clear light bulb

7 Foundations of OSINT

This is a guest blog written by Bosintblanc of the NCPTF.

Open-source intelligence is a fascinating discipline with many intricate moving pieces. I have strived to learn all that I can. As I have done that I realized that part of what makes OSINT difficult to teach and learn is that it is made up of many individually complex topics which one could devote an entire career to.

Understanding a broad discipline like OSINT can be difficult and taken as a whole learning it can be quite daunting. However, I have always found with challenging or complex topics the easiest thing to do is break them up into smaller parts. To that end, I wanted to create a list of the core skills that form the basis of OSINT and how you continue to hone them at both the beginner and advanced levels. A note: this list is not meant to be exhaustive or for that matter comprehensive. You will likely have skills that help you OSINT that maybe I do not have, and depending on your exact focus some of these may be more important than others. Many of the skills take years of dedication and learning to master. Entire books could be written (and have been 😜) on each topic alone! This is intended as a resource to introduce you to fundamental skills and help you start learning them or if already along your learning journey to help you continue to learn. 

The #OSINTFUNdamentals:

1. Curiosity

Fundamentally, to progress in OSINT you must be interested in uncovering answers. As you investigate you must often explore topics, cultures, and people that are unfamiliar to you. You’ll have to be willing, and I would say eager, to explore those topics. A lot of times I have heard people say something along the lines of, “Oh I went down a rabbit trail, and it didn’t pan out. I guess that was a waste of time.” With OSINT you have to switch the mentality to no time is wasted in which I learned something I did not know before.

Challenge to learn curiosity

Beginner: Read 1 non-fiction book on a topic that you find interesting but have no practical use for. Make it something that doesn’t relate to your job or hobbies in other than a highly tangential way.

Advanced: Learn a skill that you are not already practicing that is unrelated to your job or hobbies. You don’t have to master it. Heck, you don’t even have to be good! The goal is learning how to learn and ideally how to do so quickly.

Real-World Example:* In an investigation that I worked on, a crucial piece of information came from noticing the target had posted a Youtube video on a particular style of espresso making. Perusing the comments of several other Youtube videos about that style I discovered additional profiles used by that individual. 

2. Diligence

There comes a time in almost every investigation when you’ll hit a wall. The leads won’t pan out, your tools will be providing you no information, and you won’t have any ideas about where to go. What we often don’t talk about is that investigations can get downright boring. You may be scrolling endlessly through social media profiles or combing up and down streets for hours on Google maps. This is where it’s necessary to exercise diligence.

Sometimes we will hit dead ends and that’s okay, but you truly want to make sure that you’ve exhausted every option and turned over every stone because that last piece of information that you find may be the key to blowing an investigation wide open.

Challenge to learn diligence

Beginner: For 2 weeks, skip no task that takes longer than 60 seconds to do. If you see the trash needs to be taken out, do it immediately. Make your bed… EVERY morning. The repetition of doing menial tasks will build into your muscle memory perseverance in the face of seemingly zero rewards.

Advanced: Choose any task that seems moderately difficult to you and do it every day for 1 month for at least 15 minutes a day. This could be exercising, playing an instrument, reading a book. Make it something that you always have said you would do if you only could find the time. We make time for what we value, and as OSINT professionals we MUST value sticking in when the going gets tough because it certainly will get tough.

Real-World Example: I was trying to source the current home location of a target. I knew generally what they did and the region they worked in but lacked a specific organization and address that were attached to them. I dug and dug for quite a while until I came upon a picture they had posted of their WIFI SSID. Using Wigle.net I was able to place their SSID to the specific block they lived on. Using a hunch from the knowledge I had gained over a long investigation I searched the region for companies I thought they were likely to work for. There was one location about five minutes from where they lived. When I searched the staff page I found their picture which had up until that point eluded me! **

3. Analytic and Intelligence Framework

We all have biases and flaws in our decision-making and processing of information. Due to this, it’s of utmost importance that we follow methodical and analytical processes which will help us to curb those imperfections, which could otherwise completely derail our investigations.

Biases are inherent to humanity. Our brains are wired to find meaning and unfortunately that often comes at the expense of the truth. By applying analytic technique we are able to test our theories and hypotheses against what is verifiable and what is known. 

Challenge to learn Analytic & Intelligence Technique

Beginner: Read Structured Analytic Techniques for Intelligence Analysis by Randold Pherson & Richard J. Heuer JR.***  Then buy and complete any 5 logic puzzles or games. As you do complete them try to use techniques you learned in Structured Analytic Techniques.

Advanced: Apply techniques you learned in Structured Analytic Techniques to a process in your job, volunteer work or personal life.

Real-World Example: This one comes up for me quite often in verification. How do I know that “x” account is “y” person? You always go back to what you KNOW and not what you think. I know (this is made up completely) that John lives in Nebraska and his wife’s name is Tanya. I find a breach data email that’s [email protected] but currently, I cannot conclusively say that it belongs to him because I maybe THINK that but I don’t know it. If I see that the PW in the breach is Johnlovestanya, the likelihood that the account I’m looking at is correct increases significantly. 

4. Community and Networking

Something I love about organizations like NCPTF, Tracelabs, ILF, and OSINTCurious (just to name a few) is their commitment to the idea that OSINT is a team sport. One person working on an investigation is unlikely to have all the experiences, expertise, and knowledge. In a team, however, we can lean on each other’s wisdom and talent. Each person has a different piece of the puzzle. I have been amazed and privileged to learn from the breadth of knowledge and talent present in the #OSINTforgood community.

