In this series of posts, Victoria Willis explores how OSINT (Open Source Intelligence) can be applied in the areas of Cyber Threat Intelligence, IT Asset Discovery, Security Assessments and Attack Surface Monitoring. In this first post of the series, the focus is on the relevance of OSINT in the realm of Cyber Threat Intelligence.

Cyber Threat Intelligence

At its core, cyber threat intelligence (CTI) refers to the collection and analysis of data, the results of which are used by security teams to determine what actions are necessary to help prevent, detect and respond to cyber threats. CTI provides security operations with actionable information that has been refined and analyzed, and is key to a proactive cybersecurity posture. 

This slide from “Towards a Mature CTI Practice –ITU Advanced Cyber Security Attacks” by Richard Kerkdijk illustrates the relationship between different forms of CTI and key security elements of an organization.

Leveraging OSINT for CTI

There are many different sources of publicly available information that can be compiled and analyzed for the purpose of generating threat intelligence. The insights gleaned from Open Source Intelligence (OSINT) collection can help organizations identify potential areas of risk.

As an example, some organizations may collect OSINT on their own email addresses. The findings could then potentially be used to generate threat intelligence and identify potential high-ranking targets for phishing attacks. Finding email addresses in pastes, darkweb sites, data breach databases or using tools like IntelligenceX supports threat intelligence operations. After the targets have been identified, the security team can take action for prevention or plan a response (such as when an email suddenly appears in a breach). 

OSINT can also be leveraged against advanced persistent threats (APTs). By correlating collected OSINT with IP addresses, e-mail addresses and other indicators on their Internet-facing systems, security teams can contextualize suspicious activity for deeper investigation and situational awareness. OSINT analysis can also provide security operations with clues to APT attack methods and help them piece together potentially malicious activities. 

While an APT attack may start with infiltration, malicious actors will expand their presence over time and start exfiltrating data. Through OSINT collection and analysis, security teams may better understand events and entities that may be related to an APT attack. For example: Threat intelligence may assist in drawing connections between unauthorized logins to a recent data breach, or suspicious IP addresses appearing in logs with known threat actors.

Investigating Threats With OSINT

Security professionals can also use OSINT for investigations to gain better visibility into threats that may be facing their organization. For example, SpiderFoot can be used to scan multiple OSINT sources for information on a suspicious IP address, phishing emails or other concerning activity. 

SpiderFoot HX enables you to investigate entities through an intuitive graph interface. Querying OSINT data sources requires no knowledge of their API scheme.

An initial scan may provide hundreds of data points related to a target IP address, but it is analysis that provides context and meaning. For example, examining and sorting the data may show that an IP address is considered malicious by numerous sources and further investigation can also reveal other entities that it may be linked to.

Collecting and surveying data from a multitude of sources is essential for investigating threats; it gives security operations a clearer picture of what kind of threats they may be dealing with. 

Value of Automation

OSINT collection, sorting and analysis can easily become an overwhelming task, especially for larger organizations where there may be many thousands of data points to review. With automated OSINT platforms, security staff can streamline many processes which would be incredibly burdensome to perform manually. Time spent on gathering and investigating information on suspicious IP addresses, domains, emails and other publicly available information can be greatly reduced with automation. Additionally, automated tools often give users the ability to perform multiple tasks from the same interface, including visualization. 

Running an automated scan in SpiderFoot HX against a set of targets.

SpiderFoot allows users to collect OSINT from multiple sources, sort the data and investigate the findings from a single platform and can also provide users with continuous monitoring and instant notification — allowing security operations to detect new exposures as they crop up.