OSINT Strategies for Preventing and Responding to Cyber Attacks
How proactive and reactive OSINT strategies can strengthen cyber resilience before and after major attacks.
The insurance industry has faced its worst cybersecurity crisis so far. Recently, three insurers have been targeted by cyberattacks. Scattered Spider, a loosely organised group of cybercriminals, has been actively attacking the industry. The troubling pattern affecting industry giants like Erie Insurance, Philadelphia Insurance Companies, and now AFLAC could be countered with robust Open-Source Intelligence (OSINT) strategies to strengthen defences against increasingly sophisticated cyberattacks.
OSINT is already a valuable resource for fraud examiners. Information on possible fraudsters can be gathered from various sources to assist in claims investigations, including social media, public records, consumer reports, and more. However, the potential of OSINT extends beyond traditional fraud detection, offering insurance companies essential proactive threat mitigation and reactive incident response capabilities.
The Current Threat Environment: Scattered Spider's Multi-Sector Campaign
When these attacks initially surfaced against the insurance sector, Mandiant Consulting CTO Charles Carmakal said Scattered Spider's insurance sector campaign began around a week and a half earlier. The shift from retail to insurance marks a strategic trend in cybersecurity campaigns, notably against verticals that store enormous amounts of sensitive personal and financial data.
Threat intelligence analysts reported that hackers were focusing on multiple U.S. insurance firms using all the techniques observed in Scattered Spider activity. Their sophisticated social engineering techniques target call centres and help desks, exploiting human vulnerabilities for initial network access.
The attacks have been matched to Scattered Spider techniques, but without ransomware. In several recent incidents the attack was completed within hours; even where companies have improved their response efficiency, the threat remains active and present across a range of industries.
Recent Enforcement Activity: Scattered Spider Arrests and Industry Impact
The threat environment remained volatile in July 2025, with notable activity as UK police detained four individuals, a 20-year-old woman and three males aged 17 to 19, on suspicion of cyberattacks on retailers such as Harrods, M&S, and Co-op. The arrests represent a high point in efforts to counter Scattered Spider-type operations, reflecting the vulnerability of critical infrastructure and demonstrating what law enforcement can achieve when supplied with quality intelligence collection.
Their economic impact has been severe, with M&S quantifying around £300 million of revenue lost solely because of the cyber outage. This figure underlines the serious financial consequences of complex social engineering attacks on major organisations and the necessity for robust cybersecurity across all sectors, not just insurance.
This development confirms the central thesis that effective OSINT capability is crucial, not just as an operational resource but as a strategic measure in countering an advanced and multidimensional threat matrix of sophisticated foreign and technically capable domestic actors.
PROACTIVE OSINT SOLUTIONS FOR INSURANCE COMPANIES
Threat Intelligence and Early Warning Systems
Given this threat group's targeting by sector and its demonstrated ability to impact multiple sectors, insurance companies must develop comprehensive OSINT programs that continuously assess potential threats. The key components are:
1. