惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

F
Fortinet All Blogs
S
Secure Thoughts
月光博客
月光博客
美团技术团队
雷峰网
雷峰网
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
N
News and Events Feed by Topic
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
Forbes - Security
Forbes - Security
W
WeLiveSecurity
P
Proofpoint News Feed
阮一峰的网络日志
阮一峰的网络日志
爱范儿
爱范儿
G
GRAHAM CLULEY
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
AI
AI
Last Week in AI
Last Week in AI
Google Online Security Blog
Google Online Security Blog
Schneier on Security
Schneier on Security
云风的 BLOG
云风的 BLOG
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
Recent Announcements
Recent Announcements
Webroot Blog
Webroot Blog
T
Tor Project blog
Cisco Talos Blog
Cisco Talos Blog
N
News and Events Feed by Topic
罗磊的独立博客
The Register - Security
The Register - Security
Blog — PlanetScale
Blog — PlanetScale
T
Threat Research - Cisco Blogs
博客园 - 【当耐特】
Apple Machine Learning Research
Apple Machine Learning Research
人人都是产品经理
人人都是产品经理
T
The Exploit Database - CXSecurity.com
www.infosecurity-magazine.com
www.infosecurity-magazine.com
B
Blog
腾讯CDC
Microsoft Azure Blog
Microsoft Azure Blog
酷 壳 – CoolShell
酷 壳 – CoolShell
H
Hacker News: Front Page
Application and Cybersecurity Blog
Application and Cybersecurity Blog
Engineering at Meta
Engineering at Meta
Latest news
Latest news
IT之家
IT之家
D
DataBreaches.Net
博客园 - 司徒正美
N
Netflix TechBlog - Medium
V
V2EX
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知

Intel 471 Blog

TeamPCP Supply Chain Attacks Turning Geopolitical Tension into Actionable Intelligence CVE-2025-68613: Zerobot botnet exploits critical vulnerability impacting n8n AI orchestration platform Introducing Cyber Threat Exposure Bundle: A Unified Approach to External Risk CVE-2026-20127: Critical Cisco SD-WAN vulnerability exploited in wild Handala Threat Group OpenClaw: A viral AI assistant and a magnet for infostealer malware and ClickFix trickery Israeli, US strikes against Iran triggers a surge in hacktivist activity CVE-2026-1731: Finding a critical RCE in an age of AI-driven vulnerability research Born to bypass MFA: Taking down Tycoon 2FA The UK Cyber Security Resilience Bill How AI and the human advantage beat tomorrow’s threats Winter Olympics 2026: Hacktivism Surges Ahead of Protests and Suspected Sabotage How Threat Hunting and “Good” Metrics Help The Business Likely fake ransomware operator 0APT causes panic — Our analysis Hunting APTs: from state policy to TTPs CrazyHunter Ransomware DevMan Ransomware Introducing HUNTER Tuning: a New Tool for Driving Behavioral Threat Hunt Detections Battling check fraud in the U.S. Gootloader Malware Update Shai-Hulud Worm 2.0 New FvncBot Android banking trojan targets Poland White Paper Preview: Black "Fraud Day” and Beyond — The Key Cyber Threats Facing the Retail Sector this Holiday Season Threat hunting case study: Detecting IAB activity Using deception to extract cyber threat intelligence Lynx Ransomware Qilin Ransomware Group ClickFix: Tricking users into installing infostealers Cybercrime Takedowns: Trust, Partnerships and Focus How card fraud is powered by underground card checkers Tracking down The Com Turning Chaos into Clarity: The Next Phase of Intel 471’s Geopolitical Intelligence Solution The FBI’s Group 78: Covertly fighting ransomware? How threat actors bypass multifactor authentication Crimson Collective In a digital age, US paper check fraud flourishes How you can defend against AI-driven fraud and phishing Detecting cybercriminal activity on Telegram NPM - Shai-Hulud Worm Threat hunting case study: ToolShell AMOS Stealer How AI can (and can’t) help in threat hunting The Phrack leak: Examining an APT’s workstation How initial access offers power intrusions and ransomware Drawing value from cyber threat intelligence “Pig-Butchering” Scams: The Dark Side of Social Engineering and Why Terminology Matters After disruption, XSS cybercrime forum faces loss of trust Update: Salt Typhoon Bridging the CTI Gap: New Exposure Modules on Verity471 Deliver Market-Disrupting Views of Threats Introducing Verity471: Cyber Threat Intelligence Ready to Operationalize FileFix Social Engineering Technique Guided Threat Hunts Takes Your Behavioral Threat Hunting to the Next Level Defending against doxing CVE-2025-53770 - Microsoft Sharepoint Mass Exploitation (ToolShell) Threat hunting case study: Lumma infostealer Pro-Russian hacktivism: Shifting alliances, new groups and risks mommy Access Broker NATO summit commences in tandem with tense cyber, kinetic conflict A look at ‘Tinker,’ Black Basta’s phishing fixer, negotiator Threat hunting case study: DragonForce Two critical challenges facing CTI teams and how to overcome them: Intel 471’s additional insights into the SANS 2025 CTI Survey Android malware trends: Stealthier, easier-to-use Fingerprinting threat actors by their anonymity techniques DanaBot malware disrupted, threat actors named Intel 471 brings HUNTER behavioral threat hunts to Google Security Operations SANS 2025 CTI Survey: It’s Business Time for Cyber Risk How an alleged Russian hacker slipped away Threat hunting case study: Medusa ransomware CVE-2025-31324 - SAP NetWeaver Vulnerability DragonForce Ransomware Managing a cyber crisis LabHost: A defunct but potent phishing service Understanding and threat hunting for RMM software misuse Threat-hunting case study: Windows Management Instrumentation abuse VanHelsing Ransomware An in-depth look at Black Basta's TTPs Six Key Takeaways From the SANS 2025 Threat Hunting Survey Update: Medusa Ransomware Writing high-quality IDS detection rules Threat hunting case study: RMM software Update: LockBit Ransomware Zservers: Bulletproof hosting for online crime Update: Black Basta Ransomware and Threat Group Black Basta exposed: A look at a cybercrime data leak BadPilot Campaign The evolution of Russian cybercrime Android trojan TgToxic updates its capabilities Threat hunting case study: SocGholish DeepSeek AI poses cybersecurity risks Law enforcement hammered cybercrime in 2024. Is it working? Remote Monitoring and Management (RMM) Abuse How threat actors are using artificial intelligence Threat hunting case study: PsExec How ransomware may trend in 2025 What 2025 May Hold for Cybersecurity Bring Your Own Hunts to HUNTER ‘Tis the Season to Be Alert for Cyber Threats: 5 Unjoyful Holiday Tactics Collecting Useful CTI from Underground Markets Expanding source coverage: adding Signal chats to threat intelligence
OSINT is re-defining what an organisation’s perimeter looks like.
Intel 471 · 2019-01-28 · via Intel 471 Blog

