Open Source Intelligence (OSINT) & the cyber threat of being profiled

While you might not be familiar with the term “open source intelligence,” you have almost certainly used it at some point. Gathering open source intelligence could be as simple as performing an online search to research a salesperson you just met or looking up someone’s LinkedIn page to find out if they’re in your professional network.

Open source intelligence (or OSINT) gathering on its own is not illegal. In fact, government, law enforcement, and military entities often rely on it. However, in the wrong hands, this seemingly innocuous information could pose a significant threat.

In this article, you’ll learn more about open source intelligence gathering, understand where threat actors can find it, and what you can do to help protect yourself and your company.

What is open source intelligence gathering?

Open source intelligence refers to publicly accessible, or available by request, information on an individual, company, or account. Collecting this information can involve searching through social media sites, news stories, and public state records, as well as digging through the dark web.

“Cyber criminals are constantly gathering this information. They might not know the best way to launch an attack at first, but by gathering that data and finding more connections between individuals, they can start to put the pieces together. Eventually, they’ll identify the best approach for an attack,” explains Brandon Hoyt, Cybersecurity Operations Director at Huntington National Bank.

Where do threat actors find open source intelligence information?

It’s easier than you might think to uncover pages of information about someone. Below are just a few examples of common places a threat actor might begin their search for open source intelligence:

• Social media accounts often contain details a threat actor could use to gain credibility, including schools attended, professional organization memberships, and job records.
• State and county auditor sites offer a treasure-trove of information, such as tax records, addresses, phone numbers, and even other members in your household.
• Court records (probate, municipal, common pleas, federal, and state) can contain information pertaining to individuals such as social security numbers, driver’s license numbers, and telephone numbers. Additionally, signatures can often be found on case documents and county records.
• Company websites with profiles of employees provide useful information for cybercriminals to use to impersonate someone or fool others.
• Public-facing accounts on sites like Amazon or Pinterest could also provide threat actors with data on a person’s interests and activities.
• The Deep Web refers to websites, databases, and online resources that cannot be reached through standard search engines. An estimated 90% of online content is located in the deep web^†. Information located here is considered accessible by the public and therefore is still categorized as open source. It is also increasingly common for the information from an organization data breach, like usernames and passwords, to be available to the highest bidder on the Deep or Dark Web. Based on a 2022 research survey conducted by LastPass, 62% of respondents reported using the same password or a variation of a past password—with only 50% changing their password after being informed that a breach had taken place^‡. This trend allows bad actors to either use purchased credentials to gain access, or to generate similar alternative versions of passwords to compromise users.

What do threat actors do with this information?

The next step in this process is developing a report on an individual based on details found through open source intelligence gathering. This comprehensive profile often includes who an individual is, what apps they use, how much time they spend online, where they live, who they work for, and so on.

Being targeted in an open source intelligence gathering scam could lead to account compromise and identity theft and could allow cybercriminals to impersonate you in personal and professional settings. Additionally, threat actors might use the information they’ve gathered to blackmail someone.

Sometimes, however, a threat actor will not use the information themselves at all. They’ll sell it on the dark web.

How can I help prevent myself and my company from being targeted?

Anyone within an organization could be targeted through open source intelligence gathering. Fraudsters are not only targeting C-suite executives or the leadership team. Often individuals targeted in this way are ones with access to specific programs, sensitive information, or are connected to another person similarly useful to a criminal.

Prevention methods include:

• Pay attention to the information you’re sharing online, including on your company website or in press releases.
• Educate children, significant others, or extended family members about the risks of sharing information online. Advise them to exercise caution and avoid oversharing, as they can be another common vector for intelligence gathering to build a profile of you.
• Be mindful of how much data you’re sharing in app permission settings, especially on company-owned devices.
• Practice strong password management processes across internal and external sites in the case of breaches, requiring changes that limit simple variations of past passwords.
• Be aware of the data you might have publicly available, especially unused social media accounts, old email addresses, or employee profiles.
• Additionally, make sure employees are well trained in proper processes to follow when performing tasks related to payments, financial or otherwise sensitive information, or access to networks or systems. For example, a business email compromise (BEC) attack can be successful if an employee does not follow proper protocols – or a company doesn’t have strong ones in place.

Contact your relationship manager for more information about protecting your organization against cybersecurity threats such as open source intelligence gathering.