Now that people upload terabytes of data to the web each day, open-source intelligence, or OSINT, analysts have become a valuable resource for many businesses.
But while OSINT can go a long way towards keeping people and property safe, common mistakes can compromise investigations and jeopardize security.
So in this post, let's review the most common beginner OSINT analyst mistakes we've seen here at Liferaft and how to fix them.
1. Forgetting to prepare a framework
Ten years ago, OSINT analysts struggled to uncover and access information. Today, teams have a tough time filtering through the sheer volume of content online. That makes it easy for investigators to lose focus and start falling down rabbit holes.
For this reason, every analyst and security team should develop their own OSINT framework. This should answer questions such as:
- What do you want to accomplish?
- What data sources will you use?
- How will you prepare and present your findings?
- What types of tools will you use?
- How will you store any data collected?
When you have a plan, you have a system for what you want to get done. That can save time, keep investigations on track, and avoid regulatory hiccups.
2. Forgetting to cover your digital footprints
While you can use the web to gather intelligence on targets, targets can use the web to gather intelligence on you.
Every time you go online, you leave a trail of digital footprints. This includes data such as IP addresses, system configurations, and other information.
All of this could reveal your identity to a person of interest, tipping them off that they are the subject of an investigation.
This might result in your target deleting potential evidence. Or, even worse, they may retaliate against your organization.
Covering your digital footprints online, therefore, requires practicing effective operational security. That means going far beyond using a VPN or your browser’s ‘Incognito Mode.’
Some organizations accomplish this by creating a separate “dirty” network. Investigators use these platforms to anonymously browse sketchy websites and download files.
Alternatively, some OSINT analysts prefer managed attribution services. These technologies allow users to surf the web on their day-to-day devices while cloaking how they appear to external parties.
3. Forgetting to verify data
Nation-states have created entire organizations dedicated to peddling fake news. But even well-meaning individuals and news outlets make mistakes, passing on rumors or false reports.
This creates a big problem for rookie OSINT analysts.
Relying on incorrect information can dramatically skew the findings of your report. That can result in executives making poor choices, which can jeopardize the safety of people and property.
The best way to verify anything you discover online is to cross-check your source with others.
If many have reported the same or similar activity from an event, you can be confident your information is accurate. If you can’t verify your information, note that fact in the report.
4. Forgetting to document findings
Many rookie OSINT analysts dive right into their assessment, gathering relevant information to complete their assignment. But when the time comes to prepare a report, their data lack dates, URLs, and references.
This results in two problems.
First, it creates a lot of work for teams to retrace their footsteps and find previous data. Second, analysts may not be able to recover information that has been deleted or removed from the internet.
For these reasons, it always pays to document your findings throughout the course of an investigation. That will enhance the credibility of your final report and save you time in the long run.
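One way to keep such a record as you go, shown as an added example that is not part of the original post: each finding is stored with its date, URL and reference. The content hash and the chaining of entries are assumptions added here so that a capture can still be vouched for after the page is deleted; the URLs and case labels are constructed.

```python
import hashlib
import json
from datetime import datetime, timezone

REQUIRED = ("captured_at", "url", "reference", "content_sha256")


def _digest(entry):
    """Hash an entry's fields in a stable order."""
    body = {k: v for k, v in entry.items() if k != "entry_sha256"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def record_finding(log, url, reference, content, captured_at=None):
    """Append one finding with its date, URL, reference and a content hash."""
    if not url or not reference:
        raise ValueError("a finding needs both a URL and a reference")
    when = captured_at or datetime.now(timezone.utc)
    entry = {
        "captured_at": when.isoformat(),
        "url": url,
        "reference": reference,
        "content_sha256": hashlib.sha256(content).hexdigest(),
        "prev_sha256": log[-1]["entry_sha256"] if log else None,
    }
    entry["entry_sha256"] = _digest(entry)
    log.append(entry)
    return entry


def verify_log(log):
    """Return the index of the first altered or incomplete entry, or -1."""
    prev = None
    for i, entry in enumerate(log):
        if any(not entry.get(f) for f in REQUIRED):
            return i
        if entry.get("prev_sha256") != prev or entry.get("entry_sha256") != _digest(entry):
            return i
        prev = entry["entry_sha256"]
    return -1


def build_sample_log():
    """Constructed sample: two captures from a placeholder site."""
    log, t = [], datetime(2024, 1, 15, 9, 30, tzinfo=timezone.utc)
    for n, ref in ((1, "Case 001, item A"), (2, "Case 001, item B")):
        record_finding(log, f"https://forum.example/thread/{n}", ref,
                       b"constructed page body %d" % n, t)
    return log
```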
5. Forgetting to cast a wide net
But over time, users can migrate to new platforms. That can result in organizations overlooking threats if they’re not watching the right sites.
To address this, OSINT investigators and security teams have to go beyond the most popular social media platforms. Instead, analysts must keep an eye on the lesser-known parts of the web, such as dark web forums, paste sites, and chan boards.
Not only will this reduce the chance of missing a critical threat or relevant intelligence, but information collected from these lesser-known communities often contains the most intelligence value for OSINT analysts.
6. Overlooking accidental insider threats
Most security leaders focus on nefarious threat actors: malicious insiders, organized crime, violent customers, etc. But increasingly, teams have realized the ‘accidental insider’ represents an underappreciated risk to organizations.
These individuals are regular, ordinary stakeholders who accidentally breach security protocols.
This might happen out of general ignorance of rules and regulations. Or perhaps they’re looking for a convenient way to finish an assignment. Regardless, their activities can jeopardize corporate security.
For example, an excited employee starting their first day at work might publish a picture of their ID badge on social media. Nefarious individuals outside of the organization, however, can use these images to print fake passes.
That would make it easy to trespass onto company property and access secured facilities.
To address this problem, monitor social media for mentions of your company’s name alongside phrases such as ‘office photo,’ ‘first day at work,’ or ‘got my ID badge.’
If you cover VIP or executive protection, be sure to watch the social media activities of your principal’s relatives and close contacts.
In many cases, these scans reveal accidental leaks of sensitive information.
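The monitoring rule described above, as an added example that is not part of the original post: it flags posts that name the company alongside one of the article's phrases, including hashtag forms such as #OfficePhoto. The company name "Example Corp" and the sample posts are constructed.

```python
import re
import unicodedata

# Phrases taken from the article; the company name is a constructed placeholder.
RISK_PHRASES = ["office photo", "first day at work", "got my ID badge"]
COMPANY_NAMES = ["Example Corp"]


def normalize(text):
    """Fold case, width and curly apostrophes so matching is uniform."""
    text = unicodedata.normalize("NFKC", text).casefold()
    return text.replace("\u2019", "'").replace("\u2018", "'")


def phrase_pattern(phrase):
    """Match the phrase as separate words or run together as in a hashtag."""
    words = [re.escape(w) for w in normalize(phrase).split()]
    # [\W_]* between words accepts spaces, hyphens or nothing (#firstdayatwork).
    return re.compile(r"(?<![a-z0-9])" + r"[\W_]*".join(words) + r"(?![a-z0-9])")


def flag_posts(posts, company_names=COMPANY_NAMES, phrases=RISK_PHRASES):
    """Return (post_id, matched_phrases) for posts that name the company
    alongside at least one risk phrase."""
    name_res = [phrase_pattern(n) for n in company_names]
    phrase_res = [(p, phrase_pattern(p)) for p in phrases]
    flagged = []
    for post in posts:
        text = normalize(post["text"])
        if not any(r.search(text) for r in name_res):
            continue
        matched = [p for p, r in phrase_res if r.search(text)]
        if matched:
            flagged.append((post["id"], matched))
    return flagged


# Constructed sample posts, not real data.
SAMPLE_POSTS = [
    {"id": 1, "text": "First day at work at Example Corp! Got my ID badge"},
    {"id": 2, "text": "Loving the view. #OfficePhoto #ExampleCorp"},
    {"id": 3, "text": "First day at work, wish me luck"},          # no company
    {"id": 4, "text": "Example Corp reports quarterly earnings"},  # no phrase
    {"id": 5, "text": "ExampleCorp office photography contest"},   # near miss
]

if __name__ == "__main__":
    for post_id, matched in flag_posts(SAMPLE_POSTS):
        print(post_id, matched)
```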
7. Ignoring the wider social media landscape
Over time, social media users tend to migrate from one platform to another.
Thing is, most security professionals don’t pay attention to these shifting demographics. Oftentimes, they have never even heard of these new platforms.
As a result, they can often overlook relevant threats to their organization.
In 2021, for instance, established platforms banned individuals involved in the riots at the U.S. Capitol Building. That triggered a stampede of users switching over to a growing collection of ‘alt-tech’ social networks, such as Gab, Telegram, and others.
To avoid this problem, keep up with new and emerging social networks. Such small, lesser-known sites often have lots of intelligence value for analysts.
8. Borrowing tools from the marketing department
Some security teams try piggybacking off the marketing department by using their social media surveillance tools. This approach, in theory, allows businesses to quickly automate a threat monitoring program without making a big investment in new software.
But this approach has two issues.
First, software tools designed for marketers often only pull in data from platforms every few hours. That can cost responders precious minutes or even hours during a crisis.
Second, marketing tools focus almost exclusively on the largest social networks. As a result, OSINT analysts may overlook vast swaths of the web where threats can hide.
For this reason, be sure to ask vendors about their crawl time and breadth of coverage. Moreover, it often makes sense to consider tools built specifically for security teams.
9. Failing to check your biases
We're all hard-wired with dozens of mental shortcuts that help our brains make sense of large amounts of data: confirmation bias, availability bias, stereotyping bias, etc.
These mental heuristics helped our ancestors survive for thousands of years on the African savanna. But during an investigation, such cognitive biases can result in faulty analysis.
Experienced OSINT practitioners, therefore, don't pretend they're above this problem. Instead, they have the humility to admit that they struggle with common heuristics like everyone else.
And through the course of the intelligence cycle, they take specific steps to address these pitfalls.
The Bottom Line for OSINT Analysts
Open-source intelligence can go a long way towards keeping your people and assets safe. But common mistakes throughout the intelligence cycle can compromise your investigation and analysis. After reading this post, hopefully, you will no longer commit these fouls.
Can you think of any other common OSINT mistakes?