Updated: May 11, 2020
A recent survey of 338 Cyber Threat Intelligence analysts and practitioners highlighted a prevalent lack of Open-Source Intelligence (OSINT) training in the Cyber Threat Intelligence sector. 85% of participants in the survey reported that they received little or no training in OSINT techniques and risk prevention from their current employer. This is something that I believe may extend beyond Cyber Threat Intelligence, to a number of industries that rely on internet investigations. The participants in the study demonstrated through their further responses to the survey that this lack of training has resulted in poor standards of practice that could potentially result in direct harm to their organisation. OSINT training is a worthwhile investment for any company that has staff conducting any type of investigations online. As an OSINT trainer, I'm inherently biased. However, as an active OSINT practitioner, I recognise the need for OSINT training, not just to impart good techniques but also to educate practitioners in good practice.
Open-Source research and investigation is a powerful tool against crime and bad actors. However, improper use of the internet for research and investigative activity presents risks to staff, active and future investigations, and organisational hardware, as well as inviting potential legal and reputational risk to the organisation or government department. By investing in OSINT training, an organisation is improving the efficiency and effectiveness of its OSINT practitioners and is also protecting the organisation itself. Therefore, training is a necessity for any individual conducting any form of Open-Source activity on behalf of an organisation to ensure that the appropriate consideration of security, legality and ethicality is given before any activity is taken.
In the survey, 38% of participants reported that they do not use managed attribution tools to mask or hide their online identities or personas. OSINT training that addresses good practice would ensure that all students understood the importance of managed attribution tools. In my training courses, I discuss the importance of the use of Virtual Private Networks (VPNs) and Virtual Machines to ensure that activity is adequately masked. To read that over a third of practitioners in the study are still not using these vital tools is disheartening. However, given the evident lack of training provided to employees, it is completely understood. Without being taught the importance of the right software, how can we expect individuals to use it? An organisation cannot expect its staff to conduct best practice when it is not providing them with the training required to learn it in the first place.
Ensuring the use of managed attribution tools when conducting organisational activity does not sit with the individual, whether they are trained or not. This is one of the many items that should be covered within an organisational OSINT policy. Policy should be set organisation-wide for any company that has staff conducting OSINT activity on their behalf. 29% of respondents in the survey reported that there were no oversight procedures at their company to ensure that tools are not being abused by analysts. As an OSINT specialist at a private company, I was responsible for the introduction of an official OSINT policy, setting the standard practice that should be followed when conducting internet investigations. A legitimate OSINT policy should discuss what level of OSINT activity all individuals are able to conduct, who OSINT activity can be carried out against, and what tools are required as a standard when an OSINT practitioner is conducting an active investigation to minimise risk. An example of a clear and detailed OSINT policy is provided with my course, Open-Source Intelligence (OSINT) - Tools & Techniques. This allows my students to see what an organisation should expect of its staff so that they can ensure good practice when they finish the course. This policy is written according to a law enforcement standard within the UK. A private organisation may not be bound by all of the same legislation as the Police; however, that does not mean that the same standard should not be met. By setting an organisational standard within a written policy, an organisation can determine the level of risk that it wants to expose itself to, rather than leaving this up to individual OSINT practitioners working on their behalf.
Failure to conduct OSINT activity to the appropriate standard risks the integrity of any evidence gained. An organisation needs to set an organisational standard to ensure that any collection of information from the internet for an investigative purpose is conducted in such a way that the integrity of any evidence gained is maintained and that a person's rights are considered and respected, and are only breached when lawfully allowed under the appropriate legislation.
An organisation can limit risk to its staff, its investigations and the organisation itself by introducing an OSINT policy and by investing in OSINT training. I strongly advise that if your organisation doesn't have an OSINT policy in place and doesn't already provide any OSINT training, you make sure that this investment is made now. This will guarantee that anyone within your organisation conducting OSINT activity has the appropriate training, which will make certain that they can conduct their activity to the appropriate standard set within a written policy. For only £105 per individual, 12-month access can now be purchased to my online course, Open-Source Intelligence (OSINT) - Tools & Techniques. This course will provide all the necessary training needed to ensure that you or your staff can conduct high-quality OSINT investigations legally and ethically. This course is offered on-demand, which allows you and your team to complete it whenever is most convenient for you and at whatever pace suits you best.