Advancing OSINT to Turn Data into Intelligence

Jul 13, 2020 | Adversary Research, Blog

Cyber threat analysts are critical for determining which cyber threats are relevant to their organizations so that appropriate action can be taken. Open source intelligence (OSINT) and investigations often add the value that addresses the “how”, the “why”, and sometimes the “who”, bringing much-needed context.

Furthermore, this relatively new discipline and skillset is needed to address many more threats outside of cyber crime, according to a recent podcast from Nisos’ own Mike Eller.

A solid open source analyst needs problem-solving skills, an inquisitive mindset, persistence, and strong attention to detail to pick up on mistakes an online threat may make. In addition to cyber crimes, open source investigators often are called to tackle extortion, blackmail, disinformation, general problems such as missing persons, protective intelligence, and geopolitical analysis.

While some misperceive OSINT as “high speed googling”, it’s a critical skillset to turn data into intelligence for organizations solving a vast array of global problems and threats.

Analysts are generally familiar with the different query syntaxes and with the ways search engines index information on the internet. Although people may delete information, it remains on the internet and can often be retrieved. Vehicle registrations, IP registrations, chat logs on social media, and online forum posts are just a few of many examples.

While analysis will always be a human exercise rather than a purely computational one, automation has started to allow analysts to reach conclusions at a much greater scale than five years ago.

This automation often allows analysts to identify the distinguishing signatures of online threats, whether they are groups or individual personas.

Three elements of automation are:

  1. Collection and Aggregation: Whether it is global netflow data, dark web forum data, mobile handset data, passive DNS, or credential breaches available on the internet, big data processes allow data scientists and engineers to put simple search queries in front of analysts, who can then connect disparate pieces of information into actionable data points and intelligence.
  2. Stylometric Attributes: Many advances have taken place in language analysis that identify common traits and behaviors in stylometric attributes, furthering a case by providing additional context.

    For example, perhaps an attacker uses a comma in the wrong place, creates usernames in a particular format, or makes a consistent misspelling. This information can often be cross-referenced with real identities, providing a missing piece of the context puzzle.

  3. Translation: Tools are available to review online videos and transcribe the audio into readable text, enabling more extensive research. An analyst can have a spreadsheet of transcribed and, if needed, translated text and use it in a matter of minutes instead of watching the videos for hours. In the disinformation space, this capability is critical for separating what is real from what is coordinated inauthentic behavior.
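The stylometric cross-referencing described in item 2 above, as an added illustration that is not code from the original post or from Nisos: a handful of constructed forum posts are scored for writing quirks (the misplaced comma, a consistent misspelling, a username format), and handles are ranked by how many quirks they share. The quirk detectors, the username pattern, and all posts are hypothetical, chosen only to show the mechanics.

```python
import re
from collections import Counter

# Constructed sample posts (not real data): three handles on different forums.
POSTS = {
    "darkwolf_1987": [
        "I allready told you ,the payment is late .",
        "Send it today ,or the deal is off .",
    ],
    "nightwolf_2003": [
        "I allready sent the files ,check again .",
        "Its not my problem ,you were late .",
    ],
    "alice": ["Thanks for the update. I'll check it tomorrow."],
}

# Hypothetical quirk detectors; each returns how often a quirk appears in a text.
QUIRKS = {
    "space_before_comma": lambda t: len(re.findall(r"\s,", t)),
    "space_before_period": lambda t: len(re.findall(r"\s\.", t)),
    "misspell_allready": lambda t: len(re.findall(r"\ballready\b", t, re.I)),
    "missing_apostrophe_its": lambda t: len(re.findall(r"\bIts\b", t)),
}

# Constructed handle format: a lowercase word ending in "wolf", underscore, four digits.
USERNAME_PATTERN = re.compile(r"^[a-z]+wolf_\d{4}$")

def stylometric_profile(handle, posts):
    """Set of quirks seen across a handle's posts, plus a username-format flag."""
    counts = Counter()
    for text in posts:
        for name, detector in QUIRKS.items():
            counts[name] += detector(text)
    profile = {name for name, n in counts.items() if n > 0}
    if USERNAME_PATTERN.match(handle):
        profile.add("username_format_wolf_year")
    return profile

def similarity(a, b):
    """Jaccard overlap of two quirk sets; 0.0 when neither set has any quirks."""
    if not a and not b:
        return 0.0
    return len(a & b) / len(a | b)

def rank_matches(handle, corpus):
    """Rank every other handle in the corpus by quirk overlap with the target handle."""
    target = stylometric_profile(handle, corpus[handle])
    scores = {h: similarity(target, stylometric_profile(h, p))
              for h, p in corpus.items() if h != handle}
    return sorted(scores.items(), key=lambda kv: -kv[1])
```

A high overlap is a lead to be corroborated against other data sources, not an attribution on its own, which is the cross-referencing step the post describes.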
