Whenever we first engage with organisations to help them optimise their cyber security posture, they’re often surprised at the number of hidden attack vectors that need to be given careful consideration. While the fundamentals of cyber best practice are well-documented at this point, new threats are constantly emerging, which means this is very much a journey rather than a destination – one that employees at all levels must be involved in.
One of the newest, most challenging attack vectors is OSINT – a concept that has been around for some time now, but only recently emerged as a potential security risk.
What is Open-Source Intelligence (OSINT)?
OSINT is simply the practice of collating publicly available information, much of which may seem trivial in isolation, into an actionable form. Crucially, this is not limited to the data gathered by search engines, although this certainly plays a part. Sources might include websites, social media, public records that can be made available on request, broadcast media, public events, the ‘deep web’ (i.e. the part of the internet that is not indexed by search engines), and even any conversation that could be overheard by a casual observer. US public law specifies that OSINT:
- Is produced solely from publicly available information, as opposed to data acquired through illegal means
- Is collated, analysed, and shared with an appropriate audience
- Is produced to fulfil a specific intelligence requirement
This practice has many positive applications in fields such as cyber security, marketing, and law enforcement, where it is used to establish customer personae and proactively mitigate potential threats. Unfortunately, it has also been seized upon by a growing number of bad actors, who are utilising it to gain access to corporate infrastructure.
How our personal data acts as a backdoor to corporate infrastructure
This is a new and increasingly complex attack vector that cyber security teams cannot afford to ignore, so it is helpful to begin by considering how OSINT is currently being used for criminal purposes.
As regular readers of this blog will know, despite the increasing sophistication of cyber criminals’ tools and techniques, the leading cause of data breaches remains simple human error. Utilising information on employees’ personal online profiles, as well as easily accessible corporate information (e.g. logos, office addresses, official titles), bad actors are able to create highly personalised phishing campaigns that can be extremely difficult to spot until a breach has occurred.
Bear in mind that the targets of such campaigns will not necessarily be the obvious candidates, like executives or members of internal IT teams. It’s far more likely that lower-level employees, or even employees from third parties engaged as part of supply chains, will be targeted, or even friends and family who are otherwise unconnected to the organisation.
The interconnected nature of modern business and modern supply chains means that it just takes one set of compromised credentials to gain access to the wider corporate infrastructure, where critical data can then be held to ransom.
Establishing good cyber hygiene in our personal and professional lives
While it’s impossible to account for every possible OSINT-based attack strategy, there are definitely proactive measures you can take today to minimise the risk of a breach. As with so many aspects of modern cyber security, it all begins with ensuring employees at all levels – and across the supply chain – are fully aware of the risk of phishing attacks and similar threats and understand how to spot them. Regular training from trusted cyber security specialists should therefore be provided.
With the near omnipresence of social media in our personal and professional lives, it is also important that employees are aware of the risk these platforms present when it comes to OSINT-based attacks. Far too many of us regularly post information that could be linked to our employers without realising that it is now easily accessible to bad actors. This doesn’t just mean listing our employers in our profile information. It can also mean something as simple as a photo with friends or colleagues that offers clues as to who we work for, where we work, and our job roles – all of which can be used to craft an extremely convincing phishing communication.
While it’s not necessary to completely do away with the ‘social’ part of social media, it’s important that employees take the time to review their privacy settings, so they understand who can actually see the contents of their pages, and be conscious of what they put online, avoiding anything that could potentially create a security risk.
It’s certainly a lot to consider, but with regular training at all levels and a rigorous, standards-based approach to cyber best practice, you can minimise the risk of OSINT leading to a data breach. If you’re in any doubt about your current level of cyber hygiene, in or out of work, don’t hesitate to contact us and take the next step towards a true corporate cyber security culture.
More data is publicly available than ever before… And it’s a major cyber security risk
Open-Source Intelligence (OSINT) is regularly used to enhance marketing activities and cyber security, but it is increasingly used as part of cyber-attacks, which means training is essential.