Cybercriminals are skilled at using public information to their advantage. Knowing how they gather this data can help…
Analysis Summary
# Tool/Technique: Open Source Intelligence (OSINT) Collection Against Individuals/Organizations
## Overview
The process by which cybercriminals gather intelligence (personal data, organizational details, and system weaknesses) from publicly available sources such as social media, public records, job postings, and news articles, and then use it to craft highly targeted and convincing social engineering or phishing attacks.
## Technical Details
- Type: Technique (Information Gathering/Reconnaissance)
- Platform: Any platform where information resides publicly (Web, Social Media, Public Databases)
- Capabilities: Identifying targets, learning habits/interests, finding key employees, discovering organizational weaknesses.
- First Seen: Not specifically dated; this is a foundational intelligence gathering methodology.
## MITRE ATT&CK Mapping
- TA0043 - Reconnaissance
- T1589 - Gather Victim Identity Information
- T1589.002 - Email Addresses
- T1589.003 - Employee Names
- T1591 - Gather Victim Org Information
- T1591.004 - Identify Roles (e.g., from job postings)
- T1593 - Search Open Websites/Domains
- T1593.001 - Social Media
- T1593.002 - Search Engines
- T1594 - Search Victim-Owned Websites
- T1598 - Phishing for Information (when the collected data is used to elicit more, e.g., by email or phone)
## Functionality
### Core Capabilities
- Collecting personal data (birthdays, anniversaries, interests, relationships) from social media.
- Querying public records and people-search databases (names, addresses, phone numbers) and enriching the result with previously breached data where it is available to the attacker (credentials, financial details).
- Analyzing job postings to understand internal company projects or identify employee roles for impersonation.
- Reviewing news articles and public research for organizational context or security understanding.
### Advanced Features
- Compiling disparate pieces of public data into comprehensive victim profiles.
- Using gathered intelligence to craft highly personalized and convincing social engineering payloads (phishing, vishing).
- Impersonating trusted sources (colleagues, banks, IT support) using tailored context.
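The profile-compilation and "find key employees" steps above, as an added example that is not code from the original report. It shows the correlation logic an attacker (or a red team rehearsing this technique) applies once scraping is done: infer the organization's e-mail address format from a few name/e-mail pairs found on one public page, generate candidate addresses for employees named elsewhere, merge every mention of a person into one profile, and flag roles worth impersonating or targeting. All names, the `example.com` domain, the address formats, and the role keyword list are constructed assumptions for the example.

```python
"""Added example: correlating scraped public data into target profiles.

Everything below is constructed sample data; the names, roles, and the
example.com domain are placeholders, not real people or organisations.
"""
from collections import Counter

# Name/e-mail pairs as an attacker might lift from a conference speaker page.
KNOWN_PAIRS = [
    ("Raj Patel", "raj.patel@example.com"),
    ("Li Wei", "li.wei@example.com"),
]

# Employees found elsewhere (social media, job postings, news) with no address.
EMPLOYEES = [
    {"name": "Jane Doe", "role": "Accounts Payable Manager", "source": "social media"},
    {"name": "Tom Smith", "role": "IT Service Desk Lead", "source": "job posting"},
    {"name": "Ana Lopez", "role": "Chief Financial Officer", "source": "news article"},
    {"name": "Jane Doe", "role": None, "source": "news article"},  # second mention
    {"name": "Sam Green", "role": "Graphic Designer", "source": "social media"},
    {"name": "Raj Patel", "role": "Sales Engineer", "source": "conference page"},
]

# Personal detail from public posts, keyed by name (constructed).
INTERESTS = {"Jane Doe": ["marathon running", "speaking at a vendor conference"]}

# Common corporate address formats, (first, last) -> local part (assumed list).
FORMATS = {
    "first.last": lambda f, l: f"{f}.{l}",
    "flast": lambda f, l: f"{f[0]}{l}",
    "firstl": lambda f, l: f"{f}{l[0]}",
    "first": lambda f, l: f,
    "last.first": lambda f, l: f"{l}.{f}",
}

# Role words an attacker prefers to impersonate or target (assumed keyword list).
KEY_ROLE_WORDS = ("finance", "financial", "payable", "treasury", "it", "service desk", "chief")


def split_name(name):
    parts = name.lower().split()
    return parts[0], parts[-1]


def infer_format(pairs):
    """Pick the address format that reproduces the most known name/e-mail pairs."""
    votes = Counter()
    for name, email in pairs:
        first, last = split_name(name)
        local = email.split("@", 1)[0].lower()
        for fmt_name, fmt in FORMATS.items():
            if fmt(first, last) == local:
                votes[fmt_name] += 1
    if not votes:
        return None
    return votes.most_common(1)[0][0]


def candidate_email(name, fmt_name, domain):
    """Guess an address for a name under the given format."""
    first, last = split_name(name)
    return f"{FORMATS[fmt_name](first, last)}@{domain}"


def build_profiles(employees, interests, pairs, domain):
    """Merge every mention of a person into one profile, keyed by name."""
    fmt_name = infer_format(pairs) or "first.last"  # fall back to the commonest format
    known = dict(pairs)
    profiles = {}
    for rec in employees:
        p = profiles.setdefault(rec["name"], {
            "name": rec["name"], "role": None, "sources": [],
            "email": known.get(rec["name"]) or candidate_email(rec["name"], fmt_name, domain),
            "email_confirmed": rec["name"] in known,   # seen in public vs. guessed
            "interests": interests.get(rec["name"], []),
        })
        if rec["role"] and not p["role"]:
            p["role"] = rec["role"]
        if rec["source"] not in p["sources"]:
            p["sources"].append(rec["source"])
    return profiles


def key_targets(profiles):
    """Names whose role contains a word from the assumed high-value keyword list."""
    out = []
    for p in profiles.values():
        role = f" {(p['role'] or '').lower()} "
        if any(f" {w} " in role for w in KEY_ROLE_WORDS):
            out.append(p["name"])
    return sorted(out)


if __name__ == "__main__":
    profiles = build_profiles(EMPLOYEES, INTERESTS, KNOWN_PAIRS, "example.com")
    for p in profiles.values():
        print(p)
    print("key targets:", key_targets(profiles))
```

The defensive reading of this block: two published name/e-mail pairs are enough to make every other employee's address guessable, and a single public post tying a person to a role and an interest is enough to give the resulting phishing e-mail a credible pretext. The `email_confirmed` flag is what separates facts the attacker found from guesses that still need verification.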
## Indicators of Compromise
- File Hashes: N/A (This is a methodology, not malware)
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: N/A for the collection phase, which is passive browsing or querying of open sources the target does not control. The one exception is the organization's own web properties: server logs there can show a single client enumerating staff pages or fetching documents at machine speed.
- Behavioral Indicators: Inbound phishing, vishing, or contact requests that reference details obtainable only by piecing together public sources (recent hires, project names from job postings, personal events from social media), often arriving shortly after those details were published.
## Associated Threat Actors
- Financially motivated cybercriminals (business email compromise, payment fraud)
- Actors enriching public profiles with data from prior breaches
- Any attacker whose initial access relies on social engineering
## Detection Methods
- Signature-based detection: Not applicable.
- Behavioral detection: Reconnaissance against third-party sources (social media, people-search sites) is invisible to the target, so detection rests on what touches assets you control: monitoring your own web server logs for clients enumerating staff directories or bulk-downloading documents, placing canary documents or addresses in public-facing content and alerting when they are fetched or used, and periodically querying search engines and code-hosting sites for your domain to find internal documents or forums that were indexed because of a misconfiguration.
- YARA rules if available: Not applicable.
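The two observable signals from the detection section (a client enumerating the public staff directory, and a canary document being fetched) as an added example run over constructed web server log lines; this is not code or data from the original report. The log lines are in the Apache combined format with placeholder IP addresses and paths; the staff-directory prefix, the canary path, the five-page threshold, and the ten-minute window are assumptions chosen for the example and should be tuned to real traffic before use.

```python
"""Added example: flagging reconnaissance against an organisation's own website.

Log lines are constructed in the Apache combined log format; hosts, paths and
IP addresses are placeholders. Thresholds and the canary path are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

STAFF_PREFIX = "/about/team/"                      # public staff directory (assumed path)
CANARY_PATHS = {"/docs/vendor-contacts-2024.pdf"}  # never linked from real pages (assumed)
ENUM_THRESHOLD = 5                                 # distinct staff pages per client per window
WINDOW = timedelta(minutes=10)

# Constructed sample: one scraper, one ordinary visitor, one canary fetch.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2024:09:00:01 +0000] "GET /about/team/ HTTP/1.1" 200 5123 "-" "python-requests/2.31"
203.0.113.7 - - [12/Mar/2024:09:00:02 +0000] "GET /about/team/jane-doe HTTP/1.1" 200 2311 "-" "python-requests/2.31"
203.0.113.7 - - [12/Mar/2024:09:00:03 +0000] "GET /about/team/tom-smith HTTP/1.1" 200 2290 "-" "python-requests/2.31"
203.0.113.7 - - [12/Mar/2024:09:00:04 +0000] "GET /about/team/ana-lopez HTTP/1.1" 200 2405 "-" "python-requests/2.31"
203.0.113.7 - - [12/Mar/2024:09:00:05 +0000] "GET /about/team/sam-green HTTP/1.1" 200 2198 "-" "python-requests/2.31"
203.0.113.7 - - [12/Mar/2024:09:00:06 +0000] "GET /about/team/raj-patel HTTP/1.1" 200 2377 "-" "python-requests/2.31"
203.0.113.7 - - [12/Mar/2024:09:00:07 +0000] "GET /about/team/admin HTTP/1.1" 404 512 "-" "python-requests/2.31"
198.51.100.20 - - [12/Mar/2024:09:03:10 +0000] "GET /about/team/ HTTP/1.1" 200 5123 "https://www.example.com/" "Mozilla/5.0"
198.51.100.20 - - [12/Mar/2024:09:04:42 +0000] "GET /about/team/jane-doe HTTP/1.1" 200 2311 "https://www.example.com/about/team/" "Mozilla/5.0"
198.51.100.20 - - [12/Mar/2024:09:05:01 +0000] "GET /careers/ HTTP/1.1" 200 7810 "https://www.example.com/" "Mozilla/5.0"
192.0.2.9 - - [12/Mar/2024:09:30:15 +0000] "GET /docs/vendor-contacts-2024.pdf HTTP/1.1" 200 88210 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], TS_FMT)
    ev["status"] = int(ev["status"])
    return ev


def parse_log(text):
    events = (parse_line(line) for line in text.splitlines() if line.strip())
    return [e for e in events if e]


def staff_enumerators(events, prefix=STAFF_PREFIX, threshold=ENUM_THRESHOLD, window=WINDOW):
    """Clients that fetched >= threshold distinct pages under prefix inside one window."""
    per_ip = defaultdict(list)
    for e in events:
        if e["path"].startswith(prefix) and e["status"] == 200:
            per_ip[e["ip"]].append((e["ts"], e["path"]))
    flagged = {}
    for ip, hits in per_ip.items():
        hits.sort()
        best = 0
        for i, (start, _) in enumerate(hits):
            # distinct pages in the window that opens at this request
            seen = {p for t, p in hits[i:] if t - start <= window}
            best = max(best, len(seen))
        if best >= threshold:
            flagged[ip] = best
    return flagged


def canary_hits(events, canaries=CANARY_PATHS):
    """Any request for a canary path is an alert regardless of volume."""
    return [(e["ip"], e["path"]) for e in events if e["path"] in canaries]


def recon_alerts(log_text):
    events = parse_log(log_text)
    alerts = []
    for ip, n in sorted(staff_enumerators(events).items()):
        alerts.append(("staff_directory_enumeration", ip, f"{n} distinct profile pages within {WINDOW}"))
    for ip, path in canary_hits(events):
        alerts.append(("canary_document_fetched", ip, path))
    return alerts


if __name__ == "__main__":
    for alert in recon_alerts(SAMPLE_LOG):
        print(alert)
```

The enumeration rule counts distinct successful pages rather than raw requests, so a visitor reloading one profile does not trip it, and the 404 probe is ignored by the counter but is still visible in the raw events if you want a separate rule for guessed paths. The canary rule is the cheaper and higher-confidence of the two: a document that no legitimate page links to should only be fetched by something that found it through indexing or a leaked listing.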
## Mitigation Strategies
- Limiting the sharing of personal, professional, or sensitive information on social media and public profiles.
- Regularly auditing and tightening privacy settings across all online platforms.
- Implementing security awareness training focusing specifically on external reconnaissance and social media threats for employees.
- Regular security assessments, including searching for your own domain on search engines and code-hosting sites, to find and fix misconfigured public-facing documentation, staff directories, or databases.
## Related Tools/Techniques
- Phishing (T1566)
- Spearphishing Attachment (T1566.001) and Spearphishing Link (T1566.002)
- Phishing for Information (T1598)
- Impersonation (T1656)