OSINT stands for "Open-Source Intelligence" and refers to a method of collecting, evaluating, and analyzing publicly available information to generate insights for decision-making. In cyber security it can be used by security experts or by cybercriminals. Originally part of military intelligence activities, it was used alongside SIGINT (Signals Intelligence: intelligence from intercepted communications) and HUMINT (Human Intelligence: intelligence from human sources) for national security and the formulation of military strategy. Today, OSINT has spread to the private sector and is used daily by many companies and non-profit organizations.
The public information collected by OSINT is diverse. It includes information released by the government, information widely accessible from the Internet, books and news articles, etc.
To utilize OSINT, it is first necessary to understand the process. Collecting and analyzing public information is only one step; on its own it does not make a complete process. The series of steps in OSINT, from careful planning through converting collected information into meaningful intelligence, is called the intelligence cycle.
In terms of the intelligence cycle, these are the stages by which OSINT activities are carried out to combat cyber threats as part of a company's cybersecurity measures.
In the first stage, planning, you assess the security threats and risks your company faces, identify what information you need, and set objectives and priorities for collecting that information.
Next, in the collection stage, data is gathered from public sources based on the specified information needs. These sources could include the dark web, social media, specialized security blogs and news sites, public vulnerability databases (such as CVE listings), etc. This stage may also involve the use of dedicated OSINT tools and web scraping techniques.
The collected information is voluminous and unstructured, so in the processing stage it is converted into a form suitable for analysis: data is filtered and standardized, and unimportant information is removed. Effective processing at this stage largely determines the quality of the subsequent analysis.
The data is then subjected to threat analysis, which includes identifying vulnerabilities that cyber attackers may exploit, identifying attack patterns, and assessing the attackers' intent and capabilities. From the analysis, companies can understand the specific threats they face and their countermeasures, prioritize them, and develop a response plan.
Finally, the generated threat intelligence is disseminated to the relevant decision makers (IT departments, management, and sometimes peers in other industries or government agencies). The cycle may then continue based on the decision makers' feedback. Keep in mind that the role of intelligence is not just to collect information but to use it effectively and contribute to achieving the organization's goals. To do this, communication with decision makers is essential at every stage, from planning to sharing, and you should always be aware of what the decision makers actually need.
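The processing and analysis stages described above are where most of the practical work happens. The following Python script is an added example, not code from the original article or from Trend Micro: it takes constructed records of the kind a collection step might pull from a public vulnerability feed, normalizes and deduplicates them, discards malformed and stale entries, keeps only those that touch products in a hypothetical asset inventory, and ranks the remainder by severity. All CVE identifiers, product names, scores and dates in it are made up for illustration.

```python
"""Added example: processing and analysis steps of the OSINT intelligence
cycle applied to vulnerability records. Not part of the original article."""
from dataclasses import dataclass
from datetime import date, timedelta
import re

# Canonical CVE identifier form: CVE-YYYY-NNNN (four or more digits).
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")


@dataclass(frozen=True)
class Finding:
    cve_id: str
    product: str
    cvss: float
    published: date


# Constructed "collected" records: mixed case, duplicates, bad ids and scores.
RAW_RECORDS = [
    {"id": "cve-2024-0001", "product": "ExampleVPN Gateway", "cvss": "9.8", "published": "2024-05-01"},
    {"id": "CVE-2024-0001", "product": "examplevpn  gateway", "cvss": "9.8", "published": "2024-05-01"},  # duplicate
    {"id": "CVE-2024-0002", "product": "Example Mail Server", "cvss": "5.3", "published": "2024-04-20"},
    {"id": "CVE-2023-9999", "product": "Example Mail Server", "cvss": "7.5", "published": "2023-01-15"},  # stale
    {"id": "not-a-cve", "product": "Example Mail Server", "cvss": "4.0", "published": "2024-05-02"},      # malformed id
    {"id": "CVE-2024-0003", "product": "Unrelated Product", "cvss": "9.9", "published": "2024-05-03"},    # not in inventory
    {"id": "CVE-2024-0004", "product": "Example Mail Server", "cvss": "n/a", "published": "2024-05-03"},  # unparsable score
]

# Hypothetical asset inventory of the organization (constructed, lower-cased).
ASSET_INVENTORY = {"examplevpn gateway", "example mail server"}


def normalize(record):
    """Standardize one raw record into a Finding; return None if unusable."""
    cve_id = str(record.get("id", "")).strip().upper()
    if not CVE_RE.match(cve_id):
        return None
    try:
        cvss = float(record["cvss"])
        published = date.fromisoformat(record["published"])
    except (KeyError, TypeError, ValueError):
        return None
    if not 0.0 <= cvss <= 10.0:
        return None
    # Collapse case and whitespace so product names match the inventory.
    product = " ".join(str(record.get("product", "")).lower().split())
    return Finding(cve_id, product, cvss, published)


def process(records, inventory, today, max_age_days=90):
    """Processing stage: normalize, deduplicate by CVE id, scope to inventory, drop stale."""
    cutoff = today - timedelta(days=max_age_days)
    seen = set()
    kept = []
    for rec in records:
        finding = normalize(rec)
        if finding is None or finding.cve_id in seen:
            continue
        seen.add(finding.cve_id)
        if finding.product not in inventory or finding.published < cutoff:
            continue
        kept.append(finding)
    return kept


def prioritize(findings):
    """Analysis stage: rank by CVSS, then recency, then id for a stable order."""
    return sorted(findings, key=lambda f: (-f.cvss, -f.published.toordinal(), f.cve_id))


def run(today=date(2024, 5, 10)):
    """Full processing + analysis pass over the constructed records."""
    return prioritize(process(RAW_RECORDS, ASSET_INVENTORY, today))


if __name__ == "__main__":
    for f in run():
        print(f"{f.cve_id}  CVSS {f.cvss:>4}  {f.product}  published {f.published}")
```

With the constructed input, only the two in-scope, current, well-formed entries survive, ordered by severity. The `max_age_days` cutoff is the simplest form of the validity check the article recommends later; a real pipeline would also record the source of each entry so that analysts can judge its reliability.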
Recently, OSINT tools for cyber threats have become increasingly sophisticated, making it possible to gather the necessary information efficiently. Here are some OSINT tools that are widely used in practice.
A search engine that finds devices connected to the Internet which would not turn up in a general web search (such as a Google search). It collects port numbers, IP addresses, and location information of publicly reachable servers and IoT devices. It can be used to check what vulnerability-related information your own exposed systems reveal and whether their access controls are adequate.
A data correlation and visual analysis tool that allows you to visually map relationships between people, groups, organizations, websites, internet infrastructure, social networks, etc. It helps you understand the big picture that connects information by visualizing complex relationships.
By combining advanced search operators, Google's search function can efficiently extract detailed information and specific data that ordinary searches do not surface. This use of search operators is called "Google Dorks"; it only reveals information Google has already indexed, which is displayed in the search results. With it you can check whether your organization has accidentally published information that should not be public.
Examples of search operators used in Google Dorks:
cache: shows Google's cached version of a particular web page
filetype: shows documents in a specific file format
imagesize: shows images of a specific size
site: restricts results to a specific website
inurl: shows pages that contain a specific word in the URL
intitle: shows web pages that contain a specific word in the page title
So far, we have introduced the meaning of OSINT and the tools it uses. When using OSINT, you should also be aware of the following:
OSINT uses public information as its primary data source, but you should always verify the reliability and accuracy of that information. Just because a source is public does not mean its content is accurate, so it is especially important to be vigilant against disinformation and misinformation.
Information gained through OSINT can become outdated over time, so it needs to be regularly updated, and its validity continually evaluated. Also, due to the volume of data collected, it is important to have an effective data management system to keep it organized and accessible.
Taking these precautions into account, clear policies should be set in advance when promoting the use of OSINT in an organization. Collecting and selecting OSINT information also requires know-how, so sharing best practices within the organization helps it adopt OSINT more efficiently.
At Trend Micro, we use open-source intelligence (OSINT) to create research reports on key trends in the ransomware threat landscape.
We combine OSINT data with data from the leak sites of RaaS and extortion groups and from the Trend Micro™ Smart Protection Network™.
In recent research built on Trend Micro's OSINT, we discussed in depth our monitoring of the ransomware landscape during the second half of 2023, with a focus on the families responsible for the highest number of attacks: LockBit, BlackCat, and Clop.