What is Open Source Intelligence (OSINT) And How to Conduct OSINT Investigations in Maltego
If you are just getting started in infosec or cybersecurity, you have probably heard of the term OSINT. OSINT plays a crucial role in all sorts of investigations. If investigating means to move from a question to an answer, OSINT can often be employed to find the answer.
Many tools and databases allow users to query OSINT data. Maltego is one of them. Integrated with various OSINT data sources, Maltego gives users the ability to access this data and map the relationships between records as a graph.
In this infographic blog, we will give you a brief overview of OSINT, how investigators use it in a practical case, and the types of OSINT data queryable in Maltego.
Infographic | Open Source Intelligence (OSINT)
First, let’s take a look at this infographic:
Download this infographic to share with your friends, family, and colleagues!
What is OSINT?
OSINT is an intelligence-gathering method used to collect and analyze publicly available information for investigative purposes. OSINT data sources encompass pretty much anything you can find on the internet, from an IP address to public government records.
In a very broad sense, OSINT gathering can even encompass performing a Google search or reading a public forum thread about how to fix a leaking pipe.
Who Uses OSINT?
OSINT techniques are practiced by all sorts of investigators and analysts across a range of industries: cybersecurity operations analysts, law enforcement officers, fraud investigators, threat hunters, researchers, investigative journalists, and many more.
This means that OSINT practices apply to a wide range of use cases, including network infrastructure footprinting, malware and threat analysis, person of interest investigations, phishing campaigns, and fraud.
Two Types of OSINT Approaches: Offensive vs. Passive
There are two approaches to OSINT information gathering: offensive and passive. As the terms suggest, the main difference between them lies in whether contact is made with the target.
Offensive OSINT
The offensive OSINT approach, also called the active approach, makes contact with the target in order to gather real-time or more accurate data. However, this also exposes the investigator to a higher risk of detection by the target. Once the target becomes aware that someone is gathering intelligence about them, they will very likely shut down external access to the data or try to trace the requests back to the investigator for a counterattack.
An example of offensive OSINT would be scanning a target's website: the requests are sent from the investigator's machine and can appear in the target's logs.
Passive OSINT
The passive OSINT approach is a comparatively safer practice that gathers historical data or data hosted by third parties. Although the data retrieved might not be 100% up to date, the investigator never touches the target's infrastructure and thus has a lower risk of being detected. Historical data also comes in handy when real-time data is no longer available, for instance after malicious actors take a website down.
An example of passive OSINT would be looking up historical DNS records from an archive instead of querying the target's name servers.
Which OSINT Approach does Maltego Use?
Maltego offers a number of Transforms backed by various OSINT data integrations. Ranging from infrastructure data to threat intelligence, person of interest information, and cryptocurrency activity, these Transforms query data both actively and passively.
This does not mean that Maltego users expose their own IP addresses or identities when running active queries. By default, all Transform queries run through Maltego's public Transform servers, so even if the target notices the requests, they can only see that Maltego is querying the data. The exception is certain deployment options, such as locally run Transforms, where the queries originate from your own infrastructure; check how a Transform is deployed before running it against a sensitive target.
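The active-versus-passive split above, together with the idea of mapping relationships into a graph, can be made concrete in a few lines of code. The following is an added example written for this article, not Maltego's own code: every data source is tagged with whether it contacts target-controlled infrastructure, a planner drops the active sources unless the investigator opts in, and the remaining lookups are merged into a graph whose shared attributes become the pivots an analyst would chase next. The domains, addresses and records are constructed sample data (reserved `.test` names and documentation IP ranges), and the source and function names are invented for illustration.

```python
"""Added example (not Maltego's code): a passive-first OSINT planner with
link analysis over constructed sample records.

Each data source is tagged with whether it contacts target-controlled
infrastructure.  The planner drops active sources unless the investigator
opts in, runs the rest against the seed domains, and merges the results
into a graph of (entity, relation, entity) edges.  Attributes shared by
several seeds are the pivots an analyst would chase next.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple
import urllib.request

# Constructed sample data standing in for third-party (passive) data sets.
# Domains use the reserved .test TLD; addresses come from documentation ranges.
HISTORICAL_DNS: Dict[str, List[Tuple[str, str, str]]] = {
    "example-shop.test": [("A", "203.0.113.10", "2023-01-04"),
                          ("A", "198.51.100.7", "2023-06-19")],
    "payment-portal.test": [("A", "198.51.100.7", "2023-06-20")],
}
WHOIS_HISTORY: Dict[str, Dict[str, str]] = {
    "example-shop.test": {"registrant_email": "admin@mailbox.test"},
    "payment-portal.test": {"registrant_email": "admin@mailbox.test"},
    "unrelated.test": {"registrant_email": "someone@else.test"},
}

Edge = Tuple[str, str, str]  # (seed entity, relation, linked entity)


@dataclass(frozen=True)
class Source:
    name: str
    contacts_target: bool  # True = active OSINT, observable by the target
    lookup: Callable[[str], List[Tuple[str, str]]]


def historical_dns(domain: str) -> List[Tuple[str, str]]:
    """Passive: answered from an archive; the target's name servers are never asked."""
    return [("resolved_to", ip) for _, ip, _ in HISTORICAL_DNS.get(domain, [])]


def whois_history(domain: str) -> List[Tuple[str, str]]:
    """Passive: registration history held by a third party."""
    rec = WHOIS_HISTORY.get(domain)
    return [("registered_by", rec["registrant_email"])] if rec else []


def live_http_probe(domain: str) -> List[Tuple[str, str]]:
    """Active: opens a connection to the target's web server from this host,
    so the request lands in the target's logs.  Only runs when the planner
    allows active sources."""
    with urllib.request.urlopen(f"http://{domain}/", timeout=5) as resp:
        return [("http_server", resp.headers.get("Server", "unknown"))]


SOURCES = [
    Source("historical DNS", False, historical_dns),
    Source("WHOIS history", False, whois_history),
    Source("live HTTP probe", True, live_http_probe),
]


def plan(sources: List[Source], allow_active: bool) -> List[Source]:
    """Keep only the sources permitted by the investigator's contact policy."""
    return [s for s in sources if allow_active or not s.contacts_target]


def build_graph(seeds: List[str], sources: List[Source]) -> Set[Edge]:
    """Run every permitted source on every seed and collect the edges."""
    edges: Set[Edge] = set()
    for seed in seeds:
        for source in sources:
            for relation, value in source.lookup(seed):
                edges.add((seed, relation, value))
    return edges


def pivots(edges: Set[Edge]) -> Dict[Tuple[str, str], List[str]]:
    """Linked entities reached from more than one seed: shared hosting,
    a common registrant email, and so on."""
    reached_from: Dict[Tuple[str, str], Set[str]] = defaultdict(set)
    for seed, relation, value in edges:
        reached_from[(relation, value)].add(seed)
    return {k: sorted(v) for k, v in reached_from.items() if len(v) > 1}


if __name__ == "__main__":
    seeds = ["example-shop.test", "payment-portal.test", "unrelated.test"]
    passive_only = plan(SOURCES, allow_active=False)
    print("sources used:", [s.name for s in passive_only])
    for (relation, value), linked in pivots(build_graph(seeds, passive_only)).items():
        print(f"{relation} {value} is shared by {linked}")
```

With `allow_active=False` the live probe is never called, so nothing reaches the target's servers, yet the two passive sources alone reveal that `example-shop.test` and `payment-portal.test` share both a hosting IP and a registrant email, while `unrelated.test` links to neither. That is the same pivoting a Maltego graph makes visible, without the investigator appearing in anyone's logs.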
OSINT Framework in Maltego: What OSINT Data is Queryable in Maltego
As you start exploring OSINT practices in your investigations, you will hear more about the term "OSINT Framework." The OSINT Framework is a curated collection of tools and data sources for OSINT information gathering and investigations. While some of those sources are hosted on third-party sites or in government databases, others are integrated into Maltego and can be queried through Maltego Transforms.
As mentioned before, OSINT covers numerous types of data, which means there are also numerous tools and services one can use to gather it. In Maltego alone, users can query many types of data thanks to integrations with Shodan, WHOIS, TinEye, the Wayback Machine, VirusTotal, ATT&CK and MISP, Pipl, Orbis, and more.
This makes Maltego a powerful link analysis tool for investigators from various fields and industries, who can use it and its data integrations to conduct all sorts of investigations: network footprinting, cybersecurity research, threat analysis, POI investigation, fraud investigation, IoT vulnerability analysis, and more.
In the graph below, you can find an overview of Maltego’s OSINT capabilities:
Get Started with OSINT Investigations in Maltego!
We hope this infographic and blog post give you a better understanding of what OSINT is and how to use it in investigations. Feel free to download the infographic to share with your friends, family, and colleagues!
Use Cases & Tutorials: OSINT with Maltego
If you want to learn more about real-life investigations using OSINT and Maltego, here are a few of our favorite use cases: