What Information Are Attackers Looking For?
Modern cyber attackers conduct extensive reconnaissance before launching attacks. They systematically gather intelligence from public sources to identify weaknesses, plan social engineering campaigns, and tailor their attacks for maximum impact. Understanding what information attackers seek helps organisations better protect themselves.
Employee Information
Your staff members leave digital footprints across the internet that attackers exploit for social engineering and targeted phishing campaigns:
- LinkedIn profiles reveal job titles, responsibilities, department structures, reporting relationships, professional skills, and career timelines
- Social media activity exposes personal interests, family information, vacation schedules, professional frustrations, and routine patterns
- Professional conferences and events show who attends industry gatherings, speaking engagements, and their areas of expertise
- Email addresses and formats can be harvested from corporate websites, press releases, academic papers, and professional directories
- Phone numbers and extensions appear in email signatures, contact pages, and business directories
Real-World Impact
Attackers use employee information to craft convincing spear-phishing emails that reference genuine projects, colleagues, and business relationships. A senior executive's LinkedIn profile showing recent travel to a specific city can be leveraged in a targeted email claiming to be from a hotel or conference venue in that location.
Technical Infrastructure
Publicly visible technical details reveal your organisation's attack surface and potential entry points:
- Domain name information through WHOIS lookups reveals registration details, name servers, and email contacts
- IP address ranges can be identified and mapped to your organisation's external-facing systems
- DNS records expose mail servers, web servers, subdomains, and third-party services
- SSL/TLS certificates reveal certificate authorities used, certificate expiry dates, and associated domains
- Job advertisements often describe technologies, systems, and platforms your organisation uses
- Technology vendors mentioned in case studies, testimonials, or press releases indicate your technical stack
- Code repositories on GitHub or GitLab may inadvertently contain configuration details, API keys, or architectural information
Physical Security Information
Physical location details and facility information support reconnaissance for physical security assessments or sophisticated attacks:
- Google Street View and satellite imagery show building layouts, entry points, security cameras, and perimeter defences
- Building management and tenancy information reveals shared facilities, access control systems, and neighbouring occupants
- Staff photos and check-ins on social media expose office layouts, badge systems, and security procedures
- Delivery and visitor procedures described on websites or in communications
Business Intelligence
Strategic and operational information helps attackers understand your organisation's priorities and vulnerabilities:
- Financial information from Companies House, annual reports, and investor presentations
- Client and partner relationships revealed through case studies, testimonials, and press releases
- Ongoing projects and initiatives mentioned in news articles, blogs, and social media
- Merger and acquisition activity creates disruption periods when security may be weakened
- Regulatory compliance requirements based on industry sector and geographic operations
- Supply chain relationships identified through supplier directories and procurement documents
Common OSINT Sources Attackers Exploit
Corporate Websites and Digital Properties
Your own website is often the first stop for attackers gathering intelligence. Beyond the obvious contact information and services described, websites can reveal technical details through source code inspection, metadata in documents, and error messages that expose system information.
Social Media Platforms
LinkedIn, Twitter, Facebook, and Instagram provide rich intelligence about personnel, culture, and operations. Employees sharing workplace photos may inadvertently reveal security badges, screen contents, network diagrams on whiteboards, or visitor sign-in procedures.
Search Engines and Cached Content
Google dorking techniques allow attackers to find sensitive information inadvertently indexed by search engines, including configuration files, backup files, directory listings, and documents containing credentials or proprietary information.
Public Records and Databases
Government databases, business registries, property records, and professional licensing boards contain verified information about your organisation, its directors, and registered addresses.
Data Breach Databases
Previous breaches affecting your organisation or employees may have exposed credentials, which attackers test through credential stuffing attacks. Services like Have I Been Pwned catalogue billions of compromised accounts.
Dark Web Monitoring
Stolen credentials and corporate data often appear on dark web marketplaces and forums. Monitoring these channels for your organisation's information provides early warning of compromised accounts or data leaks. CyberGP offers dark web monitoring as part of our ongoing security services.
How Attackers Use OSINT
Spear Phishing Campaigns
Attackers craft convincing, personalised phishing emails using gathered intelligence about targets, their roles, current projects, and professional relationships. These targeted attacks have significantly higher success rates than generic phishing campaigns.
Social Engineering
Detailed knowledge of your organisation's structure, personnel, suppliers, and procedures enables attackers to impersonate employees, vendors, or partners convincingly over phone calls or in-person interactions.
Targeted Technical Attacks
Understanding your technology stack allows attackers to research known vulnerabilities in your specific systems and prepare exploits tailored to your infrastructure.
Physical Security Breaches
Information about facility locations, security systems, and access procedures supports planning for physical penetration attempts or helps attackers blend in by mimicking legitimate visitors.
Protecting Your Organisation from OSINT-Based Attacks
Conduct Your Own OSINT Assessment
Regularly search for your organisation online from an attacker's perspective. What can you find? What information surprises you? CyberGP offers professional OSINT investigations that systematically identify your public exposure.
Implement Information Security Policies
Establish guidelines for what employees can share on social media about their work, restrict technical details in job postings, and review content before publication to remove unnecessary sensitive information.
Train Staff on OSINT Risks
Educate employees about how seemingly innocuous information can be combined to support attacks. Include OSINT awareness in security training programmes and phishing simulations.
Monitor Your Digital Footprint
Set up alerts for your organisation name, key personnel, and domain names. Monitor paste sites and data breach databases for exposed credentials. Regular monitoring enables rapid response to data leaks.
Secure Your Technical Infrastructure
Minimise information leakage through DNS records, error messages, and banner grabbing. Use privacy protection for domain registrations where appropriate. Regularly audit what technical information is publicly visible.
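One way to audit your own servers for the banner leakage described above, as an added example that is not part of the original article. The header list, function name and sample response are constructed for illustration; feed it response heads captured from systems you operate.

```python
import re

# Response headers that often name server software (list assumed for this example).
DISCLOSING = {"server", "x-powered-by", "x-aspnet-version",
              "x-aspnetmvc-version", "x-generator"}

# Product token followed by a dotted version, e.g. "Apache/2.4.41".
PRODUCT_VERSION = re.compile(r"([A-Za-z][\w.+-]*)[/ ]v?(\d+(?:\.\d+)+)")
# A value that is only a version number, e.g. "4.0.30319".
BARE_VERSION = re.compile(r"\d+(?:\.\d+)+")


def audit_response_head(raw_head: str) -> list[dict]:
    """Return one finding per header that discloses software details."""
    findings = []
    for line in raw_head.splitlines()[1:]:      # skip the status line
        if not line.strip():                    # blank line ends the headers
            break
        name, sep, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if not sep or name not in DISCLOSING:
            continue
        versions = [f"{p} {v}" for p, v in PRODUCT_VERSION.findall(value)]
        if not versions and BARE_VERSION.fullmatch(value):
            versions = [value]
        # An exact version lets a reader look up matching advisories: rate it higher.
        findings.append({"header": name, "value": value, "versions": versions,
                         "severity": "high" if versions else "low"})
    return findings


# Constructed sample response head (not captured from a real system).
SAMPLE_HEAD = """HTTP/1.1 200 OK
Date: Mon, 01 Jan 2024 00:00:00 GMT
Server: Apache/2.4.41 (Ubuntu)
X-Powered-By: PHP/7.4.3
X-Generator: ExampleCMS
Content-Type: text/html; charset=UTF-8

<html>Server: this line is body text, not a header</html>
"""

if __name__ == "__main__":
    for finding in audit_response_head(SAMPLE_HEAD):
        print(finding["severity"], finding["header"], finding["value"])
```

Headers rated high disclose an exact version and are the first candidates for suppression in the web server or framework configuration.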
Review and Remove Unnecessary Information
Audit your corporate website, social media, and public documents. Remove or redact information that provides no business value but increases your attack surface.
Professional OSINT Investigation
CyberGP's OSINT Investigation service provides a comprehensive assessment of your organisation's public exposure. We systematically gather and analyse publicly available information to show you exactly what attackers can learn about your organisation, employees, and infrastructure. Our detailed reports include prioritised recommendations for reducing your digital footprint and preventing OSINT-based attacks.
Pricing starts from £1,000. Contact us for a consultation.
Conclusion
OSINT demonstrates that cybersecurity extends beyond firewalls and antivirus software. The information your organisation makes publicly available, intentionally or accidentally, provides attackers with the intelligence they need to launch sophisticated, targeted attacks. Understanding your OSINT exposure and taking steps to minimise it significantly reduces your vulnerability to modern cyber threats.
Regular OSINT assessments should form part of your broader cybersecurity strategy, complementing technical controls, staff training, and incident response planning. By seeing your organisation through an attacker's eyes, you can identify and address vulnerabilities before they are exploited.