Open Source Intelligence (OSINT) is attracting a great deal of interest among cybersecurity managers. What are the contours and contributions of this specific field of investigation? How do OSINT experts operate, and how important is their work in the cyber defense architecture? This article takes a detailed look at the strengths of OSINT and the vast scope of its applications.
Defining a key field of investigation
Behind the acronym OSINT lies a vast expanse of data with one essential thing in common: it's all publicly accessible. OSINT, or Open Source Intelligence, refers to the ability and intention to closely observe and analyze this data to derive predictions or a better understanding of a given phenomenon. The strategic interest of analyzing public data in the cyber context is relatively easy to understand, but OSINT has applications far beyond computer attacks alone.
Open Source Intelligence" translates as "renseignement de sources ouvertes" or "renseignement d'origine source ouverte" (ROSO). It refers to information that is accessible to all and unclassified. The notion of "intelligence" is essential here. To get a concrete idea of OSINT-type activities, imagine an intelligence cell, similar to the secret services, but working with data that is neither hidden nor confidential.
Applications and significance of OSINT
OSINT is often put to good use in the fight against terrorism, cyber-threats, fraudulent financial practices, and a whole myriad of illegal activities. This cell of activity is therefore just as valuable for governments as it is for businesses.
What information does OSINT contain?
Open Source Intelligence (OSINT) is intrinsically linked to our digital age. Thanks to the overabundance of exchanges and data on the Internet, OSINT finds its place in this ocean of publicly accessible information. This field refers not only to analysis and research work, but also to the vast volume of data available.
The three facets of OSINT data
Open Source Intelligence (OSINT) is intrinsically linked to our digital age. With the overabundance of exchanges and data on the Internet, OSINT finds its raison d'être in this ocean of publicly accessible information. This discipline encompasses not only analysis and research work, but also the vast volume of data available.
To be considered OSINT, information must :
- Be obtained from a freely accessible source.
- Be legally acquired.
- Be available free of charge.
Whatever the origin of the data (paper, social networks, Internet), it can be exploited by OSINT.
Specific public information
OSINT doesn't look at just any public information. It focuses on :
- Deliberately open.
- Distributed to a select audience.
- Designed to answer a specific question.
Sometimes, non-public information is sorted to make it OSINT-ready. When information requires a high degree of confidentiality, it is referred to as OSINT-V or Validated OSINT.
History and development of OSINT
OSINT has its origins in the Second World War, when security agencies exploited open source information to better understand their enemies. The term "OSINT" was formalized by the US military services in the late 1980s to analyze battlefields with an increased volume of publicly available data. In 1992, the Intelligence Reorganization Act emphasized the importance of using objective, unbiased intelligence.
What about today?
The bursting of the Internet bubble multiplied the uses of OSINT, placing it at the heart of defense strategies - military, economic and cyber. More recently, the Russian-Ukrainian conflict that began in 2022 has reaffirmed the importance of OSINT. The threat of large-scale cyber attacks has repositioned OSINT at the heart of cyber defense strategies.
Who practices OSINT?
Open Source Intelligence (OSINT) is mainly practiced by specialists known as OSINTERs, or OSINT investigators, also known as open source analysts. Ethical hackers, on the other hand, also use OSINT techniques to analyze systems and detect vulnerabilities. They must meticulously examine all publicly available information to ensure a comprehensive security assessment, making them experts in OSINT analysis.
OSINT investigator skills in the cyber field
For OSINT to be effective in cybersecurity, it must be practiced by technical experts with :
- Proficiency in computer development and tools such as Python, NodeJS, TypeScript or Docker.
- Pentester skills, with a thorough knowledge of penetration testing techniques.
- In-depth analysis of raw data.
- The ability to design, develop and maintain scripts to refine the investigation.
- Familiarity with threat intelligence tools, TIP management, MITRE ATT&CK repositories and Kill Chain.
The OSINTER must also be a good project manager, organized and methodical.
What OSINT tools are available for cybersecurity?
OSINT tools cover a wide range of public sources, including :
- Blogs and discussion forums
- Search engines
- Social networking
- Video and photo sharing platforms
- General press and trade publications
These sources are essential for OSINT investigators, and around 80 to 90 % of the information processed by intelligence professionals comes from open sources.
OSINT Framework
One of the most important concepts is the OSINT framework. This is an open-source research assistance tool, classifying sources into 32 different categories, including social networks, the dark web, public records, images, videos and more. Specific tools, both free and fee-based, are available for each category, to help you locate the information you need for your investigations.
The challenges of OSINT investigation
Collecting freely available information is no easy task. The success of an OSINT survey depends on the choices made upstream, because not all research can be carried out in the same way. Here are a few points to bear in mind before embarking on the world of open sources.
Differentiating between active and passive OSINT
Open-source investigation varies according to the type of contact with the target, implying different levels of risk.
Active OSINT collection
When the OSINT investigator contacts the target directly to collect data in real time or verify its accuracy, this is known as active OSINT. This method is used to analyze a network or scan a website linked to a specific target.
The main disadvantage of this strategy is that the investigator can be spotted. If the target detects the investigation, it can :
- Cut off external access to network or site information.
- Attempt to identify investigators and take retaliatory action, especially if the target is involved in fraudulent activities.
In such cases, the OSINT survey's objectives of completeness and accuracy may be compromised.
Passive OSINT collection
Conversely, passive OSINT presents little risk. Investigators focus on historical data or information from third-party sources, disconnected from the target. The risk here is that the data retrieved lacks currency and relevance. However, discretion remains the priority for analysts.
Historical data can be very useful, especially when no real-time information is available. For example, if a website is taken down by a malicious party, historical data becomes invaluable. Although obsolete data can lead to erroneous conclusions, repeating the investigation with different specialists can reduce this margin of error.
