In my first article on Cyber Security Threat Intelligence Analysts, (CTI analysts) we covered what a CTI analyst is and discussed how they can bridge the gaps between IT, Security, and the Business. We discussed how this is beneficial to the maturity of the business, but what exactly did we mean by this?

In the second article of our CTI analyst series, we’ll cover the unique benefits a CTI analyst brings to an organization by enhancing:

Strategy and planning of IT and security by taking a holistic view

Intelligence on the cybersecurity landscape and industry trends

Collaboration with the recognized bodies and regulations

Enhancing the strategy and planning of the business

Have you ever prepared for a meeting with a new contact by visiting LinkedIn and checking out their profile? If not, it might be beneficial to take a few moments to do this. You may find some common connections. Using public social media sites to identify someone is an example of what we commonly refer to as open-source intelligence (OSINT).

What is OSINT?

OSINT is essentially looking at publicly available data, be it government records such as Companies House in the United Kingdom or social media posts on Facebook or Twitter. It can consist of checking out popular search engines to look for articles and pictures relating to your target or even searching historic records like the WayBackMachine or ancestor sites for family connections.

OSINT is a powerful tool. Not only does it identify the image a target wishes to present to the world, but it can also reveal a lot about the target’s carefully selected interests, ‘likes’ and publicly posted updates. OSINT can also reveal information and habits about us we might not expect because it’s reviewed by a skilled person. In many situations, these experts can identify malicious actors and discover relationships, information which can be used to enhance a family’s privacy and security plan.

How do businesses use OSINT?

Interestingly, many organizations’ use of OSINT has been neither formalized nor widely adopted. It often appears that various public postings that could be detrimental or harmful to the organization have to reach a wide audience before they are noticed and before action is taken. A prime example of this was the story of a Canadian CP rail conductor who was fired for a second time after the company expressed concerns over social media posts, including “racy” boudoir photos allegedly taken on rail company property.

Given the previous behavior of the Canadian CP rail conductor, should the organization should have been monitoring her public online activity before it became a very public story? It may have been possible to deal with the situation quietly and professionally, an opportunity that OSINT may have been able to identify before it became national news. An OSINT program is the ultimate proactive measure – identifying those potential situations and suggesting mitigative action before the court of public opinions makes the call for you.

In order to establish or gain support for an OSINT program, an organization often needs an illustrative example of how effective an OSINT program can be. What I have found beneficial is to examine the Board’s or a senior executive’s digital footprint and what information might be exposed in the process. Sadly, all too often, the information leak or scandalous situation only comes to light post-incident.

What would the OSINT program look for? One example is when a staff member has publicly disclosed an upcoming vacation or company event that could be used for targeted phishing.

Applying OSINT as Counterintelligence

“Counter-intelligence means activities concerned with identifying and counteracting threats to the security of your organization and staff.”

The first step of a malicious actor’s playbook is information gathering or reconnaissance – i.e. identification of your target(s) and any valuable information that can be used. This information gathered is ultimately turned into intelligence:

Information Intelligence Collected data relating to a specific target, fact, or event. Reviewing information and being able to answer the ‘so what’? Or ‘what does the information mean’?

If your OSINT program has gathered the available information on your organization and staff, steps can be taken to make exploitation of that information more difficult. Scrubbing the public data of geo-location information of sensitive facilities and deleting staff photos with sensitive information (presence of CCTV & alarm and motion detector locations) are examples of making it more difficult for malicious actors. If you can’t remove it, identify and train staff to be aware of it.

What public information should be redacted?

The answer to that question is found in the threat models which target your organization, staff and executive members. This can range from the physical threat of break-in or robbery to the travel plans of executives’ trips to potentially hostile regions where there is a chance of kidnap for ransom. Note: travel plans of executives should never be released on social media without an abundance of caution, planning and specific redactions made.

Applying OSINT as Cyber Counterintelligence

Consider how much data we share daily. In our personal lives, most mobile numbers are connected to your full name, and your IP address is connected to the sites you access without controls. You also need to remember how your activities can expose the email addresses that you freely give for contact, your shopping habits through credit card usage and/or your location through fitness apps. These small pieces here and there add up and can eventually be used to identify who you are, including who your connections are.

Now, consider an organization and all its individual employees. Those employees often have a LinkedIn account which tells us their roles and responsibilities, technologies they’ve gained certifications in or skills they have developed. This information, when used properly, can become valuable intelligence on how the organization runs, who’s responsible for what, and even possibly who could be targeted by a malicious actor looking to exploit the power of an authority figure through social engineering.

A sensible balance between presenting public information about the organization and its structure needs to be found, and the OSINT program can provide an understanding and context of that information and the risk of being exploited. In situations where an organization contains highly sensitive information, a DNS entry for “classified-portal.3letteragency.gov” is probably a bad idea.

Imagine the benefits of a dedicated team who looks out for information that could save the organization from reputational damage by looking for:

Counterfeit or stolen property listed online

Employee conduct, threats and harassment on social media

Frustrated, angry or threatening customer correspondence

Damaging reviews of product, services or work environment

Leaked merger, acquisition & organizational partnership discussions

Sensitive information publicly disclosed – accidentally or intentionally

Inaccurate, harmful or out of date information

Presence of fake websites, fake invoices or scams targeting customers, staff or the organization

Staff disputes, associations or controversial commentary in a public forum

Credentials from data breach & compromised accounts belonging the organization

Research and validation of the background of prospective employees or board members

Unsavory relationships, membership or pending court action related to the organization

Outcomes from OSINT program intelligence

From experience, it is all too easy to make roles and responsibilities implied and assume that all parties know their role. (Hint: it rarely aligns with each party’s assumption.) Therefore, to be explicitly clear, the OSINT program is specially trained to gather intelligence and create tailored guidance, and it will not act upon this intelligence unless approved. At times, areas of the OSINT program and ways of monitoring and identification may come into conflict with the rights of staff and customers to speak and associate freely. Therefore, there is still a need for an ethics board’ any actions taken must be decided by senior leaders who are working under an HR- and possibly legal counsel-sanctioned investigation.

Perhaps the guiding principle of the OSINT program should be the aphorism known as “Hanlon’s razor”: “Never attribute to malice that which is adequately explained by stupidity.”

The OSINT program will build intelligence and give recommendations, resilience prevention, detection and responses. Following this, the senior staff either directly take action or advise on actions to be taken, both in response and future prevention, via keeping in mind considerations like implementing more robust acceptable use policies, training, active monitoring and controls.

About the Co-Author:

Ian Thornton-Trump , CD is an ITIL certified IT professional with 25 years of experience in IT security and information technology. From 1989 to 1992, Ian served with the Canadian Forces (CF), Military Intelligence Branch; in 2002, he joined the CF Military Police Reserves and retired as a Public Affairs Officer in 2013. After a year with the RCMP as a Criminal Intelligence Analyst, Ian worked as a cybersecurity analyst/consultant for multi-national insurance, banking and regional health care. His most memorable role was being a project manager, specializing in cybersecurity for the Canadian Museum of Human Rights. Today, as Chief Information Security Officer for Cyjax Ltd., Ian has deep experience with the threats facing small, medium and enterprise businesses. His research and experience have made him a sought-after cybersecurity consultant specializing in cyber threat intelligence programs for small, medium and enterprise organizations. In his spare time, he teaches cybersecurity and IT business courses for CompTIA as part of their global faculty and is the lead architect for Cyber Titan, Canada’s efforts to encourage the next generation of cyber professionals.

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.