The ‘So What?’ of OSINT

Cassius•X•III
Sep 25, 2020

Unfortunately, all too often, the individuals that I conduct digital footprint assessments for do not understand the significance of the findings and the potential impacts they may have. This is why a critical aspect of any investigation, following the full report, is the face-to-face meeting that you have with the individual.

This meeting gives you the opportunity to present your findings in a manner where the individual can fully comprehend the consequences and potential risks the information poses. This article will provide you with a quick list of potential outcomes or risks that could occur as a result of someone collecting information on a subject via OSINT. Obviously this list is by no means comprehensive as each investigation will have unique risks. However, these can be applied to a large majority of cases.

You’ve Collected My Data. So What?

When I first began doing digital footprint assessments I was genuinely surprised by the lack of shock and action by the subjects after receiving a 10+ page report with their entire life on it. I quickly realised that most people do not ‘think like an attacker’, thus never understanding the true risk of the information presented.

So to make things easy for them to understand, I stopped beating around the bush, and began explaining how I, myself, would use the information to conduct an attack. This brought the report out of the hypothetical realm and into a more real-world “oh shit, this could actually happen” scenario.

So, let’s discuss the most common potential risks:

  • Defamation

First on our list is defamation, as this is the easiest and most likely to occur. In a world where a single tweet could mean the difference between a peaceful career or being “cancelled”, if an attacker were to dox you, revealing all your details, the impact on your career could be devastating.

Depending on whether your subject has a high profile position or is involved in controversial decisions, their career and professional reputation could come into question following the dox.

  • Stalking

Stalking is an interesting one as it predominantly impacts your mental health. The thought of what the stalker could do next, including taking physical action against you, your family or your pets, puts victims in a constant state of fear. Their experience is not unlike torture, and leaves the victim in a perpetual state of stress or hypertension, preventing them from sleeping properly and causing a slew of other serious negative impacts.

A full list of the impacts of stalking can be seen here.

  • Vandalism

This one is pretty straightforward. If a person manages to find out which car you drive or where you live, they could carry out a number of malicious acts, including keying your car, smashing your windows or painting graffiti/slurs.

Of course this would require the threat actor to be close to your location. It’s also one of the easiest to prevent/remediate in the sense that you can park your car in a secure garage/location, have security cameras to deter or assist in catching the perpetrator and just paint over or fix the vandalism.

  • Theft

As with vandalism, the perpetrators would need to identify your home/vehicle location and have somewhat of a plan prior to executing the robbery/theft. They could also target you directly in the street if, for example, you wear an expensive watch or jewellery. The thought of someone breaking into your home while you’re asleep or away is unsettling; however, it is again easy to remediate with an insurance claim. You should stress to the client, though, that the thieves might not be in it for monetary gain and may instead be looking to gain leverage over them with private documents or priceless items.

  • Extortion / Blackmail

Now we are into the more serious end of the risk spectrum. Extortion and blackmail are interesting, in that all the other risks listed (with the exception of stalking) could be used in some form or another to extort or blackmail you, your family or your business. Depending on your findings, each investigation would have unique extortion or blackmail opportunities.

  • Kidnapping

Although unlikely, kidnapping is still a risk to many individuals, especially those travelling or located in South America, Africa, the Middle East and parts of Asia. Even if your client lives in a relatively safe western country, the risk of kidnapping should be of serious concern particularly if they have young children.

  • Physical Harm

Depending on your client, threats of physical violence could be prominent and made on a daily basis, especially if they are involved in government or politics. It’s up to you to sift through the threats and determine which ones are credible. Does the person making the threats have physical access to the subject? Are they part of an organised crime group?

Real Life Examples

  • Chloe Piemonte — Coalfax

  • Swatting: https://www.cloudflare.com/en-gb/learning/security/glossary/what-is-swatting/

  • Carol Ng — HK Leaks

and many, many more…

I would also like to link back to my previous article ‘Turning a Name Into an Address’ where, during the face-to-face meeting with the subject, I mentioned a snippet from a video posted online which displayed the individual’s kids’ ‘daily schedule’.

Initially the individual did not understand why this was of concern; however, I explained that considering their controversial public position and the fact that they had received viable physical threats, publicly showing what time their children go for a lunch break could leave them exposed to harm such as kidnapping. This really hit home with the client and hopefully they have now removed the video.

Conclusion

In conclusion, there is a marked difference between someone reading about unlikely risks on a piece of paper, and hearing a grown man explain how he would go about kidnapping their 9-year-old daughter. Now this may sound creepy, and it is; however, your primary objective for the investigation is to help the subject secure their digital footprint. If they don’t fully grasp the risks you have laid out, and consequently don’t action your recommendations because the risks are “unlikely”, then you haven’t done your job properly.

Ultimately you don’t have any control over what your subject does or does not do. You can only supply the information you have gathered and the corresponding recommendations.

I will be posting more helpful articles about OSINT, cyber security, threat intelligence and investigating, so make sure you follow me on here and on my Twitter @CassiusXIII
