OSINT, or open source intelligence, is information about threats collected from publicly available sources. The CIA defines OSINT as information “drawn from publicly available material, including:
- The Internet
- Traditional mass media (e.g., television, radio, newspapers, magazines)
- Specialized journals, conference proceedings, and think tank studies
- Geospatial information (e.g., maps and commercial imagery products)”
Given society’s current communication methods, one could almost bullet the last four items under “the Internet.” All viable businesses have robust online presences, and people of all ages and across all geographies and ethnic groups engage in social media. There are no barriers to social media, and this, in and of itself, presents both opportunities and challenges.
Online All the Time
For corporations, the opportunity to interact with customers at a deeper—and more trackable—level is staggering. Marketing teams now have the ability to understand the efficacy of their campaigns in a way they didn’t when print ads, billboards, TV, and radio were the primary means of information sharing. On the flip side, customers have the chance to engage with companies like never before as well. Have a bad customer service experience? Tweet it out, using hashtags and user handles. Need an answer from a company right away? Tag them on Facebook. Consumers can and do post scathing reviews on Yelp, TripAdvisor, or Jabber. Once the information is out there on the World Wide Web, guess what? It’s out there. Individual postings or reviews can be deleted by the person who originally posted the claim or removed by the hosting site on behalf of the affected organization (depending on site rules and if the post is found to be without merit), but most information security professionals know that nothing ever really gets deleted from the Internet.
There has been a lot of talk lately about how social media poses information security risk. The argument against this is that it’s the behavior—the people—behind the posts who are the real risk. I would argue, however, that actions and behaviors are ephemeral but the Internet is forever. (Consequently, understanding that one bad decision can haunt a person forever may have transformative effects on behavior.)
Ask any corporate executive about his or her top concerns for the organization and reputational damage is sure to be at the top of the list, along with financial loss and IP (intellectual property) theft. Managed well, over the long haul, companies have proven that they can bounce back from a breach or uppercut to their brand. It takes a lot of effort, time, and money to come out clean, though, and those are resources that could be allocated elsewhere if they’re not tied up in HR, legal, and PR.
Not to be outdone, financial and IP loss can devastate a company (just ask Nortel). While adversaries use many means by which to access sensitive information, once they have it in hand (or on screen, as the case may be), expect that it’s somewhere on the Internet.
Threat actors are people too. Just like you and me, they engage in social media and want to share their successes with their online friends. Their communities may be discussing how to harm a group of people or organizations, but it is a fact that attackers use the Internet to communicate. If one looks in the right places, pieces of information can be harvested and pieced together to form a timeline of events leading up to an adversarial act, and illustrate the actions taken to affect damage. OSINT “is ever-growing and the process is still being developed for managing it,” says Lance James, Global Cyber Intelligence Advisor at Unit 221b and Chief Scientist at Flashpoint. The government has historically relied on classified information, explains James, but they, too, have begun incorporating OSINT into their intelligence process because of the rich context it provides.
Security vendors offer threat intelligence solutions that rely on OSINT as their source. These tools can be extremely helpful; they automatically scrape the Internet to collect and aggregate relevant data for a client, then present it in an easy-to-use dashboard that highlights areas of concern. Organizations using these tools tout their effectiveness. The fact that the threat intelligence industry is booming is evidence that OSINT is a big f^(king deal – no CFO would sign a check if the company weren’t reaping benefits of knowing what information that’s hanging out on the Internet could be an indicator of future brand damage, financial loss, or IP theft.
OSINT is Here to Stay
It’s important for organizations to seek past and current information living on the Web; looking back over a timeline can be illuminating and help companies determine their future social media strategy or internal controls. A company caught unaware might face unexpected consequences. Let’s say your company was the subject of a social media smear campaign that was not addressed or not sufficiently addressed and the only information job seekers have about your company is what they see on your website and what they find through Internet searches. A number of outside negative experiences with your company compared to one glossy website may lead the candidate to look elsewhere, or at least become skeptical of the company and its culture. Either way, damage is done. The loss of potential job candidates is a mild example; more concerning is when IP is going out the door.
Developers rushing through a release cycle might post code to Github in the hopes of exacting a little assistance. Even after help is received and the post is deleted by the original user, it’s still possible for that post to appear elsewhere on the Web—it could have been copied and pasted by another user the instant it was put online, it could live in cache. Depending on the project, the appearance of this code in one forum could mean another organization is using the code to create the same or similar software/applications/widgets or it’s being examined by another type of enterprising user and your company is about to be hacked.
“OSINT is the bulk of available intelligence,” says Blask. There is nothing secretive or sophisticated about finding or using it, and organizations should do both. OSINT contributes another, very important element to managing risk, adds Blask: context. Companies should have their own internal telemetry from logs and other source data, but context from outside that dataset will provide necessary details around the potential impact, timing, and likelihood of an incident. “The specificity of privately developed intelligence is most useful when embedded in the much larger base of OSINT, which both provides opportunity to validate private intelligence and fills out the surrounding context,” offers Blask.
All companies are in the business of managing risk. When a new product is launched, risk is involved. When a company enters a new market, risk must be calculated. Risk is part of every company’s nomenclature. Some risks, though, like social media risk or the risk of unintentionally leaked data, aren’t as comfortable for executive teams and they don’t yet know how to manage those risks. Saying, though, that these risks aren’t as real as others or that they don’t need to be managed is a big mistake.
Make use of OSINT in your organization if you aren’t already. Commercial tools may be beneficial, and many offer functionality beyond simple data collection and aggregation. For those that can’t or don’t want to allocate budget, leverage existing SEIM or antivirus, set up search alerts, and take advantage of the DHS and US-CERT collaborations on TAXII™, STIX™, and CybOX™, which are open and free for the public.
Anyone who doesn’t think OSINT is a big deal probably doesn’t work for the DHS. While most of the U.S. was watching Super Bowl 50, hackers dumped the names, titles, email addresses, and phone numbers of 9,355 DHS employees on Twitter. The group responsible for the hack claims 20,000 FBI employees are next. Then there was Ashley Madison – anybody who knows where to look can still find his or her cheating spouse’s account info online.
None of this is going away. Security professionals do their best to clean up the messes, but a fact of using the Internet is that OSINT lives on long after we’re gone. To manage a company’s risk, the company must consider all categories of information it puts near Internet-facing systems, and then those that are not within their control, like Twitter, LinkedIn, Instagram, and more. While no company can dictate what others type about them online, successful companies proactively seek and manage that which pertains to its assets (including individual employees, especially top-ranking executives). It’s critical for organizations to monitor their brand and IP, through existing tools, open source solutions, and/or vendor offerings. By combining internal telemetry and OSINT, an organization will have a clearer picture as to what risks they need to manage and build a roadmap for future success. Says James, “The goal with intelligence (be it OSINT or All-Source) is to make a decision before it's too late, so know the data. What's the point of having intelligence if you're only using it to react?"