May 30, 2022
Now that we’ve covered some basics of what OSINT is, why we use it, and how it might benefit us, let us look at the core of what makes up our collective intelligence effort. Do note that even though we should be familiar with this, every analyst should develop their own techniques, methods, and even tools, depending on the case they’re investigating. Think of what we’re describing below as a loose guideline that can be used in your investigations.
Also, please note that the Intelligence Cycle, as described below, is of a broader scope, and doesn’t necessarily pertain to OSINT investigations exclusively. However, from our perspective it is vital to be at least familiar with it, which is why we chose to dedicate that much space to it.
The Intelligence Cycle is the process of compiling raw data into intelligence that can be used to make decisions, be it for LE use, or for business driven purposes. In its nature, the Intelligence Cycle is cyclical (hence Intelligence Cycle) – meaning that what we've discovered previously can influence the following routes of our investigation. The goal here is to remain open to new information, and understand that it can impact the current state of affairs in our investigation.
The Intelligence Cycle consists of five parts:
This part involves the management of the whole investigation, from identification of our intelligence needs, to delivering of the said intel. It is both the beginning and the end of the cycle, because it involves defining our needs (planning), the end, because once finished our new intel can produce new informational needs. This is due to the fact that our intel needs to work hand-in-hand with our decision making, which might change once we reach the end – thus leaving us at the beginning of the cycle once more.
To collect intel effectively, we need to have a good plan that we’ll stick to, as well as some sort of direction. Since in this phase we’re collecting raw data, open sources can be a treasure trove for us here; also, in the context of a pure OSINT investigation, here we would implore the analyst to pay most of their attention, and deploy their critical thinking ability as much as possible. Data can be extremely volatile, and we need to understand not only the data points itself, rather we should visualize the broader picture. (Once more, the Intelligence Cycle is a bit more broader, and goes beyond only open source data)
In this step, we convert the raw data that we’ve gathered into a format an analyst can work with. This entails managing our information, through whatever techniques we may deem necessary for our particular investigation. We reduce the data, arrange, and process it in such a way that it can be of use to the one who would be consuming it.
It follows that this step will differ greatly if we are, for example, processing our data for a LEA, or if its an investigation where we would be the consumer of the said information – if we are maybe gathering intel for a penetration test; at least before compiling the report for our client.
Analysis and production pertains to us converting all of the information that we’ve processed, into a finished product. This intel is evaluated, integrated, and further analyzed. The data is integrated into one coherent whole, what was evaluated is put in context, and then produced into a finished piece of intelligence – which includes assessments, and implications of the intel, in that particular context.
In this final phase, we distribute our intel to the consumer, the same ones who initiated the process with their intelligence needs and requirements. Then, based on the information, the consumer would make their decisions, which may trigger the Intelligence Cycle again.
It is apparent that this type of approach is generally more geared toward LEA’s, or some businesses, but, as an aspiring OSINT analyst, we should be aware of how these things are usually done. There’s a lot of things for us to unpack here, and even though we might not use or need to follow the exact same steps, we will, however, still act somewhat in convergence with the model above.
The main takeaway, for us, is the fact that this kind of approach has a great impact on how we can further use our own critical thinking and deductive skills, since critical thinking is the most important skill an OSINT analyst needs to possess – in our opinion. That is, the ability to think rationally about the topic, in an organized way, so that we can best understand the connection of the facts that are presented to us.
For example, we should always look to define our problems and/or questions as precisely as we can. We also need to find different sources – in order to understand different points of view. Further, we should evaluate the reliability of said sources, understand if they’re biased, and if that’s the case, then we would be interested in how’s and why’s.
Once we’ve weeded out some of those crucial questions, and further crystallized our picture, we would try and understand what’s most important of the facts that we’ve gathered. Finally, once we do all of that successfully, we need to know how to present this coherently, to whomever might be the party to which our investigation refers to.
With all this in mind, of course every analyst’s process will differ, but the way in which we go on about our investigation, should be grounded around some of the same core principles. Remember, your greatest and most important tool is your ability to rationalize, analyze, connect the dots, and make good deductions based on all of that – your critical thinking ability.
Before concluding our article, we would like to mention one more thing – the OSINT Framework.
This is a web-based platform, which bundles a lot of different OSINT tools – on many different themes, such as: IP address, Images, Social Networks, People Search Engines, Public Records, Metadata, Dark Web, and many more.
Most of them are free to use, but there’s a number of tools that are subscription-based. Nevertheless, this can be a great starting point for your investigation, and is something every OSINT analyst should be well aware of, in our opinion.
OSINT Framework Homepage
To conclude, we’d just like to mention that the idea behind ‘teasing’ with the OSINT Framework in this article is due to the fact that our next article will focus on some of the tools one might use in their investigation, so we felt it was a good inclusion and a natural transition; at least now that we’ve laid some groundwork, and explained, albeit briefly, some of the core intelligence gathering ideas.
As we will see, there’s a myriad of tools out there, and everybody has their own preferences, but the ideas behind them are generally nested around their theme/functionality.
Lastly, here’s another teaser for you, before we go delving into the tools in our next article!
Our Path to Product-Led GrowthMichael Assraf June 21, 2022
CISAnalysis - June 20, 2022Kent Weigle June 20, 2022
Vicarius and Advent One Partner to Expand APAC OperationsEvan Kling June 20, 2022
Crowdsourcing: Utilizing Humanity’s Greatest AssetKent Weigle June 16, 2022
The Good News and Bad News About 0-Day AttacksVicarius June 14, 2022