For the month of March, TCM Security is offering free Active Directory Health Checks to any company with 10 or more employees. To inquire, please contact us here.

OSINT & Recon

OSINT stands for Open-Source Intelligence. It is the action of gathering information that is publicly available and analyzing it for intelligence purposes.

First, let’s look at what type of data can be considered Open-Source.

Data or information that is readily available to anyone via free-to-use resources such as Google, Social Media Platforms, or public information shared about employees on their company websites can be considered Open-Source. Certain data types can also be made available via formal requests that often contain Personally Identifiable Information(PII). 

In the United States, we have the Freedom of Information Act, which allows our citizens’ limited access to federal agency records—helping ensure that citizens are informed, which is central to a functioning democracy. Information might not be readily available; however, it can be requested and provided with the confidence granted by the FOIA. You can find more information here. Information obtained through these methods is considered OSINT and free, making this method Open-Source.

That begs the question, is OSINT data only applicable to free information

There is some debate as to whether that is the case. There are paid services, such as Dehashed, where you can gain access to their database for a small fee. This database contains lots of information regarding data breaches and credentials. The service is available to the public as no specific requirements, such as a professional license or certifications, are required for access.

Once you step into the realm of requiring a special license or certification to access data, it is no longer considered OSINT. Even if the unique requirements are easily met, it is not readily available nor obtainable without additional steps as the public does not have access.


Recon, short for reconnaissance, is the action of gathering information irrespective if it is OSINT or not. Merriam-Webster defines reconnaissance as 

“a preliminary survey to gain information .. especially : an exploratory military survey of enemy territory.”

Let’s look at this scenario where a single vehicle is in a massive parking lot, and it’s being repossessed, how was it located there at all? Sometimes a GPS tracker is installed in the vehicle by the dealership. Other times it is a tool called an Automated License Plate Reader (ALPR). This excerpt from www.eff.org summarizes ALPRs perfectly:

“Automated license plate readers (ALPRs) are high-speed, computer-controlled camera systems that are typically mounted on street poles, streetlights, highway overpasses, mobile trailers, or attached to police squad cars. ALPRs automatically capture all license plate numbers that come into view, along with the location, date, and time. The data, which includes photographs of the vehicle and sometimes its driver and passengers, is then uploaded to a central server.”

This data is not OSINT. However, OSINT has the potential to provide the same results depending on the target’s personal Operations Security (OPSEC). Humans are social beings and often time overshare their personal lives on social media. Bought a new car? Take a selfie, and the make, model, and license plate number are in plain view. The same applies to a new house, apartment, or favorite coffee shop. This personal information has been given freely in exchange for likes, emojis, and reposts. Geo-locating someone who frequently posts on social media can become effortless, and the need to have special licenses or certifications is bypassed altogether.

What purpose does gathering and analyzing all this information serve?

When done as part of an ethical hacking engagement, all this information is leveraged to better position the Pentesters when engaging their selected targets. This information improves their chances of successfully phishing, vishing, and smishing their target. Instead of generic and often ignored phishing emails or text messages, a pentester can craft enticing communications that attract their target’s attention and increase their chances of acquiring credentials or other sensitive information.

Utilizing Open-Source Intelligence allows for better remediation recommendations when briefing the client post engagement and providing a thorough report. This allows for higher quality work overall and can serve as a catalyst for future engagements.

How to defend against OSINT and Recon

Removing all sensitive information from social media is the most immediate action to defend oneself. Even if it might seem insignificant, it is better to err on the side of caution and remove it. Next is to avoid posting future sensitive information on social media. This does not only apply to personal social media accounts but business ones as well. For example, have you taken a team picture as part of a marketing campaign? There is a good chance an employee ID is visible.

What about employee contact information? 

Companies should avoid posting email addresses, phone numbers, or extensions on their public website. Instead, use generic contact information such as info@companyname.com and only list the main office number.

What about the data that is already out there?

There are numerous websites that harvest your personal data and store it in their databases, making it publicly available. You can Google search your own name and city to view what information exists. Each site you find should have an option to opt-out or remove your data via email request. Additionally, there are services where you can pay a fee, and the company will do this for you. However, not all websites with your information are included in the paid service. These services will scan the internet as best they can and continually process removal requests on your behalf.

What about my organization?

TCM Security can help! Contact us to inquire about our pentesting services. We can perform OSINT and Social Engineering on your organization and inform you of the strengths and weaknesses. In addition, we offer remediation recommendations and a debrief where we discuss the engagement findings and how we can work together to improve your security posture.