Cybersecurity is a growing threat—the International Criminal Police Organization (INTERPOL) reports that cyberattacks are ever-evolving alongside unprecedented rapid developments in technology, creating new means for exploiting individuals, corporations, and governments.
According to a recent report from Cybersecurity Ventures, cybercrime will cost the world $10.5 trillion by 2025. This aligns with the FBI's belief that cybercrime is at epidemic levels and represents one of the highest criminal priorities for the agency, subsequent to the threat of terrorism. While this data is concerning, it is not surprising. The number of data breaches has increased every year since 2013, with more than 14 billion records lost or stolen in the last year alone. In the face of this growing cybercrime epidemic, it is more important than ever to have the right technologies and procedures in place to protect an organization.
As such, the need to use open source intelligence (OSINT) for cybersecurity and incident response is clear. One of the most important aspects of cybersecurity is an ability to quickly and accurately understand what happened so that it's possible to stop it from ever happening again and to prevent it from happening in the first place.
This is where OSINT comes in: the collection and analysis of open source intelligence can lead to an in-depth understanding of the attack, which can be used to tailor security policies to what's likely to be most effective for the organization. As cyber attacks are both constantly changing and increasingly difficult to detect, OSINT can be invaluable to a cybersecurity team's ability to keep tabs on potential threats.
The Costs of Cybercrime
The fallout from cybercrime can be far-reaching and costly—from reputational damage to fines and penalties and from brand damage to lost business. It can also be costly to restore data and systems after a breach.
In IBM's latest annual assessment conducted by the Ponemon Institute, a prominent source of cybercrime research and data breach cost information, organizations that suffered data breaches spent an average of $3.86 million to resolve them. On average, a breach takes 280 days to be identified and contained. While the change in average total cost for a breach has decreased by 1.5% from the previous report in 2019, there has still been a 10% rise over the last five years. The study also found that breached companies were still dealing with the fallout of the data breach 12 months after it occurred and were more likely to underperform on the NASDAQ.
In the EY CEO 2019 Imperative Study, national and corporate cybersecurity were found to be the most significant threats facing the economy over the next ten years. The study reveals that the motives for cyber threats have evolved: while greed and opportunism remain driving factors, anger and activism have become integral to cyber-attacks launched to make a political point. Cyber threats are now linked to some of the world's most grappled with issues, including digitization and geopolitical instability. This transformation is the reason why many CEOs consider cyber threats a priority, as these attacks post an existential threat as much as they do a systemic one.
The Role of Incident Response (IR) in the Cybersecurity Landscape
The incident response (IR) process was developed by the International Organization for Standardization (ISO) to help organizations manage the aftermath of a security incident. IR ensures that an organization can effectively respond to security breaches or cyberattacks as they arise. The process involves investigation, mitigation, and recovery from security breaches, as well as prevention for future incidents. The core elements of the IR process include preparation, detection, triage, analysis, containment, eradication, recovery, and reporting.
The CIA Triad has been adopted as a standard in multiple information security frameworks, including the IR process. These principles highlight three separate core data security objectives:
- Confidentiality: ensuring information is not disclosed to unauthorized individuals, processes, or systems.
- Integrity: ensuring information is not modified or corrupted.
- Availability: ensuring information and system resources are available to authorized parties when they need them.
These three concepts can be used to shape the proper courses of action that need to be taken as a result of a particular event and ensure a cohesive, well-defined IR process. Increasingly, the IR process incorporates the use of OSINT tools during the inspection phase to gather information and to help identify and remediate potential cyberattacks.
OSINT Use Cases in Cybersecurity
The rise of security incidents has led to an increased demand for open-source intelligence (OSINT) tools for cybersecurity and IR. OSINT tools allow organizations to gather information from public channels to help with investigations. For the last decade, OSINT has been a major tool used by researchers, investigators, and security professionals for gaining insight into cyber-crime activities, such as the attacker's methods, motives, and tools. In particular, fields such as national security, intelligence, law enforcement use OSINT tools and techniques to identify and prevent cyber threats.
OSINT can be applied for the detection of the cyber threats in the below-mentioned areas:
Cybercrime and organized crime:
- Spot illegal actions: OSINT can help detect illegal activity occurring within or outside of an organization. For example, an investigator can use OSINT to figure out who is responsible for an incident, and where they may be located. If an incident is being perpetrated by a single person, they may be using a single IP address and can be identified through passive DNS and geolocation services.
