OSINT for Blue Teams: Pivot from Email to Infrastructure
2026-03-25 • Intelligence Analyst
Defenders often focus on their own logs, but looking outward can provide valuable context. OSINT techniques allow Blue Teams to understand the external threat landscape and pivot from a simple indicator to a broader understanding of an attack.
Pivoting Techniques
Starting with a single email address found in a phishing attempt or a leaked database, analysts can pivot to find:
- Registered Domains: Identify other infrastructure owned by the same actor.
- Social Media Profiles: Understand the actor's TTPs and potential targets.
- Password Reuse: Predict potential passwords used by the attacker on other services.
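The registered-domain pivot above can be treated as a graph walk. The sketch below is an added example, not code from the article or from DarkLake: it links indicators that co-occur in constructed WHOIS-style and passive-DNS-style records, walks outward from a seed email, and does not expand through high-degree nodes such as shared-hosting IPs, which would otherwise tie unrelated domains to the actor. The record layout and the names `pivot`, `max_hops` and `max_degree` are assumptions made for illustration.

```python
from collections import defaultdict, deque

# Constructed sample records (not real data). Each record lists indicators
# that one source observed together: a WHOIS entry or a passive-DNS row.
RECORDS = [
    {"source": "whois", "indicators": ["email:billing@actor.example", "domain:login-portal.example"]},
    {"source": "whois", "indicators": ["email:billing@actor.example", "domain:invoice-update.example"]},
    {"source": "pdns", "indicators": ["domain:invoice-update.example", "ip:192.0.2.10"]},
    {"source": "pdns", "indicators": ["domain:cdn-assets.example", "ip:192.0.2.10"]},
    # Shared-hosting IP: many unrelated domains resolve to it.
    {"source": "pdns", "indicators": ["domain:login-portal.example", "ip:198.51.100.7"]},
    {"source": "pdns", "indicators": ["domain:unrelated-shop.example", "ip:198.51.100.7"]},
    {"source": "pdns", "indicators": ["domain:unrelated-blog.example", "ip:198.51.100.7"]},
    {"source": "pdns", "indicators": ["domain:unrelated-wiki.example", "ip:198.51.100.7"]},
]

def build_graph(records):
    """Undirected graph: two indicators are linked if one record contains both."""
    graph = defaultdict(set)
    for rec in records:
        for a in rec["indicators"]:
            for b in rec["indicators"]:
                if a != b:
                    graph[a].add(b)
    return graph

def pivot(seed, records, max_hops=3, max_degree=3):
    """Breadth-first pivot from seed; returns {indicator: path from seed}."""
    graph = build_graph(records)
    paths = {seed: [seed]}
    queue = deque([seed])
    while queue:
        node = queue.popleft()
        if len(paths[node]) - 1 >= max_hops:
            continue  # hop budget spent on this branch
        # A hub (shared hosting, privacy-proxy contact) is recorded but not
        # expanded, so its unrelated neighbours are not attributed.
        if node != seed and len(graph[node]) > max_degree:
            continue
        for nxt in sorted(graph[node]):
            if nxt not in paths:
                paths[nxt] = paths[node] + [nxt]
                queue.append(nxt)
    del paths[seed]
    return paths

if __name__ == "__main__":
    for indicator, path in pivot("email:billing@actor.example", RECORDS).items():
        print(f"{len(path) - 1} hop(s): {' -> '.join(path)}")
```

Keeping the full path for each result lets an analyst see which record chain justifies every link before acting on it.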
Using DarkLake for OSINT
DarkLake serves as a massive repository for pivoting. By searching for an email or domain, you can see everywhere it has appeared in breaches, logs, and pastes. This historical context is invaluable for connecting the dots in an investigation.