//SECOND NATURE//

Open-Source Intelligence (OSINT)

WHETHER YOU ARE HERE TO TRAIN YOURSELF IN THE FOUNDATIONS OF OPEN-SOURCE INTELLIGENCE, OR TO SHARPEN THE SKILLS YOU ALREADY HAVE, CINDER IS HERE TO FACILITATE YOUR GROWTH.

Let's get started.

THE 4 BUILDING BLOCKS

How does information found on the internet or on a street corner become OSINT?

Publicly Available Information (PAI) (Step 1)

Information that is:

  • Published or broadcast for public consumption

  • Available on request to the public

  • Accessible online or otherwise to the public

  • Available to the public by subscription or purchase

  • Able to be seen or heard by any casual observer

  • Made available at a meeting open to the public

  • Obtained by visiting a place or attending an event open to the public

OSINT Research (Step 2)

Activities conducted in preparation for open-source collection, such as viewing or accessing Publicly Available Information (PAI)

**WITHOUT**

Copying, Saving, or Storing the information onto your intelligence component database



OSINT Collection (Step 3)

When Publicly Available Information (PAI) is copied, stored, or otherwise preserved IN ANY MANNER

OSINT (Step 4)

Intelligence that is produced from publicly available information and is collected, exploited, and disseminated in a timely manner to an appropriate audience for the purpose of addressing a specific intelligence requirement

//EYES UP//

3 PILLARS TO SUCCESSFUL OSINT ACTIVITIES

//LOCK IN//

Comprehensive Methodology

Everyone searches for things in a different way. Create a system for how YOU search. Change it, Improve it, but STICK. TO. YOUR. PLAN.

Managed Attribution

Did you know they can see you, even on the internet? Managed attribution is the ability to control what your device reveals (IP address, browser fingerprint, time zone, language) and the user persona you present, so that your activity cannot be attributed to your true identity or organization.

KEY WORDS

These make up the foundation of your search. Break the issue you're investigating into searchable words and terms that you determine are most likely to lead you to something of interest to your investigations.

//What are we looking for again//

KEY WORDS

What are we going to search for to find what we need?
  • Entities

  • Places

  • Regions

  • Things

  • Activities

  • Slang terms

  • Internet terms

  • Literally anything you can think of 

The order of key words WILL affect the search results you receive.
Remember OPSEC. Whoever owns the site or the search engine can see your queries and the pages you came from. Don't paste all of your key words/intelligence requirements into a single search bar -- one query that contains the whole requirement gives up the game. Break it into small, varied searches.
//remember WHAT YOU'RE LOOKING FOR//

COLLECTION PLAN

Mastery in this begins to separate the beginner from the expert intelligence collector.
  • Identifies Who, What, Where, When, Why

  • Documents you've already seen (avoids redundancy)

  • Helps you avoid rabbit holes by focusing on the most relevant areas

  • Risk assessment that documents how you plan to mitigate risk *REVISE THIS AS OFTEN AS YOU CAN*

PLANNING STEPS

  1. Define the issue and timeline

  2. Conduct initial research to inform on & define bounds for your searches

  3. Identify likely Areas of Interest

  4. Develop keywords list

  5. Collect according to your hierarchy of resources and risk assessments

  6. Process, exploit, then analyze and assess

  • Translate (if needed) & organize

  • Is what you found relevant? Does it have intelligence value?

  • Do you have enough information?

  • Revisit collection plan/risk assessment

  • Initiate further collection as necessary
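The planning steps above, the "documents you've already seen" bullet of the collection plan, and the key-word OPSEC rule (never one giant query) can all be carried in a small data structure. What follows is an added example for this page, not code from the original: a collection plan that hands out small keyword combinations instead of the whole requirement, and a collection log that records the who/what/where/when of every save and refuses duplicates by normalized URL and by content hash. The issue, keywords, URLs and article text in demo() are constructed sample data; the tier numbers follow the hierarchy of resources (1-5) and the Tier 0/1 risk assessment described elsewhere on this page.

```python
"""Collection plan + collection log for an OSINT task (added example; sample data is constructed)."""
import hashlib
import itertools
from dataclasses import dataclass
from datetime import datetime, timezone
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit


@dataclass
class CollectionPlan:
    issue: str                 # step 1: the question being answered
    deadline: str              # step 1: timeline
    areas_of_interest: list    # step 3
    keywords: list             # step 4
    risk_tier: int = 0         # 0 = threat awareness poses no risk, 1 = it could

    def queries(self, per_query=2):
        """Small keyword combinations: short, varied searches look like ordinary
        searching; the full keyword list in one query reveals the requirement."""
        for combo in itertools.combinations(self.keywords, per_query):
            yield " ".join(combo)


def normalize_url(url):
    """Canonical form for dedup: lower-case scheme/host, no fragment, no utm_ params,
    no trailing slash, query keys sorted."""
    p = urlsplit(url.strip())
    query = [(k, v) for k, v in parse_qsl(p.query, keep_blank_values=True)
             if not k.lower().startswith("utm_")]
    path = p.path.rstrip("/") or "/"
    return urlunsplit((p.scheme.lower(), p.netloc.lower(), path, urlencode(sorted(query)), ""))


def content_hash(content):
    data = content.encode("utf-8") if isinstance(content, str) else content
    return hashlib.sha256(data).hexdigest()


@dataclass
class Record:
    url: str
    content_sha256: str
    collected_at: str   # when
    query: str          # what search led here
    source_tier: int    # 1-5 from the hierarchy of resources (where)
    risk_tier: int      # 0 or 1
    note: str = ""


class CollectionLog:
    """The moment PAI is copied or saved it is collection, not research, so every
    save is logged; duplicates (same page or same text elsewhere) are refused."""

    def __init__(self):
        self.records = []
        self._urls = set()
        self._hashes = set()

    def already_seen(self, url=None, content=None):
        if url is not None and normalize_url(url) in self._urls:
            return True
        if content is not None and content_hash(content) in self._hashes:
            return True
        return False

    def collect(self, url, content, query, source_tier, risk_tier, note=""):
        """Store once. Returns False, and stores nothing, for a duplicate."""
        if self.already_seen(url, content):
            return False
        rec = Record(normalize_url(url), content_hash(content),
                     datetime.now(timezone.utc).isoformat(timespec="seconds"),
                     query, source_tier, risk_tier, note)
        self.records.append(rec)
        self._urls.add(rec.url)
        self._hashes.add(rec.content_sha256)
        return True


def demo():
    """Constructed walk-through: one real save, then two duplicates (same page with
    tracking junk in the URL, then the same text mirrored on another host)."""
    plan = CollectionPlan("Truck queue times at Example Crossing", "2024-06-30",
                          ["Example Crossing", "northbound approach road"],
                          ["Example Crossing", "truck", "queue", "customs"])
    queries = list(plan.queries())
    log = CollectionLog()
    text = "Trucks queued for six hours at Example Crossing on Tuesday."  # constructed
    results = [
        log.collect("https://news.example.org/article?id=7&utm_source=tw", text, queries[0], 3, 0),
        log.collect("HTTPS://News.example.org/article/?id=7#top", "other text", queries[1], 3, 0),
        log.collect("https://mirror.example.net/copy", text, queries[2], 4, 0),
    ]
    return plan, log, results


if __name__ == "__main__":
    plan, log, results = demo()
    print(list(plan.queries()))
    print(results, len(log.records), "record(s) kept")
```

Timestamps are UTC so logs from different operators line up; the risk_tier field is what you revisit at step 6 when you re-run the risk assessment.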

//MAKIMA IS LISTENING//

OPSEC

The 5 steps of Operational Security

  1. Identification of Critical Info (What information do you not want someone else to have access to?)

  2. Analysis of threats (Technical and Topical)

  3. Analysis of friendly vulnerabilities

  4. Assessment of Risk

  5. Application of appropriate countermeasures


TIER 0 VS TIER 1

A simple risk assessment: if a threat actor became aware of the OSINT activity, it WILL NOT (TIER 0) or COULD (TIER 1) pose a risk to imminent or ongoing operations, or to intelligence priorities, sources, or methods.

Hierarchy of resources, from least work and risk to most (items 1-4 are Tier 0; Tier 1 sources come last):

  1. Safe Commercial Databases & Subscription Services

  2. U.S. Academic Institutions & Thinktanks

  3. U.S. News Media

  4. U.S. Based Social Media

  5. TIER 1

//stay safe during your searches//

Due Diligence & Risk Management

Technical Risks - OPSEC, CYBERSECURITY
  • Who owns the domain name?

  • Where is it hosted?

  • What is the website's reputation?

Topical Risks - OPSEC
  • Can I create a plausible trail to/from the website?

  • Is it possible to act casual and blend in? (Traffic-analysis services such as similarweb show where a site's normal visitors come from and when.)

Due Diligence Tactics, Techniques, and Procedures (TTPs)
  • Evaluate unknown links before clicking (hover for cover)

  • Check for technical threats (run the domain through reputation-check sites, e.g. sitereview.bluecoat.com; submitting a URL to a third-party checker is itself a disclosure of your interest, so weigh it in the risk assessment)

  • Look website up on Wikipedia

Action Controls
  • Stick to your plan

  • Do your risk assessments

Disruptors (ways to get at the information without touching the target directly)
  • Archive sites

  • Proxy search engines

  • Journalists

  • Eyewitnesses

  • Experts

Counter Analysis
  • Use clean, new browsers 

  • Act Casual

  • Blend In

  • Create a plausible trail onto AND off of the website for anyone who might look (spiral in/out)

  • Don't make a pattern - vary the time of day, etc.

  • KEEP WORK AND HOME SEPARATE AS MUCH AS POSSIBLE

Fresh Start TTP: Clear all sensitive data prior to collecting
  • Clear clipboard

  • Clear browsing history

  • Delete cookies, Flash Files, Trackers

  • Web form info (never let browser autofill fields)

  • Then build plausible trail by collecting trackers, HTTP referrals
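The Fresh Start items (no autofill, no saved form data, history and cookies gone, a clean browser every session) map directly onto a throwaway browser profile. As an added example for this page, not code from the original, the script below writes a brand-new Firefox profile containing only a user.js with those settings, launches Firefox on it as a separate instance, and deletes the profile afterwards. It assumes Firefox is on the PATH; the preference names are the ones Firefox exposes in about:config and can change between releases, so confirm them on the build you actually run. The Referer setting is deliberately left at its default, because the page's TTP is to use referrals to build a plausible trail, not to suppress them.

```python
"""Throwaway Firefox profile for a 'fresh start' collection session (added example)."""
import os
import re
import shutil
import subprocess
import tempfile

# Assumed about:config names (verify on your Firefox version).
FRESH_START_PREFS = {
    "browser.formfill.enable": False,                     # never autofill web forms
    "signon.rememberSignons": False,                      # no saved logins
    "extensions.formautofill.addresses.enabled": False,
    "extensions.formautofill.creditCards.enabled": False,
    "browser.cache.disk.enable": False,                   # nothing cached on disk
    "browser.sessionstore.resume_from_crash": False,      # no session restore
    "privacy.sanitize.sanitizeOnShutdown": True,          # wipe on exit ...
    "privacy.clearOnShutdown.cookies": True,
    "privacy.clearOnShutdown.history": True,
    "privacy.clearOnShutdown.formdata": True,
    "privacy.clearOnShutdown.cache": True,
    "privacy.clearOnShutdown.sessions": True,
    "privacy.clearOnShutdown.offlineApps": True,
}

_PREF_RE = re.compile(r'user_pref\("([^"]+)",\s*(.+)\);\s*$')


def render_user_js(prefs):
    """Serialize a pref dict in user.js syntax (bool before int: bool is an int subclass)."""
    lines = []
    for name, value in sorted(prefs.items()):
        if isinstance(value, bool):
            js = "true" if value else "false"
        elif isinstance(value, int):
            js = str(value)
        else:
            js = '"%s"' % str(value).replace('"', '\\"')
        lines.append('user_pref("%s", %s);' % (name, js))
    return "\n".join(lines) + "\n"


def parse_user_js(text):
    """Inverse of render_user_js, used to verify what was actually written."""
    prefs = {}
    for line in text.splitlines():
        m = _PREF_RE.match(line.strip())
        if not m:
            continue
        name, raw = m.group(1), m.group(2).strip()
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif raw.startswith('"'):
            prefs[name] = raw[1:-1].replace('\\"', '"')
        else:
            prefs[name] = int(raw)
    return prefs


def make_profile(base_dir=None):
    """Create an empty profile directory holding only user.js; returns its path."""
    profile = tempfile.mkdtemp(prefix="osint-fresh-", dir=base_dir)
    with open(os.path.join(profile, "user.js"), "w", encoding="utf-8") as fh:
        fh.write(render_user_js(FRESH_START_PREFS))
    return profile


def read_profile_prefs(profile):
    with open(os.path.join(profile, "user.js"), encoding="utf-8") as fh:
        return parse_user_js(fh.read())


def discard_profile(profile):
    """Remove the profile so nothing carries over to the next session."""
    shutil.rmtree(profile, ignore_errors=True)
    return not os.path.exists(profile)


def launch_command(profile, start_url=None):
    """Run Firefox as its own instance (--no-remote) on the fresh profile."""
    cmd = ["firefox", "--no-remote", "--profile", profile]
    if start_url:
        cmd.append(start_url)
    return cmd


def session(start_url=None):
    profile = make_profile()
    try:
        subprocess.run(launch_command(profile, start_url), check=False)
    finally:
        discard_profile(profile)


if __name__ == "__main__":
    session()
```

The clipboard is an operating-system object, not part of the browser profile, so clearing it stays a separate step before the session starts.
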

Hyperlink and HTTP Referrer TTPs

Hover for Cover
  • Hover mouse over hyperlink

  • Look at the destination URL shown in the browser's status bar (usually bottom left)

  • Evaluate destination URL

Use HTTP referers to "act casual"
  • Create plausible trail. Build pattern of referral activity

Be careful of URL shorteners (bit.ly, QR codes, etc.): the visible link tells you nothing about the destination
  • If possible, expand the shortened URL with a tool/website before visiting it

Don't click a live hyperlink out of a government website: the Referer header tells the destination site exactly where you came from
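"Hover for cover", expanding a shortener, and controlling the Referer you present can all be done in code before any browser touches the destination. The script below is an added example for this page, not code from the original. evaluate_url() reads a destination the way the hover check asks you to and flags the tricks that make a URL read differently from where it goes (userinfo before an @, raw IP hosts, punycode labels, deep subdomain nesting, .onion hosts, non-web schemes); expand_short_url() walks a shortener's redirect chain one Location header at a time, never fetching a page body, and records every hop; live_head() is the real-network hop function, with an optional Referer so the request fits the plausible trail. The shortener host list and the FAKE_REDIRECTS table are constructed for the demo, and the hosts in it (example.org, t.co-style paths, 203.0.113.5) are placeholders, not real findings.

```python
"""Hover-for-cover URL evaluation and one-hop-at-a-time shortener expansion (added example)."""
import ipaddress
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlsplit

# Constructed, non-exhaustive list of hosts whose links hide the real destination.
SHORTENER_HOSTS = {"bit.ly", "t.co", "tinyurl.com", "goo.gl", "ow.ly", "is.gd"}
REDIRECT_CODES = {301, 302, 303, 307, 308}


def evaluate_url(url):
    """Return the host the link really goes to plus warnings to read before deciding."""
    warnings = []
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower().rstrip(".")
    if scheme not in ("http", "https"):
        warnings.append("non-web scheme '%s': not a link you click" % scheme)
    if "@" in parts.netloc:
        # https://bank.example@evil.example/ : everything before '@' is userinfo, not the host
        warnings.append("userinfo trick: the text before '@' is not the host")
    if not host:
        warnings.append("no host: relative or malformed link")
    elif host.endswith(".onion"):
        warnings.append("Tor hidden service: needs Tor, and using Tor is itself observable")
    elif host in SHORTENER_HOSTS:
        warnings.append("URL shortener: expand it before deciding")
    else:
        try:
            ipaddress.ip_address(host)
            warnings.append("raw IP address instead of a domain name")
        except ValueError:
            pass
        if host.startswith("xn--") or ".xn--" in host:
            warnings.append("punycode label: possible IDN look-alike of a known domain")
        if host.count(".") >= 4:
            warnings.append("deeply nested subdomain: the registrable domain is at the end")
    return {"scheme": scheme, "host": host, "warnings": warnings}


def expand_short_url(url, head, max_hops=5):
    """Follow Location headers hop by hop. `head(url)` returns (status, location);
    inject live_head for real use or a fake for offline tests. Never fetches a body."""
    chain = [url]
    for _ in range(max_hops):
        status, location = head(chain[-1])
        if status not in REDIRECT_CODES or not location:
            return {"chain": chain, "complete": True}
        chain.append(urljoin(chain[-1], location))   # Location may be relative
    return {"chain": chain, "complete": False}       # gave up: too many hops


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None   # surface the 3xx instead of silently following it


def live_head(url, referer=None, timeout=10):
    """Real-network hop: HEAD with redirects disabled; the Referer is yours to choose.
    Each call still contacts that host, so run it from the managed-attribution setup."""
    headers = {"Referer": referer} if referer else {}
    req = urllib.request.Request(url, headers=headers, method="HEAD")
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:          # 3xx arrives here with _NoRedirect
        return err.code, err.headers.get("Location")


# Constructed redirect table standing in for the network.
FAKE_REDIRECTS = {
    "https://bit.ly/3xyzabc": (301, "https://t.co/abc"),
    "https://t.co/abc": (302, "/landing"),
    "https://t.co/landing": (302, "https://news.example.org@203.0.113.5/login"),
}


def fake_head(url):
    return FAKE_REDIRECTS.get(url, (200, None))


def demo():
    result = expand_short_url("https://bit.ly/3xyzabc", fake_head)
    return result, evaluate_url(result["chain"][-1])


if __name__ == "__main__":
    result, verdict = demo()
    for hop in result["chain"]:
        print("->", hop)
    print(verdict)
```

Some shorteners answer HEAD with 405; in that case the hop function needs a GET whose body you discard, which is more exposure than HEAD, so note it in the risk assessment rather than quietly switching.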



//Information is everywhere//

Grey Literature

Literature, writing, or media that may not enter normal channels or systems of publication, distribution, bibliographic control, or acquisition by booksellers or subscription agents. (Yearbooks, Business cards, Newsletters, etc.)

  • Could require Human Intelligence to collect

  • Large volume of information, low signal to noise ratio (You aren't likely to find DROVES of useful information)

  • Context is as important as Content

  • Before the "what" and "why", know the "who", "to whom", "by what means", and/or "what venue"

  • Message

    Is the content tailored, or in relation to other messages in similar/different venues?

  • Audience

    What is the average knowledge base? The socioeconomic / cultural / multicultural / geographic homo/heterogeneity of the audience?

  • Medium

    What is the range/volume, complexity, and/or communication method?

  • Author

    What is/are their background / qualification(s) / agenda(s) / source(s)?

//LOCAL ART//

EPHEMERA

  • Includes any type of transitory (brief or temporary) document

  • Usually reflects a temporary interest topic for a specified audience in a limited context

  • Not usually intended to be retained, stored, or published for sale

Benefits
  • May be current

  • Often free

  • Relevant & unique

  • Provides insight into specialized communities

  • Usually a local source

  • Identifies local & niche keywords

Challenges
  • Hard to find if you aren't a local

  • Documents not well published

  • Older items may not be archived online

  • Format and citation information may be nonexistent

  • Quality varies

//LISTEN UP - SOMEONE WANTS YOU TO BELIEVE SOMETHING//

PROPAGANDA

  • Any form of communication that can be *but is not always* misleading in nature, designed to influence the opinions, emotions, attitudes, or behaviors of any group to benefit the sponsor
  • Frequently spread by Ephemera and/or Grey Literature
  • Often draws upon cultural and/or ideological assumptions
  • Objective work may rely on subjective sources
  • Message, audience, and medium provide information about the source
  • JUST BECAUSE IT'S PROPAGANDA DOESN'T MEAN IT'S FALSE
  • JUST BECAUSE IT'S FALSE DOESN'T MEAN IT ISN'T USEFUL

"WHITE PROPAGANDA"

  • Message delivered overtly by the source

  • "Join ICE" commercial on Fox News (ICE was likely the source)

"GREY PROPAGANDA"

  • Source of propaganda not stated, may be difficult to determine

  • Poster that says, "The Government is Lying to you" and nothing else

  • (Many different possible sources)

"BLACK PROPAGANDA"

  • Source of propaganda misrepresented, usually to discredit 

  • Poster with Party logo and the text "We'll eat your babies!" (Party on the poster is almost certainly NOT the source)

//Here we Go//

WEBS

They're just interconnected information sharing systems when you really think about it!

Surface Web

  • Indexed content

  • Can be found with traditional search engines (Google, Bing, etc.) and accessed with traditional browsers (Safari, Firefox, etc.)

Deep Web

  • Content not indexed by public search engines (the site may keep its own internal index)

  • Cannot be found with traditional search engines. Might require passwords or network permissions

  • Information databases

  • Protected information

  • For-fee subscription services (Netflix)

  • Information behind company firewalls (NIPR)

Dark Web

  • Intentionally hidden content

  • Can be accessed with special software like Tor. Tor use from an attributable network is itself observable, so include it in the risk assessment

  • Might require passwords or permissions

//INFORMATION FIREHOSES//

DIFFERENT MEDIA

Traditional Media

One to Many
  • Major news networks

  • TV, Print, Radio

  • Research, Libraries, Experts

  • One of the largest sources of PAI

  • Essential component of INFO OPS

  • Thousands of sources in numerous languages

  • Independent/alternative news sources increasingly available

  • Different cultures may have different journalistic standards & traditions


New Media

Many to Many
  • Full Media Spectrum

  • Intended to share, collaborate, network, and generate social interactions

  • Photo sharing

  • blogs

  • message boards

  • etc.