What is OSINT

Abhinav Pathak
Published in Purple Team
9 min read · Aug 6, 2022

We have all tried to find someone online, perhaps by using an email address or a username. This is where OSINT comes in.

OSINT is an acronym for Open Source Intelligence.

Open Source Intelligence is a multi-method methodology for collecting, analyzing, and making decisions about data accessible in publicly available sources to be used in an intelligence context. In the intelligence community, the term “Open” refers to overt, publicly available sources.

OSINT is a valuable skill set for Investigators, the security department, intelligence units, risk managers, and cyber security experts.

Open Source Information Categories

There are different kinds of information that you may encounter when conducting OSINT analysis. According to the NATO Open Source Intelligence Handbook V1.2 published in 2001, there are four categories of open information and intelligence.

  • Open source data (OSD): This is generic data coming from a primary
    source. Examples include satellite images, telephone call data and
    metadata, datasets, survey data, photographs, and audio or video
    recordings that have recorded an event.
  • Open-source information (OSINF): This is generic data that has
    undergone some filtering first to meet a specific criterion or need;
    this data can also be called a secondary source. Examples include
    books about a specific subject, articles, dissertations, artworks, and
    interviews.
  • Open-source intelligence (OSINT): This includes all the information
    that has been discovered, filtered, and designated to meet a specific
    need or purpose. This information can be used directly in any
    intelligence context. OSINT can be defined in a nutshell as the output
    of open source material processing.
  • Validated OSINT (OSINT-V): This is OSINT with a high degree of
    certainty; the data should be confirmed (verified) using a non-OSINT
    source or from a highly reputable OSINT source. This is essential, as
    some outside adversaries may spread inaccurate OSINT information
    with the intent to mislead OSINT analysis. A good example of this is
    when a TV station broadcasts live the arrival of a president to another
    country; such information is OSINT, but it has a large degree of certainty.

OSINT Types

OSINT includes all publicly accessible sources of information. This information can be found either online or offline, including in the following places:

  • The Internet, which includes the following and more: forums, blogs,
    social networking sites, video-sharing sites like YouTube.com, wikis,
    Whois records of registered domain names, metadata, and digital
    files, dark web resources, geolocation data, IP addresses, people
    search engines, and anything that can be found online.
  • Traditional mass media (e.g., television, radio, newspapers, books,
    magazines)
  • Specialized journals, academic publications, dissertations,
    conference proceedings, company profiles, annual reports, company
    news, employee profiles, and résumés
  • Photos and videos including metadata
  • Geospatial information (e.g., maps and commercial imagery
    products)

How do experts perform OSINT?

OSINT is a very dynamic method of collecting and analyzing public data. Furthermore, there are different ways of sourcing its data. With this in mind, experts and intelligence bodies operate discreetly to be able to collect information without being identified.

Always have the Right Tools for OSINT

They collect information anonymously by using VPNs to hide their identity. At the same time, the OSINT analyst first examines the sources of information to ensure that there are no elements that can affect the accurate interpretation of data in the future.

OSINT Organizations

Some specialized organizations provide OSINT services. Some of them are government-based, and others are private companies that offer their services to different parties such as government agencies and business corporations on a subscription basis.

Government Organizations

Government organizations working in OSINT analysis are still considered the best because of the resources available from their governments to do their jobs. The two most famous government agencies that do OSINT globally are the Open Source Center in the United States and BBC Monitoring in Great Britain.

Open Source Center

We already talked about the Open Source Center (OSC); it is the largest OSINT organization and has vast resources to do its job. OSC works closely with other local intelligence agencies in the United States and offers its services to U.S. government intelligence agencies.

BBC Monitoring

BBC Monitoring is a department within the British Broadcasting Corporation (BBC) that monitors foreign media worldwide. It has a similar role as the Open Source Center in the United States, with the main difference being that it does not belong to British Intelligence. BBC Monitoring is funded by its stakeholders in addition to many commercial and governmental entities around the world. It was first established in 1939 and has offices in different countries around the globe. It actively monitors TV, radio broadcasts, print media, the Internet, and emerging trends from 150 countries in more than 70 languages. BBC Monitoring is directed by the BBC and offers its services on a subscription basis to interested parties such as commercial organizations and UK official bodies.

Private Sector

You should not underestimate the private sector when looking at who supplies OSINT information; many private corporations have developed advanced programs and techniques to gather data from public sources for commercial gain. Indeed, most private OSINT corporations partner with government agencies to supply them with such information. In this section, we will mention the main ones around the globe.

Jane’s Information Group

Jane’s Information Group is a British company founded in 1898. Jane’s is a leading provider that specializes in military, terrorism, state stability, serious and organized crime, proliferation and procurement intelligence, aerospace, and transportation subjects. It publishes many journals and books related to security matters in addition to its OSINT sources that track and predict security matters in 190 states and 30 territories.

Economist Intelligence Unit

The Economist Intelligence Unit is the business intelligence, research, and analysis division of the British Economist Group. The main domain of the Economist Intelligence Unit is its business and financial forecasts; it offers a monthly report in addition to a country's economic forecast for the coming five years with a comprehensive view of current trends on economic and political issues.

Oxford Analytica

Oxford Analytica is a relatively small OSINT firm compared with the previous two. Oxford Analytica specializes in geopolitics and macroeconomics subjects. It has a global macro expert network to advise its clients on the best practices of strategy and performance when accessing complex markets. Its expert networks contain more than 1400 experts. Most of them are scholars on their subject, senior faculty members in top universities, and high-profile specialists in their sector.

Information Gathering Types

OSINT sources can be collected using three main methods: passive, semi-passive, and active. The usage of one in favor of another is dependent on the scenario in which the gathering process operates in addition to the type of data that you are interested in. The three gathering techniques are generally used to describe the ways in which footprinting works, in other words, acquiring technical information about the target IT infrastructure (types of OS, network topology, server names, and so on).

1. Passive Collection

This is the most used type when collecting OSINT intelligence. Indeed, all OSINT intelligence methods should use passive collection because the main aim of OSINT gathering is to collect information about the target via publicly available resources only. In this type, your target knows nothing about your intelligence-collecting activities. This kind of search is highly anonymous and should be done secretly. From a technical perspective, this type of gathering reveals limited information about the target because you do not send any traffic (packets) to the target server — either directly or indirectly — and the main resources that you can gather are limited to archive information (mainly outdated information), unprotected files left on target servers, and content present on the target website.

2. Semi-passive

From a technical view, this type of gathering sends limited traffic to target servers to acquire general information about them. This traffic tries to resemble typical Internet traffic to avoid drawing any attention to your reconnaissance activities. In this way, you are not implementing an in-depth investigation of the target’s online resources, but only investigating lightly without triggering any alarm on the target’s side. Although this type of gathering is considered somewhat anonymous, the target can know that there is reconnaissance happening if they investigate the issue (by checking the server or networking device logs). However, they should not be able to attribute it to the attacker’s machine.

3. Active Collection

In this type, you interact directly with the system to gather intelligence about it. The target can become aware of the reconnaissance process, since the person or entity collecting information will use advanced techniques to harvest technical data about the target IT infrastructure, such as accessing open ports, scanning for vulnerabilities (for example, unpatched Windows systems), scanning web server applications, and more. This traffic will look like suspicious or malicious behavior and will leave traces on the target’s intrusion detection system (IDS) or intrusion prevention system (IPS). Conducting social engineering attacks on the target is also considered a type of active information gathering. As we said earlier, active collection and semi-passive collection are types of information gathering, but you usually do not use them in OSINT gathering. Passive collection is preferred because it can harvest information from public sources secretly, and this is the essence of OSINT.
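
The traces described above, seen from the defender's side, as an added example that is not part of the original article: a Python script that profiles each client in a web access log and flags the ones whose requests arrive in a burst and mostly fail. The log lines, thresholds, and function names are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in Apache/Nginx "combined" log format (not real traffic).
SAMPLE_LOG = """\
198.51.100.7 - - [06/Aug/2022:10:00:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [06/Aug/2022:10:00:09 +0000] "GET /about HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.9 - - [06/Aug/2022:10:01:00 +0000] "GET /admin HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.9 - - [06/Aug/2022:10:01:00 +0000] "GET /backup.zip HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.9 - - [06/Aug/2022:10:01:01 +0000] "GET /.git/config HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.9 - - [06/Aug/2022:10:01:01 +0000] "GET /phpinfo.php HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.9 - - [06/Aug/2022:10:01:02 +0000] "GET /server-status HTTP/1.1" 403 153 "-" "Mozilla/5.0"
192.0.2.44 - - [06/Aug/2022:10:02:40 +0000] "GET /old-page HTTP/1.1" 404 153 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ \S+ [^"]*" (?P<status>\d{3}) '
)
# Constructed thresholds; tune them against your own baseline traffic.
MIN_REQUESTS, MIN_ERROR_RATIO, MIN_RATE = 5, 0.6, 1.0

def profile_clients(log_text):
    """Return {ip: {"requests", "error_ratio", "rate"}} for each client."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of failing on them
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        hits[m["ip"]].append((ts, int(m["status"])))
    stats = {}
    for ip, rows in hits.items():
        times = [ts for ts, _ in rows]
        span = (max(times) - min(times)).total_seconds()
        errors = sum(1 for _, status in rows if 400 <= status < 500)
        stats[ip] = {"requests": len(rows),
                     "error_ratio": errors / len(rows),
                     "rate": len(rows) / max(span, 1.0)}  # requests per second
    return stats

def flag_probing(stats):
    """Clients with enough requests that mostly return 4xx and come in a burst."""
    return sorted(ip for ip, s in stats.items()
                  if s["requests"] >= MIN_REQUESTS
                  and s["error_ratio"] >= MIN_ERROR_RATIO
                  and s["rate"] >= MIN_RATE)

if __name__ == "__main__":
    print(flag_probing(profile_clients(SAMPLE_LOG)))
```

A single client with one stray 404 is not flagged; the combination of volume, failure ratio, and request rate is what separates scanning-like traffic from a visitor who followed a dead link.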

Understand the OSINT Framework

OSINT Framework is one of the most comprehensive collections of free and paid tools to use for gathering information. Furthermore, the site filters resources into appropriate categories based on what you're looking for.

https://osintframework.com/

The categories include social networks, public records, videos, photos, digital currency, archives, dark web, and more.

Benefits of OSINT

In today’s information age, no one can underestimate the vital role that OSINT plays in the different intelligence arenas. The benefits of OSINT span many areas in today’s world. The following are the main ones:

• Less risky: Using publicly available information to collect intelligence has no risk compared with other forms of intelligence such as using spying satellites or using human sources on the ground to collect information, especially in hostile countries.

• Cost effective: Collecting OSINT is generally less expensive compared with other intelligence sources. For instance, using human sources or spying satellites to collect data is costly. Small businesses with limited intelligence budgets can exploit OSINT sources with minimal costs.

• Ease of accessibility: OSINT sources are always available, no matter where you are, and are always up-to-date. OSINT sources can be used by different parties in any intelligence context; all you need are the required skills/tools to harvest and analyze OSINT properly. For example, military departments can predict future attacks by analyzing activities on social networking sites, while corporations can use it to build their new market expansion strategies.

• Legal issues: OSINT resources can be shared between different parties without worrying about breaching any copyright license as these resources are already published publicly. Of course, some limitations apply when sharing gray literature; we already covered this in a previous section.

• Aiding financial investigators: OSINT allows specialized government agencies to detect tax evaders, for instance. Many famous celebrities and some giant companies are involved in tax evasion, and monitoring their social media accounts, vacations, and lifestyles has a great value for a government inspector who may be chasing them for undeclared income.

• Fighting against online counterfeiting: OSINT techniques can be used to find false products/services and direct law enforcement to close such sites or to send warnings to users to stop dealing with them. This is a great advantage of OSINT, especially when fighting against counterfeit pharmaceutical and natural health products.

• Maintaining national security and political stability: This might be the most important role of OSINT; it helps governments to understand their people’s attitudes and act promptly to avoid any future clashes. Wise governments utilize OSINT in their future strategies, especially for their domestic policies.

Challenges of Open Source Intelligence

All intelligence gathering methodologies have some limitations, and OSINT is not exempt from this rule. In this section, we will mention some of the challenges that face OSINT gathering.

• Sheer volume of data: Collecting OSINT will produce a huge amount of data that must be analyzed to be considered of value. Of course, many automated tools exist for this purpose, and many governments and giant companies have developed their own set of artificial intelligence tools and techniques to filter acquired data. However, the tremendous volume of data will remain a challenge for the OSINT gatherer.

• Reliability of sources: Bear in mind that OSINT sources, especially when used in the intelligence context, need to be verified thoroughly by classified sources before they can be trusted. Many governments broadcast inaccurate information to mislead the OSINT-gathering process.

• Human efforts: As we already mentioned, the sheer volume of data is considered the greatest challenge for OSINT collection. Humans need to view the output of automated tools to know whether the collected data is reliable and trustworthy; they also need to compare it with some classified data (this is applicable for some military and commercial information) to assure its reliability and relevance. This will effectively consume time and precious human resources.

Any type of comment is welcome. Thank you for your time :)).

Happy Hacking !!!

If you enjoyed reading the article do clap and follow:

Twitter: https://twitter.com/i_amsphinx

LinkedIn: https://www.linkedin.com/in/pathakabhi24/

GitHub: https://github.com/pathakabhi24
