By Media Sonar
Using automated, open-source intelligence tools (OSINT) to probe the vast reaches of the Open and Dark Web in order to identify and mitigate risk is becoming a key part of many MSP’s security toolkit.
OSINT investigations can monitor for threats targeting clients as a whole or aimed directly at high-ranking executives, detect fake accounts that impersonate brands, and discover if sensitive data, such as personally identifiable information (PII) or intellectual property, is being sold or traded.
However, MSPs using OSINT tools need to make sure that they don’t cross the line into activities that may violate legal or ethical guidelines. Here are some of the do’s and don’ts when it comes to conducting OSINT investigations.
The basic rule to follow is that OSINT investigations must be limited to publicly available information – commonly defined as information that is intended for public consumption.
In today’s world of oversharing, it’s not always easy to define the intent of someone who is posting information. However, some general rules apply:
- An OSINT investigator can’t hack into someone else’s account.
- An OSINT investigator can’t pretend to be someone else and hide behind a fake identity to engage a subject in conversation or lure them into information sharing.
- An OSINT investigator can’t access data that is password protected or that requires any other type of private credential or login.
- There is a gray area when it to comes to using data scraping tools on high-volume, data-rich sites like Facebook, LinkedIn and Twitter. Anyone can search on Facebook, but Meta’s terms and conditions specifically forbid the use of automated data crawling and scraping tools. However, in 2019, LinkedIn sued a third-party research company to prevent the company from scraping data from the site. LinkedIn lost the case, but the legal fallout is unclear. So, it might be best for OSINT investigators using scraping tools on social media platforms to run it by the company attorney.
- Another key factor to consider is that OSINT investigators should probably want to remain undetected by the subject under investigation. Once the subject realizes that an investigation is underway, they might take steps to hide their tracks even more, or they could retaliate and launch an attack. So, using VPNs or other methods of remaining undetected is important.
- OSINT investigators also need to be cognizant of whether the investigation might lead to criminal charges against the subject being investigated, an insider who might be intentionally leaking information, for example. Security teams need to make doubly sure that their data collection methods comply with all legal parameters. And they need to be able to document their methods, as well as provide a chain of evidence to show that the data gathered was properly protected.
- One of the benefits of OSINT investigations is the ability to create “teaching moments” that help employees become savvier about what they post online. For example, employees organize an in-office birthday celebration for the CEO and post pictures of the event. This could give attackers a piece of information that could be used to crack the CEO’s passwords. Or an employee might post a selfie that inadvertently exposes their corporate key card dangling around their neck on a lanyard. OSINT investigators need to tread carefully when approaching the employee to make sure they don’t feel their privacy has been invaded.
What’s fair game?
The good news is that the list of data sources available for legal and ethical OSINT investigations is quite lengthy. The problem is never that there isn’t enough data – the problem is sorting through the data to extract the relevant information.
Data sources can include content that is hidden behind a paywall, photos and geospatial information. Publicly available information can include social networks, dating apps, public records, Deep and Dark Web forums, blogs, presentations, messaging apps, etc.
It’s also important to keep in mind that data derived from OSINT investigations provides only one piece of the security puzzle and should be added to a larger pool of investigative data.
Media Sonar for OSINT Investigations
Media Sonar integrates the top OSINT tools and data sources into a seamless, single platform that helps MSPs expand coverage of their client’s public attack surface to better protect digital data, reputation, bottom line and deliver on your trusted advisor promise.
Get access to the report “OSINT Best Practices: Legal & Ethical Considerations” for more practical tips and insights on this topic.