OSINT (Open Source Intelligence) is the collection and analysis of information from publicly available sources. Today that means mainly Internet sources. Russian-speaking specialists also use the term "Internet intelligence", which means the same thing.
In cybersecurity, OSINT is used in penetration testing, forensics, reverse engineering and social engineering, and information security courses usually include a module on OSINT techniques and tools.
Pentesters use OSINT to make the first stage of an engagement more efficient: reconnaissance, the collection of information about a target system, organization or person. Here OSINT serves to identify which targets are worth attacking, or to discover that nothing needs to be broken into at all because the information is already public.
OSINT is convenient because:
it carries far less risk: passive collection from public sources does not by itself violate anyone's privacy or the law (with the caveat discussed below);
it is cheaper: no extra hardware or expensive software is needed;
the information is easy to reach (just go online) and is usually current.
There are two main methods of collecting information:
1. Passive. You do not reveal yourself or what you are looking for. The search is limited to content on the target's own site, archived or cached copies, and files left unprotected.
2. Active. Used much less often in Internet reconnaissance. You examine the company's IT infrastructure directly and interact with its hosts: probing open ports, scanning for vulnerabilities, and testing web server applications. Such activity is easy to detect. Social engineering also belongs here.
The choice of method depends on the conditions of the engagement and on the data you need. Are you assessing a company's security under a signed NDA and free to go wherever you want? Or have you been asked to gather information about a competitor?
It is important to understand that what you can easily reach is not always legal to touch.
For example, through Shodan (a search engine for Internet-connected devices) it is easy to find the management interfaces of exposed systems, both personal and corporate, in a few clicks. But once you start interacting with such a system, say by trying passwords, this counts as an intrusion attempt: it has become active collection, which requires the owner's permission.
OSINT (Internet Intelligence) skills in Cybersecurity
The main OSINT sources used in information security
Any publicly available information can be dangerous: social networks, photos, profile data, third-party sites, public documentation and so on. Combined with other data, it can give attackers exactly what they are looking for.
Let's look at the main areas that information security specialists examine regularly.
1. File metadata.
Metadata can reveal a document's creation date, user names, printer models, software installed on the author's computer and sometimes geolocation. Knowing the installed programs and their versions lets an attacker pick the most vulnerable ones and choose exploits; user names become candidate logins to personal or corporate systems.
2. Confidential documentation.
Even in the most advanced companies and serious government agencies, a classified document may accidentally end up public. Examples of how to search for such documents can be found in the lectures of Andrei Masalovich. Confidential information may include the password policy as well as the software and services in use.
3. Domain information.
Many tools collect data about a site, including data that ordinary visitors never see. For example:
e-mails,
phones,
faxes,
technologies on which the site is built,
TLS certificates used by a specific domain.
After researching the main domain, look at how the company organizes the rest of its Internet resources. Subdomains often host poorly secured test sites for new technologies, and such sites may still hold important documents left on the server.
4. Server-side web applications and the Internet of Things. Servers, routers, CCTV cameras, webcams, network storage and similar devices get indexed. Some can be opened simply by following a link, and all of them expose technical information: geolocation, open ports, running services, the domain name associated with the device, the Internet provider, web technologies.
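The file metadata point above (item 1) is the one most often automated. The following script is an added example for this article, not code from the original page or from any tool it mentions: it reads the authoring metadata out of Office documents (docProps/core.xml and docProps/app.xml inside the .docx/.xlsx/.pptx zip) and out of a PDF's Info dictionary, then sorts the findings into candidate usernames, leaked internal Windows domain names and software versions. The two sample documents are constructed in memory, with made-up names, dates and version strings, so it runs offline with only the standard library.

```python
"""Extract and triage authoring metadata from Office (docx/xlsx/pptx) and PDF files.

Added example for this article (not the article's own code). Standard library only.
The sample documents are constructed in memory so the script runs offline; the
names, dates and version strings in them are made up.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Namespaces used by docProps/core.xml and docProps/app.xml inside an OOXML package
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}
CORE_FIELDS = {"creator": "dc:creator", "last_modified_by": "cp:lastModifiedBy",
               "created": "dcterms:created", "modified": "dcterms:modified"}
APP_FIELDS = {"application": "ep:Application", "app_version": "ep:AppVersion",
              "company": "ep:Company"}
# PDF Info keys -> our field names (Creator/Producer name software, Author names a person)
PDF_FIELDS = {"Author": "author", "Creator": "creator_app", "Producer": "producer",
              "CreationDate": "created", "ModDate": "modified"}


def _read_fields(xml_bytes: bytes, fields: dict) -> dict:
    root = ET.fromstring(xml_bytes)
    found = {}
    for key, path in fields.items():
        el = root.find(path, NS)
        if el is not None and el.text:
            found[key] = el.text
    return found


def ooxml_metadata(data: bytes) -> dict:
    """Author, last editor, timestamps and producing application of a docx/xlsx/pptx."""
    meta = {}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        if "docProps/core.xml" in names:
            meta.update(_read_fields(z.read("docProps/core.xml"), CORE_FIELDS))
        if "docProps/app.xml" in names:
            meta.update(_read_fields(z.read("docProps/app.xml"), APP_FIELDS))
    return meta


def pdf_metadata(data: bytes) -> dict:
    """Info dictionary entries of a PDF. Handles literal strings '(...)' in an
    uncompressed Info object only; hex strings and object streams are skipped."""
    meta = {}
    for pdf_key, field in PDF_FIELDS.items():
        m = re.search(rb"/" + pdf_key.encode() + rb"\s*\(([^)]*)\)", data)
        if m:
            meta[field] = m.group(1).decode("latin-1")
    return meta


def triage(meta: dict) -> dict:
    """Separate what a pentester wants: candidate usernames, internal AD domains, software versions."""
    people = [meta[k] for k in ("creator", "last_modified_by", "author") if k in meta]
    software = [meta[k] for k in ("application", "app_version", "creator_app", "producer") if k in meta]
    # A DOMAIN\user value leaks the internal Windows domain name as well as the login
    ad_domains = sorted({p.split("\\", 1)[0] for p in people if "\\" in p})
    return {"usernames": people, "ad_domains": ad_domains, "software": software}


def build_sample_docx() -> bytes:
    """Constructed minimal OOXML package containing only the two metadata parts."""
    core = ('<cp:coreProperties xmlns:cp="%s" xmlns:dc="%s" xmlns:dcterms="%s" '
            'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">'
            '<dc:creator>j.smith</dc:creator>'
            '<cp:lastModifiedBy>ACME\\it-admin</cp:lastModifiedBy>'
            '<dcterms:created xsi:type="dcterms:W3CDTF">2021-03-04T09:12:00Z</dcterms:created>'
            '<dcterms:modified xsi:type="dcterms:W3CDTF">2021-03-05T17:45:00Z</dcterms:modified>'
            '</cp:coreProperties>') % (NS["cp"], NS["dc"], NS["dcterms"])
    app = ('<Properties xmlns="%s"><Application>Microsoft Office Word</Application>'
           '<AppVersion>16.0000</AppVersion><Company>ACME Corp</Company></Properties>') % NS["ep"]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("docProps/core.xml", core)
        z.writestr("docProps/app.xml", app)
    return buf.getvalue()


# Constructed PDF fragment: only the Info object matters for this example
SAMPLE_PDF = (b"%PDF-1.4\n1 0 obj\n<< /Author (m.ivanova) /Creator (Microsoft Word 2013)\n"
              b"/Producer (Microsoft: Print To PDF) /CreationDate (D:20200117101530Z) >>\n"
              b"endobj\ntrailer\n<< /Info 1 0 R >>\n%%EOF\n")

if __name__ == "__main__":
    for label, meta in (("docx", ooxml_metadata(build_sample_docx())), ("pdf", pdf_metadata(SAMPLE_PDF))):
        print(label, meta)
        print("  ->", triage(meta))
```

On a real engagement you would feed the same functions the files that a search engine or FOCA-style crawl returns for the target domain; the triage step is where the value is, because a list of fifty documents collapses into a short set of login candidates, one or two internal domain names and the Office build the company runs.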
OSINT training for use in information security
A couple of days is enough to learn OSINT at a basic level and start doing small pieces of research.
To go deeper into particular aspects, the following books are worth reading:
Business Intelligence
Open Source Intelligence Techniques, Michael Bazzell;
Development in OSINT roughly follows these stages:
1. Master basic techniques such as Google dorks (advanced Google search operators). Read the blogs of specialists and specialized companies, for example:
Hrazvedka – the "Razvednet" section has a selection of tools, and the blog also collects videos, articles, books and films on the topic in Russian;
Sector035 – weekly digests of new techniques and tools;
OSINT Curious – besides the blog, they run a webcast where guests discuss the news;
Aware Online;
many practitioners are active on Twitter: i-intelligence, Dutch OSINT Guy, Henk van Ess. This collection lists other people worth following.
2. Start applying the knowledge in practice. Look for interesting ways to use tools and techniques and write small reports about them with visualized results. Share your insights on Twitter with the appropriate hashtags or in the Reddit community.
The tools you need for reconnaissance are available in these collections:
OSINT Framework;
OSINT Essentials;
Toddington;
Technisette.
3. Become as anonymous as possible. OSINT study devotes a lot of time to your own security while searching, so that the company or person cannot tell that you are collecting information about them. Some practices:
creating fake profiles;
using Android emulators (accessing mobile applications through a program on your computer);
VPN;
the Tor browser;
operational rules such as not running reconnaissance at the same time of day; predictable patterns have given away even skilled operators.
How far to take anonymity depends on your goal. You do not need a lot of social media accounts if you are not researching there, or security software just to look up geographic data on a map.
Many materials on this subject can be found in the blogs and books described above. Here is one of them.
4. Learn more advanced tools that require background knowledge:
Kali Linux. Many OSINT tools come preinstalled on it; they are ordinary Linux programs, so they also run on other distributions, but Kali saves the setup work.
Python – some tools require knowing the language's syntax to configure or extend them.
5. Try writing your own automated collection and analysis tools in Python.
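As an example of the kind of tool stage 5 means, and of the certificate and subdomain research described under "Domain information" above, here is an added script that is not from the original article: it takes Certificate Transparency records and derives the hostnames in scope, flags those whose labels suggest test, legacy or infrastructure systems, and lists hosts that appear only on already-expired certificates (often decommissioned, sometimes just forgotten). The input is a constructed list shaped like the JSON that crt.sh returns for a query such as https://crt.sh/?q=%25.example.com&output=json; the field names (name_value, common_name, issuer_name, not_before, not_after) are assumed from that service and the records themselves are made up, so it runs offline with only the standard library.

```python
"""Passive subdomain discovery from Certificate Transparency records.

Added example for this article (not the article's own code). The input is a constructed
list shaped like the JSON that crt.sh returns for a query such as
https://crt.sh/?q=%25.example.com&output=json (field names assumed from that service;
the records themselves are made up). Standard library only, runs offline.
"""
import json
from datetime import datetime, timezone

# Labels that usually mark test, legacy or infrastructure hosts worth a closer look
INTERESTING = ("test", "staging", "dev", "uat", "old", "backup", "beta", "vpn", "jenkins", "git")

# Reference time for the expiry check (fixed so the example is reproducible)
NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)

SAMPLE_CT_RECORDS = json.loads(r'''[
  {"issuer_name": "C=US, O=Example CA, CN=R1", "common_name": "example.com",
   "name_value": "example.com\nwww.example.com",
   "not_before": "2024-01-10T00:00:00", "not_after": "2024-04-09T23:59:59"},
  {"issuer_name": "C=US, O=Example CA, CN=R1", "common_name": "*.example.com",
   "name_value": "*.example.com\nexample.com",
   "not_before": "2023-10-01T00:00:00", "not_after": "2023-12-30T23:59:59"},
  {"issuer_name": "C=US, O=Example CA, CN=R1", "common_name": "staging-api.example.com",
   "name_value": "staging-api.example.com",
   "not_before": "2024-01-01T00:00:00", "not_after": "2024-06-30T23:59:59"},
  {"issuer_name": "C=US, O=Old CA, CN=G2", "common_name": "old-vpn.example.com",
   "name_value": "old-vpn.example.com",
   "not_before": "2017-08-01T00:00:00", "not_after": "2019-08-01T23:59:59"},
  {"issuer_name": "C=US, O=Example CA, CN=R1", "common_name": "example.com.evil-phishing.net",
   "name_value": "example.com.evil-phishing.net\nnotexample.com",
   "not_before": "2024-02-01T00:00:00", "not_after": "2024-12-31T23:59:59"},
  {"issuer_name": "C=US, O=Example CA, CN=R1", "common_name": "jenkins.dev.example.com",
   "name_value": "jenkins.dev.example.com",
   "not_before": "2024-02-01T00:00:00", "not_after": "2024-05-01T23:59:59"}
]''')


def hostnames_in_scope(records: list, domain: str) -> set:
    """Unique hostnames at or under `domain`. Wildcards are reduced to the zone they cover;
    names that merely contain the domain (example.com.evil.net, notexample.com) are dropped."""
    domain = domain.lower()
    hosts = set()
    for rec in records:
        for name in rec.get("name_value", "").split("\n"):  # one SAN per line
            name = name.strip().lower()
            if name.startswith("*."):
                name = name[2:]  # a wildcard tells us about the zone, not a host
            if name == domain or name.endswith("." + domain):
                hosts.add(name)
    return hosts


def flag_interesting(hosts: set) -> dict:
    """Map host -> matching keywords, for hosts whose labels look like test/legacy systems."""
    flagged = {}
    for host in sorted(hosts):
        labels = host.split(".")
        hits = sorted(k for k in INTERESTING if any(k in label for label in labels))
        if hits:
            flagged[host] = hits
    return flagged


def stale_hosts(records: list, domain: str, now: datetime) -> set:
    """Hosts seen only on already-expired certificates: decommissioned, or forgotten and unpatched."""
    live, expired = set(), set()
    for rec in records:
        not_after = datetime.fromisoformat(rec["not_after"]).replace(tzinfo=timezone.utc)
        bucket = live if not_after > now else expired
        bucket.update(hostnames_in_scope([rec], domain))
    return expired - live


if __name__ == "__main__":
    hosts = hostnames_in_scope(SAMPLE_CT_RECORDS, "example.com")
    print("in scope:", sorted(hosts))
    print("interesting:", flag_interesting(hosts))
    print("only on expired certs:", stale_hosts(SAMPLE_CT_RECORDS, "example.com", NOW))
```

Everything here is passive: CT logs are public and querying them never touches the target's infrastructure. The scope filter matters because CT searches are substring matches, so a lookalike domain registered by a third party would otherwise land in your target list; the expired-certificate view is a cheap way to spot the forgotten subdomains the article warns about.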
OSINT tools in Information security
1. Shodan is a search engine for devices connected to the Internet (including IoT devices and web applications). The "Explore" section collects other users' queries and is a good place to start. Advanced search requires registration; paid plans give access to more results and remove the daily query limit. The Shodan manual in Russian (download link).
2. Maltego is software that brings all the collected data together and helps you see relationships and draw conclusions. Results are visualized as a graph linking IP addresses, e-mails, phone numbers, domains and so on into a single picture. There are three versions of the client; for most specialists the free one is enough. Maltego tutorials: in Russian and in English (they differ).
3. Google dorks are Google queries that use special search operators. You have probably heard that to find an exact phrase you put the words in quotation marks, and to exclude a word you prefix it with "-". That is already Google dorking. Here you will find the basic operators, and here a large collection of dorks for finding exposed or vulnerable pages.
4. FOCA is a program that helps find, download, classify and analyze files on a remote web server. It searches a given domain through the Google, Bing and DuckDuckGo search engines and extracts metadata from the documents it finds. The software is free and installs quickly. This material has a short guide to using it.
5. Spyse is a search engine for technical information about websites: vulnerabilities, IP addresses, subdomains and SSL/TLS certificates.
Conclusion
OSINT saves time and money when searching for information, and the tools and techniques you learn will be useful outside your professional work as well.