
The 5 Biggest Mistakes Made During an OSINT Investigation


By: Micah Hoffman (@WebBreacher) - SANS Certified Instructor

I've learned that you can get better at something by learning from others' mistakes and misfortunes. When I was growing up, I watched America's Funniest Home Videos on TV. Nowadays, "fail" videos are all over the internet. We see what happens to the people in these videos and learn without having to experience the consequences.


Below are some of the mistakes that I've seen people (including myself!) make so that you can avoid them.

  1. Not having a plan/process - When you start with a plan, you have a framework for what you want to accomplish. Without one, assessments can flounder, and staff can lose focus.
  2. Not documenting accurately enough - I've seen people get excited about their OSINT work, dive into the assessment, and gather important data to meet their customer's goals. When the time comes to write the report or deliver results, their data lacks references, URLs, dates, hashes, and a record of how they obtained the content, which generates more work for them and the team.
  3. Not taking precautions to protect yourself and your system - Don't use your own accounts for your work. Plain and simple. Create sock puppets or seek other methods to retrieve the data. Also, consider what information is leaving your system and network that may give away who you are and where you are.
  4. Not corroborating data - "It must be true. I found it on the internet." I had an employee tell me that once...and she was not kidding. Always seek to validate, verify, and corroborate the data you discover. A corollary of this is to note when data may be less than trustworthy.
  5. Not cleaning your system after the assessment - You have finished your report and are ready for your next case. Make sure that all your previous work is archived or deleted from your system. Revert your virtual machine if you are using one. Ensure that you have logged out of all sock puppet accounts. You don't want to contaminate your next case with the previous one's data.
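Mistakes 2 and 4 both come down to keeping a trustworthy record of every item you collect: where it came from, when, how, what it hashed to, and how far you trust it. The following evidence ledger is an added example written for this post; it is not code from the original article, from Micah Hoffman, or from the SEC487 course. It assumes you capture each item's content as bytes (the capture step itself is out of scope here), uses a constructed sample page body and a made-up URL, and chains each record to the previous one's hash so that a later edit to the ledger is detectable when you verify it before writing the report.

```python
"""Evidence ledger for an OSINT investigation (illustrative, not a standard tool).

Each record stores the source URL, the retrieval time in UTC, how the item was
obtained, the SHA-256 of the captured content, a trust rating, and the hash of
the previous record. The chained hashes let you prove the ledger was not
altered after collection, which is exactly what a report reviewer will ask.
"""
import hashlib
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import List, Optional

TRUST_LEVELS = ("corroborated", "single-source", "unverified")


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of captured content; this is the value you cite in the report."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class EvidenceRecord:
    url: str
    retrieved_at: str        # ISO-8601 UTC timestamp of the capture
    method: str              # e.g. "manual browser capture from analysis VM"
    content_sha256: str      # hash of the captured bytes
    trust: str               # one of TRUST_LEVELS (mistake 4: flag weak data)
    note: str                # analyst remarks, e.g. what corroborated it
    prev_hash: str           # record_hash of the previous entry, "" for the first
    record_hash: str = ""    # filled in by the ledger

    def compute_hash(self) -> str:
        """Hash every field except record_hash, in a canonical JSON form."""
        body = {k: v for k, v in asdict(self).items() if k != "record_hash"}
        return sha256_hex(json.dumps(body, sort_keys=True).encode())


class EvidenceLedger:
    def __init__(self) -> None:
        self.records: List[EvidenceRecord] = []

    def add(self, url: str, content: bytes, method: str, trust: str,
            note: str = "", when: Optional[datetime] = None) -> EvidenceRecord:
        """Append a record; `when` lets you pass a fixed time for reproducibility."""
        if trust not in TRUST_LEVELS:
            raise ValueError(f"trust must be one of {TRUST_LEVELS}")
        ts = (when or datetime.now(timezone.utc)).isoformat()
        prev = self.records[-1].record_hash if self.records else ""
        rec = EvidenceRecord(url, ts, method, sha256_hex(content), trust, note, prev)
        rec.record_hash = rec.compute_hash()
        self.records.append(rec)
        return rec

    def verify_chain(self) -> bool:
        """True only if no record was modified and none was inserted or dropped."""
        prev = ""
        for rec in self.records:
            if rec.prev_hash != prev or rec.compute_hash() != rec.record_hash:
                return False
            prev = rec.record_hash
        return True

    def matches_content(self, index: int, content: bytes) -> bool:
        """Re-check an archived capture against the hash recorded at collection time."""
        return self.records[index].content_sha256 == sha256_hex(content)

    def needs_corroboration(self) -> List[str]:
        """URLs the report must flag as less than fully trustworthy (mistake 4)."""
        return [r.url for r in self.records if r.trust != "corroborated"]


# Constructed sample data, not a real capture.
SAMPLE_PAGE = b"<html><body>constructed profile page for example.invalid</body></html>"
SAMPLE_URL = "https://example.invalid/profile/placeholder"


def build_sample_ledger() -> EvidenceLedger:
    ledger = EvidenceLedger()
    fixed = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    ledger.add(SAMPLE_URL, SAMPLE_PAGE, "manual browser capture from analysis VM",
               "single-source", "no second source yet", when=fixed)
    ledger.add(SAMPLE_URL + "/posts", b"constructed second capture",
               "manual browser capture from analysis VM", "corroborated",
               "matches archived copy", when=fixed)
    return ledger


if __name__ == "__main__":
    ledger = build_sample_ledger()
    print("chain intact:", ledger.verify_chain())
    print("flag in report:", ledger.needs_corroboration())
```

Run the script to see the ledger built and verified; in practice you would serialize `ledger.records` to JSON alongside the archived captures so the hashes and the bytes travel together to the report.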

Want to learn more about OSINT gathering and analysis? Take a look at the SEC487: Open-Source Intelligence (OSINT) Gathering and Analysis course written by Micah Hoffman. The course will teach you current, real-world skills, techniques, and tools that law enforcement, private investigators, cyber attackers, and defenders use to scour the massive amount of information across the Internet, analyze the results, and pivot on interesting pieces of data to find other areas for investigation.
