OSINT DEFENSE & SECURITY FRAMEWORK (ODSF)

Develop and maintain an inventory of all public-facing digital assets and data sources related to the organization.

Perform regular OSINT audits by simulating an outsider's reconnaissance. Leverage the same tools and techniques an attacker would.

Include in the assessment any third-party or affiliate digital assets that could indirectly expose the organization. Business partners, subsidiaries, marketing agencies, or contractors might publish information about your organization. Map every third party that handles your data or represents your brand online. For each, identify what info of yours might be on their sites (e.g. client lists, case studies naming your company, shared infrastructure). This extends the footprint inventory beyond the strict corporate boundary, recognizing that attackers will exploit the weakest link (e.g., a vulnerability on a contractor’s site leaking your project details)

Analyze the findings from the footprint inventory for sensitivity and risk.

Properly retire and remove external-facing assets that are no longer in use.

Based on the Footprint Assessment, remediate exposures.

Implement measures to limit personal identifiable information (PII) of staff available online.

Establish clear policies and procedures that govern what information can be made public, and how.

In cases where information must be public but could still pose a risk, take steps to anonymize it.

Continuously track the development of new OSINT tools and techniques to stay ahead of emerging threats.

Manage the organization’s official public presence in a security-conscious manner. This subcategory covers how to securely maintain necessary public-facing content (website, social media, press releases, etc.) so that it informs or markets to legitimate audiences without oversharing or introducing security weaknesses.

Apply guidelines for official social media accounts.

Manage what information is released in external communications.

Be aware that content can inadvertently reveal technology stack or security posture.

Systematically remove employees information from data broker sites. Focus on all personnel whose exposure could create security risks, not just executives. This includes IT staff, security personnel, finance teams, and anyone with access to sensitive systems or data.

In jurisdictions with strong privacy laws, make use of legal rights to remove data.

Ensure design of public-facing apps and sites avoids exposing personal identifiers.

Extend security awareness training to include personal digital privacy tips for employees.

Ensure that external privacy notices and practices align with applicable laws.

Establish a practice that any images published are stripped of metadata.

Cleanse office documents of metadata before publishing.

Manage metadata from devices used to create content.

Consider physical OSINT in media beyond digital metadata.

Integrate metadata scrubbing into workflows.

Spot-check files that have been released publicly to ensure compliance.

Identify and manage organizational content stored in internet archive services.

Manage and remove sensitive information from search engine caches.

Properly retire and sanitize legacy platforms and services.

Control access to and availability of historical organizational documents.

Control what information is revealed through app store listings and metadata.

Secure mobile application APIs against OSINT reconnaissance.

Implement controls to prevent information leakage through mobile apps.

Regularly assess organization mobile apps for OSINT exposure.

Incorporate specific modules in security awareness training that demonstrate the connection between what people share and the attacks they might face.

Make training recurrent, not one-off. Social engineering tactics evolve, and people may forget.

Conduct internal phishing simulations and other social engineering tests to assess training effectiveness.

Encourage an organizational culture where it's okay to verify and double-check requests.

Provide specialized training for employees more likely to be targeted due to their access.

Train employees to recognize how physical items can be weaponized using OSINT knowledge.

Define what constitutes a 'sensitive request' and require independent verification.

For critical transactions or data access, require at least two people to approve or be involved.

Move sensitive communications to authenticated, secure channels rather than open email.

Use technology and processes to catch impersonation attempts early.

Use a robust email security solution to filter out malicious emails.

Implement protections against malicious websites.

Implement MFA to protect against credential theft.

Ensure strong password practices to counter information gained from OSINT.

Deploy honey tokens or decoys to detect malicious activity.

Develop guidelines to minimize information exposure in home working environments.

Implement controls to prevent information leakage during remote meetings and presentations.

Enhance security for remote connectivity to prevent OSINT exploitation.

Establish procedures for handling physical documents in remote environments.

Ensure it's easy for employees to report suspected phishing or social engineering attempts.

Take immediate steps when a social engineering incident is confirmed.

After containment, investigate the incident thoroughly.

Provide appropriate support to those affected by incidents.

Ensure social engineering scenarios are covered in broader incident response plans.

Establish resilient out-of-band communication channels for critical incidents.

Design and implement believable but fictitious employee profiles across relevant platforms.

Incorporate canary profiles into security awareness training and processes.

Deliberately place traces of the canary profile where attackers conducting reconnaissance might find them.

Establish mechanisms to detect when canary profiles are targeted.

Use canary profile triggers as evidence of targeting.

Regularly update and maintain canary profiles to ensure continued effectiveness.

Establish verification procedures to counter voice deepfake attacks.

Develop protocols to verify the authenticity of video communications.

Implement measures to identify AI-generated communication attempts.

