[FIC 2022] A look back at the OSINT & Cyber Investigation Day
On the initiative of Antoine Violet-Surcouf, Managing Director and Partner of Avisa Partners, and with the support of the French OSINT communities, professionals of the sector met in Lille on June 7 for the International Cybersecurity Forum (FIC). In addition to a presentation of methods, the evolving challenges of this field and its organizations in an increasingly digitalized environment were discussed. The result was a full house, with the industry’s three main communities in attendance, as well as the whole ecosystem: institutions, major companies, law firms, software publishers etc.
Did someone say OSINT?
OSINT (Open Source Intelligence) refers to intelligence obtained from open sources in various contexts (law enforcement, cyber-protection, journalism and fact checking). This expression includes many subfields such as SIGINT, which deals with electromagnetic wave data (such as GPS tracking of planes and ships in real time) and SOCMINT, which monitors social media. As both study information sources that are available online, Serge Cholley, Director of Defense and Security at Eutelsat, chose to introduce the day by pointing out it would be wiser to speak of cyber intelligence. The rest of the day was split up into three parts, each one dedicated to an issue specific to OSINT.
1. Guaranteeing the security of businesses with OSINT
For some, including Hugo Benoist and Sylvain Hajri, co-founders of the OSINT-FR community, OSINT makes it possible to collect information that cybercriminals can use to prepare cyberattacks. In order to deal with this, it is essential to control what they call “the attack surface”, i.e. all the information that can identify IT and organizational vulnerabilities. Tracking this information preventively is actually the mission of their respective companies (BreacHunt for Hugo Benoist and Epieos for Sylvain Hajri).
Also, raising awareness among a company’s employees is essential. Indeed, as Artus Huot de Saint-Albin, OSINT manager at Axis&Co and coordinator of the AEGE OSINT club, has shown, employees are the preferred targets of cybercriminals.
At the same time, OSINT is used by analysts to monitor threatening events in real time (terrorist attacks, clashes, etc.) and ultimately to alert, in real time, the security managers of organizations that could be targeted. Alexis Pinon, Manager of Digital Investigations at Avisa Partners, also demonstrated how, using certain techniques, OSINT made it possible to identify potential witnesses who could facilitate the work of authorities, track possible attackers, identify vulnerabilities in the field etc. These methods could also be useful in the protection of VIPs, as demonstrated by Éric Ruffié, founder and president of Vigilact.
No matter the context, all agree on the need for caution. OSINT is not just about picking up information easily found on the deep web. It requires assessing its truthfulness, comparing it with other proven information and tracing back its origin. While everyone practices OSINT, using various tools, free or not, not everyone is an expert in the codes and the precautions to take when using them.
2. OSINT serves the people
There is a fine line between protection and investigation. Hervé Letoqueux, one of the founders of Open Facto, a fact-checking network, presented the work undertaken to identify those responsible for the delivery of arms to Libya, in violation of the embargo that had been decided. As for Éric Marlière-Albrecht, from the Central Office against ICT Crime, he showed how information left online (tweets, number plates, metadata, security flaws) is subject to processing to facilitate the work of field investigators, who must confirm (or invalidate) the witness statements received. In addition, both men reminded those in attendance that OSINT requires teamwork, which, in turn, requires drawing up rules for collaboration during the investigation, as well as training to spread best practice.
Margaux Duquesne, a former journalist and founder of the Millennium Investigations private investigation agency, presented the sources used to look for missing persons. She made a point of putting OSINT into perspective. It is not a “magic wand” but a tool that complements field work, and requires some level of general knowledge and good analytical skills. Eric Emeraux, from the Central Office for Combating Crimes against Humanity and Hate Crimes, confirmed this assessment, citing the hunt for international criminals as an example. According to him, OSINT is a new resource enabling investigation with no skill requirements in cyberspace, where the only limits are of a technical nature. This forces investigators to think in terms of “the legal worth of collected data”. OSINT must allow for perpetrators to be brought to justice.
This conclusion was also shared by Arie Ben Dayan, Sales Director at Cellebrite, an Israeli company that enables the “non-manual” collection of data, and its formatting, so that analysts can present it in an intelligible manner. According to him, AI contributes to this by studying connections between different groups of data or identified individuals. The important part lies in the notion of “intelligence”, which is the understanding and anticipation of phenomena as identified by cybersecurity.
Another essential aspect is the transparency of the investigation process and the sources cited. For Open Facto and the Central Office for Combating Crimes against Humanity and Hate Crimes, the priority is to make research explainable and justifiable according to the following formula: “Replicate my investigation, and you will come to the same conclusion I did”. This priority is explained by the collaboration of analysts with press titles or courts. Margaux Duquesne and Éric Marlière-Albrecht encouraged the investigator’s invisibility and the protection of sources in regard to the search for missing persons and the surveillance of threatening players.
3. A bulwark against interference attempts
This observation introduced the third and last part, centered on the use of OSINT in the surveillance of geopolitical players and their operations. Alexandre Alaphilippe, from the EU-Disinfolab NGO, showed how OSINT managed to shed light on a disinformation attack by a think tank close to the Indian government to create fake news (involving the European Parliament) with the complicity of the country’s main press agency. Nicolas Quénel, an independent journalist who collaborated with EU-Disinfolab, listed a few examples of information manipulation attempts and the potential pitfalls faced by analysts during open source investigations if personal knowledge and analytical skills were not put to use. Mathieu Gaucheler, from Paterva, the software publisher that created the Maltego software, explained OSINT through another lens: the detection of players close to Russia Today attempting to bypass the ban on the news website, decided at the start of the conflict in Ukraine, in order to broadcast Russian propaganda in Europe.
Charlotte Graire from Airbus CyberSecurity then presented the role of OSINT in the cyber struggle for influence strategy (L2I) adopted by the company’s directors against disinformation attacks. Using a machine learning solution, Airbus heads of monitoring identify and digest influence attacks broadcast in different formats (videos, social media, blogs) before storing and analyzing them. To this end they have useful information at their disposal when studying the content: what are the hashtags associated with a post shared on social media? Has an image been photoshopped? Their work presents the channels and broadcasting tactics as well as the arguments used. Finally, they study the cognitive effects of these campaigns: what are the reactions? Are they “impactful” in the long term?
Gabriel Ferréol, Director of Viginum, concluded by explaining the characteristics of disinformation attacks: multifaceted, adaptable, and asymmetrical, each one with its own “kinetics” (a very quick effect or a long term one). According to the definition adopted by French authorities, these are attacks by foreign players, “targeting the part of the debate addressing the Nation’s fundamental interests”.
The members of this agency (launched in July 2021) use OSINT to identify and foil digital interference in the information field. This work is carried out with the help of collaborators from various ministries (Ministry of Defense, the Interior, Foreign Affairs), the French Data Protection Authority, the committee for the regulation of elections and its European counterparts. Then there is the collaboration of experts from various fields (data analysis, political communications, web marketing), which has proven to be necessary in order to conduct analysis on several scales and thus identify reactions and narratives implemented during these attacks.
It should be noted that OSINT has drawn attention since the conflict in Ukraine started on February 24, which should not lead to any misunderstandings. The field remains separate from espionage and law enforcement investigations. It represents a collection of vague elements from the nooks and crannies of cyberspace and entails constant questioning of their explanatory worth. If a piece of information is not authentic, it does not mean it is non-information, but rather information that warrants research of further information. Who created this disinformation, to what end?
Cyber protection, the fight against fake news, or the protection of the online reputation of a person or organization, thus make OSINT’s improvement necessary in the coming years. See you in 2023!