Challenge to learn Community & Networking

Beginner: POLITELY reach out to one person (feel free to make it me if this idea makes you uncomfortable 😜) on Twitter and ask them to send you one blog/book/technique that’s been particularly helpful to them.

Advanced: Join one OSINT community and become an active participant. Start volunteering with Tracelabs, apply to volunteer with an organization whose doing OSINT for good, join the Searchlight team discord. Whatever you do, be an active participant. Strive to comment or post at least once a day.

Real-World Example: I needed to pull down whole years of a business’s SEC filings in their entirety from the GOV website, which is quite cumbersome. I put out a call on Twitter just asking if anyone knew a tool that I could do that and in about 15 minutes someone gave me an amazing tool that changed the game for me. ****

5. Technique and Tools

The reality is, OSINT does not require tools or techniques but some information is MUCH more accessible and quicker to obtain through tools. While it is important not to become overly reliant upon them, tools will make your life easier in the long run. What kind of tools you use will largely depend on your skill set and focus.

Challenge to learn Tools & Techniques

Beginner: Learn five new tools or techniques and attempt to use them in your day job, volunteer work, or personal projects.

Advanced: TRY to develop one tool or technique of your own and use it in your day job, volunteer work, or personal projects. The important thing is that you attempt to both create and use it, not whether it works or not.

Real-World Example: I recently used socialbearing.com to breakdown login patterns of the followers of a Twitter account to show that it was also controlled by the profile being investigated. 

6. Ethics and Verification

This section will be relatively short but possibly the most important section of this entire blog. Do NOT commit crimes, do not be a vigilante or use OSINT to hurt or endanger people. End of lesson. Your operational practices will often be defined by the organization that you are a part of, but if you are not a part of one it is vitally important you establish what is ethical. Even if you are a part of an organization, I would encourage you to think carefully about what is meaningful to you. If there isn’t organizational alignment, you may not be in the right place. There isn’t a way to learn this, it’s just something you should do!

The information gathered in OSINT can have a very tangible effect on people’s lives, so it’s vitally important that we do our due diligence to be sure that we are certain of our theories before spreading them widely.

Real-World Example: Thankfully I don’t have a personal story to share here ;p. You can take a look at some of the weak verifications and non-ethical OSINT (much of it was very well done and ethical just for clarification) that was done in the US capital insurrection as to how bad it can get when OSINT is not performed ethically. *****

7. Communication

Remember that the primary goal of intelligence gathering is to gain knowledge that you did not already have. Your goal may be finding a missing person or figuring out what a bad actor may be up to, but ultimately you’re going to need to be able to convey that information in a way that can be understood.

Communication for intelligence disciplines is very much about structuring the information you find to the audience who is receiving it. A report that I write for a corporate day job is going to be very different from something I might prepare for law enforcement. To take it one step further, a technical breakdown I write for other IT security people is very different from what I would provide a c-suite member even within the same organization. The desires, language, and overall structure of these organizations vary greatly. I say this to say if you find yourself getting upset that someone doesn’t “get” your report, a lot of times the first thing you need to look at is: Was there a language mismatch between you and the culture to which you were delivering the report?

Challenge to learn Communication

Beginner: If you have never written a report before I suggest jumping in Tracelabs and getting your feet wet submitting leads. Make sure you understand their requirements and follow their standards. This will give you experience in how to structure OSINT in a way that can be comprehended within their context.

If you’ve submitted reports before I suggest continuing to find and read other people’s work so you can learn from them. Read Bellingcat, look up declassified intelligence reports, read cyber threat intelligence articles and reports (if that’s relevant to you ;p). The important thing to do as you’re doing this is to be critical. Do you agree with the reasoning in their reports? Check their evidence. Do they support their arguments?

Advanced: My firm belief is that when you teach, you’re often learning as much as the people you are teaching to. Find a way to share your knowledge, whether that’s a blog, Twitter, or a conference talk. The process of writing out your thoughts and being forced to make them understandable will help you highlight gaps in your knowledge. *hey it’s like that’s what’s happening in this blog. WOW 😊.

Real-World Example: In the recent Tracelabs Global search party my team Dwayne “the Sock” Johnson succeeded to a second-place finish. I believe that is in part because leading up to it, we focused on how we were going to communicate during the event. We met before the event to talk over how we thought we should approach it, we set up a Discord and outlined our internal structure within the team. We talked about not only how we would communicate but what we would communicate.

Thanks for sticking with me through the #OSINTFUNdamentals. Please don’t hesitate to reach out to me with feedback or to tag your fundamental tips with the hashtag above. BosintBlanc signing out for now!

Sources: 

*: I like the book Open Source Intelligence Techniques by Micahel Bazzell. I got the idea for real-world examples from him. Buy the book here: https://www.amazon.com/Open-Source-Intelligence-Techniques-Information/dp/B08RRDTFF9

** I learned about Wigle from @Sector035‘s 2019 OSINT Quiz! Have you done it? IT ROCKS!

*** @christina_lekati recommended this book on Twitter and I am in LOVE with it. 

**** @jms_dot_py of Hunchly fame saved my bacon and is such a cool guy and all-around genius follow him!

***** https://www.washingtonpost.com/technology/2021/01/16/sleuths-falsely-identify-rioters/

Leave a Reply