Though open-source intelligence (OSINT) is often seen as a development of the modern age and the product of a vast digital space, it found its roots long before the internet was established. Looking at the history of OSINT, we can begin to analyze a bridge between what could be considered “old school” and “new school” OSINT and determine what a modern-day intelligence landscape looks like when both pathways intersect.
Following the attack on Pearl Harbor, the newly established Office of Strategic Services created a branch specifically dedicated to open-source intelligence: the Research and Analysis Branch. This branch studied newspaper clippings, journals, and radio broadcasts from around the world to collect data that might give away intelligence on the enemy. In this case, old school OSINT refers to information and intelligence that could be easily accessed and collected before the digital age, such as public records, newspapers, and broadcasts.
For a while after World War II, open-source intelligence faded into the background and became an often-underused method of gathering information. However, the events surrounding the Arab Spring brought new energy to the field of open-source intelligence, as young people in the Arab world used the internet to coordinate protests and uprisings. This movement created a flood of citizen information on major political developments and shed light on this new power in the Information Age.
New school OSINT can refer to information and intelligence that can be gathered through the internet, specifically targeting social networks and web pages.
Both old school and new school OSINT have their merits. Old school OSINT gives insight into hard data on a particular target, such as where they live, the property they own, businesses they run, their age, and public appearances they have made. Public records, either local or federal, expose this information to anyone searching for it. This information is often available online, or by physically visiting a town hall.
New school OSINT is more nebulous. New school OSINT could include the information a target chooses to post on social networks such as Facebook, TikTok, LinkedIn, or Twitter. This information may touch upon their interests, friends, or organizations they are a part of. While a researcher may not know hard details about the target’s recorded life, they may be able to get a sense of their personality, how they communicate, who they communicate with, and most importantly, what motivates them. New school OSINT may also include data collected by hackers during breaches and later dumped on the dark web, such as emails and passwords.
It is easy for older researchers to favor old school OSINT, and for newer researchers to favor the social networks they grew up using. However, a complete picture of a target cannot be built without both styles of research. Likewise, a user cannot defend against social engineering attacks that utilize OSINT without considering both avenues that an attacker may have taken.
Limiting the number of public records available on you or your organization can be difficult, as often these same records exist for legal and transparency purposes. It is important to remember that just because someone knows where you live or where you work doesn’t mean they’re a legitimate party. Whether it’s through email, phone, or in person, you must verify these individuals as you would anyone else, even if they seem to know everything about you.
New school OSINT is slightly easier to defend against, as in these cases, much of the power is in the user’s hands. Users are advised to lock down their privacy settings to prevent unwanted snooping and to limit the information they share on social media. Before posting anything, it is important to consider how such information may be used against you, or to manipulate you in a social engineering attack.
Ultimately, the best defense against any social engineering attack is preparation. If users know how to strengthen their defenses and be on the lookout for social engineering attacks, they are less likely to fall for spearphishing and attacks that utilize open-source intelligence.
This post was originally published on the OCD Tech blog.