- Retrieve suspicious traces: OSINT can help detect anomalies in data in order to prevent future illegal activity from occurring. For example, a spike in traffic to a website that is causing a server to slow down could be due to a mass attack (DDoS, etc.), or it may be due to a spike in customers.
- Monitor malicious groups: Monitoring can provide valuable insight into the activities of an adversary, perhaps by tracking social media activity for possible threats or scanning the Dark Web to uncover potential hacks.
Cyber security and cyber defense:
- Footprinting: One of the key aspects while performing reconnaissance on a target, footprinting is the process of identifying the people, places, and other details that exist in a target's environment to understand how they operate.
- Forensic analysis: Commonly used by law enforcement, investigators can gather information, including websites that a suspect has visited, messages sent or received on a mobile device, or even deleted data. This information can corroborate other evidence or be used to identify new suspects.
- Proactive auditing: Identify areas in which an organization may be vulnerable to an attack and then take proactive steps to reduce or eliminate the vulnerability. For example, this might be in terms of implementing information security policies to protect an organization.
Categorization of Cyber-Criminal Investigation Using OSINT
Cyber-investigation refers to the tactics and techniques used to gather information about individuals or groups from publicly available sources. Cyber-criminal investigations use OSINT to find information about the offender. The OSINT is collected from online sources such as social media, forums, blogs, and the community, which provide a wide range of publicly available information.
Open-source data methods and techniques for cyber-criminal investigations can be categorized into the following categories:
Data mining is the process of extracting structured data information from a source (e.g., database) to identify patterns:
- Text mining handles the extraction of unstructured textual data (e.g., social media feeds)
- Optimization method is a strategy based on game theory to handle DoS attack scenarios
- Web mining gathers and analyzes information about a subject by examining its “digital footprints” on the Internet
- Machine learning is an approach to this by using statistics or algorithms that let computers learn from data and then make decisions based on that learning process
Social network analysis is the process of mapping the relationships between individuals and taking into account online content (i.e., blogs, messages, pictures, comments, etc.) they have created in order to profile them:
- Node removal algorithms in OSINT is the practice of removing a node from a network, such as in the context of cyberterrorism to remove key nodes of a terrorism network
- Network extraction is a subsection of OSINT that deals with collecting information from computer networks (e.g., an Internet provider)
- Semantic networks analysis is a type of analysis that is used on large bodies of data to identify and cluster related information. This information is then used to identify relationships between the different pieces of data
Statistical methods present data in a manner helpful for detecting patterns or anomalies in data:
- Regression models determine how changes in one variable affect changes in another and can help decision-makers to predict future trends and determine past events by analyzing the relationships between independent variables and dependent variables
Conceptual knowledge-based frameworks created based on the factors and motivations of the adversary (e.g., characteristics of the source nation)
Cloud computing can be used to collect OSINT data from a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services)
The Cybercrime Investigation Framework
The cybercrime investigation framework is a conceptual model to outline the factors involved in investigating cybercrimes. The following are the most crucial components:
Attacker and target: includes understanding the underlying factors and background of the cybercrime:
- Motivation/goal: monetary gain, espionage, making political statements, etc.
- Domain/type: brute-force attack, credential stuffing, phishing, malware, etc.
- Profile of targeted system/organization/enterprise: using public records to create a comprehensive profile
- Tools and techniques used to commit cyber crime: encryption tools, web vulnerability scanning tools, etc.
Tools and techniques for the investigation: involves implementing common techniques during the investigation process, including background checking and digital forensics:
- Detection: using tools to track and identify adversaries
- Prevention: using information gathered to prevent development of cyber threats
- Open source (records) collections and storage: gathering as much information as possible about the incident
Cyber threats continue to grow and evolve with the rapid development of the internet and technology. Cybercrime is a serious threat to citizens, corporations, and governments as it can result in the theft of personal and financial information, malware, identity theft, data breaches, and denial of service attacks, among other things. As a result, it has become a major focus of intelligence and law enforcement agencies across the world.
The amount of open sources available on the Internet is growing, and it is becoming increasingly important for cybersecurity and incident response personnel to process it in an effective and efficient manner. The constant circulation of new information requires advanced tools and techniques to collect, process, and analyze the information for effective decision making. A solution to effectively manage the information flow is by implementing a methodology for OSINT processing.