Special ACFCS Report: The Front Lines – The Investigations Series: Information Overload – What is OSINT, part 1 of 2

The Skinny:

  • ACFCS unveils a new series, “The Front Lines,” by Erin O’Loughlin, Senior Director of Training for ACFCS. She is a former front-line investigator and manager for multiple large financial institutions, a crypto currency exchange, as well as a former intelligence officer for the U.S.
  • Here she will tackle issues that directly affect your everyday work life, with the goal of offering practical, tactical takeaways that can immediately help you think differently, analyze more fully and act and react more quickly looking at historical and emerging challenges through the lens of an experienced investigator.
  • In this latest piece, O’Loughlin tackles the always whirling and whirring world of open-source intelligence (OSINT). As the name implies, there is an entire industry, replete with tools, tips and tactics, to better mine what is already out there – a powerful potential arrow in the quiver of a compliance professional.
  • This knowledge can be used offensively to better calibrate customer fincrime risks and defensively to see what vulnerabilities already exist in the ether of cyberspace that fraudsters, hackers, ransomware rapscallions and organized criminal groups can use against you – in recent years to devastating effect. 

By Erin O’Loughlin – Senior Director of Training for ACFCS – former front-line investigator and manager for multiple large financial institutions, a crypto currency exchange and a former intelligence officer for the U.S. Government. 
July 20, 2021

Welcome to The Front Lines – a publication for the front-line investigator, risk officer, and compliance professional.

Here, ACFCS will discuss issues that directly affect your everyday work life, with the goal of offering practical, tactical takeaways that can immediately help you think differently, analyze more fully and act and react more quickly looking at historical and emerging challenges through the lens of an experienced investigator.

This month, The Front Lines is tackling the issue of Open-Source Intelligence (OSINT), also known as Publicly Available Information (PAI) within your investigation.

Within this piece, we will address the following issues surrounding the use of OSINT within financial crimes investigations:

  • What is OSINT?
  • How to utilize OSINT effectively and quickly
  • Open vs Deep vs Dark net searches
  • How much time should be spent on OSINT research within a particular investigation?

What is Open-Source Intelligence?

According to the OSINT Wikipedia page, it is “a multi-factor methodology for collecting, analyzing and making decisions about data accessible in publicly available sources to be used in an intelligence context.” 

In the intelligence community, the term “open” refers to overt, publicly available sources, as opposed to covert or clandestine sources.

For the private sector, such as a financial institution (FI) investigator, it is rare to be in possession of clandestine, or covert sources/information.

That said, where does an FI investigator begin their OSINT research and how much research should be conducted outside of the transaction activity review? 

The answer is right at your fingertips: Your computer and whatever web browser you choose to employ is where you should turn for an OSINT review within your investigation.

OSINT also has many dimensions: offensively, for the AML professional to find buried, lesser-known risks about individuals and entities, but also defensively.

The idea: to better understand what criminals, fraudsters and hackers already have at their disposal that could be used to steal someone’s identity, hack their systems or open the door to a devastating ransomware attack – a souring scourge that has hit epidemic proportions in the virtual world as the pandemic has pummeled our shared corporeal reality.

Some examples, according to media reports, include:

Discovering public-facing assets: The depth, breadth of the attack surface

The most common function of OSINT tools in many investigations is helping IT teams discover public-facing assets — these could be company websites, employee portals and online entryways that allow users to manipulate data from outside a physical premises — and mapping what information each possesses that could contribute to a potential attack surface, according to Chief Security Officer (CSO) Online Magazine.

In general, they don’t try to look for things like program vulnerabilities or perform penetration testing, the realm of the cybersecurity officer. Their main job is recording what information someone could publicly find on or about company assets without resorting to hacking.

Though, ironically, in many cases, hackers have already posted some or all of their pilfered information troves as proof of their skills, to build their reputation or even, just to brag. 

Discover relevant information outside the organization: Socially acceptable?

A secondary function that some OSINT tools perform is looking for relevant information outside of an organization, such as in social media posts or at domains and locations that might be outside of a tightly defined network, according to CSO.  

Organizations that have made a lot of acquisitions, bringing along the IT assets of the company they are merging with, could find this function very useful.

IT assets may not just be the systems used to run a given company, but also detailed lists of names, passwords, intellectual property and other information. In the at-times hasty runup to close a merger, some information might get left behind and not deleted — leaving a residual risk for a breach. 

Given the extreme growth and popularity of social media, looking outside the company perimeter for sensitive information is probably helpful for just about any group.

What form that media takes can also play into tools a determined and skillful criminal can use against an individual or organization. 

For instance, if a person is prolific in their social media posts, bad guys could cobble those images together into a believable “deepfake” of the individual, something that comes with a higher likelihood the more senior the level of the corporate bigwig.

That can be taken even further with recordings and videos of a person – all items that can give more ammunition for criminals to create seemingly living, breathing digital copies crafted to do their bidding.

Collate discovered information into actionable form: Asset discovery, recovery

Finally, some OSINT tools help to collate and group all the discovered information into useful and actionable intelligence, according to the article.

Running an OSINT scan for a large enterprise can yield hundreds of thousands of results, especially if both internal and external assets are included. 

Piecing all that data together and being able to deal with the most serious problems first can be extremely helpful.

At the same time, from the perspective of a fincrime compliance professional, the additional details found during an investigation can both better flesh out the real risk of a customer and preview whether that individual or corporate account could be at a higher risk of being compromised.

Layers of OSINT – Deep Web vs Dark Web

Now that we know what OSINT is and where to go – your own web browser – how do you know where to search within the browser? 

First you need to know the difference between the open web, deep web, and dark web browsing. 

Open web – publicly available content that can be reviewed via whichever web browser you choose.

Deep web – content that is not discoverable by standard search engines, such as password-protected or dynamically generated pages and encrypted networks. For instance, an investigator finds a web page that details a bankruptcy case, but clicking the link leads to the district court’s log-in page.

The deep web requires a username and password to access the records.

The dark web – a part of the internet that is only accessible by means of special software called The Onion Router (TOR), allowing users and website operators to remain anonymous or untraceable. 

This software can be easily downloaded onto any phone, tablet, or laptop, however ACFCS is not recommending this for investigators.  

When to begin OSINT?

Step one: Open your case and review what you need to review about the customer within your organization’s holdings, from the customer identification, to when the account was opened, to the transaction review, to why the case was alerted to your desktop, etc.

Step two: Concentrate on the transactions you are reviewing within the case.

Some foundational questions to consider:

  • Does it make sense for the stated purpose of said account? 
  • Does the customer identification match up to the origin of transaction locations? 
  • Does the customer account show any recent changes, like larger or more frequent transactions or to regions of the world at a higher risk for financial crime?

This may take as long or as short of a time as you may need. Even if all transactions and customer identification look normal, this may be a good time to open a web browser of your choosing. 

Step three: Open a web browser of your choosing.  If possible, turn on an incognito mode for your searches. 

This is done to limit the browsing history, cookies and site data, information you entered in forms, and permissions you grant websites. Note that incognito mode only keeps this data off the local device; it does not hide your IP address or your network from the sites you visit.

It also enables you to sign into multiple accounts simultaneously.

For example, you could log into your work account from an incognito window while remaining in your personal account (social or professional media sites/accounts) from a normal window. 

Google Chrome, Microsoft Internet Explorer and Edge, Mozilla Firefox, and Apple Safari all have incognito mode.   

Step four: If your financial institution allows access to social media sites, make sure your personal social media user IDs/passwords are not signed into any devices you are using within your FI’s investigation.

This is done because some websites, such as LinkedIn, allow users – with a paid subscription – to see who has viewed their profiles.

While investigating a case that may lead to a Suspicious Activity Report (SAR), you may not wish for your subject to see that you have viewed their LinkedIn profile or other social or professional websites.

Step five: A quick, efficient way to run OSINT searches within your browser is to begin with the customer’s first and last name within quotations. This will narrow your searches to the name most closely matched to your customer. 

If a review of the first page of links does not appear to provide matching information, it is a good practice to check the next page for a quick review. If there are no matches within that page, go back to your search bar. 

Step six: Type in the customer’s email address using only the first part of the domain. 

For instance, if the customer has an email address of bestcustomer_ever@hotmail.com, simply type in “bestcustomer_ever” or a variant thereof, such as “best_customerver” or “bestcustomerever.” 

When searching for the full email address, some search engines will throw in sites for the email provider’s domain, like the Hotmail website. This is not needed, so leaving out the @ domain reduces the “junk” you will see and saves you time within your review.
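The search strings produced by Steps five and six, as an added Python helper that is not part of the original article: it wraps the customer’s name in quotation marks, strips the mail provider’s domain from the email address, and generalizes the “variant thereof” idea by generating the common separator variants of the handle. The function names and the sample customer are assumptions made for this example.

```python
"""Build browser search strings for an OSINT name/handle review (added example)."""
import re

# Separators people commonly put between the words of a handle.
SEPARATORS = "._-"


def quoted_name_query(first, last):
    """Step five: the full name in quotation marks, so the engine matches the exact phrase."""
    return f'"{first.strip()} {last.strip()}"'


def email_local_part(email):
    """Step six: keep only the part before the @, dropping the provider's domain."""
    local, at_sign, _domain = email.partition("@")
    if not at_sign or not local:
        raise ValueError(f"not an email address: {email!r}")
    return local.strip().lower()


def handle_variants(local):
    """Variants of a handle: separators removed, separators swapped, trailing digits dropped."""
    tokens = [t for t in re.split(f"[{re.escape(SEPARATORS)}]+", local) if t]
    candidates = [local, "".join(tokens)]
    candidates += [sep.join(tokens) for sep in SEPARATORS]
    # Registration names are often a handle plus a number; also try it without the digits.
    candidates.append(re.sub(r"\d+$", "", "".join(tokens)))
    variants = []
    for candidate in candidates:
        if candidate and candidate not in variants:  # keep order, drop duplicates
            variants.append(candidate)
    return variants


def osint_queries(first, last, email):
    """Ordered list of search strings to paste into the browser, name first, then handle variants."""
    queries = [quoted_name_query(first, last)]
    queries += [f'"{variant}"' for variant in handle_variants(email_local_part(email))]
    return queries


if __name__ == "__main__":
    # Constructed sample customer, using the article's example address.
    for query in osint_queries("Best", "Customer", "bestcustomer_ever@hotmail.com"):
        print(query)
```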

Opening the OSINT tool chest: Real people, digital lives, leaked datasets

Using the right OSINT tool for your organization can improve cybersecurity by helping to discover information about your company, employees, IT assets and other confidential or sensitive data that could be exploited by an attacker, according to CSO.  

Discovering that information first and then hiding or removing it could reduce everything from phishing to denial-of-service attacks.

That information could also flesh out AML, fraud and cyber risks for a bank’s customer or yield evidence that a customer is not who they seem and is tied to a larger illicit group.

But what OSINT tools are out there, what do they do and how do you use them?

Here is a sampling of some of the top tools used for OSINT, detailing what areas they specialize in, why they are unique and different from one another, and what specific value they might be able to bring to an organization’s cybersecurity efforts, along with whether they are paid or free, according to CSO.

  • Maltego
  • Mitaka
  • SpiderFoot
  • Spyse
  • BuiltWith
  • Intelligence X
  • DarkSearch.io
  • Grep.app
  • Recon-ng
  • theHarvester
  • Shodan
  • Metagoofil
  • Searchcode
  • Babel X

Some snapshots: What they do, how they do it, what is different

Maltego

Maltego specializes in uncovering relationships among people, companies, domains and publicly accessible information on the internet.

It’s also known for taking the sometimes enormous amount of discovered information and plotting it all out in easy-to-read charts and graphs. The graphs do a good job of taking raw intelligence and making it actionable, and each graph can have up to 10,000 data points, according to the article.

Spiderfoot 

Spiderfoot is a free OSINT reconnaissance tool that integrates with multiple data sources to gather and analyze IP addresses, CIDR ranges, domains and subdomains, ASNs, email addresses, phone numbers, names and usernames, BTC addresses, etc.

Available on GitHub, Spiderfoot comes with both a command-line interface and an embedded web-server for providing an intuitive web-based GUI.

The application itself comes with over 200 modules making it ideal for red teaming reconnaissance activities, to discover more information about your target or identify what you or your organisation may be inadvertently exposing on the internet.

Spyse

Spyse describes itself as the “most complete internet assets registry” geared toward cybersecurity professionals. 

Relied on by projects like OWASP, IntelligenceX, and the aforementioned Spiderfoot, Spyse collects publicly available data on websites, their owners, associated servers, and IoT devices. 

This data is then analyzed by the Spyse engine to spot any security risks in and connections between these different entities.

A free plan is available, although for developers planning on building apps using the Spyse API, paid subscriptions may be required.

OSINT Framework

While these tools offer a wealth of OSINT data, there are many other tools and techniques available that help you fully understand your organization’s public footprint.

An excellent resource for discovering more tools is the OSINT Framework, which offers a web-based interface that breaks down different topic areas of interest to OSINT researchers and connects you to the tools that can help you sniff out the info you need.  

The tools that the OSINT Framework will point you to are all free of charge, though some require registration or have more fully featured paid versions available.

Some are simply tools that help construct advanced Google searches that can yield a surprising amount of information.

The OSINT Framework is maintained by Justin Nordine, and has a project page on GitHub.


I Don’t Have This Much Time!

Never fear, these steps outlined above can be swiftly executed within a matter of minutes and are not intended to reduce the time of your investigation but to enhance it. 

OSINT searches can provide either corroboration of what you are seeing within the customer’s account, or contradiction. 

For instance, you may be feeling better about the customer you are investigating when you do not find anything negative about them, such as any postings by individuals who have claimed to have been scammed by your customer or any legal documents that outline any type of crimes where they are the defendant. 

To Be Continued….

Now that you have some tips and tricks under your belt regarding OSINT collection for your case, the next The Front Lines post will delve into the subsequent steps of your case, to include:

  • What is Negative News?
  • What is ‘negative news’ and is it a part of the OSINT investigation?
  • How to address OSINT results within the narrative of the SAR template.
  • Is OSINT the same as evidence for law enforcement purposes?

About the author

Erin O’Loughlin comes to ACFCS with deep-rooted experience gained working inside the financial crimes/compliance industry in a variety of roles, including AML investigations for Bank of America, scouring dark web markets to identify proactive risk on the TOR network for Western Union, and supervising crypto fraud and money laundering investigations for Coinbase.


Prior to entering the private sector, O’Loughlin served as an operations officer in the Central Intelligence Agency for ten years. 

She was posted in both overseas and domestic positions, specializing in Counter Terrorism, conflict resolution, mediation, and due diligence.