Open-source intelligence (OSINT) is a framework that involves gathering, analyzing, and interpreting publicly available data to gain insights into cyber threats, adversarial activities, and attack techniques. OSINT identifies innocuous-seeming information that, if analyzed with an attacker’s mindset, could reveal critical loopholes in an enterprise’s security posture.
Wiz Experts Team
8 minutes read
What is OSINT?
Open-source intelligence (OSINT) is a framework that involves gathering, analyzing, and interpreting publicly available data to gain insights into cyber threats, adversarial activities, and attack techniques. OSINT identifies innocuous-seeming information that, if analyzed with an attacker’s mindset, could reveal critical loopholes in an enterprise’s security posture.
Ethical vs. malicious OSINT
OSINT operations are often carried out ethically by threat intelligence analysts and information security experts who use data collected from websites, publications, social media, public databases, domain registries, the dark web, and other public data sources to uncover both known and zero-day threats.
Aside from its legitimate use cases, OSINT is also deployed by malicious adversaries to uncover accidentally exposed assets, leaked (sensitive) data, or other information that they can leverage in coordinated cyberattacks.
When OSINT is done legitimately, it typically follows a six-step process outlined by OWASP, including target identification, source gathering, data aggregation, data processing, analysis, and respecting ethical boundaries. This process is usually facilitated by a wide range of OSINT tools such as Intelligence X and Maltego.
From intelligence gathering and shadow IT discovery to risk assessment, enterprises can benefit from OSINT both directly and indirectly.
How organizations directly benefit from OSINT
As an organization with internet-facing apps and services, conducting in-house OSINT operations offers you a wide range of benefits:
Intel gathered from hacker forums and other sources can serve as an early warning system, uncovering security weaknesses or potential attacks before they can do damage.
OSINT can help enhance your cyberdefense strategies and overall operational security (OPSEC) by mapping out cloud misconfigurations and paths to potentially vulnerable public-facing assets.
With OSINT, you can detect third-party vulnerabilities and software supply chain risks to help you make informed decisions about which third-party software to incorporate into your stack.
How organizations benefit from OSINT indirectly
When organizations partner with cybersecurity providers who integrate OSINT into their services, they can enjoy powerful and dynamic tools designed to enhance the security of their IT stack. Enterprises also stand to benefit considerably from the expertise of providers’ threat intel analysts. These researchers are adept at uncovering cloud misconfigurations, such as exposed Azure Blob storage or AWS S3 buckets, which internal teams may overlook.
Additionally, security providers can dedicate a lot more resources to monitoring open sources for zero-day vulnerabilities and attacks in their planning stages. The intel gathered can then be fed into their cyber threat intelligence (CTI) systems, providing enterprises with the latest threat actor TTPs, and empowering CISOs and cybersecurity engineers to make informed decisions about securing critical infrastructure.
Though extremely beneficial, gathering and processing OSINT can be a painstaking, time-consuming process without the right tools. Below are the top 9 tools to make the most of your OSINT journey:
1. Babel X
Babel X, powered by Babel Street, is a multilingual, AI-powered OSINT platform that scrapes and analyzes intel from publicly available information (PAI) sources, including social media, blogs, dark web forums, and more. Trained to understand 200+ languages, Babel X uses its advanced machine learning algorithms and natural language processing (NLP) capabilities to filter noise from OSINT gathered and translate content into users’ preferred languages. It then indexes the data and highlights critical intelligence, optimizing your decision-making.
Features and use cases
Babel X supports active and passive scans, data visualization via charts, geospatial mapping, and more. You can conduct your OSINT on Babel X using Boolean searches for fast scans or configure searches by keyword, timeframe, geolocation, or file type for fine-grained filtering. You can also integrate its APIs to directly feed Babel X intel into your platforms for proactive threat detection. Still, for enterprise users seeking to tap into its array of features, Babel X’s steep price point may require careful consideration.
2. BuiltWith
BuiltWith is a website profiling tool for analyzing the DNS records, content management systems, third-party libraries, and other IT infrastructure on which a target’s website is built. BuiltWith identifies the unique patterns left by even the most obscure infrastructure elements. It then stores all intel gathered in its indexed database, including historical data, such as when a certain technology was added to or removed from a website.
Features and use cases
Enterprises can use BuiltWith to gather intel on the existing or potential vulnerabilities of their website based on its infrastructure components. This is particularly useful for attack-surface mapping and software supply chain risk management. Though BuiltWith has a few OSINT use cases, it isn’t a full OSINT tool. For example, it does not provide insights into attackers' latest TTPs or targets.
3. DarkSearch.io
DarkSearch is a search engine for collecting dark web intelligence from data dump sites, black hat forums, various document formats, IRC chat rooms, game chats, and more. It works by crawling Tor2web and indexing intel into structured data for faster query responses.
Features and use cases
You can query intel on DarkSearch by using Boolean logic or keyword searches. You can also integrate third-party APIs to export query results for further processing. Additionally, DarkSearch alerts users in real time through designated emails whenever new scans reveal critical intel. Still, by scanning only the dark web, DarkSearch may miss out on vulnerabilities and threats that are directly under its nose in the publicly available surface web.
4. FOCA
Fingerprinting Organizations with Collected Archives (FOCA) is a specialized tool for gathering hidden metadata from publicly available documents, including Microsoft and open Docs, SVGs, PDFs, Excel spreadsheets, PowerPoint files, and Adobe InDesign files. These documents are typically indexed files downloaded from corporate domains, public websites, and search engines.
Features and use cases
You can run FOCA queries through Google, Bing, and DuckDuckGo to uncover intel like compromised usernames, emails, internal IP addresses and paths, and attackers’ TTPs. While FOCA is a great starting point for OSINT gathering, its inability to scan unindexed files, webpages, the deep/dark web, and other critical OSINT sources is a major limitation.
5. Intelligence X
Intelligence X is a search engine for monitoring dark web activities and for discovering leaked credentials or exposed sensitive data. It gathers OSINT across multiple platforms, including deep web/dark web forums hosted on Tor, I2P sites, deactivated webpages, and mainstream sources like Facebook, Pastebin, and GitHub. Intelligence X continuously crawls the internet with focus on more obscure sources that are not typically indexed by traditional search engines.
Features and use cases
Intelligence X allows you to query intel from eight different categories. You can use Intelligence X to uncover adversarial activities or mentions directed at your organization, identify documents containing your organization’s sensitive data recovered from dump sites, and more. Despite these benefits, Intelligence X users must carefully weigh its pros against its cons as the tool can be quite costly and complex to use for enterprise users.
6. Maltego
Maltego is a graphical link analysis tool for gathering OSINT on threat actors, organizations, domains, and more. It has a transform-based architecture for conducting automated, customizable queries. Maltego supports data visualization via interactive graphs to enable users to map data relationships (for example, the relationship between an organization and a hacker group).
Features and use cases
Maltego scrapes metadata from social media, identity databases, the dark web, and other OSINT sources, providing real-time, AI-powered monitoring capabilities. With its support for 120+ platforms, you can use Maltego to conduct complex OSINT investigations on specific targets or discover cyber threats and attacks in the wild.
7. Mitaka
Mitaka is an open-source web browser extension for analyzing malware, assessing a URL or email address’s credibility, and generally finding indicators of compromise (IOCs) across IPs, domains, and more. Mitaka gathers intel from a wide range of sources including IP reputation databases, SSL/TLS certificate checker kits, and threat intelligence feeds like MalwareBazaar.
Features and use cases
Once configured, Mitaka automatically runs alongside your browser, scraping threat data such as CVEs, viruses, and malware in target websites via browser extensions. While it is useful for investigating malware and phishing attacks, Mitaka’s ability to interfere with browser activity can lead to password exposure via a third-party backdoor.
