Before a targeted attack, there's reconnaissance. An attacker's first step isn't exploiting a vulnerability — it's gathering information from publicly available sources. This is open-source intelligence, or OSINT.
The unsettling part: most of what they find, you put there yourself.
What's Publicly Available
DNS records reveal your infrastructure. MX records show your email provider. A records and CNAME records show your hosting provider, CDN, and any third-party services. TXT records often contain verification tokens for services you use.
WHOIS data (if not privacy-protected) exposes registrant names, email addresses, and sometimes physical addresses. Even with privacy protection, historical WHOIS data is archived by third-party services.
SSL certificates are logged in Certificate Transparency logs. Every certificate ever issued for your domain is publicly searchable, revealing subdomains you may not want visible — staging environments, admin panels, internal tools.
Job postings reveal your technology stack. "Looking for a Senior Django Developer with PostgreSQL experience" tells an attacker your backend framework and database. Job descriptions for security roles reveal what you're worried about.
Source code in public repositories. Even if your main codebase is private, employees may have forked components, uploaded configuration files, or committed API keys to personal repositories.
Social media and forums. Employee LinkedIn profiles list internal tools and technologies. Stack Overflow questions include code snippets from production systems. Slack and Discord communities leak internal discussions.
What This Enables
Individually, each piece of information is benign. Combined, they create a detailed attack map:
- Infrastructure mapping: DNS enumeration + certificate transparency = complete subdomain inventory including development and staging environments
- Technology fingerprinting: Job postings + LinkedIn + public repos = specific software versions to target
- Credential harvesting: Breached password databases + employee email addresses = credential stuffing material
- Social engineering: Employee names, roles, reporting structure, communication style = convincing phishing campaigns
Reducing Your Exposure
You can't eliminate your OSINT footprint, but you can manage it.
DNS hygiene: Remove DNS records for decommissioned services. Use wildcard certificates instead of individual ones where possible to reduce certificate transparency exposure.
Repository audits: Scan your organization's public repositories for secrets using tools like truffleHog or gitleaks. Check employees' personal repos for references to your internal systems.
Job posting discipline: Be intentional about technology details in job listings. "Backend developer" reveals less than "Django/PostgreSQL developer" — and you'll get the same applicants.
Email security: Implement SPF, DKIM, and DMARC to prevent domain spoofing. Use a separate domain for internal tools that you don't want publicly associated with your organization.
Monitor your exposure: Regularly search for your domain, company name, and key employee names. Set up alerts for new mentions. Check Have I Been Pwned for compromised credentials associated with your domain.
The Asymmetry Problem
Attackers have unlimited time and every public source at their disposal. Defenders have jobs, meetings, and a hundred other priorities. This asymmetry is fundamental to security.
The solution isn't trying to be invisible — it's understanding what you've already exposed and deciding what to do about it. Start with a self-OSINT assessment: gather intelligence on your own organization the way an attacker would. What you find will inform your security priorities more effectively than any generic checklist.
If you want a professional OSINT assessment of your organization's exposure, reach out.