Chief Information Security Officers (CISOs) require a comprehensive set of tools, services and skilled people to succeed in the never-ending battle against cybercrime. They stand as the last line of defense to protect their organizations from losing data, money, reputation and, in extreme cases, the business itself. Adding OSINT-driven threat intelligence to the CISO toolkit can be a game-changer, delivering insights that enable a more proactive rather than reactive approach to cybercrime defenses.

Whether launched by criminal syndicates, nation-states or their proxies, ransomware and other forms of cybercrime have become a constant threat that requires real-time analysis and defense to effectively identify, mitigate and counter these attacks. To minimize risks and avoid surprises, CISOs must utilize technical tools and expertise, as well as threat intelligence to gain predictive insights on cybercrimes.

CISOs commonly adopt a two-pronged strategy. The first approach is to use technical tools and expertise, sometimes as a security operations center (SOC), either internally or as a service. The second is to educate and develop IT personnel and other staff who should be able to detect phishing and business email compromise (BEC) attacks in their day-to-day work. Open-source intelligence (OSINT) can be the missing third prong of an effective cybersecurity strategy. 

The intersection of OSINT and cybersecurity

OSINT is the process of collecting, filtering and analyzing publicly and commercially available data from across the surface web, the deep web and the dark web. It has recently grown in popularity as a primary intelligence discipline in national security and defense circles due to the need to quickly detect risks across overwhelming and exponentially increasing volumes of online data and is now being adopted in the corporate sector as well for similar reasons. 

The open web consists of the sites people use daily, which everyone can access, such as public websites, social media sites, chat groups and discussion forums. The deep web constitutes the hidden part of the web that is not indexed by traditional search engines, including sites are secured with some form of protection, such as passwords or additional security measures to ensure only authorized people can gain access. The dark web has a mystical aura but is simply a part of the encrypted internet and is only accessible with specialized tools, such as The Onion Router, or “Tor.” What gives the dark web its aura are the criminal actors that take advantage of its anonymity to share information and plan attacks.

With specialized OSINT capabilities, SOC teams scan the dark web chatter between cybercriminals, extracting volumes of information on their activities. The discussions range from what new or improved tools and techniques are available to which companies or industries are in the spotlight, new data on supply chain vulnerabilities to exploit and more. It is also possible to identify breaches almost immediately after they occur when people boast about their achievements or release personal information or intellectual property.

Large volumes of data are collected in this manner and analyzed to deliver usable information. The growth of artificial intelligence (AI) augments this analysis as algorithms can pick up trends and indicators that are undetectable by human analysts. 

Cybercrime insights hidden in plain sight

Many ransomware gangs are starting to post data stolen from their victims on the open web to encourage them to pay up because their data is potentially exposed to over 2 billion people using the web each day. Although unfortunate for the victims, this situation can provide valuable data analysis and intelligence-gathering information. It highlights compromised companies, information, passwords and newly found vulnerabilities.

OSINT threat intelligence also aids in supply chain risk management, delivering relevant insights about partners, service providers and other companies along the supply chain. A cloud provider, for example, could be under attack, which, if successful, will impact its customers’ ability to operate. Similarly, compromised downstream partners, such as retail outlets or resellers, can pose unique threats to an organization’s operations.

Without OSINT threat intelligence to enhance their cybersecurity strategies, corporations lose a critical edge in their proactive defense posture, leaving them at risk of data loss, brand reputation damage, compliance fines, revenue loss and more.

Pre-emptive defense strategies – the role of OSINT

The need for OSINT is not secondary to cybercrime tools, education and skills; it supplements, supports and enhances cybersecurity strategy with intelligence on attackers’ targets, malware, motivations, methods and more. Effective OSINT solutions enable the practical use of AI-enabled analytics by filtering mountains of data to identify and alert suspicious activities that may indicate an imminent breach.

The State of Ransomware 2023 report highlights that “an exploited vulnerability was the most common root cause of ransomware attacks (36%), followed by compromised credentials (29%).” Only 3% were due to a brute force attack — what most people define as hacking. OSINT threat intelligence, therefore, can potentially play a vital role in helping to prevent more than 50% of ransomware attacks. 

People like to talk, and cyber criminals are no different; perhaps they are even more inclined to boast when defeating a large corporation. OSINT specialists within SOCs can gain insights into what industries and companies are being targeted, newly released malware and what new vulnerabilities they exploit — even before the Cybersecurity and Infrastructure Security Agency (CISA) or law enforcement agencies release a public warning.

More than data loss

Corporate governance, risk management and compliance are critical factors affecting corporate reputation and the sentiment of stakeholders, especially investors. Similarly, cyber resilience quickly evolved into a reputational influencer. Publicly traded companies must now report material cyber breaches within four days, and annual reports must include information on the business’s cyber governance and hygiene.

Managing their organization’s cybersecurity posture and dealing with constant threats, especially ransomware, places CISOs under extreme pressure. Coping with the demands is only possible if a cybersecurity strategy complemented by OSINT is integrated into technology platforms to deliver more timely and predictive insights about potential cyber risks facing the company and its supply chain. This strategy empowers CISOs to be prepared to proactively mitigate vulnerabilities.