8. Recon-ng
Recon-ng is a command-line open-source OSINT and pen testing tool. Recon-ng gathers OSINT from databases and IP addresses, DNS lookups, search engines, and more.
Features and use cases
To collect OSINT on organizations, individuals, and more, search Recon-ng’s modules such as ‘bing_domain_web’ for domain information gathering, ‘ip_geolocation’ for collecting data on target’s location, and ‘ssl_search’ for uncovering target’s compromised SSL certificates.
9. SpiderFoot
SpiderFoot is an open-source OSINT tool with 200+ modules for gathering information on target organizations, domains and IP addresses, networks, emails, and usernames. It offers automation capabilities for routine OSINT tasks like DNS queries, threat intelligence checks, breach detection, WHOIS lookups, and more.
Features and use cases
SpiderFoot pulls data from 100+ public sources including social media, websites, threat intelligence feeds, and DNS records. It supports data cross-correlation for mapping the relationships between different entities and provides data visualization tools to graphically map connections between various intel. Enterprises can use intel gathered by SpiderFoot to identify common threat patterns and manage their attack surface.
Enhancing your cybersecurity with solutions powered by Wiz Threat Intelligence (Wiz TI)
Wiz Threat Intelligence (Wiz TI) lets you benefit from OSINT without the hassle of conducting your own extensive scans. And in addition to OSINT, Wiz Advisories are generated using legitimately accessed private data that enrich findings beyond what OSINT alone can provide.
Wiz TI continuously identifies indicators of compromise (IoCs); explores tactics, techniques, and procedures (TTPs) used by threat actors; and discerns threat behaviors in real time. With these insights, organizations are better informed on how to mitigate risks and improve their ability to detect and respond to actual threats. Key features of Wiz TI include:
Wiz Threat Center: This is where the Wiz Threat Research team shares emerging threats, targeted technologies, defenses, and insights detailing how your environment may be impacted.
In-depth investigation: The Wiz Research team conducts extensive research to uncover and investigate new cloud threats, using tools like the Wiz Runtime Sensor. By staying up-to-date about the latest threats as they emerge, you can develop cyberdefense strategies to get ahead of attackers.
CVE Numbering Authority (CNA): In recognition of its efforts in threat and vulnerability research towards a safer and more transparent cloud, Wiz has been authorized as a CNA by the Common Vulnerability and Exposures (CVE) Program.
TTPs analysis: Wiz investigates various TTPs used by threat actors (for example, TTPs used in EKS attacks) to provide you with insights into the most vulnerable components of your stack and why they’re vulnerable.
These capabilities collectively enhance Wiz's ability to detect, analyze, and respond to cloud security threats. Because Wiz TI’s information is based on research from both open-source and private data, the Wiz platform always has the latest intelligence to protect your stack and ensure its continued resilience, even as new threats, TTPs, and CVEs emerge.
We also have some interesting capabilities coming soon. Stay tuned for:
A portal right in your Wiz platform that incorporates reports from the Cloud Threat Landscape to keep you informed about threat actors and what they’re doing
A feature that helps you correlate findings in your environment and attribute them to specific threat actors.
Unmatched Cloud Threat Intelligence
Learn why CISOs at the fastest growing companies rely on Wiz for advanced cloud intel.
Shadow IT is an employee’s unauthorized use of IT services, applications, and resources that aren’t controlled by—or visible to—an organization’s IT department.
Vulnerability management involves continuously identifying, managing, and remediating vulnerabilities in IT environments, and is an integral part of any security program.
API security encompasses the strategies, procedures, and solutions employed to defend APIs against threats, vulnerabilities, and unauthorized intrusion.
In this post, we’ll explore some of the challenges that can complicate cloud data classification, along with the benefits that come with this crucial step—and how a DSPM tool can help make the entire process much simpler.