Red Teaming
Kim Crawley, Nov 18, 2021
OSINT is a popular way for defensive cybersecurity professionals to research the cyber threats they need to understand. OSINT is also used offensively by pentesters to research the target they’re testing. OSINT stands for “open source intelligence,” and it’s a broad area that encompasses many different sources and methodologies. It’s also a skill HTB Academy has a course for: OSINT: Corporate Recon by Cry0l1t3.
OSINT encompasses many different types of research. Generally, if you’re looking for information that you’re legally allowed to access, and you’re not interacting with your targets or other people, it’s OSINT. Effective OSINT, meaning thorough and lawful research, can help both the red team and the blue team make all of our companies, computer systems and networks more secure. Unfortunately, OSINT is often misunderstood by laypeople. Let’s address some of these misconceptions, shall we?
When I speak to other people who do OSINT in their everyday work, they tell me that outsiders think OSINT is doxxing! That’s a terrible myth, because doxxing is a cyber threat and often illegal.
What is doxxing? Doxxing, or “to dox,” is a term that emerged in the 21st century. It’s a pretty new word, but thankfully Merriam-Webster stays on top of the evolution of the English language. Here is their official definition:
Definition of dox
transitive verb
informal
: to publicly identify or publish private information about (someone) especially as a form of punishment or revenge
… Facebook, like other platforms, wants to prevent users from being doxed or otherwise targeted for harassment …— Karissa Bell
On general principles, I support Internet anonymity and look askance at people's efforts to "out" or "dox" anonymous Web commenters whose views they disagree with, much less for simple sport.— Damon Poeter
This isn't the first time the LAPD has been doxxed. In 2011, a group affiliated with the online hackers Anonymous claimed responsibility for posting personal information of more than 40 officers, including their home addresses, campaign contributions, property records, and names of family members after they claimed the LAPD oppressed them by shutting down the Occupy L.A. Movement.— Christine Pelisek
Other Words from dox
doxing or doxxing noun, plural doxings or doxxings informal
So doxxing involves exposing information on targets you aren’t allowed access to. Posting someone’s credit card numbers and government identification numbers in a public forum is both illegal and immoral. It constitutes an information security attack, because confidentiality is a central pillar of the CIA Triad of infosec.
OSINT is finding information that you're allowed to have access to without breaking the law. Did you know that back in the 20th century, it was common for almost everyone’s phone number to be published in a publicly distributed book? In the United States and Canada, pretty much every city or municipality had its own annual Yellow Pages (commercial) and White Pages (residential) book. The only known phone numbers that wouldn’t be published were from people and organizations that specifically contacted Yellow Pages or White Pages to opt out. As a child, I also remember that White Pages published everyone’s street address! From a 21st century vantage, this seems kind of risky.
My point is that if it were 1992 and you found my phone number and address because they were in the Toronto White Pages, that would be OSINT. OSINT is a process of gathering information without violating rights, with the intention of keeping private information secret. Doxxing is the publication of information for the purpose of harming a person, company or reputation, and the information published need not be based on fact. And because doxxing is unethical and usually illegal, it isn’t OSINT.
Another popular misconception is that using Google search isn’t OSINT. I think that’s because Google searching is something pretty much everyone does these days. It’s not a niche hacker skill.
But Google and other search engines are tools for finding publicly available information across billions of webpages. That’s information that’s “open source,” and you can acquire intelligence from it. Therefore, Google searches can be OSINT!
There are also other search engines that cybersecurity professionals frequently use when doing OSINT:
Shodan, to explore publicly exposed networking devices and servers
Startpage, as another way to use Google’s search engine, but without tracking
Ahmia.fi, to search websites on the Tor network
Maltego, to acquire OSINT from a variety of sources, complete with graphical analysis
Recon-ng, as a web reconnaissance tool
Because OSINT is a term used in the hacker community, people sometimes assume that OSINT always uses computers and the internet. But that’s not true: OSINT can be done offline using good old-fashioned research sources and techniques!
I already mentioned the possibility of using White Pages and Yellow Pages books in the 1990s. Do you know where the teenage 1990s version of me would go if I wanted to find a phone number that’s outside of my Toronto hometown? I’d head to the Mississauga Public Library (Central Branch), and scour the building’s five floors to find the shelves that had all of their White Pages and Yellow Pages books. That section of the library not only had White Pages and Yellow Pages books from all over Canada, but also most of the fifty US states.
This segues into the fact that public and academic libraries are still excellent OSINT sources, in 2021 and beyond. Even with the internet, there is information in old books that might not be available online. Not all of those old books have been digitized. There may also be newspapers and magazines going back several decades or more, with offline-only information that you can find in a library’s microfiche catalogue. Using those old-fashioned microfiche machines is a comforting memory to me. A librarian can be your friend and ally in your OSINT work, helping you to explore all of the “open source” information at the library through the many mediums it manifests in.
Check out What is OSINT? to learn more.
And check out my interview with HTB Academy OSINT: Corporate Recon author Cry0l1t3.