In the cybersecurity world, knowledge is power. Threat actors have become increasingly adept at using Open-Source Intelligence (OSINT) to gather valuable insights about organizations, often before those organizations can react and put defensive measures in place. This publicly available data, from social media profiles to exposed network infrastructure, can be the blueprint for a threat actor's first step toward breaching your systems.
For those tasked with protecting organizations (CISOs, security managers, and offensive security engineers), understanding how OSINT is used to gain initial access isn't just good practice; it's a necessity in today's dynamic threat environment. To stay ahead of advanced threats, you must start thinking like an attacker, using the same tools and techniques to identify and mitigate your exposure preemptively.
What is OSINT?
OSINT Before
Originally, OSINT referred to collecting data from publicly available sources such as newspapers, TV or radio broadcasts, and public records. Intelligence agencies and governments have long used OSINT to follow geopolitical movements or track public sentiment. In those early days the available information was limited, and collecting it was slow and manual.
For a long time, cybersecurity circles regarded the process as less critical. Data was siloed and less interconnected, and organizations shared less online. Threat actors could still glean valuable insights, but the depth of information available was far from what we see today.
OSINT Now
OSINT has undergone a significant and rapid transformation. The rise of the internet and social media has made personal and organizational data publicly available and easily accessible. Nowadays, OSINT is not just about employee social media profiles or emails. OSINT can be leveraged to collect exposed source code, leaked credentials, or details about internal structures and exposed systems.
Example of the company’s utilization report found in the public GitHub repo:
Threat actors can leverage OSINT to mine data quickly and effectively. What once took weeks to gather can now be compiled in hours, and the insights are deeper and more revealing, often the precursor to a successful attack. The speed and efficiency of modern OSINT underscore the urgency of staying protected from these threats.
The Role of OSINT in Achieving Initial Access
Gaining initial access is one of the most challenging tasks in red team engagements and penetration tests. Threat actors widely use OSINT to uncover vulnerabilities and credentials, learn how an organization operates, or even find exploitable entry points.
Several examples of how OSINT can help in gaining initial access:
- Employee Information Gathering
- Domain and Infrastructure Mapping
- Leaked Credentials and Data Breaches
- Supply Chain Weaknesses
Employee Information Gathering
Threat actors often start by mining social media platforms like LinkedIn, Twitter, and Facebook to collect personal and professional details about employees. Information such as job titles, contact details, and work habits can be used to craft compelling phishing emails or social engineering attacks. For example, an attacker might use details gathered from an employee’s LinkedIn profile to create a tailored spear-phishing email, increasing the likelihood of the email being opened and acted upon.
Domain and Infrastructure Mapping
Tools like Shodan, Censys, and others enable attackers to map out a company’s digital infrastructure and identify publicly exposed systems, misconfigured services, or unpatched vulnerabilities. By examining the metadata of public-facing websites or scanning for open ports, attackers can pinpoint potential targets.
Leaked Credentials and Data Breaches
With data breaches, the risks may seem straightforward. Yet a typical organization's services landscape is now a complex ecosystem of IT services and systems that support the operations and functions of a large organization. The proliferation of development tools has streamlined how teams work: tools like Postman, SwaggerHub, and GitHub have become indispensable in the daily operations of development and IT teams. However, the convenience these tools offer comes with security risks that must be managed. APIs, too, have become essential to IT operations. By convenience I don't mean that business practices like publishing API documentation should be reconsidered. The problem arises when IT staff use the platforms mentioned above from their personal accounts and put corporate secrets into pet projects or test scripts for convenience, not realizing that someone can come along later and look for exactly that information. Another point is that people rarely care much about someone else's secrets.
Maybe you can say that your organization is not at risk because you’re using 2FA. But how many AD service accounts are protected with 2FA? Are you sure that AD service accounts can’t connect to a VPN?
Don't assume threat actors only seek ransom. In many cases, stealing sensitive data is their primary goal. While employee accounts are usually well protected, service accounts often lack adequate security measures such as two-factor authentication (2FA) because of how they are used. Not every organization faces the threat of ransomware; in some cases, attackers target data that is freely accessible within the organization's ecosystem. Have you ever wondered what would happen if someone obtained valid credentials and gained access to your organization's Azure, SharePoint, or OneDrive? How much information is available there?
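As an added defender's check (example code, not from the original post), here is a small Python scanner that walks an exported OpenAPI/Swagger JSON document and flags example values that look like real credentials, the kind of material the passage above describes ending up in a personal SwaggerHub or Postman project. The sample document and every value in it are constructed; because the scanner walks JSON generically, the same logic applies to other JSON exports such as Postman collections.

```python
import json
import re

# Constructed sample OpenAPI document, modelled on a Swagger file a developer might
# export to a public SwaggerHub project with real values left in the request examples.
SAMPLE_OPENAPI = json.dumps({
    "openapi": "3.0.0",
    "components": {"securitySchemes": {"basic": {"type": "http", "scheme": "basic"}}},
    "paths": {
        "/login": {"post": {"requestBody": {"content": {"application/json": {"example": {
            "username": "svc_sync@corp.example",  # constructed AD service account name
            "password": "Winter2024!"}}}}}},      # constructed password
        "/report": {"get": {"parameters": [{"name": "Authorization", "in": "header",
            "example": "Bearer eyJhbGciOiJIUzI1NiJ9.e30.c2lnbmF0dXJl"}]}},  # constructed token
    },
})

# Keys whose example values should never be real, and value shapes that are credentials on their own.
SENSITIVE_KEYS = re.compile(r"(password|passwd|secret|token|api[_-]?key)", re.I)
VALUE_PATTERNS = {
    "bearer token": re.compile(r"^Bearer\s+\S{16,}", re.I),
    "basic auth header": re.compile(r"^Basic\s+[A-Za-z0-9+/=]{8,}"),
    "service account name": re.compile(r"^svc[_-][\w.@-]+$", re.I),
}

def walk(node, path=""):
    """Yield (json_path, leaf_key, value) for every scalar in a parsed JSON document."""
    if isinstance(node, dict):
        for key, child in node.items():
            yield from walk(child, f"{path}/{key}")
    elif isinstance(node, list):
        for i, child in enumerate(node):
            yield from walk(child, f"{path}[{i}]")
    else:
        yield path, path.rsplit("/", 1)[-1], node

def find_secrets(doc_text):
    """Return {path, reason} findings; securitySchemes entries describe auth types, so they are skipped."""
    findings = []
    for path, key, value in walk(json.loads(doc_text)):
        if not isinstance(value, str) or "/securitySchemes/" in path:
            continue
        if SENSITIVE_KEYS.search(key) and len(value) >= 6:
            findings.append({"path": path, "reason": f"value under sensitive key '{key}'"})
            continue
        for label, pattern in VALUE_PATTERNS.items():
            if pattern.match(value):
                findings.append({"path": path, "reason": f"looks like a {label}"})
                break
    return findings
```

Run it over the API specs and collections your teams publish, and treat any hit as a credential to rotate, not just a document to clean up.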
Supply Chain Weaknesses
Attackers also utilize OSINT to identify third-party suppliers and partners with weaker security postures. By compromising a less secure partner, attackers can indirectly access the primary target’s systems. This approach, known as a supply chain attack, leverages the interconnected nature of modern business ecosystems to bypass more robust security defenses.
A good example is the Ticketmaster breach that occurred in May 2024. The threat group breached Ticketmaster by accessing its account on Snowflake, a third-party cloud-based data warehouse.
Practical Use Case
During a recent Cobalt engagement where I was tasked with pen testing an external attack surface, I found AD service account credentials exposed in a public SwaggerHub collection:
Immediately, I was able to gain access to the organization’s Azure Portal:
And access to the organization’s SharePoint:
What about Power BI?
Do you want to know how to connect to a VPN? Here we go:
This simple move provided me with valuable access and insights about the organization.
Mitigating OSINT-Based Threats
A lot has been said and published on mitigating such types of threats. I won’t make another mention of DLP and other black magic.
Here is my list of comprehensive steps:
- Digital Footprint Monitoring
- Employee Awareness and Training
- Strengthen Authentication Mechanisms
- Vulnerability Scanning and Patching
- Third-Party Risk Management
OSINT is essential to attack surface monitoring, because covering only digital assets leaves gaps. People have become part of the attack surface. Do not treat OSINT findings as mere leaks; that narrow view puts you at a disadvantage. OSINT findings provide a roadmap to better understand an organization's operations and structure and, in some cases, even the directions for initial access.
Conclusion and Action
In today's cybersecurity landscape, OSINT is no longer a tool only attackers use. As threats evolve, organizations must incorporate OSINT into their defensive strategies to proactively identify risks before they are exploited. From monitoring digital footprints to understanding how attackers can use publicly available data, shifting perspective and thinking like an adversary gives defenders a critical advantage.
By recognizing OSINT's role in achieving initial access, organizations can better protect their assets, people, and data. Security teams integrating OSINT into their risk assessments will be better equipped to prevent attacks, mitigate vulnerabilities, and maintain resilience in an increasingly interconnected world.
Perform a comprehensive Digital Risk Assessment today to understand how your organization is exposed. Identifying publicly available and potentially exploitable data can reduce the attack risk and bolster your overall security posture.