Rethinking Open-Source Intelligence for Security in Commercial Settings


As the global security and intelligence landscape continues evolving, open-source intelligence (OSINT) has gained clear traction as a valuable tool for governments, militaries and law enforcement agencies. Thanks to OSINT, investigators and analysts can now automate, in just a few minutes, processes that would typically take hours, days, or even months to complete manually.

From investigating crimes in local jurisdictions, to strategic initiatives implemented by global military forces, the tradecraft of OSINT is here to stay. Near the beginning of the year, I find myself reflecting on the current landscape of the OSINT community and its trajectory, specifically within commercial settings.

There’s a shift happening in the private sector where OSINT is being adopted to address corporate risk, fraud, human resources needs, insider threats and more.

While these issues have historically been handled by non-cyber and non-intelligence teams, organizations are beginning to assign these tasks to groups that leverage traditional threat intelligence capabilities, such as security operations and network security.

Lessons from Traditional Applications of OSINT for the Private Sector

OSINT has a proven track record of robust applications in the public sector, such as addressing challenging criminal cases ranging from human trafficking networks to national security concerns. The effectiveness of OSINT is particularly evident in modern warfare, as observed in the ongoing conflict between Russia and Ukraine.

As a society, we are witnessing the next generation of soldiers, who grew up with social media and have a heavy presence on platforms like Telegram, rising through militaries. This is contributing to a trend where individual members of modern militaries publish more online, in some cases unintentionally divulging sensitive information, like troop movements, locations, or general insights into what their nation-states are doing.

This isn’t just true for individuals headed into the military, who may be more self-aware about their online identity than the average person. We are collectively creating more publicly available information (PAI) online today than ever before. Because of this, in the next few years I expect to see a transition toward integrating OSINT capabilities into network security within the private sector.

Unleashing OSINT’s Potential in Business

As data privacy concerns loom, CISOs are proactively adopting technologies traditionally associated with risk and privacy to stay prepared. This shift is aimed at positioning organizations to respond effectively to breaches, understand the implications of data exposure and promptly meet regulatory requirements, like the General Data Protection Regulation (GDPR) or California Consumer Privacy Act (CCPA).

Understandably, data privacy and legal firms are concerned with knowing the next steps in the event of a breach. The same technologies and methodologies that apply to network security are relevant to OSINT.

Whether investigating fraud or insider threats, examining executive impersonation, or conducting background checks for HR purposes, the CISO will want insights from the network security, or maybe physical security, team to better mitigate risk.

If massive fraud is being conducted, they want to know what the network security team can do better to prevent that. Is there something that these fraudsters all share, such as technology or methodology, and are they sharing that information online? That type of OSINT is invaluable.

Traditional “bad guys” love to talk online and brag about what they're doing and how they're doing it. By leveraging OSINT as another source of information that's different from commercially available cyber threat intelligence, organizations can know what these criminals are saying online in the form of publicly available information and better respond to potential or active threats.

A recent example that highlights the value of OSINT is the Keeping Children Safe in Education (KCSIE) statutory guidance, which recommends that all teachers have a background check of PAI associated with them before they work as teachers in primary and secondary schools in the UK. This information helps schools do their job better and be safer.

We Must Overcome Hesitations in the Private Sector

Over the course of my 30-year career in network security, including nearly 20 years in commercial security operations, I’ve witnessed the unprecedented growth of threat intelligence as a security tool for both offense and defense, and now, OSINT is joining the ranks. Most importantly, I’ve seen how these capabilities are not just for law enforcement and government. There are commercial and legal applications for PAI.

Despite the benefits of OSINT, some commercial industries remain hesitant, citing privacy and ethical concerns. I want to emphasize that there are absolutely companies misusing OSINT, but this reluctance shouldn’t hinder its adoption. Rather, it should prompt organizations to thoroughly evaluate existing toolsets and information sources to determine what they do and do not want out of these solutions. The ethical use of OSINT is crucial, and organizations should be discerning in selecting technologies that align with their values.

This is not so different from conversations around applications of artificial intelligence (AI), which many companies are understandably hesitant to leverage. They don’t want a black box that could be profiling people or groups in a way that's not ethical. If that’s the case, they should stay away from AI and avoid solutions that could enable unethical use of PAI or OSINT. Make sure you're using it for the right reasons and that you know where you're getting this data from and why.

The commercial sector, particularly network security professionals, can leverage OSINT to better protect themselves from a variety of threats, both within and outside of their organizations. And while incident responders might not think that spending their day digging through public social media profiles for the people who are hacking their organization is applicable, I think elements of OSINT tradecraft will increasingly become part of that job description.

My recommendation is for these professionals to consider how OSINT capabilities can enhance their day-to-day jobs.
