OSINT Tools & Techniques

Open-Source Intelligence (OSINT) is the process of collecting and analyzing information from publicly available sources to support threat detection, incident response, attribution, and investigation.
In SOC operations, OSINT provides external visibility—helping analysts discover attacker infrastructure, validate indicators, track malicious activity, and enrich alerts with context.

This chapter explains OSINT in full-scale SOC depth, including tools, workflows, techniques, validation steps, and practical investigation examples.


What OSINT Means in SOC

OSINT helps analysts:

  • Enrich IPs, domains, URLs, and file hashes

  • Identify malware families

  • Detect attacker infrastructure

  • Trace phishing campaigns

  • Validate suspicious executables

  • Find related IOCs

  • Identify attacker TTPs

  • Discover external exposures

  • Support threat hunting

OSINT is never used alone; it enhances SIEM, EDR, network logs, and threat intelligence feeds.


OSINT Investigation Workflow (SOC-Level)

The OSINT process follows a structured workflow:

  1. Identify the indicator
    (IP, domain, URL, hash, email, username)

  2. Perform reputation checks
    Using security intelligence services.

  3. Cross-verify across multiple OSINT tools
    Avoid trusting single-source data.

  4. Analyze patterns
    Registration dates, ASN, TTL, DNS history, malware history.

  5. Trace relationships
    Find linked domains, IPs, samples, campaigns.

  6. Correlate with SIEM logs
    Determine relevance to internal environment.

  7. Document findings
    Add enrichment to incident tickets.

  8. Feed verified indicators into detection rules
    Update SIEM/EDR with new intelligence.

This structure ensures correctness and avoids false attribution.
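The following script is an added example (not part of the original chapter) that carries workflow steps 1 to 3 and 7 through in code: it classifies the indicator by its shape, collects verdicts from several sources, refuses to call anything malicious on a single source's word, and produces the enrichment note that goes into the ticket. The source verdicts are constructed sample data standing in for live VirusTotal, GreyNoise, OTX and WHOIS responses; the scoring weights and thresholds are assumptions to be tuned, not values from the page or from any vendor. The IP 91.22.113.10 mirrors technique 1 below; 203.0.113.7 is a made-up benign scanner from a documentation range.

```python
"""Multi-source indicator enrichment with cross-verification (added example)."""
import ipaddress
import re
from dataclasses import dataclass, field

# Step 1: identify the indicator type from its shape.
HASH_RE = re.compile(r"^(?:[0-9a-fA-F]{32}|[0-9a-fA-F]{40}|[0-9a-fA-F]{64})$")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[A-Za-z]{2,}$")
DOMAIN_RE = re.compile(r"^(?:[A-Za-z0-9-]{1,63}\.)+[A-Za-z]{2,63}$")


def classify_indicator(value: str) -> str:
    v = value.strip()
    try:
        ipaddress.ip_address(v)
        return "ip"
    except ValueError:
        pass
    if HASH_RE.match(v):
        return "hash"
    if EMAIL_RE.match(v):
        return "email"
    if v.lower().startswith(("http://", "https://")):
        return "url"
    if DOMAIN_RE.match(v):
        return "domain"
    return "unknown"


# Steps 2-3: reputation checks. CONSTRUCTED sample verdicts stand in for live
# API responses; only the labels an analyst reads off each service are modelled.
SAMPLE_SOURCES = {
    "91.22.113.10": {
        "virustotal": {"malicious": 9, "engines": 70},
        "greynoise": {"classification": "unknown"},   # not known background noise
        "otx": {"pulses": 4},
        "whois": {"provider": "disposable"},
    },
    "203.0.113.7": {
        "virustotal": {"malicious": 1, "engines": 70},
        "greynoise": {"classification": "benign"},    # known research scanner
        "otx": {"pulses": 0},
        "whois": {"provider": "research"},
    },
}


@dataclass
class Enrichment:
    indicator: str
    kind: str
    score: int = 0
    corroborating: int = 0            # sources that independently flag it
    evidence: list = field(default_factory=list)
    verdict: str = "unknown"


def enrich(indicator: str, sources: dict = SAMPLE_SOURCES) -> Enrichment:
    rec = Enrichment(indicator, classify_indicator(indicator))
    data = sources.get(indicator)
    if data is None:
        rec.evidence.append("no OSINT coverage; treat as unverified")
        return rec
    vt = data["virustotal"]
    if vt["malicious"] >= 5:                       # weights are assumptions
        rec.score += 40
        rec.corroborating += 1
        rec.evidence.append(f"virustotal: {vt['malicious']}/{vt['engines']} engines malicious")
    elif vt["malicious"] > 0:
        rec.score += 10
        rec.evidence.append(f"virustotal: only {vt['malicious']}/{vt['engines']} engines (weak)")
    gn = data["greynoise"]["classification"]
    if gn == "benign":
        rec.score -= 30
        rec.evidence.append("greynoise: benign internet-wide scanner (noise)")
    elif gn == "malicious":
        rec.score += 30
        rec.corroborating += 1
        rec.evidence.append("greynoise: malicious mass scanner")
    else:
        rec.evidence.append("greynoise: not seen as background noise (possibly targeted)")
    if data["otx"]["pulses"] > 0:
        rec.score += 20
        rec.corroborating += 1
        rec.evidence.append(f"otx: present in {data['otx']['pulses']} pulse(s)")
    if data["whois"]["provider"] == "disposable":
        rec.score += 10
        rec.corroborating += 1
        rec.evidence.append("whois: disposable hosting provider")
    # Step 3: never escalate on one source. "malicious" needs a high score AND
    # at least two independent sources; a GreyNoise "benign" pulls toward noise.
    if rec.score >= 50 and rec.corroborating >= 2:
        rec.verdict = "malicious"
    elif rec.score >= 20:
        rec.verdict = "suspicious"
    elif rec.score <= 0:
        rec.verdict = "benign"
    return rec


def ticket_note(rec: Enrichment) -> str:
    """Step 7: one text block ready to paste into the incident ticket."""
    lines = [f"Indicator: {rec.indicator} ({rec.kind})",
             f"Verdict: {rec.verdict} (score={rec.score}, sources={rec.corroborating})"]
    lines += [f"  - {e}" for e in rec.evidence]
    return "\n".join(lines)


if __name__ == "__main__":
    for ioc in ("91.22.113.10", "203.0.113.7", "sync-update-info.net"):
        print(ticket_note(enrich(ioc)), end="\n\n")
```

The corroboration counter is the part worth keeping when you wire this to real APIs: a verdict that cannot name two independent sources stays "suspicious" no matter how high one engine count is, which is what step 3 of the workflow asks for.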


Core OSINT Tools and Their SOC Use Cases

Below are the tools SOC analysts use daily with precise application scenarios.


IP, Domain & URL OSINT Tools

VirusTotal

Purpose:

  • File, URL, IP, domain analysis

  • Sandbox behavior

  • Relationship mapping

  • Known malware attribution

Use cases:

  • Validate whether a domain is part of a known malware campaign

  • Map a file hash to its malware family

  • Check whether outbound traffic destinations are known C2


AbuseIPDB

Purpose:

  • IP reputation and abuse reports

Use cases:

  • Identify brute force IP

  • Confirm scanning sources

  • Validate external attacker IPs


AlienVault OTX

Purpose:

  • Community-contributed threat intelligence

  • Pulse-based IOC clusters

Use cases:

  • Find related indicators

  • Validate emerging campaigns

  • Enrich alert context


GreyNoise

Purpose:

  • Distinguish internet noise from targeted attacks

Use cases:

  • Determine if scanning IP is benign background noise

  • Prioritize real threats


Talos Intelligence (Cisco)

Purpose:

  • IP/domain reputation

  • WHOIS enrichment

  • Email threat data

Use cases:

  • Identify phishing infrastructure

  • Validate malicious emails


URLScan.io

Purpose:

  • Automated URL crawling and screenshotting

Use cases:

  • Analyze phishing URLs safely

  • Extract additional IOCs

  • Identify redirect chains


PassiveTotal / RiskIQ

Purpose:

  • Passive DNS

  • Infrastructure linking

  • Historical records

Use cases:

  • Find related malicious domains

  • Understand attacker infrastructure lifespan


File & Malware OSINT Tools

Hybrid-Analysis

Purpose:

  • Deep malware sandbox analysis

Use cases:

  • Identify malware behavior

  • Extract dropped files

  • Find network indicators


Any.Run

Purpose:

  • Interactive malware sandbox

Use cases:

  • Analyze malware in real time

  • Capture C2 traffic

  • Observe persistence creation


MalwareBazaar

Purpose:

  • Malware samples repository

Use cases:

  • Download samples for internal sandbox testing

  • Track malware families


Hashdd

Purpose:

  • Multi-engine hash lookup

Use cases:

  • Validate hash reputation quickly


Email OSINT Tools

MXToolbox

Purpose:

  • Email DNS, MX, SPF, DKIM checks

Use cases:

  • Identify spoofing

  • Validate phishing email origins


ThreatCrowd

Purpose:

  • Crowd-sourced IOC graphing

Use cases:

  • Find related phishing infrastructure

  • Map relationships between email domains and IPs


Social & Human OSINT Tools

LinkedIn

Purpose:

  • Discover employee details used in spear-phishing

Use cases:

  • Track targeted campaigns

  • Identify impersonation attempts


GitHub

Purpose:

  • Detect leaked keys, malware code, attacker tools

Use cases:

  • Find exposed credentials

  • Trace malware repositories


Social media search

Use cases:

  • Track announcements from ransomware groups

  • Identify attacker claims


Network & Infrastructure OSINT Tools

Shodan

Purpose:

  • Exposed services

  • Internet-facing vulnerabilities

  • Open ports

Use cases:

  • Validate attacker scan results

  • Check what systems of your organization are exposed

  • Identify attacker C2 servers


Censys

Purpose:

  • Advanced internet-wide scanning

Use cases:

  • Validate SSL certificates

  • Identify infrastructure overlaps


ASN & WHOIS Lookup Tools

Use cases:

  • Identify hosting provider

  • Spot newly registered malicious domains

  • Detect high-risk TLDs


OSINT Techniques Used in SOC Investigations

Below are practical techniques applied daily in SOC environments.


1. Indicator Enrichment

Example:
Firewall alert:

DST=91.22.113.10

OSINT checks:

  • VirusTotal → C2

  • GreyNoise → not noise

  • OTX → part of active malware cluster

  • WHOIS → disposable hosting provider

Outcome:

  • Immediate escalation.


2. Pivoting to Find Related Indicators

Example:
Suspicious domain:

sync-update-info.net

Pivot techniques:

  • Passive DNS → other subdomains

  • SSL certificate reuse → associated domains

  • WHOIS → same email

  • OTX → campaign cluster

Outcome:

  • Discover 15 additional malicious domains.
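The pivoting described above, as an added example that is not part of the original chapter: every passive DNS, certificate reuse and WHOIS record becomes an edge between a domain and the artifact it shares (IP, certificate fingerprint, registrant e-mail), and a breadth-first walk from the seed returns every domain reachable through those artifacts together with the chain of pivots that led there. The records are constructed sample data: the IPs come from documentation ranges and the fingerprint and e-mail are placeholders; in practice they would be pulled from services such as PassiveTotal or OTX.

```python
"""Pivoting from a seed domain to related infrastructure (added example)."""
from collections import defaultdict, deque

SEED = "sync-update-info.net"         # the suspicious domain from technique 2

# CONSTRUCTED records in the shape an analyst pulls from passive DNS,
# certificate reuse and WHOIS. Artifact values are placeholders, not real IOCs.
PASSIVE_DNS = [                        # (domain, resolved IP)
    ("sync-update-info.net", "198.51.100.23"),
    ("cdn.sync-update-info.net", "198.51.100.23"),
    ("login-verify-portal.com", "198.51.100.23"),
    ("example.org", "192.0.2.10"),      # unrelated: shares no artifact
]
CERT_REUSE = [                         # (domain, TLS certificate fingerprint)
    ("login-verify-portal.com", "sha256:CONSTRUCTED-CERT-A"),
    ("secure-account-check.net", "sha256:CONSTRUCTED-CERT-A"),
]
WHOIS = [                              # (domain, registrant e-mail)
    ("sync-update-info.net", "registrant-placeholder@example.net"),
    ("account-sync-alerts.net", "registrant-placeholder@example.net"),
    ("example.org", "hostmaster@example.org"),
]


def build_graph(passive_dns, cert_reuse, whois):
    """Undirected graph: domain nodes connect to the artifact nodes they share."""
    graph = defaultdict(set)

    def link(a, b):
        graph[a].add(b)
        graph[b].add(a)

    for domain, ip in passive_dns:
        link(("domain", domain), ("ip", ip))
    for domain, fp in cert_reuse:
        link(("domain", domain), ("cert", fp))
    for domain, email in whois:
        link(("domain", domain), ("email", email))
    # A subdomain is also linked to its registered domain (simple two-label
    # heuristic; public-suffix handling is left out of this example).
    for node in list(graph):
        if node[0] == "domain" and node[1].count(".") >= 2:
            link(node, ("domain", ".".join(node[1].split(".")[-2:])))
    return graph


def pivot(seed, graph, max_hops=4):
    """Breadth-first walk from the seed. Returns {related_domain: chain}, where
    the chain lists the artifacts and domains crossed to reach it."""
    start = ("domain", seed)
    seen = {start: []}
    queue = deque([start])
    related = {}
    while queue:
        node = queue.popleft()
        chain = seen[node]
        if len(chain) >= max_hops * 2:      # each hop = one artifact + one domain
            continue
        for nxt in graph.get(node, ()):
            if nxt in seen:
                continue
            seen[nxt] = chain + [f"{nxt[0]}:{nxt[1]}"]
            queue.append(nxt)
            if nxt[0] == "domain":
                related[nxt[1]] = seen[nxt]
    return related


if __name__ == "__main__":
    g = build_graph(PASSIVE_DNS, CERT_REUSE, WHOIS)
    for dom, chain in sorted(pivot(SEED, g).items()):
        print(f"{dom:30} via {' -> '.join(chain)}")
```

The hop limit matters more than it looks: shared artifacts such as a CDN IP or a hosting provider's default certificate connect thousands of unrelated domains, so each discovered domain should be checked for that kind of shared-infrastructure noise before it is added to the IOC list.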


3. Infrastructure Age Analysis

Example:
Domain created 2 days ago → high suspicion
TI rule:

block domains < 7 days old

OSINT helps apply policy decisions.
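An added example (not from the original chapter) of turning the age rule above into code: it parses the creation date out of WHOIS output, computes the domain age against a fixed reference time, and applies "block domains < 7 days old", with two caveats a practitioner hits immediately: WHOIS servers label the date differently, and a redacted or missing creation date is not evidence of age and should go to review rather than be treated as old. The WHOIS excerpts, the reference time and the high-risk TLD entries are constructed placeholders; the TLD set in particular should come from your own intelligence.

```python
"""Infrastructure age policy from WHOIS creation dates (added example)."""
import re
from datetime import datetime, timezone

MAX_AGE_DAYS = 7                       # the TI rule stated in the chapter

# Placeholder set for illustration; populate from your own intelligence.
HIGH_RISK_TLDS = {"top", "xyz"}

# WHOIS servers label the creation date differently; cover the common labels.
CREATED_RE = re.compile(
    r"^\s*(?:Creation Date|Created(?: On)?|Registered On)\s*:\s*(\S+)", re.I | re.M)
DATE_FORMATS = ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%M:%S%z", "%Y-%m-%d", "%d-%b-%Y")


def parse_creation_date(whois_text):
    """Return a tz-aware datetime, or None if no usable creation date exists."""
    m = CREATED_RE.search(whois_text)
    if not m:
        return None
    raw = m.group(1)
    for fmt in DATE_FORMATS:
        try:
            dt = datetime.strptime(raw, fmt)
        except ValueError:
            continue
        return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)
    return None


def evaluate_domain(domain, whois_text, now):
    created = parse_creation_date(whois_text)
    tld = domain.rsplit(".", 1)[-1].lower()
    reasons = []
    if tld in HIGH_RISK_TLDS:
        reasons.append(f"high-risk TLD .{tld}")
    if created is None:
        # Redacted or missing data is not evidence of age: hand it to an analyst.
        reasons.append("no creation date in WHOIS")
        return {"domain": domain, "age_days": None, "decision": "review", "reasons": reasons}
    age_days = (now - created).days
    if age_days < MAX_AGE_DAYS:
        reasons.append(f"registered {age_days} day(s) ago (< {MAX_AGE_DAYS})")
        decision = "block"
    else:
        decision = "review" if reasons else "allow"
    return {"domain": domain, "age_days": age_days, "decision": decision, "reasons": reasons}


# CONSTRUCTED sample WHOIS excerpts and a fixed "now" so results are stable.
NOW = datetime(2025, 12, 1, tzinfo=timezone.utc)
SAMPLES = {
    "invoice-sync-portal.top": "Domain Name: invoice-sync-portal.top\nCreation Date: 2025-11-29T08:15:00Z\n",
    "example.com": "Domain Name: EXAMPLE.COM\nCreation Date: 1995-08-14T04:00:00Z\n",
    "privacy-shielded.net": "Domain Name: privacy-shielded.net\nRegistrant: REDACTED FOR PRIVACY\n",
    "old-but-risky.xyz": "domain: old-but-risky.xyz\ncreated: 2019-03-04\n",
}


def run_samples(now=NOW):
    return {d: evaluate_domain(d, txt, now) for d, txt in SAMPLES.items()}


if __name__ == "__main__":
    for d, r in run_samples().items():
        print(f"{d:26} {r['decision']:7} age={r['age_days']} {'; '.join(r['reasons'])}")
```

Keep the reference time as an explicit parameter rather than calling the clock inside the function; it makes the policy reproducible in an incident timeline and lets you re-evaluate a domain as it looked at the time of the alert.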


4. Malware Family Identification via Hash

Example:
Sysmon log shows:

Hash = 8F1C...23E9

OSINT:

  • VirusTotal

  • Hybrid-Analysis sandbox

  • MalwareBazaar

Outcome:

  • Identified as QakBot loader.

  • Immediate host isolation.


5. Safe Analysis of Phishing Pages

Using URLScan.io:

  • Render page

  • Extract hidden fields

  • Capture IP and server details

Outcome:

  • Granular IOCs collected safely.


6. Tracking C2 Patterns

Cobalt Strike indicators:

  • Unique JARM fingerprints

  • Specific SSL certificates

  • Characteristic beaconing patterns

OSINT tools like Shodan and PassiveTotal help attribute them.


7. Identifying Whether Alert Is Targeted

GreyNoise tells whether:

  • IP is scanning entire internet (noise)

  • IP is focusing on your organization (targeted)

This influences severity ratings.


Real SOC OSINT Scenario

Scenario: Suspicious Outbound DNS Query

query: checkin.update-sync.biz

OSINT steps:

  1. Passive DNS → multiple random subdomains

  2. VirusTotal → flagged as malware domain

  3. OTX → associated with AsyncRAT

  4. Shodan → hosted on bulletproof infrastructure

  5. Domain age → 3 days old

  6. Relationship graph → linked to 10 other malicious domains

Outcome:

  • Confirmed C2 domain

  • Host isolated

  • Lateral movement investigation begins

OSINT transformed a basic DNS alert into a confirmed malware incident.
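Step 6 of the workflow is where the scenario above turns into an incident: once OSINT has confirmed the domain, the question becomes which internal hosts talked to it. The script below is an added example, not part of the original chapter; it matches OSINT-confirmed domains against internal DNS log lines (including the many random subdomains the passive DNS step surfaced), with a label-boundary check so that a look-alike name such as "notupdate-sync.biz" is not counted, and reports per host what was queried and when. The log lines, the log format and the second IOC domain (standing in for the linked domains from the relationship graph) are constructed sample data.

```python
"""Correlate OSINT-confirmed C2 domains with internal DNS logs (added example)."""
import re

# Confirmed C2 from the scenario plus one CONSTRUCTED domain standing in for
# the other malicious domains found through the relationship graph.
IOC_DOMAINS = {"update-sync.biz", "sync-telemetry-check.biz"}

# CONSTRUCTED log lines in a simplified key=value DNS log format.
DNS_LOG = """\
2025-12-01T08:02:11Z host=WS-0142 src=10.10.4.21 query=checkin.update-sync.biz type=A
2025-12-01T08:02:41Z host=WS-0142 src=10.10.4.21 query=a8f3k2.update-sync.biz type=A
2025-12-01T08:03:12Z host=WS-0142 src=10.10.4.21 query=q91zzt.update-sync.biz type=A
2025-12-01T08:05:00Z host=WS-0077 src=10.10.4.58 query=www.example.com type=A
2025-12-01T08:06:30Z host=SRV-DB01 src=10.10.9.5 query=beacon.sync-telemetry-check.biz type=A
2025-12-01T08:07:02Z host=WS-0077 src=10.10.4.58 query=notupdate-sync.biz type=A
malformed line that the parser must skip
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) src=(?P<src>\S+) query=(?P<query>\S+)")


def matches_ioc(query, iocs):
    """Return the IOC domain the query equals or is a subdomain of, else None.
    The leading dot in the suffix test enforces a label boundary, so
    'notupdate-sync.biz' does not match 'update-sync.biz'."""
    q = query.lower().rstrip(".")
    for ioc in iocs:
        if q == ioc or q.endswith("." + ioc):
            return ioc
    return None


def correlate(log_text, iocs):
    """Return {host: {src, ioc_domains, first_seen, last_seen, queries, names}}."""
    hits = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # unparseable line: skip, never crash
        ioc = matches_ioc(m["query"], iocs)
        if ioc is None:
            continue
        h = hits.setdefault(m["host"], {
            "src": m["src"], "ioc_domains": set(), "first_seen": m["ts"],
            "last_seen": m["ts"], "queries": 0, "names": set()})
        h["ioc_domains"].add(ioc)
        h["last_seen"] = m["ts"]
        h["queries"] += 1
        h["names"].add(m["query"].lower())
    return hits


def affected_hosts(hits):
    """Hosts in isolation priority order: most distinct C2 names first."""
    return sorted(hits, key=lambda h: (-len(hits[h]["names"]), h))


if __name__ == "__main__":
    found = correlate(DNS_LOG, IOC_DOMAINS)
    for host in affected_hosts(found):
        h = found[host]
        print(f"{host} ({h['src']}): {h['queries']} queries to {sorted(h['ioc_domains'])} "
              f"between {h['first_seen']} and {h['last_seen']}; "
              f"{len(h['names'])} distinct names: {sorted(h['names'])}")
```

The set of distinct names per host is the detail that ties back to the passive DNS finding: one host resolving several throwaway subdomains of the same confirmed C2 within a minute is the beaconing-style pattern that justifies isolating that host first, and the same matching function can be dropped into a SIEM rule to alert on the IOC set going forward (workflow step 8).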


Intel Dump

  • OSINT supports SOC investigations with external intelligence on IPs, domains, URLs, hashes, and emails.

  • Key tools include VirusTotal, OTX, GreyNoise, Shodan, URLScan.io, Hybrid-Analysis, Any.Run, and Passive DNS services.

  • OSINT techniques include enrichment, pivoting, infrastructure linkage, phishing analysis, sandbox extraction, and C2 pattern identification.

  • OSINT workflows help validate alerts, enhance investigations, and discover hidden attacker infrastructure.

  • OSINT is not raw data; it becomes powerful only when correlated with internal logs and applied to SOC detection and hunting.
