Applying Open Source Intelligence to Cyber Crime Investigations
By Stuart Clarke
Cyber crime is now the fastest-growing type of crime globally. In 2022, a cyber attack occurred around every 39 seconds, with 30,000 websites hacked daily and 20 million personal records breached per month.[1]
Some 64% of companies worldwide have suffered at least one form of cyber attack. UK cyber crime cases have also skyrocketed, with losses from fraud and cyber crime totalling £1.3bn in the first 7 months of 2021, a threefold increase on the previous year’s figure.
As a result of this threat, businesses need to take advantage of all the tools and techniques available to battle cyber crime. One such strategy is open source intelligence (OSINT), which seeks to mobilise publicly available data in the fight against cyber criminals.
In this article, we’re going to discuss the role of OSINT within cyber crime investigations and the impact it can have when applied correctly.
Suggested reading: To learn more about the benefits of OSINT in a wide range of investigatory contexts, take a look at our free eBook — The OSINT Handbook
What is open source intelligence?
Open source intelligence is the product of open source data (OSD) that has been collected, processed and analysed before being used to drive decision-making processes in open source investigations.
OSD refers to publicly available information that can be extracted from a wide range of sources. These can include:
- Government data sources
- Crime statistics
- Health and scientific data sources
- Corporate data sources in countries where this data is publicly available
- Cyber threat intelligence
Deployed across both the private and public sectors, OSINT can be utilised in many types of investigations, ranging from anti-money laundering investigations, to fraud, to counter-terrorism.
OSINT investigations are becoming more commonplace, partly due to compliance requirements that encourage businesses to utilise OSD. However, their increase in popularity is primarily a result of the increasing amount of OSD available to investigators, and the fact that OSINT has the capacity to be applied within a wide range of investigation scenarios.
The role of OSINT in cyber security
Cyber crime is becoming the common denominator for fraudulent and criminal activity, costing organisations £3 billion between April 2021 and 2022 in the UK alone.[2] That is part of the reason why cyber security has become a top priority for organisations in recent years.
As a result, businesses are increasingly looking to utilise all the tools and cyber crime investigation methods at their disposal. While traditional methods, including penetration testing, are still of great value, organisations are looking to enhance their proactive stance even further by harnessing cyber threat intelligence and processes that facilitate collaboration.
Let’s take a look at the ways in which OSINT can add value in the context of cyber crime investigations.
1: Identifying potential external threats
By utilising publicly available data, OSINT helps investigators identify external and emerging threats to an organisation before they develop, facilitating evasive action to prevent an imminent attack.
One survey of dark web data identified the credentials of 25.9 million Fortune 1000 business accounts and 543 million sensitive employee credentials. Of these, tens of thousands of credentials belonged specifically to C-level Fortune 1000 executives, many of whom held high levels of user and business privileges.[3] In other words, the data available on the dark web leaves organisations wide open to crimes such as social engineering or fraud.
However, identifying where and when a company or employee’s sensitive information appears on the dark web enables organisations to take proactive action. There are a series of key steps to this process:
- Firstly, organisations need to enforce and expand educational procedures and training programmes to try and ensure that company or employee information is not leaked onto the dark web.
- When a breach does occur, organisations can start by using OSINT tools that make it possible to extend investigative work into the dark web in a secure manner. They should also use data breach alerting solutions that help businesses identify immediately when data has been compromised.
- Researchers can then recover leaked or stolen information that may put an organisation at risk of a cyber attack in the future, and work to plug security vulnerabilities or gaps in organisational protocol.
- Messages and communications on dark web forums can expose both internal and external threats through correlations between message tone and language use, usernames, forum signatures, profile images and metadata.
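The breach-alerting step above amounts to correlating a parsed leak dump against the organisation's own directory and prioritising the hits by privilege. The following Python is an added illustration of that check, not Blackdot or Videris code; the dump, directory and role tiers are constructed sample data, and the watchlist is keyed on SHA-256 digests of normalised addresses so that it could be handed to a monitoring service without exposing the plaintext directory.

```python
"""Breach-exposure check: match a leaked-credential dump against an
organisation's directory and queue prioritised alerts.

Added example with constructed data; not the page's or any vendor's code."""
import hashlib
import re
from dataclasses import dataclass

# Constructed sample dump (not real data): mixed separators, mixed casing,
# blank lines, a duplicate and an unrelated domain, as parsed dumps often are.
LEAK_DUMP = """\
alice@example.com:5f4dcc3b5aa765d61d8327deb882cf99
someone@other.org:098f6bcd4cd15cb19b83ba60b66c7e45

BOB@Example.com;hunter2
ceo@example.com:e10adc3949ba59abbe56e057f20f883e
alice@example.com:5f4dcc3b5aa765d61d8327deb882cf99
not-an-email-line
"""

# Constructed directory: address -> hypothetical privilege tier.
DIRECTORY = {
    "alice@example.com": "user",
    "bob@example.com": "admin",
    "ceo@example.com": "executive",
    "carol@example.com": "user",
}

# Lower number = handled first by responders (hypothetical tiers).
ROLE_PRIORITY = {"executive": 1, "admin": 2, "user": 3}

EMAIL_RE = re.compile(r"^[^@\s:;,]+@[^@\s:;,]+\.[^@\s:;,]+$")


@dataclass(frozen=True)
class Alert:
    email: str
    role: str
    priority: int
    first_seen_line: int


def normalise_email(addr: str) -> str:
    return addr.strip().lower()


def email_digest(addr: str) -> str:
    """SHA-256 of the normalised address. The watchlist stores only these
    digests, so the directory itself never leaves the organisation."""
    return hashlib.sha256(normalise_email(addr).encode()).hexdigest()


def parse_dump(text: str):
    """Yield (line_no, email) for each dump line that carries an address.
    Dumps use varying separators; the secret field is discarded unread."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        candidate = re.split(r"[:;,]", line, maxsplit=1)[0].strip()
        if EMAIL_RE.match(candidate):
            yield line_no, normalise_email(candidate)


def build_watchlist(directory: dict) -> dict:
    """Map digest -> (address, role) for every directory entry."""
    return {email_digest(e): (normalise_email(e), r) for e, r in directory.items()}


def find_exposures(dump_text: str, directory: dict) -> list:
    """Return one Alert per exposed directory account, highest privilege
    first; repeated dump entries for the same account collapse into one."""
    watch = build_watchlist(directory)
    seen = {}
    for line_no, email in parse_dump(dump_text):
        hit = watch.get(email_digest(email))
        if hit is None:
            continue  # not one of ours, e.g. someone@other.org
        addr, role = hit
        if addr not in seen:
            seen[addr] = Alert(addr, role, ROLE_PRIORITY.get(role, 99), line_no)
    return sorted(seen.values(), key=lambda a: (a.priority, a.first_seen_line))


if __name__ == "__main__":
    for alert in find_exposures(LEAK_DUMP, DIRECTORY):
        print(f"P{alert.priority} {alert.role:<9} {alert.email} (dump line {alert.first_seen_line})")
```

Running the block lists the executive account first, then the admin account matched despite its upper-case spelling in the dump, then the ordinary user; the address from the unrelated domain and the malformed line produce no alert. In practice the same routine would run against each new dump or alerting feed, and the digest-only watchlist is what you would register with an external monitoring service.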
A particularly high-profile instance of sensitive information appearing on the dark web occurred in 2021, when the personal data of 700 million LinkedIn users was put up for sale by hackers.[4] This data included details such as full names, phone numbers, email addresses and geolocation records of LinkedIn members.
2: Enhanced incident response
There are a wide variety of cyber threats that can occur at any moment, including:
- Insider threats
- Social engineering
Traditionally, the cyber incident response (IR) process has been implemented to mitigate the threat posed by cyber attacks. IR is a set of standardised information security policies and procedures geared towards identifying, containing, and eliminating cyber attacks. The six accepted stages of IR are:
By using OSINT across the IR cycle, organisations can build a more robust risk mitigation system. This crucially helps to reduce the risk of attacks downstream as a result of a cyber incident, such as fraudulent attacks using compromised credentials.
Remember, criminals will look to maximise the impact of their activities, which means that fraud and cyber crime are very closely linked. Once they steal data, criminals will attempt to make as much money from that information as possible, either by using it themselves or by selling it to others to conduct financial crime. Applying OSINT to cyber crime is all the more logical given that cyber crime is often committed to facilitate crimes in areas where OSINT has already proven effective. That is why taking a holistic approach is essential. This requires:
- Learning and developing intelligence to drive improvements.
- Addressing problems by looking at various sources of data and not point solutions.
- Leveraging education and sharing intel as it is found.
It’s also worth considering that criminals do not draw the same distinctions between cyber security, AML compliance and anti-fraud activities that businesses and law enforcement do. However, they know these distinctions exist, and can exploit the gaps between them accordingly. Fortunately, with OSINT, teams can proactively identify and reduce risk. For example, leaked data that could be used to commit fraud can enrich investigations with threat intelligence, ultimately helping to ensure a successful outcome.
By mobilising OSINT tools alongside other cyber security solutions, modern businesses can create a more secure internal ecosystem that is proactive against internal and external cyber security threats.
Stay resilient in an ever-evolving threat landscape with Videris
Fraud, cyber crime, and financial crime overlap in the digital domain. Cyber crime and cyber security breaches lie behind many cases of fraud, providing the entry point through which threat actors gain access to the systems, credentials and networks required to orchestrate their plans.
OSINT intersects with modern anti-cyber crime and anti-financial crime by offering a means to investigate potential evidence left behind by criminals and their associates.
Modern OSINT tools solve many common challenges security professionals and cyber crime investigators encounter when dealing with OSD. For example, dark web resources have long been cumbersome and risky to work with, but new generations of OSINT tools such as Blackdot’s Videris allow investigators to work with dark web resources from within a secure ecosystem.
By utilising Videris, investigators can benefit from:
- Enhanced search capabilities: Videris search extends into all three layers of the web — the surface, deep and dark web. This enables investigators to combine data from the dark web with surface and deep web sources, all without leaving the same ecosystem.
- Network mapping: Videris’ cross-matching tools expose links between individuals and associated parties and networks. Researchers can quickly discover links between named entities.*
- Notes and reporting: Videris provides team working and reporting tools to communicate results between teams and other relevant stakeholders.
- Multiple integrations: Videris integrates data from premium third-party sources like Bureau van Dijk and Refinitiv World-Check One. Using Videris Connector Framework, it’s also possible to search and collect data from any repository with an API, including cyber-related data sources like Shodan.
Videris offers a fully-fledged, cutting-edge OSINT platform for cyber security professionals and investigators. All of these features are accessible within the same seamless, secure ecosystem, with flexible deployment options to meet your specific needs. Book a demo today to find out more.
*Powered by ShadowDragon©