on WhatsApp.
While this is very convenient (and people really want to share their hobbies etc. voluntarily online), it also leads to another problem: the ever-growing digital footprint. As we know, businesses get compromised through people and their – as well as the company’s own – digital footprint, so there might be risks in publishing unnecessary, detailed information. A digital footprint is anything that can be found about you or your company, mostly online. Have you ever googled yourself or your company? Not all of us are aware – or just don’t care – that all this information is available to the whole world. Unfortunately, not all people on the internet have good intentions, and this wealth of information is also readily available to criminals and other malicious actors.
For a hacker, there are very few better things than leaked username-password lists with associated email addresses. Do you remember all that talk about not having users’ passwords in plain text in the user database? Users have a bad but human habit of reusing passwords (as well as usernames if they are allowed to choose). If a malicious actor has access to a leaked database, of which there are several from past leaks circulating on the dark web, they might be very tempted to check whether the person’s password is still valid somewhere else. Especially if the person has used their company email address for private purposes, there is a very straightforward path to knock on the employer’s company portal or AD.
OSINT is an integral part of the attack preparations when it comes to, for example, phishing campaigns. Phishing is a form of social engineering where criminals try to gain sensitive information from people or get them to install ransomware or other malware in their systems, usually by pretending to be someone else (to read more about social engineering, see Hanna Raitanen’s blog post here). There is a good chance that if you investigate your spam folder, you will find several phishing emails there. To be more effective, criminals might first map employees of a certain company from LinkedIn and, after the initial intelligence gathering, start to profile the people that they consider key employees. Profiling is usually done via social media platforms, where you can easily approach people directly. When it’s time for contact, the gathered nitty-gritty details come in handy. This, of course, is dishonest behavior. The only goal is to extract even more information from the target to leverage it later in an attack, as people tend to be less vigilant on social media platforms than when an unknown person calls or emails them.
Nowadays, more specialized services are available over the web, making OSINT much more easily accessible than before. A good example is a web service called Shodan – which is available to anyone with a web browser. It is basically a database of different scanned IP addresses, and you can access the IP’s basic information like open ports, version information, etc. This information can be used to prepare for an attack on the company’s infrastructure without scanning the services manually, which might alert the victim’s security components. Open database ports, or any other unsafe services accessible from the public internet, are an open invitation to an attacker. Have you ever shodaned (yes, I invented a new word) your company’s public IP ranges?
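As an added example (not part of the original post and not code from Shodan), here is one way to run that check on your own address space: filter an export of scan records down to the company's public ranges and flag database and remote-access ports. The record field names, the port watch list and the sample data are assumptions constructed for illustration; they are not Shodan's export schema.

```python
import ipaddress

# Ports that should rarely be reachable from the public internet
# (assumption: this watch list is illustrative, adjust it to your own policy).
RISKY_PORTS = {
    23: "Telnet", 445: "SMB", 1433: "MSSQL", 3306: "MySQL", 3389: "RDP",
    5432: "PostgreSQL", 6379: "Redis", 9200: "Elasticsearch", 27017: "MongoDB",
}

# Constructed sample: the company's own public ranges (RFC 5737 documentation space).
COMPANY_RANGES = ["203.0.113.0/24", "198.51.100.64/26"]

# Constructed sample records; the field names are hypothetical.
SAMPLE_RECORDS = [
    {"ip": "203.0.113.10", "port": 443, "product": "nginx", "version": "1.18.0"},
    {"ip": "203.0.113.25", "port": 3306, "product": "MySQL", "version": "5.7.33"},
    {"ip": "198.51.100.70", "port": 3389, "product": "Remote Desktop", "version": ""},
    {"ip": "198.51.100.10", "port": 27017, "product": "MongoDB", "version": "4.0"},  # outside the /26
    {"ip": "not-an-ip", "port": 22, "product": "OpenSSH", "version": "8.2"},         # malformed
    {"ip": "203.0.113.25", "port": 3306, "product": "MySQL", "version": "5.7.33"},  # duplicate
]

def audit_exposure(records, ranges, risky_ports=RISKY_PORTS):
    """Return (findings, skipped): risky services found inside our own ranges."""
    networks = [ipaddress.ip_network(r) for r in ranges]
    findings, skipped, seen = [], [], set()
    for rec in records:
        try:
            addr = ipaddress.ip_address(rec["ip"])
            port = int(rec["port"])
        except (KeyError, ValueError, TypeError):
            skipped.append(rec)          # malformed record: keep for manual review
            continue
        if not any(addr in net for net in networks):
            continue                     # not our address space: out of scope
        if port not in risky_ports or (addr, port) in seen:
            continue                     # acceptable port, or already reported
        seen.add((addr, port))
        findings.append({"ip": str(addr), "port": port,
                         "service": risky_ports[port],
                         "banner": f'{rec.get("product", "")} {rec.get("version", "")}'.strip()})
    return sorted(findings, key=lambda f: (ipaddress.ip_address(f["ip"]), f["port"])), skipped

if __name__ == "__main__":
    found, bad = audit_exposure(SAMPLE_RECORDS, COMPANY_RANGES)
    for f in found:
        print(f'{f["ip"]}:{f["port"]} {f["service"]} ({f["banner"]})')
    print(f"{len(bad)} record(s) skipped as malformed")
```

Each finding is a service to close, firewall or move behind a VPN; the version banner shows what an outside observer can already read about it.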
So, what can companies and private citizens do themselves?
One good way to start is to map the current situation by asking some questions, namely: What can one find out about their company by simply googling? Or, for the more advanced, by using other complementary OSINT techniques? Every company and private person should be asking themselves these questions. As mentioned, simple googling already gets you going, but for more advanced analysis and profile building, these assignments should be given to professionals.
OSINT professionals with proper tools can form a comprehensive picture of the internet/digital footprint in an easily accessible format. As with many other projects, the visualization of the data gathered is paramount, especially when there is a huge amount of it. It doesn’t take a large organization to reach the point where there is so much data that it becomes hard to interpret and analyze efficiently. Luckily for us, there are a number of tools used by professionals that make this task more manageable. In the intelligence world at large, it is not the data itself that is valuable, but the analyzed product derived from that data.
We at Nixu have successfully completed many kinds of OSINT projects, be it as a separate OSINT project concerning a person or a company, or as a part of intelligence gathering in larger Red Teaming projects. We are very happy to help organizations and companies map out their digital footprint and assess the possibilities to limit or mitigate the impact it might have from a cybersecurity point of view. Via OSINT means, it is also possible to find out if any passwords, usernames, or other sensitive information have already been leaked to the internet.
If you are interested in these kinds of services, feel free to contact us directly.
Technology Lead, Defence and Strategic Technologies, Advisory