惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Security Latest
Security Latest
Recorded Future
Recorded Future
人人都是产品经理
人人都是产品经理
S
SegmentFault 最新的问题
Hacker News - Newest:
Hacker News - Newest: "LLM"
C
CXSECURITY Database RSS Feed - CXSecurity.com
博客园 - 三生石上(FineUI控件)
博客园 - 聂微东
P
Privacy & Cybersecurity Law Blog
WordPress大学
WordPress大学
Know Your Adversary
Know Your Adversary
Spread Privacy
Spread Privacy
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
量子位
L
LINUX DO - 热门话题
L
Lohrmann on Cybersecurity
博客园 - Franky
酷 壳 – CoolShell
酷 壳 – CoolShell
T
Tor Project blog
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
雷峰网
雷峰网
阮一峰的网络日志
阮一峰的网络日志
V
Visual Studio Blog
T
Threatpost
T
Tenable Blog
有赞技术团队
有赞技术团队
大猫的无限游戏
大猫的无限游戏
Engineering at Meta
Engineering at Meta
GbyAI
GbyAI
C
Cisco Blogs
H
Heimdal Security Blog
Attack and Defense Labs
Attack and Defense Labs
A
About on SuperTechFans
Last Week in AI
Last Week in AI
N
News and Events Feed by Topic
T
Threat Research - Cisco Blogs
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
I
Intezer
V
V2EX
Cyberwarzone
Cyberwarzone
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
B
Blog RSS Feed
V
Vulnerabilities – Threatpost
N
Netflix TechBlog - Medium
T
The Blog of Author Tim Ferriss
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
U
Unit 42
PCI Perspectives
PCI Perspectives
P
Privacy International News Feed
D
Docker

Intel 471 Blog

TeamPCP Supply Chain Attacks Turning Geopolitical Tension into Actionable Intelligence CVE-2025-68613: Zerobot botnet exploits critical vulnerability impacting n8n AI orchestration platform Introducing Cyber Threat Exposure Bundle: A Unified Approach to External Risk CVE-2026-20127: Critical Cisco SD-WAN vulnerability exploited in wild Handala Threat Group OpenClaw: A viral AI assistant and a magnet for infostealer malware and ClickFix trickery Israeli, US strikes against Iran triggers a surge in hacktivist activity CVE-2026-1731: Finding a critical RCE in an age of AI-driven vulnerability research Born to bypass MFA: Taking down Tycoon 2FA The UK Cyber Security Resilience Bill How AI and the human advantage beat tomorrow’s threats Winter Olympics 2026: Hacktivism Surges Ahead of Protests and Suspected Sabotage How Threat Hunting and “Good” Metrics Help The Business Likely fake ransomware operator 0APT causes panic — Our analysis Hunting APTs: from state policy to TTPs CrazyHunter Ransomware DevMan Ransomware Introducing HUNTER Tuning: a New Tool for Driving Behavioral Threat Hunt Detections Battling check fraud in the U.S. Gootloader Malware Update Shai-Hulud Worm 2.0 New FvncBot Android banking trojan targets Poland White Paper Preview: Black "Fraud Day” and Beyond — The Key Cyber Threats Facing the Retail Sector this Holiday Season Threat hunting case study: Detecting IAB activity Using deception to extract cyber threat intelligence Lynx Ransomware Qilin Ransomware Group ClickFix: Tricking users into installing infostealers Cybercrime Takedowns: Trust, Partnerships and Focus How card fraud is powered by underground card checkers Tracking down The Com Turning Chaos into Clarity: The Next Phase of Intel 471’s Geopolitical Intelligence Solution The FBI’s Group 78: Covertly fighting ransomware? How threat actors bypass multifactor authentication Crimson Collective In a digital age, US paper check fraud flourishes How you can defend against AI-driven fraud and phishing Detecting cybercriminal activity on Telegram NPM - Shai-Hulud Worm Threat hunting case study: ToolShell AMOS Stealer How AI can (and can’t) help in threat hunting The Phrack leak: Examining an APT’s workstation How initial access offers power intrusions and ransomware Drawing value from cyber threat intelligence “Pig-Butchering” Scams: The Dark Side of Social Engineering and Why Terminology Matters After disruption, XSS cybercrime forum faces loss of trust Update: Salt Typhoon Bridging the CTI Gap: New Exposure Modules on Verity471 Deliver Market-Disrupting Views of Threats Introducing Verity471: Cyber Threat Intelligence Ready to Operationalize FileFix Social Engineering Technique Guided Threat Hunts Takes Your Behavioral Threat Hunting to the Next Level Defending against doxing CVE-2025-53770 - Microsoft Sharepoint Mass Exploitation (ToolShell) Threat hunting case study: Lumma infostealer Pro-Russian hacktivism: Shifting alliances, new groups and risks mommy Access Broker NATO summit commences in tandem with tense cyber, kinetic conflict A look at ‘Tinker,’ Black Basta’s phishing fixer, negotiator Threat hunting case study: DragonForce Two critical challenges facing CTI teams and how to overcome them: Intel 471’s additional insights into the SANS 2025 CTI Survey Android malware trends: Stealthier, easier-to-use Fingerprinting threat actors by their anonymity techniques DanaBot malware disrupted, threat actors named Intel 471 brings HUNTER behavioral threat hunts to Google Security Operations SANS 2025 CTI Survey: It’s Business Time for Cyber Risk How an alleged Russian hacker slipped away Threat hunting case study: Medusa ransomware CVE-2025-31324 - SAP NetWeaver Vulnerability DragonForce Ransomware Managing a cyber crisis LabHost: A defunct but potent phishing service Understanding and threat hunting for RMM software misuse Threat-hunting case study: Windows Management Instrumentation abuse VanHelsing Ransomware An in-depth look at Black Basta's TTPs Six Key Takeaways From the SANS 2025 Threat Hunting Survey Update: Medusa Ransomware Writing high-quality IDS detection rules Threat hunting case study: RMM software Update: LockBit Ransomware Zservers: Bulletproof hosting for online crime Update: Black Basta Ransomware and Threat Group Black Basta exposed: A look at a cybercrime data leak BadPilot Campaign The evolution of Russian cybercrime Android trojan TgToxic updates its capabilities Threat hunting case study: SocGholish DeepSeek AI poses cybersecurity risks Law enforcement hammered cybercrime in 2024. Is it working? Remote Monitoring and Management (RMM) Abuse How threat actors are using artificial intelligence Threat hunting case study: PsExec How ransomware may trend in 2025 What 2025 May Hold for Cybersecurity Bring Your Own Hunts to HUNTER ‘Tis the Season to Be Alert for Cyber Threats: 5 Unjoyful Holiday Tactics Collecting Useful CTI from Underground Markets Expanding source coverage: adding Signal chats to threat intelligence
OSINT for Attack Surface Monitoring
Intel 471 · 2020-10-13 · via Intel 471 Blog

