How to optimize your OSINT job request

So, you have decided to enlist the help of an OSINT researcher. Congratulations! On this page, we’ll help you with crafting your first OSINT job request in the best way possible, so you’ll quickly get the results you want.

1. Formulate your investigative question

Think: what question needs to be answered to solve your issue? Your natural response could be to ask a lot of questions: “Who’s behind this site? And what is their address? Are they selling pirated goods? Who buys there? And how? What does AS mean? Why is their website yellow?”.

You will get the fastest and best results if you can define your main investigative question. Tip: If you have 20 investigative questions, pick the most important one and make it your main investigative question. The researcher will use this question to decide the best way to investigate.

Another thing that can be very helpful is knowing why: for what purpose do you want your investigative question answered?

Example: You want to know who owns a particular website, because you suspect they are selling illegal copies of the bags you produce, and you want to sue them.

If you just ask: “Who owns website X?”, your researcher will not look any further than that. Your result might be: “The owner could not be found”. End of investigation.

Now let’s say you ask:

We want to know who owns website X, because we suspect they are selling fake copies of our handbags. We suspect this because some customers told us they could buy our handbags cheaper at website X, but we have no knowledge of this party. If they really sell fake copies of our handbags, we will sue the organization.

That’s better! Now the researcher knows:

  • The investigation might result in a lawsuit, so evidence like timestamps and URLs must be saved.
  • Website X is suspected of selling fake handbags. It may be possible to find out who owns the site by looking at similar sites that sell fake handbags.
  • If they are really selling fake handbags, they’ll probably need a supplier of raw materials. That supplier can be a way to find out more about the seller.

The answer of the investigation might still be: “owner could not be found”, but there is a higher chance that the researcher will be able to give you enough data to get a police investigation started or to have the site removed, and will advise you on what action to take next.

2. Define your OSINT investigation parameters

Aside from one central investigative question, you may have certain wishes about how quickly the investigation should proceed, or how the results should be presented. Here are some things to think about:

Delivery time

Be clear about your timeline. ASAP might mean ‘1 day’ to you, but might mean ‘2 weeks’ to someone else. Be as specific as possible: OSINT researchers might have multiple assignments at the same time, and if you want quick results, look for a researcher who will devote all their time to your assignment.

For example:

Full-time researchers only. Results no later than April 5th, 12:00 GMT, final report no later than April 12th, 16:00 GMT.

Language

Be sure to communicate what languages the researcher needs to know for the investigation, and in what language you want the results.

For example:

Researcher must be fluent in Japanese (reading and listening), and all reporting must be in Word format, in written English. Screenshots must be translated.

Report format

It can be very disappointing if you expect colorful graphs as a final result, and you get bare text files instead. To save time and disappointment, tell your researcher up front what format the results must have. For example, if you want to cut and paste their results in your own report, you probably want results in Word format instead of PDF. Moreover, be sure to specify in what language the end report should be.

Note: If your organization uses a standard template, let your researcher know before the start of the investigation.

Research reports can come in many forms:

  • Written

    This is the most common form of reporting. Be specific in what form the written report should be: Word format, text files, or a PDF file?

  • Slideshow

    This option might save you a lot of time: the researcher will present the results in slideshow format, so you can use it in your presentation. Common formats are PowerPoint and Keynote, but PDF files can also be used.

  • Presentation

    If you don’t want to peruse dozens of pages of written results, you can ask your researcher to give you a presentation instead. Your researcher can walk you through the results and answer any questions you have.

  • Other options

    The options above are not the only ones. Results can also be presented as spreadsheets, screenshots, screen recordings,

For example:

Results should be reported in English, in Word format, all website URLs involved should be collected in a separate Excel spreadsheet.

Forensic or not

If the results of the investigation will be used in court, state so in your job description. In most cases, an audit trail is needed, along with a description of the steps that have been taken to get to a final conclusion.

For example:

The results of this investigation might be used in court, so an audit trail, including timestamps, search queries and visited URLs is needed.

3. Confidentiality

Ask yourself: how confidential should the investigation be? If you want serious confidentiality, you might want to use vetted researchers only, and have them sign an NDA.

Another question is: what exactly should be confidential? If you are preparing a takeover, you probably don’t want the world to know you are interested in that organization, but if a researcher is spotted by that organization, there would be no harm done. On the other hand, if you want to investigate hostile cybercrime actors, you might want to shield the fact that your organization is doing research into these groups.

Be as specific as possible when stating confidentiality. For example:

Due to the nature of the project, strict confidentiality is needed. Researchers must sign an NDA, and must provide proof of identity. This project cannot be used as a referral.

Due to the sensitive nature of our anti-corruption project, the organizations that are researched cannot know they are under investigation for corruption. To avoid alerting the organizations, the use of active OSINT, spiders, bots, and other automated tools is not allowed. Researchers should stay anonymous and be able to use Polish IP addresses.

4. Specific sources

What sources should your researcher use? There are literally tens of thousands of open sources that a researcher can tap into. Some of these sources are paid, some are for registered members only.

For example:

Researchers must have access to LexisNexis, DomainTools, Shodan, and SpiderFoot. Due to GDPR, sources like pipl.com are not allowed.

Researchers must be comfortable with the dark web (Tor), and be able to crawl .onion sites.

5. Tools

Certain tools can yield much faster results, but are costly to acquire. If you have a preference for tools your researcher should use, state so clearly in your job description. If automation is required, state so in your job description.

For example:

Researchers must be comfortable with using Maltego, SpiderFoot and Paliscope.

Automation required: Researchers must be able to crawl hundreds of sites without appearing to be a bot.