“The perimeter” is probably one of the most used metaphors in Information Security, and as an attacker or defender it’s often the first place analysed to identify vulnerabilities.

In this post I explore the perimeter metaphor and look at the impact of OSINT (Open Source Intelligence) when trying to defend or attack an organisation’s perimeter.

The early perimeter

Especially in the world of IT, metaphors are essential because they reduce highly complex things down to more familiar terms that humans can easily grasp (think of “firewall” and “cloud”, for example). But unless everyone in the conversation has the same understanding of what the metaphor actually represents, they aren’t talking about the same thing. Or worse, if what the metaphor used to mean no longer makes sense in today’s world, you have a problem.

[Image: https://134.209.41.85/wp-content/uploads/2019/11/0_ZI-yJLZUw0s2E0ru-1-1024x682.jpg - When you think of a perimeter, does it look anything like this? It might be closer to reality than you think.]

For a long time the perimeter metaphor made a lot of sense because if we wanted to defend an organisation we needed to find all the points of possible weakness that an attacker might target.

Back when the IT estate of organisations used to be much simpler, we would reasonably start this process at the network layer. We would tightly control all the incoming paths of communication to the resources that needed to be externally accessible, and completely close off access to everything else.

Then, with the network controlled you would work your way up the stack to tighten access at the application layer so that the exposed services were further protected, maybe through the use of authentication, encryption, sandboxing and so on. What we were left with was what we would refer to as the perimeter — the systems accessible by distrusted (or at least less trusted) users.

So far, so good; the perimeter metaphor worked reasonably well because it mapped well to reality.

Then the world changed

Blind spots started to form when we moved beyond the organisations of the early 2000s where life was lived mostly behind a firewall, to modern-day organisations that likely also include:

  • Servers hosted in a mixture of on-premise and cloud facilities
  • Cloud-based office productivity tools like Google Mail, Dropbox, …
  • Object storage in the cloud such as S3 buckets
  • SaaS platforms like Zendesk, Mailchimp, …
  • Third parties managing DNS across many alternative domains and TLDs
  • BYOD (Bring Your Own Device) in the workplace
  • Outsourcing companies handling more of the technology value-chain
  • 3rd party network connectivity with partners and suppliers
  • Shadow IT
  • Presence on social media platforms for marketing, branding and recruiting
  • Employee personal and professional presence on social media

Where is the perimeter in all of this? How could it possibly be identified, let alone controlled?

