
Redefining OSINT To Win the Cybercrime War


A large percentage of investigators in the private sector enter the industry either via law enforcement, government or the military and transition into private investigations as a second career. Others are employed by insurance companies, library sciences, research bodies or other corporations, and a small percentage of investigators come straight out of school into private investigations, security, risk management, data analysis or another related field.

Whether and how someone receives formal training in online open-source intelligence (OSINT) gathering, analysis and investigations will influence which tools they employ, their knowledge of privacy and security, and their competence in applying available technology. Coupled with the skills to validate data and sources and to derive useful intelligence from the abundance of raw data available via open sources on the world wide web, these attributes form the framework of successful online investigations. As it is, many online sleuths are trained extensively through free or low-cost online resources: video tutorials demonstrating specific skills or software, message forums, and social media. There is currently no industry standard or required qualification for OSINT investigations anywhere in the world.

Although the term “OSINT” is only now gaining recognition as a stand-alone discipline, it has been utilized since the Second World War, when intelligence centres and departments were created by governments to monitor, translate and verify information obtained from news media and foreign governments, along with telegrams and voice communications. The period before the widely adopted use of the world wide web can be considered OSINT 1.0, which was focused on telecommunications, news media and translation. The earliest available evidence of the intelligence cycle being used in military training dates back to 1948; however, research suggests it was in use before then in one form or another.

The internet revolutionized the OSINT industry by making previously unavailable information attainable. By creating and automating the processes used for gathering, analyzing, verifying and sharing data along with revolutionizing communications through the adoption of email and other direct messaging systems, users rapidly developed and deployed platforms to give every internet-connected individual a global voice. The period known as Web 2.0 brought us user-generated content, blogs, social networks, geolocation tools, and mobile apps, and accelerated the adoption and transformation of technology in every sector of business and society.

As available data and sources have expanded, finding ways to adapt established intelligence protocols to accommodate novel algorithms and processes has become more difficult. In theory, the intelligence cycle is a fluid framework that is still relevant for many types of data, particularly structured data or information that follows a uniform format; unstructured data, however, is becoming more challenging to process.

Further, while data transactions are faster than ever they are also less secure, and tools designed to enhance security can be complex and cumbersome. This is the aspect of OSINT investigations that I believe is failing, resulting in substandard intelligence products and unsafe dissemination. The ever-increasing likelihood of sensitive data falling into the wrong hands or being intercepted and tampered with during transmission further puts clients, subjects and investigators at risk.

Those professionals in the private sector who investigate high net worth individuals, international organized crime, money laundering, fraud, human and organ trafficking, child sexual exploitation, financial crime including cryptocurrency-related crime, gangs, terrorism, ransomware, hacking and any other cybercrime, have security mechanisms available at each stage of the intelligence cycle. Their effectiveness is very much dependent on their technical competence, integrity, attention to detail, and their ability to anticipate or detect threats in the online realm, as well as the tools and methods being deployed to move data around.

It is my belief that the greatest vulnerabilities to the intelligence process do not lie in the steps we all recognize, but rather in the transitions between the steps, during which data must invariably be exposed or moved from one platform, program or system to another. It is these “gaps” that I also believe render the intelligence cycle obsolete, along with the definition of OSINT itself.

While robust end-to-end encryption exists, along with virtual private networks and virtual machines, these can be slow, difficult to install and manage, and not compatible with some of the tools required by investigators to effectively mine both structured and unstructured data. They are also increasingly the target of attacks, are ineffectively built and maintained, or are of questionable origin and integrity. Of the professional investigators I have spoken to, only a very small number feel competent in their use of such technologies, with generation Z and other “digital natives” being most likely to use encryption and VPNs, and being most comfortable writing scripts and code to increase functionality and security. Even then, because OSINT is derived from publicly available, and therefore unclassified, information, it is often considered non-sensitive and low risk and is treated as such. While encryption is still relatively secure, the sharp rise in data breaches orchestrated via a combination of social engineering, phishing and hacking increases the security vulnerability every time the data is accessed, decrypted, or moved.

While a wealth of information exists about digital footprints, oversharing of personal information on social media, privacy and security best practices, identity theft, data breach vulnerability and social engineering, we are in the midst of a cybercrime crisis, with the global cost of cybercrime now estimated to be around 3.2 trillion dollars per year. This number is expected to increase to over 6 trillion US dollars by 2021. We are rapidly losing the war on cybercrime and there is no slow-down in sight.

Organized criminals, terrorists, and corrupt governments and corporations have the time, resources and motivation to invent new, technologically advanced and dynamic ways to steal people’s money and data, while law enforcement, governments and the private sector are continually pushed to do more with less and often lack the knowledge, resources or time to stay on top of technological developments. They require fast results at the lowest cost which invariably leads to cutting corners on security and training.

For many years it has been argued in intelligence communities that the intelligence cycle is antiquated and inadequate for today’s technological environment. However, with no other framework available through which an investigator can follow a semi-structured format in investigations and OSINT production in particular, it continues to be prescribed as the most appropriate guide for intelligence production.

The steps in the cycle, while labelled differently depending on the environment and version used, follow a very similar path:

  • Direction (also known as/includes planning, requirements)

  • Collection (also known as/includes gathering, collation)

  • Processing (also known as/includes validation, verification, exploitation)

  • Analysis (also known as/includes visualization, production)

  • Dissemination (includes decision making)

Each of these steps necessitates a broad scope of actions, often utilizing a variety of technical and digital tools. These actions include, but are not limited to, electronic or cellular communication, locating, storing, moving, analyzing and otherwise processing raw data, verifying sources and data, reformatting information, and sharing of highly confidential intelligence. Each of these steps may incorporate several micro-steps including direct messaging, downloading software and/or the use of cloud-based systems, transfer of data between hardware devices, the use of virtual machines, peer review and word processing.

There are hundreds of tools continually in development for each of these steps, some of which have become industry standards; in most cases, these are limited to certain functions relating to specific types and formats of data. While these tools are valuable to investigators and we would be severely hobbled without them, they bring a new set of problems: the ingested information and the resulting product are often incompatible with other data processing tools, the data therein cannot easily be verified or processed, cannot be presented or disseminated in a usable format, and cannot be transmitted securely to and from the platform.

As the quantity and complexity of data increases, and as organized criminals become more aggressive and creative in their efforts to obtain private information, it is my belief that the investigations industry is urgently in need of the following:

  • An impenetrable method of obtaining data from the client, including the secure transmission of large files of all media types.

  • A secure system for data storage and movement, both online and offline.

  • A secure way of accessing online data that not just protects but establishes the integrity of the investigator, the data and the investigation process.

  • Integrated analysis of structured and unstructured data from a variety of sources and in a variety of formats.

  • A standardized process for verifying data AND its source regardless of structure or origin.

  • Logical written, and perhaps audio and visual reporting methods for sharing intelligence in a format usable by the client.

  • A secure way of transmitting the intelligence product to the client that maintains its unquestionable integrity up to and including the point of delivery.

  • A secure method for longer-term storage of evidence, communications, raw data, investigation process, timelines, and personal data that is not dependent on software or hardware versions or updates, or specific technical knowledge.

I believe that the most urgent requirement is around the security of dynamic data to prevent loss as a result of corruption, interception, or theft. This would be followed by secure custodial systems for maintaining operational integrity, minimizing risk and securing static data. The next step would be to create conformity around the integrity of the data itself via source and data verification and then ensuring the data, once verified, cannot become corrupted. The final logical step would be to produce an intelligence product in a format that meets the needs of the client and can be transmitted securely while maintaining the integrity of the data and investigation.
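Three of the requirements above (verifying data and its source, delivering the product with its integrity intact, and long-term storage that does not depend on a particular tool version) can be partly met with a plain-text integrity manifest. The script below is an added illustration, not code from this article or from any tool it mentions: it records a SHA-256 hash for every file in an evidence package, tags the manifest with an HMAC-SHA256 under a key the investigator and client are assumed to have exchanged out of band, and lets the recipient detect an altered file, an added file, or a manifest signed with the wrong key. The package contents and the key are constructed sample values.

```python
"""Integrity manifest for an intelligence package (added example; stdlib only).

Per-file SHA-256 digests are collected into a JSON manifest, and an HMAC-SHA256
tag over the canonical manifest bytes lets the recipient confirm that the list
itself was not altered in transit. Assumption: a pre-shared key exchanged out
of band; a signature scheme could replace the HMAC with the same structure."""
import hashlib
import hmac
import json
import os
import tempfile


def sha256_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Hash a file in chunks so large media files need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(root: str) -> dict:
    """Map every file under root (relative, POSIX-style path) to its SHA-256."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def canonical_bytes(manifest: dict) -> bytes:
    """Deterministic encoding (sorted keys, no whitespace) so both sides tag identical bytes."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode("utf-8")


def sign_manifest(manifest: dict, key: bytes) -> str:
    """HMAC-SHA256 tag (hex) over the canonical manifest bytes."""
    return hmac.new(key, canonical_bytes(manifest), hashlib.sha256).hexdigest()


def verify_package(root: str, manifest: dict, tag: str, key: bytes) -> list:
    """Return a list of problems; an empty list means the package is intact.
    The tag is checked first: if it fails, nothing in the manifest can be trusted."""
    expected = sign_manifest(manifest, key)
    if not hmac.compare_digest(expected, tag):  # constant-time comparison
        return ["manifest tag does not verify (wrong key or manifest altered)"]
    problems = []
    actual = build_manifest(root)
    for rel, listed_hash in manifest.items():
        if rel not in actual:
            problems.append(f"missing file: {rel}")
        elif actual[rel] != listed_hash:
            problems.append(f"hash mismatch: {rel}")
    for rel in actual:
        if rel not in manifest:
            problems.append(f"unlisted file added: {rel}")
    return problems


def demo() -> dict:
    """Constructed scenario: sign a small package, then detect tampering, a wrong key and an added file."""
    key = b"pre-shared-key-exchanged-out-of-band"  # constructed placeholder, not a real key
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "media"))
        with open(os.path.join(root, "report.txt"), "w") as fh:
            fh.write("Findings (constructed sample): subject account linked to example domain\n")
        with open(os.path.join(root, "media", "capture.bin"), "wb") as fh:
            fh.write(bytes(range(256)) * 10)
        manifest = build_manifest(root)
        tag = sign_manifest(manifest, key)
        results = {"clean": verify_package(root, manifest, tag, key)}
        with open(os.path.join(root, "report.txt"), "a") as fh:
            fh.write("tampered line\n")  # simulate modification in transit
        results["tampered"] = verify_package(root, manifest, tag, key)
        results["wrong_key"] = verify_package(root, manifest, tag, b"other-key")
        with open(os.path.join(root, "extra.txt"), "w") as fh:
            fh.write("x")  # simulate a file slipped into the package
        results["extra_file"] = verify_package(root, manifest, tag, key)
    return results


if __name__ == "__main__":
    for scenario, problems in demo().items():
        print(scenario, "->", problems or "intact")
```

The manifest is ordinary JSON and the hashes are standard SHA-256, so the package can be re-verified years later with any tooling that implements those two primitives, which is the point of the storage requirement above; the tag is checked before any file hashes so a recipient never reasons from a manifest that has itself been altered.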

While the blockchain shows great promise for data custody and control, we must be aware of the development of counter-intelligence tools including homomorphic encryption and deep fakes. Both public and private sector investigators and security workers face challenging times as technology advances and those with harmful intent, from low-level criminals that stalk and harass to cross-jurisdictional organized criminals intent on inflicting fear, exploitation, and terror, innovate and iterate unencumbered. While those on the side of good struggle to legislate, regulate and investigate effectively, the rate of successful prosecutions continues to decline and currently sits at around 0.05%[1] in developed nations. Law enforcement, government, military and the intelligence community hold the legislative key to cybercrime reduction, while corporations, start-ups and other private sector stakeholders possess the technological and innovative solutions necessary to exceed the capabilities of cybercriminals. The public and private sectors must commit to unprecedented collaboration at all levels if we are to take the internet back from the tightening grip of bad actors and win the cybercrime war.

