Information is everywhere, and there is an infinite amount of it. The same cannot be said for intelligence. Gathering relevant intelligence for a cybersecurity investigation is a challenging task, especially when operating with limited or no information about the adversary.
What is OSINT?
OSINT, which stands for Open Source Intelligence, in simple terms, is any information available from public sources on the Internet or even from physical artifacts such as books, newspapers, or magazines.
In the context of cybersecurity, we primarily deal with information available on the Internet. Any information that is public, free, and legal falls within the criteria of OSINT. Armed with the right information, researchers or investigators can demystify challenging threats and shine a light on the threat actors behind them.
How do security analysts use OSINT?
OSINT, as a concept, is quite straightforward. Each one of us performs some daily tasks which are crude examples of OSINT. This could include things like searching for specific information on search engines, reading public forums to learn a certain concept, or browsing a job platform to find a vacancy in a certain company.
However, for a cybersecurity professional, using OSINT is much more than simply making a search query on Google. Due to the abundance of user data generated on the internet every second, it is important for security professionals to use the right tools and techniques to get the most out of the information available in the public domain.
Let us consider the scenario of a security analyst working in the Security Operations Center (SOC) of a large organization.
On an otherwise dull weekend day, the analyst notices an alert flashing on his dashboard. A certain device within the network is transferring data to an unknown IP address. The analyst checks the device process but cannot figure out the purpose of the process sending the data. This makes the situation suspicious, but he is not sure whether the process is legitimate, as the user may have installed some unregistered application.
In this scenario, the security analyst needs to investigate the matter and make sure there is no malicious activity taking place on the network.
Nowadays, organizations are often equipped with multiple internal and external sources of threat information including the tools deployed within their network, paid TI sources, TI shared by peer organizations and advisories from regulatory bodies.
However, within the context of the evolving threat landscape with countless threat vectors, it is impossible to find the necessary threat intel among all these sources. This is where OSINT comes into play. By leveraging OSINT-based tools, a security analyst can effectively break through the barriers of a limited intel pool to obtain the necessary intel.
OSINT in the context of Threat Intelligence Operations
Analogous to a technology stack, threat intelligence can be visualized in the form of an information or knowledge stack.
It starts with the low-level indicators such as IP addresses, email addresses, or user agent strings which are often visible in the system logs.
These indicators, when combined with computed data like malware file hashes, can be quite effective for matching against the data obtained from other attacks on different organizations. This kind of data is available publicly, as organizations often share key threat intel in their security notices.
Going a step further, these indicators can be connected to the behavioral indicators of the threat actors. The threat actors often employ a specific set of Tactics, Techniques, and Procedures (TTPs) to compromise their targets. By establishing relations between the low-level indicators and behavioral indicators like TTPs of the adversary, the security teams can understand if the incident is a part of an attack campaign or just a one-off event.
By studying this information over time and tracking information available from other public reports, analysts can put together a sufficient amount of threat intel to develop a strategy to defend against the threat actors. Furthermore, the intent of the threat actors can also be studied or predicted from a detailed investigation like this.
Thus, various sources of OSINT at different stages of an investigation can prove to be a boon for threat intelligence operations.
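As an added example (not part of the original article, and not Cyware's product code), the following Python sketches the knowledge stack described above for the SOC scenario: it extracts low-level indicators from a constructed log line, matches them against a constructed stand-in for publicly shared intel, and decides whether the alert looks like part of a campaign or a one-off. All log values, the hash, source names, campaign names and TTP labels are made up; the IP addresses come from documentation ranges.

```python
import re
from collections import Counter

# Constructed sample log line for the scenario above: a workstation process sending
# data to an unknown address. IPs are documentation-range values; the hash is made up.
ALERT_LOG = ("2024-03-02T09:14:05Z host=ws-117 proc=syncagent.exe "
             "sha256=" + "ab" * 32 + " dst=203.0.113.45:443 "
             "ua=\"SyncAgent/1.2 (Windows NT 10.0)\"")

# Constructed stand-in for intel gathered from public sources (vendor notices, ISAC
# bulletins, peer organizations): each entry ties a low-level indicator to a
# campaign name and a behavioral indicator (TTP).
SHARED_INTEL = [
    {"type": "ip", "value": "203.0.113.45", "source": "vendor-notice-A",
     "campaign": "SAMPLE-CAMPAIGN-1", "ttp": "exfiltration over HTTPS"},
    {"type": "sha256", "value": "ab" * 32, "source": "isac-bulletin-B",
     "campaign": "SAMPLE-CAMPAIGN-1", "ttp": "exfiltration over HTTPS"},
    {"type": "ip", "value": "198.51.100.7", "source": "peer-org-C",
     "campaign": "SAMPLE-CAMPAIGN-2", "ttp": "DNS tunnelling"},
]

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value or key="quoted value"

def extract_indicators(log_line):
    """Pull the low-level indicators (destination IP, file hash, user agent) out of one log line."""
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(log_line)}
    out = {}
    if "dst" in fields:
        out["ip"] = fields["dst"].rsplit(":", 1)[0]  # drop the port
    if "sha256" in fields:
        out["sha256"] = fields["sha256"].lower()
    if "ua" in fields:
        out["user_agent"] = fields["ua"]
    return out

def correlate(indicators, intel):
    """Return the shared-intel entries whose indicator value appears in the alert."""
    return [e for e in intel if indicators.get(e["type"]) == e["value"]]

def assess(matches):
    """Call it a campaign only when two independent sources agree on the same
    campaign and TTP; a single hit is noted but not over-interpreted."""
    if not matches:
        return "no_public_intel"
    votes = Counter((m["campaign"], m["ttp"]) for m in matches)
    (campaign, ttp), n = votes.most_common(1)[0]
    sources = {m["source"] for m in matches if m["campaign"] == campaign}
    if n >= 2 and len(sources) >= 2:
        return f"campaign:{campaign} via {ttp}"
    return "single_indicator_match"
```

In practice the `SHARED_INTEL` list would be replaced by feeds pulled from the public sources the article lists, and the IP and hash would be extracted from the real alert.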
Sources and Tools for OSINT
High-quality OSINT can be found from various sources like online articles on trusted sites, security conferences, and specialist cybersecurity mailing lists. The industry sectors which have Information Sharing and Analysis Centers (ISACs) can also be great sources of information.
Some of the issues security analysts face while working with OSINT sources include filtering information from different sources, finding the most relevant information from noisy sources, communicating the key intel with other members in the security team in a precise way, creating alerts to track the necessary updates and incidents, and managing it all from a single platform.
Security analysts can leverage the benefits of OSINT and tackle the issues faced in the process by incorporating Cyware’s Cyber Threat Intel Exchange (CTIX) platform to streamline and optimize their CTI operations.
CTI platforms enable the creation of detailed threat analysis through collaboration among peer organizations sharing relevant, enriched, and structured threat information.