
Open-source intelligence (OSINT) can supercharge the capabilities of a Global Security Operations Center (GSOC) through next-gen data analytics, real-time threat monitoring, and amplified investigations. At the recent Global Security Exchange (GSX) conference, I demonstrated how OSINT provides powerful capabilities to security teams for global threat management. Advanced video forensics, facial recognition, and license plate readers expand the information and intelligence used by corporate security teams. OSINT can be used to analyze online activity and publicly available information on the open web, and to dive into the deep and dark web, to uncover early threat indicators and disrupt bad actors.
GSOCs are staffed by a team of security professionals who work around the clock to identify and track potential threats. Keeping up with the latest technology developments and briefings is essential for GSOCs to be more proactive in responding to a host of cyber threats and attacks.
The digital landscape is expanding exponentially. Closed Circuit Television (CCTV) cameras proliferate while online platforms create a living trove of intelligence. At the same time, sensors transform cities into data-rich environments even as more sophisticated cyber threats emerge. New analytical capabilities harness artificial intelligence (AI) and machine learning (ML) to extract insights from massive datasets. Video and image forensics, video analytics, license plate readers (LPRs), image analytics, and facial recognition are the foundation of a global security operations center.
An OSINT web intelligence platform powered by AI is an important component of this ecosystem that can enrich investigations and help generate the insights GSOC security teams and intelligence units need to keep corporations and communities safe. OSINT provides seamless search and analysis of publicly available sources on the open web and other integrated data sources, as well as the ability to dive into the deep and dark web, allowing security professionals to generate actionable insights.
At the GSX conference, I provided techniques and guidance for effectively incorporating OSINT into global security operations centers. When implemented properly, OSINT unlocks powerful capabilities that amplify a GSOC’s intelligence advantage, including the ability to search for unique identifiers, extract insights from Exchangeable Image File Format (EXIF) metadata, accelerate breach investigations, and more.
Using OSINT to find unique identifiers
OSINT helps corporate investigators search for unique identifiers that can be used to corroborate a suspect's identity. While names may return multiple results online, unique identifiers like email addresses tend to consistently link back to individuals. Email addresses in particular stay with a person indefinitely; even old, unused accounts remain tied to their owner. When OSINT analysts can connect email addresses, phone numbers, nicknames, or other digital breadcrumbs back to forensic evidence like data from a suspect's device, it strengthens investigations. At the same time, public information online must be verified. The internet contains many unvetted digital breadcrumbs, so analysts must carefully confirm that OSINT findings connect to the right target. Thorough vetting and corroboration are crucial when leveraging OSINT. With proper verification, OSINT delivers powerful evidence while adhering to the rigorous standards needed for prosecution.
OSINT and forensic data
OSINT can extract EXIF metadata embedded in digital photos and videos to gather intelligence around the date, time, location, device, editing history, and other details. Analyzing EXIF data enables investigators to establish a timeline of events, verify image authenticity, and potentially track the source camera or smartphone. OSINT tools can quickly analyze and visualize metadata attached to online content like documents, images, and website code. Metadata provides critical context around files, accounts, activities, and authorship that can strengthen the intelligence value of collected OSINT. Moreover, importing collected OSINT into digital forensics tools allows analysts to visualize connections, timelines, relationships, and patterns across massive datasets.
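As an added illustration (not code from this article or from any PenLink product), the following stdlib-only Python walks the TIFF-structured EXIF block that a JPEG carries in its APP1 segment after the "Exif\0\0" header, pulling out the camera make, the timestamp and the GPS position as decimal degrees; the tag numbers are the standard EXIF/TIFF ones, while the camera name, time and coordinates in the sample block are constructed for the example and describe no real photo.

```python
import struct
ASCII, SHORT, LONG, RATIONAL = 2, 3, 4, 5                    # TIFF field types handled here
SIZE = {ASCII: 1, SHORT: 2, LONG: 4, RATIONAL: 8}            # bytes per element
IFD0_TAGS = {0x010F: "Make", 0x0110: "Model", 0x0132: "DateTime", 0x8825: "GPSIFD"}
GPS_TAGS = {1: "GPSLatitudeRef", 2: "GPSLatitude", 3: "GPSLongitudeRef", 4: "GPSLongitude"}

def read_ifd(tiff, bo, off, tags):                           # decode one IFD into {name: [values]}
    out = {}
    for i in range(struct.unpack_from(bo + "H", tiff, off)[0]):
        tag, typ, n, raw = struct.unpack_from(bo + "HHI4s", tiff, off + 2 + 12 * i)
        size = SIZE[typ] * n                                 # <= 4 bytes: inline, else at an offset
        data = raw[:size] if size <= 4 else tiff[struct.unpack(bo + "I", raw)[0]:][:size]
        if typ == ASCII:
            val = [data.rstrip(b"\0").decode("ascii")]
        elif typ == RATIONAL:
            val = [num / den for num, den in struct.iter_unpack(bo + "II", data)]
        else:
            val = list(struct.unpack(bo + str(n) + ("H" if typ == SHORT else "I"), data))
        out[tags.get(tag, tag)] = val
    return out

def parse_exif(tiff):                                        # make/model, timestamp, decimal GPS
    bo = "<" if tiff[:2] == b"II" else ">"                   # byte-order mark: II little, MM big
    ifd0 = read_ifd(tiff, bo, struct.unpack_from(bo + "I", tiff, 4)[0], IFD0_TAGS)
    info = {k: ifd0[k][0] for k in ("Make", "Model", "DateTime") if k in ifd0}
    if "GPSIFD" in ifd0:                                     # GPS tags live in their own sub-IFD
        gps = read_ifd(tiff, bo, ifd0["GPSIFD"][0], GPS_TAGS)
        for axis, ref in (("GPSLatitude", "GPSLatitudeRef"), ("GPSLongitude", "GPSLongitudeRef")):
            deg = sum(v / f for v, f in zip(gps[axis], (1, 60, 3600)))   # deg/min/sec -> decimal
            info[axis] = -deg if gps[ref][0] in "SW" else deg
    return info

def build_ifd(entries, base):                                # little-endian IFD placed at `base`
    data_off, body, extra = base + 2 + 12 * len(entries) + 4, struct.pack("<H", len(entries)), b""
    for tag, typ, n, payload in sorted(entries):             # entries: (tag, type, count, payload)
        if len(payload) <= 4:
            body += struct.pack("<HHI", tag, typ, n) + payload.ljust(4, b"\0")
        else:
            body += struct.pack("<HHII", tag, typ, n, data_off + len(extra))
            extra += payload
    return body + b"\0\0\0\0" + extra                        # zero next-IFD pointer, then data

def sample_exif():                                           # constructed block, not a real photo
    dms = lambda d, m, s: struct.pack("<6I", d, 1, m, 1, int(s * 100), 100)  # three RATIONALs
    gps = build_ifd([(1, ASCII, 2, b"N\0"), (2, RATIONAL, 3, dms(38, 53, 23.0)),
                     (3, ASCII, 2, b"W\0"), (4, RATIONAL, 3, dms(77, 0, 32.0))], 8)
    ifd0_off = 8 + len(gps)                                  # GPS IFD first, then IFD0
    ifd0 = build_ifd([(0x010F, ASCII, 11, b"ExampleCam\0"), (0x0132, ASCII, 20, b"2023:09:12 14:05:33\0"),
                      (0x8825, LONG, 1, struct.pack("<I", 8))], ifd0_off)
    return b"II*\0" + struct.pack("<I", ifd0_off) + gps + ifd0
```

Running `parse_exif(sample_exif())` yields the make, the timestamp string and a latitude/longitude pair of roughly 38.8897, -77.0089. Because any of these fields can be rewritten by ordinary editing tools, values recovered this way corroborate other evidence rather than prove it on their own.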
Mitigating breaches
A cybersecurity audit leveraging OSINT can uncover leaked technical data on hacker forums that provides insight into the threat actor's methods, tools, and processes. This enables more targeted incident response. Ongoing monitoring of deep and dark web sites can also detect attempted sales of stolen data. If a corporation is the victim of a data breach, security teams can extract metadata from stolen files and trace which usernames, machines, and internal systems were compromised. This identifies all points of access that need to be shut down and systems that need patching. In addition, they can monitor external chatter around the breach across online platforms, forums, code repositories, and other sources to gauge wider impacts and public perception. GSOC teams can also leverage OSINT to conduct cyber threat hunting within internal systems and identify additional footholds, compromised credentials, or backdoors left by attackers. Consulting counsel is important when investigations uncover sensitive employee or customer data that may trigger legal obligations around breach disclosure and protections. OSINT findings may have legal impacts. Keeping stakeholders updated is critical when OSINT reveals new indicators of compromise or sensitive details. Transparency builds trust and helps develop intelligence leads.
OSINT was used to identify a fake credential ring that claimed to have sold over 2,000 viable passes at $5 per pass at a large US sporting event in 2023. This event draws hundreds of thousands of people each year. The event can be easily compromised by the sale and use of fraudulent credentials, allowing unknown persons to enter the area for potentially nefarious reasons. Credentials can grant unfettered access and bypass physical security measures, posing a serious security risk if those who enter have ill intentions.
OSINT allows GSOCs to monitor a broad range of threat indicators across the surface, deep, and dark web to identify emerging risks targeting their corporate infrastructure, data, personnel, or physical locations. Analysis of internal corporate data alongside external OSINT can help uncover malicious insiders through digital footprints, behavioral patterns, and unauthorized system access. Furthermore, intelligence gained from monitoring threat actor communications and plans in the digital underground enables GSOCs to proactively fortify defenses and security practices ahead of impending attacks.
The bottom line is that OSINT gives GSOCs an information advantage against adversaries by tapping into massive open sources of intelligence with advanced analytics to detect, counter, and investigate security threats.
Johnmichael O’Hare, Director, Business Development, PenLink
Lieutenant Johnmichael O’Hare retired from the Hartford Police (CT) in 2018. His career elevated investigative units that specifically attacked narcotics and firearms violence. In 2013, he was tasked with creating a Real-Time Intelligence Center that could support critical functions & provide analytical and forensic back support. He currently serves as a Director of Business Development at PenLink with a focus on Threat Network Identification & Interdiction in the Web Intelligence Realm.