
OSINT in the Context of Cyber-Security


Abstract

The impact of cyber-crime has necessitated intelligence and law enforcement agencies across the world to tackle cyber threats. All sectors are now facing similar dilemmas of how to best mitigate against cyber-crime and how to promote security effectively to people and organizations. Extracting unique and high value intelligence by harvesting public records to create a comprehensive profile of certain targets is emerging rapidly as an important means for the intelligence community. As the amount of available open sources rapidly increases, countering cyber-crime increasingly depends upon advanced software tools and techniques to collect and process the information in an effective and efficient manner. This chapter reviews current efforts of employing open source data for cyber-criminal investigations developing an integrative OSINT Cybercrime Investigation Framework.
Chapter 14
Fahimeh Tabatabaei and Douglas Wells
14.1 Introduction
During the 21st century, the digital world has acted as a double-edged sword
(Gregory and Glance 2013; Yuan and Chen 2012). Through the revolution of
publicly accessible sources (i.e., open sources), the digital world has provided
modern society with enormous advantages, whilst at the same time, issues of
information insecurity have brought to light vulnerabilities and weaknesses (Hobbs
et al. 2014; Yuan and Chen 2012). The shared infrastructure of the internet creates
the potential for interwoven vulnerabilities across all users (Appel 2011): "The
viruses, hackers, leakage of secure and private information, system failures, and
interruption of services" appeared in an abysmal stream (Yuan and Chen 2012).
F. Tabatabaei
Mehr Alborz University, Tehran, Iran
D. Wells
CENTRIC/Sheffield Hallam University, Sheffield, UK
© Springer International Publishing AG 2016
B. Akhgar et al. (eds.), Open Source Intelligence Investigation,
Advanced Sciences and Technologies for Security Applications,
DOI 10.1007/978-3-319-47671-1_14
Wall (2007; 2005) and Nykodym et al. (2005) discussed that cyberspace possesses
four unique features called "transformative keys" for criminals to commit crimes:
1. Globalization, which provides offenders with new opportunities to exceed
conventional boundaries
2. Distributed networks, which create new opportunities for victimization
3. Synopticism and Panopticism, which enable surveillance capability on victims
4. Data trails, which may allow new opportunities for criminals to commit identity
In addition to the above, Hobbs et al. (2014) claim that one of the main trends of
recent years' internet development is that connection to the Internet may be a
very risky endeavour.
As well as the epidemic use and advancement of mobile communication technology,
the use of open sources propagates the fields of intelligence, politics and
business (Hobbs et al. 2014). Whilst traditional sources and information channels
(news outlets, databases, encyclopedias, etc.) have been forced to adapt to the new
virtual space to maintain their presence, many "new" media sources (especially from
social media) disseminate large amounts of user-generated content that has subsequently
reshaped the information landscape. Examples of the scale of user generated
information include the 500 million Tweets per day on Twitter and the 98
million daily blog posts on Tumblr (Hobbs et al. 2014) as well as millions of
individual personal Facebook pages. With the evolution of the information landscape,
it has been essential that law enforcement agencies now harvest relevant
content through investigations and regulated surveillance, to prevent and detect
terrorist activities (Koops et al. 2013).
As has been considered in earlier chapters the term Open Source Intelligence
(OSINT) emanates from national security services and law enforcement agencies
(Kapow Software 2013). OSINT for our purposes here is predominantly defined as,
"the scanning, finding, collecting, extracting, utilizing, validation, analysis, and
sharing intelligence with intelligence-seeking consumers of open sources and
publicly available data from unclassified, non-secret sources" (Fleisher 2008;
Koops et al. 2013). OSINT encompasses various public sources such as academic
publications (research papers, conference publications, etc.), media sources
(newspaper, radio channels, television, etc.), web content (websites, social media,
etc.), and public data (open government documents, public companies' announcements,
etc.) (Chauhan and Panda 2015a, b).
OSINT was traditionally described by searching publicly available published
sources (Burwell 2004) such as books, journals, magazines, pamphlets, reports and
the like. This is often referred to as literature intelligence or LITINT (Clark 2004).
However, the rapid growth of digital media sources throughout the web and public
communication airwaves have enlarged the scope of Open Source activities
(Boncella 2003). Since there are diverse public online sources from which we can
collect intelligence, this type of OSINT is described as WEBINT by many authors.
Indeed, the terms WEBINT and OSINT are often used interchangeably (Chauhan
and Panda 2015a, b). Social media such as social networks, media sharing communities
and collaborative projects are areas where the majority of user generated
content is produced. Social Media Intelligence or SOCMINT refers to the intelligence
that is collected from social media sites. Some of their information may be
openly accessible without any kind of authentication required prior to investigation
(Omand et al. 2014; pp. 36; Chauhan and Panda 2015a, b).
Many law enforcement and security agencies are turning towards OSINT for the
additional breadth and depth of information to reinforce and help validate contextual
knowledge (see for instance Chap. 13). Unlike typical IT systems, which
can adopt only a limited range of input, OSINT data sources are as varied as the
internet itself and will continue to evolve as technology standards expand (Kapow
Software 2013): "OSINT can provide a background, fill epistemic gaps and create
links between seemingly unrelated sources, resulting in an altogether more complete
intelligence picture" (Hobbs et al. 2014, p. 2).
OSINT increasingly depends on the assimilation of all-source collection and
analysis. Such intelligence is an essential part of national security, competitive
intelligence, benchmarking, and even data mining within the enterprise (Appel
2011, p. xvii). The process of OSINT is shown in Fig. 14.1. OSINT has been used
for a long time by the government, military and in the corporate world to keep an
eye on the competition and to have a competitive advantage (Chauhan and Panda
2015a, b). Also a great number of internet users "enjoy legal activities from
communications and commerce to games, dating, and blogging" (Appel 2011, p. 6),
and OSINT plays a critical role in this context.
Fig. 14.1 The OSINT
The current chapter aims to present an in-depth review of the role of OSINT in
cyber security context. Cybercrime and its related applications are explored such as
the concepts of the Deep and Dark Web, anonymity and cyber-attacks. Further, it
will review OSINT collection and analysis tools and techniques with a glance at
related works as main parts of its contribution. Finally, these related works are
articulated alongside the cyber threat domain and its open sources to establish a "big
picture" of this topic.
14.2 The Importance of OSINT with a View on Cyber Security
Increases in the quantity and type of challenges for contemporary, national security,
intelligence, law enforcement and security practitioners have sped up the use of
open sources in the internet to help draw out a more cohesive picture of people,
entities and activities (Appel 2011; also Chaps. 2, 3, 12 and 13). A recent PWC
American Survey (2015) entitled "Key findings from the 2015 US State of
Cybercrime Survey" from more than 500 executives of US businesses, law
enforcement services and government agencies articulates that cybercrime continues
to make headlines and cause headaches among business executives. 76 % of
cyber-security leaders said they are more concerned about cyber threats this year:
"Cybersecurity incidents are not only increasing in number, they are also becoming
progressively destructive and target a broadening array of information and attack
vectors" (PWC 2015).
In a report of the U.S. Office of Homeland Security, critical mission areas,
wherein the adoption of OSINT is vital, include general-intelligence, advanced
warnings, domestic counter-terrorism, protecting critical infrastructure (including
cyberspace), defending against catastrophic terrorism and emergency preparedness
and response (Chen et al. 2012). Therefore, intelligence, security and public safety
agencies are gathering large volumes of data from multiple sources, including the
criminal records of terrorism incidents and from cyber security threats (Chen et al.
Glassman and Kang (2012) discussed OSINT as the output of changing human
information relationships resulting from the emergence and growing dominance of
the World Wide Web in everyday life. Socially inappropriate behaviour has been
detected in Web sites, blogs and online-communities of all kinds from child
exploitation to fraud, extremism, radicalisation, harassment, identity theft, and
private-information leaks. "Identity theft and the distribution of illegally copied
films, TV shows, music, software, and hardware designs are good examples of how
the Internet has magnified the impact of crime" (Hobbs et al. 2014).
The globalization, speed of dissemination, anonymity, cross-border nature of the
internet, and the lack of appropriate legislation or international agreements have
made some of them very wide-spread, and very difficult to litigate (Kim et al.
2011). There exist different types of dark sides of the internet, but also applications
to shed light on the dark sides, comprising both technology-centric and
non-technology-centric ones. Technology-centric dark sides include spam, malware,
hacking, Denial of Service (DoS) attacks, phishing, click fraud and violation
of digital property rights. Non-technology-centric dark sides include online scams
and frauds, physical harm, cyber-bullying, spreading false or private information
and illegal online gambling. Non-technology responses include legislation, law
enforcement, litigation, international collaboration, civic actions, education and
awareness and caution by people (Kim et al. 2011).
Computer crime and digital evidence are growing by orders that are as yet
unmeasured except by occasional surveys (Hobbs et al. 2014). To an intelligence
analyst, the internet is pivotal owing to the capabilities of browsers, search engines,
web sites, databases, indexing, searching and analytical applications (Appel 2011).
However, there are key issues which can distract from the right direction of OSINT
projects such as harvesting data from big open records on the internet and the
integration of data to add the capability of OSINT project parameters (Kapow
Software 2013).
14.3 Cyber Threats: Terminology and Classification
Cyber-crime is any illegal activity arising from one or more internet components
such as Web sites, chat rooms or e-mail (Govil and Govil 2007) and commonly
defined as "criminal offenses committed using the internet or another computer
network as a component of the crime" (Agrawal et al. 2014). In 2007, the European
Commission (EC) identified three different types of cyber-crime: traditional forms
of crime using cyber relating to, for example, forgery, web shops and e-market
types of fraud, illegal content such as child pornography and "crimes unique to
electronic networks" (e.g., hacking and Denial of Service attacks). Burden and
Palmer (2003) distinguished "true" cybercrime (i.e., dishonest or malicious acts,
which would not exist outside of an online environment) from crimes which are
simply e-enabled. They presented "true" cyber-crimes as hacking, dissemination
of viruses, cyber-vandalism, domain name hijacking, Denial of Service Attacks
(DoS/DDoS), in contrast to "e-enabled" crimes such as misuse of credit cards,
information theft, defamation, black mailing, cyber-pornography, hate sites, money
laundering, copyright infringements, cyber-terrorism and encryption. Evidently,
crime has infiltrated the Web 2.0 along with all other types of human activities
(Hobbs et al. 2014).
In this chapter, the terms computer crime, internet crime, online crimes, hi-tech crimes,
information technology crime and cyber-crimes are being used interchangeably.
Cyber-attacks are increasingly being considered to be of the utmost severity for
national security. Such attacks disrupt legitimate network operations and include
deliberate detrimental effects towards network devices, overloading a network and
denying services to a network to legitimate users. An attacker may also exploit
loopholes, bugs, and misconfigurations in software services to disrupt normal network
activities (Hoque et al. 2014).
The attacker's goal is to perform reconnaissance by restraining the power of
freely available information extracted using different intelligence gathering ways
before executing a targeted attack (Enbody and Sood 2014). Meanwhile, secrecy
is a key part of any organized cyber-attack. Actions can be hidden behind a mask of
anonymity varying from the use of ubiquitous cyber-cafes to sophisticated efforts to
covert internet routing (Govil and Govil 2007). Cyber-criminals exploit opportu-
nities for anonymity and disguise over web-based communication to navigate
malicious activities such as phishing, spamming, blackmail, identity theft and drug
trafficking (Gottschalk et al. 2011; Iqbal et al. 2012). Network security tools
facilitate network attackers in addition to network defenders in recognizing network
vulnerabilities and collecting site statistics. Network attackers attempt to identify
security breaches based on common services open on a host gathering relevant
information for launching a successful attack.
Kshetri (2005) classified cyber-attacks into two types: targeted and opportunistic
attacks. In targeted attacks specific tools are applied against specific cyber targets,
which makes this type more dangerous than the other one. Opportunistic attacks
entail the disseminating of worms and viruses deploying indiscriminately across the
internet (Hoque et al. 2014). Figure 14.2 provides a taxonomy of cyber-crime types
(what) with their motives (why) and the tools to commit them (how).
To counter the ability of organized cyber-crime to operate remotely through
untraceable accounts and compromised computers and fighting against online crime
gangs it is therefore essential to supply tools to LEAs and actors in national security
for the detection, classification and defence from various types of attacks (Simmons
et al. 2014).
14.4 Cyber-Crime Investigations
14.4.1 Approaches, Methods and Techniques
Current information professionals draw from a variety of methods for organizing
open sources including but not limited to web-link analysis, metrics, scanning
methods, source mapping, text mining, ontology creation, blog analysis and pattern
recognition methods. Algorithms are developed using computational topology,
hyper-graphs, social network analysis (SNA), Knowledge Discovery and Data
Mining (KDD), agent based simulations, dynamic information systems analysis,
amongst others (Brantingham 2011).
Fig. 14.2 Cyber Crime types: Which-Why-How (Type, Motives, Committing Tools and techs)
Table 14.1 Tools for the collection, storage and classification of open source data
Tool purpose | Application/description of tool(s)
Data encoding | The term encoding refers to the process of putting a sequence of characters into a special format for transmission or storage purposes. In a web environment, relevant datasets are recovered from data services available either locally or globally on the internet. Depending on the service and the type of information, data can be presented in different formats. Modelling platforms are required to interact with a mixture of data formats including plain text, markup languages and binary files (Vitolo et al. 2015; n.d.). Examples: The Geoinformatics for Geochemistry System (database web services adopting plain text format), base 64 online Encoder, XML encoder
Data acquisition | The automatic collection of data from various sources (e.g., sensors and readers in a factory, laboratory, medical or scientific environment). Data acquisition has usually been conducted via data access points and web links such as http or ftp pages, but required periodical updates. Using a catalogue allows a screening of available data sources before their acquisition (Ames et al. 2012; Vitolo et al. 2015). Examples: Meta-data catalogues
Data provenance | This term is used to refer to the process of tracing and recording the origins of data and its movement between databases. Behind the concept of provenance is the dynamic nature of data. Instead of creating different copies of the same dataset, it is important to keep track of changes and store a record of the process that led to the current state. Data provenance can, in this way, guarantee reliability of data and reproducibility of results. Provenance is now an increasingly important issue in scientific databases, where it is central to the validation of data for inspecting and verifying quality, usability and reliability of data (particularly in Semantic Web Services) (Buneman et al. 2000; Szomszor and Moreau 2003; Tilmes et al. 2010; Vitolo et al. 2015). Examples: Distributed version Control Systems such as Git,
Data storage | This term refers to the practice of storing electronic data with a third party service accessed via the internet. It is an alternative to traditional local storage (e.g., disk or tape drives) and portable storage (e.g., optical media or flash drives). It can also be called "hosted storage", "internet storage" or "cloud storage". Relational databases (DB) are currently the best choice in storing and sharing data (Vitolo et al. 2015; n.d.). Examples: Postgre SQL, MySQL, Oracle, NoSQL
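The data provenance entry in Table 14.1 calls for keeping "a record of the process that led to the current state" of collected data. The sketch below is an added example, not part of the chapter: it shows one way to do that for harvested open-source items with a hash-chained log. The record fields, step names, URL and sample content are assumptions constructed for illustration.

```python
import hashlib
import json
from dataclasses import asdict, dataclass
from typing import Dict, List, Optional, Tuple

GENESIS = "0" * 64  # prev_hash used by the first record of a chain


@dataclass(frozen=True)
class ProvenanceRecord:
    seq: int             # position in the chain
    source: str          # origin of the item (URL, or "derived:<seq>")
    retrieved_at: str    # ISO 8601 timestamp supplied by the collector
    step: str            # process that produced this state of the data
    content_sha256: str  # hash of the item as stored after this step
    prev_hash: str       # digest of the preceding record

    def digest(self) -> str:
        # Canonical JSON so an unchanged record always hashes identically.
        blob = json.dumps(asdict(self), sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(blob.encode("utf-8")).hexdigest()


class ProvenanceLog:
    """Append-only log; head() should be stored apart from the log itself."""

    def __init__(self) -> None:
        self.records: List[ProvenanceRecord] = []

    def head(self) -> str:
        return self.records[-1].digest() if self.records else GENESIS

    def append(self, source: str, retrieved_at: str, step: str,
               content: bytes) -> ProvenanceRecord:
        rec = ProvenanceRecord(
            seq=len(self.records), source=source, retrieved_at=retrieved_at,
            step=step, content_sha256=hashlib.sha256(content).hexdigest(),
            prev_hash=self.head())
        self.records.append(rec)
        return rec


def verify(records: List[ProvenanceRecord], expected_head: str,
           contents: Optional[Dict[int, bytes]] = None) -> Tuple[bool, str]:
    """Re-walk the chain; optionally re-hash stored items given by seq."""
    prev = GENESIS
    for i, rec in enumerate(records):
        if rec.seq != i:
            return False, f"record {i}: unexpected sequence number {rec.seq}"
        if rec.prev_hash != prev:
            return False, f"record {i}: link to previous record is broken"
        if contents and i in contents:
            if hashlib.sha256(contents[i]).hexdigest() != rec.content_sha256:
                return False, f"record {i}: stored content does not match hash"
        prev = rec.digest()
    if prev != expected_head:
        return False, "head mismatch: last record altered or records removed"
    return True, "chain intact"


def build_sample() -> Tuple[ProvenanceLog, Dict[int, bytes]]:
    """Constructed sample: one fetched page and two derived states."""
    raw = b"<html><body>Forum post: contact user@example.org</body></html>"
    text = b"Forum post: contact user@example.org"
    entities = json.dumps({"emails": ["user@example.org"]}).encode("utf-8")
    log = ProvenanceLog()
    log.append("https://forum.example.org/thread/42", "2016-05-01T10:00:00Z",
               "http-fetch", raw)
    log.append("derived:0", "2016-05-01T10:00:05Z", "strip-html", text)
    log.append("derived:1", "2016-05-01T10:00:09Z", "extract-entities", entities)
    return log, {0: raw, 1: text, 2: entities}


if __name__ == "__main__":
    log, contents = build_sample()
    print(verify(log.records, log.head(), contents))
```

An edit to any earlier record surfaces as a broken link at its successor, and an edit to the last record or a truncated log surfaces as a head mismatch, which is why the head digest has to be kept somewhere the log's custodian cannot rewrite.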
OSINT analytic tools provide frameworks for data mining techniques to analyse
data, visualize patterns and offer analytical models to recognize and react to
identify patterns. These tools should combine/unify indispensable features and
contain integrated algorithms and methods supporting the typical data mining
techniques, entailing (but not limited to) classification, regression, association and
item-set mining, similarity and correlation as well as neural networks (Harvey
2012). Such analytics tools are software products which provide predictive and
prescriptive analytics applications, some running on big open sources computing
platforms, commonly parallel processing systems based on clusters of commodity
servers, scalable distributed storage and technologies such as Hadoop and NoSQL
databases. The tools are designed to empower users rapidly to analyse large
amounts of data (Loshin 2015). The most predominant tools and techniques for
OSINT collection and storage are summarised in Table 14.1.
Table 14.1 (continued)
Tool purpose | Application/description of tool(s)
Data curation | Data curation is aimed at data discovery and retrieval, data quality assurance, value addition, reuse and preservation over time. It involves selection and appraisal by creators and archivists; evolving provision of intellectual access; redundant storage; data transformations. Data curation is critical for scientific data digitization, sharing, integration, and use (Dou et al. 2012; n.d.). Examples: Data warehouses, Data marts, Data Management Plan tools (DMPTool)
Data visualization (and | This term refers to the presentation of data in a pictorial or graphical format (e.g., creating tables, images, diagrams and other intuitive ways to understand data). Interactive data visualization goes a step further: moving beyond the display of static graphics and spreadsheets to using computers and mobile devices to drill down into charts and graphs for more details, and interactively (and immediately) changing what data you see and how it is processed (Vitolo et al. 2015; n.d.). Examples: Poly Maps, NodeBox, FF Chartwell, SAS visual Analytics, Google Map
Distributed version control systems have been designed to ease the traceability of changes, in
documents, codes, plain text data sets and more recently geospatial contents.
DMP tools create ready-to-use data management plans for specific funding agencies to meet
funder requirements for data management plans, get step-by-step instructions and guidance for
your data and learn about resources and services available at your institution to help fulfill the data
management requirements of your grant.
14.4.2 Detection and Prevention of Cyber Threats
Techniques to make use of open sources involve a number of specific disciplines
including statistics, data mining, machine learning, neural networks, social network
analysis, signal processing, pattern recognition, optimization methods and visualization
approaches (Chen and Zhang 2014; also Chapters in Part 2 of this book).
Gottschalk et al. (2011) presented a four-stage growth model for Knowledge
Discovery to support investigations and the prevention of white-collar crime in
business organizations (Gottschalk 2010). The four stages are labelled:
1. Investigator-to-technology
2. Investigator-to-investigator
3. Investigator-to-information
4. Investigator-to-application
Through the proper exercise of knowledge, such processes can assist in problem
solving. This four-part system attempts to validate the conclusions by finding
evidence to support them. In law enforcement this is an important system feature as
evidence determines whether a person is charged or not for a crime (Gottschalk
et al. 2011) and the extent to which proceedings against them will succeed (see
Chaps. 17 and 18).
Lindelauf et al. (2011) investigated the structural position of covert criminal net-
works using the secrecy versus information trade-off characterization of covert
networks to identify criminal networks topologies. They applied this technique on
evidence for the investigation of Jemaah Islamiyah's Bali bombing as well as
heroin distribution networks in New York. Danowski (2011) developed a
methodology combining text analysis and social network analysis for locating
individuals in discussion forums, who have highly similar semantic networks based
on watch-list members' observed message content or based on other standards such
as radical content extracted from messages they disseminate on the internet. In the
domain of countering cyber terrorism and inciting violence Danowski used a
Pakistani discussion forum with diverse content to extract intelligence of illegal
behaviour. Iqbal et al. (2013) presented a unified data mining solution to address the
problem of authorship analysis in anonymous textual communications such as
spamming and spreading malware and to model the writing style of suspects in the
context of cyber-criminal behaviour.
Brantingham (2011) offered a comprehensive computational framework for
co-offending network mining, which combines formal data modelling with data
mining of large crime and terrorism data sets aimed towards identifying common
and useful patterns. Petersen et al. (2011) proposed a node removal algorithm in
the context of cyber-terrorism to remove key nodes of a terrorism network. Fallah
(2010) proposed a puzzle-based strategy of game theory using the solution concept
of the Nash Equilibrium to handle sophisticated DoS attack scenarios. Chonka et al.
(2011) offered a solution through Cloud TraceBack (CTB) to find the source of DoS
attacks and introduced the use of a back propagation neural network, called Cloud
Protector, which was trained to detect and filter against such attack traffic.
Mukhopadhyay et al. (2013) suggested a Copula-aided Bayesian Belief Network
(CBBN) to assess and to quantify cyber-risk and cyber vulnerability assessment
White-collar crime is financial crime committed by upper class members of society for personal or
organizational gain. White-collar criminals are individuals who tend to be wealthy, highly educated,
and socially connected, and they are typically employed by and in legitimate organizations.
Table 14.2 Categorization of methods using open source data for cyber-criminal investigations
Method | Domain (Which) | Author (Who) | Methodology description (How)
Data mining | Criminal networks | Iqbal et al. | Proposing a framework that consists of three miner, 2. topic miner and 3. information visualizer. It is a unified framework of data mining and natural language processing techniques to collect data from chat logs for intuitive and interpretable evidence that facilitates the investigative process for crime investigation. Available from: Online Messages (Chat Logs) extracted from Social
 | Activity boom in cyber cafes, and anomaly | Ansari et al. | Describing a typical fuzzy intrusion detection scenario for information mining application in real time that investigates vulnerabilities of computer networks. Available from: Data available via ISPs
 | Malware activities detection using fast-flux services networks (FFSN) | Wu et al. | Investigating detection solutions of Fast-flux domains by using Data Mining techniques (Linear Regression) to detect the FFSN and analysing the feature. Available from: Data in two classes: white and black lists. The white list includes more than 60 thousands benign domain names; the black list has about 100 FFSNs domain names detected by
 | Cyber terrorism resilience | Koester and | Providing a supporting framework via FCA (Factor Concept Analysis) to find and fill information gaps in Web Information Retrieval and Web Intelligence for cyberterrorism resilience. Available from: Small terrorist data sets based on 2002, 2005, London,
Text Mining | Counter Cyber Terrorism | Srihari (2009) | Using Unapparent Information Revelation (UIR) method to propose a new framework for different interpretation. A generalization of this task involves query terms representing general concepts (e.g. indictment, foreign policy)
 | Intrusion Detection | Adeva and Atxa (2007) | Proposing detection attempts of either gaining unauthorised access or misusing a web application and introducing an intrusion detection software component based on text-mining techniques using "Arnas" system
Social Network | Cyber terrorism (detecting terrorist networks) | Chen et al. | Providing a novel graph-based algorithm that generates networks to identify hidden links between nodes in a network with current information available to
 | Terrorist network fighting | Kock Wiil et al. (2011) | Offering a novel method to analyse the importance of links and to identify key entities in the terrorist (covert) networks using Crime Fighter Assistant. Available from: Open sources: 9/11 attacks (2001), Bali night club bombing (2002), Madrid bombings (2004), and 7/7 London bombings (2005)
 | Network attacks (intrusion | He and | Using an Automatic Semantic Network with two layers: first mode and second mode networks. The first mode network identifies relevant attacks based on similarity measures; the second mode network is modified based on the first mode and adjusts it by adding domain expertise. Available from: Selected data from the KDD CUP 99 data set made available at the Third International Knowledge Discovery and Data Mining Tools
Optimization methods (based on game | Preventing DDoS attacks | Spyridopoulos et al. (2013) | Making a two-player, one-shot, non-cooperative, zero-sum game in which the attacker's purpose is to find the optimal configuration parameters for the attack in order to cause maximum service disruption with the minimum cost. This model attempts to explore the interaction between an attacker and a defender during a DDoS attack scenario. Available from: A series of experiments based on the Network Simulator (ns-2) using the dumbbell network topology
 | Trust management and DoS attacks | Li et al. (2009) | Proposing a defence technique using two trust management systems (Key Note and Trust Builder) and credential caching. In their two player zero-sum game model, the attacker tries to deprive as much resources as possible, while the defender tries to identify the attacker as quickly as possible. Available from: KeyNote (open-source library for the KeyNote trust management system) as an example to demonstrate that a DoS attack can easily paralyze a trust management server
 | Cyber terrorism | Matusitz | A model combining game theory and social network theory to model how cyber-terrorism works to analyse the battle between computer security experts and cyberterrorists; all players wish the outcome to be as positive or rewarding as possible
Related works for | Cyber-crime investigation | Katos and Bendar (2008) | Presenting an information system to capture the information provided by the different members during a cyber-crime investigation adopting elements of the Strategic Systems Thinking Framework (SST). SST consists of three main aspects: 1. intra-analysis, 2. inter analysis and 3. value-analysis
 | Computer hacking | Kshetri (2005) | Proposing a conceptual framework based on factors and motivations, which encourage and energize the cyber offenders' behaviour: 1. Characteristics of the source nation 2. Motivation of attack 3. Profile of target organization (types of attack)
 | Preventing white collar | | Developing an organizing framework for knowledge management systems in policing financial crime containing four stages to investigation and prevention financial crimes: 1. Officer to technology systems 2. Officer to officer systems 3. Officer to information systems 4. Officer to application systems
 | Detecting cyber-crime in financial sector | Lagazio et al. | Proposing a multi-level approach that aims at mapping the interaction of both interdependent and differentiated factors with focusing on system dynamics theory in the financial sector. The factors together can facilitate or prevent cyber-crime, while increasing and/or decreasing its economic and social costs.
 | Capturing and analysing military intelligence to prevent crises | Song (2011) | Proposing a military intelligence early warning mechanism based on open sources with four modules (1. collection module, 2. early-warning intelligence processing, 3. early warning intelligence analysis, 4. preventive actions) to help the collection, tracking, monitoring and analysis of crisis signals used by operation commanders and intelligence personnel to support preventive
Creates a fully qualified domain name to have hundreds (or thousands) IP addresses assigned to it
A knowledge management tool for terrorist network analysis
This training dataset was originally prepared and managed by MIT Lincoln Labs
In summary, the field of computational criminology includes a wide range of
computational techniques to identify:
1. Patterns and emerging trends
2. Crime generators and crime attractors
3. Terrorist, organized crime and gang social and spatial networks
4. Co-offending networks
Current models and methods are summarized in Table 14.2 by cyber-crime type
(which), author (who), methodology (how) and the open sources used for
testing.
While many approaches seem to be helpful for cyber-crime investigation,
existing literature suggests that social network analysis (SNA), data mining, text
analysis, correlational studies and optimization methods specifically with focus on
big data analysis of open sources are the most practical techniques to aid
practitioners and security and forensic agencies. Currently available techniques can
be categorized in a schematic diagram such as Fig. 14.3.
Fig. 14.3 Categorization of cyber-crime investigation methods and models (diagram labels: Techniques / Methods, Data Mining, Text Mining, Information Extraction, Method, Game Theory, Web Mining, Link Analysis, Machine Learning, Social Network, Node Removal, Network Extraction, Semantic Networks, Statistical Method, Regression Models, Conceptual Knowledge-based Frameworks, Cloud Computing)
14.5 Conclusions
The impact of cyber-crime has necessitated intelligence and law enforcement
agencies across the world to tackle cyber threats. All sectors are now facing similar
dilemmas of how to best mitigate against cyber-crime and how to promote security
effectively to people and organizations (Jahankhani et al. 2014; Staniforth 2014).
Extracting unique and high value intelligence by harvesting public records to create
a comprehensive profile of certain targets is emerging rapidly as an important
means for the intelligence community (Bradbury 2011; Steele 2006). As the amount
of available open sources rapidly increases, countering cyber-crime increasingly
depends upon advanced software tools and techniques to collect and process the
information in an effective and efficient manner (Kock Wiil et al. 2011).
This chapter reviewed current efforts of employing open source data for
cyber-criminal investigations. Figure 14.4 provides a summary of the findings in
the form of an integrative Cybercrime Investigation Framework.
Fig. 14.4 Cybercrime investigation framework (diagram labels include: Open source (Records) Collection and Storage Tools and Techniques; Profile of Targeted System/Organization; Cyber crime Motivation / Goal; Increasing Open Source types; Cyber Crime Committing and Combating (Detection and Prevention); Tools and techniques to commit cyber crime; The Growth of Social Media and Revolution of Big Data)
References
Adeva JJG, Atxa JMP (2007) Intrusion detection in web applications using text mining. Eng Appl
Artif Intell 20:555–566
Agarwal VK, Garg SK, Kapil M, Sinha D (2014) Cyber crime investigations in India: rendering
knowledge from the past to address the future. ICT and critical infrastructure: proceedings of
the 48th annual convention of CSI, vol 2, Springer International Publishing Switzerland,
pp. 593–600. doi:10.1007/978-3-319-03095-1_64
Ames DP, Horsburgh JS, Cao Y, Kadlec J, Whiteaker T, Valentine D (2012) Hydro desktop: web
services-based software for hydrologic data discovery, download, visualization, and analysis.
Environ Model Software 37:146–156
Ansari AQ, Patki T, Patki AB, Kumar V (2007) Integrating fuzzy logic and data mining: impact on
cyber security. Fourth international conference on fuzzy systems and knowledge discovery
(FSKD 2007). IEEE Computer Society
Appel EJ (2011) Behavior and technology, Internet Searches for Vetting, Investigations, and
Open-Source Intelligence. Taylor and Francis Group, pp. 3–17. ISBN 978-1-4398-2751-2
Boncella RJ (2003) Competitive intelligence and the web. Commun AIS 12:327–340
Bradbury D (2011) In plain view: open source intelligence. Comput Fraud Secur 5–9
Brantingham PL (2011) Computational Criminology. 2011 European intelligence and security
informatic conference. IEEE Computer Society. doi:10.1109/EISIC.2011.79
Burden K, Palmer C (2003) Internet crime: cyber crime - A new breed of criminal? Comput Law
Secur Rep 19(3):222–227
Buneman P, Khanna S, Chiew Tan W (2000) Data provenance: some basic issues. University of
pennsylvania scholarly commons. Retrieved from
Burwell HP (2004) Online competitive intelligence: increase your profits using cyber-intelligence.
Facts on Demand Press, Tempe, AZ
Chauhan S, Panda K (2015) Open source intelligence and advanced social media search. Hacking
web intelligence open source intelligence and web reconnaissance concepts and techniques.
Elsevier, pp. 15–32. ISBN: 978-0-12-801867-5
Chauhan S, Panda K (2015) Understanding browsers and beyond. Hacking web intelligence open
source intelligence and web reconnaissance concepts and techniques. Elsevier, pp. 33–52.
ISBN: 978-0-12-801867-5
Chen A, Gao Sh, Karampelas P, Alhajj R, Rokne J (2011) Finding hidden links in terrorist
networks by checking indirect links of different sub-networks. In: Kock Wiil U
(ed) Counterterrorism and open source intelligence. Springer Vienna, pp. 143–158. doi:10.
Chen H, Chiang RHL, Storey VC (2012) Business intelligence and analytics: from big data to big
impact. Bus Intell Res 36(4):1–24
Chen LP, Zhang CY (2014) Data-intensive applications, challenges, techniques and technologies:
A survey on Big Data. Inform Sci 314–347
Chertoff M, Simon T (2015) The impact of the dark web on internet governance and cyber
security. Global Commission on Internet Governance. No. 6
Chonka A, Xiang Y, Zhou W, Bonti A (2011) Cloud security defence to protect cloud computing
against HTTP-DoS and XML-DoS attacks. J Netw Comput Appl 34:1097–1107
Clark RM (2004) Intelligence analysis: a target-centric approach. CQ Press, Washington, DC
Danowski JA (2011) Counterterrorism mining for individuals semantically-similar to watchlist
members. In: Kock Wiil U (ed) Counterterrorism and open source intelligence. Springer Berlin
Heidelberg, pp. 223–247. doi:10.1007/978-3-7091-0388-3_12
Dou L, Cao G, Morris PJ, Morris RA, Ludäscher B, Macklin JA, Hanken J (2012) Kurator: a
Kepler package for data curation workflows. International Conference on Computational
Science, ICCS 2012, Procedia Computer Science, vol 9, pp. 1614–1619. doi:10.1016/j.procs.
Enbody R, Soodo A (2014) Intelligence gathering. Elsevier Inc, Targeted cyber attacks. ISBN
Fallah M (2010). A puzzle-based defence strategy against flooding attacks using game theory.
IEEE Trans Dependable Secure Comput 7:5–19
FlashPoint (2015) Illuminating The Deep & Dark Web: the next Frontier in Comprehensive IT
Security. FlashPoint
Fleisher C (2008) OSINT: its implications for business/competitive intelligence analysis and
analysts. Inteligencia Y Seguridad 4:115–141
Ghel R (2014) Power/freedom on the dark web: A digital ethnography of the Dark Web Social
Network. New media and society
Google 2014 Learn about Sitemaps. ps://
Gottschalk P (2010) White-collar crime: detection, prevention and strategy in business enterprises.
Universal-Publishers, Boca Raton, Florida, USA. ISBN-10: 1599428393, ISBN-13:
Gottschalk P, Filstad C, Glomseth R, Solli-Sæther H (2011) Information management for
investigation and prevention of white-collar crime. Int J Inf Manage 31:226–233
Govil J, Govil J (2007) Ramifications of cyber crime and suggestive preventive measures.
Electro/information technology. Chicago, pp 610–615. IEEE. doi:10.1109/EIT.2007.4374526
Gregory M, Glance D (2013) Cyber-crime, cyber security and cyber warfare. Security and
networked society. Springer, pp 51–95. ISBN: 978-3-319-02389-2
Harvey C (2012) 50 top open source tools for big data. Retrieved 01 July 2015, from http://www.,3).html
He P, Karabatis G (2012) Using semantic networks to counter cyber threats. IEEE. doi:10.1109/
Hobbs Ch, Morgan M, Salisbury D (2014) Open source intelligence in the twenty-first century.
Palgrave, pp. 1–6. ISBN 978-0-230-00216-6
Hoque N, Bhuyan H, Baishya RC, Bhattacharyya DK, Kalita JKV (2014) Network attacks:
taxonomy, tools and systems. J Netw Comput Appl 40:307–324. doi:10.1016/j.jnca.2013.08.
Iqbal F, Fung BCM, Debbabi M (2012) Mining criminal networks from chat log.
2012 IEEE/WIC/ACM international conferences on web intelligence and intelligent agent
technology. Macau, pp. 332–337. IEEE. doi:10.1109/WI-IAT.2012.68
Iqbal F, Binsalleeh H, Fung BCM, Debbabi M (2013) A unified data mining solution for
authorship analysis in anonymous textual communications. Inf Sci 231:98–112
Jahankhani H, Al-Nemrat A, Hosseinian-Far A (2014) Cybercrime classification and
characteristics. In: Akhgar B, Staniforth A, Bosco F (eds.) Cyber crime and cyber terrorism investigators
handbook. Elsevier Inc., pp. 149–164. doi:10.1016/B978-0-12-800743-3.00012-8
Kang MJ (2012) Intelligence in the internet age: the emergence and evolution of Open Source
Intelligence (OSINT). Comput Hum Behav 28:673–682. doi:10.1016/j.chb.2011.11.014
Kim W, Jeong OR, Kim Ch, So J (2011) The dark side of the Internet: attacks, costs and responses.
Inform Syst 36:675–705
Kapow Software (2013)
Retrieved from
Katos V, Bednar PM (2008) A cyber-crime investigation framework. Comput Stand Interfaces
30:223–228. doi:10.1016/j.csi.2007.10.003
Koops BJ, Hoepman JH, Leenes R (2013) Open-source intelligence and privacy by design.
Computer Law and Security Review. 2(9):676–688
Kshetri N (2005) Pattern of global cyber war and crime: a conceptual framework. J Int Manage
Koester B, Schmidt SB (2009) Information superiority via formal concept analysis. In:
Argamon S, Howard N (eds) Computational methods for counterterrorism. Springer,
pp. 143–171. doi:10.1007/978-3-642-01141-2_9
Kock Wiil U, Gniadek J, Memon N (2011) Retraction note to: a novel method to analyze the
importance of links in terrorist networks. In: Wiil UK (ed) Counterterrorism and open source
intelligence. Springer Vienna, p. E1. doi:10.1007/978-3-7091-0388-3_22
Lagazio M, Sherif N, Cushman M (2015) A multi-level approach to understanding the impact of
cyber crime on the financial sector. Comput Secur 45:58–74
Li J, Li N, Wang X, Yu T (2009) Denial of service attacks and defenses in decentralized trust
management. Int J Inf Secur 8:89–101. Springer
Lindelauf R, Borm P, Hamers H (2011) Understanding terrorist network topologies and their
resilience against disruption. In: Kock Wiil U (ed.) Counterterrorism and open source
intelligence. Springer, Vienna, pp 61–72. doi:10.1007/978-3-7091-0388-3_5
Loshin D (2015) How big data analytics tools can help your organization. Retrieved from http://
Matusitz J (2009) A postmodern theory of cyberterrorism: game theory. Inform Secur J: Glob
Perspect 18:273–281. Taylor and Francis. doi:10.1080/19393550903200474
Mukhopadhyay A, Chatterjee S, Saha D, Mahanti A, Sadhukhan SK (2013) Cyber-risk decision
models: To insure IT or not? Decis Support Syst 56:11–26. Retrieved from
Nykodym N, Taylor R, Vilela J (2005) Criminal profiling and insider cyber crime. Digital Invest
2:261–267. Elsevier
Omand D, Miller C, Bartlett J (2014) Towards the discipline of social media intelligence (2014).
In: Hobbs, Morgan, Salisbury (eds.) Open source intelligence in the twenty-first century.
Palgrave, 24–44. ISBN 978-0-230-00216-6
Petersen RR, Rhodes CJ, Kock Wiil U (2011) Node removal in criminal networks. 2011 European
intelligence and security informatics conference. IEEE Computer Society, pp. 360–365.
PWC cyber security (2015)
assets/2015-us-cybercrime-survey.pdf. Retrieved from
Simmons C, Ellis C, Shiva S, Dasgupta D, Wu Q (2014) AVOIDIT: a cyber attack taxonomy.
Annual symposium on information assurance. Office of Naval Research (ONR).
Song J (2011) The analysis of military intelligence early warning based on open source
intelligence. Int Conf Intell Secur Inform (ISI). p. 226. IEEE
Spyridopoulos T, Karanikas G, Tryfonas T, Oikonomou G (2013) A game theoretic defence
framework against DoS/DDoS cyber attacks. Comput Secur 38:39–50
Staniforth A (2014) Police investigation processes: practical tools and techniques for tackling
cyber crime. In: Akhgar B (ed.) Cyber crime and cyber terrorism investigators handbook.
Elsevier, pp. 31–42
Srihari RK (2009) Unapparent information revelation: text mining for counterterrorism. In:
Argamon S, Howard N (eds) Computational methods for counterterrorism. Springer, Berlin
Heidelberg, pp 67–87
Steele RD (2006) Open source intelligence. In Johnson LK (ed.) Strategic intelligence:
understanding the hidden side of government (intelligence and the quest for security).
Praeger, pp. 95–116
Sui D, Cavarlee J, Rudesill D (2015) The deep web and the darknet: a look inside the internet's
massive black box. Wilson Center, Washington
Szomszor M, Moreau L (2003) Recording and reasoning over data provenance in web and grid
services. On the move to meaningful internet systems, pp. 603–620.
Tilmes C, Yesha Ye, Halem M (2010) Distinguishing provenance equivalence of earth science
data. Int Conf Comput Sci (ICCS). p. 19
Vitolo C, Elkhatib Y, Reusser D, Macleod CJA, Buytaert W (2015) Web technologies for
environmental Big Data. Environ Model Softw 63:185–198
Wall DS (2005) The internet as a conduit for criminal activity. In: Pattavina A (ed) Information
technology and the criminal justice system. Sage Publications, USA. ISBN 0-7619-3019-1
Wall DS (2007) Hunting shooting, and phishing: new cybercrime challenges for cybercanadians in
the 21st century. The ECCLES centre for american studies
Wall DS (2008) Hunting shooting, and phishing: new cybercrime challenges for cyber canadians
in the 21st Century. The Eccles Centre for American Studies. The
British Library Publication
Wang SJ (2007) Measures of retaining digital evidence to prosecute computer-based cyber-crimes.
Comput Stand Interfaces 29:216–223. Elsevier
Wu J, Zhang L, Qu S (2010) A comparative study for fast-flux service networks detection. Netw
Comput Adv Inf Manage (NCM). pp 346–350. IEEE
Yuan T, Chen P (2012) Data mining applications in E-Government information security, 2012
international workshop on information and electronics engineering (IWIEE). Proc Eng 29:235
... Open Source Intelligence. There are few works [68,75,93,129,152] that survey different techniques in open source intelligence (OSINT) from the perspective of cyber security. Glassman et al. discussed how the world wide web provides access to immense information that can be potentially used for decision making and problem solving [68]. ...
... Glassman et al. discussed how the world wide web provides access to immense information that can be potentially used for decision making and problem solving [68]. Tabatabaei et al. listed several tools that can be used for the collection, storage, and classification of open-source data [152] in the context of security. Some other papers discussed OSINT for a specific purpose such as reliable web searching [129] or password cracking [93]. ...
... Organization information includes the organization's background, resources, employee contacts and work details, physical access and security policies, etc. [152]. Whether adversaries target a particular organization depends primarily on the organization's resources and if those resources are valuable, vulnerable, and accessible at the same time. ...
Adversaries are often able to penetrate networks and compromise systems by exploiting vulnerabilities in people and systems. The key to the success of these attacks is information that adversaries collect throughout the phases of the cyber kill chain. We summarize and analyze the methods, tactics, and tools that adversaries use to conduct reconnaissance activities throughout the attack process. First, we discuss what types of information adversaries seek, and how and when they can obtain this information. Then, we provide a taxonomy and detailed overview of adversarial reconnaissance techniques. The taxonomy introduces a categorization of reconnaissance techniques based on the source as third-party, human-, and system-based information gathering. This paper provides a comprehensive view of adversarial reconnaissance that can help in understanding and modeling this complex but vital aspect of cyber attacks as well as insights that can improve defensive strategies, such as cyber deception.
... Curation is an essential element for finding the most valuable information by efficiently using a limited "time resource" in the Big Data era. Data curation is provided for the goals of data search, data quality assurance, value addition, reuse, and preservation over time, which includes the creators/recorders and the selection and evaluation of record repositories [16]. In the past, the curation process was carried out using simple information collection. ...
... If anyone accesses and modifies data in an open space, the reliability of data may degrade. In addition, users may accept and spread incorrect information because of the tempered data, laying a cornerstone for cybercrimes like fake news [16]. Therefore, a guarantee of data integrity is an essential requirement in the OSINT process. ...
... Therefore, a guarantee of data integrity is an essential requirement in the OSINT process. (iii) Guarantee of data reliability: data reliability was an essential element when users used the collected data [16]. To guarantee data reliability, it was required to validate the data integrity and data sources. ...
Recently, users have used open-source intelligence (OSINT) to gather and obtain information regarding the data of interest. The advantage of using data gathered by OSINT is that security threats arising in cyberspace can be addressed. However, if a user uses data collected by OSINT for malicious purposes, information regarding the target of an attack can be gathered, which may lead to various cybercrimes, such as hacking, malware, and a denial-of-service attack. Therefore, from a cybersecurity point of view, it is important to positively use the data gathered by OSINT in a positive manner. If exploited in a negative manner, it is important to prepare countermeasures that can minimize the damage caused by cybercrimes. In this paper, the current status and security trends of OSINT will be explained. Specifically, we present security threats and cybercrimes that may occur if data gathered by OSINT are exploited by malicious users. Furthermore, to solve this problem, we propose security requirements that can be applied to the OSINT environment. The proposed security requirements are necessary for securely gathering and storing data in the OSINT environment and for securely accessing and using the data collected by OSINT. The goal of the proposed security requirements is to minimize the damage when cybercrimes occur in the OSINT environment.
... Organization Background and Details. Organization information includes the organization's background, resources, its employees' contacts, technical, and work details, physical access and security policies, etc. [138]. Whether adversaries target a particular organization depends primarily on the organization's resources and if those resources are valuable, vulnerable, and accessible at the same time. ...
... Publicly available resources are one of the primary data sources for adversaries. Open Source Intelligence (OSINT) is the combined collection of publicly available data obtained from open data sources such as media (e.g., newspapers, magazines articles), Internet presence (e.g., organization website, blogs, forums, social media), commercial or business data, and published reports (e.g., technical reports, articles, business documents) [72,120,138]. OSINT may rely on both online and offline information. Online information includes organization websites, blogs, social media (e.g., Facebook, Twitter), forums, and online magazines. ...
... Adequate information can lead to effective social engineering attacks, such as gaining physical access using reverse social engineering [48]. • Logistics Details: Adversaries can look for logistics information such as financial and business processes or intelligence, employee and management hierarchy, resource arrangement, and other activities [138]. Supply chain management is also important since it may leak important data regarding the organization [42]. ...
Adversaries are often able to penetrate networks and compromise systems by exploiting vulnerabilities in people and systems. The key to the success of these attacks is information that adversaries collect throughout the phases of the cyber kill chain. We summarize and analyze the methods, tactics, and tools that adversaries use to conduct reconnaissance activities throughout the attack process. First, we discuss what types of information adversaries seek, and how and when they can obtain this information. Then, we provide a taxonomy and detailed overview of adversarial reconnaissance techniques. The taxonomy introduces a categorization of reconnaissance techniques based on the technical approach, including target footprinting, social engineering, network scanning, and local discovery. This paper provides a comprehensive view of adversarial reconnaissance that can help in understanding and modeling this complex but vital aspect of cyber attacks as well as insights that can improve defensive strategies, such as cyber deception.
... Mining public records to develop a full profile of specific targets to derive unique and high-value intelligence is quickly becoming a valuable tool for intelligence agencies. [57]. Layton et al., (2013) [58] studied the investigation of the use of authorship analysis to determine when malicious profiles were created by the same person. ...
... Tabatabaei & Wells [57] 2016 ...
Purpose: Research serves as a springboard for new ideas, and every scholarly research begins with a review of the literature. This literature review is to familiarize oneself with the domain of research and to establish the credibility of the work. It also aids in the integration and summarization of the subject. Methodology: The necessary literature on the chosen topic has been gathered from multiple secondary data sources such as journals, conference proceedings, books, research papers published in various reputable publications, and then the literature relevant for the work was shortlisted. The shortlisted literature was carefully evaluated by reading each paper and taking notes as needed. The information gathered is then analyzed in order to identify the problem areas that may exist in the chosen topic. Findings/Result: It has been observed that the chosen topic, Opensource Intelligence (OSINT) practice requires more robust and intelligent solutions from AI and its subfields. The capability of OSINT for intelligent analysis strengthens tightly integrating machine learning and automated reasoning techniques. To avoid human errors, the dependency on humans in decision-making ought to reduce. To eradicate any incorrect information, a truth discovery process is mandatory. OSINT is able to discover new knowledge by correlating intelligence from other OSINT sources. Even though Artificial Intelligence has entered the OSINT field, there is still a long way to go before OSINT fully prepares for the much-anticipated Web 3.0. Originality: A literature review has been carried out using secondary data gathered from various online sources, and new knowledge in the form of findings was derived in order to construct a theoretical framework and methodology for future research. It has been ensured that no judgments or decisions are made with a biased mindset or under the influence of any predetermined mentality.
A concerted effort has been made to identify a research topic for further investigation. Paper Type: Literature Review.
... Therefore, this section provides a brief overview of the works related to OSINT tools and other investigations in the field. Tabatabaei et al. [5] conducted a detailed survey about the OSINT tools in the context of cybersecurity. The survey focused on the tools and methods that are used for cybercrime investigation. ...
Open-source intelligence (OSINT) tools are used for gathering information using different publicly available sources. With the rapid advancement in information technology and excessive use of social media in our daily lives, more public information sources are available than ever before. The access to public information from different sources can be used for unlawful purposes. Extracting relevant information from pools of massive public information sources is a large task. Multiple tools and techniques have been developed for this task, which can be used to identify people, aircraft, ships, satellites, and more. In this paper, we identify the tools used for extracting the OSINT information and their effectiveness concerning each other in different test cases. We mapped the identified tools with Cyber Kill Chain and used them in realistic cybersecurity scenarios to check their effusiveness in gathering OSINT.
... The tools and techniques used to collect and analyze public forum conversations have potentially novel applications to open-source intelligence (OSINT) practitioners. Social network analysis is already recognized as one of the many available OSINT tools [4], [5], while dynamic network analysis techniques combine network analytics and semantical analytics, affording an understanding of both network structure and content. The use of such tools has been proven through repeated studies within just the last few years; these methods have been applied to terrorism and online extremism [6], hate speech and COVID-19 [7], fake news, misinformation, and disinformation [8] and recent elections [9]. ...
Organizational risk and resilience as well as insider threat have been studied through the lenses of socio-psychological studies and information and computer sciences. As with all disciplines, it is an area in which practitioners, enthusiasts, and experts discuss the theory, issues, and solutions of the field in various online public forums. Such conversations, despite their public nature, can be difficult to understand and to study, even by those deeply involved in the communities themselves. Who are the key actors? How can we understand and characterize the culture around such communities, the problems they face, and the solutions favored by the experts in the field? Which narratives are being created and propagated, and by whom-and are these actors truly people, or are they autonomous agents, or "bots"? In this paper, we demonstrate the value in applying dynamic network analysis and social network analysis to gain situational awareness of the public conversation around insider threat, nation-state espionage, and industrial espionage. Characterizing public discourse around a topic can reveal individuals and organizations attempting to push or shape narratives in ways that might not be obvious to casual observation. Such techniques have been used to great effect in the study of elections, the COVID-19 pandemic, and the study of misinformation and disinformation, and we hope to show that their use in this area is a powerful way to build a foundation of understanding around the conversations in the online public forum, provide data and analysis for use in further research, and equip counter insider threat practitioners with new insights.
This book presents refereed proceedings of the Third International Conference on Advances in Cyber Security, ACeS 2021, held in Penang, Malaysia, in August 2021. The 36 full papers were carefully reviewed and selected from 92 submissions. The papers are organized in the following topical sections: Internet of Things, Industry 4.0 and Blockchain, and Cryptology; Digital Forensics and Surveillance, Botnet and Malware, DDoS, and Intrusion Detection/Prevention; Ambient Cloud and Edge Computing, SDN, Wireless and Cellular Communication; Governance, Social Media, Mobile and Web, Data Privacy, Data Policy and Fake News.
The Internet has had a profound impact on our daily lives since its inception. It has become a determining element in how we interact and do business, particularly in terms of our ability to access information, jobs, our ability to stay connected, our company’s chances of survival, our ability to thrive in the workplace, and education, etc. There are several everyday problems for which the Internet provides resources, such as software and hardware solutions that we may rely on in times of crisis. The abundance of software and computational services offered by the Internet has introduced new challenges for what was previously unknown, i.e., within the plethora of resources available, users cannot work out which tool to use to solve the problem. The collection and review of freely accessible material, often from online sources that are freely accessible to the general public, is referred to as open-source intelligence (OSINT). With the plethora of OSINT tools available, it has become difficult for users to choose the best tool for the given problem. This article presents a framework for identifying OSINT tools that are most appropriate for solving given problems. The proposed framework is user-friendly and provides tools based on MIME types or advanced search features. The framework has been evaluated by subject experts and has shown to be an invaluable resource for end-user tool recommendations.
Nowadays, time, scope and cost constraints along with knowledge requirements and personnel training constitute blocking restrictions for effective Offensive Cyberspace Operations (OCO). This paper presents RedHerd, an open-source, collaborative and serverless orchestration framework that overcomes these limitations. RedHerd leverages the ‘as a Service’ paradigm in order to seamlessly deploy a ready-to-use infrastructure that can be also adopted for effective simulation and training purposes, by reliably reproducing a real-world cyberspace battlefield in which red and blue teams can challenge each other. We discuss both the design and implementation of the proposed solution, by focusing on its main functionality, as well as by highlighting how it perfectly fits the Open Systems Architecture design pattern, thanks to the adoption of both open standards and wide-spread open-source software components. The paper also presents a complete OCO simulation based on the usage of RedHerd to perform a fictitious attack and fully compromise an imaginary enterprise following the Cyber Kill Chain (CKC) phases.
Business intelligence and analytics (BI&A) has emerged as an important area of study for both practitioners and researchers, reflecting the magnitude and impact of data-related problems to be solved in contemporary business organizations. This introduction to the MIS Quarterly Special Issue on Business Intelligence Research first provides a framework that identifies the evolution, applications, and emerging research areas of BI&A. BI&A 1.0, BI&A 2.0, and BI&A 3.0 are defined and described in terms of their key characteristics and capabilities. Current research in BI&A is analyzed and challenges and opportunities associated with BI&A research and education are identified. We also report a bibliometric study of critical BI&A publications, researchers, and research topics based on more than a decade of related academic and industry publications. Finally, the six articles that comprise this special issue are introduced and characterized in terms of the proposed BI&A research framework.
Over the last two decades, businesses, consumers, and governments around the globe have moved into cyberspace and cloud environment in order to conduct their businesses. Many people spend a significant part of their daily life in cyberspace, creating and enjoying new types of social relationships which were not possible or financially affordable 20 years ago. However, criminals have identified rewards from online frauds; therefore, the risks and threats have increased too. Securing the cyber space will be an enabler and will result in better use of the digital environment. Therefore, securing it requires a joint effort by all stakeholders which includes the law enforcement agencies, governments, the technology industries, and the individuals in the society.
Researching an individual's, firm's or brand's online presence has become standard practice for many employers, investigators, and intelligence officers, including law enforcement. Countless companies and organizations are implementing their own policies, procedures, and practices for Internet investigations, cybervetting, and intelligence.
The digital world has become a battleground for the forces of good and evil. There is an ever increasing awareness that the digital world provides an unlimited opportunity to further one’s goals.
We are living through a revolution in how we communicate. Every month, 1.2 billion of us now use Internet sites, apps, blogs and fora to post, share and view content. Loosely grouped as new, 'social' media, these platforms provide the means by which the Internet is increasingly being used: to participate, to create and to share information about ourselves and our friends, our likes and dislikes, movements, thoughts and transactions. The largest, Facebook, has over a billion regular users, but the linguistic, cultural and functional reach of social media is much broader, from social bookmarking to niche networks, video aggregation and social curation. LinkedIn, a specialist business network, has 200 million users, the Russian-language VK network 190 million users and the Chinese QQ network 700 million users.
Cyber crime and ensuing victimization is not an individual incidence. It is conjointly hampered or inspired by the group of people within which it is located. Are group of people characteristics relevant for victimization online? This paper examines the cyber crime activities within the perspective of augmentation. Our methodology analyses historical information and its relationship with structural characteristics of the communities that are exposed to cyber crime. We discover that cyber crimes are increasing in the context of years, however targeted towards a specific age group. The ensuing policy insight is for creating public awareness campaigns in upcoming years.
The criminals and terrorists behind contemporary cyber threats to society are well organized, and the impact on the victims from their activities can be devastating. Therefore, the complex nature and sophistication of cyber crime and cyber terrorism demands a dedicated response, especially from investigators who are critical to the success of tracking cyber criminals and bringing them to justice. This chapter considers the core investigative competencies which provide the practical tools and techniques for conducting professional cyber investigations. The key investigative skills of decision making, problem solving, developing hypotheses, embracing innovation, and the importance of contact management, are all explored in the context of contemporary cyber investigations.