Open-Source Intelligence: Essential OPSEC Tips for OSINT Researchers
A frequent question I encounter is whether I have any tips or tools for maintaining OPSEC during online investigations.
My primary response is this: before offering any advice or tradecraft, I need to understand your research goals. In short, what is your threat model?
Understanding OPSEC
First, it's important to know where the term "OPSEC" comes from. OPSEC, or Operational Security, originated in the U.S. military. The aim of good OPSEC is to deny any adversary access to information that could jeopardize the secrecy or operational security of a mission.
This is the foundation of any investigation. You must first define your threat model against the specific research questions you are trying to answer.
For example, it doesn't make any sense to harden your operating system or your browser if your only task is looking up geographical data on Google Earth; however, if you're diving into websites and forums where individuals are building Remote Access Trojans (RATs), then tightening your operational security becomes essential.
Planning Your Threat Model
It can be useful to map out different scenarios that align with your threat model for a specific investigation. A visual aid, like a mind map or flowchart, can serve as a useful blueprint.
Here is a simple way to structure your thought process:
1. What tools do I need?
2. What sources will I use?
3. Which research machine should I use?
4. Who is my adversary or target?
Selecting the Right Tools
When considering the tools for your research, always evaluate what risks or potential harm they could pose to your operational security. For instance, some automated scrapers are quite "noisy" and not exactly discreet. This can become a problem if your adversary is monitoring for certain digital fingerprints. In OPSEC, leaving as few traces as possible is key - you want to blend in and navigate the internet like the majority of users.
This is the behavior you want from your tools. You don't want them to stand out. That said, some researchers intentionally make themselves visible to signal to the adversary that they are being watched.
When choosing tools, scrutinize their source code, if available. Does the tool leak sensitive information about your machine or report back to entities you're not comfortable with?
Always opt for tools that are reliable and well-tested. Keep them up-to-date to avoid security vulnerabilities. Over time, you should build a trusted toolbox, selecting the right tool for each situation, ranging from "silent" to "loud" operations.
Choosing Your Sources
Selecting sources is similar to choosing tools from your toolbox - you want to evaluate them on a scale from "silent" to "loud"; however, there's a key distinction: online sources can serve not only as tools but also as places where your adversary might be active. For example, accessing a general vehicle database poses less risk than visiting a website owned or monitored by your target.
Before diving into any source, pause, and assess the situation beforehand. What are the risks? How can you minimize your profile and blend in? Consider potential red flags, like language or time zone differences. If your target operates in a different language, adjusting your keyboard and system language settings can help you avoid standing out. Similarly, if your adversary is in a different time zone, change your time settings to match theirs and ensure your online activities align with when they'd expect someone to be active.
In some cases, maintaining OPSEC might even require you to be online at odd hours, so setting alarms to operate during your adversary's active time is a possibility.
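The time-zone point above can be checked rather than guessed at. The following is an added example, not code from the original article: a small JavaScript audit that takes the UTC timestamps of a persona's posts, converts them into the persona's claimed time zone and into your own, and reports whether the pattern looks like someone who lives where the persona claims to live, or like an analyst working office hours at home. The hour windows (00-06 as "night", 09-17 as "office hours", 08-22 as "waking hours") and the sample posting times are this example's own constructed assumptions; the zone conversion uses only the standard `Intl.DateTimeFormat` API.

```javascript
// Added example (not code from the original article): audit the posting times of
// a research persona against the time zone it is supposed to live in, and check
// whether the same posts betray an office-hours pattern in your own time zone.
// Assumptions: timestamps are ISO-8601 UTC strings, IANA zone names are used, and
// the hour windows below are this example's own choices. All sample data is constructed.

// Local hour (0-23) of a UTC timestamp in the given IANA time zone.
function localHour(isoUtc, timeZone) {
  const fmt = new Intl.DateTimeFormat("en-US", { timeZone, hour: "numeric", hourCycle: "h23" });
  const hourPart = fmt.formatToParts(new Date(isoUtc)).find((p) => p.type === "hour");
  return Number(hourPart.value) % 24; // "% 24" guards against engines that print midnight as 24
}

// Count how many timestamps fall into each local hour.
function hourHistogram(timestamps, timeZone) {
  const hist = new Array(24).fill(0);
  for (const ts of timestamps) hist[localHour(ts, timeZone)] += 1;
  return hist;
}

// Fraction of all activity whose local hour lies in [startHour, endHour).
function fractionInWindow(hist, startHour, endHour) {
  const total = hist.reduce((a, b) => a + b, 0);
  if (total === 0) return 0;
  let inWindow = 0;
  for (let h = startHour; h < endHour; h += 1) inWindow += hist[h];
  return inWindow / total;
}

// Which candidate zone explains the activity best, i.e. puts the most posts into
// waking hours (08:00-22:00 local)? This is the inference an observer would make.
function bestFittingZone(timestamps, candidateZones) {
  let best = null;
  for (const timeZone of candidateZones) {
    const fraction = fractionInWindow(hourHistogram(timestamps, timeZone), 8, 22);
    if (best === null || fraction > best.fraction) best = { timeZone, fraction };
  }
  return best;
}

// Persona audit: night-time activity in the persona's zone is implausible, and a
// 09:00-17:00 cluster in your home zone is the "9-to-5" tell the article warns about.
function auditPersona(timestamps, personaZone, homeZone) {
  const personaHist = hourHistogram(timestamps, personaZone);
  const homeHist = hourHistogram(timestamps, homeZone);
  const nightActivityInPersonaZone = fractionInWindow(personaHist, 0, 6);
  return {
    nightActivityInPersonaZone,
    officeHoursInHomeZone: fractionInWindow(homeHist, 9, 17),
    consistentWithPersona: nightActivityInPersonaZone < 0.2,
  };
}

// Constructed sample: five January weekdays of hourly posts between 14:00 and
// 21:00 UTC, i.e. a New York office day (UTC-5 in winter) for a persona that is
// supposed to live in Tokyo (UTC+9).
const SAMPLE_POSTS = [];
for (const day of ["2024-01-08", "2024-01-09", "2024-01-10", "2024-01-11", "2024-01-12"]) {
  for (let h = 14; h <= 21; h += 1) {
    SAMPLE_POSTS.push(`${day}T${String(h).padStart(2, "0")}:00:00Z`);
  }
}
const PERSONA_ZONE = "Asia/Tokyo";
const HOME_ZONE = "America/New_York";

console.log(JSON.stringify(auditPersona(SAMPLE_POSTS, PERSONA_ZONE, HOME_ZONE)));
console.log(JSON.stringify(bestFittingZone(SAMPLE_POSTS, [HOME_ZONE, "Europe/Berlin", PERSONA_ZONE])));
```

On the constructed sample the persona's posts land between 23:00 and 06:00 Tokyo time, three quarters of them in the 00-06 window, while every post sits inside a New York 9-to-5; `bestFittingZone` accordingly picks New York, which is exactly the inference you are trying to deny an observer. Run the same audit over your own persona's post history before and after you shift your schedule.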
A common source of OPSEC mistakes is cognitive bias - making assumptions based on what you think you know. To counter this, consult with colleagues, friends, or experts who can challenge your thinking and act as devil's advocates, helping to spot blind spots or errors in your reasoning and in your operational security plan. Having a second set of eyes give your strategy one final review is crucial, so that you neither overlook details that could be critical to your investigation nor include details that could give away your identity or position.
Choosing Your Research Machine
Selecting the right machine for your research is a sensitive topic, largely because it often depends on your budget and how far you are willing to take your research. The further and deeper your research, the more stringent your OPSEC needs to become.
In an ideal world, you'd have an unlimited budget to buy clean, new devices and internet connections for every investigation. In reality this is rarely possible; however, even with a limited or zero-dollar budget, there are effective steps you can take to harden your machine and obfuscate its digital fingerprints.
You can first start by physically securing your device - covering the built-in webcam and microphone, or even removing them entirely. Alternatively, you can install software that blocks access to your microphone and camera.
Using proxies or VPNs adds an extra layer of protection by masking your machine's IP address and even virtually changing your physical location by routing your internet traffic through a different country; however, be aware that this can introduce latency or slow down your network, as your traffic is being redirected through multiple geographically distant servers. Think of it like a road trip - you have several routes to the same destination, but some will take longer than others depending on the distance and complexity of the path taken.
For additional security, consider blocking tracking cookies, especially when trying to stay under the radar. Disable unnecessary browser features like auto-launching JavaScript, which could expose you to security risks, even possibly exposing your identity and true location. Lastly, always keep your OSINT machine updated with the latest patches to guard against vulnerabilities and potential leaks in the software you use for your investigations. Keeping everything current is essential to maintaining your good OPSEC.
If your budget is limited, virtual machines (VMs) are a great alternative. They allow you to emulate other devices on your current machine, such as running a virtual smartphone or tablet on your laptop, or running a different operating system. The type of VM you use should align with the nature of your research. There are many free options for your virtual machine, such as VirtualBox.
In addition, if you're investigating individuals involved in malicious hacking, it might be helpful to mimic the kinds of machines and operating systems they use. On the other hand, if you're researching platforms like Snapchat, running a virtual smartphone and creating a credible sock puppet account could be a more effective approach.
Who is My Adversary?
In Operational Security (OPSEC), understanding your adversary is crucial for determining the appropriate countermeasures. Before selecting your machine, sources, and tools, invest time in researching your adversary. Only by doing this can you effectively gauge how "loud" or "silent" you need to be in your investigation(s). For example, investigating an Advanced Persistent Threat (APT) requires a different level of OPSEC than probing a 16-year-old script kiddie attempting to sell illicit goods online. Both scenarios carry risk, but the nature of the threat varies: a 16-year-old script kiddie might have more honeypots or traps set up than an APT, and only a thorough risk assessment based on your research questions will reveal the potential consequences if your OPSEC is compromised.
With this in mind, here are some basic tips and tools to help improve your overall OPSEC:
There are two sides to OPSEC: your OPSEC and your adversary's OPSEC. You must always keep both in mind.
Key considerations for both sides:
- Identify where and in what format valuable information exists.
- Assess how well that information is protected.
- Understand the personal or professional impact if compromised.
- Know your adversary's capabilities and tactics.
Once you have these insights, search for OPSEC weaknesses by conducting online reconnaissance. This reconnaissance should be passive and should align with your research questions.
For instance, if you're profiling a particular individual, you might search for things like:
- Full name
- Location (home/work)
- Social Security Number (SSN) (if in the U.S.)
- Date of birth (DOB)
- Email accounts and passwords
- Online digital footprint
- Employment details
- Financial information
- Phone numbers (mobile/work/landline)
- Social media activity (posts, photos, videos) - be extra observant with this information and look for key details such as background items, as they often reveal landmarks or precise locations (a group picture in front of the Eiffel Tower is the obvious case; also look for particular shops, restaurants, or stores in the background, or a specific tree the group or individual is posing in front of).
- Connections to family, friends, or colleagues - with this information you can social engineer these entities into potentially revealing and disclosing more information to you about your target.
If you're conducting more technical OSINT, you might focus on:
- IP addresses
- DNS information
- Code snippets or reused code (fingerprinting)
- Indicators of Compromise (IOCs) or Indicators of Attack (IOAs)
- Known attack methods or techniques
- Port scanning
- Open databases or servers
- Leak sites and pastebins
- Malware or Remote Access Trojans (RATs) for sale
These data points can serve as pivot points for exploiting weaknesses in your adversary's or your own OPSEC.
OPSEC Tips for Conducting OSINT Research
1. Avoid Fingerprinting Based on Correlation: Fingerprinting can occur due to factors such as:
- Browser or IP fingerprinting
- Time of online activity or time zone settings
- Word choices and communication patterns
- Browsing habits and behaviors
2. Be Mindful at All Times
- Adjust your activities to match the threat level.
- Use residential internet (ethernet) or 4G/5G instead of public or corporate connections (which may reveal ISP).
- Use a proxy, VPN, or Tor to mask your true identity and location.
- Manage settings like referrers, user agents, and tracking blockers.
- Avoid logging into major accounts (Google, Yahoo, Microsoft, Apple, etc.) with fake credentials.
- Consider the risk if an account is compromised - is it linked to any other important accounts?
3. Think Before You Act
- Don't link anything to your true personal identity. Keep work and private activities 100% separate.
- Avoid conducting research in your personal environment.
- Don't use office WiFi, ethernet, or terminals for online investigations.
- Never connect personal devices or accounts to your research machine and/or research activities.
4. Low Profile/Blending In
Maintaining a low profile and blending in is crucial for good OPSEC. Here are some strategies to help you stay under the radar:
- Study the platform: Understand the culture and norms of the platform you're using. How do people typically behave there?
- Craft your story (alibi): Develop a believable backstory that aligns with your presence on the platform.
- Stay active: Make sure your online profile appears legitimate. Don't create an account and leave it dormant - engage at a realistic level.
- Avoid a 9-to-5 online presence: Vary your online activities and times to avoid a "9-to-5 office hours" pattern.
- Language settings: Adjust your language settings to blend in, including keyboard preferences.
- Time zone: Match your time zone to the platform or region you are interacting with. You can do this within your virtual machine without actually making changes to your live/production operating system. You should be using a research machine that IS NOT your personal laptop or PC. It should be a burner, meaning you use it once, then burn it. If you need to use it again, rebuild it (preferably from a setup image or snapshot that preserves the configuration from your last recon activities).
- Word choice: Pay attention to your language. Use slang, leetspeak (l33t/1337), or professional terms based on your audience.
Remember that your device tells a story. You can use tools like Whoer and Device Info to see your device's fingerprint. Depending on your research, you may want to blur or obfuscate this fingerprint or harden your browser further.
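The correlation checks listed under tip 1 and the "your device tells a story" point can be turned into a repeatable self-test. The following is an added example, not code from the original article: a JavaScript audit that compares what a browser exposes (`navigator.userAgent`, `navigator.platform`, `navigator.languages`, the `Intl` time zone, plus the exit-IP country and WebRTC candidates a checking page would report) against the persona you intend to present, and lists every contradiction an observer could use to tie the persona back to you. The persona structure, the finding codes and all sample values are constructed for this example; `collectFromBrowser` uses only standard browser APIs and returns null when run outside a browser.

```javascript
// Added example (not code from the original article): compare what a browser
// exposes against the persona you intend to present and list the correlations an
// observer could use to link the persona back to you. The field names follow the
// standard navigator/Intl APIs; the persona shape, the finding codes and all
// sample values are this example's own constructed assumptions.

// OS family a User-Agent string claims, based on the tokens real browsers emit.
function osFromUserAgent(ua) {
  if (/Windows NT/.test(ua)) return "Windows";
  if (/Android/.test(ua)) return "Android";
  if (/iPhone|iPad/.test(ua)) return "iOS";
  if (/Mac OS X/.test(ua)) return "macOS";
  if (/Linux/.test(ua)) return "Linux";
  return "unknown";
}

// OS family implied by navigator.platform. A plain User-Agent switcher changes the
// UA string but not this value, so the two disagreeing is a classic tell.
function osFromPlatform(platform) {
  if (/^Win/.test(platform)) return "Windows";
  if (/^Mac/.test(platform)) return "macOS";
  if (/iPhone|iPad/.test(platform)) return "iOS";
  if (/^Linux/.test(platform)) return "Linux"; // Android also reports "Linux ..."
  return "unknown";
}

function platformMatchesUserAgent(ua, platform) {
  const uaOs = osFromUserAgent(ua);
  const platformOs = osFromPlatform(platform);
  if (uaOs === "Android" && platformOs === "Linux") return true;
  return uaOs === platformOs;
}

// Returns a list of { code, detail } findings; an empty list means nothing in the
// observed fingerprint contradicts the persona.
function auditFingerprint(observed, persona) {
  const findings = [];
  const uaOs = osFromUserAgent(observed.userAgent);
  if (!platformMatchesUserAgent(observed.userAgent, observed.platform)) {
    findings.push({ code: "UA_PLATFORM_MISMATCH", detail: `UA claims ${uaOs}, navigator.platform is "${observed.platform}"` });
  }
  if (uaOs !== persona.os) {
    findings.push({ code: "OS_NOT_PERSONA", detail: `UA claims ${uaOs}, persona is ${persona.os}` });
  }
  const primaryLanguage = (observed.languages && observed.languages[0]) || observed.language;
  if (primaryLanguage !== persona.language) {
    findings.push({ code: "LANGUAGE_MISMATCH", detail: `browser language ${primaryLanguage}, persona ${persona.language}` });
  }
  if (observed.timeZone !== persona.timeZone) {
    findings.push({ code: "TIMEZONE_MISMATCH", detail: `browser zone ${observed.timeZone}, persona ${persona.timeZone}` });
  }
  if (observed.ipCountry && observed.ipCountry !== persona.country) {
    findings.push({ code: "IP_COUNTRY_MISMATCH", detail: `exit IP in ${observed.ipCountry}, persona in ${persona.country}` });
  }
  if (Array.isArray(observed.webrtcAddresses) && observed.webrtcAddresses.length > 0) {
    findings.push({ code: "WEBRTC_ADDRESS_EXPOSED", detail: `WebRTC revealed ${observed.webrtcAddresses.join(", ")}` });
  }
  return findings;
}

// In a real browser this builds the observed object from live values. ipCountry
// needs a server-side lookup and WebRTC candidates need RTCPeerConnection, so both
// are left empty here. Returns null outside a browser.
function collectFromBrowser() {
  const nav = globalThis.navigator;
  if (!nav || typeof globalThis.document === "undefined") return null;
  return {
    userAgent: nav.userAgent,
    platform: nav.platform,
    language: nav.language,
    languages: nav.languages ? Array.from(nav.languages) : [nav.language],
    timeZone: Intl.DateTimeFormat().resolvedOptions().timeZone,
    ipCountry: null,
    webrtcAddresses: [],
  };
}

// Constructed persona: a German Windows/Chrome user.
const PERSONA = { os: "Windows", language: "de-DE", timeZone: "Europe/Berlin", country: "DE" };

// Constructed observation: a Linux research VM with a UA switcher set to Windows and
// a VPN exit in Germany, but the host's own language, time zone and a WebRTC leak.
const OBSERVED_LEAKY = {
  userAgent: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36",
  platform: "Linux x86_64",
  language: "en-US",
  languages: ["en-US", "en"],
  timeZone: "America/New_York",
  ipCountry: "DE",
  webrtcAddresses: ["192.168.56.101"], // constructed private address
};

// Constructed observation of a VM that was actually configured to match the persona.
const OBSERVED_CLEAN = { ...OBSERVED_LEAKY, platform: "Win32", language: "de-DE", languages: ["de-DE", "de"], timeZone: "Europe/Berlin", webrtcAddresses: [] };

console.log(auditFingerprint(OBSERVED_LEAKY, PERSONA).map((f) => `${f.code}: ${f.detail}`).join("\n"));
console.log(`clean profile findings: ${auditFingerprint(OBSERVED_CLEAN, PERSONA).length}`);
```

The leaky profile produces four findings (UA/platform mismatch, language, time zone, WebRTC address) even though the VPN exit country is right, which is the point: a spoofed User-Agent on its own does not make a persona, the surrounding values have to agree with it. The clean profile, built on a VM whose locale and time zone were set to match the persona and with WebRTC disabled, produces none.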
Useful Add-ons and Extensions for Firefox and Chrome Browsers
1. HTTPS Everywhere
- Encrypts your connections where they would otherwise be unencrypted, protecting sensitive data and preventing interception, eavesdropping, or man-in-the-middle (MiTM) attacks.
2. Privacy Badger
- Blocks trackers, but may break some websites (e.g., login page functionality). If this happens, you can disable it for that site, though this will introduce an OPSEC risk.
3. uBlock Origin
- Blocks trackers and ads, and helps prevent WebRTC IP leaks (can be activated in Settings).
4. User-Agent-Switcher
- Mimics different operating systems and browsers, allowing you to view websites in mobile or tablet mode.
5. Canvas Defender
- Prevents browser fingerprinting by adding random noise to your canvas, even in Incognito Mode or with a VPN.
6. ScriptSafe (For Advanced Users)
- Blocks JavaScript, which can break websites but offers extra security by preventing adversaries from injecting malicious scripts. It also includes many anti-fingerprinting features.
7. Location Guard/Manual Location
- Spoofs your HTML5 geolocation, making it seem like you're in a different geographical location.
Additional Tips
- Use Two-Factor Authentication or Multifactor Authentication (2FA/MFA) whenever possible.
- Store passwords in a password manager like LastPass or KeePass. Ensure you have backups, images, and snapshots, and remember your master password or passphrase!
- DO NOT REUSE PASSWORDS ACROSS MULTIPLE SITES.
By following these practices, you can maintain better OPSEC while conducting OSINT research.
Thanks for reading: Open-Source Intelligence (OSINT), Sorry, my English is bad:)