Because of these changes, the risk that organisations face is far beyond the perimeter of their own network because their own network is no longer the sole place where damage can be inflicted on their assets, brand and reputation.

This means that the perimeter (if we really still want to call it that) is no longer made up of just hostnames, IP addresses and open ports. It now also includes e-mail addresses, employee names, social media accounts, public records (Whois, certificate transparency, etc.), data leaks and any other freely available information about the organisation which might give the attacker an advantage.

Enter OSINT

My introduction to OSINT was back in 2005 when I created the first version of SpiderFoot, except I didn’t know it at the time.

Back then, OSINT wasn’t a term you would hear in InfoSec circles — it was mostly “network scanning” or “reconnaissance”. OSINT was still very much relegated to the world of three-letter government agencies, which had this to say about it:

“Today, open source [intelligence] has expanded well beyond “frosting” and comprises a large part of the cake itself. It has become indispensable to the production of authoritative analysis.”
John Gannon, former Chairman, National Intelligence Council, 2001

These days — particularly in the past couple of years — OSINT seems to be everywhere: blogs, podcasts, books, tons of tools and entire platforms dedicated to it. Just take a look at this graph from Google Trends which indicates a steadily decreasing interest in “network scanning” vs. a growing interest in “OSINT” over the past ten years:

[Image: https://134.209.41.85/wp-content/uploads/2019/11/1_8OCjOkF0wiKL3Z24scLj7Q-1024x582.png - https://trends.google.com/trends/explore?date=2009-01-01%202019-01-01&q=osint,network%20scanning]

The above image coupled with the general growth of the OSINT ecosystem indicates there is some kind of awareness-shift happening. I believe people are catching on to the idea that the perimeter of an organisation goes well beyond the network and see OSINT as a solution to gaining the necessary visibility.

The OSINT explosion

In developing SpiderFoot over the years, I’ve witnessed first hand the growing availability of OSINT that makes the task of identifying an organisation’s true perimeter possible. Services to search data leaks, find employee details, reverse-lookup Whois data and more are popping up continuously and best of all, exposing their functionality through APIs to make automation possible. When I started with SpiderFoot, it integrated with about five different data sources. Today it stands at over 150 (and I have a backlog of 100 more to implement, and growing).

The bad news is that the open nature of this information means it is also available to attackers, so the burden lies on the defender to gather as much OSINT as possible about the organisation they are defending to identify unintended exposures, and do it regularly in the same way that they would perform vulnerability scans.

If you doubt the practical applications of OSINT for an attacker, consider the following questions:

  • Why try and brute-force all the host names belonging to your target if you can just search the certificate transparency log to find all the hosts for which certificates have been issued?
  • Why try and look for unmaintained parts of the infrastructure when you can just look for hosts on the organisation’s domain which are not hosted on the same infrastructure as all of their other sites?
  • Why bother breaking into the network to get sensitive information if you can find poorly managed S3 buckets they use?
  • Why bother sending a phishing e-mail to every possible e-mail address on the domain when you can target the employees who have domain administrator rights, as mentioned on their social media profile?
  • What’s the point in getting into the organisation’s network in the first place if they use Github and Atlassian cloud services for managing their intellectual property? Then all you’d need is the credentials of an employee who has access, which are likely to be the same credentials they use for their social media account. Perhaps the same credentials recently revealed in a data leak.
  • Why spend so much time performing port scans, banner grabs and so on to identify the applications exposed by your target when you can use a service like SHODAN, Censys or BinaryEdge to get all that information, all without transmitting a single packet to the target’s network?

The new perimeter

It seems unlikely that the perimeter metaphor is going to disappear any time soon, but the definition has to change to look more broadly at all the ways an attacker can gain critical insight into an organisation and use that information to their advantage. We have to stop seeing the perimeter as the border of the network and instead see it as all the information openly available about an organisation which could be used against it.

In today’s organisations, the new perimeter is the sum of all systems that can be accessed externally plus all the information available about the organisation that could be used against it — directly or indirectly.

This information needs to be identified and controlled if not eliminated, just like the old network-centric perimeter was.

Conclusion

What’s great about OSINT is that it represents a methodology of using openly available information to understand your target. OSINT isn’t just about port scans and host name enumeration; it extends into the world of social media, cloud services, data leaks, public records and much more. OSINT makes the task of identifying an organisation’s true perimeter possible.

If you are new to OSINT, there are plenty of tools and resources available to help you get started and apply it as part of your overall security strategy. Check out this article about OSINT resources I posted recently to get more insight into resources that should be helpful. What you find about your own organisation might surprise you.