In this series of posts, Victoria Willis explores how OSINT (Open Source Intelligence) can be applied in the areas of Cyber Threat Intelligence, IT Asset Discovery, Security Assessments and Attack Surface Monitoring. In this fourth and final post of the series, the focus is on the relevance of OSINT when attempting to monitor your “attack surface.” Check out the previous posts on using OSINT for Cyber Threat Intelligence, OSINT for IT Asset Discovery. and OSINT for Security Assessments.

What’s Exposed?

If you’re looking to beef up your attack surface monitoring efforts, understanding your OSINT footprint is essential. OSINT, or Open Source Intelligence, refers to the gathering of publicly available information on an individual or organization. This information represents a collection of data that can be gathered by a malicious actor and used to identify systems and users, as well as gather information about them. This can lead to increased (and possibly unintended) visibility of an organization’s assets and associated information security risks.

Although OSINT can be used by malicious actors, it also provides valuable information on what an organization’s attack surface looks like to the public. For organizations, OSINT can be used as a reconnaissance effort to better understand what their footprint looks like to the outside world. Attackers will often use OSINT through both manual methods and tools to research their targets for potential information that may be weaponized in support of launching an attack. Due to the potential for an individual or group with malicious intent to use OSINT against an organization, it’s important that organizations have an understanding of what data can be found on them in the wild.

With the use of OSINT, security leaders can verify information they wouldn’t want to be public and use that data to ultimately reduce their attack surface exposed to potential threats. Security operations can also leverage OSINT as an early warning system for identifying problems that may have already occurred, like a data breach.

In the modern digital landscape, your attack surface consists of much more than just open ports, host names and IP addresses. Email addresses, employee names, SaaS platforms, cloud-based tools and storage, public records, data breaches, social media accounts and more are now all potential areas of risk. Exposed emails and information available on social media can be used to help attackers lead targeted phishing attacks, for example. Or, a malicious actor might use credentials from a recent data breach to gain access to intellectual property stored in a cloud-based service.

With an attack surface that now extends far beyond an organization’s own network, traditional methods of scanning and reconnaissance are no longer enough. The amount of publicly available information is constantly expanding; identifying what information is available about your organization is critical to your ability to adequately address potential risks.

To fully understand the scope of information that may be publicly accessible, organizations need to utilize multiple sources of OSINT for data collection. Through OSINT, organizations can actually begin to piece together a complete picture of what their attack surface looks like to the world, and what unintended exposures may be available to the eyes of malicious actors.

While this information can help give organizations a full picture of what their attack surface looks like to the public, the growing availability and scope of OSINT really puts the onus on security leaders to gather as much data as possible for proactively identifying new exposures.

Automating Attack Surface Monitoring

Using multiple OSINT sources to gather information is critical to getting a full view of an organization’s attack surface visibility — but the process of obtaining all the information necessary through many sources can be overly complicated and time-consuming. There are new sources of OSINT cropping up all the time and different sources provide different APIs; this can create many additional steps in the information collection process. Normalizing and correlating the data can also be a tremendous undertaking in addition to keeping up-to-date with API changes over time. However, automated OSINT tools gather the critical information organizations need for accurate attack surface monitoring, allowing users to focus their energy on analysis and response.

An automated OSINT solution like SpiderFoot is one platform that has been created with this use case front and center. Users can monitor over 100 different sources of OSINT to gather intelligence on IP addresses, domain names, email addresses, names and more. As part of a new generation of reconnaissance tools, SpiderFoot integrates easily with third-party APIs like Shodan, HaveIBeenPwned, AlienVault OTX and more. For OSINT automation, the ability to integrate with third-party APIs and correlate the results is key to overall effectiveness and there are many different sources of APIs, such as internet scanners, passive DNS services, and reputation systems. Compatibility with this vast array of sources is critical to helping security professionals better understand and assess their organization’s attack surface visibility.

Using the Monitor feature of SpiderFoot, your attack surface monitoring can be automated.

SpiderFoot streamlines both the processes of data collection and continuous monitoring, automatically triggering notifications via email, Slack and others when an organization’s OSINT footprint is detected. Taking the automation a step further, this can help security operations run more efficiently through integration with their SIEM, vulnerability scanners and risk dashboards to support incident response and overall information security risk management.