OSINT 101: How to Leverage Open Source Data to Track Down Threat Actors
Open source investigation has become a necessary skillset for threat hunters
With the professionalisation of cybercrime and the emergence of ransomware-as-a-service (RaaS) business models, cybercriminal gangs and their affiliates must maintain a presence on the clear web as well as the dark web to recruit, promote their achievements or try to attract media coverage.
Telegram channels and ransomware leak sites have become two helpful, open resources for threat hunters alongside forensics and dark web monitoring.
Researching, gathering and analysing publicly available information to produce actionable intelligence is traditionally called open source intelligence (OSINT), a term borrowed from the military.
Although cybersecurity practitioners have deployed OSINT analyses for a long time, there has recently been an explosion of OSINT tools, including some specifically designed for threat hunting.
Infosecurity has selected some tools and best practices for leveraging OSINT to track down cyber threat actors.
What Threat Hunters Can Do with OSINT
Threat hunters use OSINT in almost every step of tracking down threat actors – sometimes without calling it OSINT.
Here are just a few examples of how OSINT can be used for threat hunting:
- Detecting phishing attacks: By monitoring social media platforms (SOCMINT) and other online sources, threat hunters can identify phishing attacks and warn employees about them before they click on a malicious link or attachment.
- Investigating data breaches and security incidents: OSINT can be used to analyse data breaches, including identifying the breach’s source and the extent of the damage caused by the breach. It can be used to check exposed endpoints and find the attacker’s command-and-control infrastructure.
- Monitoring dark web activity: Although websites in the dark web are not as easily accessible as those on the clear web, an increasing number of tools can help monitor them – including hacker’s forums, marketplaces and leak sites – to identify potential threats, such as the sale of stolen credentials, malware, web access brokers, and more.
- Identifying threat actors: By gathering information about threat actors, such as their online aliases, affiliations, and infrastructure, threat hunters can identify potential dangers and vulnerabilities.
- Understand threat actors’ TTPs: Once a threat actor has been identified, OSINT can be used to understand their techniques, tactics and procedures (TTPs) and map them using frameworks like MITRE ATT&CK.
Looking for more infosecurity & cybersecurity insights?
Keep up to date with the latest trends and expert insights from Infosecurity Europe.
Unpacking the OSINT Threat Intelligence Cycle
To leverage threat intelligence sources to help align their threat hunting program, threat hunters can use the OSINT threat intelligence cycle framework developed by Sophos.
It outlines four phases that threat hunters must follow when using OSINT tools:
1. Purpose: Determine the purpose of the threat intelligence and how it will be applied. Use questions to guide the overarching goal of the threat hunting effort. A common question to ask is, “Do we see any known indicators of compromise (IOCs) or indicators of attack (IOAs) from adversary groups publicly attributed to state-sponsored cyber campaigns from this country?”
Once a question has been ratified, the next step is to deconstruct the question to identify what to harvest in the next phase of the intelligence cycle.
2. Harvest: Intelligence sources vary widely including feeds that can be purchased, information shared from industry-specific Information Sharing and Analysis Centres (ISACs), data that can be gathered from social media, and information shared from organizations such as the FBI’s InfraGard. Regardless of where the data is obtained, a key factor is confidence in the data set. All threat intelligence sources must be scrutinized and efforts should be focused on those with the highest confidence factor.
Once the groups have been identified, collect the IOCs and IOAs used by those adversary groups in previous cyber campaigns.
3. Categorise: There is no right or wrong answer to categorisation; Using something the organisation is familiar with is often the best approach. Frameworks such as STIX offer a standard language and format for classifying observables. The IOC and IOA artifacts should be associated with the adversary group and the source reference. This will allow for the threat hunting team to pivot on the IOCs/IOAs if there is a suspected true positive.
This also allows for prioritisation of the most relevant indicators to the organization based on refinement.
4. Refine: Researching what IOCs and IOAs are relevant to detection and threat hunting capabilities and identifying which IOCs and IOAs are immediately actionable and which IOCs and IOAs may pose visibility or coverage gaps. Specific questions should be asked of each category to determine if an organization can detect or threat hunt those IOCs or IOAs. An example question would be, “Is the necessary data being collected for each category easily retrievable and reviewable?”
This highlights the need for being able to historically analyse data to hunt for the IOCs. Whereas if the question was posed slightly differently, “Will detections or alerts be created based on these IOCs?” highlights the need to create rules that provide real-time alerting if the IOCs are observed.
Operational and Legal Considerations in Using OSINT
Threat hunters must be aware of the operational limitations and the security, privacy and legal risks of incorporating OSINT into their investigations.
For instance, some best practices for maintaining operations security (OPSEC) when conducting OSINT for threat hunting include:
- A separate system or virtual machines (VM) isolated from your host
- Using browser extensions to prevent fingerprinting and block trackers and cookies that could expose your real identity and location
- Using proxies or virtual private network (VPN) services to protect your identity and location
- Avoid using personal and corporate email or social media accounts when conducting OSINT
- Following ethical guidelines and respecting the privacy of individuals and organisations
Some best practices for conducting ethical OSINT investigations include:
- Obtaining consent whenever possible
- Being as transparent as possible about both the source of the data you collected and the way you collected it
- Asking yourself, “Is the way in which this tool or technique is collecting the data both legal and ethical?”
- Avoiding the gathering of sensitive or confidential information
Some Useful OSINT Tools
Here are some of the most used OSINT tools in threat hunting:
- Shodan: Aka ‘the search engine for internet-connected devices’: It allows you to discover devices (servers, webcams, routers, IoT devices…) connected to the internet, along with their vulnerabilities.
- Prowl: A free IP search tool that helps identify IoCs and IoAs. It provides detailed information about IP addresses, domains, and URLs, enabling security professionals to identify potential threats and vulnerabilities in their networks.
- SpiderFoot: It automates data extraction from diverse sources like DNS, WHOIS, and social media platforms.
- theHarvester: It scours search engines, PGP key servers, and social media platforms to detect email addresses and related data.
- Maltego: A visual link analysis tool that allows users to mine, merge, and map data from open-source intelligence (OSINT) and third-party data integrations.
These are just a sample of a myriad of search engines, websites, plugins and software that allow threat hunters to leverage OSINT for threat hunting purposes.
Enjoy this article? Make sure to share it!
Keep up to date with the latest infosecurity news and trends in our latest articles.
Stay in the know
Receive updates about key events, news and recent insights from Infosecurity Europe.
Looking for something else?