Threat Inteliigence / OSINT / NETSEC / NATSEC

OPSEC in OSINT - basics and main concepts

Collecting information as part of OSINT is often based on finding traces of users' online activity, such as logging into social networks or using the same e-mail address to register on multiple portals. However, it should not be forgotten that the same applies to ourselves when we try to obtain this information, often using accounts on certain websites or simply interacting with resources on the Internet. As you can easily guess, the situation in which the purpose of our investigations is able to see what we are doing is not desirable:

  1. Especially in more sensitive situations, such as the work of investigative journalists or combating crime, identifying the data collector may directly threaten them.
  2. Drawing the target's attention to the fact that someone is looking for information about it will most often make activities much more difficult, and perhaps even prevent the effective gathering of information, when our target limits its activity or starts blurring its traces.

Therefore, OPSEC, i.e. operational security, is an inseparable part of OSINT. Derived from military terminology, this term means the identification of information that could be observed by the enemy and used to act against our activity. In the case of internet searches, it will primarily have two dimensions:

  1. Separation of our private activity, such as the use of e-mail, social networks, browsers, in such a way that the environment we use for the analysis is not "polluted" by our private activity.
  2. Using possibly passive methods of collecting information - the less interaction we have with the resources we use, the less exposure of our activity - an example would be using archived versions of pages instead of visiting them directly.

In the context of analyzing information and collecting data in the most objective way possible, the separation of private and professional activities has another very important dimension. Since user profiling currently plays a very important role in presenting content to users, the use of separate environments will ensure that the results we obtain will not be contaminated by, for example, personalization of search results.

Entire books could be written about the OPSEC itself and its individual aspects, but what are the most important principles and techniques at the beginning of the OSINT road?

  1. System virtualization. From my perspective, the most important achievement in the field of IT that supports Internet investigations is the availability and universality of solutions enabling the creation of virtual machines. The virtual system is an ideal solution for the separation of private and OSINT activities, it allows you to configure the software, browser, system functions in a manner adapted to the specific functionalities that we will use to collect information. Additionally, virtualization protects our main system against accidental malware infection, and even enables a controlled malware analysis.
  2. Alternative accounts on social networks - the so-called Sock puppets. Just as we should not use our private work environment, it is even more important not to use private accounts on social networks. Obtaining information from portals such as Facebook, Instagram or Twitter usually requires registration in order to access the user's posts or obtain an API key. Using your own accounts in such cases is actually not an option - a request to join a Facebook group, and in the case of LinkedIn, even just entering the profile reveals our identity. Therefore, it is necessary to use alternative accounts, set up specifically for the purpose of the activity.
  3. Sources of passive access to information. As a rule, we should minimize the situations in which we actively obtain information - e.g. by directly entering a website belonging to our purpose. Therefore, the optimal solution is to use websites that have already obtained the information we need. To see what a website looks like, we can use a webarchive that collects and archives copies of websites, and to obtain WHOIS data, we can use a service such as PassiveTotal which provides historically collected data.

At the beginning, the most important thing is to separate three elements from private activity - the system we use, Internet connection and accounts on all portals.

As mentioned above, fortunately, system virtualization is now so widespread that we can create a virtual system intended only for the purpose of collecting and analyzing information at virtually no cost. Free VirtualBox that allows you to take snapshots of virtual machines, and the Linux distribution of your choice like Ubuntu it is a sufficient set to create a working system. Setting up a virtual system is perhaps the most important piece of the OPSEC puzzle. Therefore, in order to properly approach the issue, I will devote more space to it in the next post on

When it comes to connecting to the Internet, the use of alternative links has two main goals - to hide our real IP address which may make it difficult to detect our activity, and to change the geolocation of our address to access resources available only in certain countries. The two most popular methods are Track and VPN. Tor Browser enables us to effectively hide the real IP address by redirecting the connection through a network of intermediaries, which means that only the address of the last one (the so-called Exit node) is visible from the recipient's side. The main advantage of Tor is its accessibility and ease of use, but the downside is that the node's Exit address list is widely known. So even if we hide our real address, we will stand out from the "normal" network traffic. The second option is VPN (Virtual Private Network), i.e. the service consists in redirecting our traffic through the provider's servers. The "outgoing" address will therefore be the address of the server belonging to the company that provides us with VPN services. The great advantage of this solution is that the providers most often offer many servers scattered around the world, which allows you to quickly change the location depending on our needs. The connection speed will also be much faster than with Tor, often comparable to our native transfer. After all, the addresses of the servers used by providers are usually not publicly known, servers are often located in popular data centers, so our traffic will not be too different from regular network traffic. The downside of a VPN is that in order to have access to multiple servers and a sufficient quality of service, we most often have to opt for a paid solution. Besides, it is worth remembering that since we redirect all our traffic to the service provider first, it becomes basically our second ISP with all the consequences and comparable visibility to our traffic. Therefore, it is crucial to trust the service provider we use.

After all, requiring a little more commitment, but the best solution is to independently set up servers that we will use to redirect traffic, e.g. to Amazon Web Services or Digital Ocean. By using a simple tool like AlgoVPN we can very quickly set up a tunnel to the server in a selected place in the world, of course if the supplier has its infrastructure there. We pay on the basis of cloud services only for the time we use our private VPN (and if we are on the free AWS period, we do not pay anything at the moment), and because the servers of a provider such as AWS are very common, our traffic does not differ much from the usual network traffic. We must remember that in this case we will not usually be anonymous for the server provider, but depending on our model, the threat does not have to be of great importance.

Accounts on social networks or e-mail addresses are a river topic. Unfortunately, lately, setting up an account without providing a phone number or even an email address (which often requires a phone number) has become almost impossible, and moreover, having "any" phone numbers such as Google Voice will also not help. Of course, in the broader context, making it difficult to put on sock puppets is understandable, and perhaps even desirable to some extent, given the increasing scale of information operations. For a person trying to conduct OSINT operations, however, this is a significant obstacle, especially in the case of websites such as LinkedIn, which prevent access to most resources without logging in. General tips for creating an account are:

  1. Different services like different e-mail providers - sometimes larger providers like Gmail or Yahoo are better received, and sometimes smaller ones like Fastmail or GMX.
  2. Mobile versions of registration pages are usually less demanding and less often require additional mechanisms to confirm the user's identity.
  3. If we already set up an account, let's think about how we will use it. Contrary to appearances, quickly adding likes, interests, friends may cause our account to be flagged as suspicious and reported for verification. Any attempts to "make the account real" in order to impersonate someone, access to a group of friends and so on, in my opinion, do not fall within the limits of the OSINT I would like to write about here - the accounts used to collect information may, in my opinion, remain empty.

In summary, if I had to choose one word that is the core of OPSEC, it would be "isolation". The biggest threat will always be the temptation to use private resources to collect information (because virtual machines, alternative accounts and turning on VPN are too much effort), from where there is a very short path to mishaps - as he found out a Russian intelligence officer who just didn't turn on the VPN 🙂 The use of a dedicated, isolated environment should therefore be a pillar on which we can base further elements increasing our safety.

Leave a Reply

Your email address will not be published. Required fields are marked *