Four Cardinal Virtues of good open source research - Digital Threat Digest
PGI’s Digital Investigations Team brings you the Digital Threat Digest, SOCMINT and OSINT insights into disinformation, influence operations, and online harms.
Last week, Bellingcat released their ‘Seven Deadly Sins of Bad Open Source Research’. The article lays out the glaring errors they’ve observed by practitioners online, especially regarding the conflicts in Gaza and Ukraine. I thought these lessons were useful even for intelligence analysts like me who think of themselves as a little more discerning than the usual OSINT twitter profile. We all sin. My key takeaways were the importance of avoiding confirmation bias and understanding the limitations of OSINT tools.
I’d like to respond to their 'Seven Deadly Sins' with my own 'Four Cardinal Virtues'.
The first of these is prudence in attribution. While it’s important to make your judgements clear, don’t be overconfident when linking behaviour or infrastructure to a specific threat actor. Be upfront about the limitations of the evidence and the likelihood you attach to each assessment. This matters when the intelligence informs stakeholder activity, as it helps them prioritise their responses, and it also informs other researchers building on the work in the future.
The second is doing the research. It can be tempting to rush into projects, excited about the possibilities of identifying new campaigns or behaviours. However, becoming properly acquainted with previous research first can avoid embarrassment and wasted effort down the line. Read third-party fact-checking reports carefully, do your homework on a geography, and ensure that you have properly got to grips with the key terms and phenomena.
The third virtue is to be thorough in your investigations. This means taking the time to explore the entire attack surface of a website to make sure that you have generated and followed as many of the leads as possible. You can also try multiple tools for the same signal. This helps to overcome the limitations of individual tools and surfaces all of the new intel available from a given source.
Lastly, collaboration is key. Open-source research can feel like a solo endeavour. You may be working alone at home or even feel like you’re racing against fellow analysts to be the first to identify or attribute threat behaviour. Reach out via DMs or share your insights with your team if you’re at a dead-end. There’s no shame in someone else identifying a new detail you may have overlooked; you’ve both contributed, and you’ve learnt something for next time.
So go forth and be righteous in your practice. Let your investigations be bless-ed.