OSINT, short for “open-source intelligence,” refers to information obtained from publicly available sources to produce actionable intelligence. If you’ve never come across the term “actionable intelligence” before, it is the data cybersecurity specialists use to thwart cyber attacks, prevent threats from entering their networks, or mitigate ongoing attacks.
OSINT is primarily used for national security, law enforcement, and business intelligence gathering.
Contents
- What Are the Usual OSINT Sources?
- What Are the Uses of OSINT?
- What Are the Top OSINT Tools?
- Key Takeaways
OSINT, as mentioned earlier, is open-source, but that doesn’t mean it always comes from published sources. Some OSINT content can be covert or secret, meaning that not everyone can access it without the required credentials (e.g., a national enforcement or media ID or the owner’s permission).
What Are the Usual OSINT Sources?
Anyone investigating cyber threats can rely on the following OSINT sources:
- News articles or media (e.g., TV and radio) reports
- Published research
- Books and similar references
- Social media posts
- Census data
- Phone directories
- Court filings
- Arrest records
- Public trading data
- Public surveys
- Contextual location-related data
- Breach or compromise disclosure information
- Publicly shared indicators of compromise (IoCs) like IP addresses, domains, or file hashes
- Certificate or domain registration data
- Application or system vulnerability data
What Are the Uses of OSINT?
OSINT users aim to extract and analyze publicly accessible data to gain insights to improve decision-making and create an action plan. While only cybersecurity professionals initially employed it, its applications have expanded to include business functions.
1. Understand the Threat or Business Landscape
Cybersecurity specialists use OSINT to understand the current threat landscape to defend individuals and organizations. An example would be obtaining a list of the top threats to create specific policies to protect users.
Business users, meanwhile, can use OSINT to gauge the competition—see what their top rivals are up to (e.g., mergers, acquisitions, etc.)—and come up with better sales and marketing strategies.
2. Pinpoint Risks
In cybersecurity, OSINT such as vulnerability data can help organizations identify weaknesses in their networks and address potential risks by installing patches, for example. Security teams typically use the data for penetration testing.
In business, OSINT, such as publicized upcoming product releases, can help companies go to market first should they wish to.
3. Create Threat Actor Profiles
OSINT collection and analysis can also provide context on threats targeting an organization. Contextualization can answer questions like:
- Who is responsible for the attack?
- What tools and tactics are the attackers employing?
- What are the potential threat sources that require blocking or, at least, monitoring?
4. Threat Source Blocking
OSINT is probably most useful to prevent threats from infiltrating corporate networks. Including IoCs in blocklists is the primary means to do that.
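The blocklisting step described above, as an added example that is not part of the original page: it turns a publicly shared IoC list into separate IP, domain, and hash blocklists while refusing to block internal addresses or allowlisted domains. The function names, the allowlist, the internal ranges, and the sample feed (documentation IP ranges and the reserved `.test` TLD) are constructed assumptions.

```python
import ipaddress
import re

# Constructed sample feed (not real indicators): defanged, duplicated, and noisy on purpose.
SAMPLE_FEED = """\
# shared IoC list (constructed for this example)
203.0.113[.]45
hxxp://malicious-example[.]test/login
198.51.100.7
10.0.0.5
EXAMPLE.com
203.0.113.45
0123456789abcdef0123456789abcdef
not an indicator
"""
# Assumptions: domains the organization must never block, and its own address space.
ALLOWLIST = {"example.com"}
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")
HASH_RE = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$")  # MD5, SHA-1, SHA-256

def refang(value):
    """Undo common defanging and reduce a URL to its host so a filter can match it."""
    value = value.strip().lower().replace("[.]", ".").replace("(.)", ".")
    value = re.sub(r"^h(?:xx|tt)ps?://", "", value)
    return value.split("/")[0]

def build_blocklist(feed, allowlist=ALLOWLIST):
    """Sort feed lines into IP, domain and hash sets; return what was skipped and why."""
    block = {"ip": set(), "domain": set(), "hash": set()}
    skipped = []
    for raw in feed.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        ioc = refang(raw)
        try:
            ip = ipaddress.ip_address(ioc)
        except ValueError:
            ip = None
        if ip is not None and any(ip in net for net in INTERNAL_NETS):
            skipped.append((ioc, "internal address"))  # would cut off the organization's own hosts
        elif ip is not None:
            block["ip"].add(str(ip))
        elif HASH_RE.match(ioc):
            block["hash"].add(ioc)
        elif DOMAIN_RE.match(ioc) and ioc not in allowlist:
            block["domain"].add(ioc)
        else:
            skipped.append((ioc, "allowlisted" if ioc in allowlist else "unrecognized"))
    return block, skipped
```

Reviewing the skipped list before deployment shows which shared indicators were rejected and why, which matters because public feeds are not vetted for a given environment.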
What Are the Top OSINT Tools?
While everyone can obtain OSINT, not all sources come free of charge. In fact, users who wish to gain the most insight may need to pay for it.
- Maltego: A paid tool that uses data from nearly 60 sources to produce graphs from a single input, such as an IP address, to identify the domains hosted on it, for example.
- SEON: A paid tool that lets users confirm a person’s identity by providing linked social media and other online account profiles from 50 sources.
- Lampyre: A paid tool that takes a company registration number, full name, or phone number as input to provide information on its owner from more than 100 sources.
- Google: Using advanced filters, the search engine and others like it can provide additional information on practically anything. Best of all, it comes free of charge and isn’t limited to cybersecurity.
- Recon-ng: A free tool that provides technical information on websites. The caveat—since it’s free, the data it provides is limited.
- SpiderFoot: A paid tool designed explicitly for asset discovery and attack surface management (ASM).
- Spokeo: A paid tool that provides U.S. citizenship information.
- Email checkers: Paid tools that check whether an email address exists.
- PhoneInfoga: A paid tool for phone number lookups.
—
While OSINT tools and sources were designed to help cybersecurity and other legitimate professionals address risks and threats more effectively, threat actors and malicious users employ them, too.
Key Takeaways
- OSINT is data obtained from publicly available sources and used to produce actionable intelligence.
- OSINT helps users understand the threat or business landscape, pinpoint risks, create threat actor profiles, and block access to threat sources.
- Typical OSINT sources include news articles or media reports, published research, books and similar references, social media posts, census data, phone directories, court filings, arrest records, public trading data and surveys, contextual location-related data, breach or compromise disclosure information, publicly shared IoCs, certificate or domain registration data, and application or system vulnerability data.