What Businesses Need to Know About Open Source Intelligence (OSINT)
This post will cover what OSINT is, why it has grown in popularity, and what businesses need to know about leveraging it as part of their risk monitoring and employee safety strategy.
Every day, 500 million tweets are published around the world. That’s 200 billion posts per year. Add that to the approximately 350 million photos added daily to Facebook, 720,000 hours of new video content added to YouTube every 24 hours, and roughly 500,000 daily Reddit comments, and you start to understand why some say “The Information Age” has become the era of information overload.
While social media platforms have developed and trained algorithms to provide a personalized feed of information tailored to our unique interests, corporate security and safety leaders are left to their own devices trying to make sense of this ever-growing world of unstructured data. Meanwhile, monitoring and analyzing social conversations and content from countless other data sources is now of critical concern as organizations attempt to quickly identify pertinent information that poses a material risk to their business or people.
Welcome to the ever-evolving world of open source intelligence (OSINT).
Nearly everyone who has faced making a critical decision with incomplete information has longed for more or better data. At its foundation, open source intelligence is meant to provide decision-makers with more complete, timely, and actionable data—connecting dots and providing a more accurate picture of what’s happening around them.
In this post, we’ll cover what OSINT is, why it has grown in popularity, and what businesses need to know about leveraging it as part of their risk monitoring and employee safety strategy.
What Is Open Source Intelligence?
Open source intelligence, or OSINT, refers to information derived from sources available to the general public. Here’s how the U.S. Department of State defines it:
“Open source intelligence (OSINT) is intelligence that is produced from publicly available information and is collected, exploited, and disseminated in a timely manner to an appropriate audience for the purpose of addressing a specific intelligence requirement.”
“Open source” is used broadly to refer to public information which can be accessed and used freely without permission or special accommodations. This includes both public sources— popular websites, social platforms, and forums—as well as less discoverable sources of information, such as publicly accessible files and documents, webpages hidden behind a login/paywall, and more.
With 4.93 billion people now using the internet—roughly 63 percent of the world’s population—the volume of information created daily is almost beyond comprehension. Every person generates approximately 1.7MB of new data every second, and researchers estimate that 90 percent of the world’s data was created in the past two years alone. Consider the following:
This wealth of information also represents an invaluable source of insight for governments, intelligence agencies, and private businesses looking for a competitive advantage or to keep tabs on what’s happening in the world around them. While sifting through billions of data sources to find a handful of valuable and relevant pieces of information may sound like looking for a needle in a haystack, OSINT researchers and analysts have developed various tools and methods to help discover and take advantage of the information available to them.
Open source intelligence tools
While it’s easy to think about OSINT as the words or pictures seen on a website or in a social media post, its scope is far greater. Created in 2016, the OSINT Framework provides a helpful overview of the breadth and depth available to researchers and analysts, ranging from usernames, phone numbers, and email addresses to transportation records, public registries, and the global terrorism database.
Some of the available data sources OSINT researchers analyst include:
- IP addresses
- Email addresses
- Telephone numbers
- Social media posts (e.g. Facebook, Twitter, LinkedIn, Instagram, TikTok)
- Metadata (social media content, images, video, etc.)
- Blogs, forums, and message boards (e.g., Reddit, Craigslist, 4Chan)
- Digital and print media
- Academic research and journals
- Public records (courts, law enforcement, etc.)
Consumer search engines (e.g., Google, Bing, Yahoo, etc.) are invaluable tools for OSINT researchers. However, specialty search engines like Shodan are also used to find obscured data from various internet-connected devices (webcams, smart TVs, license plate readers, etc.) to aid cybersecurity investigations and other research. TweetDeck is also a popular OSINT tool used to curate real-time social content based on keyword, content type, or location.
To monitor, search, and make sense of this information, OSINT researchers use both Passive and Active collection techniques.
Passive vs. Active OSINT
Given the sheer volume of information publicly available on the web, there’s no shortage of OSINT available to researchers and analysts. However, there are limits to what researchers can access without taking some proactive steps—whether it be creating an account to access specific social media platforms or being invited to specific moderated communities, such as invite-only groups, messaging services, subreddits, or message boards. Depending on the techniques used to collect the information, it is considered either passive or active OSINT.
Passive OSINT techniques are designed to avoid drawing attention to the person accessing the information. For that reason, passive OSINT is typically anonymous and restricted to information researchers can access without detection or inadvertently making the individual, or their employer, a target for bad actors.
Conversely, active OSINT refers to information proactively sought out—often via sources requiring a login or some other negotiated access that isn’t easily obtained. While active OSINT may still be masked or done anonymously, the information accessed typically requires a more purposeful effort to retrieve it.
Now that we’ve established what OSINT is, it’s also worth exploring how we got here.
History of OSINT
There is some debate about the origins of OSINT, but the concept of monitoring and leveraging publicly available information sources for intelligence purposes dates back to at least the 1930s. At the time, the British government asked the British Broadcast Corporation (BBC) to launch a new service that would capture and analyze print journalism from around the world. Originally referred to as its Digest of Foreign Broadcast, the service eventually became known as BBC Monitoring, which still exists today. According to a report published in the Journal of U.S. Intelligence Studies, by 1943, this organization monitored approximately 1.25 million broadcast words every day, serving as a “modern Tower of Babel” with the stated goal to “listen to the voices of friend and foe alike.”
Image Credit: BBC
It wasn’t until the 1980s that the U.S. military coined the term OSINT, which grew from a desire to deliver more timely, dynamic intelligence to inform decisions on the battlefield. In 1994, the CIA formally acknowledged OSINT as tradecraft by establishing the Intelligence Community Open Source Program (COSPO).
