CSY301 Week 08 Advanced

Practice OSINT workflows before moving to reading resources.

Threat Intelligence


Opening Framing

Every day, threat actors leave digital footprints across the internet—domain registrations, forum posts, social media activity, code repositories, leaked credentials, and exposed infrastructure. Open Source Intelligence (OSINT) is the art of finding, collecting, and analyzing this publicly available information to generate actionable intelligence.

OSINT is often undervalued compared to expensive commercial intelligence feeds, but it remains one of the most powerful tools in a threat analyst's arsenal. It's free (mostly), it's timely (you can investigate in real-time), and it often provides unique insights unavailable from any vendor. The same techniques adversaries use to research targets can be used to research adversaries.

This week covers OSINT methodology, key sources and techniques, infrastructure reconnaissance, social media intelligence, dark web monitoring, and operational security considerations. You'll learn to conduct ethical, effective OSINT investigations while understanding the legal and privacy boundaries.

Key insight: OSINT isn't about finding secrets—it's about finding connections in public information that others miss.

1) OSINT Fundamentals

Understanding what OSINT is—and isn't—sets the foundation for effective intelligence gathering:

OSINT Definition:

Open Source Intelligence (OSINT):
┌─────────────────────────────────────────────────────────────┐
│ Intelligence produced from publicly available information   │
│ that is collected, exploited, and disseminated in a timely │
│ manner to an appropriate audience for addressing a specific │
│ intelligence requirement.                                   │
│                                          — US DoD Definition│
└─────────────────────────────────────────────────────────────┘

Key Characteristics:
- Publicly available (no hacking required)
- Legally obtainable
- May require skill to find and interpret
- Often free or low-cost
- Timely (can be collected in real-time)

What OSINT IS:
✓ Searching public records and databases
✓ Analyzing social media profiles
✓ Reviewing public code repositories
✓ Examining domain registration data
✓ Searching breach databases (legally obtained)
✓ Analyzing publicly exposed infrastructure

What OSINT IS NOT:
✗ Hacking or unauthorized access
✗ Bypassing authentication
✗ Social engineering individuals
✗ Purchasing stolen data
✗ Accessing private systems
✗ Violating terms of service (gray area)

OSINT in the Intelligence Cycle:

OSINT Applications in Threat Intelligence:

THREAT ACTOR RESEARCH:
┌─────────────────────────────────────────────────────────────┐
│ - Track adversary forum activity                            │
│ - Monitor social media personas                             │
│ - Research infrastructure registration patterns             │
│ - Identify operational security failures                    │
│ - Discover connections between actors                       │
└─────────────────────────────────────────────────────────────┘

INFRASTRUCTURE ANALYSIS:
┌─────────────────────────────────────────────────────────────┐
│ - Map adversary infrastructure                              │
│ - Discover related domains/IPs                              │
│ - Track infrastructure changes over time                    │
│ - Identify hosting patterns                                 │
│ - Correlate across campaigns                                │
└─────────────────────────────────────────────────────────────┘

ATTACK SURFACE DISCOVERY:
┌─────────────────────────────────────────────────────────────┐
│ - Find exposed assets (your organization)                   │
│ - Discover leaked credentials                               │
│ - Identify shadow IT                                        │
│ - Monitor for brand impersonation                           │
│ - Track data leaks                                          │
└─────────────────────────────────────────────────────────────┘

INCIDENT INVESTIGATION:
┌─────────────────────────────────────────────────────────────┐
│ - Research observed indicators                              │
│ - Find related malware samples                              │
│ - Discover infrastructure connections                       │
│ - Identify other victims                                    │
│ - Track adversary discussion of tools/techniques            │
└─────────────────────────────────────────────────────────────┘

OSINT Methodology:

Systematic OSINT Process:

1. DEFINE REQUIREMENTS
┌─────────────────────────────────────────────────────────────┐
│ - What question are you trying to answer?                   │
│ - What information would answer it?                         │
│ - What is the scope and boundaries?                         │
│ - What is the time constraint?                              │
└─────────────────────────────────────────────────────────────┘

2. IDENTIFY SOURCES
┌─────────────────────────────────────────────────────────────┐
│ - What sources might have this information?                 │
│ - What search strategies will you use?                      │
│ - What tools are appropriate?                               │
│ - What are the legal/ethical considerations?                │
└─────────────────────────────────────────────────────────────┘

3. COLLECT DATA
┌─────────────────────────────────────────────────────────────┐
│ - Execute searches systematically                           │
│ - Document everything (sources, timestamps)                 │
│ - Archive evidence (screenshots, downloads)                 │
│ - Maintain operational security                             │
└─────────────────────────────────────────────────────────────┘

4. PROCESS & ANALYZE
┌─────────────────────────────────────────────────────────────┐
│ - Organize collected information                            │
│ - Verify and corroborate findings                           │
│ - Identify patterns and connections                         │
│ - Assess source reliability                                 │
└─────────────────────────────────────────────────────────────┘

5. PRODUCE INTELLIGENCE
┌─────────────────────────────────────────────────────────────┐
│ - Document findings clearly                                 │
│ - Note confidence levels                                    │
│ - Provide actionable recommendations                        │
│ - Cite sources appropriately                                │
└─────────────────────────────────────────────────────────────┘

6. EVALUATE & FEEDBACK
┌─────────────────────────────────────────────────────────────┐
│ - Did the intelligence answer the requirement?              │
│ - What sources were most valuable?                          │
│ - What could be improved?                                   │
│ - What gaps remain?                                         │
└─────────────────────────────────────────────────────────────┘

Key insight: OSINT is a discipline, not just Googling. Systematic methodology separates useful intelligence from random searching.

2) OSINT Sources and Techniques

Effective OSINT leverages diverse sources, each providing different types of information:

Primary OSINT Source Categories:

SEARCH ENGINES:
┌─────────────────────────────────────────────────────────────┐
│ Sources:                                                    │
│ - Google (and dorking operators)                            │
│ - Bing (different index, sometimes different results)       │
│ - DuckDuckGo (privacy-focused, different results)           │
│ - Yandex (good for Eastern European content)                │
│ - Baidu (Chinese content)                                   │
│                                                             │
│ Techniques:                                                 │
│ - Advanced operators (site:, filetype:, inurl:)             │
│ - Date-range filtering                                      │
│ - Cache and archived versions                               │
│ - Image reverse search                                      │
└─────────────────────────────────────────────────────────────┘

DOMAIN/IP INTELLIGENCE:
┌─────────────────────────────────────────────────────────────┐
│ Sources:                                                    │
│ - WHOIS databases                                           │
│ - Passive DNS (VirusTotal, PassiveTotal, SecurityTrails)    │
│ - Certificate Transparency logs (crt.sh, Censys)            │
│ - DNS records (MX, TXT, SPF)                                │
│ - Shodan, Censys (exposed services)                         │
│                                                             │
│ Techniques:                                                 │
│ - Registration pattern analysis                             │
│ - Historical DNS pivoting                                   │
│ - Certificate discovery                                     │
│ - Subdomain enumeration                                     │
└─────────────────────────────────────────────────────────────┘

SOCIAL MEDIA:
┌─────────────────────────────────────────────────────────────┐
│ Sources:                                                    │
│ - Twitter/X (security researcher community)                 │
│ - LinkedIn (organizational research)                        │
│ - Telegram (threat actor channels)                          │
│ - Discord (community servers)                               │
│ - Reddit (discussions, leaks)                               │
│                                                             │
│ Techniques:                                                 │
│ - Profile analysis                                          │
│ - Connection mapping                                        │
│ - Content monitoring                                        │
│ - Geolocation from posts                                    │
└─────────────────────────────────────────────────────────────┘

CODE REPOSITORIES:
┌─────────────────────────────────────────────────────────────┐
│ Sources:                                                    │
│ - GitHub (public repos, gists, commit history)              │
│ - GitLab                                                    │
│ - Bitbucket                                                 │
│ - Pastebin and paste sites                                  │
│                                                             │
│ Techniques:                                                 │
│ - Credential searching                                      │
│ - Malware source code analysis                              │
│ - Developer identification                                  │
│ - Commit history analysis                                   │
└─────────────────────────────────────────────────────────────┘

BREACH/LEAK DATA:
┌─────────────────────────────────────────────────────────────┐
│ Sources:                                                    │
│ - Have I Been Pwned (legitimately aggregated)               │
│ - Dehashed, Intelligence X                                  │
│ - Breach notification sites                                 │
│ - Paste site monitoring                                     │
│                                                             │
│ Techniques:                                                 │
│ - Credential exposure checking                              │
│ - Email/domain searches                                     │
│ - Pattern analysis across breaches                          │
│                                                             │
│ ⚠️ Legal Note: Only use legally obtained data               │
└─────────────────────────────────────────────────────────────┘

Google Dorking:

Advanced Google Search Operators:

BASIC OPERATORS:
┌─────────────────────────────────────────────────────────────┐
│ Operator        │ Example                   │ Purpose       │
├─────────────────┼───────────────────────────┼───────────────┤
│ site:           │ site:example.com          │ Limit to site │
│ filetype:       │ filetype:pdf              │ File type     │
│ inurl:          │ inurl:admin               │ URL contains  │
│ intitle:        │ intitle:"index of"        │ Title contains│
│ intext:         │ intext:password           │ Body contains │
│ "exact phrase"  │ "login portal"            │ Exact match   │
│ -exclude        │ -site:pinterest.com       │ Exclude       │
│ OR              │ admin OR administrator    │ Either term   │
│ *               │ "password * file"         │ Wildcard      │
└─────────────────┴───────────────────────────┴───────────────┘

THREAT INTELLIGENCE DORKS:

Finding exposed credentials:
site:pastebin.com "password" "example.com"
site:github.com "example.com" password

Finding exposed infrastructure:
intitle:"index of" "backup" site:example.com
inurl:"/admin" site:example.com

Finding malware samples:
site:virustotal.com "malware-family-name"
site:any.run "malware-family-name"

Finding threat actor info:
"threat-actor-name" site:twitter.com
"threat-actor-alias" filetype:pdf

Finding infrastructure:
site:shodan.io "specific-banner-text"
site:censys.io "organization-name"

⚠️ Caution: Some dorks may return sensitive results.
   Use responsibly and ethically.

OSINT Tool Categories:

Essential OSINT Tools:

INFRASTRUCTURE ANALYSIS:
┌─────────────────────────────────────────────────────────────┐
│ Tool            │ Purpose                                   │
├─────────────────┼───────────────────────────────────────────┤
│ Shodan          │ Internet-connected device search          │
│ Censys          │ Internet-wide scanning data               │
│ VirusTotal      │ Malware/URL/IP reputation                 │
│ PassiveTotal    │ Passive DNS, WHOIS, SSL certs             │
│ SecurityTrails  │ Historical DNS, subdomains                │
│ crt.sh          │ Certificate Transparency search           │
│ DNSdumpster     │ DNS reconnaissance                        │
│ Robtex          │ DNS and network research                  │
└─────────────────┴───────────────────────────────────────────┘

SOCIAL MEDIA / PEOPLE:
┌─────────────────────────────────────────────────────────────┐
│ Tool            │ Purpose                                   │
├─────────────────┼───────────────────────────────────────────┤
│ Maltego         │ Link analysis, relationship mapping       │
│ Sherlock        │ Username search across platforms          │
│ Social Analyzer │ Social media profile analysis             │
│ SpiderFoot      │ Automated OSINT collection                │
│ theHarvester    │ Email/subdomain enumeration               │
└─────────────────┴───────────────────────────────────────────┘

ARCHIVAL / HISTORICAL:
┌─────────────────────────────────────────────────────────────┐
│ Tool            │ Purpose                                   │
├─────────────────┼───────────────────────────────────────────┤
│ Wayback Machine │ Historical website snapshots              │
│ Google Cache    │ Cached page versions                      │
│ CachedView      │ Multiple cache source search              │
│ Archive.today   │ On-demand page archiving                  │
└─────────────────┴───────────────────────────────────────────┘

SPECIALIZED:
┌─────────────────────────────────────────────────────────────┐
│ Tool            │ Purpose                                   │
├─────────────────┼───────────────────────────────────────────┤
│ FOCA            │ Metadata extraction from documents        │
│ ExifTool        │ Image/file metadata analysis              │
│ Recon-ng        │ Modular reconnaissance framework          │
│ Amass           │ Subdomain enumeration                     │
│ URLscan.io      │ Website analysis and screenshots          │
└─────────────────┴───────────────────────────────────────────┘

Key insight: Tools automate collection, but analysis requires human judgment. The tool finds data; you create intelligence.

3) Infrastructure Reconnaissance

Infrastructure OSINT reveals adversary operational patterns and enables proactive threat discovery:

Infrastructure OSINT Workflow:

STARTING POINT → PIVOT → EXPAND → CORRELATE

Example Investigation:

Starting Point: Suspicious domain from phishing email
               evil-login.com

Step 1: WHOIS Analysis
┌─────────────────────────────────────────────────────────────┐
│ $ whois evil-login.com                                      │
│                                                             │
│ Registrar: NameCheap, Inc.                                  │
│ Creation Date: 2024-03-01                                   │
│ Registrant: WhoisGuard Protected                            │
│ Name Servers: ns1.hostingprovider.com                       │
│                                                             │
│ Intelligence: Recently registered, privacy protected        │
│ Pivot: Check other domains on same name servers             │
└─────────────────────────────────────────────────────────────┘

Step 2: DNS Records
┌─────────────────────────────────────────────────────────────┐
│ $ dig evil-login.com A                                      │
│ evil-login.com → 192.168.100.50                             │
│                                                             │
│ $ dig evil-login.com MX                                     │
│ (no MX records - not used for email)                        │
│                                                             │
│ $ dig evil-login.com TXT                                    │
│ (no SPF/DKIM - confirms not legitimate email sender)        │
│                                                             │
│ Pivot: What else is hosted on 192.168.100.50?               │
└─────────────────────────────────────────────────────────────┘

Step 3: Passive DNS
┌─────────────────────────────────────────────────────────────┐
│ Query: 192.168.100.50 on PassiveTotal/VirusTotal            │
│                                                             │
│ Results:                                                    │
│ - evil-login.com (2024-03-01 to present)                    │
│ - secure-banking.net (2024-02-15 to present)                │
│ - account-verify.org (2024-02-20 to present)                │
│                                                             │
│ Intelligence: Same IP hosts multiple phishing domains       │
│ Pattern: Credential theft theme                             │
│ Pivot: Investigate other domains                            │
└─────────────────────────────────────────────────────────────┘

Step 4: Certificate Transparency
┌─────────────────────────────────────────────────────────────┐
│ Query: crt.sh for evil-login.com                            │
│                                                             │
│ Results:                                                    │
│ - Let's Encrypt certificate issued 2024-03-01               │
│ - Also covers: www.evil-login.com                           │
│                                                             │
│ Query: Other certs for 192.168.100.50                       │
│ - Found 5 additional domains on same IP                     │
│                                                             │
│ Intelligence: Adversary getting free SSL certs              │
│ Pattern: Let's Encrypt for legitimacy appearance            │
└─────────────────────────────────────────────────────────────┘

Step 5: Shodan/Censys
┌─────────────────────────────────────────────────────────────┐
│ Query: 192.168.100.50 on Shodan                             │
│                                                             │
│ Results:                                                    │
│ - Port 80: nginx                                            │
│ - Port 443: nginx with Let's Encrypt                        │
│ - Port 22: OpenSSH 7.4                                      │
│ - ASN: AS12345 - BulletProof Hosting Ltd                    │
│ - Country: Moldova                                          │
│                                                             │
│ Intelligence: VPS on bulletproof host                       │
│ Indicator: Same hosting pattern = same actor                │
└─────────────────────────────────────────────────────────────┘
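The pivot and red-flag logic of Steps 1 to 5, as an added example that is not part of the course material: the passive DNS records, WHOIS facts and ASN label are constructed to mirror the evil-login.com walkthrough, and the helper names (pivot_on_ip, score_domain, the dataclasses) are this example's own.

```python
"""Infrastructure pivot: co-hosting overlap plus registration red flags.

Added example, not part of the course material. The records below are
constructed to mirror the evil-login.com walkthrough; the helper names
(pivot_on_ip, score_domain, the dataclasses) are this example's own.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

AS_OF = date(2024, 3, 15)          # fixed "now" so the walkthrough is reproducible
NEW_DOMAIN_DAYS = 30               # constructed threshold for "recently registered"
BULLETPROOF_ASNS = {"AS12345"}     # constructed; maintain from your ASN reputation source


@dataclass(frozen=True)
class PassiveDnsRecord:
    domain: str
    ip: str
    first_seen: date
    last_seen: Optional[date]      # None = still resolving to this IP


@dataclass(frozen=True)
class DomainFacts:
    created: date                  # WHOIS creation date
    privacy_protected: bool        # e.g. "WhoisGuard Protected" registrant
    has_mx: bool                   # dig <domain> MX returned records
    has_spf: bool                  # a v=spf1 TXT record exists
    asn: str                       # ASN of the A record's IP


# Constructed sample data (not real passive DNS output).
PASSIVE_DNS = [
    PassiveDnsRecord("evil-login.com",     "192.168.100.50", date(2024, 3, 1),  None),
    PassiveDnsRecord("secure-banking.net", "192.168.100.50", date(2024, 2, 15), None),
    PassiveDnsRecord("account-verify.org", "192.168.100.50", date(2024, 2, 20), None),
    # Resolved to the IP long before the seed did: a much weaker link.
    PassiveDnsRecord("old-blog.example",   "192.168.100.50", date(2023, 6, 1),  date(2023, 12, 31)),
]
FACTS = {
    "evil-login.com":   DomainFacts(date(2024, 3, 1), True,  False, False, "AS12345"),
    "old-blog.example": DomainFacts(date(2019, 4, 2), False, True,  True,  "AS64496"),
}


def _window_overlaps(a: PassiveDnsRecord, b: PassiveDnsRecord, as_of: date) -> bool:
    """True if both domains resolved to the IP during a common period."""
    a_end = a.last_seen or as_of
    b_end = b.last_seen or as_of
    return a.first_seen <= b_end and b.first_seen <= a_end


def pivot_on_ip(seed: str, records, as_of: date = AS_OF) -> dict:
    """Step 3 pivot: for each IP the seed used, the domains co-hosted at the same time."""
    pivots = {}
    for s in (r for r in records if r.domain == seed):
        pivots[s.ip] = sorted({
            r.domain for r in records
            if r.ip == s.ip and r.domain != seed and _window_overlaps(s, r, as_of)
        })
    return pivots


def score_domain(domain: str, facts: DomainFacts, as_of: date = AS_OF) -> list:
    """Apply the walkthrough's red flags (Steps 1, 2 and 5); returns the flags that fired."""
    flags = []
    if as_of - facts.created <= timedelta(days=NEW_DOMAIN_DAYS):
        flags.append("recently registered")
    if facts.privacy_protected:
        flags.append("privacy-protected registrant")
    if not facts.has_mx:
        flags.append("no MX (not used for email)")
    if not facts.has_spf:
        flags.append("no SPF (not a legitimate sender)")
    if facts.asn in BULLETPROOF_ASNS:
        flags.append("hosted on bulletproof ASN")
    return flags


if __name__ == "__main__":
    for ip, domains in pivot_on_ip("evil-login.com", PASSIVE_DNS).items():
        print(f"{ip}: co-hosted with {domains}")
    for name, facts in FACTS.items():
        print(f"{name}: {score_domain(name, facts)}")
```

The overlap test is what keeps a pivot honest: a domain that sat on the same IP a year earlier is a lead, not evidence of the same actor.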

Subdomain Enumeration:

Subdomain Discovery Techniques:

CERTIFICATE TRANSPARENCY:
┌─────────────────────────────────────────────────────────────┐
│ Tool: crt.sh                                                │
│ Query: %.targetdomain.com                                   │
│                                                             │
│ Finds: All certificates ever issued for subdomains          │
│ Value: Discovers dev, staging, internal subdomains          │
└─────────────────────────────────────────────────────────────┘

DNS BRUTE FORCE:
┌─────────────────────────────────────────────────────────────┐
│ Tool: Amass, Sublist3r, dnsenum                             │
│                                                             │
│ $ amass enum -d targetdomain.com                            │
│                                                             │
│ Technique: Tests common subdomain names                     │
│ Wordlists: Common names (www, mail, vpn, dev, staging)      │
└─────────────────────────────────────────────────────────────┘

SEARCH ENGINE:
┌─────────────────────────────────────────────────────────────┐
│ Google: site:*.targetdomain.com                             │
│                                                             │
│ Discovers: Indexed subdomains                               │
│ Limitation: Only publicly linked/indexed                    │
└─────────────────────────────────────────────────────────────┘

PASSIVE SOURCES:
┌─────────────────────────────────────────────────────────────┐
│ Sources: SecurityTrails, DNSdumpster, VirusTotal            │
│                                                             │
│ Value: Historical subdomains, no active scanning            │
│ Benefit: Stealthy, won't alert target                       │
└─────────────────────────────────────────────────────────────┘

Defensive Application:
- Enumerate YOUR subdomains before adversaries do
- Find forgotten/exposed development systems
- Identify shadow IT
- Verify DNS hygiene
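Enumerating your own subdomains from Certificate Transparency, as an added example that is not part of the course material: the JSON is constructed in the shape of crt.sh's ?q=%.targetdomain.com&output=json response (fields name_value, common_name, issuer_name, not_before, not_after); the function names (parse_crt_sh, review) and the non-production label list are this example's own.

```python
"""Turn crt.sh JSON into a subdomain inventory for your own domain.

Added example, not part of the course material. The JSON below is constructed
in the shape of crt.sh's ?output=json response; the function names
(parse_crt_sh, review) and the "sensitive label" list are this example's own.
"""
import json
import re
from datetime import datetime

APEX = "targetdomain.com"
AS_OF = datetime(2024, 3, 15)      # fixed "now" so the walkthrough is reproducible

# Constructed sample; real output has many more entries and extra fields.
CRT_SH_JSON = json.dumps([
    {"id": 1, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "www.targetdomain.com",
     "name_value": "targetdomain.com\nwww.targetdomain.com",
     "not_before": "2024-01-10T00:00:00", "not_after": "2024-04-09T23:59:59"},
    {"id": 2, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "staging.targetdomain.com",
     "name_value": "staging.targetdomain.com",
     "not_before": "2023-02-01T00:00:00", "not_after": "2023-05-01T23:59:59"},
    {"id": 3, "issuer_name": "C=XX, O=Example CA, CN=Example Issuing CA",
     "common_name": "*.dev.targetdomain.com",
     "name_value": "*.dev.targetdomain.com\ndev.targetdomain.com",
     "not_before": "2023-11-01T00:00:00", "not_after": "2024-11-01T23:59:59"},
    {"id": 4, "issuer_name": "C=XX, O=Example CA, CN=Example Issuing CA",
     "common_name": "vpn.TARGETDOMAIN.com",
     "name_value": "vpn.TARGETDOMAIN.com\nvpn.otherdomain.net",
     "not_before": "2024-02-01T00:00:00", "not_after": "2025-02-01T23:59:59"},
])

# Labels that usually mean a non-production system (the dev/staging/internal finds).
SENSITIVE_LABEL = re.compile(r"^(?:dev|staging|test|uat|internal|admin)(?:$|[.-])", re.I)


def parse_crt_sh(raw: str, apex: str, as_of: datetime) -> dict:
    """Map every in-scope hostname to its latest certificate expiry and flags.

    name_value holds one SAN per line; wildcard entries are recorded against
    their base name, and SANs for unrelated domains are dropped as out of scope.
    """
    apex = apex.lower()
    suffix = "." + apex
    hosts = {}
    for entry in json.loads(raw):
        not_after = datetime.fromisoformat(entry["not_after"])
        for name in entry["name_value"].split("\n"):
            name = name.strip().lower()
            wildcard = name.startswith("*.")
            if wildcard:
                name = name[2:]
            if not name or (name != apex and not name.endswith(suffix)):
                continue
            rec = hosts.setdefault(name, {"latest_expiry": not_after, "wildcard_only": True})
            rec["latest_expiry"] = max(rec["latest_expiry"], not_after)
            rec["wildcard_only"] = rec["wildcard_only"] and wildcard
    for name, rec in hosts.items():
        label = name[:-len(suffix)] if name != apex else ""
        rec["expired"] = rec["latest_expiry"] < as_of      # no current cert: forgotten system?
        rec["sensitive"] = bool(SENSITIVE_LABEL.match(label))
    return hosts


def review(hosts: dict) -> list:
    """Hosts to check first: non-production names, or names whose certs have all expired."""
    return sorted(h for h, r in hosts.items() if r["expired"] or r["sensitive"])


if __name__ == "__main__":
    inventory = parse_crt_sh(CRT_SH_JSON, APEX, AS_OF)
    for host, rec in sorted(inventory.items()):
        print(f"{host:28} expires {rec['latest_expiry']:%Y-%m-%d}"
              f"{'  EXPIRED' if rec['expired'] else ''}"
              f"{'  non-prod label' if rec['sensitive'] else ''}")
    print("review first:", review(inventory))
```

A host whose certificates have all expired is exactly the forgotten development system the defensive list above warns about: it still resolves to something, but nobody is maintaining it.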

IP and ASN Analysis:

IP/ASN Investigation:

ASN INTELLIGENCE:
┌─────────────────────────────────────────────────────────────┐
│ What to check:                                              │
│ - ASN owner (legitimate ISP vs. bulletproof host)           │
│ - Country of registration                                   │
│ - Reputation of ASN                                         │
│ - Other malicious activity from same ASN                    │
│                                                             │
│ Tools: BGP Ranking, Robtex, Hurricane Electric BGP          │
│                                                             │
│ Red Flags:                                                  │
│ - Known bulletproof hosting ASNs                            │
│ - High ratio of malicious IPs in ASN                        │
│ - ASN in countries with weak cybercrime enforcement         │
└─────────────────────────────────────────────────────────────┘

IP REPUTATION:
┌─────────────────────────────────────────────────────────────┐
│ Sources:                                                    │
│ - VirusTotal: Community votes, historical detections        │
│ - AbuseIPDB: Reported abuse, confidence score               │
│ - GreyNoise: Internet scanning/noise context                │
│ - Talos Intelligence: Reputation score                      │
│                                                             │
│ Context Matters:                                            │
│ - Cloud IPs may have shared reputation                      │
│ - Historical malicious ≠ currently malicious                │
│ - Legitimate services can be abused                         │
└─────────────────────────────────────────────────────────────┘

PORT/SERVICE FINGERPRINTING:
┌─────────────────────────────────────────────────────────────┐
│ Shodan Queries:                                             │
│ - "Cobalt Strike" beacon detection                          │
│ - ssl.jarm:specific_jarm_hash                               │
│ - http.title:"specific page title"                          │
│ - product:"specific software"                               │
│                                                             │
│ Value:                                                      │
│ - Find C2 infrastructure by fingerprint                     │
│ - Discover infrastructure before it's used                  │
│ - Track adversary tool preferences                          │
└─────────────────────────────────────────────────────────────┘

Key insight: Infrastructure patterns are harder to change than individual indicators. An adversary might rotate IPs daily but use the same hosting provider for months.

4) Social Media and Dark Web Intelligence

Social media and underground forums provide unique insights into threat actor activities and emerging threats:

Social Media Intelligence (SOCMINT):

SECURITY RESEARCHER COMMUNITY:
┌─────────────────────────────────────────────────────────────┐
│ Platform: Twitter/X                                         │
│                                                             │
│ Value:                                                      │
│ - Real-time threat discovery                                │
│ - Malware sample sharing                                    │
│ - Vulnerability disclosure                                  │
│ - IOC sharing                                               │
│ - Technique discussions                                     │
│                                                             │
│ Key Accounts: Follow security researchers, vendors,         │
│ incident responders, malware analysts                       │
│                                                             │
│ Searches:                                                   │
│ - #threatintel #malware #ransomware                         │
│ - Specific malware family names                             │
│ - CVE numbers                                               │
│ - Threat actor names                                        │
└─────────────────────────────────────────────────────────────┘

THREAT ACTOR ACTIVITY:
┌─────────────────────────────────────────────────────────────┐
│ Platforms: Telegram, Discord, Forums                        │
│                                                             │
│ Observable Activity:                                        │
│ - Ransomware group announcements                            │
│ - Data leak postings                                        │
│ - Tool/service advertisements                               │
│ - Recruitment posts                                         │
│ - Operational discussions (rare but valuable)               │
│                                                             │
│ Caution:                                                    │
│ - Observe only, don't participate                           │
│ - Screenshot and archive                                    │
│ - Maintain operational security                             │
│ - Legal/policy considerations                               │
└─────────────────────────────────────────────────────────────┘

LINKEDIN INTELLIGENCE:
┌─────────────────────────────────────────────────────────────┐
│ Value:                                                      │
│ - Organizational research                                   │
│ - Technology stack discovery                                │
│ - Employee identification (for social engineering risk)     │
│ - Vendor/partner relationships                              │
│                                                             │
│ Defensive Use:                                              │
│ - Identify what adversaries could learn about you           │
│ - Find exposed sensitive information                        │
│ - Assess social engineering risk                            │
└─────────────────────────────────────────────────────────────┘

Dark Web Monitoring:

Dark Web Intelligence:

WHAT'S ON THE DARK WEB:
┌─────────────────────────────────────────────────────────────┐
│ - Ransomware leak sites (victim data)                       │
│ - Stolen credential markets                                 │
│ - Malware/tool marketplaces                                 │
│ - Hacking forums and communities                            │
│ - Data breach dumps                                         │
│ - Initial access broker listings                            │
│ - Corporate data for sale                                   │
└─────────────────────────────────────────────────────────────┘

MONITORING APPROACHES:

In-House Monitoring:
┌─────────────────────────────────────────────────────────────┐
│ Requirements:                                               │
│ - Tor browser and infrastructure                            │
│ - Trained analysts                                          │
│ - Operational security measures                             │
│ - Legal/policy approval                                     │
│                                                             │
│ Pros: Direct access, flexibility, no vendor filter          │
│ Cons: Resource intensive, risk, expertise needed            │
└─────────────────────────────────────────────────────────────┘

Commercial Services:
┌─────────────────────────────────────────────────────────────┐
│ Providers: Recorded Future, Flashpoint, Intel 471,          │
│            DarkOwl, Searchlight                             │
│                                                             │
│ Services:                                                   │
│ - Credential monitoring                                     │
│ - Brand mention alerts                                      │
│ - Data leak detection                                       │
│ - Threat actor tracking                                     │
│                                                             │
│ Pros: Safer, broader coverage, processed data               │
│ Cons: Cost, potential gaps, delayed reporting               │
└─────────────────────────────────────────────────────────────┘

RANSOMWARE LEAK SITES:
┌─────────────────────────────────────────────────────────────┐
│ What to Monitor:                                            │
│ - Your organization name (obvious)                          │
│ - Partners and suppliers (supply chain)                     │
│ - Competitors (industry trends)                             │
│ - Sector peers (targeting patterns)                         │
│                                                             │
│ Value:                                                      │
│ - Early warning of sector targeting                         │
│ - Ransomware group activity patterns                        │
│ - Negotiation outcomes (inform your planning)               │
│ - Stolen data exposure (if you're a victim)                 │
└─────────────────────────────────────────────────────────────┘

Credential and Breach Monitoring:

Credential Exposure Monitoring:

LEGITIMATE SOURCES:
┌─────────────────────────────────────────────────────────────┐
│ Have I Been Pwned (HIBP):                                   │
│ - Free API for domain monitoring                            │
│ - Email/password exposure checking                          │
│ - Breach notification service                               │
│ - Legitimate aggregation of breach data                     │
│                                                             │
│ Commercial: SpyCloud, Recorded Future, Constella            │
│ - Deeper breach database access                             │
│ - Password hash analysis                                    │
│ - Automated monitoring                                      │
└─────────────────────────────────────────────────────────────┘

MONITORING STRATEGY:
┌─────────────────────────────────────────────────────────────┐
│ Monitor:                                                    │
│ - Corporate email domains                                   │
│ - Executive names/personal emails                           │
│ - IT administrator accounts                                 │
│ - Service accounts (if identifiable)                        │
│ - Vendor/partner related accounts                           │
│                                                             │
│ Actions When Found:                                         │
│ - Force password reset                                      │
│ - Review account activity                                   │
│ - Check for credential reuse                                │
│ - Implement MFA if not present                              │
│ - Alert affected user                                       │
└─────────────────────────────────────────────────────────────┘

PASTE SITE MONITORING:
┌─────────────────────────────────────────────────────────────┐
│ Sites: Pastebin, GitHub Gists, paste.ee, etc.               │
│                                                             │
│ Monitor For:                                                │
│ - Company name mentions                                     │
│ - Domain/email exposure                                     │
│ - API keys and credentials                                  │
│ - Internal document leaks                                   │
│                                                             │
│ Tools: Pastebin alerts, custom scrapers, commercial tools   │
└─────────────────────────────────────────────────────────────┘

Key insight: Dark web monitoring is about early warning, not prevention. If your data is on the dark web, a breach has already occurred—the goal is rapid detection and response.
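The paste-site and credential monitoring described above, as an added example (not course material): a scanner that runs the watch list over a paste body and maps each finding category to the "Actions When Found" list. The watch domains, the sample paste and the non-email actions are constructed assumptions; the AWS key is Amazon's public documentation example.

```python
import re

# Constructed watch list: the organization's own domain and one supplier domain.
WATCH_DOMAINS = ("example-corp.test", "partner-supplier.test")

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@([A-Za-z0-9.-]+\.[A-Za-z]{2,})")
# AWS access key IDs are publicly documented as "AKIA" + 16 uppercase alphanumerics.
AWS_KEY_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
# Broad heuristic for "name = value" secrets; expect some false positives.
SECRET_RE = re.compile(r"(?i)(api[_-]?key|secret|password)\s*[:=]\s*\S+")

# Response actions. The watched_email list is the page's "Actions When Found";
# the other three lists are assumed standard handling for that finding type.
ACTIONS = {
    "watched_email": ["force password reset", "review account activity",
                      "check for credential reuse", "enforce MFA", "alert affected user"],
    "aws_access_key": ["rotate the key", "review recent use of the key"],
    "generic_secret": ["identify the owning system", "rotate the secret"],
    "domain_mention": ["review surrounding text for internal data exposure"],
}

def _watched(domain, watch_domains):
    return any(domain == w or domain.endswith("." + w) for w in watch_domains)

def scan_paste(text, watch_domains=WATCH_DOMAINS):
    """Return (category, match, line_no) findings for one paste body."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        hit_watched = False
        for m in EMAIL_RE.finditer(line):
            if _watched(m.group(1).lower(), watch_domains):
                findings.append(("watched_email", m.group(0), line_no))
                hit_watched = True
        for m in AWS_KEY_RE.finditer(line):
            findings.append(("aws_access_key", m.group(0), line_no))
        for m in SECRET_RE.finditer(line):
            findings.append(("generic_secret", m.group(1).lower(), line_no))
        if not hit_watched:  # bare domain mention, only when no watched e-mail hit already
            for w in watch_domains:
                if w in line.lower():
                    findings.append(("domain_mention", w, line_no))
    return findings

def triage(findings):
    """Map the categories seen in a paste to their response actions."""
    return {cat: ACTIONS[cat] for cat in sorted({f[0] for f in findings})}

# Constructed paste body; the AWS key is Amazon's documentation example, not a live key.
SAMPLE_PASTE = """\
# dump from old server
admin@example-corp.test:Winter2023!
jsmith@webmail.test:hunter2
AWS_KEY=AKIAIOSFODNN7EXAMPLE
db_password: Summer2024
see also https://intranet.example-corp.test/backup
"""
```

Running `scan_paste(SAMPLE_PASTE)` reports the watched e-mail on line 2, the key on line 4, the secret on line 5 and the bare domain mention on line 6, while the third-party e-mail on line 3 is ignored.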

5) OSINT Operational Security and Ethics

Effective OSINT requires protecting your own operational security while respecting legal and ethical boundaries:

Operational Security (OPSEC) for OSINT:

WHY OPSEC MATTERS:
┌─────────────────────────────────────────────────────────────┐
│ - Adversaries may monitor who's researching them            │
│ - Web servers log visitor IP addresses                      │
│ - Search queries can be tracked                             │
│ - Account creation leaves traces                            │
│ - Revealing investigation can tip off targets               │
└─────────────────────────────────────────────────────────────┘

OPSEC MEASURES:

Network Level:
┌─────────────────────────────────────────────────────────────┐
│ - VPN for general research                                  │
│ - Tor for sensitive investigations                          │
│ - Separate network/machine for OSINT                        │
│ - Don't use corporate network for adversary research        │
│ - Consider residential proxies for social media             │
└─────────────────────────────────────────────────────────────┘

Account Level:
┌─────────────────────────────────────────────────────────────┐
│ - Sock puppet accounts (not linked to real identity)        │
│ - Dedicated email addresses                                 │
│ - Phone numbers not linked to organization                  │
│ - Consistent personas (don't mix identities)                │
│ - Assume accounts may be compromised                        │
└─────────────────────────────────────────────────────────────┘

Browser Level:
┌─────────────────────────────────────────────────────────────┐
│ - Dedicated browser profile for OSINT                       │
│ - Clear cookies between investigations                      │
│ - Disable JavaScript for sensitive sites                    │
│ - Use browser fingerprint protection                        │
│ - Don't log into personal accounts                          │
└─────────────────────────────────────────────────────────────┘

Physical/Behavioral:
┌─────────────────────────────────────────────────────────────┐
│ - Separate machine or VM for OSINT                          │
│ - Don't discuss active investigations publicly              │
│ - Screenshot everything (sites may disappear)               │
│ - Document your methodology                                 │
│ - Know when to stop (don't chase every lead)                │
└─────────────────────────────────────────────────────────────┘

Legal and Ethical Considerations:

Legal Boundaries:

GENERALLY LEGAL:
┌─────────────────────────────────────────────────────────────┐
│ ✓ Searching public websites                                 │
│ ✓ Viewing public social media profiles                      │
│ ✓ Using search engines                                      │
│ ✓ Checking breach notification services (HIBP)              │
│ ✓ Reviewing public records and databases                    │
│ ✓ Analyzing publicly posted malware samples                 │
│ ✓ Passive reconnaissance (no active probing)                │
└─────────────────────────────────────────────────────────────┘

LEGAL GRAY AREAS:
┌─────────────────────────────────────────────────────────────┐
│ ⚠️ Violating Terms of Service (scraping, fake accounts)     │
│ ⚠️ Accessing breach data from unofficial sources            │
│ ⚠️ Active scanning of infrastructure you don't own          │
│ ⚠️ Creating fake profiles to connect with targets           │
│ ⚠️ Automated scraping of social media                       │
│ ⚠️ Downloading data from leak sites                         │
│                                                             │
│ Guidance: Consult legal counsel, document decisions         │
└─────────────────────────────────────────────────────────────┘

ILLEGAL (Do Not Do):
┌─────────────────────────────────────────────────────────────┐
│ ✗ Accessing systems without authorization                   │
│ ✗ Bypassing authentication or access controls               │
│ ✗ Purchasing stolen credentials or data                     │
│ ✗ Hacking into accounts or systems                          │
│ ✗ Impersonating law enforcement                             │
│ ✗ Stalking or harassment                                    │
│ ✗ Violating privacy laws (GDPR, etc.)                       │
└─────────────────────────────────────────────────────────────┘

ETHICAL CONSIDERATIONS:
┌─────────────────────────────────────────────────────────────┐
│ - Minimize collection of non-relevant personal data         │
│ - Protect privacy of uninvolved individuals                 │
│ - Consider impact of your investigation                     │
│ - Don't publish information that could cause harm           │
│ - Report illegal content appropriately                      │
│ - Document and justify your methodology                     │
│ - Follow organizational policies                            │
└─────────────────────────────────────────────────────────────┘

Documentation and Attribution:

Documenting OSINT Investigations:

DOCUMENTATION REQUIREMENTS:
┌─────────────────────────────────────────────────────────────┐
│ Document for Each Finding:                                  │
│ - Date and time of collection                               │
│ - Source URL or location                                    │
│ - Method used to find information                           │
│ - Screenshot or archive                                     │
│ - Hash of downloaded files                                  │
│ - Analyst who collected                                     │
│ - Relevance to investigation                                │
└─────────────────────────────────────────────────────────────┘

ARCHIVING EVIDENCE:
┌─────────────────────────────────────────────────────────────┐
│ Methods:                                                    │
│ - Screenshots with timestamps (system clock visible)        │
│ - Archive.org saves (wayback machine)                       │
│ - Archive.today snapshots                                   │
│ - Local HTML saves                                          │
│ - PDF prints of web pages                                   │
│                                                             │
│ Why: Websites change, content disappears                    │
│ Legal: May need evidence for legal proceedings              │
└─────────────────────────────────────────────────────────────┘

INVESTIGATION LOGGING:
┌─────────────────────────────────────────────────────────────┐
│ Maintain Investigation Log:                                 │
│                                                             │
│ 2024-03-15 09:00 - Started investigation of domain X        │
│ 2024-03-15 09:15 - WHOIS lookup via whois.com               │
│ 2024-03-15 09:30 - Passive DNS query on VirusTotal          │
│ 2024-03-15 10:00 - Found related domain Y                   │
│ 2024-03-15 10:15 - Shodan query for IP 192.168.x.x          │
│ ...                                                         │
│                                                             │
│ Value: Reproducibility, legal defensibility, knowledge      │
│        transfer, methodology improvement                    │
└─────────────────────────────────────────────────────────────┘

Key insight: Good OSINT is defensible OSINT. Document everything so you can explain and justify your methodology.
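The documentation checklist and investigation log above, as an added example (not course material): each finding is recorded with the listed fields, including a SHA-256 of the archived content, and the log chains entry hashes so a later edit is detectable. Hash chaining is an added integrity measure, and the source URLs, analyst name and timeline are constructed.

```python
import hashlib
import json
from datetime import datetime, timezone

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def make_finding(collected_at, source, method, content, analyst, relevance):
    """One evidence record with the fields the documentation checklist lists."""
    return {
        "collected_at": collected_at.astimezone(timezone.utc).isoformat(),
        "source": source,
        "method": method,
        "content_sha256": sha256_hex(content),  # hash of the archived page or file
        "analyst": analyst,
        "relevance": relevance,
    }

class InvestigationLog:
    """Append-only log; each entry stores the previous entry's hash (added integrity
    measure, not from the course page) so tampering breaks verification."""

    def __init__(self):
        self.entries = []

    @staticmethod
    def _hash(entry):
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        return sha256_hex(json.dumps(body, sort_keys=True).encode())

    def append(self, record):
        prev = self.entries[-1]["entry_hash"] if self.entries else "0" * 64
        entry = dict(record, prev_hash=prev)
        entry["entry_hash"] = self._hash(entry)
        self.entries.append(entry)
        return entry["entry_hash"]

    def verify(self):
        prev = "0" * 64
        for e in self.entries:
            if e["prev_hash"] != prev or self._hash(e) != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True

def build_sample_log():
    """Constructed log following the page's timeline; placeholders stand in for real data."""
    log = InvestigationLog()
    t = lambda h, m: datetime(2024, 3, 15, h, m, tzinfo=timezone.utc)
    log.append(make_finding(t(9, 15), "https://whois.example/lookup?q=domain-x.test",
                            "WHOIS lookup", b"<constructed whois output>", "analyst1",
                            "registrar and creation date of domain X"))
    log.append(make_finding(t(9, 30), "https://pdns.example/domain-x.test",
                            "passive DNS query", b"<constructed pdns output>", "analyst1",
                            "historical resolutions of domain X"))
    log.append(make_finding(t(10, 0), "https://pdns.example/domain-y.test",
                            "passive DNS pivot", b"<constructed pdns output>", "analyst1",
                            "domain Y shares hosting with domain X"))
    return log
```

`build_sample_log().verify()` returns True; changing any stored field afterwards makes it return False.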

Real-World Context

Case Study: Tracking Ransomware Infrastructure

A threat analyst received an IP address from a ransomware incident. Starting with this single indicator, OSINT expanded the picture: Shodan revealed it was a VPS running nginx with a specific configuration pattern. Passive DNS showed five other domains resolving to the same IP over two months. Certificate transparency revealed the adversary registered certificates for all domains within 24-hour windows. WHOIS showed consistent registration patterns—same registrar, privacy protection, registration clustering. This infrastructure fingerprint enabled the analyst to proactively discover new ransomware infrastructure before it was used in attacks, providing early warning to the security community.

Case Study: Threat Actor OPSEC Failure

Security researchers tracked a cybercriminal who made a critical mistake: they used their personal email address when registering an early domain. This email, linked to social media accounts, revealed their real identity. Their Telegram account (found through username patterns) showed them advertising malware services. GitHub commits under a related username contained code fragments matching their malware. LinkedIn revealed their professional background. The entire profile was built from public information—no hacking required. This led to law enforcement action and demonstrated how OSINT connects dots across platforms.

OSINT Resource Quick Reference:

Quick Reference - Top OSINT Resources:

INFRASTRUCTURE:
- Shodan.io          - Internet device search
- Censys.io          - Internet scanning data
- VirusTotal.com     - File/URL/IP analysis
- SecurityTrails.com - DNS history
- crt.sh             - Certificate transparency

SOCIAL/PEOPLE:
- Twitter/X          - Real-time threat intel
- LinkedIn           - Organizational research
- GitHub             - Code and credential search
- hunter.io          - Email discovery

REPUTATION:
- AbuseIPDB.com      - IP abuse reports
- URLhaus.abuse.ch   - Malicious URL database
- MalwareBazaar      - Malware samples

HISTORICAL:
- web.archive.org    - Wayback Machine
- archive.today      - Page archiving
- Google cache       - Cached pages

AGGREGATORS:
- IntelX.io          - Search engine for leaks
- OSINT Framework    - osintframework.com
- Maltego            - Link analysis

OSINT is a fundamental skill that enhances all other threat intelligence capabilities. Master it, and you'll find information others miss.

Guided Lab: Infrastructure Investigation

In this lab, you'll conduct a comprehensive OSINT investigation starting from a single indicator.

Lab Environment:

  • Web browser with OSINT bookmarks
  • Starting indicator (domain or IP)
  • Investigation template
  • Screenshot tool

Exercise Steps:

  1. Start with provided indicator
  2. Perform WHOIS analysis
  3. Query passive DNS sources
  4. Check certificate transparency
  5. Analyze with Shodan/Censys
  6. Search for related domains
  7. Check reputation sources
  8. Document all findings with evidence
  9. Map relationships between discovered entities
  10. Produce investigation summary
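The pivot chain in the ransomware case study (passive DNS, certificate transparency, WHOIS) and lab steps 2 to 9 above, as one added example (not course material): from a seed IP it collects co-hosted domains, groups their certificate issuance into 24-hour bursts and summarises registration consistency. The records and the address ranges are constructed; the ranges are the RFC 5737 documentation blocks.

```python
from datetime import datetime, timedelta

# Constructed sample data standing in for passive DNS, certificate transparency and
# WHOIS results. 203.0.113.0/24 and 198.51.100.0/24 are documentation address ranges.
PDNS = [  # (domain, ip, first_seen)
    ("pay-portal-secure.test", "203.0.113.10", "2024-01-05"),
    ("invoice-update.test", "203.0.113.10", "2024-01-20"),
    ("doc-share-login.test", "203.0.113.10", "2024-02-02"),
    ("unrelated-blog.test", "198.51.100.7", "2024-01-10"),
]
CT = [  # (domain, certificate not_before)
    ("pay-portal-secure.test", "2024-01-05T08:00:00"),
    ("invoice-update.test", "2024-01-05T19:30:00"),
    ("doc-share-login.test", "2024-02-02T10:00:00"),
    ("unrelated-blog.test", "2024-01-10T12:00:00"),
]
WHOIS = {  # domain -> (registrar, privacy_protected)
    "pay-portal-secure.test": ("Registrar-A", True),
    "invoice-update.test": ("Registrar-A", True),
    "doc-share-login.test": ("Registrar-A", True),
    "unrelated-blog.test": ("Registrar-B", False),
}

def domains_on_ip(pdns, ip):
    """Passive DNS pivot: every domain seen resolving to the IP."""
    return sorted({d for d, rec_ip, _ in pdns if rec_ip == ip})

def cert_bursts(ct, domains, window_hours=24):
    """Group certificate issuance for `domains` into bursts in which each
    issuance follows the previous one by at most window_hours."""
    events = sorted((datetime.fromisoformat(t), d) for d, t in ct if d in domains)
    bursts, current = [], []
    for t, d in events:
        if current and t - current[-1][0] > timedelta(hours=window_hours):
            bursts.append([x[1] for x in current])
            current = []
        current.append((t, d))
    if current:
        bursts.append([x[1] for x in current])
    return bursts

def whois_pattern(whois, domains):
    """Registration consistency across the cluster: registrars and privacy count."""
    return {"registrars": sorted({whois[d][0] for d in domains}),
            "privacy_protected": sum(1 for d in domains if whois[d][1]),
            "total": len(domains)}

def fingerprint(pdns, ct, whois, seed_ip):
    """Build the infrastructure fingerprint starting from a single seed IP."""
    related = domains_on_ip(pdns, seed_ip)
    return {"seed_ip": seed_ip, "related_domains": related,
            "cert_bursts": cert_bursts(ct, set(related)),
            "whois": whois_pattern(whois, related)}
```

For the seed 203.0.113.10 the result lists three co-hosted domains, two of them with certificates issued within the same 24-hour window, all at one registrar with privacy protection, while the unrelated domain on the other IP is left out.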

Reflection Questions:

  • What pivot points were most valuable?
  • What patterns did you discover?
  • How confident are you in your conclusions?

Week Outcome Check

By the end of this week, you should be able to:

  • Define OSINT and its role in threat intelligence
  • Apply systematic OSINT methodology to investigations
  • Use advanced search operators effectively
  • Conduct infrastructure reconnaissance using multiple sources
  • Leverage social media for threat intelligence
  • Understand dark web monitoring approaches
  • Maintain operational security during OSINT activities
  • Navigate legal and ethical considerations

🎯 Hands-On Labs (Free & Essential)

Practice OSINT workflows before moving to reading resources.

🎮 TryHackMe: OH SINT

What you'll do: Conduct an OSINT investigation and correlate public clues.
Why it matters: Builds practical OSINT analysis habits.
Time estimate: 1-2 hours

Start TryHackMe OH SINT →

🔍 urlscan.io: Infrastructure Pivoting

What you'll do: Pivot from domains to related hosts and fingerprints.
Why it matters: Infrastructure mapping reveals adversary relationships.
Time estimate: 60-90 minutes

Open urlscan.io →

📝 Lab Exercise: OSINT Dossier

Task: Build a dossier on one domain using WHOIS, CT logs, and metadata.
Deliverable: One-page summary with sources and confidence notes.
Why it matters: Structured reporting makes OSINT actionable.
Time estimate: 90-120 minutes

Open crt.sh →

🧩 Lab: Vendor Exposure OSINT

What you'll do: Map a supplier's tech stack and public exposure signals.
Deliverable: Exposure notes with sources and confidence ratings.
Why it matters: Supply chain risk starts with open-source visibility.
Time estimate: 60-90 minutes

💡 Lab Tip: Track sources for every claim so your OSINT is defensible.

🧩 Supply Chain OSINT

OSINT can reveal vendor exposures, outdated components, and leaked credentials that create downstream risk.

Supply chain OSINT focus:
- Vendor technology stack signals
- Publicly exposed repos or buckets
- Certificate transparency trends
- Third-party breach disclosures

📚 Building on CSY101 Week-14: Map exposure findings to control gaps.

Resources

Lab

Complete the following lab exercises to practice OSINT techniques for threat intelligence.

Part 1: Google Dorking (LO5)

Using advanced Google operators, find: (a) publicly exposed configuration files on a target domain, (b) PDF documents containing specific terms, (c) subdirectories and admin pages. Document your queries and findings.

Deliverable: Google dork query list with results and analysis of what each reveals.

Part 2: Infrastructure Mapping (LO5)

Starting from a provided domain, map the infrastructure: (a) WHOIS data, (b) DNS records, (c) passive DNS history, (d) SSL certificates, (e) hosting information, (f) related domains.

Deliverable: Infrastructure map document with relationship diagram and evidence screenshots.

Part 3: Social Media Intelligence (LO5)

Research a public threat actor or security topic using social media sources: (a) Twitter/X researcher discussions, (b) GitHub repositories, (c) blog posts and articles. Synthesize findings.

Deliverable: SOCMINT summary report with source citations.

Part 4: Credential Exposure Check (LO5)

For a provided (fictional) organization: (a) check domain exposure on HIBP, (b) search for exposed credentials/keys on GitHub, (c) check paste sites for mentions, (d) assess overall exposure risk.

Deliverable: Credential exposure assessment with recommendations.

Part 5: Full Investigation (LO5)

Conduct a complete OSINT investigation from a starting indicator to a comprehensive threat assessment: (a) follow methodology, (b) document all pivots, (c) archive evidence, (d) produce intelligence summary.

Deliverable: Complete OSINT investigation report with methodology log and evidence package.

Week 08 Quiz

Test your understanding of Open Source Intelligence (OSINT).

Format: 10 multiple-choice questions. Passing score: 70%. Time: Untimed.


Checkpoint Questions

  1. What distinguishes OSINT from other forms of intelligence collection? What are its primary advantages and limitations?
  2. Describe the OSINT methodology. Why is systematic process important rather than ad-hoc searching?
  3. What are three techniques for infrastructure reconnaissance and what does each reveal?
  4. How can social media be leveraged for threat intelligence? What platforms are most valuable and why?
  5. What operational security measures should analysts take during OSINT investigations? Why are these important?
  6. Where is the line between legal OSINT and illegal activity? What gray areas exist and how should analysts handle them?

Weekly Reflection

OSINT is often called the "first resort" of intelligence—freely available, immediately accessible, and frequently revealing more than expected. This week explored how to harness public information effectively and ethically.

Reflect on the following in 200-300 words:

A strong reflection demonstrates understanding of OSINT as both an offensive reconnaissance and defensive intelligence tool, with appropriate consideration of ethical boundaries.
