Sunday, October 20, 2019

You're Either Doing OSINT Or.....You're A Cop or a Criminal

Editor's note: I use the term "intelligence" in this post a lot. It is not being used to denote solely government intelligence service activities. If you're a no-shit spook reading this post, you should already have some idea of what I'm driving at.

If you've been in security long enough, you've heard people abuse, misuse, and utterly diminish the meaning, and subsequently the impact, of certain security-related buzzwords. Everyone is doing "threat intelligence" or being "asymmetrical" or defending against "information operations" these days. Back when I was somewhat popular, two terms everyone was using (including myself) were OPSEC and OSINT. Most of us were using these terms as shorthand for basic methodologies. However, brevity is a serious MOFO. Soon, everything was OSINT or OPSEC. Years later, the infection has spread and I have had enough. We'll cover OPSEC another day, but I really want to set the record straight on OSINT. At its best, our collective confusion means mistakes or missed opportunities to provide better answers. At its worst, it places our stakeholders and ourselves in almost certain peril.

Let's define what OSINT is and what it is not. OSINT stands for Open Source Intelligence and describes a particular intelligence-gathering discipline. I won't bore you with the book definition, but I will provide you with a pretty standard one. Don't believe me? Find your nearest neighborhood spy and ask them. I digress. OSINT is merely the collection of actionable intelligence from openly available sources. How about we steer away from saying "public", because some people take that to mean "free"? If you've actually done OSINT, you know a lot of what we do costs some cash. Just because a source is "open" also doesn't mean it's always readily available to the public.

There very well could be limitations on the data you collected, on whether you are permitted to use it, and on whether it could lawfully be collected in the manner in which you received it. As vaguely as the Computer Fraud and Abuse Act reads, it behooves anyone collecting online data to have clear legal guidelines and written authorization before conducting OSINT operations online.

You would think this would alleviate confusion within the security industry about what OSINT is and what its sources consist of. Nope. Not a chance. I find that everyone who has been tasked with researching something or someone online believes they are "doing OSINT" because their sources are "open".

The best way to see beyond this "fog" of confusion is to simply define what the end-result of your research will be.

  • Are we answering a series of questions posed to us by stakeholders who need them to complete their mission? Then, you're doing OSINT.
  • Are we tracking criminals to report a crime? Then, you're conducting an investigation using open sources.
  • Has a lawyer contacted us to look into a civil case they have pending? Then, you're still doing an investigation.
  • Are we researching "people search" sites and breach data to find dates? Then, you're committing a crime and seem super creepy, dude. Stop.

Aside from being a distinct method of collecting data, a lot of what differentiates OSINT from other methodologies of collection and analysis also has to do with how you're pivoting on or analyzing the data. For example, just because I find someone's address doesn't mean I have verification of that address. If I'm authorized, a pretext and social engineering may be needed to get it. That part is something else entirely, called "human intelligence" (HUMINT): obtaining information by exploiting human beings. What if I'm looking at an image I gathered during an OSINT operation? Then that analysis would, in part, fall under "imagery intelligence" (IMINT).

Too many OSINT professionals forget there's a distinction between these INTs, regardless of whether the collection and the source analysis happen in the same house. This is an important distinction to make because different methodologies require different skillsets, which in turn require different training. Jumping into a pretext or getting imagery wrong based on bad assumptions or inadequate training could prove disastrous for you.

I don't have a problem with OSINT collectors answering investigatory questions. I grow concerned when they use methods of analyzing data that lie outside of OSINT. What happens when they "solve" a crime using imagery analysis but haven't received the training which would also have shown them techniques to find exculpatory information? Are OSINT collectors aware of what separates their activities from those of private investigators? Are their clients?

Finally, a clear distinction for OSINT has a good deal to do with reporting and documentation of your findings. Obviously, in an investigation I'm concerned with authorizations and the preservation of any evidence gathered. In many jurisdictions, it's simply not enough to show up to court with a screenshot or even a map. In intelligence operations, those might be all you need to give a stakeholder what they need. My suggestion is to be in the habit of always archiving and reporting intelligence in ways that allow you and your stakeholders to pivot, if need be.
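As an added illustration of that habit (this is not code from the post's author, and the artifact bytes, source URLs and analyst name are constructed placeholders), the following Python builds a collection manifest for each archived item: a SHA-256 of the bytes, where and when it was collected, by whom, which INT discipline produced it, and which earlier artifact led to it so a stakeholder can retrace the pivot. A verify step re-hashes both the artifacts and the manifest itself, so a later edit to either shows up instead of quietly surviving into a report or a courtroom.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed stand-ins for a saved page and an image pulled from it.
# Real collections would read these from disk; the bytes here are made up.
SAMPLE_ARTIFACTS = {
    "profile_page.html": b"<html><body>example profile page, constructed sample</body></html>",
    "profile_avatar.png": b"\x89PNG\r\n\x1a\nconstructed-bytes-not-a-real-image",
}
# Hypothetical source URLs and pivot chain (avatar was found via the page).
SAMPLE_SOURCES = {
    "profile_page.html": ("https://example.invalid/profile/123", None),
    "profile_avatar.png": ("https://example.invalid/img/avatar123.png", "profile_page.html"),
}
# Fixed collection time so the manifest is reproducible in this example.
FIXED_TIME = datetime(2019, 10, 20, 12, 0, 0, tzinfo=timezone.utc)


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of raw bytes; this is the integrity anchor for each artifact."""
    return hashlib.sha256(data).hexdigest()


def make_record(name, data, source, derived_from, collector, discipline, collected_at, notes=""):
    """One manifest entry: what, from where, when, by whom, which INT, and its hash."""
    return {
        "artifact": name,
        "sha256": sha256_hex(data),
        "size": len(data),
        "source": source,
        "derived_from": derived_from,        # the artifact that led here, for pivoting back
        "collected_at": collected_at.isoformat(),
        "collector": collector,
        "discipline": discipline,            # e.g. "OSINT", "IMINT", "HUMINT"
        "notes": notes,
    }


def build_manifest(artifacts, sources, collector, discipline, collected_at):
    """Hash every artifact, then hash the record list so the manifest itself is tamper-evident."""
    records = [
        make_record(name, data, sources[name][0], sources[name][1],
                    collector, discipline, collected_at)
        for name, data in sorted(artifacts.items())
    ]
    digest = sha256_hex(json.dumps(records, sort_keys=True).encode("utf-8"))
    return {"records": records, "manifest_sha256": digest}


def verify_manifest(manifest, artifacts):
    """Return the names that no longer match; an empty list means everything is intact.
    "<manifest>" is reported when the record list itself was altered after sealing."""
    problems = []
    recomputed = sha256_hex(json.dumps(manifest["records"], sort_keys=True).encode("utf-8"))
    if recomputed != manifest["manifest_sha256"]:
        problems.append("<manifest>")
    for rec in manifest["records"]:
        data = artifacts.get(rec["artifact"])
        if data is None or sha256_hex(data) != rec["sha256"]:
            problems.append(rec["artifact"])
    return problems


def demo():
    """Seal the sample collection, then show an edited artifact and an edited record being caught."""
    manifest = build_manifest(SAMPLE_ARTIFACTS, SAMPLE_SOURCES, "analyst-1", "OSINT", FIXED_TIME)
    intact = verify_manifest(manifest, SAMPLE_ARTIFACTS)

    edited_files = dict(SAMPLE_ARTIFACTS)
    edited_files["profile_page.html"] = b"<html><body>quietly edited after collection</body></html>"
    artifact_tampered = verify_manifest(manifest, edited_files)

    # Copy via JSON round-trip so the sealed manifest is not modified in place.
    edited_manifest = json.loads(json.dumps(manifest))
    edited_manifest["records"][0]["notes"] = "note added after sealing"
    manifest_tampered = verify_manifest(edited_manifest, SAMPLE_ARTIFACTS)

    return intact, artifact_tampered, manifest_tampered


if __name__ == "__main__":
    manifest = build_manifest(SAMPLE_ARTIFACTS, SAMPLE_SOURCES, "analyst-1", "OSINT", FIXED_TIME)
    print(json.dumps(manifest, indent=2))
    print("verification results:", demo())
```

The manifest is deliberately plain JSON so it can be archived next to the artifacts and handed to a lawyer or a stakeholder without special tooling; `derived_from` is what lets someone reading the report later follow the same pivot you did rather than trusting a lone screenshot.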

Understanding what OSINT is, versus throwing out a term and conducting business based on bad assumptions and worse interpretations, could provide your stakeholders and you with better actionable intelligence and fewer legal headaches.