
Four Cardinal Virtues of good open source research - Digital Threat Digest

PGI’s Digital Investigations Team brings you the Digital Threat Digest, SOCMINT and OSINT insights into disinformation, influence operations, and online harms.


Last week, Bellingcat released their ‘Seven Deadly Sins of Bad Open Source Research’. The article lays out the glaring errors they’ve observed by practitioners online, especially regarding the conflicts in Gaza and Ukraine. I thought these lessons were useful even for intelligence analysts like me who think of themselves as a little more discerning than the usual OSINT Twitter profile. We all sin. My key takeaways were the importance of avoiding confirmation bias and understanding the limitations of OSINT tools.

I’d like to respond to their 'Seven Deadly Sins' with my own 'Four Cardinal Virtues'.

The first of these is prudence in attribution. While it’s important to make judgements clear, don’t be overconfident when linking behaviour or infrastructure to a specific threat actor. Be upfront about the evidence’s limitations and the likelihood of your assessments. This is important when the intelligence informs stakeholder activity, as it can help them prioritise their responses and also inform other researchers building on the work in the future.

The second is doing the research. It can be tempting to rush into projects, excited about the possibilities of identifying new campaigns or behaviours. However, becoming properly acquainted with previous research first can avoid embarrassment and wasted effort down the line. Read third-party fact-checking reports carefully, do your homework on a geography, and ensure that you have properly got to grips with key terms and phenomena.

The third virtue is to be thorough in your investigations. This means taking the time to explore the entire attack surface of a website to make sure that you have generated and followed as many of the leads as possible. You can also try multiple tools for the same signal. This helps to overcome the limitations of individual tools and surfaces all the new intel available from a given source.
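The first and third virtues are easier to practise if the lead-gathering is written down rather than kept in your head. The script below is an added illustration, not code from PGI or from the Digital Threat Digest: it merges what several lookup tools returned for the same signal into one ledger, records which tools surfaced each lead, flags leads that only one tool saw so the write-up can state their weaker footing, and lists what each tool missed. The tool names, the domain and every lead value are constructed placeholders, as are the function names.

```python
from collections import defaultdict

# Constructed sample data: the leads three hypothetical lookup tools returned when
# queried for the same signal (one domain). Tool names, the domain and every lead
# value are invented placeholders for this example, not real indicators.
SIGNAL = "example-news.invalid"
TOOL_RESULTS = {
    "tool_a": ["203.0.113.10", "contact@example-news.invalid"],
    "tool_b": ["203.0.113.10", "AS64496", "example-news.invalid/about"],
    "tool_c": ["AS64496", "ANALYTICS-ID-PLACEHOLDER"],
}


def corroborate(results):
    """Merge per-tool lead lists into one ledger: lead value -> set of tools that surfaced it."""
    ledger = defaultdict(set)
    for tool, leads in results.items():
        for lead in leads:
            ledger[lead.strip()].add(tool)
    return dict(ledger)


def triage(ledger, min_sources=2):
    """Split the ledger into leads seen by several tools and leads seen by only one.

    Single-source leads are still leads (the thorough researcher follows all of them),
    but they are flagged so the report can be upfront about their evidential footing.
    """
    corroborated = sorted(l for l, srcs in ledger.items() if len(srcs) >= min_sources)
    single_source = sorted(l for l, srcs in ledger.items() if len(srcs) < min_sources)
    return corroborated, single_source


def coverage_gaps(results, ledger):
    """For each tool, list the leads other tools found that this tool missed.

    A non-empty gap for every tool is the concrete reason to run more than one
    tool per signal: none of them sees the whole picture.
    """
    all_leads = set(ledger)
    return {tool: sorted(all_leads - set(leads)) for tool, leads in results.items()}


def evidence_note(lead, ledger, total_tools):
    """Render one evidence line stating provenance plainly, e.g. for a report appendix."""
    sources = sorted(ledger[lead])
    status = "corroborated" if len(sources) >= 2 else "single-source, verify before use"
    return f"{lead}: {len(sources)}/{total_tools} tools ({', '.join(sources)}); {status}"


if __name__ == "__main__":
    ledger = corroborate(TOOL_RESULTS)
    corroborated, single = triage(ledger)
    print(f"Signal: {SIGNAL}")
    print("Corroborated leads:", corroborated)
    print("Single-source leads to verify:", single)
    for tool, gap in coverage_gaps(TOOL_RESULTS, ledger).items():
        print(f"{tool} missed: {gap}")
    for lead in sorted(ledger):
        print(evidence_note(lead, ledger, len(TOOL_RESULTS)))
```

Run as-is it prints the merged ledger for the constructed data; in practice you would replace `TOOL_RESULTS` with the parsed output of whatever tools you actually ran. The point of the `coverage_gaps` output is that every tool misses something the others found, which is the argument for querying the same signal more than once; the `evidence_note` lines are what lets a reader of the final report see how many sources stand behind each claim.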

Lastly, collaboration is key. Open-source research can feel like a solo endeavour. You may be working alone at home or even feel like you’re racing against fellow analysts to be the first to identify or attribute threat behaviour. Reach out via DMs or share your insights with your team if you’re at a dead-end. There’s no shame in someone else identifying a new detail you may have overlooked; you’ve both contributed, and you’ve learnt something for next time.

So go forth and be righteous in your practice. Let your investigations be bless-ed.