OSINT for Cybersecurity and Physical Threat Detection
While governments and intelligence agencies continue to use OSINT for a variety of purposes, its origins in the private sector can be traced back to the 1980s. Today, OSINT is used by companies of all sizes to both reduce risk and inform decision-making. Examples include:
Monitoring emergencies and developing events
When it comes to emergencies and other potentially disruptive events, a fast and effective response can be the difference between a positive or tragic outcome. Used effectively, OSINT can help security and business continuity leaders identify emergencies as they happen, providing timely information to employees in harm’s way before they are impacted.
Investigating security incidents
Corporate security teams commonly use OSINT when investigating or responding to reported security incidents such as active shooter situations, suspicious activity, bomb threats, and more. Once the situation is reported, security teams may use OSINT to verify critical details such as the location or time an incident occurred or provide the most up-to-date information about rapidly developing events on the ground.
Detecting data breaches and cyber threats
OSINT can help companies quickly detect when sensitive company information is discussed or published on dark web message boards or forums, helping security teams investigate breaches and learn about the vulnerability hackers may have exploited to access the information.
3 Reasons OSINT Alone Falls Short
While open source intelligence is a well-established field with countless applications, the majority of organizations are ill-equipped to navigate the ever-changing field of OSINT on their own. From navigating legal and ethical debates around OSINT data collection to the extensive human and financial resource requirements to effectively monitor online conversations and world events 24/7/365, there are many reasons why organizations might find themselves unsuited to this approach to risk monitoring. Below are some of the ways that OSINT falls short.
Reason #1: OSINT data collection is highly time-consuming
While collecting OSINT data is far simpler now than ever before, making sense of it remains a highly specialized skill set requiring years of training. Unfortunately, due to the volume of data generated every day, OSINT analysts must sift through copious amounts of information from a wide range of sources to piece together a coherent story about what’s actually happening at any given time in a given location. Meanwhile, if the situation is urgent—such as in an emergency or business-critical event—the time required to gather and analyze the information may be longer than the time in which the organization can take meaningful action to alter the outcome, thus calling into question the value of the collection process itself.
Reason #2: OSINT is noisy and difficult to filter
In addition to consuming significant time, the need to constantly monitor, search, and filter voluminous troves of available information to identify relevant insights is tedious for even trained analysts. While AI, machine learning, and other specialized tools help researchers parse information faster, it is challenging for any sized organization to quickly identify all critical, time-sensitive events as they happen. This is particularly true for multi-location businesses tasked with monitoring hundreds of distinct facilities or thousands of remote employees.
Reason #3: Unverified OSINT can’t always be trusted
False positives are another primary concern within the OSINT community. For example, last year, a video of a woman in Singapore rejecting the country’s COVID-19 mask mandate went viral. Shortly after, the woman in question was taken into custody by local police; however, various internet figures took it a step further, identifying her as the CEO of a digital security firm based on publicly available information—reports that turned out to be false. Unfortunately, the misinformation resulted in her company and its employees having to endure both damage to the company’s brands and personal threats before the initial reports were corrected.
4 Things to Look for in a Threat Intelligence Tool
Fortunately, there are several ways organizations can leverage the benefits of OSINT to improve situational awareness and aid decision-making without hiring a dedicated team of analysts to comb through the data. Many are turning to purpose-built threat intelligence solutions that make use of OSINT data while also providing a layer of curation and verification in order to provide businesses a cleaner, more actionable view of what’s happening.
If your organization is considering investing in an intelligence solution, here are four things to look for when evaluating your options.
Whether you have a small security team or a large GSOC, it’s crucial that you know about critical events that pose a risk to your employees or business as quickly as possible. When assessing tools, be sure to ask how intelligence is delivered and how easily it can be operationalized to alert those in harm’s way. Is threat intelligence offered 24/7/365? Can it be integrated with your organization’s mass notification system to streamline response workflows? Activating your emergency response isn’t only about the speed at which information is delivered, it also requires having a mechanism to share it with those impacted.
Depth and breadth of coverage
Make sure any potential provider offers both around-the-clock monitoring as well as comprehensive coverage of a wide range of threat types. What type of incidents are captured? What data sources are used? Does the provider cover all major geographies? Use this information in conjunction with a business continuity checklist to understand if there are any gaps in your preparedness efforts that need to be addressed before moving forward.
Noise-free, accurate information
If the phrase “drinking from a fire hose” came to mind reading about the volume of data created every day, you’re not alone. Trying to monitor and make sense of everything posted on the web—even if you only monitored a fraction of available data sources—is guaranteed to leave your organization overwhelmed with little more insight than had you done nothing at all. How does your provider analyze and filter information? What parameters are used to determine relevance? How does the provider differentiate between unverified and verified sources? Consider requesting a demo to see real-world threat alerts around one of your locations so you can independently assess whether the information provided is adequate.
Location-aware risk assessments
Moving from raw information to actionable intelligence is all about context. In order for organizations to truly understand the impact of threats, they must also understand if, how, and to what extent each threat poses a risk to their people, facilities, and assets. Be sure to ask potential threat intelligence providers how threat data is married with location intelligence? Do they support real-time data syncing with your HRIS? How does the solution account for threats occurring near remote employees or business travelers?
Addressing Information Overload
With an entire world’s worth of information available at our fingertips, learning how to parse and interpret it becomes all the more important. Using OSINT as part of a holistic approach to threat intelligence and monitoring can help your organization reduce risk and keep employees safe during emergencies and other critical events.
Learn more about how AlertMedia’s Global Threat Intelligence helps customers monitor, analyze, and quickly communicate threats to their people in this podcast interview or request a demo to experience it for yourself.