Saboteur or saviour? Understanding the risks and rewards of OSINT

Do you know how much potentially hazardous information about your enterprise is out there and available for harvesting by anyone with malicious intent towards your business? In isolation, snippets of information might appear innocuous, but pieced together they can build an intelligence picture that leaves you vulnerable to successful cyber-attack.

An attack always starts with reconnaissance and the richer the intelligence pickings, the greater the assailant’s chance of success. Open Source Intelligence (OSINT), the data up for grabs from publicly available sources, can give any would-be attacker what amounts to an invasion blueprint.

Cyber-criminals are past masters at aggregating clues trawled from every web page, social media post, photo, and job advert that relates to the target business.

But this is not a one-way street. You too can use OSINT to control exposure and reduce your risk, employing the techniques and tools of the saboteur to identify cybersecurity threats and turn OSINT into an ally.

Take back control

It is impossible to sanitize all the information out there about your organization. For a start, there will be much of it you don’t own. But there are steps you can take to protect yourself.

Metadata and other hidden information

Metadata can be a rich source of sensitive information. More and more apps rely on this ‘hidden’ data about files which enables them to locate other resources. Metadata can include details about the application used to create it, author, usernames, times, and dates.

Technical controls should be used to remove sensitive metadata from files before publishing outside your organization. Ensure redacted information cannot be recovered from files. Be careful to remove hidden sheets, links to external data sources and macros from spreadsheets.

Social networks

LinkedIn, Facebook, Twitter, Instagram and all rely on information sharing and therefore provide some of the best platforms for OSINT. Using powerful search tools, such as Facebook’s Graph Search, users can quickly identify individuals, personal information, favorite locations, interests, and much more. LinkedIn profiles and relationships provide a wealth of information for creating convincing spoof emails purporting to be from legitimate business contacts.

Again, it’s a jigsaw. Seemingly useless scraps of information may be valuable – and dangerous – in combination.

Having a social media strategy will help ensure members of staff don’t unwittingly give away the keys to the mint. Combine this with robust monitoring of social media and a data classification scheme to retain control of sensitive information.

Internet of Things

Internet-connected devices can give would-be attackers a back door into your enterprise. Shodan, a search engine for hardware, crawls the Internet looking for vulnerable systems and hardware that might offer a way in. These can include cameras, routers, servers, and even security devices themselves.

It’s crucial to ensure IoT devices are running the latest versions of firmware, are only publicly accessible where absolutely needed, and have security mechanisms, such as strong authentication.

Training employees in how OSINT can be used to target an attack on your organization can help reduce your vulnerability because once users understand their footprint they should be able to minimize it.

Turn OSINT to your advantage

An essential tool in your cybersecurity armory is proactive monitoring of your estate for threat intelligence: OSINT is rapidly becoming a tool of the defender as well as the attacker.

Good threat intelligence enables attacks to be thwarted before they have begun, and it also gives organizations an early heads-up about exposure to risk.

As a bonus, the OSINT monitoring tools you can use to protect yourself can also be employed to enhance your business. Organizations trawl OSINT not just for threat intelligence, but also for trading insight, trending information, brand awareness, marketing insights, and more.

Tools such as Hootsuite, Social Mention, and Echosec, enable regular audits for sensitive information, but they also provide insight for marketing campaigns and customer satisfaction. Search terms can be tweaked according to the task, which can make a compelling business case for investing in monitoring tools.

Other fully outsourced commercial solutions exist that can provide full time analysis of your OSINT profile.

A threat to be reckoned with

Don’t underestimate the OSINT risks posed to your business by poor cybersecurity practice and careless online chatter.

Staff must be schooled in the mantra ‘what goes online stays online’ and, more importantly, they need to believe it. The Wayback Machine archives web pages across time – more than 450 billion at last count – meaning nothing can be entirely deleted. Put it on the internet and the genie is out of the bottle forever.

So, organizations must remain vigilant, impose strict data controls, adopt an effective social media policy– and never stop hammering home the message that whilst loose lips may no longer sink ships…. loose tweets almost certainly can sink fleets.

Frst published in InfoSec Magazine