What is Open Source Intelligence (OSINT)?


Overview

The internet and technological evolution have transformed the world into a small village. With the exponential growth of digital systems, information has become a critical asset for individuals and organizations. But cybercriminals often use this public information to plan an attack on a target system.

Open-source intelligence plays a significant role in extracting and analyzing publicly available information. There is no particular date on which open-source intelligence was first proposed, but people have been gathering intelligence from publicly available resources for hundreds of years.

What is OSINT?

Open Source Intelligence (OSINT) is the practice and art of collecting publicly available information from various openly available sources.

Many IT professionals, security engineers, and cybercriminals leverage this information-extraction process through tools and techniques. In this process, the security professional or attacker searches through a massive haystack of visible information to create a virtual profile of an individual, organization, system, or even nation.

In OSINT, the target individual or organization does not know that their personal or other related information is publicly obtainable. Gathering intelligence from this open-source information requires specialized skills and tools.

Open-source intelligence gathering can be so powerful that Bellingcat (a well-known online investigation group), along with other media firms, used open-source intelligence (OSINT) techniques and methodology to build a timeline of events.

That timeline covered the incidents in enough detail to expose Russian claims and counterclaims as fiction. Open-source intelligence draws on disparate sources to build 360-degree intelligence.

Such a technique often helps government agencies and private firms make decisions, take adequate actions, or improve competitiveness by analyzing and monitoring this information or data trends.

A popular question is whether OSINT is legal. The answer is that OSINT is legal, and so are its tools and techniques.

Security professionals and hackers collect information already available on the internet or the open web.

Some well-known sources from where the open-source intelligence process collects information are social media, newspapers, blogs, government records, company websites, etc.

They can also collect different data and connect the dots through public dataset sites, academic sites/forums, professional publications, and sometimes leaked cloud storage/databases.

Open-source intelligence tools help in fetching data effortlessly. But such tools & techniques cannot penetrate private cloud storage, social media privacy data, and other confidential user content.

Although OSINT is not illegal, cybercriminals often use it for unlawful purposes. They collect information-based intelligence to perform social engineering on the target person or organization to gain sensitive data or credentials by tricking them.

Types of OSINT: Active and Passive

Open-source intelligence (OSINT) can be of two broad categories. These are:

  1. Active OSINT
  2. Passive OSINT

Let us take a closer look at it.

Passive OSINT:

In this type of OSINT, the professional or hacker gathers information about a target system or individual without directly interacting with the target.

With this technique, the target has no way of knowing that someone is digging for open-source information about their system or themselves.

In other words, in passive OSINT there is no direct communication or interaction between the professional or hacker and the target system or individual during the intelligence-gathering process. Some well-known kinds of information gathered through passive OSINT are:

  • Listing all social media handles
  • Date of birth
  • Year of graduation
  • Email address
  • Current working company
  • Address
  • Phone number

Active OSINT:

In this type of intelligence gathering, the professional or the hacker directly communicates or interacts with the target system.

During this OSINT process, there is a chance that the target might be aware of the intelligence-gathering process.

Active OSINT uses advanced techniques and harvests technical data about the target infrastructure or system. Some well-known kinds of information gathered through active OSINT are:

  • Identifying open ports
  • Vulnerable entry points
  • Details about unpatched systems
  • Scanning web servers & applications

OSINT Techniques and Tactics

Let us look at some of the open-source intelligence techniques & tactics one can opt to gather intelligence from open-source resources and information.

Tools and websites used for OSINT

The use of appropriate tools and websites can enhance enterprise security and help quickly discover information about employees or any individual, the company, sensitive data, and IT assets. Companies often leverage OSINT techniques to uncover such information first and then hide it or permanently remove it, so that employees do not fall victim to phishing attacks.

Such uncovering and removal also helps companies avoid Denial of Service (DoS), Distributed Denial of Service (DDoS), and ransomware attacks. Here is a list of tools and sites that help gather open-source intelligence.

  • Spyse: It is a comprehensive internet asset register and search engine that helps cybersecurity professionals gear up for gathering open-source information. It indexes a large number of internet assets and makes reconnaissance easy. This tool can discover other domains hosted on the same IP address.

  • SpiderFoot: It is another free and powerful tool that makes reconnaissance easy. It leverages multiple data sources to gather and analyze IP addresses, domains, email addresses, ASNs, CIDR ranges, BTC addresses, and other technical details about a target. It offers both a web server (intuitive GUI) and a command-line interface. Its 200 modules make it ideal for red teaming.

  • Internet Archive's Wayback Machine: It is a digital archive of websites that have existed on the world wide web. It keeps older versions of websites and the information within them. To date, it archives:

    1. 625 billion web pages
    2. 790,000 software programs
    3. 14 million concerts and audio recordings
    4. 4 million images
    5. 7 million video clips, including news and broadcast programs
    6. 38 million texts and digital books

  • Intelligence X: It is a website that offers an archival service and works as a search engine for preserving older versions of web pages. It also keeps leaked data as datasets, which often get taken down elsewhere after some time. Although it may sound like the Internet Archive's Wayback Machine, Intelligence X preserves information no matter how controversial the facts might be; it does not discriminate.

  • Recon-ng: It is a powerful tool built on top of Python. Its interface looks similar to that of the Metasploit framework. The tool automates repetitive OSINT activities, such as copying, cutting, pasting, and searching, to reduce intelligence-gathering time, and its design supports efficient searching of publicly available data.

  • Mitaka: This tool is available as a Mozilla Firefox add-on and a Google Chrome extension. It enables intelligence-gathering teams or professionals to extract domain names, URLs, hashes, IP addresses, email addresses, and cryptocurrency wallet addresses, and to look them up across 70+ search engines. Sputnik is an alternative browser extension. Such extensions save time during intelligence gathering.

  • GitHub: GitHub is a popular code hosting and version control platform available in free and premium versions. Companies often upload code, projects, and other company details and instructions there, and individuals upload various projects and data as well, all of which become part of the information-gathering process. Here the hacker tries to find sensitive information that companies and individuals have accidentally committed to public GitHub repositories.

Google Dorking

Google Dorking, also called Google hacking, is an advanced search technique through which hackers can gather information about organizations, websites, servers, and individuals. The intelligence-gathering team or professional uses advanced search queries to reveal valuable information from the surface web, publicly available domains, repositories, or content that is otherwise difficult to discover through ordinary searching.

Google Dorking is thus an essential technique of open-source intelligence (OSINT). Hackers often leverage search operators such as "intext", "filetype", "site", "allintext", and "ext" to fetch specific kinds of results. Google Dorking helps hackers and security professionals identify vulnerabilities or unauthorized data leaks. Cybercriminals exploit what these searches reveal, whereas security professionals and red teams use the same technique during penetration testing.

For example:

  • site:https://domainname/
  • filetype:log
  • intext:usernames
  • allintext:"username" "password"
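The GitHub entry above and the dork operators just listed describe the same exposure from two directions: files and strings that a public search would surface. The defender's counterpart is to scan content before it is published or pushed. The script below is an added example and is not code from the article or from any tool it names; the file tree it scans is constructed for demonstration, and the AWS access key id pattern it uses is the publicly documented format (the sample value is AWS's own documented example id).

```python
"""Pre-publication exposure check: flag files that a Google dork
(filetype:log, intext:"password", allintext:"username" "password") or a
public GitHub repository would expose. Added example, not from the article;
the sample file tree is constructed for demonstration."""
import re
import tempfile
from pathlib import Path

# Patterns worth catching before content becomes public. The AWS access key
# id format is publicly documented; the other patterns are generic heuristics.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "password_assignment": re.compile(r"(?i)(?:password|passwd|pwd)\s*[:=]\s*\S+"),
    "username_password_pair": re.compile(r"(?i)\busername\b.{0,40}\bpassword\b"),
}
# File types commonly hunted with the filetype: / ext: operators.
RISKY_SUFFIXES = {".log", ".sql", ".env", ".bak", ".pem"}


def scan_text(name, text):
    """Return (file, line, label) findings for one file's contents."""
    findings = []
    suffix = Path(name).suffix.lower()
    if suffix in RISKY_SUFFIXES:
        findings.append((name, 0, "risky_filetype:" + suffix))
    for lineno, line in enumerate(text.splitlines(), start=1):
        for label, pattern in SECRET_PATTERNS.items():
            if pattern.search(line):
                findings.append((name, lineno, label))
    return findings


def scan_tree(root):
    """Walk a directory about to be published (or pushed) and scan every file."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            findings.extend(scan_text(rel, path.read_text(errors="replace")))
    return findings


# Constructed sample tree: one clean file and three that would leak.
SAMPLE_FILES = {
    "README.md": "# Demo project\nRun make build.\n",
    "config/settings.py": "DB_HOST = 'db.internal'\nDB_PASSWORD = 'hunter2'\n",
    "logs/app.log": "2024-01-01 login ok username=alice password=wonderland\n",
    "deploy/creds.txt": "aws_key: AKIAIOSFODNN7EXAMPLE\n",  # AWS's documented example id
}


def build_sample_tree():
    """Write the constructed files into a fresh temporary directory."""
    root = Path(tempfile.mkdtemp(prefix="osint_demo_"))
    for rel, content in SAMPLE_FILES.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content)
    return root


def demo():
    """Build the sample tree and return every finding in it."""
    return scan_tree(build_sample_tree())


if __name__ == "__main__":
    for name, lineno, label in demo():
        print(f"{name}:{lineno}: {label}")
```

Run as a pre-commit or pre-deploy hook, a check like this reports the same files a `filetype:log` or `allintext:"username" "password"` query would find once they are indexed, but before they leave the organisation.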

Namechk.com

Namechk is a free domain and username search tool that lets you check whether a username is available. It has served open-source intelligence-gathering teams since 2009.

David Goose and Jeremy Woertink created this web application together. As of June 2019, it can check over 98 distinct social networking sites.

Using this tool, you can gather information about a business and check whether the domain name and username of a business or brand are available on social media sites or other websites.

Shodan

Sentient Hyper-Optimized Data Access Network, abbreviated as SHODAN, is a powerful search engine that can gather information about internet-connected systems and devices.

It is also called the search engine for IoT systems. Some notable features of this app are vulnerability analysis, market research, penetration testing intelligence, hacking information, etc.

It can also show which countries have the most internet-connected devices. Shodan gathers insights and intelligence about all devices and systems directly linked to the internet.

The devices it indexes range from desktops in small and large organizations to industrial control systems, surveillance cameras, nuclear power plant systems, IoT devices in factories, and everything in between.

Banner grabbing plays a significant role in penetration testing. Shodan captures a system's banner directly by connecting to the server's open ports and recording what each service announces about itself.
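To make the banner-grabbing mechanism concrete, here is an added example (not code from the article or from Shodan) that starts a throwaway TCP service in-process, connects to it the way a scanner would, reads what the service volunteers, and then assesses the disclosure from a defender's viewpoint. The banner string, host and port are constructed; the service sends a fixed SSH-style greeting so the script runs offline.

```python
"""Banner grabbing against a local, in-process demo service, plus a check of
what the captured banner discloses. Added example; the banner is constructed."""
import re
import socket
import threading

# Constructed banner in the shape an SSH server sends before any client input.
CONSTRUCTED_BANNER = b"SSH-2.0-OpenSSH_7.4 Debian-10+deb9u7\r\n"


def start_demo_server(banner, host="127.0.0.1"):
    """Listen on a free loopback port and send `banner` to every client."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))  # port 0: let the OS pick a free port
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return  # listener closed by the caller
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def grab_banner(host, port, timeout=2.0, max_bytes=1024):
    """Connect and read what the service announces before we send anything."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        try:
            data = s.recv(max_bytes)
        except socket.timeout:
            data = b""  # silent service: nothing to grab passively
    return data.decode("utf-8", errors="replace").strip()


def assess_banner(banner):
    """Defender's view: does the banner disclose software and version details?"""
    m = re.search(r"SSH-(?P<proto>[\d.]+)-(?P<software>\S+)(?:\s+(?P<comment>.*))?", banner)
    if not m:
        return {"disclosed": False}
    return {
        "disclosed": True,
        "protocol": m["proto"],
        "software": m["software"],      # product and version string
        "comment": m["comment"] or "",  # often the OS package version
    }


def demo():
    """Start the demo service, grab its banner, and return banner and assessment."""
    srv, port = start_demo_server(CONSTRUCTED_BANNER)
    try:
        banner = grab_banner("127.0.0.1", port)
    finally:
        srv.close()
    return banner, assess_banner(banner)


if __name__ == "__main__":
    captured, info = demo()
    print("banner:", captured)
    print("assessment:", info)
```

The same `grab_banner` call run against your own exposed ports tells you exactly what an internet-wide scanner will index; the usual mitigation is to trim version and OS details from service greetings where the protocol allows it and to close ports that have no business being reachable.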

OSINT Automation tools

Gathering information and collecting intelligence from public sources is often time-consuming. Thus, hackers and other IT professionals prefer to use automation tools that can quickly provide insights and intelligence.

  • Maltego: It is a specialized tool that can uncover relationships among individuals, employees, firms, domains, and other digital assets publicly available on the internet. It is popular because it can connect the dots with a massive amount of information and easily plot them in charts and graphs. That makes the entire intelligence-gathering process effortless as it takes raw intelligence and extracts actionable insights. The chart of Maltego can connect up to 10,000 data points.

  • Social Links: It is a software development firm that provides apps to develop AI-driven solutions for extracting, analyzing, and visualizing data from diverse publicly-available sources, such as messengers, social media, websites, blockchains, forums, and even from the Dark Web. With the potency of automation and AI, this tool empowers data security professionals, investigators, and intelligence-gathering teams to work on objectives quickly and more accurately. It also features advanced search queries, filters, and machine-learning techniques to return comprehensive results from 500+ open sources.

  • Creepy: It is a popular geolocation intelligence-gathering tool that provides automated results from various social networking platforms and image-hosting services. It usually renders data on a map, filtered by exact location and date. IT professionals and hackers using this tool can generate and export reports in CSV or KML format for further analysis. It is written in Python and is available for Debian, Microsoft Windows, Backtrack, Ubuntu, and other platforms.

  • Lampyre: It is a paid app available as a PC version or online. It mainly supports OSINT use cases such as cyber threat intelligence, financial analytics, and crime analysis. The tool can automatically map all related intelligence data starting from a single data point. Lampyre combs and filters through massive amounts of information to extract noteworthy details about the given data. It is updated regularly from 100+ data sources to provide cyber threat intelligence and financial insights.
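What Maltego and Lampyre automate is link analysis: start from one data point, apply lookups ("transforms") that return related entities, and keep pivoting until the graph stops growing. The following added example (not code from the article or from either product) implements that loop over constructed lookup tables standing in for WHOIS, DNS and profile sources; none of the domains, addresses or profiles are real records.

```python
"""Link analysis in the style of Maltego: pivot breadth-first from a seed
entity through 'transforms', then answer two analyst questions: how is
entity A connected to entity B, and which findings are corroborated by more
than one source? Added example; the lookup data is constructed."""
from collections import deque

# Constructed stand-ins for public sources. Keys are (entity_type, value);
# values list (relation, related_type, related_value) triples.
CONSTRUCTED_SOURCES = {
    ("domain", "example-corp.test"): [
        ("resolves_to", "ip", "203.0.113.10"),
        ("registrant_email", "email", "admin@example-corp.test"),
    ],
    ("ip", "203.0.113.10"): [
        ("hosts", "domain", "shop.example-corp.test"),
        ("hosts", "domain", "personal-blog.test"),
    ],
    ("email", "admin@example-corp.test"): [
        ("used_on", "profile", "devforum:j.doe"),
    ],
    ("domain", "personal-blog.test"): [
        ("registrant_email", "email", "jdoe@mail.test"),
    ],
    ("profile", "devforum:j.doe"): [
        ("lists_contact", "email", "jdoe@mail.test"),
    ],
}


def transform(entity):
    """One transform: entities related to `entity` according to the sources."""
    return CONSTRUCTED_SOURCES.get(entity, [])


def expand(seed, max_hops=3):
    """Pivot breadth-first from seed. Returns (edges, hop distance per entity)."""
    edges = []
    hops = {seed: 0}
    queue = deque([seed])
    while queue:
        current = queue.popleft()
        if hops[current] >= max_hops:
            continue  # depth limit keeps the graph reviewable
        for relation, etype, value in transform(current):
            neighbour = (etype, value)
            edges.append((current, relation, neighbour))
            if neighbour not in hops:
                hops[neighbour] = hops[current] + 1
                queue.append(neighbour)
    return edges, hops


def shortest_path(edges, start, goal):
    """Chain of entities linking start to goal (undirected), or None."""
    adj = {}
    for a, _, b in edges:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    prev = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == goal:
            path = []
            while node is not None:
                path.append(node)
                node = prev[node]
            return path[::-1]
        for nxt in adj.get(node, ()):
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    return None


def corroborated(edges):
    """Entities reached from two or more distinct entities: higher-confidence links."""
    sources = {}
    for a, _, b in edges:
        sources.setdefault(b, set()).add(a)
    return {b for b, srcs in sources.items() if len(srcs) >= 2}


if __name__ == "__main__":
    seed = ("domain", "example-corp.test")
    edges, hops = expand(seed)
    for a, rel, b in edges:
        print(f"{a} --{rel}--> {b}")
    print("corroborated:", corroborated(edges))
    print("path:", shortest_path(edges, seed, ("email", "jdoe@mail.test")))
```

In the constructed data the personal e-mail address is reached both through a co-hosted domain's registration record and through a developer-forum profile; `corroborated` surfaces exactly that kind of convergence, which is what an analyst treats as a strong link rather than a coincidence. From the defensive side, running the same expansion from your own organisation's seed entities shows which personal and corporate identifiers are publicly linked and should be separated.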

What is Social Engineering?

Social engineering comprises a broad range of malicious actions accomplished by fooling people or psychologically manipulating them into giving away sensitive data or login credentials. In this technique, the cybercriminal tricks the victim into making a human mistake and handing over sensitive data. Cybercriminals use that information to gain illicit access or for monetary benefit. Some well-known examples of social engineering are pretexting, phishing, tailgating, dumpster diving, spear phishing, baiting, vishing, smishing, etc. To target a particular individual through phishing or smishing, the attacker uses open-source intelligence to gather information about the target, such as an email address or phone number. According to Statista's report, Google, Amazon, Facebook, Microsoft, Netflix, Apple, etc., are among the top companies targeted by social engineering attacks like phishing, spear phishing, smishing, and vishing.

Techniques Used in Social Engineering

Social engineering is a highly skilled activity and a category of cyber threat in its own right. Attackers use distinct techniques and technically rich methods to target the weakest link in our security systems: people.

They trick the human workforce into leaking sensitive data or granting access by illicit means. Here is a list of well-known social engineering techniques that regularly make news headlines. These are the most prominent and practical cyber attacks that enterprises and individuals face today.

  • Pretexting: In this social engineering technique, the attacker uses a fake identity to manipulate or trick the victim into revealing sensitive details or login credentials. Often, through pretexting, the attacker masquerades as a legitimate person or organization and asks you, with a sense of urgency, to provide details like an email ID or an OTP.

  • Baiting: As the name suggests, the attacker offers something that looks valuable to the target. When the target clicks or opens it, the malicious code it contains infects the system. Attackers prefer emails, USB drives, malicious websites, adware, etc., to lure the target user. The bait often takes the form of mega offers, discounts, 100% off, limited-time offers, and the like.

  • Phishing: In this attack vector, the attacker sends an email or a social media message containing a link and a message conveying some urgency. The attacker insists or tricks the victim into clicking the link. Once clicked, the link redirects the victim to a phishing page or website (a legitimate-looking fake). Once the victim submits a username, password, or other sensitive data, the website sends the credentials to the attacker's database. Most phishing techniques lure the victim with a sense of urgency or risk.

  • DNS poisoning or cache poisoning: It is another well-known network attack, often paired with social engineering, wherein the attacker poisons the DNS cache with a malicious URL or IP address. In other words, the attacker spoofs the legitimate DNS records with malicious ones. Thus, when the victim enters a particular domain name, DNS redirects that victim to a malicious website, leading them to download malware or other harmful programs. Attacks like DNS spoofing or cache poisoning do not just divert regular traffic to unknown websites; they also leave the system vulnerable to data theft and malware infection.

  • Spear phishing: It is a specialized type of cyberattack wherein the attacker targets a particular individual or organization that can provide the attacker with privileged access. Here the attacker uses sophisticated social engineering techniques to execute phishing and grab sensitive or valuable information. To perform such a sophisticated attack, the attacker must conduct thorough research to design a message that will drive the specific target to respond and perform a particular desired action.

  • Piggybacking or tailgating (physical breach): This attack type involves a physical breach where an authorized person allows (mostly unintentionally) an unauthorized person to access a restricted area. Often the attacker masquerades as a legitimate employee and follows one. As the legitimate person swipes their card and the security door opens, the attacker follows behind and enters the secure zone to perform physical hacking. These scammers often dress like legitimate members of that organization.

  • Smishing and vishing: Phishing is not limited to emails and messengers. Attackers also use SMS (mobile messaging services) and voice calls to deceive or mislead you into handing over sensitive data. Smishing is a portmanteau of SMS and phishing. Scammers purchase untraceable phones without identity, change their IMEI numbers, and buy spoofed numbers to spam SMS messages to all target individuals. The SMS contains a link that redirects anyone who follows it to a phishing page that might look legitimate. Likewise, in vishing (a portmanteau of voice and phishing), the attacker calls the target individual and uses psychological tricks while impersonating a legitimate person. They insist the victim give personal information, sensitive credentials, and financial details. They mainly target login credentials, account numbers, OTPs, PINs, etc.

  • Watering hole: In this attack format, the attacker compromises a legitimate website and injects a malicious link. When an individual clicks such a link on that legitimate website, they unknowingly download malware or launch an infected program on their system. Such compromised sites typically carry a backdoor (Trojan horse) or another malware program that allows the attacker to gain remote access to the infected systems. Watering hole attacks are typically performed by elite hackers and skilled attackers who have discovered zero-day vulnerabilities. They target a particular type of visitor to the compromised website.

  • Honey traps: News headlines often cover romance scams in which scammers trick victims (mostly women) into handing over personal details or private photos and then blackmail them by threatening to release the material publicly. Such scammers use fake dating apps, social media platforms, messengers, etc. Once they identify a vulnerable individual or target, they send flirty and provocative messages and insist the victim start a relationship. Once the target falls into the trap and shares personal or sensitive photos, the scammers use them to blackmail the victim for money or take other undue advantage.

  • Scareware: In this malicious social engineering technique, the attacker tricks the victim into downloading malicious software that looks legitimate. It may also trick the victim into purchasing or updating software that is infected with malware. Scareware often shows security alerts, warnings, and pop-ups with messages such as "Your system has a virus" or "Update your driver with our software, or your system will get compromised."
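The phishing, spear phishing, smishing and vishing entries above share a handful of observable cues: urgency language, a request for credentials or one-time codes, link text that points somewhere other than it claims, and sender or link domains that imitate a trusted one. The triage script below is an added example (not code from the article) that scores messages on those cues. All messages, domains and the `TRUSTED_DOMAINS` allowlist are constructed; a real deployment would load the allowlist from the organisation's own domain inventory.

```python
"""Heuristic triage of inbound messages for social engineering cues: urgency,
credential requests, display-text/URL mismatch, and lookalike domains.
Added example; the messages and domains are constructed."""
import re
from urllib.parse import urlparse

URGENCY = re.compile(
    r"(?i)\b(urgent|immediately|within 24 hours|suspended|verify now|act now|final notice)\b")
CREDENTIAL_ASK = re.compile(
    r"(?i)\b(password|otp|one[- ]time code|pin|cvv|account number)\b")
URL_LIKE = re.compile(r"(?i)^(https?://)?[\w.-]+\.[a-z]{2,}")
# Domains the organisation actually uses (constructed allowlist).
TRUSTED_DOMAINS = {"example-bank.test", "example-corp.test"}


def domain_of(address_or_url):
    """Domain part of an e-mail address or URL, lower-cased ('' if none)."""
    if "@" in address_or_url:
        return address_or_url.rsplit("@", 1)[1].lower()
    return (urlparse(address_or_url).hostname or "").lower()


def display_domain(text):
    """Domain a link's visible text claims, or None if the text isn't URL-like."""
    if not URL_LIKE.match(text):
        return None
    return domain_of(text if "://" in text else "http://" + text)


def lookalike(domain, trusted):
    """Trusted domain that `domain` imitates, or None if it is trusted or unrelated."""
    if any(domain == t or domain.endswith("." + t) for t in trusted):
        return None
    squashed = domain.replace("-", "")
    for t in sorted(trusted):
        if t.split(".")[0].replace("-", "") in squashed:
            return t  # e.g. examplebank-secure.test imitates example-bank.test
    return None


def triage(msg, trusted=TRUSTED_DOMAINS):
    """Return (verdict, reasons) for one message dict."""
    reasons = []
    body = msg.get("body", "")
    if URGENCY.search(body):
        reasons.append("urgency language")
    if CREDENTIAL_ASK.search(body):
        reasons.append("asks for credentials")
    sender_domain = domain_of(msg.get("sender", ""))
    imitated = lookalike(sender_domain, trusted)
    if imitated:
        reasons.append(f"sender domain {sender_domain} imitates {imitated}")
    for display, href in msg.get("links", []):
        href_domain = domain_of(href)
        claimed = display_domain(display)
        if claimed is not None and claimed != href_domain:
            reasons.append(f"link text '{display}' actually points to {href_domain}")
        imitated = lookalike(href_domain, trusted)
        if imitated:
            reasons.append(f"link domain {href_domain} imitates {imitated}")
    if len(reasons) >= 2:
        verdict = "likely phishing"
    elif reasons:
        verdict = "review"
    else:
        verdict = "clean"
    return verdict, reasons


# Constructed messages: an SMS, a spear-phishing e-mail, and a legitimate notice.
CONSTRUCTED_MESSAGES = {
    "smishing": {
        "sender": "+15550000000",
        "body": "Your account is suspended. Verify now with the OTP we sent you: "
                "http://examplebank-secure.test/verify",
        "links": [("examplebank-secure.test/verify", "http://examplebank-secure.test/verify")],
    },
    "phishing_email": {
        "sender": "security@example-bank.test.evil.test",
        "body": "Final notice: please confirm your password at the link below.",
        "links": [("https://example-bank.test/login", "https://login.example-bank.test.evil.test/")],
    },
    "legit": {
        "sender": "it-helpdesk@example-corp.test",
        "body": "Reminder: the quarterly all-hands is on Thursday at 10:00. Agenda attached.",
        "links": [("intranet.example-corp.test", "https://intranet.example-corp.test/agenda")],
    },
}


def demo():
    """Triage every constructed message; returns {name: (verdict, reasons)}."""
    return {name: triage(msg) for name, msg in CONSTRUCTED_MESSAGES.items()}


if __name__ == "__main__":
    for name, (verdict, reasons) in demo().items():
        print(f"{name}: {verdict} {reasons}")
```

A scorer like this is deliberately simple: it is the kind of rule that feeds a mail gateway or an awareness-training dashboard, and the reasons list is what you show the recipient so they learn to spot the cue themselves next time.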

Conclusion

  • The exponential growth of technology in the digital era has made information a critical asset for individuals and organizations.
  • In this information age, billions of users can exchange information over the internet.
  • This article has given a crisp idea of what OSINT is and whether it is legal or unethical.
  • Then we understood the types of open-source intelligence & various techniques, tools, and websites used for OSINT.
  • Next, we came across some well-known tools that automate and ease open-source intelligence gathering.
  • Lastly, we encountered the topic of social engineering and various well-known social engineering techniques.