Using Open Source Intelligence (OSINT) for Attack Surface Analysis

As the world grows more interconnected through social media and digital communications, relevant information available to attackers grows exponentially. Open-source intelligence (OSINT) is the practice of collecting data from published or otherwise publicly available sources. OSINT operations, whether practiced by IT security pros, malicious attackers, or state-sanctioned intelligence operatives, use advanced techniques to search through the vast haystack of visible data to find the information needed to achieve their goals. The use of publicly available resources distinguishes OSINT from other forms of intelligence gathering.

OSINT has many practical applications. Attackers use OSINT as a tool for reconnaissance. Social engineering uses OSINT to research targets before an attack. Public records are the number one source for OSINT, but data mined from the dark web is also valuable and readily available. 

OSINT – Sources and Tools 

OSINT in cybersecurity is about leveraging data to determine what actions are needed to help detect and prevent cyber-threats before they can impact an organization.

Using OSINT tools in your organization can improve cybersecurity by helping to discover information about your company, employees, IT assets, and other confidential or sensitive data that an attacker could exploit. Below are just a few examples of OSINT tools and sources.  


Maltego is a data mining tool used to mine OSINT resources and create graphs for visualizing connections. The graphs allow an analyst to connect information such as names and email addresses, organizational structure, domains, and documents.  

Maltego collects data from various sources, including free OSINT data, commercial threat intelligence feeds, SIEM alerts, underground forums, cryptocurrency blockchain, social media intelligence, or internal data like case management files, logs, systems, and data repositories.


Shodan and tools like it can shed light on many typical issues facing cybersecurity efforts. Shodan is a search engine that lets users find specific types of computers (e.g., webcams, routers, and servers) connected to the Internet. In the example of a server, there can be information about the server software, what options the service supports, a welcome message, or anything else that the user can find out before interacting with the server. 

Shodan can be leveraged to find exposed databases, compromised passwords, open ports, and services. For example, as part of an attack surface analysis, the analyst might find a misconfigured corporate server with NTP exposed to the Internet, a huge potential vulnerability.
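One way to use this kind of scan data for a self-audit, shown as an added example that is not from the original article: sort exposure records for your own address space into findings to fix, findings to review, and records to ignore. The record fields, the policy tables, and the address range are assumptions constructed for illustration, not the export schema of Shodan or any other tool.

```python
import ipaddress

# Hypothetical exposure policy: (transport, port) pairs that should never face the Internet.
NEVER_EXPOSE = {
    ("udp", 123): "NTP",
    ("tcp", 3306): "MySQL",
    ("tcp", 5432): "PostgreSQL",
    ("tcp", 27017): "MongoDB",
    ("tcp", 6379): "Redis",
}
# Services the organization expects to publish (assumption for this example).
EXPECTED = {("tcp", 80), ("tcp", 443)}

# Constructed documentation range standing in for the organization's address space.
OWNED_RANGES = ["203.0.113.0/24"]

# Constructed sample records; the field names are assumptions, not a real export schema.
SAMPLE_RECORDS = [
    {"ip": "203.0.113.10", "port": 443, "transport": "tcp", "product": "nginx"},
    {"ip": "203.0.113.11", "port": 123, "transport": "udp", "product": "ntpd"},
    {"ip": "203.0.113.12", "port": 5432, "transport": "tcp", "product": "PostgreSQL"},
    {"ip": "198.51.100.7", "port": 3306, "transport": "tcp", "product": "MySQL"},
    {"ip": "203.0.113.13", "port": 8443, "transport": "tcp", "product": "unknown"},
    {"ip": "not-an-ip", "port": 22, "transport": "tcp", "product": "OpenSSH"},
]


def triage(records, owned_ranges):
    """Bucket exposure records into high, review, out_of_scope and malformed."""
    nets = [ipaddress.ip_network(r) for r in owned_ranges]
    result = {"high": [], "review": [], "out_of_scope": [], "malformed": []}
    for rec in records:
        try:
            addr = ipaddress.ip_address(rec["ip"])
            key = (rec["transport"].lower(), int(rec["port"]))
        except (KeyError, ValueError, AttributeError, TypeError):
            result["malformed"].append(rec)  # keep for manual inspection
            continue
        if not any(addr in net for net in nets):
            result["out_of_scope"].append(rec)  # not our address space
        elif key in NEVER_EXPOSE:
            result["high"].append((str(addr), key[1], NEVER_EXPOSE[key]))
        elif key not in EXPECTED:
            result["review"].append((str(addr), key[1], rec.get("product", "?")))
    return result


if __name__ == "__main__":
    for bucket, items in triage(SAMPLE_RECORDS, OWNED_RANGES).items():
        print(bucket, items)
```

Records outside the owned ranges are set aside rather than scored, so the audit only reports on assets the organization is responsible for.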


Information on LinkedIn is a popular source of OSINT. For example, LinkedIn scraper tools can be used by attackers for reconnaissance, to study a person or company before targeted phishing attacks.

LinkedIn is a good resource when performing recon on an entire organization. An attacker can find all employees, their names, job titles, locations, and emails. It is a simple yet powerful data source often used in attack surface analysis before a penetration test. OSINT from LinkedIn can be used to gather emails, names, as well as subdomains, IPs, and URLs using multiple public data sources. Some people even publish their birthday on LinkedIn, which can be useful info for an attacker.

Dark Web Data Breach Dumps 

Many corporations and organizations have been victims of serious breaches. Breached data is data made publicly available by the entities that caused the breach. The use of the data after it’s leaked is beneficial in OSINT investigations.

Data breaches can include names, phone numbers, addresses, credit card details, passport numbers, and other sensitive data. Breached data can be essential to building a dossier early in an OSINT investigation. This information can show newer data points and confirm existing data about the target. 

Breached data is routinely uploaded to forums, paste bins, and file storage sites where it is sold and shared. Items for sale on the Dark Web include credit cards, malicious services like malware, DDoS-as-a-service, and data dumps.

Using OSINT for Attack Surface Analysis 

As part of attack surface analysis before penetration testing, understanding your OSINT footprint is essential. Your attack surface consists of more than just open ports, hostnames, and IP addresses. Email addresses, employee names, SaaS platforms, cloud-based tools and storage, public records, data breaches, social media accounts, and more are now all potential areas of risk. 

The intelligence stage is the critical element required to define Tactics, Techniques, and Procedures that may be used to reach the target and accomplish mission objectives. The number of entry points into the corporate network defines the number of attack vectors available to an attacker.

Potential attack vectors include: 

  • Information systems with access to the Internet (e.g., servers, workstations, and administrative control panels of special equipment)
  • Mobile devices of the employees  
  • Accounts of the cloud platforms and services used by the employees 

With an attack surface that extends far beyond an organization’s physical network, traditional methods of scanning and reconnaissance are no longer enough. Identifying what OSINT information is available about your organization is critical to your ability to address potential risks adequately. 

Please read this blog to learn more about how proper Attack Surface Analysis can defend against Feedback Loops

Why Truvantis 

IT security departments are increasingly tasked with performing OSINT operations on their organizations to shore up operational security. Many businesses do not have in-house expertise and choose to outsource OSINT operations. 

When you select Truvantis as a trusted third-party security partner, you get intelligence-driven operations designed to uncover vulnerabilities associated with real-world risk exposure. Truvantis cybersecurity engagements include Attack Surface Analysis using OSINT and other tools and comprehensive, full-spectrum testing. 

The Truvantis approach gives insights into issues that impact operational security objectives. Key decision-makers are then empowered to make well-informed decisions. Teams are empowered to focus on mission objectives. 

Truvantis is a cybersecurity and privacy consulting organization with comprehensive expertise in implementing, testing, auditing, and operating information security programs. We specialize in helping our clients improve their cybersecurity and privacy posture through practical, effective, and actionable programs—balancing security, technology, business impact, and organizational risk tolerance. Contact us to get started today. 
