What makes a good OSINT Analyst? To me, the most important asset an OSINT Analyst can possess is an inquisitive mind. A person can be taught how to use or create tools, or how to write reports, but it is vastly more difficult to teach a person how to be analytical. That isn’t to say it can’t be learned over time with practice. With that in mind, here are some things to keep in mind if you are trying to learn the art of curiosity.
Ask a lot of Questions
In classical rhetoric, the “elements of circumstance,” traditionally attributed to Aristotle, have been used for ages to analyze the circumstances of an act. They apply equally well to modern-day analysis and can serve as the foundation of an investigation.
Quis, quid, quando, ubi, cur, quem ad modum, quibus adminiculis
(Who, what, when, where, why, in what way, by what means)
A condensed yet equally valuable version of the elements is called the “5 W’s and an H”: Who, What, When, Where, Why, and How. These questions have been used in rhetoric, religious study, police investigations, journalism, and law since ancient Greece. It is said that an investigation cannot be truly complete until all of the W’s and the H can be answered. Applying the same elements to our OSINT investigations, we can ask and answer similar questions.
Consider we are using OSINT to provide a commercial client with a scenario to illustrate where they are vulnerable to an attack:
Who is the threat actor?
What do they want to do (cause damage, steal files)?
When did they/will they most likely attack?
Where will they target the organization?
Why do they want to target this organization?
How will they attack/what process will they take?
Using these questions we can begin to fill in the blanks with passive collection. We can research contracts, social media, breach data, resumes, and job postings, all to begin to craft a narrative. For the scenario above, the answers might look like this:
Who is the threat actor? A random hacker
What do they want to do (cause damage, steal files)? Steal proprietary files
When did they/will they most likely attack? Over a business holiday
Where will they target the organization? Through known credentials
Why do they want to target this organization? To profit
How will they attack/what process will they take? Spear Phish high privilege target
Be Curious and Craft a Storyline
By answering the 5 W’s and the H, a narrative begins to emerge from our collected data. It is now up to us as analysts to connect the dots in a succinct way. The catch is that anyone who has done research knows that once information starts to be uncovered, it is easy to get stuck in a rabbit hole. As the brilliant physicist and chemist Michael Faraday said:
Everything is connected, so if you pick any thing, any one thing, and sought a complete understanding of it, you would end up studying the whole universe.
Faraday was definitely on to something. If we spend all our time digging deep into just one part of our investigation, we can easily miss a ton of other juicy details. However, if we only take a light dive into a ton of topics, we may never get into anything revealing. The balance is to follow the leads that hold up: if the information being gathered is compelling, chances are it will guide you to tell a persuasive story.
Trust your Gut (But Beware of Cognitive Bias)
In a 2013 issue of the Journal of Investigative Psychology and Offender Profiling, Michelle Wright discusses a study on the intuition of homicide detectives. The study revealed a ‘cycle of cognition’ that detectives use to build a narrative of the circumstances. What these cycles tell us is that, with time and training, we are capable of developing the skills to generate hypotheses and make useful, actionable decisions based on the clues we are given.
Practice and time will ultimately be the only way to learn to trust our gut when developing a theory. A major pitfall to be aware of when relying on intuition is cognitive bias.
Cognitive bias is how we interpret a situation based on our experiences rather than on the evidence in front of us. There are many different types of cognitive bias, such as the Framing Effect, which is drawing different conclusions from the same information depending on how it is presented. A good example of the Framing Effect is Robb Willer’s TED Talk on How to Have Better Political Conversations. In his talk, Robb discusses an experiment where both liberals and conservatives were given an essay on saving the environment. The essay the conservatives received was framed to appeal to them, using language that invoked moral purity. What the researchers found was that conservatives were significantly more supportive of progressive ideas when those ideas were framed in a way that appealed to them.
Being cognizant of our potential biases during investigations makes our findings more actionable, because they will be based on facts rather than on the story we expected to find.
Use Gap Analysis
In short, Gap Analysis is a strategy that allows us to reduce the amount of investigative work by evaluating all known information and zeroing in on what is most important. (Nixintel’s blog on Gap Analysis is a fantastic read to learn more about this method.) Much like the 5 W’s, we do this narrowing of details through simple questions:
1. What do we know?
2. What does the information mean?
3. What do I still need to know?
4. How do I find out?
Practicing Gap Analysis can be a very effective way to increase your skills as an analyst. The more practice we have in quickly identifying gaps in information, the more effective we will be at OSINT. I think back to what Sherlock Holmes said in The Adventures of Sherlock Holmes:
“Data! Data! Data! I can’t make bricks without clay.”
And without quality clay, Holmes would not be making any bricks at all!
Be Curious About What Others Know
In OSINT there is an endless cascade of tools and methodologies for every use case we run across. For a beginner in the field, this onslaught of learning material can be quite overwhelming. We find ourselves asking questions like “do I need to know Python?” and “how do I get started with Maltego?” The best way to develop our own methodology and data collection skills is to set the fancy tools aside and focus on the characteristics we see in other great investigators. Keeping an open mind and learning from those around us will be a far greater asset for our future than any tool. As soon as we close ourselves off to new ideas and processes, we stop growing as both OSINT analysts and people.
Getting involved and learning from others is well within reach! Check out OSINT Twitter on Mentoring Monday, follow great OSINT blogs, and contribute to open-source projects. Be sure to get in contact with people who align with our goals and inspire us.
Reflect on Your Own Wins and Failures
Too often we find ourselves reflecting only upon our failures (or perceived failures) and not pausing to consider our wins. Taking time to jot down processes that worked, failed, or need adjusting helps keep us on track for learning new things. An added bonus of logging our wins is that when we need to revise our resume, we will have a list of great things to add.
During an OSINT investigation we will undoubtedly run into roadblocks, and these should be noted as topics for reflection before the next investigation. An example could be spending too long manually looking into personnel. Our reflection would answer questions such as:
1. What part is taking the most time?
2. Is this necessary for the investigation?
3. What could I change in my process?
4. Could any part be automated?
5. Who could I ask for input/advice?
Be Skeptical and Verify
Fortunately, being skeptical comes super easy for me; I even have a tattoo that says “Trust No One.” Skepticism does not always come naturally, however, and some may have to hone this skill. While I can admit that trusting no one is extreme, it is absolutely a good idea not to trust everything found during an investigation. There is nothing worse than finding what we think is a juicy piece of intel only to find out later that it wasn’t what it seemed. Be sure to look at intel from all sides, and verify, verify, verify. At best, unverified intel wastes our time chasing pointless leads; at worst, we accuse someone of something they are innocent of.
In philosophy, skepticism is a highly analytical method of obtaining knowledge through systematic doubt and continual testing. This definition echoes the way an OSINT investigation should proceed: by continuously questioning and verifying all findings.
In ancient Greece, skepticism was not just an idea, it was an attitude, and it was so influential that it was thought of as a movement. My all-time favorite anecdote is of the Heraclitean philosopher (and influence on Plato) Cratylus, who refused to discuss anything and would only wag his finger, holding that communication is impossible because meanings are constantly changing.
I feel seen, Cratylus.
Wright, Michelle. “Homicide Detectives’ Intuition.” Journal of Investigative Psychology and Offender Profiling, vol. 10, no. 2, 2013, pp. 182–199.