Imagine you’re an analyst working in a security operations center (SOC). An endpoint glows red on your dashboard, indicating that it’s trying to communicate with an unknown IP address. You check its running processes and see a binary that you don’t recognize, but the user may have installed it.

It could be nothing, but you’re not sure. You’ve only been in the job for six months, but on a Sunday afternoon, you’re the most senior person in the room. Your boss is at a wedding and told you not to disturb him unless there is an extreme emergency. What should you do?

If this scenario sounds familiar, it’s time to consider investing in open source intelligence (OSINT).

Break Down the Open Source Intelligence Knowledge Stack

OSINT is a component of any good threat intelligence operation. It’s essentially a collection of indicators that point to heightened risk and provide information about a particular threat. This data is key to helping security leaders recognize danger and make informed decisions about their next steps. OSINT can come from many sources in the public domain, which is why experts refer to it as open source.

Just as we think about computing technology stacks, we can think of threat intelligence as a knowledge stack. At the bottom are the low-level atomic indicators. These are discrete data points, such as IP and domain addresses, user agent strings and email addresses that might show up in system logs.

These indicators complement computed data in the form of malware hashes. A file’s hash can be a smoking gun for a forensics team if it matches hash data gathered from attacks against other organizations. Security professionals can find each of these data types in the public domain — if they know where to look.

Moving further up the stack, we can connect these indicators with behavioral ones. Attackers often have a playbook of go-to procedures they favor when compromising a target. By understanding these tactics and knowing what type of behavior to look for, security teams can more easily distinguish an ongoing attack from an innocuous series of unrelated network events.

Analysts can move into the realm of threat intelligence by combining this information, watching it play out over several attacks and adding data from other sources, such as news articles and reports. This strategy is a rarefied world where analysts collate attack data and outcomes to find out more about threat actors. In many cases, you can find detailed intelligence in published security reports from vendors and consulting firms.

Effective analysis of all this OSINT produces clearer insights into attackers’ techniques and the tools they commonly use to achieve their goals. It can also point to their intent: Some attackers may simply be out to steal personal data for sale on the black market, for example, while others may aim to lurk on networks and sabotage company processes.

Where to Find Open Source Intelligence

Good open-source intelligence comes from various sources. Magazine and online articles from trusted outlets are good places to start, as are videos from respected security conferences.

Other sources include specialist cybersecurity mailing lists, such as the SANS Institute’s Digital Forensics & Incident Response (DFIR) list (although some of these can be difficult to access). Many vertical sectors also have information sharing and analysis centers (ISACs), which are excellent sources of information, as are sector-independent fora like Facebook’s ThreatExchange and AlienVault’s Open Threat Exchange. The IBM X-Force Exchange also provides an extensive threat database that is searchable by a range of parameters, including application name, IP and URL.

Other sites dedicated to compiling information about indicators from the atomic to the behavioral include:

  • Team Cymru’s Community Services portal: This portal includes IP reputation lookup and malware hash analysis.
  • Threatminer: Search by domains, hashes, user-agent strings and registry entries.
  • Threatcrowd: Look for information on domains, IP addresses, emails and organizations.
  • URLQuery: This site profiles URLs for web-based malware.
  • InfoByIP: This site finds the domain, location, internet service provider (ISP) and autonomous system number (ASN) for IPs or domains — which is good for bulk queries.
  • Cymon: Input IPs, domains or hashes and get activity and malware reports.
  • Shodan: This site helps analysts determine which devices are publicly connected to the internet.
  • ATT&ACK: This is MITRE’s collection of attack techniques and tactics.

Open Source Intelligence in Action

How might this information be useful in practice? Imagine a harried SOC analyst staring at a strange IP address and uncertain what to do about it. He or she could use OSINT resources like these to research the IP address and file binary, as well as registration entries and any other appropriate data points.

The analysts will then be able to make an informed decision about how to triage the event, whether that means dismissing it if it doesn’t crop up in OSINT records or escalating it if the address matches a known bad actor. If the file hash correlates to malware, the analyst can quickly learn what the malware does and what indicators of compromise (IoCs) to look for. If the analyst has to call his or her boss, after all, he or she will be able to explain the problem thoroughly and recommend actions to take.

These countermeasures could include restricting or forwarding traffic from a specific IP block, disrupting it using application sandboxing or actively degrading it by redirecting an IP address to a honeypot, for example. The analyst’s specific actions would depend on what he or she knows about the attackers.

Sometimes, OSINT can help you to spot things that may not show up on your dashboard at all. Today’s attackers are sophisticated enough to avoid leaving obvious signs. Instead, they live off the land, exploiting existing legitimate tools to achieve their goals.

A fileless malware attack may use PowerShell to download a script from a command-and-control (C&C) server and move laterally through the network, contacting other machines, pilfering information from each one that it finds and circumventing your application whitelist protection in the process. Your network monitoring software might pick up the encrypted traffic stream, but what does it mean? If you’re aware of this attack technique thanks to your public domain reading, you may be able to notice it and understand it better.

The Public Domain Is a Battleground

In cybersecurity, knowledge is power, which is why it’s essential to use OSINT to its full advantage. You can be sure that intruders are already doing that — probing everything from your networks to your personnel structure to find a way inside. They’re using OSINT to gain every advantage they can, and they only have to be successful once (whereas you face the daunting task of being successful every time).

With OSINT tools and insights at your disposal, you can stay one step ahead of these attackers and keep your networks safe from evolving threats.

Listen to the podcast to learn more: Social Engineering 101 — How to Hack a Human

More from Intelligence & Analytics

BlackCat (ALPHV) Ransomware Levels Up for Stealth, Speed and Exfiltration

9 min read - This blog was made possible through contributions from Kat Metrick, Kevin Henson, Agnes Ramos-Beauchamp, Thanassis Diogos, Diego Matos Martins and Joseph Spero. BlackCat ransomware, which was among the top ransomware families observed by IBM Security X-Force in 2022, according to the 2023 X-Force Threat Intelligence Index, continues to wreak havoc across organizations globally this year. BlackCat (a.k.a. ALPHV) ransomware affiliates' more recent attacks include targeting organizations in the healthcare, government, education, manufacturing and hospitality sectors. Reportedly, several of these incidents resulted…

9 min read

Despite Tech Layoffs, Cybersecurity Positions are Hiring

4 min read - It’s easy to read today’s headlines and think that now isn’t the best time to look for a job in the tech industry. However, that’s not necessarily true. When you read deeper into the stories and numbers, cybersecurity positions are still very much in demand. Cybersecurity professionals are landing jobs every day, and IT professionals from other roles may be able to transfer their skills into cybersecurity relatively easily. As cybersecurity continues to remain a top business priority, organizations will…

4 min read

79% of Cyber Pros Make Decisions Without Threat Intelligence

4 min read - In a recent report, 79% of security pros say they make decisions without adversary insights “at least the majority of the time.” Why aren’t companies effectively leveraging threat intelligence? And does the C-Suite know this is going on? It’s not unusual for attackers to stay concealed within an organization’s computer systems for extended periods of time. And if their methods and behavioral patterns are unfamiliar, they can cause significant harm before the security team even realizes a breach has occurred.…

4 min read

Why People Skills Matter as Much as Industry Experience

4 min read - As the project manager at a large tech company, I always went to Jim when I needed help. While others on my team had more technical expertise, Jim was easy to work with. He explained technical concepts in a way anyone could understand and patiently answered my seemingly endless questions. We spent many hours collaborating and brainstorming ideas about product features as well as new processes for the team. But Jim was especially valuable when I needed help with other…

4 min read