The first step in a targeted attack or penetration test is gathering intelligence on that target. While there are several ways to do this covertly, gathering intel usually begins with collecting information from public sources. This is known as open-source intelligence, or OSINT.
There is a wealth of legally collectable OSINT now available, thanks to social media and the prevalence of online activities. It is often all an attacker needs to profile an organization or individual successfully.
Let’s get you up to speed on what open-source intelligence techniques are all about and how you can learn to use OSINT tools to understand your digital footprint better.
What is OSINT?
If you have heard the term but don’t know exactly what it means, here you go: OSINT stands for open-source intelligence, which refers to any information gathered from free public sources about an individual or organization. In practice, this usually means information found on the internet. Still, any publicly available information can fall under open-source intelligence, whether it comes from books or reports in a public library, articles in a newspaper, or statements made during a press release.
OSINT also includes data found in other forms of media. Though we tend to think of it as text-based, data found in images, videos, webinars and public speeches counts as well.
How can OSINT be used?
Gathering publicly available data about a potential victim enables an attacker to understand their characteristics better. Without actually engaging the target, an attacker can use the intelligence gained to plan an attack. Many targeted cyberattacks begin with reconnaissance, and the first stage of digital observation is passively acquiring intel without alerting the target.
Accumulating OSINT for yourself or your business is also an excellent way to understand what information you are giving out to possible attackers. Once you are aware of the kind of information that can be gained about you from general public sources, you can use it to form better defensive strategies in the future.
What is the OSINT Framework?
Getting the required information from a variety of sources is a time-consuming job. Luckily, many tools make gathering intel much quicker and easier. While you may have heard of tools such as Shodan and port scanners like Nmap and Zenmap, the complete range of OSINT tools is vast. Thankfully, security researchers have started to document the tools available in categorised collections such as the OSINT Framework.
Among the many helpful tools for open-source intelligence gathering are user favourites like Recon-ng and Nmap. Nmap allows you to specify a particular IP address or range to determine which hosts are available, what services they offer, the operating systems they run, what firewalls they use, and other such details.
Recon-ng is a web reconnaissance framework written in Python. It can be used to do things like identify the subdomains of a given domain. Its many modules also let you query services such as the Shodan internet search engine, GitHub, Jigsaw, VirusTotal and others once you add the required API keys. These modules are categorised into groups such as Recon, Reporting and Discovery.
Other OSINT tools and resources
Among the most prominent tools for intel gathering are web search engines like Google, Bing and others. There are plenty of search engines, and some may return better results than others for a particular kind of query. The problem is, how can you use these search engines efficiently?
A useful tool that solves this problem and makes web queries more effective is Searx. Searx is a meta-search engine that allows you to anonymously and simultaneously collect results from over 70 search services. Searx is free, and you can even host your own instance for maximum privacy. The best part? Its users cannot be tracked, and cookies are disabled by default.
Many people are working on new tools for OSINT, and a great place to keep up with them is Twitter, though keeping track of things on Twitter can be tough. Fortunately, there’s an OSINT tool for that called Twint.
Twint is a Twitter scraping tool written in Python that makes it easy to gather information from Twitter anonymously, without signing up or using an API key. With Twint, no authentication or API access is required. Simply install the tool and start searching. You can filter searches by user, geolocation and time range, among other criteria.
Another useful tool for collecting valuable information is Metagoofil. This tool uses Google to find public PDF, Word, PowerPoint and Excel files on any given domain. It then extracts the metadata from these documents to produce a report listing important information like usernames, software versions, servers and machine names.
For people involved in cybersecurity, understanding how to collect open-source intelligence is a required skill. Whether you are defending an enterprise network or testing it for weaknesses, the more you know about its digital footprint, the better you will be able to see it from an attacker’s point of view. Armed with this knowledge, you can begin to develop better defensive strategies.
Speak to DS Security Operations Centre for assistance.