OSINT and business intelligence
Although business intelligence and OSINT are two terms that are gaining visibility among the general public in France (this is less true in Anglo-Saxon countries, which have a more developed intelligence culture), they remain relatively vague for most non-practitioners. Business intelligence is regularly associated with espionage, while someone who explains their passion for OSINT is often asked whether they are a creepy stalker.
Yet these are two rather noble concepts, one of which, open source intelligence, serves the other. The person reading this post on osintfr.com probably has some idea of what OSINT is, but business intelligence can be vague: is it market research? Marketing? Intelligence? There are several definitions, but the most complete one seems to be this one: it is “the systematic research and interpretation of information available to all, in order to decipher the intentions of the actors and to know their capacities”. And so, like OSINT, business intelligence is strictly limited by the legal framework, since it is only a matter of collecting information accessible to all.
Based on two types of missions, this article aims to show how OSINT is used in a business intelligence firm, which will both demystify this activity and present some particularly valuable tools.
Investigating a case of online destabilization
A typical case in a business intelligence firm: investigating the destabilization of a natural or legal person on the Web. This can take the form of blogs or Twitter, Instagram or Facebook accounts denigrating a company. Let’s take the case of a company that notices a significant drop in its sales without any event justifying it.
To begin with, Google queries identify a galaxy of websites and individuals that are critical of the company’s products. All of these sites present themselves as independent bloggers or online comparators. When reading the articles, one realizes that all these sites are relatively new. The significant drop in sales begins to find an explanation.
We now have some material to investigate, starting with the content of the sites (purpose, “about us” section, legal notices, etc.). The first observation is that the sites look strangely similar, as if they had been copied and pasted with minor modifications. Another similarity: the biographies of the “bloggers” are all incoherent and accompanied by profile photos that seem to have been taken straight from https://thispersondoesnotexist.com/. The legal notices are limited to information about the host, which is not very useful. At this stage, we can already assume a destabilization, but nothing yet allows us to identify the author.
Fictional illustration (not far from real cases)
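The "copied and pasted with minor modifications" observation can be quantified. The following is an added example, not code from the original article: it compares word-trigram shingles with Jaccard similarity and groups sites that exceed a threshold. The site names, texts and the 0.5 threshold are constructed assumptions.

```python
import re
from itertools import combinations

# Constructed "about" texts standing in for four scraped sites (invented content).
TAIL = ("an independent blogger who tests kitchen appliances at home. "
        "After three weeks of use I cannot recommend this brand to ")
PAGES = {
    "blog-a.example": "I am Anna, " + TAIL + "anyone.",
    "blog-b.example": "I am Marc, " + TAIL + "my readers.",
    "blog-c.example": "I am Lena, " + TAIL + "anyone.",
    "comparator-d.example": "Our team publishes laboratory measurements for "
                            "vacuum cleaners and lists the lowest price each month.",
}

def shingles(text, k=3):
    """Set of k-word sequences; punctuation and case are ignored."""
    words = re.findall(r"[a-z0-9']+", text.lower())
    return {tuple(words[i:i + k]) for i in range(len(words) - k + 1)}

def jaccard(a, b):
    """Shared shingles divided by all shingles; 0.0 when both sets are empty."""
    return len(a & b) / len(a | b) if a | b else 0.0

def similar_pairs(pages, threshold=0.5, k=3):
    """Pairs of sites whose texts overlap at or above the threshold."""
    sets = {name: shingles(text, k) for name, text in pages.items()}
    pairs = []
    for x, y in combinations(sorted(sets), 2):
        score = jaccard(sets[x], sets[y])
        if score >= threshold:
            pairs.append((x, y, round(score, 2)))
    return pairs

def clusters(pages, threshold=0.5):
    """Connected groups of near-duplicate sites (two or more members)."""
    parent = {name: name for name in pages}
    def find(name):
        while parent[name] != name:
            name = parent[name]
        return name
    for x, y, _ in similar_pairs(pages, threshold):
        parent[find(y)] = find(x)
    groups = {}
    for name in sorted(pages):
        groups.setdefault(find(name), []).append(name)
    return [group for group in groups.values() if len(group) > 1]

if __name__ == "__main__":
    print(similar_pairs(PAGES))
    print(clusters(PAGES))
```

A high score only shows that the texts share a template; it is a lead to corroborate with the technical elements, not an attribution.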
After having fully exploited the content of the site (without forgetting archive.org!), let’s move on to the technical elements. When registering a domain name, it is necessary to provide certain information, such as the name, email, phone number and address of the person who registered it. This data, which can be consulted through a WHOIS lookup (such as viewdns.info), can however be anonymized. We then end up with something like this:
It’s bad luck, but there is still a wild card to play: the WHOIS history! However, to do so, you must subscribe to a paid service, such as http://domaintools.com/. The information is anonymous at the time of the WHOIS lookup, but it can happen that the owner of the domain name first filled in his information in clear text, before deciding that it would be good to ask for anonymization. But the Web doesn’t forget much… And, in this case, several histories give the same email address and the same identity, from which it is possible to pivot.
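The WHOIS history pivot described above, as an added example that is not part of the original article: for each domain it finds the oldest historical record whose registrant is not masked, then groups domains by that clear-text email. The records, domains, email and the list of privacy markers are constructed assumptions; real history would come from a provider export.

```python
import re
from collections import defaultdict

# Constructed WHOIS history (snapshots in no guaranteed order); all values invented.
CLEAR = "Registrant Name: Boris Example\nRegistrant Email: b.example@mail.example\n"
MASKED = "Registrant Name: REDACTED FOR PRIVACY\nRegistrant Email: 7f3a@privacy-proxy.example\n"
HISTORY = {
    "honest-reviews.example": [("2021-03-02", CLEAR), ("2021-06-15", MASKED)],
    "top-comparator.example": [("2021-07-01", MASKED), ("2021-04-11", CLEAR)],
    "consumer-truth.example": [("2021-05-20", MASKED)],
}

# Heuristic markers of a privacy/proxy registration (assumption, extend as needed).
PRIVACY_MARKERS = ("redacted", "privacy", "proxy", "withheld", "not disclosed")
FIELD_RE = re.compile(r"^\s*Registrant (Name|Email):\s*(.+?)\s*$", re.I | re.M)

def parse_registrant(raw):
    """Return {'name': ..., 'email': ...} for the registrant fields present."""
    return {key.lower(): value for key, value in FIELD_RE.findall(raw)}

def is_anonymized(fields):
    """True when the record is empty or carries a privacy-service marker."""
    blob = " ".join(fields.values()).lower()
    return not fields or any(marker in blob for marker in PRIVACY_MARKERS)

def earliest_clear_email(snapshots):
    """Oldest snapshot whose registrant email is not masked, as (date, email)."""
    for date, raw in sorted(snapshots):          # ISO dates sort chronologically
        fields = parse_registrant(raw)
        if "email" in fields and not is_anonymized(fields):
            return date, fields["email"].lower()
    return None

def cluster_by_registrant(history):
    """Group domains by the clear-text email found in their WHOIS history."""
    clusters, unresolved = defaultdict(list), []
    for domain, snapshots in sorted(history.items()):
        hit = earliest_clear_email(snapshots)
        if hit:
            clusters[hit[1]].append((domain, hit[0]))
        else:
            unresolved.append(domain)
    return dict(clusters), unresolved

if __name__ == "__main__":
    shared, unresolved = cluster_by_registrant(HISTORY)
    for email, domains in shared.items():
        print(email, "->", domains)
    print("still anonymous:", unresolved)
```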
Back to Google: a search for “first name last name” brings up several LinkedIn profiles, one of which seems interesting: the person describes himself as an SEO pro. No certainty, but it’s worth following. Second stroke of luck, the individual (we’ll call him Boris) shared a CV a few months ago, in which his email address appears… the same one used for domain name registration. Bingo, we know that this is the right person. Now we have to understand why, one day, Boris decided to create several sites to denigrate a company that does not even operate in his field of activity.
We must then understand who he is and try to identify whether, among his relations, there is someone who has an interest in denigrating a company. Since Boris has his own company, we can try to consult the articles of association for free via Pappers (for French companies; if he were in the UK, we would look at this one). Since these indicate that Boris is married, it is worth looking at who his wife is. Google searches don’t turn up much, but Pappers shows that she owns a business that is a competitor to the company being disparaged online! At this point, the cluster of evidence starts to become substantial and we can start with the hypothesis “Boris created these sites to denigrate a competitor of his wife” and try to find other evidence to support this.
These online manipulation techniques are not uncommon and are not limited to the private sector. In a recent study, Openfacto identified more than 1,300 Russian-language sites managed by the GRU, the Russian military intelligence service.
Conducting a due diligence
Another classic case of business intelligence is due diligence. In France, the Sapin II law requires companies with more than 500 employees and a turnover of more than 100 million euros to evaluate their partners (subcontractors, subsidiaries) in order to prevent all practices related to corruption and breaches of integrity. This is a due diligence type of mission that will focus on several aspects, including judicial and reputational elements. Beyond these elements, it also makes it possible to validate the interest of a possible merger with regard to the capacities of the company, its reputation, its dynamics, etc. Due diligence can also be carried out before a service is provided.
After a brief press review to familiarize oneself with the company to be investigated, it is very often useful to retrace its history. The starting point is obviously to identify the company in question in order to obtain the articles of association (if this is possible, as not all countries have good and available business registers): this will allow you to understand which key people are attached to the company and whether the founders are still present.
In addition to Google searches and consulting the “About Us” or “Our History” pages, it is extremely interesting to use archive.org, as this resource will show how the company described itself at different moments of its existence, thus shedding light on its strategy, successes and failures. The elements to find are endless (names of former managers, their biographies, contacts, etc.) but here are a few useful examples for business intelligence:
- Browsing through the versions of a consulting firm’s website, we see that the company was present in Paris, Moscow and Istanbul in 2013, then Paris, Moscow and Malta in 2016, and now it lists Paris and London. This then triggers several questions: why did they go there? For what reasons did the branches close? Are the leaders of these branches identifiable? If so, they could possibly be contacted.
- Browsing through the archives, it is also possible to compare sections over time. Let’s imagine a “Who are we?” section presenting a dozen people at a given moment, then 9 one month later, then 4 three months later. First observation: the company is losing its employees (or only updating the page when people leave…). If we look at the history in detail, we notice that the founder’s son had been appointed director a few months before these massive departures. We can then hypothesize that the appointment did not go down well and was followed by a wave of departures. Of course, this then has to be confirmed by other elements.
- In a 2007 archive, the School of Economic Warfare promotes a “strategy for conquering Asian markets” program, which no longer exists today. This may show, for example, that the school has tried to diversify its activities.
Once the history, activity and status have been studied, it is time to look at possible criminal records or other “dirty laundry”. To obtain this type of information, which is more difficult to access while remaining within the framework of OSINT, there are many specialized databases. Here are some sources and what can be found in them:
- Wikileaks: an NGO that publishes leaks and has become known for revealing thousands of American diplomatic cables. An analyst doing research on the Cambodian company The Royal Group would be very interested to learn that the manager was considered a “relatively young and ruthless gangster”. Because the individual is known, the information was then relayed by the press, but there are thousands of pieces of information of no interest to the general public that can only be found in Wikileaks;
- ICIJ: the International Consortium of Investigative Journalists also provides a search engine exploring known leaks (Paradise & Panama papers, Luxleaks, Luanda leaks, etc.). This can help to prove the involvement of a person or a company in a financial arrangement in tax havens. If it is not illegal to have interests in a company present in a tax haven, it is still an alert that must be investigated;
- OCCRP Aleph: search engine of the Organized Crime and Corruption Reporting Project, which aggregates leaks and databases (business registers and official documents). It is a good complement to the ICIJ.
Of course, due diligence requires consulting many more resources, but the goal here is to show some of what is being done from open sources.
Conclusion
In the end, the missions and the way of working in a business intelligence firm do not really differ from the journalistic approach and the (excellent) investigations published by the Fox Project on disinformation or Openfacto on embargo violations. It is always about unraveling complex situations from open sources. Each assignment is unique, but the key is always the same: be methodical, consult resources, and be analytical. Complex cases are those that require many pivots before finding relevant information. Finally, one must also keep in mind that not everything is identifiable in OSINT, but that open source intelligence can provide clues and identify sources.