OSINT Techniques for Analysts: How to Find Early Warning Indicators

The earliest you can predict a security risk, the more time you have to assess and respond to the threat. Not all situations are predictable through early warning signals, but a proactive approach will help you avoid or minimize asset damages should a threat escalate.

Intelligence analysts and investigators rely on open-source intelligence (OSINT) to uncover security threats and respond effectively. Public information, like social media, can alert analysts in real-time to new risks, from active shooters to insider threats. But are real-time alerts enough to keep vulnerable assets safe?

We’ve seen throughout the pandemic that organizations are often unprepared to cope with new security risks. The resources required to handle current risks can also make it hard to move from a reactive to a proactive strategy. 

According to a 2021 Ontic survey, less than half of organizations “take a proactive, always-on technology-driven approach to managing physical threats… before damaging incidents occur.”

The operative word here is before: even more than real-time alerts, intelligence analysts need early warning indicators to respond proactively. Online OSINT sources offer early warning indicators that analysts and investigators need to keep people and assets safe. It’s just a matter of knowing where to look and having the right tools to get you there.

What does “early warning indicator” mean from an analyst’s point of view, and how can you access them effectively?

What are early warning indicators

The term “early warning indicator” is often used in a financial or educational context. But for intelligence analysts, an early warning indicator is any piece of information that can signal a potential future security threat. Online sources, like social media and the deep web and dark web, are relevant early warning sources as bad actors divulge plans and engage with anonymous communities.

For example, let’s say you’re a security analyst monitoring for threats near a physical location, like an airport or company facility. You’re using an OSINT tool to find and assess risks, and get an alert from a social media source: someone near your target location just heard gunshots in the area and is posting minute-by-minute updates from the scene.

Now imagine that a few days prior, you were monitoring a more covert social site like 4chan. A user on one of these sites mentions an area near your target location and uses language that indicates violent intent—something similar to manifestos you’ve seen precipitate attacks before.

This is an early warning indicator that your team could use to stay more prepared for a potential threat rather than scrambling to respond once it’s already happening.

Why are early warning indicators valuable?

The earlier you can predict a security risk, the more time you have to assess and respond to the threat. Not all situations are predictable through early warning signals, but a proactive approach will help you avoid or minimize asset damages should a threat escalate. 

Early warning indicators are also becoming more important. The pandemic, combined with emerging social unrest, has created an environment ripe for security threats—many of which are planned or detectable through public online sources. Early warning indicators are now valuable for detecting risks like:

• Insider threats: Social dissent, burnout, and new workplace regulations have transformed the insider threat landscape. Disgruntled employees may react by disclosing confidential data or disrupting business operations, and may discuss these topics online well in advance of taking action. Organizations in government, healthcare, big tech, and media are especially vulnerable.
• Physical attacks: Some sites are used to leak violent intent and plan events. For example, the Capitol Hill insurrection was planned online for weeks prior to the attack. Users may be more candid in online settings where their identity is anonymized and they are engaging with like-minded communities with similar grievances.
• Supply chain disruptions: Early warning indicators don’t necessarily originate from bad actors. Disruptions like natural disasters or geopolitical conflicts can halt or delay the flow of goods further down the supply chain. Monitoring for these events in relevant locations can serve as early warning indicators if your organization will be impacted down the line.

OSINT techniques for early warning indicators

As an intelligence analyst, how can you more effectively find early warning indicators for proactive security? Make sure you have access to relevant data sources. If insiders or other bad actors reveal early warning signs online, it’s likely on less-regulated spaces that won’t flag more controversial content. These include chan sites (also called imageboards), alt-tech sites, anonymized messaging apps, and deep and dark web forums. Unindexed websites like paste sites are also useful for finding data disclosure, which is relevant for some insider threat cases.

Do your keyword research. Even though adversaries can be candid on anonymized sites, they often use colloquialisms. As you monitor OSINT sources, take note of relevant terms, hashtags, or phrases that could indicate harmful intent. For example, those who celebrate mass shooting events and may harbor violent inclinations themselves often reference the names or initials of past shooters. Combining these types of keywords with your organization’s name or relevant locations can help identify early warning indicators.

Invest in the right OSINT tools. Many sources that are relevant for early warnings are harder to access and monitor for search terms than more mainstream sources like Twitter. Some OSINT tools operate with proprietary web crawlers to address this gap, making covert sites easily accessible and searchable for analysts. If your goal is to find early warning indicators, make sure you invest in OSINT tools that cover fringe social sites in addition to the mainstream ones.

For intelligence analysts, public online content is a necessary source of breadcrumbs illuminating security risks and their origin. This is becoming more evident in the post-pandemic world as individuals and communities use online channels to covertly plan, suggest, or incite harmful actions. Overlooking these warning signs, when they are available, can cause avoidable damage to your assets. 

As security functions evaluate their strategy going forward, intelligence analysts must understand the value of early warning indicators and have the right OSINT techniques and data sources to find them efficiently.