When it comes to information, it is everywhere and it is infinite. However, we can’t say the same for intelligence. Gathering relevant intelligence for a cybersecurity investigation is a challenging task, especially when operating with limited or no information about the adversary.
What is OSINT in Cybersecurity?
OSINT stands for Open Source Intelligence, which in simple terms refers to any information available from public sources on the Internet or even from physical artifacts such as books, newspapers, or magazines.
In the context of cybersecurity, we primarily deal with information available on the Internet. But what counts as open source information? Any information that is public, free, and legal to access falls within the criteria of OSINT. Armed with the right information, researchers and investigators can demystify challenging threats and shine a light on the threat actors behind them.
How do Security Analysts Use OSINT?
OSINT, as a concept, is quite straightforward. Each one of us performs some daily tasks which are crude OSINT use cases. This could include things like searching for specific information on search engines, reading public forums to learn a certain concept, or browsing a job platform to find a vacancy in a certain company.
However, for a cybersecurity professional, using OSINT is much more than simply making a search query on Google. Due to the abundance of user data generated on the internet every second, it is important for security professionals to use the right tools and techniques to get the most out of the information available in the public domain.
Let us consider the scenario of a security analyst working in the Security Operations Center (SOC) of a large organization.
On an otherwise dull weekend day, the analyst notices an alert flashing on his dashboard. A certain device within the network is transferring data to an unknown IP address. The analyst inspects the process on the device but cannot determine why it is sending the data. This makes the situation suspicious, but he cannot tell whether the process is legitimate, as the user may have installed an unregistered application. In this scenario, the security analyst needs to investigate the matter and make sure there is no malicious activity taking place on the network.
Nowadays, organizations are often equipped with multiple internal and external sources of threat information, including the tools deployed within their network, paid threat intel sources, threat intel shared by peer organizations, and advisories from regulatory bodies. However, in an evolving threat landscape with countless threat vectors, these sources alone frequently do not contain the threat intel an investigation needs. This is where OSINT comes into play. By leveraging an open source intelligence platform, a security analyst can break through the barriers of a limited intelligence pool to obtain the necessary intel.
OSINT in the Context of Threat Intelligence Operations
Analogous to a technology stack, threat intelligence can be visualized in the form of an information or knowledge stack. It starts with the low-level indicators such as IP addresses, email addresses, or user agent strings which are often visible in the system logs.
These indicators, when combined with computed data like malware file hashes, can be quite effective for matching against the data obtained from other attacks on different organizations. This kind of data is available publicly as the organizations often share key threat intel in their security notices.
Going a step further, these indicators can be connected to the behavioral indicators of the threat actors. The threat actors often employ a specific set of Tactics, Techniques, and Procedures (TTPs) to compromise their targets. By establishing relations between the low-level indicators and behavioral indicators like TTPs of the adversary, the security teams can understand if the incident is a part of an attack campaign or just a one-off event.
By studying this information over time and tracking information available from other public reports, analysts can put together a sufficient amount of threat intelligence to develop a strategy to defend against the threat actors. Furthermore, the intent of the threat actors can also be studied or predicted from a detailed investigation like this. Thus, various open source intelligence sources at different stages of an investigation can prove to be a boon for threat intelligence operations.
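The following script is an added example, not code from the original article, that walks the knowledge stack described above on constructed data: it pulls low-level indicators (destination IP, SHA-256 file hash, user agent) out of sample log lines, matches them against a constructed feed of the kind organizations publish in security notices, and rolls the matches up to named campaigns and ATT&CK technique ids so an analyst can judge "campaign or one-off". The log lines, the feed, the campaign names, and the indicator-to-technique mapping are all constructed for illustration (the IPs are from the RFC 5737 documentation ranges); only the ATT&CK ids themselves are real identifiers.

```python
import re
from collections import defaultdict

# Constructed key=value log lines (sample data, not from any real system).
SAMPLE_LOGS = [
    'ts=2024-05-04T09:12:01Z host=ws-17 proc=syncagent.exe dst=203.0.113.45 '
    'ua="SyncAgent/1.0" sha256=aa11bb22cc33dd44ee55ff6677889900aa11bb22cc33dd44ee55ff6677889900',
    'ts=2024-05-04T09:12:09Z host=ws-17 proc=syncagent.exe dst=203.0.113.45 '
    'ua="SyncAgent/1.0" sha256=aa11bb22cc33dd44ee55ff6677889900aa11bb22cc33dd44ee55ff6677889900',
    'ts=2024-05-04T09:15:33Z host=ws-03 proc=chrome.exe dst=198.51.100.7 '
    'ua="Mozilla/5.0" sha256=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef',
]

# Constructed feed modelled on publicly shared indicator lists: each entry ties one
# indicator to a campaign label and the ATT&CK techniques reported for it.
# Campaign labels and the mapping are placeholders; the T-ids are real ATT&CK ids.
SAMPLE_FEED = [
    {"type": "ip", "value": "203.0.113.45", "campaign": "CAMPAIGN-A",
     "ttps": ["T1041"], "source": "isac-notice"},
    {"type": "sha256",
     "value": "aa11bb22cc33dd44ee55ff6677889900aa11bb22cc33dd44ee55ff6677889900",
     "campaign": "CAMPAIGN-A", "ttps": ["T1547.001"], "source": "vendor-blog"},
    {"type": "user_agent", "value": "SyncAgent/1.0", "campaign": "CAMPAIGN-A",
     "ttps": ["T1071.001"], "source": "mailing-list"},
    {"type": "ip", "value": "198.51.100.250", "campaign": "CAMPAIGN-B",
     "ttps": ["T1071.001"], "source": "vendor-blog"},
]

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Split a key=value log line into a dict, dropping surrounding quotes."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def extract_indicators(line):
    """Pick the observables that shared intel is usually keyed on."""
    fields = parse_line(line)
    found = {}
    if "dst" in fields:
        found["ip"] = fields["dst"]
    if "sha256" in fields:
        found["sha256"] = fields["sha256"].lower()
    if "ua" in fields:
        found["user_agent"] = fields["ua"]
    return found


def correlate(log_lines, feed):
    """Match every extracted indicator against the feed; one hit per match."""
    index = {(e["type"], e["value"].lower()): e for e in feed}
    hits = []
    for line in log_lines:
        fields = parse_line(line)
        for itype, value in extract_indicators(line).items():
            entry = index.get((itype, value.lower()))
            if entry is not None:
                hits.append({"host": fields.get("host"), "proc": fields.get("proc"),
                             "type": itype, "value": value, "campaign": entry["campaign"],
                             "ttps": entry["ttps"], "source": entry["source"]})
    return hits


def assess(hits):
    """Roll hits up per campaign and decide whether this looks like campaign activity."""
    per_campaign = defaultdict(lambda: {"hosts": set(), "types": set(),
                                        "ttps": set(), "sources": set()})
    for h in hits:
        c = per_campaign[h["campaign"]]
        c["hosts"].add(h["host"])
        c["types"].add(h["type"])
        c["ttps"].update(h["ttps"])
        c["sources"].add(h["source"])
    result = {}
    for name, c in per_campaign.items():
        # A lone IP match is weak evidence (addresses are reused and short-lived);
        # several independent indicator types agreeing on one campaign is much stronger.
        verdict = ("likely campaign activity" if len(c["types"]) >= 2
                   else "single indicator, needs corroboration")
        result[name] = {"verdict": verdict, "hosts": sorted(c["hosts"]),
                        "indicator_types": sorted(c["types"]), "ttps": sorted(c["ttps"]),
                        "sources": sorted(c["sources"])}
    return result


if __name__ == "__main__":
    for campaign, summary in assess(correlate(SAMPLE_LOGS, SAMPLE_FEED)).items():
        print(campaign, summary)
```

On the sample data the two ws-17 lines match all three indicator types for CAMPAIGN-A, so the host is reported as likely campaign activity with the three techniques attached, while the ws-03 line matches nothing. The per-campaign roll-up is what turns a pile of IoC hits into the "campaign or one-off" judgement described above.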
Sources and Tools for OSINT
High-quality OSINT can be found from various sources like online articles on trusted sites, security conferences, and specialist cybersecurity mailing lists. The industry sectors which have Information Sharing and Analysis Centers (ISACs) can also be great sources of information.
Some of the issues security analysts face while working with OSINT sources include filtering information from different sources, finding the most relevant information from noisy sources, communicating the key intel with other members in the security team in a precise way, creating alerts to track the necessary updates and incidents, and managing it all from a single platform.
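The filtering and noise problems listed above are concrete enough to show in code. The script below is an added example (not the article's own code or any product's logic) that merges indicators pulled from three constructed sources of differing reliability: it normalizes case and whitespace, drops values that can only be noise (RFC 1918, loopback, link-local and similar addresses, plus an allowlist of known-benign values), counts each source once per indicator no matter how often it repeats, combines per-source confidence with a noisy-OR rule, and only raises an alert record above a threshold. Source names, weights, the allowlist and every indicator value are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed pulls from three sources of different reliability (weights are
# assumed confidence values, not measurements). Note the repeats, stray
# whitespace, mixed case, internal addresses and a well-known benign resolver.
RAW_SOURCES = {
    "isac-feed":    {"weight": 0.9, "items": ["203.0.113.45", "203.0.113.45 ", "10.0.0.5", "EVIL.EXAMPLE"]},
    "public-paste": {"weight": 0.3, "items": ["203.0.113.45", "198.51.100.8", "8.8.8.8",
                                              "evil.example", "198.51.100.99"]},
    "vendor-blog":  {"weight": 0.7, "items": ["198.51.100.8", "Evil.Example", "192.168.1.1"]},
}
# Values that are known to be benign in this (constructed) environment.
ALLOWLIST = {"8.8.8.8"}

DOMAIN_RE = re.compile(r'^(?=.{1,253}$)(?:[a-z0-9-]+\.)+[a-z]{2,}$')
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_noise_ip(ip):
    """Addresses that can never be a useful external indicator."""
    return (ip.is_loopback or ip.is_link_local or ip.is_multicast or ip.is_unspecified
            or any(ip in net for net in INTERNAL_NETS))


def normalize(raw):
    """Return (type, value) for a usable indicator, or None for noise/garbage."""
    value = raw.strip().lower()
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:
        return ("domain", value) if DOMAIN_RE.match(value) else None
    return None if is_noise_ip(ip) else ("ip", value)


def aggregate(sources, allowlist=ALLOWLIST):
    """Merge sources into one table: indicator -> sources seen and combined score."""
    seen = defaultdict(dict)            # indicator -> {source name: weight}
    for name, src in sources.items():
        for raw in src["items"]:
            ind = normalize(raw)
            if ind is None or ind[1] in allowlist:
                continue
            seen[ind][name] = src["weight"]   # a repeat within one source counts once
    result = {}
    for ind, srcs in seen.items():
        # Noisy-OR: the chance every reporting source is wrong at the same time.
        miss = 1.0
        for w in srcs.values():
            miss *= 1.0 - w
        result[ind] = {"sources": sorted(srcs), "score": round(1.0 - miss, 3)}
    return result


def alerts(agg, threshold=0.5):
    """Only indicators with enough corroboration become alert records."""
    rows = [{"type": t, "value": v, **info}
            for (t, v), info in agg.items() if info["score"] >= threshold]
    return sorted(rows, key=lambda r: (-r["score"], r["value"]))


if __name__ == "__main__":
    for row in alerts(aggregate(RAW_SOURCES)):
        print(row)
```

With these inputs the internal addresses and the allowlisted resolver never reach the table, the domain reported by all three sources scores highest, and the address seen only in the low-confidence paste stays below the alert threshold until another source corroborates it. Weights and threshold are the knobs an analyst would tune per source rather than fixed constants.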
By automating open source intelligence via an advanced threat intelligence platform (TIP), security analysts can streamline and optimize their cyber threat intelligence operations, thereby benefiting from the OSINT model. TIPs enable the creation of detailed threat analysis through collaboration among peer organizations sharing relevant, enriched, and structured threat information.