Intelligence analysis, satellite image analysis, SIGINT, IMINT - these terms are usually associated with the activities of state intelligence agencies with gigantic budgets, technology that is many years ahead of publicly available products, and secret knowledge acquired by intelligence officers.
However, recent years have brought a real revolution in terms of access to data once available only to state-owned entities. The development of social media, digital photography and the commercialisation of information services have enabled private individuals to collect and analyse information on an unprecedented scale. Information shared by users themselves on Facebook, Instagram or Snapchat allows for the mapping of relationships between individuals and the collection of information about where they currently reside. Data collection services and financial reports show the financial health of companies and allow a realistic assessment of their profitability forecasts. Finally, thanks to Google Maps, Sentinel Hub or Maxar, users gain access to satellite images allowing them to observe and collect information about any region of the globe. It was the meticulous analysis of such materials that enabled the Bellingcat service to identify the perpetrators of the downing of flight MH171 and linking Russian military equipment to the incident, and enabling Atlantic Council analysts to prove Russian involvement in Ukraine.2
Even greater changes are taking place in the area of IT security. Here, it is often private security vendors who protect companies against intrusions carried out on behalf of and under the supervision of state entities, publish reports identifying specific officers, assigning activity to specific branches. By enriching the data collected during incident response with information on domain registrations, infrastructure properties and data from social networks, analysts build a complete picture of hostile activity, taking into account the technical and political dimensions of the activity.
The collection, processing and analysis of publicly available information is the very essence of OSINT also known as white intelligence or open source intelligence. The scale of the usefulness of such sources is so great that Samuel Wilson, former head of the Defense Intelligence Agency, estimated that 90% of intelligence comes from open sources. Moreover, even as early as 1947, Sherman Kent, often considered the father of intelligence analysis, estimated that in peacetime, 80% of the information needed by decision-makers comes from this type of source.3
Among the sources in open sources intelligence, most important tend to be:
- Media - press releases, reports, journalism.
- Social media - information shared by users themselves in the form of posts, photos, videos, location tags.
- Industry and academic publications.
- Data of network infrastructure - Internet domain registrations, IP address ownership and ASN.
- Image data - satellite images, maps, photos taken on site of objects, roads, environment.
The list is of course open and does not end her - the most useful resources from my perspective can be found on the website under the Resources and Tools. However, the range of sources to be used by the information seeker will depend entirely on the purpose of the search - someone tracking the development of the infrastructure used to run cyber operations will go to different sources than someone creating a financial profile of a company. This differentiation does not mean that one cannot "learn" to use OSINT effectively. On the contrary, the researcher should first assimilate the methodology of information gathering and critical evaluation, specific sources and tools are always a secondary element. Moreover, sources can change very quickly. Especially in more niche branches of research, services providing information may disappear or be replaced by new ones. However, an effective OSINT analyst should be able to achieve their goal regardless of the tools currently available. The goal of the search is precisely the determinant of the "INT" or intelligence part. When we start to collect data in order to analyse it and draw conclusions, we should know what exactly we want to obtain. This methodology can be illustrated by two concepts derived from American intelligence doctrine - intelligence requirements and intelligence cycle. The first refers to the determination of the questions to be answered by the analytical process, the second to the cycle of activities ensuring the methodological soudness of the process.
Intelligence requirements, in fact, are specific questions that decision makers want to get answers to from given intelligence organizations. Keeping with military examples for the time being, such a requirement could be "whether a specific enemy unit will reach a certain place before May 15" or "how large forces protect a specific object". Moving more to the civil field, we can give the example of private cybersecurity companies that provide threat intelligence services - they can receive inquiries about the techniques used by groups attacking targets operating in the client's sector.
Intelligence cycle, is a systematisation of the successive phases of the process of answering these questions. The stages of the cycle are:
- Planning - setting intelligence requirements, that is deciding what question the analyst should ultimately answer.
- Data collection - here the analyst uses known and available sources to gather the necessary data.
- Processing - especially in the case of large data sets, they may require additional processing to enable human analysis - e.g.: address data obtained automatically is transformed into an Excel table.
- Analysis and production - in this phase the collected and prepared for use data are used to answer intelligence questions and production, i.e. preparation of the final outcome of the process such as: a report.
- Dissemination and feedback - products are delivered to target audiences and these audiences should evaluate them for usefulness to improve future operations.
Such a division of tasks, however, is characteristic of institutions with more formalized structures, such as intelligence agencies, where the functions of data acquisition and analysis are separated, and intelligence requirements also result from formal processes. In the practice of private individuals and organizations, analysts often put on many hats and engage in data collection and analysis at the same time. The boundary between the three middle phases can therefore be very fluid.
What does this mean for a person who wants to deal with OSINT? Of course, formalised processes and rigid frameworks are not necessary, but it is worth adopting a certain methodology to make the task easier.
- Planning is equally important regardless of the scale of our operations. Knowing precisely what we are looking for will save us time when selecting sources.
- Data collection, processing and analysis can flow seamlessly together, but the functions of these phases should not be overlooked. Moving too quickly into data analysis can lead to mistakes such as anchoring - without a full and clear picture of the data we have collected we may become fixated on one piece of information and build further analysis based on it, which obviously makes our analysis no longer objective and our view of reality heavily skewed.
- The shape of the final product, whether it is a report or a summary note or even an Excel table, depends primarily on the final recipient. If we are gathering information for our own use, let's make sure that we can later reconstruct our thought process and understand how we came to specific conclusions. On the other hand, if we are preparing a product for someone, the most important thing is that the answers to the questions posed to us are clearly laid out. It is best to apply the BLUF (Bottom Line Up Front) methodology here, i.e. to immediately present the final conclusions and then the analysis supporting them.
This is a rough outline of what OSINT is and how it can be practiced - naturally, each of the issues such as source selection or operation planning deserves a separate article or even a whole series - which is what I will be doing on counterintelligence.pl
1 Bellingcat, MH17 The Open Source Investigation Three Years Later, 2017.
2 M. Czuperski, J. Herbst, E. Higgins, A. Polyakova, D. Wilson, Hiding in plain sight: Putin's war in Ukraine, Atlantic Council, 2015.
3 DV Lande, EV Shnurko-Tabakova, OSINT as a part of cyber defense system, Theoretical and Applied Cybersecurity, 2019.
One thought on “Czym jest OSINT”