Open source intelligence (OSINT) is actionable information that has been gathered from freely and publicly available sources. The type of information that can be considered OSINT is not something that an organization or other entity can reasonably expect to keep private. Anyone, regardless of affiliation or authorization, can obtain this information without running afoul of any laws or regulations. This makes OSINT valuable to the preliminary phases of a pen test, where discretion is desired. After all, the pen test process is meant to mirror that of the real-world attack process; skilled attackers will attempt to gather as much information as they can while taking as few risks as necessary.
There are many potential sources of OSINT, and most are connected to the Internet. Some examples include:
- Registration information from Whois databases.
- The target organization's public website.
- Any additional websites that may be related to the target organization.
- The social media profiles of a target organization.
- The social media profiles of individuals associated with the target organization.
- Job postings on job boards.
- Google search results.
- Online blogs, news articles, etc.
- Information gathered from querying public DNS servers.
- Mail server records gathered from public DNS servers.
- Information gathered from website SSL/TLS certificates.
Although the sources listed previously and discussed in further detail in this topic are of great value to OSINT gathering, you may also find it useful to research public information using various industry standards. For example, the following industry-recognized threat and vulnerability intelligence sources are maintained by the MITRE Corporation, which receives funding from the U.S. Department of Homeland Security:
- Common Vulnerabilities and Exposures (CVE), a dictionary of vulnerabilities.
- Common Weakness Enumeration (CWE), a database of software-related vulnerabilities.
- Common Attack Pattern Enumeration and Classification (CAPEC), a database that classifies specific attack patterns.
Another potential source of research is one or more prominent computer emergency response teams (CERTs), such as the CERT Coordination Center (CERT/CC), United States Computer Emergency Readiness Team (US-CERT), and the Japan Computer Emergency Response Team Coordination Center (JPCERT/CC). These CERTs often issue public security advisories that contain useful information on a wide range of vulnerabilities.
Standards organizations like the International Organization for Standardization (ISO) and the National Institute of Standards and Technology (NIST) can also be valuable sources of public information. For example, NIST, a U.S. government agency, publishes many documents that detail known security issues and guidance to organizations for how to mitigate them.
Finally, you should be on the lookout for instances of full disclosure. Full disclosure is the process of publishing an analysis of vulnerabilities without restrictions as to who can access this analysis. The intent is to ensure that as many users and organizations as possible are aware of the vulnerabilities so that they can take action to protect themselves. However, the side effect of full disclosure is that attackers are also privy to this information and can act on it. As a pen tester, an instance of full disclosure might provide you with valuable insight into a vulnerable piece of technology used by the target organization.