Open Source Intelligence

What is Open Source Intelligence?

Open source intelligence (OSINT) is threat intelligence produced by collecting and analyzing data from publicly available sources. 

Open source intelligence is defined in the United States Code as: 

“Intelligence that is produced from publicly available information and is collected, exploited, and disseminated in a timely manner to an appropriate audience for the purpose of addressing a specific intelligence requirement”.

Why is Open Source Intelligence Important?

Open source intelligence encompasses a rich variety of data sources that can yield valuable information about cyber threat actors, their motivations, behaviors, targets, and the tactics, techniques, and procedures (TTPs) they use to execute attacks. Open source intelligence can also reveal cyber threat indicators such as fraudulent domains or fake social media accounts that could be used to carry out an attack.

In addition to proactively hunting down and identifying threats, open source intelligence provides a valuable source of information for ethical hackers and penetration testers. These cybersecurity professionals can use open source intelligence to identify potential weaknesses in enterprise networks and remediate them before they can be targeted by cyber adversaries.

Where To Find Open Source Intelligence

Open source intelligence is characterized by being publicly available - but that doesn’t always mean it’s easy to find. Here’s a quick run-down of where the leading threat intelligence experts are finding the best open source intelligence:

  • Social Media - With billions of daily users engaging across platforms, social media offers a rich and versatile source of threat intelligence for cybersecurity experts.
  • The Web - The world wide web consists of the surface web (websites indexed by Google), the deep web (unindexed web pages) and the dark web (web pages hidden from the public and accessed through a specialized browser).
  • Public Government Data - Public government data includes government reports, analysis, audits, and other information released by government organizations.
  • Academic and Professional Publications - Cybersecurity experts can learn more about digital threat actors and their attacks by reading academic journals and cybersecurity research publications that investigate the technology behind emerging cyber threats.
  • Commercial Data - Commercial data includes financial and industrial assessments, databases, industry research reports, and other informational assets that may contain information about newly discovered software vulnerabilities or an emerging threat.
  • Grey Literature - Grey literature includes many types of information released outside of traditional publishing and distribution channels, including technical reports, patents, newsletters, corporate white papers, and business documents.

Identifying Cyber Threats with Open Source Intelligence

Many different types of cyber threats can be identified, detected, and prevented with open source intelligence. Here are five different types of cyber threats that can be identified by gathering data from public information sources:

Impersonation Attacks

An impersonation attack takes place when a cyber adversary pretends to represent your brand or poses as one of its executives as part of a scam or cyber attack. Impersonation attacks can be detected and identified by monitoring social media, domain registries, and the web for fraudulent cyber attacker infrastructure.
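
One way to do the domain-registry monitoring described above, as an added example that is not ZeroFox code or part of the original page: it triages a constructed feed of newly registered domains against a hypothetical brand, `examplebank`, flagging look-alike character swaps, brand-plus-keyword names, TLD variants and near-miss typos. The brand, allowlist, feed and all function names are assumptions made for illustration.

```python
# Constructed sample data for illustration; not taken from any real feed.
BRAND = "examplebank"              # hypothetical protected brand
ALLOWLIST = {"examplebank.com"}    # domains the brand actually owns
NEW_DOMAINS = [                    # constructed "newly registered domains" feed
    "examp1ebank.com", "exarnplebank.net", "examplebank-login.net",
    "exampelbank.org", "examplebank.co", "gardening-tips.org", "examplebank.com",
]
# Multi-character look-alikes are folded first, then single digits.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]

def skeleton(label: str) -> str:
    """Fold common look-alike characters so visually similar labels compare equal."""
    label = label.lower()
    for fake, real in CONFUSABLES:
        label = label.replace(fake, real)
    return label

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance computed with a rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(domain: str, brand: str = BRAND, max_typos: int = 2):
    """Return why a domain resembles the brand, or None if it does not."""
    domain = domain.lower().rstrip(".")
    if domain in ALLOWLIST:
        return None
    # Simplification: the label left of the final dot is treated as the
    # registrable name; production code should use the Public Suffix List.
    label = domain.split(".")[-2] if "." in domain else domain
    skel, target = skeleton(label), skeleton(brand)
    if skel == target:
        return "tld-variant" if label == brand else "homoglyph"
    if target in skel:
        return "brand-embedded"
    if edit_distance(skel, target) <= max_typos:
        return "typosquat"
    return None

def triage(domains):
    """Map each suspicious domain to its reason; benign domains are dropped."""
    return {d: r for d in domains if (r := classify(d))}

if __name__ == "__main__":
    for domain, reason in triage(NEW_DOMAINS).items():
        print(f"{reason:15} {domain}")
```

Short brand names need a lower `max_typos`, since an edit distance of 2 matches many unrelated labels.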


Phishing Attacks

As phishing attacks have become increasingly common, there are now publicly available databases of known phishing domains, messages, and related cyber threats. These data sources enable enterprise SecOps teams to quickly identify phishing attacks against their organizations and implement the appropriate educational and defensive measures to avoid being exploited.

Data Breaches and Leakage

Open source intelligence can reveal important evidence of planned or recently executed data breaches, often by discovering leaked data or stolen access credentials on paste sites or in the deep web. 

Software and Hardware Vulnerabilities

Information about new vulnerabilities is published on a daily basis by software and hardware vendors, enterprise organizations, and cybersecurity researchers. A comprehensive open source intelligence program analyzes these updates and alerts enterprise security teams to known vulnerabilities in their networks that pose a security risk.

Leaked or Exposed Assets

Leaked credentials or exposed data assets can be identified as part of the open source intelligence gathering process. Once exposed, these assets frequently end up for sale or trade on deep/dark web forums or illicit marketplaces. Detecting these assets gives enterprises the opportunity to engage cyber adversaries and recover the assets before they can be used to harm the organization.

How to Access Open Source Intelligence

  • Manual Research - SecOps teams can access open source intelligence by manually exploring publicly available data sources to learn about cyber attackers and emerging threats. Gathering open source intelligence through manual research can be effective, but the process is labor-intensive and challenging to implement at scale.
  • OSINT Tools - Open Source Intelligence tools exist to help streamline the process of collecting and analyzing data from public sources. OSINT tools can provide functionality that ranges from metadata search, code search, and phone number research, to email search and verification, image analysis, and wireless network detection.
  • Threat Intelligence Software - Threat intelligence software platforms like ZeroFox use artificial intelligence to monitor the public attack surface, generating open source intelligence at scale that can help enterprises prioritize the right defensive measures to safeguard their networks against cyber attacks.

ZeroFox Leverages Open Source Intelligence to Safeguard Your Enterprise

ZeroFox provides enterprises protection, intelligence, and disruption to dismantle external threats. 

The AI-driven ZeroFox platform monitors the public attack surface at scale, capturing data from the surface web, social media, mobile app stores, eCommerce marketplaces, and other sources to generate high-quality open source intelligence and insights into emerging cyber threats.

Check out our free white paper Why InfoSec Needs to Care About Social Media to learn how you can leverage social media as a repository of open source threat intelligence and safeguard your brand, people, and data against digital threats.