The Value of Open Source Intelligence

Answered in This Post

  • What is Open Source Intelligence?
  • How Does Open Source Intelligence Work?
  • What are the Benefits and Challenges of Open Source Intelligence?
  • What are the Most Impactful Use Cases for OSINT?
  • How Does ZeroFox Leverage Open Source Intelligence?

Business leaders rely on timely and accurate open source intelligence (OSINT) to support strategic decision-making across a number of use cases. In this week’s blog post, we’re emphasizing the value of open source intelligence and how enterprises can use OSINT to manage risk and secure both physical and digital assets.

What is Open Source Intelligence?

Open source intelligence is intelligence produced from publicly available data or information, and collected, analyzed, and distributed in a timely manner to an appropriate audience for the purpose of addressing a specific intelligence requirement.

Intelligence sources may be categorized as “overt” (publicly available) or “covert” (not publicly available). Open source intelligence deals exclusively with public data sources that are widely available, free, and legal to access. 

These include the world wide web (“the web”), social media (Facebook, Twitter, Instagram, LinkedIn, etc.), traditional media outlets (newspapers, magazines, television, and radio), public government data, academic and professional publications, commercial data, and technical literature.

The ZeroFox Threat Intelligence Collection Framework
Source: zerofox.com/threat-intelligence

The Best Sources of OSINT? Social Media and the Web

In today’s digital world, the Internet and social media are considered the best Open Source Intelligence sources for five major reasons:

  1. Ease of Access – Both the web and social media platforms may be accessed and monitored by intelligence experts from anywhere in the world.
  2. Quantity of Data – Both the web and social media platforms already host massive amounts of publicly available data that may be useful for intelligence operatives.
  3. Frequency/Timeliness of Updates – Both the web and social media platforms have billions of users who are constantly exchanging information and publishing new content – and it’s all publicly available for intelligence operatives.
  4. Searchability – Intelligence and security operatives can use software technology to search and filter for specific types of data on the web and on social media platforms.
  5. Automation – Intelligence and security operatives can use software and AI automation technologies to monitor the web and social media platforms at scale.

How Does Open Source Intelligence Work?

Now that we know about the most important data sources for OSINT, we can explain how open source intelligence is developed using the threat intelligence cycle.

The Open Source Intelligence Cycle

The development of intelligence from public data sources follows the open source intelligence cycle, which may be summarized as follows:

  1. Planning and Direction – Establishing specific intelligence requirements.
  2. Data Collection – Collecting data and information from publicly available sources.
  3. Data Processing – Validating and correlating data to confirm its relevance and usefulness.
  4. Data Analysis and Production – Transforming the data into accurate, complete, and relevant intelligence that addresses the identified intelligence requirements.
  5. Intelligence Distribution – Distributing the intelligence to the right audience at the right time to support strategic decision-making.
  6. Evaluation and Feedback – Collecting feedback on the effectiveness and impact of the OSINT cycle to facilitate continuous improvement.

The Threat Intelligence Cycle
Source: https://www.zerofox.com/blog/cyber-threat-intelligence-cycle/

There are two important takeaways here:

  1. Intelligence must have a purpose. Successful intelligence initiatives begin with a clearly-defined goal, purpose, requirement, or intended use case that guides the data collection process and creates a definition for success. 
  2. Intelligence is not collected, it is developed. Intelligence operatives collect data, which functions as an input in the open source intelligence cycle. Through the processes of data validation, correlation, analysis, and production, intelligence operatives transform the raw data into finished intelligence that satisfies their initial requirements.

It’s also important to remember that open source data can be combined with data from covert sources to help satisfy intelligence requirements – it isn’t a choice between one or the other. 

5 High-Impact Use Cases that Show the Value of Open Source Intelligence

To demonstrate the value of open source intelligence, we identify five high-impact use cases where enterprises can leverage publicly-available data to manage risk, address vulnerabilities, and secure people, data, and physical assets.

For each use case, we provide a brief overview and explain how OSINT can help.

Identifying and Detecting Cyber Threats

Overview

Digital crime is on the rise, and identifying cyber threats has become one of the most important applications of open source intelligence for enterprise security teams. Cyber threat intelligence helps security teams identify cyber adversaries who may wish to target their organizations and understand their behaviors, motivations, and tactics, techniques, and procedures (TTPs) to better prevent and mitigate cyber attacks.

Role of OSINT

Intelligence and security operatives rely on publicly available information sources for timely and accessible cyber threat data. Historical threat data is abundantly available on the web, including in knowledge bases like MITRE ATT&CK. Security teams can also access public threat data repositories and threat intelligence feeds that are continuously updated with new reports from the community. 

Security teams can even identify and detect cyber threats in real-time by using software technology and automation to monitor the public attack surface at scale.

Ethical Hacking and Penetration Testing

Overview

In addition to identifying and detecting external threats, enterprise SecOps teams are also concerned with identifying and detecting security weaknesses or deficiencies in their own networks that might leave them vulnerable to a cyber attack. 

Through activities like ethical hacking and penetration testing, security teams search for these vulnerabilities so they can be corrected before cyber adversaries have a chance to exploit them.

Role of OSINT

Public information sources provide valuable data that supports ethical hacking and penetration testing activities. Enterprise security teams can use the publicly available National Vulnerability Database (NVD) to identify possible vulnerabilities in their networks. New software vulnerabilities may be reported online by developers, posted on social media by well-meaning community members, or even posted on hacker forums where cyber criminals share information about vulnerabilities and exploits. 

By monitoring these public channels, security teams can gather information on emerging vulnerabilities that have the potential to impact their security posture.

Managing Third Party Cyber Risks

Overview

Third party cyber risk management focuses on identifying, detecting, and mitigating digital risk from external parties in your organization’s supply chain that may have access to privileged enterprise systems and data. 

This includes identifying cyber adversaries and detecting threats that may be targeting third-party organizations in your supply chain, and discovering vulnerabilities in third-party networks that could impact your organization’s security posture.

Role of OSINT

Enterprise security teams that leverage open source data for cyber threat intelligence, ethical hacking, and penetration testing can use the same information sources to identify cyber threats and detect vulnerabilities that could be impacting their vendor partners.

Detecting Leaked or Exposed Assets

Overview

The newest Cost of a Data Breach report from IBM found that in 2021, it took enterprise organizations an average of 287 days to identify and contain a data breach. Security teams can accelerate the detection and resolution of data breaches by leveraging open source intelligence techniques to proactively detect data leakage, exposed credentials, and other potential indicators of a security breach.

Role of OSINT

Leaked data or stolen credentials from enterprise targets are frequently posted in publicly accessible locations. They may appear on paste sites or in illicit hacker forums hosted on the deep and dark web. Security teams can monitor these public data sources for evidence of enterprise data leakage or exposed credentials. 

Free online tools like Have I Been Pwned can also be used to check whether any corporate email accounts or mobile phones have been compromised in a data breach.
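An added example (not ZeroFox code, and not code from the original post) of the processing step of the cycle for this use case: it scans a constructed paste-site sample for credentials belonging to a monitored corporate domain, then checks an exposed password against a Have I Been Pwned Pwned Passwords range response using only the SHA-1 prefix, which is the k-anonymity scheme that service uses. The sample dump, the range response and the domain example-corp.com are all constructed so the block runs offline; a live lookup would fetch the range from the Pwned Passwords API over HTTPS instead.

```python
import hashlib
import re

# Constructed sample of a paste-site dump of the kind a security team might
# collect while monitoring for leaked enterprise credentials (not real data).
SAMPLE_PASTE = """\
combo list 2021 -- do not share
alice@example-corp.com:Summer2021!
bob@example-corp.com:password
carol@other-company.org:hunter2
dave@example-corp.com
"""
# Constructed stand-in for the body of a Pwned Passwords range query; the
# real service returns one "HASH_SUFFIX:COUNT" line per hash in the range.
SAMPLE_RANGE_RESPONSE = """\
1D72CD07550416C216D8AD296BF5C0AE8E0:10
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
"""
MONITORED_DOMAINS = {"example-corp.com"}  # the enterprise's own domains
CRED_LINE = re.compile(
    r"^(?P<email>[\w.+-]+@(?P<domain>[\w.-]+))(?::(?P<password>\S+))?$")

def extract_findings(text, domains):
    """Processing step of the cycle: keep only lines naming a monitored
    domain, and pre-hash any exposed password so the cleartext never has
    to leave the analyst's host. Returns (email, sha1_prefix, sha1_suffix),
    with prefix/suffix None when the line carried no password."""
    findings = []
    for line in text.splitlines():
        m = CRED_LINE.match(line.strip())
        if not m or m.group("domain").lower() not in domains:
            continue
        pw = m.group("password")
        if pw is None:
            findings.append((m.group("email"), None, None))
            continue
        digest = hashlib.sha1(pw.encode()).hexdigest().upper()
        # Only the 5-char prefix is sent to HIBP (k-anonymity); the
        # 35-char suffix is matched locally against the response.
        findings.append((m.group("email"), digest[:5], digest[5:]))
    return findings

def count_in_range_response(suffix, response_text):
    """Parse a range response and return how often the password appeared
    in known breaches (0 if its suffix is absent)."""
    for line in response_text.splitlines():
        s, _, count = line.strip().partition(":")
        if s == suffix:
            return int(count)
    return 0
```

Findings for monitored domains become the input to the analysis and distribution steps (for example, forcing a reset on the affected accounts), while lines for other organizations are dropped at processing time.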

Securing Events and Physical Locations

Overview

Physical security intelligence is a longstanding application for OSINT, especially when working to predict and counteract threats against VIPs at public events.

Physical security measures play an important role here, but open source intelligence gathering is essential for maximizing situational awareness and anticipating threats.

Role of OSINT

Security teams can monitor publicly available news sources and social media for indicators of geopolitical unrest that might threaten the physical security of assets, people and data in remote locations.

Threat actors are increasingly using social media and the web to make threats and coordinate attacks against physical locations around the world. Security teams can monitor the public attack surface to identify and detect threats against specific events and locations, and enact timely countermeasures to mitigate their impact.

ZeroFox Leverages OSINT to Deliver Actionable Threat Intelligence

ZeroFox leverages a combination of open source intelligence, covert intelligence sources, and human intelligence (HUMINT) to equip our customers with accurate, relevant, and complete threat intelligence.

The ZeroFox Platform monitors the public attack surface, providing extreme visibility and leveraging AI-driven correlation and analysis to detect text, image, and video-based threat indicators at scale.

Then, our global team of expert human threat analysts work to validate those indicators and deliver actionable intelligence on threats targeting your organization, supply chain partners, industry vertical, or the locations where you do business. 

Our tailored approach to intelligence empowers our enterprise clients with the visibility and awareness they need to address cyber threats and emerging vulnerabilities, manage supply chain risk, counteract data leakage, and effectively secure events and physical locations around the world.

Want to learn more?

Check out our free webinar Brand Threat Intelligence: The First Line of Defense to learn how open source intelligence is helping enterprises protect their data, people, customers, and reputation in a digital-first world.