What is OSINT? Open Source Intelligence (OSINT) is a catch-all name for any intelligence (meaning actionable, verified fact) produced solely from sources available openly in the public domain. This includes sources with limited distribution (message boards) and paid sources. It is important to separate information from intelligence.
The key is that intelligence can be used, has clear sourcing and is rated for reliability. Information is the ‘raw material’ an analyst or algorithm uses to produce intelligence. Risk management is significantly enhanced by knowing more about the risks faced, their severity and likelihood.
With useful metrics for these, an appropriate risk response can be developed. When an organisation is operating without the benefit of high-quality intelligence the risk treatment plans are less accurate. OSINT can be a key source of intelligence to support a risk management process.
Specifically for vendor risk management (VRM), OSINT enables a client to identify areas of concern that a vendor/supplier might be asked to explain. Here at C2 Cyber Ltd we assess many thousands of data points per supplier, but distill these into four key areas to enable our customers to compare and contrast their vendors:
- Configuration of online technologies is an indicator grouping used to describe the level of maturity and configuration security seen on a vendor’s public-facing web technologies. Example data points include whether servers broadcast their technology stack, detail processing technologies (knowledge of which makes planning an attack easier).
- Email security, anti-spoofing measures and DMARC are simple to execute but rarely configured correctly or at all. This is measurable across a vendor landscape.
- The attack surface is another area that is critical in measuring the vulnerability of a vendor. This measure contains data on domains, sub-domains, the number of ports open and other attributes of a web-facing service.
- The Social measures attributable to a company are more subjective, but also measurable to provide a score where vendors can be compared and monitored. Customer and Employee advocacy on review and rating sites is key here, providing big-data benchmarking from well-known public review sites. The level to which privileged users (admins, firewall engineers etc) advertise their wares on social media and business sites is also an actionable insight into the security maturity of a current or prospective vendor.
The aim with all of these measures is not to penalise, but to identify areas that the vendors in a client supply chain find hard, and deliver training, awareness and technical recommendations to enable ‘all the ships to rise together’. Webinar delivered best practice training, vendor-specific reporting and remediation recommendations are all part of the C2 Cyber VRM service, powered in part by OSINT insight.
In summary; OSINT does not provide all the answers, as it can only see what’s visible to the outside of a vendor, and rarely shows the external architecture (unless something has gone very wrong!). OSINT does support an efficient and detailed view of vendors that is difficult to do at scale without automation and a great deal of OSINT expertise deployed at the technology platform level. Whilst all of this is possible manually, it is not efficient enough to be done often in VRM services built on a consultancy model.