- Strategy and planning of IT and security by taking a holistic view
- Intelligence on the cybersecurity landscape and industry trends
- Collaboration with the recognized bodies and regulations
- Enhancing the strategy and planning of the business

Have you ever prepared for a meeting with a new contact by visiting LinkedIn and checking out their profile? If not, it might be beneficial to take a few moments to do this. You may find some common connections. Using public social media sites to identify someone is an example of what we commonly refer to as open-source intelligence (OSINT).
## What is OSINT?

OSINT is essentially looking at publicly available data, be it government records such as Companies House in the United Kingdom or social media posts on Facebook or Twitter. It can consist of checking popular search engines for articles and pictures relating to your target, or even searching historic records like the WayBackMachine or ancestry sites for family connections. OSINT is a powerful tool. Not only does it identify the image a target wishes to present to the world, but it can also reveal a lot about the target’s carefully selected interests, ‘likes’ and publicly posted updates. When reviewed by a skilled analyst, OSINT can also reveal information and habits about us that we might not expect. In many situations, these experts can identify malicious actors and discover relationships, information which can be used to enhance a family’s privacy and security plan.
## How do businesses use OSINT?

Interestingly, many organizations' use of OSINT has been neither formalized nor widely adopted. It often appears that public postings that could be detrimental or harmful to the organization have to reach a wide audience before they are noticed and before action is taken. A prime example of this was the story of a Canadian CP rail conductor who was fired for a second time after the company expressed concerns over social media posts, including "racy" boudoir photos allegedly taken on rail company property. Given the previous behavior of the Canadian CP rail conductor, should the organization have been monitoring her public online activity before it became a very public story? It may have been possible to deal with the situation quietly and professionally, an opportunity that OSINT may have been able to identify before it became national news. An OSINT program is the ultimate proactive measure: identifying those potential situations and suggesting mitigating action before the court of public opinion makes the call for you. In order to establish or gain support for an OSINT program, an organization often needs an illustrative example of how effective an OSINT program can be. What I have found beneficial is to examine the Board's or a senior executive’s digital footprint and what information might be exposed in the process. Sadly, all too often, the information leak or scandalous situation only comes to light post-incident. What would the OSINT program look for? One example is when a staff member has publicly disclosed an upcoming vacation or company event that could be used for targeted phishing.
## Applying OSINT as Counterintelligence

“Counter-intelligence means activities concerned with identifying and counteracting threats to the security of your organization and staff.” The first step of a malicious actor’s playbook is information gathering or reconnaissance, i.e. identification of your target(s) and any valuable information that can be used. The information gathered is ultimately turned into intelligence:
| Information | Intelligence |
|---|---|
| Collected data relating to a specific target, fact, or event. | Reviewing information and being able to answer the ‘so what?’ or ‘what does the information mean?’ |
## Applying OSINT as Cyber Counterintelligence

Consider how much data we share daily. In our personal lives, most mobile numbers are connected to your full name, and your IP address is connected to the sites you access without controls. You also need to remember how your activities can expose the email addresses that you freely give out for contact, your shopping habits through credit card usage and/or your location through fitness apps. These small pieces here and there add up and can eventually be used to identify who you are, including who your connections are. Now, consider an organization and all its individual employees. Those employees often have a LinkedIn account which tells us their roles and responsibilities, the technologies they’ve gained certifications in or the skills they have developed. This information, when used properly, can become valuable intelligence on how the organization runs, who’s responsible for what, and even possibly who could be targeted by a malicious actor looking to exploit the power of an authority figure through social engineering. A sensible balance needs to be found in how much public information about the organization and its structure is presented, and the OSINT program can provide an understanding and context of that information and the risk of it being exploited. In situations where an organization holds highly sensitive information, a DNS entry for “classified-portal.3letteragency.gov” is probably a bad idea. Imagine the benefits of a dedicated team that looks out for information that could save the organization from reputational damage by looking for:
- Counterfeit or stolen property listed online
- Employee conduct, threats and harassment on social media
- Frustrated, angry or threatening customer correspondence
- Damaging reviews of product, services or work environment
- Leaked merger, acquisition & organizational partnership discussions
- Sensitive information publicly disclosed – accidentally or intentionally
- Inaccurate, harmful or out-of-date information
- Presence of fake websites, fake invoices or scams targeting customers, staff or the organization
- Staff disputes, associations or controversial commentary in a public forum
- Credentials from data breaches & compromised accounts belonging to the organization
- Research and validation of the background of prospective employees or board members
- Unsavory relationships, membership or pending court action related to the organization
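The DNS-naming point above and several items in the list (credentials exposed in breach dumps, sensitive information disclosed publicly, staff posting about upcoming vacations that could serve as a phishing pretext) can be turned into a simple self-assessment that an OSINT program runs over the organization's own public footprint. The script below is an added example written for this article, not code from the author or from any tool named on the page. The organization domain `example.org`, the keyword lists, the DNS hostnames, the social posts and the breach-dump lines are all constructed for illustration; the `triage`, `check_dns`, `check_posts` and `check_breach_lines` functions are hypothetical names. Note that the breach check records only the affected account, never the exposed secret, so the finding can be handed to HR or legal without spreading the credential further.

```python
"""Rule-based exposure triage over an organization's own public footprint.

Illustrative example: every rule and every sample record below is constructed
for this article and does not describe any real organization, tool or dataset.
"""
import re
from dataclasses import dataclass

ORG_DOMAIN = "example.org"  # assumption: the organization's primary mail domain

# Constructed sample inputs (what a real run would pull from a zone export,
# a social-media monitoring feed and a breach-notification service).
SAMPLE_DNS = [
    "www.example.org",
    "mail.example.org",
    "classified-portal.example.org",   # reveals purpose, as in the article
    "staging-db-backup.example.org",   # reveals purpose and environment
]
SAMPLE_POSTS = [
    ("j.doe", "Off to Spain for two weeks from Monday, laptop stays home!"),
    ("a.smith", "Great team lunch today."),
    ("r.jones", "Can't believe we're merging with Acme next month, huge news"),
]
SAMPLE_BREACH_LINES = [
    "j.doe@example.org:Summer2023!",
    "someone@other.com:hunter2",
    "admin@example.org:P@ssw0rd",
]

# Hostname labels that describe what a system is for or how sensitive it is.
SENSITIVE_HOST_WORDS = ("classified", "secret", "backup", "staging", "vpn", "admin", "internal")
# Public statements that hand an attacker a pretext for targeted phishing.
VACATION_RE = re.compile(r"\b(vacation|holiday|off to|out of (the )?office|away for)\b", re.I)
# Public statements that leak undisclosed deals or partnerships.
DEAL_RE = re.compile(r"\b(merg(er|ing)|acqui(re|sition)|partnership)\b", re.I)


@dataclass(frozen=True)
class Finding:
    category: str   # which item of the program's watch list this maps to
    severity: str   # "high" | "medium" | "low"
    source: str     # hostname, account or post author the finding concerns
    detail: str     # short explanation; never contains a credential


def check_dns(hostnames):
    """Flag hostnames whose first label advertises a sensitive purpose."""
    findings = []
    for host in hostnames:
        label = host.lower().split(".")[0]
        hits = [w for w in SENSITIVE_HOST_WORDS if w in label]
        if hits:
            findings.append(Finding("sensitive-hostname", "medium", host,
                                    "label reveals purpose: " + ", ".join(hits)))
    return findings


def check_posts(posts):
    """Flag public posts that provide a phishing pretext or leak a deal."""
    findings = []
    for author, text in posts:
        if VACATION_RE.search(text):
            findings.append(Finding("phishing-pretext", "medium", author,
                                    "publicly announced absence; brief the deputy on impersonation risk"))
        if DEAL_RE.search(text):
            findings.append(Finding("leaked-deal", "high", author,
                                    "possible disclosure of merger/acquisition discussions"))
    return findings


def check_breach_lines(lines, org_domain):
    """Report org accounts present in 'account:secret' breach lines.

    Only the account name is kept; the secret itself is discarded immediately.
    """
    findings = []
    suffix = "@" + org_domain.lower()
    for line in lines:
        account, _, _secret = line.partition(":")
        if account.lower().endswith(suffix):
            findings.append(Finding("breached-credential", "high", account,
                                    "appears in a breach dump; force reset and check for reuse"))
    return findings


def triage(dns, posts, breach_lines, org_domain=ORG_DOMAIN):
    """Run all checks and return findings ordered by severity, then category."""
    findings = check_dns(dns) + check_posts(posts) + check_breach_lines(breach_lines, org_domain)
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(findings, key=lambda f: (order[f.severity], f.category))


if __name__ == "__main__":
    for f in triage(SAMPLE_DNS, SAMPLE_POSTS, SAMPLE_BREACH_LINES):
        print(f"[{f.severity:6}] {f.category:20} {f.source}: {f.detail}")
```

On the constructed input the run yields six findings: two org accounts in the breach lines, one deal leak, one vacation post and two revealing hostnames, with the high-severity items listed first. The output is intelligence and a recommendation only; as the article goes on to say, who acts on it is a separate, sanctioned decision.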
## Outcomes from OSINT program intelligence

From experience, it is all too easy to leave roles and responsibilities implied and assume that all parties know their role. (Hint: it rarely aligns with each party’s assumption.) Therefore, to be explicitly clear, the OSINT program's role is to gather intelligence and create tailored guidance, and it will not act upon this intelligence unless approved. At times, areas of the OSINT program and its ways of monitoring and identification may come into conflict with the rights of staff and customers to speak and associate freely. Therefore, there is still a need for an ethics board: any actions taken must be decided by senior leaders who are working under an HR- and possibly legal counsel-sanctioned investigation. Perhaps the guiding principle of the OSINT program should be the aphorism known as “Hanlon's razor”: “Never attribute to malice that which is adequately explained by stupidity.” The OSINT program will build intelligence and give recommendations on resilience, prevention, detection and response. Following this, the senior staff either directly take action or advise on actions to be taken, both in response and for future prevention, keeping in mind measures such as more robust acceptable use policies, training, active monitoring and controls.
About the Co-Author: