Beyond the Noise: Extracting Actionable Insights from OSINT Reporting

By Eric Ford, Sr. Threat Intelligence Analyst

Estimated Reading Time: 13 minutes

In today’s cybersecurity landscape, staying informed about the latest threats and trends is crucial for organizations, professionals, and enthusiasts alike. Open-source intelligence reporting, frequently known as OSINT, plays a pivotal role in this context, offering a wealth of information that can help individuals and organizations enhance their security posture. This type of intelligence concerns cybersecurity incidents and trends and is freely available to the public, published in various media formats, such as reports, blog posts, white papers, news articles, and social media posts.

Despite its accessibility, making effective use of open-source threat intelligence reporting is not without challenges. The sheer volume of information and the varying reliability of sources can be overwhelming and potentially misleading. OSINT reporting can also provoke an emotional response. Most professionals in the cybersecurity field read dedicated cybersecurity news and blog sites, which is a great way to stay educated, but such reading can also breed fear, uncertainty, and doubt, leading to overreaction. Therefore, it is essential to understand not only why you are reading a report but also how to critically analyze and apply the information.

This blog post aims to demystify the process of reading and analyzing open-source threat intelligence and cybersecurity news sites. By providing a structured approach to selecting credible sources, extracting relevant information, and applying the acquired knowledge, this post aims to empower readers with the skills necessary to make informed decisions and enhance their cybersecurity strategies.

In the following sections, we will explore the different facets of open-source threat intelligence, provide guidelines for choosing reliable sources, offer strategies for practical analysis, and suggest ways to apply this valuable information in various cybersecurity contexts. Whether you are a cybersecurity professional, a student, or simply an enthusiast eager to learn more about the digital threat landscape, this guide seeks to equip you with the tools needed to navigate the world of open-source intelligence confidently.

What is Open-Source Threat Intelligence?

Open-source threat intelligence refers to data and information about potential or existing cyber threats freely available online. This type of intelligence is sourced from publicly accessible platforms; unlike classified or proprietary intelligence, open-source intelligence is not restricted and can be accessed by anyone. The key value of open-source threat intelligence lies in its ability to provide insights into emerging trends, tactics, techniques, and procedures (TTPs) used by threat actors, thus enabling organizations to enhance their security posture proactively.

Why Should I Read and Collect OSINT?

There are two primary reasons to read an OSINT report: for educational purposes or to inform cybersecurity decision-making and objectives. If you’re reading it for educational purposes, there’s no need to immediately escalate the matter by asking your cybersecurity team for “additional guidance.” Reacting too hastily may lead to miscommunication, resulting in advice that doesn’t align with your needs. This can divert your team’s focus and resources from more critical tasks, like delivering actionable intelligence.

However, if you are reading an OSINT report to inform cybersecurity decision-making and objectives, have specific questions you are seeking to answer in mind, and keep those questions in view as you read. If the report appears to contain the data and insights needed to answer them, it is likely relevant to your needs and should be prioritized for further analysis. In this context, a report's relevance is directly tied to its ability to contribute meaningfully to your strategic and operational decision-making. Later in this post, we discuss tips and techniques for determining a report's relevance and for analyzing it.

These critical questions, called Priority Intelligence Requirements (PIRs), help organizations avoid reacting hastily to OSINT reporting. PIRs focus intelligence collection and analysis so that the output is actionable intelligence that directly supports the organization's decision-making and objectives.

For example, a PIR framed as "Requesting additional guidance on the phishing campaign discussed in this report?" is likely driven by emotion, is too broad, gives cybersecurity and intel teams nothing to work with, and may produce information that is neither helpful nor wanted. A better PIR would be, "Does this report discuss any new phishing techniques we need to address?" This question is not emotionally driven and is specific enough to guide the team's collection efforts, resulting in more detailed, relevant, and actionable intelligence.

How Reliable is Open-Source Intelligence?

The reliability of open-source intelligence or OSINT significantly depends on the credibility and reliability of the sources. Given the abundance of available data, it is crucial to discern between accurate, timely, and relevant information and that which may be misleading, irrelevant, or even marketing hype. Reliable and credible sources are typically well-established, have a proven track record of reliability, and are recognized by the cybersecurity community for their contributions to the field.

How Do I Select Reputable Sources?

First, look for well-recognized sources in the cybersecurity field with a proven track record of expertise and credibility. Authors or organizations should have established authority, demonstrated through research, publications, or active engagement in the community.

Reputable sources should present information that is accurate, well-researched, and free from bias. They should also provide evidence or data to support their assertions, allowing readers to verify the information independently.

Deepwatch’s ATI team and the intelligence community at large employ stringent criteria to vet and select open-source intelligence. These criteria include evaluating the source’s historical accuracy, reputation, and methodology. We maintain a curated list of sources, which undergoes regular review to ensure continued relevance and reliability. When managing publicly available sources, we emphasize the importance of corroborating information across multiple sources and the need for a structured approach to assessing the credibility and value of the information gathered. This methodological rigor ensures that the intelligence we rely on is of the highest standard and can be trusted for critical decision-making.

How Do I Read Open-Source Intelligence?

When reading open-source intelligence (OSINT) to inform decision-making, it’s vital to read it with a critical eye to extract valuable insights while discerning the relevance and reliability of the information. In this part of the guide, we will provide you with essential tips and techniques to navigate and analyze OSINT reports effectively.

Wait, How Do I Determine if a Report is Relevant?

That is a good question. Determining the relevance of an open-source intelligence (OSINT) report is a critical step in ensuring that the effort you invest in analysis and application is truly beneficial to your cybersecurity posture or research objectives. Not every piece of intelligence will be pertinent to your situation or needs. 

Begin by scanning reports that might contain the information you need. Once you select a report, read it thoroughly, considering the publisher's expertise on the topic and the context in which the information is presented. This initial step sets the right expectations and helps you understand the intelligence's potential biases or limitations.

Then, evaluate how well the information in the report aligns with your PIRs, that is, whether it helps answer those critical questions. For instance, if one of your PIRs concerns common initial access vectors in ransomware attacks, a report detailing the intrusion chain of a ransomware attack and the corresponding mitigations will be more relevant than a general overview of the ransomware family.

You should also consider whether the report pertains to your geographic location or sector. Some cyber attacks can be highly specific, with the activity varying between particular regions or industries. A report that details a ransomware attack on a European financial institution might not be as pertinent for a healthcare provider in North America. However, some of the information might be useful, especially if any details apply to your specific IT environment. 

Finally, the threat landscape evolves rapidly, so the report’s publication date and the data period it covers are crucial. Information that was accurate and relevant six months ago may not be as pertinent now. Prioritize reports that are recent and reflect the current threat environment.

By systematically evaluating each report against these criteria, you can efficiently determine its relevance and ensure that your efforts in analyzing and applying the intelligence are well-targeted and effective. This process not only streamlines your consumption of OSINT but also enhances the overall quality and impact of your cybersecurity initiatives.
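The four criteria above (PIR fit, sector, geography, and recency) can be turned into a repeatable triage step. The following is an added example, not code from the original post or from Deepwatch; the PIR keyword lists, the sector and region labels, the 180-day recency half-life, the penalty weights, and the sample reports are all assumptions chosen for illustration.

```python
"""Triage OSINT reports against PIRs, sector, region and recency.

Added example, not from the original post or Deepwatch tooling. The PIR
keyword lists, the sector/region labels, the 180-day recency half-life and
the penalty weights are assumptions chosen for illustration.
"""
from dataclasses import dataclass
from datetime import date
import re


@dataclass
class Report:
    title: str
    published: date
    sectors: set   # sectors the report explicitly covers; empty means general
    regions: set   # regions the report explicitly covers; empty means general
    summary: str


@dataclass
class Pir:
    question: str
    keywords: set  # terms whose presence suggests the report can answer it


def keyword_hits(text: str, keywords: set) -> int:
    """Count keywords (single or multi-word) present as whole words, ignoring case."""
    low = text.lower()
    return sum(1 for k in keywords if re.search(r"\b" + re.escape(k.lower()) + r"\b", low))


def recency_weight(published: date, today: date, half_life_days: int = 180) -> float:
    """Exponential decay: a report half_life_days old is worth half of a fresh one."""
    age = max((today - published).days, 0)
    return 0.5 ** (age / half_life_days)


def relevance(report: Report, pirs: list, my_sector: str, my_region: str, today: date) -> float:
    """Score a report: best PIR coverage, scaled by sector/region fit and age."""
    text = report.title + " " + report.summary
    pir_score = max((keyword_hits(text, p.keywords) / len(p.keywords) for p in pirs), default=0.0)
    if pir_score == 0.0:
        return 0.0  # answers none of our questions: irrelevant regardless of freshness
    sector = 1.0 if not report.sectors or my_sector in report.sectors else 0.5
    region = 1.0 if not report.regions or my_region in report.regions else 0.7
    return round(pir_score * sector * region * recency_weight(report.published, today), 3)


def triage(reports, pirs, my_sector, my_region, today, threshold=0.15):
    """Return (score, title) pairs at or above threshold, best first."""
    scored = [(relevance(r, pirs, my_sector, my_region, today), r.title) for r in reports]
    return sorted((s for s in scored if s[0] >= threshold), reverse=True)


# Constructed sample inputs for a North American healthcare reader.
TODAY = date(2024, 6, 1)
PIRS = [Pir("Which initial access vectors do ransomware operators use against our sector?",
            {"ransomware", "initial access", "phishing", "vpn", "exploit"})]
SAMPLE_REPORTS = [
    Report("Intrusion chain of a ransomware attack on a European bank", date(2024, 5, 20),
           {"financial"}, {"europe"},
           "Initial access via phishing, then VPN credential reuse, then ransomware deployment."),
    Report("Overview of the XYZ ransomware family", date(2023, 9, 1), set(), set(),
           "Encryption scheme, ransom note format and payment infrastructure."),
    Report("Malvertising delivers loaders to US healthcare", date(2024, 5, 28),
           {"healthcare"}, {"north america"},
           "Malvertising used to deliver loaders; no ransomware observed yet."),
]

if __name__ == "__main__":
    for score, title in triage(SAMPLE_REPORTS, PIRS, "healthcare", "north america", TODAY):
        print(f"{score:.3f}  {title}")
```

Note what the scoring does and does not do: the European bank report still ranks first for a North American healthcare reader because it answers the PIR, even after the sector and region penalties, while the nine-month-old family overview falls below the threshold. Keyword matching is deliberately crude (a sentence saying "no ransomware observed" still counts as a hit), so treat the score as a reading-order aid, not a substitute for the thorough read described above.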

Analyzing Open-Source Intelligence

Now that you have determined that the report is relevant to your needs, you are ready for deeper analysis. Read the report critically: question the information, look for inconsistencies, and consider alternative explanations or viewpoints. You may find it helpful to copy the content into a working document, or to make notes as you read.

Begin by separating facts from assumptions, assessments, and marketing. Assess whether the report presents information in a balanced and unbiased way, and be cautious of sensationalized language or content that seems skewed toward a particular viewpoint. Good threat intelligence reports provide evidence to back up their claims, whether as data, citations, or facts corroborated across multiple sources. Verify claims through additional sources, be wary of accepting conclusions without sufficient evidence, and consider alternative assumptions and hypotheses.

When analyzing the report, you should also consider the broader context, which is crucial for interpreting it effectively. Consider the geopolitical, economic, and/or sector-specific dynamics that might influence the content and relevance of the intelligence. You should also compare the information with past events or trends. This can help identify patterns, understand the evolution of a threat, or assess the novelty of the reported information.

Finally, intelligence reports should tell you what is not known about the threat, also known as intelligence gaps. These gaps lead to further questions (new PIRs), which drive further collection. For example, if a report does not detail how the attackers gained initial access, that knowledge gap becomes a new Priority Intelligence Requirement, and you can start collecting additional reports and information to answer it.

Adopting a systematic approach to collecting, reading, and analyzing OSINT can enhance your ability to discern valuable intelligence, understand its implications, and apply it effectively in your cybersecurity endeavors.

How Do I Act on the Intelligence?

Once you have the answers to your PIRs, what do you do next? In this section, we will explain how you can make the most of the intelligence you’ve acquired.

Using the insights from threat intelligence to inform your organization’s cybersecurity strategy and policy-making takes strategic planning. This planning can involve evaluating and adjusting your defensive posture or security protocols based on the identified threats and trends.

For example, if one of your PIRs concerns the most effective mitigations for a specific tactic, technique, or procedure (TTP), you likely want assurance that your current defenses protect your organization against it. In that case, evaluate whether your current defensive measures can defend against that TTP and develop a plan if they cannot. If threat actors are using a new technique to deliver a malware strain to organizations similar to yours, test your current defenses against that technique and adjust as needed.

While integrating indicators of compromise (IoCs) into your tooling can help detect potential threats, they should not be your sole defense. IoCs such as IP addresses, domains, and file hashes have a lifespan: their value diminishes as time passes, because adversaries rotate IP addresses and domains and make small modifications to malware that change its hash. Stale IoCs add noise and false positives, causing valuable resources to be spent on poor alerts and contributing to analyst burnout.
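One practical way to keep that decay from turning into alert noise is to score each IoC by age and retire it once its score falls below a floor. The following is an added example, not code from the original post or from Deepwatch; the per-type half-lives, the retirement threshold, and the sample feed (RFC 5737 test addresses, the reserved .example TLD, and a made-up hash) are assumptions for illustration and should be tuned to what you observe in your own environment.

```python
"""Age-aware IoC scoring: decay confidence per indicator type and retire stale IoCs.

Added example, not from the original post or Deepwatch tooling. The half-lives,
the retirement threshold and the sample feed are assumptions for illustration;
tune them to what you observe in your own environment.
"""
from datetime import date
import math

# Assumed half-life in days per indicator type: how long until an IoC's value halves.
# Hashes are the cheapest thing for an adversary to change, so they decay fastest;
# domains cost more to rotate, so they hold value longer.
HALF_LIFE_DAYS = {"sha256": 14, "md5": 14, "ipv4": 30, "domain": 60}
INITIAL_SCORE = 100.0
MIN_SCORE = 15.0  # below this, stop alerting/blocking on the IoC


def decayed_score(ioc_type: str, last_seen: date, today: date) -> float:
    """Exponential decay measured from the last sighting; a new sighting resets the clock."""
    age = max((today - last_seen).days, 0)
    return round(INITIAL_SCORE * 0.5 ** (age / HALF_LIFE_DAYS[ioc_type]), 1)


def days_until_retired(ioc_type: str, last_seen: date, today: date) -> float:
    """Days left before this IoC drops below MIN_SCORE (0 if already there)."""
    lifetime = HALF_LIFE_DAYS[ioc_type] * math.log2(INITIAL_SCORE / MIN_SCORE)
    return round(max(lifetime - (today - last_seen).days, 0.0), 1)


def triage_feed(feed: list, today: date):
    """Split a feed into (active, retired) lists of (value, score), scored by age."""
    active, retired = [], []
    for ioc in feed:
        score = decayed_score(ioc["type"], ioc["last_seen"], today)
        (active if score >= MIN_SCORE else retired).append((ioc["value"], score))
    return active, retired


# Constructed sample feed (RFC 5737 test addresses, reserved .example TLD, made-up hash).
TODAY = date(2024, 6, 1)
FEED = [
    {"type": "ipv4", "value": "192.0.2.10", "last_seen": date(2024, 5, 2)},
    {"type": "domain", "value": "update-check.example", "last_seen": date(2024, 5, 31)},
    {"type": "sha256", "value": "a1b2c3d4" * 8, "last_seen": date(2024, 4, 20)},
]

if __name__ == "__main__":
    active, retired = triage_feed(FEED, TODAY)
    print("active:", active)
    print("retired:", retired)
```

With these assumed half-lives a hash is retired about 38 days after its last sighting, an IP after about 82 days, and a domain after about 164 days; a fresh sighting in your own telemetry or a corroborating report resets the clock. The point is not the specific numbers but that every IoC in a blocklist or detection rule should carry an expiry that is reviewed, rather than accumulating forever.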

You can also use intelligence to prioritize risks and vulnerabilities within your organization. By understanding which threats are most relevant and imminent, you can allocate resources more effectively to address the most critical risks and vulnerabilities first. However, this effort takes a significant amount of time and resources to effectively track threats and determine the most relevant and imminent ones. 

Incident response plans should also be updated to include scenarios and responses based on the latest threat intelligence. Having predefined actions for anticipated threats can significantly reduce response times and mitigate the impact of an attack. Furthermore, you should use the insights from threat intelligence to conduct regular training and simulation exercises with your incident response team. This keeps your team prepared and informed about the latest threat actors and techniques.

Additionally, many organizations use threat intelligence platforms (TIPs) to store the reports they collect. These platforms are invaluable: they allow reports to be quickly correlated and provide a means to manage the associated indicators of compromise. However, they require reports to be "machine readable."

This machine-readable requirement creates a troubling predicament. Within the cyber threat intelligence field there is a tendency to include as many images as possible, and while images have their place, the result is their improper use and overuse. Images are not machine readable, so the valuable information they contain is lost when your TIP parses the report. Images should be used to explain a concept that is hard to grasp in words, or to show evidence supporting an assessment. Many times we have come across reports whose log events, PowerShell commands, IoCs, MITRE ATT&CK techniques, and so on appear only as screenshots; this is neither helpful nor advisable, because a TIP cannot ingest them. This is something we try to avoid at Deepwatch: while our reports may be text heavy, they can be easily parsed and ingested by various threat intelligence platforms.
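To make the machine-readability point concrete, here is what a TIP-style parser can recover from a report that ships its indicators as text. This is an added example, not code from the original post or from Deepwatch's tooling. The sample report text is constructed; the output is a hand-built STIX 2.1-style bundle whose field names follow the STIX 2.1 specification but which is not validated here (the stix2 library would do that in a real pipeline); and the refanging step assumes the report uses common defanging conventions such as hxxp:// and [.]. None of this would work on a screenshot of the same text.

```python
"""Turn a text report into machine-readable indicators.

Added example, not from the original post or Deepwatch tooling. The sample
report text is constructed, and the output is a hand-built STIX 2.1-style
bundle (field names follow the STIX 2.1 spec but nothing here validates it;
the stix2 library would do that in a real pipeline). Defanged forms such as
hxxp:// and [.] are refanged first, an assumption about how reports are written.
"""
import json
import re
import uuid

# Constructed sample: the kind of text that is lost when a report ships it as a screenshot.
SAMPLE_REPORT = """
Initial access was a phishing email with a macro document (T1566.001). The macro
ran powershell -enc <base64 blob> (T1059.001) and fetched the loader from
hxxp://update-check[.]example/dl on 203[.]0[.]113[.]7. The loader's SHA-256 was
a1b2c3d4a1b2c3d4a1b2c3d4a1b2c3d4a1b2c3d4a1b2c3d4a1b2c3d4a1b2c3d4.
"""

DEFANG = (("hxxps://", "https://"), ("hxxp://", "http://"), ("[.]", "."), ("(.)", "."), ("[:]", ":"))

PATTERNS = {
    "attack-technique": re.compile(r"\bT\d{4}(?:\.\d{3})?\b"),
    "url": re.compile(r"https?://[^\s)\"'<>]+"),
    "sha256": re.compile(r"\b[a-f0-9]{64}\b", re.I),
    "md5": re.compile(r"\b[a-f0-9]{32}\b", re.I),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "domain": re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I),
}


def refang(text: str) -> str:
    """Undo common defanging so the regexes see real indicators."""
    for defanged, real in DEFANG:
        text = text.replace(defanged, real)
    return text


def extract(text: str) -> dict:
    """Return {kind: sorted unique values} for every indicator kind in PATTERNS."""
    text = refang(text)
    found = {kind: sorted(set(p.findall(text))) for kind, p in PATTERNS.items()}
    # Drop dotted-number strings whose octets exceed 255 (version numbers, not IPs).
    found["ipv4"] = [ip for ip in found["ipv4"] if all(int(o) <= 255 for o in ip.split("."))]
    return found


def stix_pattern(kind: str, value: str) -> str:
    """STIX 2.1 comparison expression for one observable."""
    return {
        "url": f"[url:value = '{value}']",
        "ipv4": f"[ipv4-addr:value = '{value}']",
        "domain": f"[domain-name:value = '{value}']",
        "sha256": f"[file:hashes.'SHA-256' = '{value}']",
        "md5": f"[file:hashes.MD5 = '{value}']",
    }[kind]


def to_bundle(found: dict, created: str = "2024-06-01T00:00:00.000Z") -> dict:
    """Wrap extracted values in STIX 2.1-style indicator and attack-pattern objects."""
    objs = []
    for kind, values in found.items():
        for value in values:
            oid = uuid.uuid5(uuid.NAMESPACE_URL, f"{kind}:{value}")  # deterministic per value
            if kind == "attack-technique":
                objs.append({"type": "attack-pattern", "spec_version": "2.1",
                             "id": f"attack-pattern--{oid}", "created": created, "modified": created,
                             "name": value,
                             "external_references": [{"source_name": "mitre-attack", "external_id": value}]})
            else:
                objs.append({"type": "indicator", "spec_version": "2.1",
                             "id": f"indicator--{oid}", "created": created, "modified": created,
                             "pattern_type": "stix", "pattern": stix_pattern(kind, value),
                             "valid_from": created})
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objs}


if __name__ == "__main__":
    print(json.dumps(to_bundle(extract(SAMPLE_REPORT)), indent=2))
```

Two caveats a practitioner would want: regex extraction is greedy and will happily pull benign domains and version strings out of a report (the octet check above catches only one class of false positive, so review what lands in your TIP), and a bundle like this carries no confidence or expiry, so it should be combined with the IoC aging described earlier before anything in it drives a blocking rule.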

By thoughtfully acting on and integrating the intelligence you’ve gathered into your defensive strategies, you can enhance your organization’s cybersecurity posture, improve your response capabilities, and contribute to a culture of security awareness and collaboration.

Sharing the Intelligence

Once you have collected, vetted, analyzed, and acted on the intelligence, share key findings with relevant stakeholders within your organization, with third parties, and with the larger cybersecurity community. Tailor the communication to the audience, ensuring that technical teams, executives, and non-technical staff understand the implications of the intelligence. Furthermore, many threat intelligence platforms allow intelligence to be shared with others in standardized formats (for example, STIX objects exchanged over TAXII).

You should also encourage collaboration between departments (e.g., IT, security, legal, and public relations) in your organization to ensure a unified approach to understanding and mitigating cyber threats. Intelligence should inform not only technical defenses but also legal and communication strategies in case of incidents. Sharing your insights and learning from others can help build a collective defense posture and foster a more resilient cybersecurity community.

Wrapping Up

The strategic consumption of open-source threat intelligence reporting is an invaluable practice for anyone invested in the cybersecurity field. Cybersecurity professionals, organizations, and enthusiasts can significantly enhance their understanding of the cyber threat landscape and improve their defensive strategies by carefully selecting, analyzing, and applying the insights gained from public sources. However, it is crucial to approach this wealth of information with a critical mind, discerning the valuable data from the noise and ensuring that the intelligence is reliable and relevant.

The ability to effectively utilize open-source intelligence reporting can serve as a force multiplier for cybersecurity defenses, providing early warnings of emerging threats, insights into attacker tactics, and benchmarks for security posture improvement. Yet, the true value is realized not just in the acquisition of this intelligence but in its strategic analysis and application—informing policy decisions, guiding incident response planning, and fostering a proactive security culture within organizations.

Ultimately, the practice of leveraging OSINT reporting should be a continuous, evolving strategy that adapts to new threats and integrates with the broader cybersecurity initiatives of an organization. As the digital landscape evolves, so too should our methods for harnessing the wealth of available information to safeguard our assets and fortify our defenses against an ever-changing array of cyber threats. Engaging with a community of peers, sharing insights, and staying informed through credible sources will empower cybersecurity professionals and enthusiasts to stay one step ahead in the ongoing battle against cyber threats.

Eric Ford, Sr. Threat Intelligence Analyst

Eric is an accomplished intelligence professional with 10+ years of experience in the intelligence field supporting the Department of Defense and commercial organizations. He is responsible for collecting open-source information and analyzing it to turn it into actionable intelligence.
