OSINT and personal security with Christina Lekati

Christina Lekati is a psychologist who works on the human element of cybersecurity. Her specialization is social engineering and open-source intelligence (OSINT) threats. Lekati is a Senior Social Engineering Trainer & Consultant at Cyber Risk GmbH, a cybersecurity and risk management consultancy based in Switzerland. At Cyber Risk GmbH, Lekati develops social engineering security training classes for security teams, employees, and executive boards. She also serves as the lead OSINT analyst on vulnerability assessments performed for corporations and high-value targets. In addition, Lekati works to help others learn more about OSINT: She is an executive board member at the OSINT Curious project, an organization that provides OSINT-focused learning resources, and speaks at cybersecurity conferences and training events around the globe.

Open-source intelligence (OSINT) is relatively unknown to people outside of the cybersecurity industry. But it is a tremendously powerful information gathering technique — one used to devastating effect by hackers, scammers, and nation-state actors. 

OSINT and its uses

Open-source intelligence expert Christina Lekati defines OSINT as “information gathering through publicly available resources.” That covers a wide spectrum, of course: everything from traditional media and public records to social media sites like Facebook, Twitter, and LinkedIn. But what really distinguishes OSINT is the way it’s used, says Lekati:

Open-source intelligence means that you take all of the information you’ve collected and analyze it in order to answer specific intelligence questions. In other words, you’re putting the information into a context — and towards a goal.

In the hands of threat actors, OSINT is a powerful weapon. For example, information gleaned from public sources can be used to plan an attack on a high-value individual, such as the CEO of a large company. Lekati explains how this might work in practice:

If somebody is targeting a high-value individual, they will first use their social media to identify where they live and work. With that, they can begin to predict things like their route to work, what time they’re likely to be in the office, what time they’re going to be away from home, and so on. Images found on social media, or Google Maps, or satellite images will provide additional information: For example, does this person’s home have a fence around it, or is it exposed to the street? With all of that information, they can begin to plan an attack strategy — perhaps to harass this individual in public or cause property damage.

A growing threat

Despite the fact that OSINT has serious real-world consequences, many companies still don’t take it seriously enough. Lekati says that this is even true of people working in infosec:

People tend to underestimate the power of OSINT. Either that, or they don’t think it applies to them. Even when talking to corporate security teams, we’ll often hear people say, “We don’t have any information exposed that could be used to create actionable intelligence against us.” And we ask, “OK, but have you actually run an OSINT vulnerability assessment?” And the answer is no. 

But the problem is, if you haven’t run that assessment, how do you know whether or not you’ve accidentally leaked something? Because that’s usually how it happens. People think they’ve done everything right; they think their security is perfect…but it’s not. You need a specialist to help you do an assessment before you can judge that for yourself.

The risk is compounded by the fact that nation-state actors are getting serious about OSINT, adds Lekati:

Nation-states are becoming much more organized in terms of how they collect intelligence on other countries and individuals. They’re undertaking massive data collection efforts. And all of that data can be used to predict the behaviors of key individuals, or create full profiles within their data set that they can exploit. 

And the rather grim fact is that many of these countries have long-term strategies. In other words, we don’t really know how they’re going to use the data they’re collecting today in the future. We just know that it’s not going to be good!

OSINT for the rest of us?

Lekati’s focus is on mitigating OSINT vulnerabilities for high-value individuals and enterprises, but she points out that OSINT should concern everyday computer users as well:

People often think that OSINT threats don’t pertain to them because they’re not a CEO or a politician or something like that. They’ll say, “Oh, come on, I’m not important enough for these cybercriminals to worry about. I don’t have much money in my bank account. Why would somebody want to go through all the effort just to steal money from me?” But it doesn’t work that way.

Romance scammers, for example, are a huge hazard on the Internet. And they often use OSINT to find their victims. They use social media to identify women or men who are recently divorced, or maybe just people who talk about being lonely on their social media accounts. It’s all publicly available information. And they collect that. They exploit that. 

There’s an interesting statistic to come out of last year’s FBI Internet Crime Report. They found that confidence and romance scams were the number three most popular type of cybercrime — and also number three in regards to monetary gain. So cybercriminals do prey on individuals. And they make a lot of money out of it.

OSINT tips for individuals and families

Lekati says that there are a number of steps that individuals and families can take in order to protect themselves from OSINT and social engineering threats. Here are some of her top recommendations:

1. Treat online connections differently

   Don’t treat online connections as if they’re people you have met in person. It’s not the same. Basically, don’t trust people on the Internet too readily. Remember that just because somebody is leaving nice comments on your photos or complimenting you doesn’t mean that they have your best interests in mind. Sure, be friendly — but don’t give away your trust so quickly. And always keep in mind that the very first step in a scam is to establish a certain level of rapport with the victim. That’s how these threat actors operate!

2. Trust your gut

   Threat actors establish rapport through conversation before they spring the trap. It’s only after they know that the target likes them, and likes talking to them, that they will start to make all sorts of weird requests: for information, for money, etc. The problem is that at that point, the target is already on the hook. So as a general rule, even if you like somebody you’ve met online, trust your instincts if you start feeling weird about their requests or about what they’re saying to you. Keep in mind that you may be dealing with a scammer, and take steps to protect yourself. Do some research on their profile, for example. Or educate yourself about online scams. There are lots of case studies, news stories, and so forth out there — so try to see if what’s happening to you has happened to someone else before.

3. Keep your social media private

   Keeping social media accounts private is good advice for everyone. It reduces your digital footprint — and thus your overall OSINT vulnerability. With children, this can be a bit more difficult. Especially when you’re dealing with teenagers and peer influence, it’s very hard to convince a kid to have a private account. But what you can do is have a conversation with them about what it means to be online and what risks that entails. And monitor the situation a bit by making sure they have some basic privacy measures in place.

4. Don’t respond to fear tactics

   Many threat actors use fear tactics to intimidate their targets into doing something that they normally wouldn’t do. If you get an email or a phone call that is trying to provoke fear somehow — for example, a threat that if you don’t act right away, then something bad will happen to you — find a way to investigate the issue independently. If it’s a phone call, hang up and call back on an official number that you’ve researched yourself (not the one that the caller provided). Or if it’s an email, reach out via an official email address that you’ve found on your own, not to the one that emailed you. And then just ask about it: “Hey, I got this request to verify my account, or to handle an issue with my account, could you please walk me through what I have to do? Can you please tell me whether this is valid or not?”

5. Educate yourself — and others

   The world is becoming more digitized, and more of our information is online than ever before. Because of this, attackers are going to have a lot more information on who their target is — and they’ll be able to better tailor their attacks.

   People need to educate themselves about OSINT and social engineering. We live in a digital era, and you need to know how to protect yourself in a digital era. If you moved to a dangerous city, a city with a lot of crime, you’d find ways to protect yourself and the people in your life. But it’s the exact same thing when we’re online … only we don’t realize it. We don’t feel the threat. But it’s there. And cybercriminals that prey on people count on this ignorance. But if you are aware of these issues, if you know, for example, how to recognize when something sketchy is happening, that gives you a huge advantage.

   And once you learn about OSINT, share what you’ve learned with others. Have a conversation with your friends and family. Bring it up at dinner: “Hey, I read this crazy story about this new online scam, here’s what to do about it.” In the future, knowledge of OSINT tactics will definitely be used for attacks — but hopefully that knowledge can be used for defense as well.

SecureMac thanks Christina Lekati for taking the time to talk to us. To learn more about Christina’s work, follow her on Twitter and LinkedIn or visit her personal website.