Basics of OSINT in the Context of Fighting Cybercrime – The Definite Beginner’s Guide
“What use are they? They’ve got over 40,000 people over there reading newspapers.” – President Nixon
This introductory guide to the world of OSINT is part of an upcoming series of articles aimed at helping both novice and experienced security practitioners, including analysts, enter the world of OSINT for cybercrime research. It offers a high-profile, never-before-published, practical general overview, introductory material and training course material, relevant to today’s Internet and cybercrime ecosystem with its nation-state and rogue cyber adversaries, for novice beginners as well as advanced Internet users, hackers, security consultants, analysts and researchers who are interested in exploring the world of OSINT (Open Source Intelligence) in order to do their work in a better and more efficient way, and to become fully capable and equipped to catch the bad guys online: to monitor and track them down to the point of building the big picture of their fraudulent and rogue online activities. The course, including the actual learning and training material, is courtesy of Dancho Danchev, who is considered one of the most popular security bloggers, threat intelligence analysts and cybercrime researchers internationally and within the security industry.
The primary purpose of this guide is to summarize Dancho Danchev’s more than a decade of active and passive, including actionable, threat intelligence, OSINT research and cybercrime research experience. The ultimate goal is to empower the student or the organization taking this course to do their online research work better, to be fully capable of tracking down and monitoring the rogue and malicious online activities of the bad guys, and to better position and enhance their cyber attack and malicious threat actor campaign attribution skills, ultimately improving their work, teaching them how to do OSINT for good and, most importantly, how to track down and monitor the bad guys.
In a world dominated by sophisticated cybercrime gangs and nation-state sponsored and tolerated rogue cyber actors, the use of OSINT (Open Source Intelligence) is crucial for building the big picture in the context of fighting cybercrime internationally, including actually “connecting the dots” and providing personally identifiable information to a closed-group, invite-only LE (law enforcement) community and international intelligence agencies on their way to tracking down and prosecuting the cybercriminals behind these campaigns.
In this training and learning material Dancho Danchev, one of the security industry’s most popular and high-value security bloggers and cybercrime researchers, will offer an in-depth peek inside the world of OSINT in the context of fighting cybercrime and will provide practical advice and examples, in particular a case study on how he tracked down and shut down the infamous Koobface botnet and continued to supply never-before-published and potentially sensitive and classified information on new cyber threat actors, which he continues to publish at Dancho Danchev’s blog.
Table of Contents
- Basics of OSINT
- Current State of the Cybercrime Ecosystem
- Advanced OSINT Tactics
- Practical OSINT Advice
- Case Study on Fighting Cybercrime Using OSINT
Basics of OSINT
OSINT in the context of fighting cybercrime can best be described as the systematic and persistent use of public information for the purpose of building cyber threat intelligence enriched data sets and intelligence databases, both for real-time situational awareness and for historical OSINT preservation purposes, which also includes actually “connecting the dots” in cybercrime gang and rogue cyber actor campaigns and cyber attacks. A general example would consist of obtaining a single malicious software sample and running it in a public sandbox to further map the infrastructure of the cybercriminal behind it, potentially exposing the big picture behind the campaign and connecting the dots behind their infrastructure. This would lead to a multitude and variety of personally identifiable information getting exposed, which could help build a proprietary cybercrime gang activity database and actually assist LE in tracking down and prosecuting the cybercriminals behind these campaigns.
“There’s no such thing as new cyber threat actors. It’s just new players adopting economic and marketing concepts to steal money and cause havoc online.”
The primary idea here is to locate free and public online repositories of malicious software and to obtain a sample, which will later be run in a public sandbox for the purpose of mapping the Internet-connected infrastructure of the cybercrime gang in question, elaborating on the ways they attempt to monetize access to the compromised host, including the possible ways in which they make money, and finding out what exactly they are trying to compromise. Possible examples here include VirusTotal, or actually running a malware interception honeypot such as a spam trap, which would allow you to intercept currently circulating in-the-wild malware campaigns that propagate using email and to analyze them in terms of connecting the dots, exposing their Internet-connected infrastructure and establishing the foundations for a successful career in the world of malicious software analysis and cybercrime research.
“Everything that can be seen is already there.”
The next logical step would be to properly assess and analyze the recently obtained sample and to establish the foundation of a “connect the dots” culture within your organization, where the primary goal would be to have researchers and analysts look for clues on their way to tracking down and monitoring a specific campaign, potentially coming up with new and novel cyber attack attribution research. Visualization is often the key to everything in terms of visualizing threats and looking for additional clues, including possible cyber attack attribution clues. This is where a popular visualization and threat analysis tool known as Maltego should come into play: it offers an advanced and sophisticated way to process OSINT, cybercrime research and threat intelligence type information and to enrich it using public and proprietary sources of information for the purpose of establishing the big picture and actually connecting the dots for a specific cyber attack campaign.
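As an added illustration of the sample-to-sandbox-to-infrastructure workflow described above (this is not code from the original guide and uses constructed, placeholder sandbox data), the following Python clusters samples that share network indicators and pivots from one indicator to the rest of its cluster, the kind of link data one would then feed into a graph tool such as Maltego. It also drops the benign noise every sandboxed binary produces (OS time and update checks) so that such indicators do not falsely link unrelated campaigns.

```python
from collections import defaultdict

# Constructed sandbox reports (placeholder hashes and hostnames, not real indicators).
REPORTS = [
    {"sha256": "SAMPLE_A", "domains": ["loader-cdn.example", "time.example-os.test"],
     "ips": ["192.0.2.10"]},
    {"sha256": "SAMPLE_B", "domains": ["panel-two.example", "time.example-os.test"],
     "ips": ["192.0.2.10"]},
    {"sha256": "SAMPLE_C", "domains": ["panel-two.example"], "ips": ["198.51.100.7"]},
    {"sha256": "SAMPLE_D", "domains": ["time.example-os.test"], "ips": ["203.0.113.5"]},
]

# Constructed noise list: hosts every sandboxed binary touches must never join two samples.
NOISE = {"time.example-os.test"}

def index_indicators(reports):
    """Map each non-noise network indicator to the set of samples that contacted it."""
    idx = defaultdict(set)
    for r in reports:
        for ioc in r["domains"] + r["ips"]:
            if ioc not in NOISE:
                idx[ioc].add(r["sha256"])
    return idx

def cluster_samples(reports):
    """Group samples that share any non-noise indicator, transitively (union-find)."""
    parent = {r["sha256"]: r["sha256"] for r in reports}
    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x
    for samples in index_indicators(reports).values():
        first, *rest = sorted(samples)
        for s in rest:
            parent[find(s)] = find(first)
    groups = defaultdict(set)
    for s in parent:
        groups[find(s)].add(s)
    return sorted(sorted(g) for g in groups.values())

def pivot(reports, ioc):
    """From one indicator, return every indicator tied to the cluster of samples using it."""
    idx = index_indicators(reports)
    related = set()
    for cluster in cluster_samples(reports):
        if idx.get(ioc, set()) & set(cluster):
            related |= {i for i, s in idx.items() if s & set(cluster)}
    return sorted(related)
```

Without the noise filter, SAMPLE_D would be pulled into the A/B/C cluster through the shared time server alone, which is exactly the false link an analyst must avoid when attributing a campaign.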
Among the first things you should consider before beginning your career in the world of OSINT is that everything you need to know about a specific online event or a specific online campaign, including the activities of the bad guys online, is already out there in the form of publicly accessible information. It only needs to be processed and enriched to the point where the big picture for a specific event or malicious online campaign is established, using both qualitative and quantitative methodologies, which also includes the process of obtaining access to the actual technical details and information behind a specific online event or an actual malicious and rogue online campaign.
Among the few key things to keep in mind when doing OSINT, including OSINT for cyber attack and cyber campaign attribution, is the fact that in 99% of the cases all the collection information you need for a specific case is already publicly known and publicly accessible, so that instead of having to obtain access to a private or proprietary source of information, the only thing you would have to do to obtain access to it is to use the world’s most popular search engine for collection, processing and enrichment.
The second thing to keep in mind when doing OSINT is that you don’t need to obtain access to proprietary, or even public, OSINT tools.
Current State of the Cybercrime Ecosystem
In 2021 a huge number of the threats facing the security industry, including vendors and organizations online, consist of RATs (Remote Access Tools), malicious software that is part of a larger botnet, malicious and fraudulent spam and phishing emails, and client-side exploits and vulnerabilities which have the potential to compromise an organization’s or a vendor’s endpoints for the purpose of dropping malware on the affected host, as well as the rise of the ransomware threat, which is basically an old-fashioned academic concept known as cryptoviral extortion.
With more novice cybercriminals joining the underground ecosystem market segment, largely driven by a set of newly emerged affiliate-based revenue-sharing fraudulent and malicious networks offering financial incentives for participation in a fraudulent scheme, it shouldn’t be surprising that more people are actually joining the cybercrime ecosystem, potentially causing widespread damage and havoc online.
With cybercrime-friendly forums continuing to proliferate, it should be clearly evident that more people will eventually join these marketplaces, potentially looking for new market segment propositions to take advantage of for the purpose of joining the cybercrime ecosystem, and that more vendors will eventually continue to occupy and launch new underground forum market propositions for the purpose of promoting their services and looking for new clients.
In a world dominated by a geopolitically relevant Internet cybercrime ecosystem, it shouldn’t be surprising that more international cybercrime gangs will eventually continue to launch new fraudulent and malicious spam and phishing campaigns, as well as malicious software campaigns, for the purpose of earning fraudulent revenue.
With more affiliate-based underground market segment networks aiming to attract new users, forwarding the risk of the actual infection process and fraudulent transaction to the actual user in exchange for offering access to sophisticated bulletproof infrastructure, including advanced and sophisticated malware and ransomware releases, it shouldn’t be surprising that more people are actually joining these affiliate networks for the purpose of earning fraudulent revenue in the process of causing havoc and widespread disruption online.