As an OSINT practitioner and trainer, I am often asked for a standard methodology in collecting OSINT. I'm here to dispel the appeal of a "one-size fits all" approach to online research.
I have been asked in recent months by several people if I could create a class or period of instruction on OSINT methodology.I have mulled on the repeated question and decided there really is no standard OSINT methodology so that OSINT analysts have a step-by-step approach to collecting OSINT. I firmly believe that each analyst conducts OSINT collection using many different methods based on several factors. In order to dispel this thinking about OSINT methodology, we first need to define what methodology is and define another less appreciated aspect of collection OSINT Frameworks.
OSINT framework vs OSINT methodology
When looking at OSINT collection practices, there are two approaches to standardization. One calls for an exact methodology, a "one-size fits all" approach to apply to a variety of industries, analysts and sought-after questions. The other, is a framework — a structure for where to seek information that adapts to the person, problem or context of the research at hand.
So when we look at the definitions of methodology and framework, here are the key differences:
- Methodology - prescriptive and defines steps to by taken, why the steps are essential and how to accomplish each step
- Framework - non-prescriptive and is intended to be adapted to fit the problem
To break it down even further, a methodology refers to solving problems systematically, whereas frameworks refers to a skeletal structure around which solutions are built. So in a methodology, problems are filtered through a standard set of practices; whereas in a framework, the practices are shaped around the problem at hand.
For instance, looking at a well-known example found at OSINT Framework, what you will first see is an OSINT tree that is positioned on the far left of your screen. This tree becomes expandable when you click on one of the categories listed (see image below).
If you click on these, they will display useful resources that form sub-trees. The resources or tools that are displayed will help you in finding the information you are looking for with regard to that category. Again, this framework does not give you a step-by-step on how to gather or collect the information but rather, the resources to find the information you seek.
OSINT framework: using the details of your research to help inform collection
That's why there really isn’t an OSINT methodology.
As we look into that OSINT framework and we talk about how it provides resources and tools to help with an investigation, you may be asking why there is no OSINT methodology. As a trained intelligence analyst and long-time OSINT practitioner, my way of conducting research or collecting OSINT data is going to be different than most OSINT practitioners out there. This is based on several factors like the kind of training I’ves received, work and life experiences and success or failure in previous OSINT collection/research. Another major factor is the type of OSINT collection/research I am undertaking.
I am going to start my collection and research differently for a fraud investigation than when investigating if an IP address is nefarious or not. In preparation for this blog, I asked several people I know in the OSINT community their thoughts. They all concluded that their starting point for collection may differ from mine based on not only how they think but also how they have conducted research in the past.
Creative thinking over Groupthink
Another thing that I think needs to be mentioned is that if there was a step-by-step process or methodology to collecting OSINT, we would begin to have a Groupthink mentality over a creative thinking mentality. Groupthink is a mode of thinking in which individual members of a small cohesive group tend to accept the viewpoint or conclusion that represents the perceived group consensus, whether or not the group believes it to be valid, correct or optimal. Creative thinking, meanwhile, is a process of innovating problem-solving from analyzing the facts to brainstorming to working with others.
Accepting a Groupthink mentality stifles the analysis when it comes to OSINT, which will then lead to bad reporting. This is why there is a framework for things like intelligence analysis and even OSINT but no real step-by-step methodology or process. Great reporting relies on innovative approaches and new ideas, something a one-size fits all mindset will suppress. Building a team of people from diverse backgrounds can help create better output for your organization, something acclaimed CTI team builder A.J. Nash discusses as a guest on NeedleStack.
What is the answer?
So you must be thinking or saying to yourself, “So what is the answer if there is no methodology?” Well, as OSINT practitioners we need to first begin by understanding that this statement is true, and start looking at how we can make conducting research easier for everyone. We need to start looking at the factors that influence how we collect OSINT to make ourselves better and then share these ideas throughout the OSINT community. The next thing is to understand that the topic you are trying to find using OSINT will greatly influence how you conduct your research. Once that has been accomplished this needs to make it into the training that analysts are receiving. The subject and topic of the research should be the main influence for your methodology.
We need to get analysts to stop thinking in a linear manner and start thinking contextually. This can be stated another way, logical vs analytical thinking. Again, I equate analysts thinking to not involving steps and being able to go from A to C to B to D and then back to A, whereas logical thinkers have to start with A, find the answer and then go to B, find the answer and go to C, and so on and so on.
Lastly, we need to think about the experience, both work and life experiences that can influence how we do things. I thankfully had some research experience prior to going to college as an intelligence analyst for several years and learned some great ways to conduct research. More senior OSINT practitioners in the community need to continue to talk about these things so that the younger OSINT practitioners can learn from us.
Changing the mindset
Overall, the fact that several people have been asking for an OSINT methodology training goes to show that analysts may not be thinking outside the box when it comes to their analysis. This can lead to stale analysis and poor reporting. In order to continue to be good analysts we need to get out of this thinking that someone has a step-by-step approach to conducting OSINT. OSINT is more of a form of art then it is a process that can be followed.
Instead of methodology, look for frameworks to help you develop better collection methods, tips and resources to benefit your practice, reporting tools to provide better output and secure methods to keep yourself and your company safe. Silo for Research can power secure, anonymous OSINT investigations on the surface, deep and dark web. Learn more about Silo for Research.
Tags Anonymous research Dark web research Financial crime Fraud and brand misuse Law enforcement OSINT research SOC Threat intelligence