One of the many dangerous tools in cybercriminals’ arsenals is OSINT. In this post, we explain what it is, the danger it poses, and how to guard your company against OSINT.
What is OSINT?
OSINT stands for open-source intelligence. That is, the collection and analysis of data obtained from publicly accessible information channels. Such sources can basically be anything: newspapers and magazines, television and radio, data published by official organizations, scientific research, conference reports, etc.
Nowadays, of course, such intelligence is primarily based on information scraped from the internet. Over the past 10–15 years, online public communication platforms have become especially valuable as OSINT-gathering tools: chats, forums, social networks, and messengers.
The range of people using OSINT is quite diverse: journalists, scientists, civil activists, government and business analysts, as well as intelligence officers themselves. In a nutshell, OSINT is an important and effective tool for collecting data. But perhaps the more significant question is how such information gets put to use.
OSINT and information security
OSINT can be used in planning a targeted attack on your company. After all, for a successful operation, cybercriminals need a huge amount of information about the victim organization.
This is especially true in the case of attackers who rely less on hi-tech tools (costly zero-day exploits, sophisticated malware, etc.) and more on social engineering tricks. For this type of threat actor, OSINT is often the number-one tool.
The most valuable source of open data in preparing an attack on an organization is employees’ activity on social networks. First and foremost, this means LinkedIn. There, it’s usually possible to find the full organizational structure of the company, with all names, positions, work histories, social connections, and lots of other extremely useful information about employees.
You don’t have to look far for examples of just how effective OSINT can be. Remember the infamous Twitter (now X) hack a couple of years back that targeted a whole bunch of people and companies (from Musk, Gates, and Apple to Obama and Biden)? It began with the hackers finding Twitter employees on LinkedIn who had access to Twitter’s internal account management system, and making contact with them. Then it was a simple matter of applying social engineering and good old phishing to dupe them into revealing the credentials needed to hijack the high-profile accounts.
How to protect your company from OSINT
Open-source intelligence is a predominantly passive method of information gathering, so there’s no simple and universal way to counter it. Fortunately, there are measures you can take on several fronts.
Employee training and awareness
As mentioned above, modern-day OSINT is largely based on social networks, and information gathered through OSINT is most effective for social-engineering attacks. Thus, the human factor comes to the fore here.
Therefore, to counteract OSINT and the potential consequences of it, you need to work closely with your employees. Training is key here to increase awareness of potential threats and ways to protect against them.
The focus should be on two aspects: first, on the dangers of posting sensitive information about your company on social networks. Second, employees should learn to be more wary of calls, emails, and text messages that prod them to take some potentially risky action (and to be able to recognize what counts as a “potentially risky action”). It must be clear that even if an email uses real company details, that doesn’t necessarily mean that the sender is a real colleague. The information could have been collected from open sources.
As a rough guide, if a caller, introducing himself as, say, John Smith, tells you that he works in such-and-such a position and asks for a username and password, this is wholly insufficient authentication – even if a John Smith does indeed hold this position in the company.
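The same principle can be applied by a mail gateway or a helpdesk script: a message whose display name matches a real employee but whose sender domain is external, or whose text asks for credentials or an urgent transfer, should be routed to out-of-band verification rather than acted on. The following is an added example, not code from the original post or from Kaspersky; the employee directory, the internal domain `example.com` and the sample messages are constructed for illustration.

```python
import re
from dataclasses import dataclass, field
from email.utils import parseaddr

# Constructed directory: display name (lowercase) -> the only legitimate address.
INTERNAL_DOMAINS = {"example.com"}
EMPLOYEES = {
    "john smith": "john.smith@example.com",
    "jane doe": "jane.doe@example.com",
}

# Phrases that typically accompany a request for a risky action.
RISKY_PATTERNS = [
    r"\b(password|passcode|credentials?)\b",
    r"\b(verify|confirm) your (account|login)\b",
    r"\b(gift cards?|wire transfer|urgent(ly)?)\b",
    r"\bone[- ]time code\b",
]


@dataclass
class Verdict:
    impersonation: bool          # name matches an employee, address does not
    risky_request: bool          # text asks for credentials, money, etc.
    reasons: list = field(default_factory=list)

    @property
    def needs_verification(self) -> bool:
        # Either signal alone is enough to require a call-back on a known number.
        return self.impersonation or self.risky_request


def screen_message(from_header: str, subject: str, body: str) -> Verdict:
    display_name, address = parseaddr(from_header)
    address = address.lower()
    domain = address.rsplit("@", 1)[-1] if "@" in address else ""
    name_key = display_name.strip().lower()
    reasons = []

    # Real company details (a real name, a real job title) prove nothing:
    # only the address at the company's own domain is a usable identity.
    impersonation = False
    if name_key in EMPLOYEES and (domain not in INTERNAL_DOMAINS
                                  or address != EMPLOYEES[name_key]):
        impersonation = True
        reasons.append(
            f"display name '{display_name}' matches an employee but sender is '{address}'"
        )

    text = f"{subject}\n{body}".lower()
    risky = False
    for pattern in RISKY_PATTERNS:
        if re.search(pattern, text):
            risky = True
            reasons.append(f"matched risky-action pattern '{pattern}'")

    return Verdict(impersonation, risky, reasons)


if __name__ == "__main__":
    # Constructed sample: real employee name, free-mail sender, credential request.
    v = screen_message("John Smith <john.smith.hr@freemail.test>",
                       "Quick favour", "Please send me your VPN password, urgent.")
    print(v.needs_verification, v.reasons)
```

A gateway would quarantine or tag such a message; a person receiving the equivalent phone call would hang up and call John Smith back on the number in the internal directory.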
To raise awareness, you can develop and conduct your own in-house training program, or hire expert consultants. Another option is to use an interactive educational platform. For example, the Kaspersky Automated Security Awareness Platform.
It would also be useful to establish an internal cybersecurity communication channel with employees to convey information about live threats effectively.
Over the past decade, the world of cybercrime has become highly compartmentalized. Some actors create malware, others collect data – all of which gets bought on the dark web and used for specific attacks by others.
The fact that information has been collected about your company is a surefire indicator of an impending attack. As such, monitoring activity of this kind will give you advance warning of the threat. For example, if someone puts data about your company up for sale, it’s very likely it’ll be used later to carry out an attack. So, by doing your own counterintelligence, you can take preemptive action: warn employees about what data the attackers have; put security analysts on high alert; and so on.
But such monitoring doesn’t necessarily have to be done in-house: there are ready-made services that you can subscribe to, such as Kaspersky Digital Footprint Intelligence. Note that our service offers far more than just the monitoring of mentions of your company on the dark web. It also tracks attacks on your suppliers and customers, keeps tabs on APT campaigns that may affect your company or industry, provides vulnerability analysis, and much more.
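The core of the in-house variant of this monitoring is a watchlist of company identifiers matched against whatever listing text you can obtain, with severity raised when the listing also talks about credentials or access. The following is an added example, not code from the original post or from Kaspersky Digital Footprint Intelligence; the watchlist (`example.com`, the brand “Example Corp”, the supplier domain `parts-supplier.test`) and the three sample listings are constructed.

```python
import re
from dataclasses import dataclass

EMAIL_RE = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")
# Words that suggest the listing is selling access rather than a bare mention.
CREDENTIAL_RE = re.compile(
    r"\b(credentials?|passwords?|logins?|combo ?list|vpn|rdp|access)\b", re.I
)


@dataclass(frozen=True)
class Watchlist:
    company_domains: frozenset
    brand_names: frozenset
    partner_domains: frozenset = frozenset()   # suppliers and customers


@dataclass(frozen=True)
class Alert:
    listing_id: str
    category: str
    evidence: str
    severity: str


def scan_listing(listing_id: str, text: str, wl: Watchlist) -> list:
    alerts = set()
    creds = bool(CREDENTIAL_RE.search(text))
    base = "high" if creds else "medium"

    # Employee addresses at a watched domain are the strongest signal.
    for m in EMAIL_RE.finditer(text):
        dom = m.group(1).lower()
        if dom in wl.company_domains:
            alerts.add(Alert(listing_id, "employee_email", m.group(0), "high"))
        elif dom in wl.partner_domains:
            alerts.add(Alert(listing_id, "partner_email", m.group(0), "medium"))

    # Remove the addresses so a domain is not counted twice.
    stripped = EMAIL_RE.sub(" ", text).lower()
    for dom in wl.company_domains:
        if dom in stripped:
            alerts.add(Alert(listing_id, "domain_mention", dom, base))
    for dom in wl.partner_domains:
        if dom in stripped:
            alerts.add(Alert(listing_id, "partner_domain_mention", dom,
                             "medium" if creds else "low"))
    for brand in wl.brand_names:
        if re.search(r"\b" + re.escape(brand.lower()) + r"\b", stripped):
            alerts.add(Alert(listing_id, "brand_mention", brand, base))
    return sorted(alerts, key=lambda a: (a.category, a.evidence))


def scan_feed(feed, wl: Watchlist) -> list:
    return [a for lid, text in feed for a in scan_listing(lid, text, wl)]


def triage(alerts) -> dict:
    """Highest severity per listing, so analysts see the worst first."""
    order = {"low": 0, "medium": 1, "high": 2}
    worst = {}
    for a in alerts:
        if order[a.severity] > order.get(worst.get(a.listing_id, "low"), -1) \
                or a.listing_id not in worst:
            worst[a.listing_id] = a.severity
    return worst


# Constructed watchlist and feed (not real listings).
WATCHLIST = Watchlist(frozenset({"example.com"}), frozenset({"example corp"}),
                      frozenset({"parts-supplier.test"}))
SAMPLE_FEED = [
    ("lst-001", "Selling VPN access and 300 employee logins, Example Corp "
                "(example.com). Sample: j.smith@example.com"),
    ("lst-002", "Fresh combo list from gaming sites, 2M lines, no corporate mail"),
    ("lst-003", "Invoice dump from supplier portal, contains accounts@parts-supplier.test"),
]

if __name__ == "__main__":
    found = scan_feed(SAMPLE_FEED, WATCHLIST)
    for a in found:
        print(a)
    print(triage(found))
```

The first listing is the "data about your company up for sale" case from the text and scores high on three independent signals; the third shows the supplier angle, which is exactly why the watchlist carries partner domains as well.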
Segmentation, rights management and Zero Trust
The third front is to mitigate the potential damage from attacks that deploy OSINT and social engineering. The primary goal here should be to limit lateral movement across the corporate network in the event of endpoint compromise.
The first requirement here is proper network segmentation: dividing company resources into separate subnets; defining security policies and settings for each of them; and restricting data transfer among them.
Also, pay attention to user access management. In particular, implement the principle of least privilege; that is, grant users only the access they need to perform their tasks. And review these rights regularly to reflect changes in their roles and responsibilities.
The ideal option would be to adopt the Zero Trust concept, which assumes there’s no secure perimeter, and so, by definition, no device or user is trusted, whether inside or outside the corporate network.
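The three measures above (segmentation, least privilege, Zero Trust) compose into a single access decision: every request is checked for identity and device health regardless of where it originates, then against the role’s minimum grants, then against an explicit allow list of flows between segments, with everything else denied. The following is an added example of such a policy evaluator plus the periodic rights review; it is not code from the original post or from any Kaspersky product, and the subnets, roles, resources and user records are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed segmentation: each subnet is its own security zone.
SEGMENTS = {
    "office":  ip_network("10.10.0.0/16"),
    "servers": ip_network("10.20.0.0/16"),
    "finance": ip_network("10.30.0.0/24"),
}
# Explicit allow list of (source segment, destination segment, service).
# Any flow not listed here is denied, including flows between internal segments.
SEGMENT_FLOWS = {
    ("office", "servers", "https"),
    ("finance", "servers", "https"),
    ("finance", "finance", "smb"),
}
# Least privilege: the minimum resources each role needs.
ROLE_GRANTS = {
    "engineer":   {"git", "ci"},
    "accountant": {"erp", "payroll"},
    "helpdesk":   {"ticketing"},
}
# resource -> (segment it lives in, service used to reach it)
RESOURCES = {
    "git": ("servers", "https"), "ci": ("servers", "https"),
    "erp": ("servers", "https"), "ticketing": ("servers", "https"),
    "payroll": ("finance", "smb"),
}


@dataclass
class Request:
    user: str
    role: str
    source_ip: str
    resource: str
    mfa_passed: bool
    device_compliant: bool


def segment_of(ip: str):
    addr = ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None


def evaluate(req: Request) -> tuple:
    """Default-deny decision; returns (allowed, reason)."""
    # Zero Trust: identity and device are verified on every request,
    # and being on an internal subnet earns no exemption.
    if not req.mfa_passed:
        return False, "mfa required"
    if not req.device_compliant:
        return False, "device not compliant"
    if req.resource not in RESOURCES:
        return False, "unknown resource"
    # Least privilege: the role must explicitly include the resource.
    if req.resource not in ROLE_GRANTS.get(req.role, set()):
        return False, "role not granted this resource"
    # Segmentation: the flow between zones must be explicitly allowed.
    src = segment_of(req.source_ip)
    if src is None:
        return False, "source not in a managed segment"
    dst, service = RESOURCES[req.resource]
    if (src, dst, service) not in SEGMENT_FLOWS:
        return False, f"flow {src}->{dst}/{service} not allowed"
    return True, "allowed"


def review_excess_rights(users: dict) -> dict:
    """Periodic rights review: rights a user holds beyond their current role."""
    return {
        user: sorted(rights - ROLE_GRANTS.get(role, set()))
        for user, (role, rights) in users.items()
        if rights - ROLE_GRANTS.get(role, set())
    }


if __name__ == "__main__":
    print(evaluate(Request("alice", "engineer", "10.10.4.7", "git", True, True)))
    print(evaluate(Request("alice", "engineer", "10.10.4.7", "git", False, True)))
    # Constructed: bob moved from accounting to engineering but kept old rights.
    print(review_excess_rights({"bob": ("engineer", {"git", "ci", "payroll"})}))
```

The review function is the "review these rights regularly" step made concrete: it takes the rights actually assigned and reports whatever exceeds the role’s grant, which is the usual residue of role changes.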
Open-source intelligence can be a powerful tool in criminals’ arsenals. Therefore, you need to be aware of the dangers and take steps to mitigate potential damage. Here’s a summary of my thoughts on how to protect your company from OSINT:
- Be sure to train employees in the basics of information security. To do this, you can use our interactive Kaspersky Automated Security Awareness Platform.
- Establish an internal communications channel to inform employees about information security.
- Try to monitor the collection and sale of your company’s data on the dark web. Our Kaspersky Digital Footprint Intelligence can help with that.
- Take measures in advance to minimize potential damage: manage user rights with maximum possible granularity; use network segmentation. And, ideally, embrace Zero Trust.