14 Best OSINT Tools We Use in Our SOC

In this digital age, pretty much every individual and organization leaves behind a trail of information about themselves on the internet. Their digital footprints become potential sources of intelligence that can be gathered without consent.

You may be aware that such information is out there, but collecting it is not as simple as just extracting whatever you want from the public internet. Gathering intelligence is a science – you need to understand how and where to look to find the relevant bits. This is where OSINT (Open Source Intelligence) tools come into play.

Open Source Intelligence tools help locate and assemble the required intelligence about a target from the complex web of interconnected networks. Since these tools are open source, they can be utilized by anyone – but they are most heavily used by hackers and security professionals who rely on such information daily.

These OSINT tools can be deployed for both offensive and defensive objectives depending on the user’s intent. As an information security practitioner, I aim to educate peers on the OSINT capabilities used in our daily operations. In this post, we will cover what comprises OSINT, why we need it, what intelligence we typically seek, who else leverages these techniques, and a list of go-to OSINT resources for security investigations.

What is OSINT?

OSINT stands for Open-Source Intelligence. It refers to the practice of gathering intelligence from publicly available sources and data. Unlike classified information, which requires special access, OSINT utilizes open source data that can be accessed legally without any restrictions. This includes information found on the internet, public records, news articles, social media platforms, commercial data sources, and more.

In the context of cybersecurity, OSINT is used by information security teams to gather intelligence about external threats targeting an organization. It helps map an organization’s digital footprint and attack surface by consolidating relevant publicly available data. This allows security analysts to identify potential vulnerabilities in the organization’s online presence which could be exploited by attackers. Common use cases for OSINT in cybersecurity include external threat intelligence, attack surface mapping, infrastructure mapping, identifying network vulnerabilities, and more.

Why Do We Use OSINT in Our SOC?

As I said earlier, security professionals love Open Source Intelligence tools because they make tedious tasks simpler. We use a handful of OSINT tools and techniques in our Security Operations Center (SOC) to strengthen our security posture:

  1. Threat Intelligence – OSINT enables us to research the latest hacking techniques, emerging threats, real-world vulnerabilities and exploits. This external threat intelligence helps us better secure our infrastructure against modern attack vectors.
  2. Incident Response – During security incidents, OSINT lets us quickly gather context around suspicious indicators such as IP addresses, domains and file hashes that may be involved in an attack. This accelerates incident investigation and response.
  3. Attack Surface Mapping – By employing OSINT, we can uncover exposed systems, open ports, technologies in use, subdomains, and other external-facing assets. This allows us to map potential attack surfaces and remediate risks.
  4. Infrastructure Mapping – OSINT tools conveniently visualize our entire online infrastructure footprint across cloud providers, domains, networks and services. Such holistic visibility of assets strengthens security.
  5. Breach Assessment – In case of a suspected compromise, OSINT techniques help gauge impact by scouring for organization data being sold on dark web markets and other public sources.
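As an added example (not code from the original post), here is the incident-response case in miniature: a small Python script that pulls indicators out of a constructed, defanged alert, drops internal addresses and filename look-alikes that would only add noise to public lookups, and joins what is left against a constructed reputation feed standing in for a real OSINT source. All feed entries, the alert text and the indicator values are constructed for illustration.

```python
import ipaddress
import re
# Constructed stand-in for an OSINT reputation feed; every value here is illustrative only.
INTEL_FEED = {
    "203.0.113.45": {"verdict": "malicious", "source": "constructed feed"},
    "update-check.example.net": {"verdict": "suspicious", "source": "constructed feed"},
    "44d88612fea8a8f36de82e1278abb02f": {"verdict": "malicious", "source": "constructed feed"},
}
IOC_PATTERNS = {
    "sha256": re.compile(r"\b[a-fA-F0-9]{64}\b"),
    "md5": re.compile(r"\b[a-fA-F0-9]{32}\b"),
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "domain": re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE),
}
# Public OSINT sources know nothing about these ranges; skipping them also avoids leaking internals.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]
FILE_EXTS = {"exe", "dll", "ps1", "docx", "pdf", "zip"}  # filenames that the domain regex would otherwise catch

def refang(text):
    """Undo the defanging analysts use in notes so indicators match feed entries."""
    return text.replace("hxxp", "http").replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")

def extract_iocs(text):
    """Return {kind: set(indicators)} suitable for external lookup."""
    text = refang(text)
    found = {kind: set() for kind in IOC_PATTERNS}
    for kind, pattern in IOC_PATTERNS.items():
        for match in pattern.findall(text):
            value = match.lower()
            if kind == "ip":
                try:
                    if any(ipaddress.ip_address(value) in net for net in INTERNAL_NETS):
                        continue
                except ValueError:  # e.g. 999.1.1.1 matches the regex but is not an address
                    continue
            if kind == "domain" and value.rsplit(".", 1)[-1] in FILE_EXTS:
                continue
            found[kind].add(value)
    return found

def enrich(iocs):
    """Join extracted indicators against the feed; the hits are the ones worth escalating."""
    return [{"indicator": value, "kind": kind, **INTEL_FEED[value]}
            for kind, values in iocs.items() for value in sorted(values) if value in INTEL_FEED]

# Constructed alert text in the defanged style found in analyst notes and vendor reports.
ALERT = """Constructed EDR alert: host 10.0.4.22 ran powershell.exe, which fetched
hxxp://update-check[.]example[.]net/stage2 and then connected to 203[.]0[.]113[.]45 on 443.
File md5 44d88612fea8a8f36de82e1278abb02f, sha256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855."""
```

Calling `enrich(extract_iocs(ALERT))` yields one hit per feed match; the internal host address and `powershell.exe` are filtered before any lookup would happen.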

In essence, integrating OSINT gives our SOC greater context, visibility and insights to prepare, detect, respond and recover from security threats targeting the organization.

What Information Do We Try to Gather Using OSINT Tools?

In the SOC, we spend most of our time monitoring and investigating suspected events and incidents. We are always searching for threat intelligence and information on new malware, vulnerabilities, attack campaigns, security updates, and much more. Bear in mind that security teams use Open Source Intelligence tools to gather data that is publicly available; OSINT cannot be used to steal data that is kept private.

  • Threat intelligence – Technical details on the latest hacking tools, malware campaigns, vulnerabilities being actively exploited, attacker infrastructure and TTPs, etc.
  • Domain details – WHOIS records, DNS configurations, subdomains, mail servers and other technologies related to our public domains and assets.
  • Network details – Information about our external-facing infrastructure such as IP address ranges, open ports, Internet-connected devices, running services, etc.
  • Asset details – Particulars of our public-facing assets like cloud storage buckets, databases, code repositories and data stores.
  • Workforce details – Information employees have exposed related to themselves, internal systems, company data etc. on social media and professional platforms.
  • Compromised data – Monitoring various public data leak sites, paste sites, and dark web markets for any company data and credentials being sold by attackers.

The goal is to collate the above external intelligence through legal and ethical means. Analyzing this data allows us to continuously assess risks, revise controls, and improve overall security posture against a dynamic threat landscape.

14 OSINT Tools We Use in Our SOC

In our SOC, we employ a mix of paid and free OSINT tools as part of our workflows to gather, analyze and visualize security intelligence. While individual tools have particular strengths and limitations, together they enable continuous monitoring, holistic visibility, and informed decision making against a rapidly evolving threat landscape. Key tools in our Open Source Intelligence toolkit include:

Recon-ng

Recon-ng is an open-source web reconnaissance framework written in Python that is highly extensible. We leverage Recon-ng for gathering intelligence on domains, companies, individuals etc. by tapping into dozens of APIs and public data sources.

Pros:

  • Free and open-source tool
  • Easy to install and use
  • Highly customizable via modules
  • Broad API and data source coverage
  • Useful for gathering threat intelligence

Cons:

  • Command line interface only
  • Steep learning curve initially
  • Advanced workflows require scripting
  • Dependency and compatibility issues

Recon-ng allows even junior analysts to automate the collection of relevant data from various public sources and APIs on the internet. It has an interactive interpreter for configuring modules and executing commands. The framework comes packed with dozens of built-in modules suited to common recon activities such as resolving domains, finding subdomains and fetching WHOIS records.

But what makes Recon-ng extremely versatile is its support for community-developed custom modules. Analysts can create their own modules tailored to specific data gathering needs and integrate proprietary data feeds. This enables leveraging Recon-ng for focused objectives like gathering intel on threat actors, compromised credentials, vulnerable systems, etc. It outputs results to a database, which can then be conveniently filtered, analyzed and correlated.
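An added example, not part of the original post and not Recon-ng's own code, of the kind of correlation we run over the results database described above. Recon-ng keeps each workspace's results in a SQLite database; the script builds an in-memory table with constructed rows whose columns are assumed to mirror Recon-ng's `hosts` table, then groups hosts by shared IP, flags hosts resolving outside an assumed organisation netblock, and lists names that no longer resolve.

```python
import ipaddress
import sqlite3

# Constructed rows shaped like recon-ng's `hosts` table. The column set (host, ip_address,
# region, country, latitude, longitude, notes, module) is assumed from the recon-ng schema.
SAMPLE_HOSTS = [
    ("www.example.com", "198.51.100.10", None, None, None, None, None, "brute_hosts"),
    ("mail.example.com", "198.51.100.25", None, None, None, None, None, "brute_hosts"),
    ("dev.example.com", "203.0.113.77", None, None, None, None, None, "hackertarget"),
    ("api.example.com", "203.0.113.77", None, None, None, None, None, "hackertarget"),
    ("old-portal.example.com", None, None, None, None, None, None, "brute_hosts"),
]
# Assumed: the netblock the organisation actually owns; anything resolving elsewhere needs an owner.
KNOWN_RANGES = [ipaddress.ip_network("198.51.100.0/24")]

def load_workspace(rows=SAMPLE_HOSTS):
    """Build an in-memory stand-in for a workspace's SQLite results database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE hosts (host TEXT, ip_address TEXT, region TEXT, country TEXT, "
               "latitude TEXT, longitude TEXT, notes TEXT, module TEXT)")
    db.executemany("INSERT INTO hosts VALUES (?,?,?,?,?,?,?,?)", rows)
    return db

def review_hosts(db, known_ranges=KNOWN_RANGES):
    """Turn raw recon rows into three worklists for the attack-surface review."""
    by_ip, outside, unresolved = {}, {}, []
    for host, ip in db.execute("SELECT host, ip_address FROM hosts ORDER BY host"):
        if ip is None:
            unresolved.append(host)  # name was found but does not resolve: stale DNS to clean up?
            continue
        by_ip.setdefault(ip, []).append(host)
        if not any(ipaddress.ip_address(ip) in net for net in known_ranges):
            outside.setdefault(ip, []).append(host)  # hosted off our netblock: who owns it?
    return {
        "shared_ip": {ip: hosts for ip, hosts in by_ip.items() if len(hosts) > 1},
        "outside_known_ranges": outside,
        "unresolved": unresolved,
    }
```

Against a real workspace, point `sqlite3.connect` at the workspace's database file instead of building the constructed table; the review logic is unchanged.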

Given its flexibility, extensibility and automation capabilities, Recon-ng forms an integral part of our day-to-day security reconnaissance needs to uncover hidden threats and inform better decision-making.