OSINT for SecOps: How to Tap into Open Source Intelligence

The concept of OSINT encompasses myriad sources of data, some of which virtually everyone accesses regularly. But open data repositories offer a wealth of additional potential that is not widely acknowledged and can be put to use to fight fraud. Let’s explore how you can put open source intelligence to work within your organization.

Editor’s Note: This is a guest blog contribution from Gergo Varga, a long-time risk analyst and tech evangelist for SEON. Gergo shares his perspective on how businesses and other organizations can use open source intelligence (OSINT) to their advantage to fight fraud and improve security.

As a term, “OSINT” may not be as recognizable as some other tech-adjacent buzzwords. In fact, we can safely say it’s not a buzzword at all. GMI reports that the open source intelligence market is projected to exceed $20 billion by 2027, which is more than a four-fold increase from the over $5 billion it was worth in 2020. Despite its ever-increasing importance and potential, many are not aware of how helpful and wide-ranging the applications of OSINT can be.

But what is OSINT and how can you put it to use within your organization?

Let’s hash it out.

What Is OSINT? Open Source Intelligence Explained

It would be helpful to define OSINT to start with. According to Maltego, open source intelligence, or OSINT, is “intelligence produced from publicly available information that is collected, analyzed and shared” within the context of helping a specific investigation. 

Such an investigation can range from basic personal curiosity to tedious research undertaken by national defense experts — and everything in between. For instance, the examples presented in the SEON guide on OSINT shine a light on its use by various entities, including: 

  • Journalists
  • Law enforcement and governmental services 
  • Private investigators
  • HR professionals
  • Marketers 
  • Fraud analysts
  • Cybercriminals

As such, it’s easy to see that OSINT tools and data can be used for good and bad purposes alike.

The history of exploiting open source information goes back further than many would expect. Just as digital and traditional espionage home in on intercepting secret information, OSINT operations comb through open, publicly available data to find useful information that might have slipped through the cracks, or bits of information that, when analyzed, help reach important conclusions – in government, business, security and many more fields.

The use of OSINT by government bodies started with the Foreign Broadcast Monitoring Service in the U.S. in 1941 and the Digest of World Broadcasts by the BBC in 1939. Their aim? To scour through foreign publications and broadcasts in order to identify and gather information useful to the war effort. 

OSINT Is About Data Quality, Not Quantity

Any information that is openly available to the public is considered part of OSINT. Some quick examples of these data sources include:

  • All news media
  • Public online posts
  • Databases available upon request
  • Publicly searchable web pages (clear web)
  • Census data
  • Whitepapers
  • Books and journals 

Therefore, with OSINT, the question is not one of availability of data. Rather, it’s about using the right methodology that will allow one to extract the right data, clean it up, process and combine it using as few resources as possible. Ideally, this would be done using automation (which we’ll talk about later) so that intelligence experts and fraud analysts can focus on making sense of it rather than doing the manual labor.

Examples of OSINT Tools

OSINT tools both free and paid available today include:

  • Google search engine — the quintessential free OSINT tool
  • Maltego — data visualization app that helps you expedite investigations
  • Spokeo — accurate search engine for U.S. citizen records 
  • Recon-ng — to gather technical information about website domains
  • Academia.edu — for peer-reviewed academic research 
  • Shodan — search engine for internet-connected devices
  • Builtwith — website profiler that includes site relationship data

OSINT in the Service of Fraud and Security (Depending On Who Uses the Data)

A strong case in point for the ongoing and ever-important use of OSINT is found in the anti-fraud sector – as well as for how far open data can take us and how much more it has to offer. Because of how most people tend to interact with the internet and online profiles and platforms, there are several data points to be gleaned from simple, readily provided first-party data:

  • Names
  • Email addresses
  • Phone numbers
  • Dates of birth
  • Addresses and location
  • Family members, friends, and other associated parties

Relying solely on open source, non-private information, these can deliver ample information about their owners, in almost every case. Even the absence of information is important. 

Fraudsters will always take steps to hide their real identity, of course. These include several layers of proxies and onion routing, for instance Onion over VPN (as explained by ExpressVPN in a guide); synthetic identities, built from the information of existing people found in leaks or bought on the dark web; and a variety of other tools that conceal their location, computer infrastructure and intentions. But the very tools they use to hide can still help us catch them: anti-fraud platforms, for example, treat users who have VPNs and proxies activated as more suspicious.

Specifically, OSINT can help identify suspicious users in the following scenarios:

  • Onboarding a new user (various verticals)
  • Accepting a card not present (CNP) transaction (ecommerce, subscriptions, etc.)
  • Accepting a withdrawal (such as online trading, iGaming)
  • Underwriting (microfinancing, fintech, banking, etc.)

A Brief Overview of How OSINT Works

Once you’ve specified the information you’re looking to benefit from, the OSINT process is usually as follows:

  1. Identify one or more data sources that could help your search.
  2. Harvest the relevant information from the sources. This can be done manually or with the help of data enrichment or other tools. 
  3. The data gathered will enrich your primary dataset.
  4. Once the research has concluded, the data is ready to be reviewed and analyzed. 
[Figure: A basic overview of the open source intelligence (OSINT) data gathering and analysis process.]

How You Can Use Open Source Intelligence Data to Stop Fraudsters

Let’s consider a simple example of how you can use open source data to protect your business’s reputation and customers. Say, a fraudster wants to purchase an expensive item with a stolen credit card, which has already been checked and is live, with funds available. Said criminal sets up a variety of precautions, signs up for a new free email account, and uses that email to create an account at the ecommerce store that you own. 

With OSINT, this email address can be used in a Google search as well as queries on some popular social media networks and platforms, which – let’s say – show us that:

  • No Twitter profile is linked to this address
  • No Facebook profile is linked to this address
  • No Instagram profile is linked to this address
  • The email has never been listed in any known data breaches 

Although it is not definitive proof of anything, both kinds of result (no linked social profiles and no breach history) are red flags. Most people are going to be active on at least a couple of social networks. Meanwhile, finding an email address in a data breach shows us that the email address in question has been in use since at least the date of that breach.

From this information, fraud analysts will be aware that this person is likely to be a fraudster. They’ll ideally also look into additional data points, such as IP analysis, behavior, browser and device hash, etc. However, the above information is by itself enough reason to deploy steps to confirm this person’s identity, such as calling them on the phone or asking them to upload proof of ID.

Although burner phone apps are employed by scammers as well, as ROCCO Strategy explains in an article, these are almost always to set up other types of scams and unlikely to have been set up just for a run-of-the-mill reshipping scheme, of the type we’re explaining here. 

Meanwhile, OSINT data isn’t just useful because there’s so much of it; in fact, it also helps simplify the shopper journey and prevent churn, which can occur whenever users can’t complete an action, including with false positives. Since we can use their email address or phone number to look them up each step of the way, we do not need to introduce cumbersome and unpleasant steps such as biometrics, additional factors, or phone confirmation unless said user/action is deemed to be high risk.

How to Automate OSINT to Reveal Users’ True Intentions

[Screenshot: SEON’s reverse email lookup tool platform.]

We can take things further in terms of data enrichment with an OSINT tool such as Have I Been Pwned?, which finds email addresses in data leaks, or SEON’s reverse email lookup tool. Simply put, this entails starting with a sizeable set of primary data and enriching it by having the software comb through databases and source relevant information, and adding useful new attributes to the primary data. All of this allows us to draw better conclusions without going through the time-consuming task of doing OSINT research manually.

What form does this take? In fraud prevention, it can mean searching the internet for dozens of different data points linked to the email address of a new sign-up, whether an ecommerce shopper or a new neobank account holder. Then, the findings are collated and used in conjunction with other information (e.g., geolocation, behavior analysis and fingerprinting) in order to assign each user a risk profile and rating. From there, this can automatically trigger certain steps, like hard know-your-customer (KYC) checks and procedures — as Rainbird explains in a guide — or be examined by a fraud analyst as part of the manual review process.
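As an added example (this is not code from the original post, and not SEON’s or any other vendor’s tool), here is one way to turn the enrichment signals discussed in the stolen-card scenario above and in this paragraph into a risk rating that decides between letting the user through, sending them to manual review, or triggering a hard KYC step. The data model, the weights and the thresholds are all assumptions constructed for illustration; a real deployment would tune them against its own fraud and false-positive rates.

```python
from dataclasses import dataclass, field
from typing import Dict, List


# Constructed data model for one enrichment result. The field names are this
# example's own assumptions, not the schema of SEON or any other vendor's tool.
@dataclass
class EmailEnrichment:
    email: str
    social_profiles: Dict[str, bool]  # platform name -> a profile is linked to the email
    breach_count: int                 # number of known data breaches listing the email
    free_provider: bool               # address is on a free webmail domain
    on_vpn_or_proxy: bool             # network-level signal from the rest of the stack


@dataclass
class RiskAssessment:
    score: int
    action: str                       # "allow", "manual_review" or "hard_kyc"
    reasons: List[str] = field(default_factory=list)


# Illustrative weights and thresholds (assumptions, not industry values).
REVIEW_THRESHOLD = 40
KYC_THRESHOLD = 70


def assess_signup(e: EmailEnrichment) -> RiskAssessment:
    """Combine OSINT signals into a score and a recommended next step."""
    score = 0
    reasons: List[str] = []

    linked = sum(1 for present in e.social_profiles.values() if present)
    if linked == 0:
        score += 40
        reasons.append("no social profile linked to the email address")
    elif linked == 1:
        score += 10
        reasons.append("only one social profile linked to the email address")

    # Absence from every known breach means there is no evidence the address
    # existed before today. It is a red flag, not proof, hence a partial weight.
    if e.breach_count == 0:
        score += 30
        reasons.append("email address absent from all known breaches")

    if e.free_provider:
        score += 10
        reasons.append("free webmail provider")

    if e.on_vpn_or_proxy:
        score += 20
        reasons.append("VPN or proxy in use")

    if score >= KYC_THRESHOLD:
        action = "hard_kyc"          # e.g. ask for proof of ID or call the user
    elif score >= REVIEW_THRESHOLD:
        action = "manual_review"     # hand the case to a fraud analyst
    else:
        action = "allow"             # no extra friction for the legitimate shopper
    return RiskAssessment(score, action, reasons)


# Constructed sample: the brand-new free address from the reshipping scenario.
SUSPICIOUS = EmailEnrichment(
    email="example-new-signup@example.com",
    social_profiles={"twitter": False, "facebook": False, "instagram": False},
    breach_count=0,
    free_provider=True,
    on_vpn_or_proxy=False,
)

# Constructed sample: an address with years of ordinary online history.
ESTABLISHED = EmailEnrichment(
    email="long-time-customer@example.com",
    social_profiles={"twitter": True, "facebook": True, "instagram": False},
    breach_count=3,
    free_provider=True,
    on_vpn_or_proxy=False,
)

if __name__ == "__main__":
    for sample in (SUSPICIOUS, ESTABLISHED):
        result = assess_signup(sample)
        print(f"{sample.email}: score={result.score} action={result.action}")
        for reason in result.reasons:
            print(f"  - {reason}")
```

The `reasons` list is what an analyst sees in manual review, so every point added to the score is explainable, and the `action` is what the onboarding flow acts on. Keeping the absence-of-breach signal at a partial weight matters: a genuinely new user with a freshly created address will also have no breach history, which is why that signal alone never pushes a user past the review threshold here.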

The resulting process does not disrupt the user experience or shopper journey for your legitimate users. It takes advantage of ever-growing repositories of data and can scale up and out, improving with each version. In the world of fraud detection and prevention, OSINT-powered lookup and data enrichment is a valuable addition to our arsenal for myriad reasons, including how fraudsters do not have the time to create a complete online persona for their fake and synthetic identities. The more carefully we look into these identities using OSINT, the easier it is to see they don’t represent a real person. 

Final Thoughts on Why OSINT Works for Greater Security and Fraud Prevention

Part of the reason using social and online signals to assess shoppers’ intentions is so effective is that fraudsters are not as well prepared to clear this security hurdle as they are for other obstacles. They might use a mobile proxy to circumvent IP analysis modules and geolocation bans. They also hide behind other tools to avoid getting caught.

The process of creating a completely convincing online persona that would fool OSINT data enrichment is often:

  • Too difficult for fraudsters to automate, and 
  • Too time consuming to give them a return on their investment. 

Data is wealth, and OSINT sources are getting richer and richer as more processes around the world become digitized. This is true even in developing countries as the economy becomes more global. It’s in our hands to devise and utilize the methods that can make the best use of this OSINT data. After all, this information is out there and it’s openly available to everyone. 

Author

Gergo Varga

Gergo Varga has been fighting online fraud since 2009 at various companies as a fraud and risk analyst – even co-founding his own anti-fraud startup. Gergo is the author of the Fraud Prevention Guide for Dummies – SEON Special edition. He currently works as the Senior Content Manager / Tech Evangelist at SEON, using his industry knowledge to keep marketing sharp, communicating between the different departments to understand what's happening on the frontlines of fraud detection. Gergo lives in Budapest, Hungary, and is an avid reader of philosophy and history.