By John O-Hare, Director of Sales and Business Development at Cobwebs Technologies
Open-source intelligence (OSINT) can supercharge the capabilities of a Global Security Operations Center (GSOC) through next-gen data analytics, real-time threat monitoring, and amplified investigations. At the recent Global Security Exchange (GSX) conference, I demonstrated how OSINT provides powerful capabilities to security teams for global threat management. Advanced video forensics, facial recognition, and license plate readers expand the information and intelligence available to corporate security teams. OSINT can be used to analyze online activity and publicly available information on the open web, and to dive into the deep and dark web, to uncover early threat indicators and disrupt bad actors.
GSOCs are staffed by a team of security professionals who work around the clock to identify and track potential threats. Keeping up with the latest technology developments and briefings is essential for GSOCs to be more proactive in responding to a host of cyber threats and attacks.
How OSINT empowers GSOCs
The digital landscape is expanding exponentially. Closed Circuit Television (CCTV) cameras proliferate while online platforms create a living trove of intelligence. At the same time, sensors transform cities into data-rich environments even as more sophisticated cyber threats emerge. New analytical capabilities harness artificial intelligence (AI) and machine learning (ML) to extract insights from massive datasets. Video and image forensics, video analytics, license plate readers (LPRs), image analytics and facial recognition are the foundation of a global security operations center.
An OSINT web intelligence platform powered by AI is an important component of this ecosystem that can enrich investigations and help generate the insights GSOC security teams and intelligence units need to keep corporations and communities safe. OSINT provides seamless search and analysis of publicly available sources on the open web and other integrated data sources, as well as the ability to dive into the deep and dark web, allowing security professionals to generate actionable insights.
Tips and techniques for incorporating OSINT into a GSOC
At the GSX conference, I provided techniques and guidance for effectively incorporating OSINT into global security operations centers. When implemented properly, OSINT unlocks powerful capabilities that amplify a GSOC’s intelligence advantage, including the ability to search for unique identifiers, extract insights from Exchangeable Image File Format (EXIF) metadata, accelerate breach investigations, and more.
- Using OSINT to find unique identifiers
OSINT helps corporate investigators search for unique identifiers that can be used to corroborate the identity of suspects. While names may return multiple results online, unique identifiers like email addresses tend to link consistently back to individuals. Email addresses in particular stay with a person forever, even for old, unused accounts. When OSINT analysts can connect email addresses, phone numbers, nicknames, or other digital breadcrumbs back to forensic evidence such as data from a suspect’s device, it strengthens investigations. At the same time, public information online must be verified. The internet contains many unvetted digital breadcrumbs, so analysts must carefully confirm that OSINT findings connect to the right target. Thorough vetting and corroboration are crucial when leveraging OSINT. With proper verification, OSINT delivers powerful evidence while adhering to the rigorous standards needed for prosecution.
- OSINT and forensic data
OSINT can extract EXIF metadata embedded in digital photos and videos to gather intelligence around date, time, location, device, editing history and other details. Analyzing EXIF data enables investigators to establish a timeline of events, verify image authenticity, and potentially track the source camera or smartphone. OSINT tools can quickly analyze and visualize metadata attached to online content such as documents, images, and website code. Metadata provides critical context around files, accounts, activities and authorship that can strengthen the intelligence value of collected OSINT. Moreover, importing collected OSINT into digital forensics tools allows analysts to visualize connections, timelines, relationships and patterns across massive datasets.
- Mitigating breaches
A cybersecurity audit leveraging OSINT can uncover leaked technical data on hacker forums that provides insight into a threat actor’s methods, tools, and processes. This enables more targeted incident response. Ongoing monitoring of deep and dark web sites can also detect the attempted sale of stolen data. If a corporation is the victim of a data breach, security teams can extract metadata from stolen files and trace the usernames, machines, and internal systems that are compromised. This identifies all points of access needing shutdown, and the systems that need patching. In addition, they can monitor external chatter around the breach across online platforms, forums, code repositories, and other sources, to gauge wider impacts and public perception. GSOC teams can also leverage OSINT to conduct cyber threat hunting within internal systems and identify additional footholds, compromised credentials, or backdoors left by attackers. Consulting counsel is important when investigations uncover sensitive employee or customer data that may trigger legal obligations around breach disclosure and protections; OSINT findings may have legal impacts. Keeping stakeholders updated is critical when OSINT reveals new indicators of compromise or sensitive details. Transparency builds trust and furthers intelligence leads.
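The EXIF extraction described in the "OSINT and forensic data" section above, as an added example that is not the author's or the vendor's code: a stdlib-only parser for the IFD0 ASCII tags (Make, Model, DateTime) of a TIFF/Exif block, paired with a builder that produces a constructed sample blob so the example runs offline. The tag ids and layout are the standard TIFF ones; the sample values are made up, and a real photo also carries an Exif sub-IFD and a GPS IFD that this parser does not follow.

```python
import struct

# IFD0 ASCII tag ids from the TIFF/Exif specification; unknown tags are shown as hex
TAGS = {0x010F: "Make", 0x0110: "Model", 0x0131: "Software", 0x0132: "DateTime"}
ASCII = 2  # TIFF field type: NUL-terminated ASCII string


def build_exif(fields, byte_order=b"II"):
    """Constructed sample: minimal TIFF/Exif blob holding one IFD of ASCII (tag, text) entries."""
    e = "<" if byte_order == b"II" else ">"   # b"II" little-endian, b"MM" big-endian
    data_off = 8 + 2 + 12 * len(fields) + 4   # first byte after the IFD
    entries, payload = b"", b""
    for tag, text in fields:                  # tags must be in ascending order
        value = text.encode("ascii") + b"\x00"
        if len(value) <= 4:                   # 4 bytes or fewer: value stored inline
            entries += struct.pack(e + "HHI", tag, ASCII, len(value)) + value.ljust(4, b"\x00")
        else:                                 # longer values are placed after the IFD
            entries += struct.pack(e + "HHII", tag, ASCII, len(value), data_off + len(payload))
            payload += value
    header = byte_order + struct.pack(e + "HI", 42, 8)   # magic 42, IFD0 at offset 8
    return header + struct.pack(e + "H", len(fields)) + entries + struct.pack(e + "I", 0) + payload


def parse_exif(blob):
    """Walk IFD0 of the TIFF block that follows 'Exif\\0\\0' in a JPEG APP1 segment."""
    bo = blob[:2]
    if bo not in (b"II", b"MM"):
        raise ValueError("not a TIFF/Exif header")
    e = "<" if bo == b"II" else ">"
    magic, ifd = struct.unpack_from(e + "HI", blob, 2)
    if magic != 42:
        raise ValueError("bad TIFF magic number")
    (count,) = struct.unpack_from(e + "H", blob, ifd)
    found = {}
    for i in range(count):
        pos = ifd + 2 + 12 * i
        tag, typ, n = struct.unpack_from(e + "HHI", blob, pos)
        raw = blob[pos + 8:pos + 12]          # inline value, or offset to the value
        if typ != ASCII:
            continue                          # SHORT/RATIONAL tags are skipped here
        if n <= 4:
            data = raw[:n]
        else:
            (off,) = struct.unpack_from(e + "I", raw)
            if off + n > len(blob):           # files are untrusted: reject bad offsets
                raise ValueError("IFD entry points outside the file")
            data = blob[off:off + n]
        found[TAGS.get(tag, "0x%04X" % tag)] = data.rstrip(b"\x00").decode("ascii", "replace")
    return found
```

Calling `parse_exif(build_exif([(0x010F, "ACME Imaging"), (0x0110, "AC1"), (0x0132, "2023:05:14 09:30:00")]))` returns the device and timeline fields an analyst would pull from a photo; the bounds check matters because a malformed file can point an entry outside the buffer.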
OSINT in action at a GSOC
OSINT was used to identify a fake credential ring that claimed to have sold over 2,000 viable passes at $5 per pass at a large US sporting event in 2023. This event draws hundreds of thousands of people each year. The event can be easily compromised by the sale and use of fraudulent credentials, allowing unknown persons to enter the area for potentially nefarious reasons. Credentials can allow unfettered access and bypass physical security measures, thus posing a serious security risk if those who enter have ill intentions.
GSOCs must tap into online data and OSINT
OSINT allows GSOCs to monitor a broad range of threat indicators across the surface, deep and dark web to identify emerging risks targeting their corporate infrastructure, data, personnel or physical locations. Analysis of internal corporate data alongside external OSINT can help uncover malicious insiders through digital footprints, behavioral patterns and unauthorized system access. Furthermore, intelligence gained from monitoring threat actor communications and plans in the digital underground enables GSOCs to proactively fortify defenses and security practices ahead of impending attacks.
The bottom line is OSINT gives GSOCs an information advantage against adversaries by tapping into massive open sources of intelligence with advanced analytics to detect, counter and investigate security threats.