Monday, July 22, 2013

OSINT...Oh What?

Introduction

I recently participated in a brief Twitter conversation that started with a statement that the terms "OSINT" (Open Source INTelligence) and "OPSEC" (OPerational SECurity) are too military-sounding (they are military terms after all) and thus might turn some audiences off from understanding the underlying concepts, particularly those audiences who really ought to understand and apply them.  I wanted to comment more on these concepts, but 140 characters makes it tough to do.  Hence, I decided to write a couple of blog posts to discuss what these terms specifically mean, why they are applicable in the private sector, and some potential alternative terms that might be more widely accepted outside the government.

In this first of two posts, I discuss OSINT.  In a follow-on post I will discuss OPSEC.

What is OSINT?

Intelligence

To understand open source intelligence, you first must understand the intelligence part of the term.  Joint Publication 1-02 (JP 1-02), "Department of Defense Dictionary of Military and Associated Terms", defines intelligence as:

"The product resulting from the collection, processing, integration, evaluation, analysis, and interpretation of available information concerning foreign nations, hostile or potentially hostile forces or elements, or areas of actual or potential operations..."

That's a mouthful, but in layman's terms intelligence is the final product of the analysis of (potentially) disparate pieces of information into a coherent meaning.  The "interpretation of...information" is the key element in this definition, as intelligence is the outcome of human judgement that gives meaning and application to raw information.  Even before you have information to analyze, you have raw data that may have even less apparent value or meaning.  The following graphic illustrates the relationship among data, information, and intelligence:

Source: Joint Publication 2-0, "Joint Intelligence", June 22, 2007
Retrieved July 21, 2013, from http://www.dtic.mil/doctrine/new_pubs/jp1_02.pdf

Here's a very simplistic example of this relationship in information security terms:

  • Data:  Raw log files collected from disparate network nodes.
  • Information:  A timeline of network activity derived from processing the log files.
  • Intelligence:  An assessment of an attacker's tactics, derived from analysis of the timeline of what took place on the network.  This is probably combined with other data and information sources and might also include an estimate of future attacker actions, or even attribution to a specific threat group based on observed tactics.
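As an added illustration of the three layers in the list above (example code written for this page, not code from the original post), the following Python takes constructed raw log lines from three hypothetical nodes (a firewall, a web server and a database host; the hostnames, IP addresses, paths and log formats are invented), merges them into one normalized timeline, and then applies a few simple analyst rules to the timeline to produce an assessment of the tactics observed.  The parsing expressions, the assumed syslog year and the detection thresholds are all assumptions of this example, not anything the post specifies.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timezone

# DATA: constructed raw log lines from three hypothetical nodes.
# Hostnames, addresses, paths and timestamps are invented for this example.
RAW_LOGS = {
    "fw01": [
        "Jul 22 02:14:07 fw01 kernel: DROP SRC=203.0.113.5 DST=10.0.0.8 DPT=22",
        "Jul 22 02:14:09 fw01 kernel: DROP SRC=203.0.113.5 DST=10.0.0.8 DPT=23",
        "Jul 22 02:14:11 fw01 kernel: ACCEPT SRC=203.0.113.5 DST=10.0.0.8 DPT=443",
    ],
    "web01": [
        '203.0.113.5 - - [22/Jul/2013:02:14:12 +0000] "GET /login HTTP/1.1" 200 512',
        '203.0.113.5 - - [22/Jul/2013:02:14:15 +0000] "POST /login HTTP/1.1" 401 88',
        '203.0.113.5 - - [22/Jul/2013:02:14:16 +0000] "POST /login HTTP/1.1" 401 88',
        '203.0.113.5 - - [22/Jul/2013:02:14:17 +0000] "POST /login HTTP/1.1" 401 88',
        '203.0.113.5 - - [22/Jul/2013:02:14:20 +0000] "POST /login HTTP/1.1" 302 0',
    ],
    "db01": [
        "Jul 22 02:14:40 db01 sshd[2211]: Accepted password for svc_web from 10.0.0.8 port 50211 ssh2",
    ],
}

SYSLOG_YEAR = 2013  # assumption: classic syslog lines carry no year, so one is supplied

@dataclass(order=True)
class Event:
    """One normalized record; ordering by ts lets a mixed list be sorted into a timeline."""
    ts: datetime
    node: str
    src: str
    action: str
    detail: str

# Hypothetical formats chosen for this example (netfilter-style, common log format, sshd).
FW_RE = re.compile(r"^(\w{3} \d+ [\d:]+) \S+ kernel: (DROP|ACCEPT) SRC=(\S+) DST=(\S+) DPT=(\d+)")
WEB_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\w+) (\S+) [^"]+" (\d{3})')
SSH_RE = re.compile(r"^(\w{3} \d+ [\d:]+) \S+ sshd\[\d+\]: Accepted \w+ for (\S+) from (\S+)")

def _syslog_ts(text):
    return datetime.strptime(text, "%b %d %H:%M:%S").replace(year=SYSLOG_YEAR, tzinfo=timezone.utc)

def parse_line(node, line):
    """Turn one raw line into a normalized Event, or None if the format is unknown."""
    m = FW_RE.match(line)
    if m:
        ts, verdict, src, dst, dport = m.groups()
        return Event(_syslog_ts(ts), node, src, "fw_" + verdict.lower(), dst + ":" + dport)
    m = WEB_RE.match(line)
    if m:
        src, ts, method, path, status = m.groups()
        return Event(datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), node, src, "http_" + status, method + " " + path)
    m = SSH_RE.match(line)
    if m:
        ts, user, src = m.groups()
        return Event(_syslog_ts(ts), node, src, "ssh_login", user)
    return None

def build_timeline(raw_logs):
    """INFORMATION: merge per-node logs into one chronologically ordered timeline."""
    events = []
    for node, lines in raw_logs.items():
        for line in lines:
            event = parse_line(node, line)
            if event is not None:
                events.append(event)
    return sorted(events)

def assess(timeline):
    """INTELLIGENCE: apply analyst judgement (encoded here as simple rules) to the timeline.

    Returns the source assessed as the attacker and the tactics observed, in the
    order they occurred.  The thresholds are hypothetical and would be tuned per environment.
    """
    tactics = []
    dropped_ports = {}      # src -> set of distinct blocked destination ports
    targeted_hosts = set()  # internal hosts the source reached through the firewall
    failed_logins = 0
    attacker = None
    for e in timeline:
        if e.action in ("fw_drop", "fw_accept"):
            dst, port = e.detail.split(":")
            targeted_hosts.add(dst)
            if e.action == "fw_drop":
                ports = dropped_ports.setdefault(e.src, set())
                ports.add(port)
                if len(ports) == 2:  # second distinct blocked port: treat as a scan
                    attacker = e.src
                    tactics.append("port scan")
        elif e.action == "http_401" and e.detail.endswith("/login"):
            failed_logins += 1
        elif e.action == "http_302" and e.detail.endswith("/login"):
            if failed_logins >= 3:  # several failures then a redirect: guessed credentials
                tactics.append("credential brute force with eventual success")
            failed_logins = 0
        elif e.action == "ssh_login" and e.src in targeted_hosts:
            # a host the attacker reached earlier is now logging in elsewhere
            tactics.append("lateral movement from " + e.src + " to " + e.node)
    return {"attacker": attacker, "tactics": tactics}

if __name__ == "__main__":
    for event in build_timeline(RAW_LOGS):
        print(event.ts.isoformat(), event.node, event.src, event.action, event.detail)
    print(assess(build_timeline(RAW_LOGS)))
```

The point of the split into three functions is the post's point: the log lines alone say nothing, the sorted timeline shows what happened, and only the rules in assess() (which stand in for an analyst's judgement) say what it means.  Estimating the attacker's next move or attributing the activity to a group would need further sources that this example does not have.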

A key philosophy usually followed in military operations is that of intelligence-driven operations: operations must be informed, directed, and focused by intelligence.  For example, a military commander's mission may be to defeat an insurgency.  To do this, the commander must understand the local culture and power structures, identify key community leaders and insurgent personalities, and grasp myriad other details.  These things require collecting relevant information and analyzing it to guide the commander's actions toward his goals.  The alternative is to play "whack-a-mole", constantly chasing the latest problems without really solving the underlying issues.

Intelligence-driven operations in information security might mean understanding the specific threats against your company or industry, including their tactics and capabilities, and organizing your defenses to counter those specific threats instead of deploying broad, generalized defenses that may not stop the threats you actually face.  Threats must also be considered in the context of your specific vulnerabilities and the threat's ability and intent to exploit those vulnerabilities, which together equal your risk (the risk equation includes other factors, such as asset criticality, but calculating risk is a whole other discussion).

Open Source

Now let's address the open source in open source intelligence.  JP 1-02 defines open source intelligence as:

"Information of potential intelligence value that is available to the general public."

This definition is contradictory to the definition of intelligence since we've already established that information and intelligence are not synonymous (amazing, two government documents contradicting one another!).  I'd say this is really a definition of open source information rather than open source intelligence.  Intelligence information is information "of potential intelligence value", but information is not intelligence.  A more accurate definition of open source intelligence, using the definition of intelligence as the root, is:

"The product resulting from the collection, processing, integration, evaluation, analysis, and interpretation of information available to the general public..."

Whether or not information is available to the general public, i.e., "open source", is in the eye of the beholder.  So far I've discussed information and intelligence from the government's point of view.  In that context, open source means information that the government does not keep to itself.  In other words, the average private citizen can access open source information without government clearance or authorization.

Now, just because open source information, and the derived open source intelligence, is not obtained through sensitive government methods doesn't mean it isn't useful.  In fact, the government has organizations devoted to the collection and analysis of open source information.  From the Director of National Intelligence's Open Source Center:
"Information does not have to be secret to be valuable. Whether in the blogs we browse, the broadcasts we watch, or the specialized journals we read, there is an endless supply of information that contributes to our understanding of the world. The Intelligence Community generally refers to this information as Open Source Intelligence (OSINT). OSINT plays an essential role in giving the national security community as a whole insight and context at a relatively low cost.

OSINT is drawn from publicly available material, including:

  • The Internet
  • Traditional mass media (e.g. television, radio, newspapers, magazines)
  • Specialized journals, conference proceedings, and think tank studies
  • Photos
  • Geospatial information (e.g. maps and commercial imagery products)"

OSINT in the Private Sector

"Open source" information in the context of a private business has essentially the same meaning as it does in a government context: information openly available to people and organizations outside the company.  A simplification would be to say open source information is non-proprietary and closed source information is proprietary, which is the point I put forward in the conversation that sparked this post.  However, a corporation might make certain proprietary information publicly available, either for free or for a fee, so proprietary information might also be open source.

With that said, I propose two simple replacement terms for OSINT in the private sector: openly available intelligence (thanks, @kylemaxwell) and publicly available intelligence (with the understanding that public means outside the company).  "Publicly available" might be slightly more accurate because it connotes any information available in any manner outside a company, including information available for a fee or based on some organizational membership.  It is also the term used in the Open Source Center quotation above.  "Openly available" might cause some people to associate the term only with information available with no restrictions whatsoever, although that distinction might be splitting hairs.

Conclusion

It is important to understand the value of publicly-available information to prevent one from dismissing certain sources of information as being unreliable or not useful simply because the information is easily obtained.  Any information, regardless of the source, has potential value.  I think intelligence, however, is a more important concept to grasp than whether or not the intelligence is derived from public (open source) or non-public (closed source) information.  The value of information in practice is based on the application of human analysis and judgement to draw conclusions, make connections between seemingly unrelated or disparate pieces of information, and drive decisions and actions that make the best use of available resources.

That is intelligence.