Reading notes from Kazuki Omote; Yukihiro Nakamura. Defending Corporate Systems from Cyber Attacks: OSINT Practical Guide. Nikkei BP. Kindle Edition.
Overview
OSINT stands for Open Source Intelligence – a methodology for collecting and analyzing useful information from publicly available sources. Its main purpose is to generate intelligence from information accessible to anyone, such as the internet, public databases, news articles, and social media. OSINT is particularly important in the field of cybersecurity and has become an indispensable methodology for attack prevention, countermeasures, and risk management.
History of OSINT
The concept of OSINT is not new; it has long been part of intelligence work and information warfare. During World War II, for example, the OSS (Office of Strategic Services, established in 1942 as a predecessor of the CIA) used open sources to collect images of Nazi Germany’s new warships and aircraft. This allowed analysts to assess enemy technology and military capability and fed into strategic decision-making.
Modern OSINT
In modern times, OSINT primarily targets information on the internet. Data is collected from a wide variety of sources:
- Websites and news articles: Publicly available information sources.
- Social media (SNS): Platforms like Twitter, Facebook, and Instagram where individuals and organizations publish information.
- Code-sharing sites like GitHub: Where source code and project progress are made public.
- Vulnerability databases: Databases like CVE and NVD that aggregate known vulnerability information.
- Zero-day attack information: Public reporting on attacks that exploit vulnerabilities for which no patch exists yet (or that the vendor does not yet know about). Such reports often precede the corresponding CVE entry, so they are an early-warning source rather than a database.
OSINT Investigation Methods
Finding Data Sources
When conducting OSINT investigations, it is important to find data sources appropriate to the objective. The following tools and resources are helpful for exploring OSINT data sources:
- OSINT Framework: A collection of links to various OSINT tools and information sources.
- MITRE ATT&CK: A knowledge base of adversary tactics and techniques drawn from observed attacks. Its Reconnaissance tactic enumerates the open-source gathering techniques attackers use (searching open websites and domains, open technical databases, victim-owned websites), so it is useful for mapping an OSINT data source to the attack phase it supports, both for attackers and for defenders assessing their own exposure.
- Mapping Tools for Open Source Intelligence with Cyber Kill Chain for Adversarial Aware Security: A paper on mapping data sources to the cyber kill chain.
Useful Tools
The following tools are widely used to support OSINT investigations:
- Shodan: A search engine for internet-connected devices. Indexes service banners, open ports and protocols per IP address, so you can see what part of your own estate (and which product versions) is exposed to the internet.
- Censys: Internet-wide scan data on hosts, services and TLS certificates. Useful for finding forgotten assets and for building a certificate inventory for your domains.
- Have I Been Pwned: Check whether an email address, or every address on a domain you control, appears in known data breaches.
- VirusTotal: Scan files and URLs against many antivirus engines; also exposes relationship data (passive DNS, related samples, contacted domains) useful for pivoting during an investigation.
- Aguse: Japanese service for checking a website’s reputation, registrant and hosting details before visiting it.
- Exploit Database (Exploit-DB): An archive of public exploits and proof-of-concept code, searchable by CVE and product, which tells you how readily a given vulnerability can be weaponized.
- SecurityTrails: Historical DNS, WHOIS and subdomain data for domains and IP addresses, useful for reconstructing how an organization’s infrastructure has changed over time.
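Have I Been Pwned is listed above for its email-address check; its Pwned Passwords service is worth knowing in detail because of how it protects the secret being checked. The client hashes the password with SHA-1, sends only the first five hex characters of the hash, and receives every suffix in that range together with a breach count, so the matching happens locally (the k-anonymity model). The following is an added example for these notes, not code from the book or from HIBP; SAMPLE_RANGE is a constructed stand-in for one response (the suffix for "password" is its real SHA-1 suffix, the counts are invented), and fetch_range is the only function that touches the network.

```python
"""Check a password against HIBP Pwned Passwords via the k-anonymity range API.

Added example for these reading notes, not code from the book or from HIBP.
The secret never leaves the host: only the 5-char SHA-1 prefix is sent and the
returned suffix block is matched locally. SAMPLE_RANGE is constructed.
"""
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"

# Constructed stand-in for the body returned for prefix 5BAA6 (one "SUFFIX:COUNT" per line).
# The suffix for "password" is real (SHA-1 5BAA61E4...68FD8); the counts are invented.
SAMPLE_RANGE = {
    "5BAA6": "\n".join([
        "003D68EB55068C33ACE09247EE4C639306B:3",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD9:0",   # padding entry (count 0), as sent with Add-Padding
        "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:12",
    ])
}


def sha1_prefix_suffix(password):
    """Uppercase hex SHA-1, split into the 5-char prefix that is sent and the 35-char suffix kept local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body):
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}; blank lines are skipped, malformed lines rejected."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, sep, count = line.partition(":")
        if sep != ":" or not count.isdigit():
            raise ValueError(f"malformed range line: {line!r}")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password, ranges):
    """Breach count for the password according to the supplied {prefix: response body} map.

    A prefix missing from `ranges` means we have no data at all; that is reported as -1,
    not 0, so that "no data" is never mistaken for "not breached".
    """
    prefix, suffix = sha1_prefix_suffix(password)
    if prefix not in ranges:
        return -1
    return parse_range(ranges[prefix]).get(suffix, 0)


def fetch_range(prefix, timeout=10.0):
    """Live lookup (network). Only the 5-char prefix is transmitted; Add-Padding asks HIBP to pad the reply."""
    if len(prefix) != 5 or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError("prefix must be 5 uppercase hex characters")
    req = urllib.request.Request(
        RANGE_URL + prefix,
        headers={"User-Agent": "osint-notes-example", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def breach_count_live(password):
    """Network variant: fetch the range for this password's prefix, then match locally."""
    prefix, _ = sha1_prefix_suffix(password)
    return breach_count(password, {prefix: fetch_range(prefix)})


if __name__ == "__main__":
    print(breach_count("password", SAMPLE_RANGE))          # 3861493 (constructed count)
    print(breach_count("some-other-string", SAMPLE_RANGE))  # -1: prefix not in the offline sample
```

The same prefix-only pattern is what you want whenever you check internal credentials against any breach corpus: never send the plaintext or the full hash to a third party, and treat a missing range as "unknown" rather than "clean".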
Other Important Resources
Vulnerability Information Collection
- NVD: The National Vulnerability Database, maintained by NIST (U.S. government). Entries carry a CVSS score and CPE names for the affected products, which is what makes automated matching against an asset inventory possible.
- JVN iPedia: Japan’s vulnerability database, operated by IPA, with Japanese-language summaries and coverage of domestic products.
- Vulmon: An aggregator of global vulnerability information, including exploit and advisory links.
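Both the "Vulnerability databases" item under Modern OSINT and the list above describe CVE/NVD as a data source; what a practitioner actually does with it is match the affected-product definitions (CPE names with version ranges) against their own inventory and rank the hits by CVSS. The following is an added example for these notes, not code from the book or from NIST. NVD_SAMPLE is a constructed record that mirrors the shape of NVD API 2.0 JSON (cve → metrics → cvssMetricV31, cve → configurations → nodes → cpeMatch); the vendor "example", product "widget" and the id CVE-1900-0001 are placeholders, not a real vulnerability.

```python
"""Match an asset inventory (CPE 2.3 names) against NVD-style CVE records.

Added example for these reading notes, not code from the book or from NIST.
NVD_SAMPLE is constructed and mirrors the shape of NVD API 2.0 JSON; vendor
"example", product "widget" and CVE-1900-0001 are placeholders.
"""
import json
import re

NVD_SAMPLE = json.loads(r"""
{"vulnerabilities": [{"cve": {
  "id": "CVE-1900-0001",
  "descriptions": [{"lang": "en", "value": "Constructed placeholder entry."}],
  "metrics": {"cvssMetricV31": [{"cvssData": {
    "baseScore": 9.8, "baseSeverity": "CRITICAL",
    "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}}]},
  "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [
    {"vulnerable": true,
     "criteria": "cpe:2.3:a:example:widget:*:*:*:*:*:*:*:*",
     "versionStartIncluding": "2.0.0", "versionEndExcluding": "2.4.1"}]}]}]
}}]}
""")


def parse_version(v):
    """Turn '2.4.1' or '2.4.1-rc2' into a comparable tuple; numeric parts compare numerically."""
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in re.split(r"[.\-]", v))


def cpe_fields(cpe):
    """Split a CPE 2.3 formatted string into its 13 components (an escaped '\\:' is not a separator)."""
    fields = re.split(r"(?<!\\):", cpe)
    if len(fields) != 13 or fields[:2] != ["cpe", "2.3"]:
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe}")
    return fields


def cpe_match(match, asset_cpe):
    """True if asset_cpe is covered by one NVD cpeMatch entry (criteria plus its version range)."""
    crit, asset = cpe_fields(match["criteria"]), cpe_fields(asset_cpe)
    # part, vendor, product and the trailing attributes: '*' in the criteria means ANY,
    # anything else must match exactly (case-insensitive). Index 5 (version) is handled below.
    for i in [2, 3, 4, 6, 7, 8, 9, 10, 11, 12]:
        if crit[i] != "*" and crit[i].lower() != asset[i].lower():
            return False
    if crit[5] != "*":                   # criteria pins one exact version
        return crit[5].lower() == asset[5].lower()
    if asset[5] in ("*", "-"):           # inventory does not know the version: flag conservatively
        return True
    v = parse_version(asset[5])
    lo_inc, lo_exc = match.get("versionStartIncluding"), match.get("versionStartExcluding")
    hi_inc, hi_exc = match.get("versionEndIncluding"), match.get("versionEndExcluding")
    if lo_inc and v < parse_version(lo_inc):
        return False
    if lo_exc and v <= parse_version(lo_exc):
        return False
    if hi_inc and v > parse_version(hi_inc):
        return False
    if hi_exc and v >= parse_version(hi_exc):
        return False
    return True


def cvss(cve):
    """Return (baseScore, baseSeverity) from the newest CVSS metric present (v3.1, v3.0, then v2)."""
    metrics = cve.get("metrics", {})
    for key in ("cvssMetricV31", "cvssMetricV30", "cvssMetricV2"):
        if metrics.get(key):
            entry = metrics[key][0]
            data = entry["cvssData"]
            # v3 keeps baseSeverity inside cvssData, v2 keeps it beside it
            return data["baseScore"], data.get("baseSeverity") or entry.get("baseSeverity")
    return None, None


def triage(nvd_json, inventory, min_score=7.0):
    """Return sorted [(cve_id, score, severity, asset_cpe)] for inventory items inside a vulnerable cpeMatch.

    Only 'vulnerable': true entries count. AND-nodes ("app X running on OS Y") are treated like
    OR-nodes, which over-approximates: a hit means "review", not "confirmed affected".
    """
    findings = set()
    for item in nvd_json["vulnerabilities"]:
        cve = item["cve"]
        score, severity = cvss(cve)
        if score is None or score < min_score:
            continue
        for conf in cve.get("configurations", []):
            for node in conf.get("nodes", []):
                for m in node.get("cpeMatch", []):
                    if not m.get("vulnerable"):
                        continue
                    for asset in inventory:
                        if cpe_match(m, asset):
                            findings.add((cve["id"], score, severity, asset))
    return sorted(findings, key=lambda f: (-f[1], f[0], f[3]))


if __name__ == "__main__":
    # constructed inventory: one version inside the affected range, one exactly at the excluded bound
    inventory = ["cpe:2.3:a:example:widget:2.3.0:*:*:*:*:*:*:*",
                 "cpe:2.3:a:example:widget:2.4.1:*:*:*:*:*:*:*"]
    for finding in triage(NVD_SAMPLE, inventory):
        print(*finding)
```

Against the live service the same record shape comes back from the NVD API 2.0 endpoint (https://services.nvd.nist.gov/rest/json/cves/2.0, e.g. filtered with the cpeName parameter); the matching logic above is the part that does not change. Two caveats a practitioner should keep: CPE data in NVD lags the CVE publication, so a product with no CPE yet is not "unaffected", and version strings outside the simple dotted-numeric form (vendor build numbers, date stamps) need product-specific comparison rules.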
SSL/TLS Strength Verification
- SSL Labs: Check a public server’s SSL/TLS configuration (supported protocol versions, cipher suites, certificate chain, known weaknesses) and get a letter grade. Run it against your own hosts; the same report is available to anyone scanning you.
Other Investigation Tools
- Anymail Finder: Find and verify email addresses for a person or domain. In OSINT terms it reveals an organization’s address format (e.g. first.last@), which is what a phishing campaign needs.
- MaxMind: Investigate the geographic location and network owner of IP addresses (GeoIP).
- Wigle: Crowdsourced database of WiFi networks (SSID, BSSID and GPS position), usable to locate an organization’s access points from their network names.
- BuiltWith: Check the technologies used by a website (web server, CMS, JavaScript libraries, analytics), a quick way to infer the attack surface.
- PhishTank: A community resource for reporting and verifying phishing sites.
International OSINT Activity Examples
Report on China’s APT1 (Mandiant)
A report published by Mandiant in February 2013 presented detailed investigation results on China’s APT1 (Advanced Persistent Threat 1), attributed to PLA Unit 61398. Largely from open sources, the report tied the group to the PLA General Staff Department’s 3rd Department, 2nd Bureau, and established the following about APT1:
- Targeted industries: Analysis of which sectors APT1 primarily went after; military, energy, telecommunications, and finance were among the most heavily targeted.
- Office and infrastructure details: The location and internal structure of Unit 61398’s facilities, its communication methods, and its technical infrastructure (domains, IP ranges, hosting) were identified in detail.
- Attack targets and methods: The techniques APT1 used, in particular spear-phishing emails and the way malware was deployed and controlled, were documented. This made it possible to understand what information was being sought and for what purpose.