“Information is power. Do you know what the Internet says about your company?”
Back in 2009 I gave a well-received talk called “Enterprise Open Source Intelligence (OSINT) Gathering” to several conferences and local security groups. More recently, I’ve been part of many discussions with my clients and others in the security community about the increase of company confidential information that is posted by employees, competitors, or even adversaries on the Internet. These conversations have prompted me to revisit this topic to see where we stand since I looked at this several years ago. The short answer is that things have changed, and in many ways quite drastically.
What is OSINT?
OSINT or Open Source Intelligence is basically a form of intelligence collection. In basic terms, it’s any information that is publically available. In modern times this means anything that is available via the Internet in the form of blogs, news, forum posts, pictures, social media, videos and much, much more. OSINT also includes publically available government data. The government and military have their own uses for OSINT as well as businesses and individuals. Basically, whenever you do a Google search on a company or individual, you’re most likely collecting some form of OSINT whether you know it or not.
How does OSINT apply to a business and why should we care?
Over the years there has been a large increase in the posting of user generated content, mainly social media. This has been a difficult transition for many companies, mainly due to the merging of personal and business lives of employees. Bring in BYOD and mobile devices to the picture and you have a “perfect storm” of information leakage, as well as a plethora of problems around company reputation and image. Moreover, many companies now have adversaries that they may not have thought much of in the past. For example, the rise of hacktivists and other groups such as Anonymous have made corporations (large and small) targets for various reasons. Some companies are targets because of the product they sell, others because of the political views of the CEO, or simply are targeted “just for the Lulz”. Not to mention that a company’s competitors are also looking for any information that might give them the leg up in very competitive market place. It’s a different world that we live in and corporations need to understand that OSINT about their company is like gold in the eyes of the competition.
How does a company deal with OSINT?
The first step is to identify the risk that specific OSINT may pose to your organization. Think about the business you’re in, what data or information do you collect, what is it that is the most damaging thing that could happen to your business? Some of these questions can be difficult, especially if the board of directors or C-level executives are targeted personally. However, without defining what we are trying to protect, collecting OSINT can be a daunting task; not to mention monitoring for new information that might be posted.
Next, you need to determine what you’re going to monitor and how. The good news is that you can set up a very simple OSINT monitoring program on the cheap. It could be as simple as Google Alerts and using open source tools to monitor Pastebin and other document repositories. It can also be more advanced, enlisting paid services to monitor for employee password breaches, security vulnerabilities and exposures of confidential information. There are many ways, depending on the type of data, to start a monitoring program. The important thing to note is that it’s very hard, if not impossible, to monitor everything. An organization must also understand that it can’t “bite off more than it can chew” in regards to information collection. Especially on the Internet.
Want to learn more?
I’ll be presenting my revised “Enterprise Open Source Intelligence Gathering” at the InfoSec World conference in Orlando on Monday, April 7 at 3:15pm. I’ll be presenting on tools, techniques and strategies to help an organization collect OSINT and how to approach a monitoring program. If you miss the presentation at InfoSec World, I’ll be giving it again during a webinar later this month. Follow me and SecureState on Twitter for more information on when this webinar is and how to sign up.