Develop robust authentication mechanisms for use during suspected deepfake attacks.

Compile a list of all domains owned or registered by the organization and their subdomains.

Identify all IP address ranges owned or used by the organization.

For each discovered host, identify what services are exposed.

Track cloud services and third-party components with public presence.

Implement processes for ongoing discovery of new assets.

Perform frequent vulnerability scans of all internet-facing systems.

Establish a process to rapidly patch critical vulnerabilities on external systems.

Harden configuration of servers and services to minimize information exposure.

Conduct regular penetration testing focusing on external footprint.

Secure remote access systems that are externally accessible.

Review and secure code in public repositories.

Apply strong security measures to private code repositories.

Manage risks when sharing code with third parties or publishing packages.

Continuously monitor public code platforms for sensitive information.

Train developers on secure coding and secrets management.

Include OSINT perspective in vendor evaluations.

Understand infrastructure managed by third parties that could affect your exposure.

Secure shared workspaces and collaboration tools.

Track what others publish about your organization.

Apply least privilege and verification to third-party integrations.

Implement technical controls to prevent automated data harvesting from organization websites.

Defend against sophisticated AI-powered OSINT gathering techniques.

Secure APIs against automated data harvesting.

Manage how information flows between systems to prevent automated collection.

Conduct a thorough audit of each executive's public personal information.

Systematically remove or suppress executives' info from public sources.

Work with executives to sanitize their online presence.

Limit personal details in official company communications.

Extend protection to executives' families who could be targeted.

Secure executive email accounts with enhanced measures.

Apply strong security to all executive devices and communication channels.

Use encrypted messaging for sensitive discussions.

Secure executive devices that bridge personal and work use.

Include executives in security testing and drills.

Monitor for threats specifically targeting leadership.

Detect fake profiles and impersonation attempts.

Respond to exposure of executive personal information.

Practice response to executive-targeted incidents.

Prepare for recovery after executive-related incidents.

Conduct one-on-one or small-group training with executives about targeted social engineering.

Limit how executives will issue critical instructions.

Prevent creation of fake profiles or accounts impersonating executives.

Train support personnel who often handle communication on behalf of executives.

Manage information shared during public appearances.

Implement measures to obscure and protect home addresses and physical locations of executives.

Establish protocols for secure executive travel and commuting.

Prevent inadvertent disclosure of executive locations through metadata and digital footprints.

Secure home IoT devices and smart systems that could reveal occupancy or personal information.

Establish protocols for executive public appearances to reduce OSINT exploitation opportunities.

Enhance security measures for executive financial accounts and transactions.

Minimize exposure of executive financial information in public records.

Secure physical and digital financial communications.

Enhance privacy of digital payments and online financial activities.

Continuously monitor for unauthorized use of executive identities and images.

Register domains and social media handles to prevent squatting and impersonation.

Develop plans for responding to false information campaigns targeting executives.

Protect and manage the use of executive images and likeness.

Monitor for data breaches and dark web leaks.

Track mentions and data across social media and code sites.

Continuously scan external assets for changes.

Participate in information sharing communities.

Integrate OSINT data with security monitoring tools.

Develop specific playbooks for likely OSINT-related incident scenarios.

Implement mechanisms to quickly mitigate discovered exposures.

Develop clear communication procedures for incidents.

Feed incident learnings back into security controls.

Integrate OSINT defense with executive travel security planning.

Develop a quantitative methodology to measure organizational OSINT exposure.

Measure the performance and effectiveness of OSINT defense activities.

Establish measurable KPIs for OSINT defense program success.

Create effective reporting mechanisms for OSINT defense metrics.

Strategically place false or misleading information to detect and misdirect adversaries.

Create signal-to-noise challenges for adversaries attempting OSINT collection.

Deploy decoy systems and services to detect and analyze OSINT collection.

Develop plans for actively engaging with identified adversaries conducting reconnaissance.

Implement need-to-know access controls and information boundaries.

Implement measures to detect internal OSINT collection activities.

Secure internal project names and codenames from external disclosure.

Limit the exposure of detailed organizational structure information.

Align OSINT defense with data protection regulations like GDPR, CCPA, and others.

Address vertical-specific regulatory requirements in OSINT defense.

Align OSINT defense with international privacy standards and requirements.

Maintain appropriate records of OSINT defense activities for compliance purposes.

Establish segmented online identities to prevent cross-platform correlation.

Minimize recognizable patterns that enable identity correlation.

Deploy technical controls to prevent automated identity correlation.

Detect attempts to correlate organizational identities across platforms.

Tailor OSINT defense training to different organizational roles and responsibilities.

Provide specialized OSINT defensive training for technical personnel.

Provide targeted education for executives on high-profile OSINT threats.

Establish internal certification programs for OSINT defense knowledge.