Open Source Intelligence (OSINT): Tools and Techniques

Updated Feb 10, 2026

Open Source Intelligence (OSINT) is the practice of collecting data from publicly available sources to be analyzed and used for intelligence purposes. In the context of Cyber Threat Intelligence (CTI), OSINT is used to map adversary infrastructure, identify leaked credentials, and track threat actor discussions.

Key OSINT Tools for Analysts

While there are thousands of tools, a CTI analyst's toolkit typically revolves around these core platforms:

1. VirusTotal (The Repository)

Owned by Google, VirusTotal is a massive database of malware samples and URL scans.

  • Use Case: Checking if a file hash is malicious or finding all files communicating with a specific C2 domain.
  • Pivot: Analysts often pivot from a file hash to an IP address to map the Diamond Model.
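The hash-to-infrastructure pivot described above, as an added example that is not code from the original page or from VirusTotal: it takes relationship data in the shape of VirusTotal v3 relationship objects (a "data" list of {"type", "id"} entries under contacted_ips and contacted_domains), inverts it into an infrastructure-to-samples index, and emits Capability-to-Infrastructure edges for a Diamond Model sketch. All hashes, IPs and domains below are constructed placeholders (documentation ranges and the .invalid TLD), and a real workflow would fetch each report from the API before feeding it in.

```python
import json
from collections import defaultdict

# Constructed sample input (not real indicators): two SHA-256 placeholders and
# the contacted_ips / contacted_domains relationships a hash lookup might return.
# Shape mimics a VirusTotal v3 relationship object: {"data": [{"type", "id"}]}.
SAMPLE_HASH_A = "a" * 64  # placeholder SHA-256, not a real sample
SAMPLE_HASH_B = "b" * 64  # placeholder SHA-256, not a real sample

SAMPLE_RELATIONSHIPS_JSON = json.dumps({
    SAMPLE_HASH_A: {
        "contacted_ips": {"data": [
            {"type": "ip_address", "id": "192.0.2.10"},
            {"type": "ip_address", "id": "198.51.100.7"},
        ]},
        "contacted_domains": {"data": [
            {"type": "domain", "id": "c2.example.invalid"},
        ]},
    },
    SAMPLE_HASH_B: {
        "contacted_ips": {"data": [
            {"type": "ip_address", "id": "192.0.2.10"},
            {"type": "ip_address"},  # malformed entry with no id: skipped below
        ]},
        "contacted_domains": {"data": []},
    },
})

RELATIONSHIP_KEYS = ("contacted_ips", "contacted_domains")


def extract_infrastructure(report: dict) -> set[str]:
    """Return the set of IPs and domains one file report contacted.

    Entries without a non-empty string "id" are ignored rather than
    raising, so one odd record does not abort a batch pivot.
    """
    nodes = set()
    for key in RELATIONSHIP_KEYS:
        for item in report.get(key, {}).get("data", []):
            node = item.get("id")
            if isinstance(node, str) and node:
                nodes.add(node)
    return nodes


def build_pivot_index(raw_json: str) -> dict[str, set[str]]:
    """Invert hash -> infrastructure into infrastructure -> {hashes}."""
    reports = json.loads(raw_json)
    index = defaultdict(set)
    for file_hash, report in reports.items():
        for node in extract_infrastructure(report):
            index[node].add(file_hash)
    return dict(index)


def shared_infrastructure(index: dict[str, set[str]], min_samples: int = 2) -> list[str]:
    """Infrastructure contacted by at least min_samples distinct hashes.

    These are the pivot points: a node shared by several samples is the
    reason an analyst links those samples to one campaign.
    """
    return sorted(n for n, hashes in index.items() if len(hashes) >= min_samples)


def diamond_edges(raw_json: str) -> list[tuple[str, str]]:
    """Capability (sample hash) -> Infrastructure (IP/domain) edges."""
    reports = json.loads(raw_json)
    edges = []
    for file_hash, report in reports.items():
        for node in sorted(extract_infrastructure(report)):
            edges.append((file_hash, node))
    return edges


if __name__ == "__main__":
    idx = build_pivot_index(SAMPLE_RELATIONSHIPS_JSON)
    for node, hashes in sorted(idx.items()):
        print(f"{node:25} <- {len(hashes)} sample(s)")
    print("shared pivot points:", shared_infrastructure(idx))
    for capability, infrastructure in diamond_edges(SAMPLE_RELATIONSHIPS_JSON):
        print(f"Capability {capability[:8]}... -> Infrastructure {infrastructure}")
```

Running the block prints the index and the single shared node, 192.0.2.10, which is the pivot linking the two constructed samples; the malformed entry in the second report is silently dropped.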

2. Shodan (The Search Engine for IoT)

Unlike Google, which crawls web pages, Shodan crawls IP addresses and ports.

  • Use Case: Identifying vulnerable servers, open databases, or C2 servers running specific software versions.
  • Query Example: product:"Cobalt Strike Beacon" to find active C2 servers.

3. urlscan.io (The Sandbox)

A service that browses a website for you and takes a screenshot.

  • Use Case: Safely investigating a phishing link without clicking it on your own machine. It records the DOM, IP connections, and screenshots.

4. Wayback Machine (The Archive)

  • Use Case: Viewing a defaced website or retrieving a malicious payload that has been deleted from a server.

Passive vs. Active OSINT

  • Passive OSINT: You do not interact with the target directly (e.g., searching WHOIS records). This is safe and stealthy.
  • Active OSINT: You interact with the target (e.g., port scanning the adversary's server). This is risky and can alert the threat actor.

Warning: Always adhere to Traffic Light Protocol (TLP) limits when sharing OSINT findings, as even public data can reveal the scope of an investigation.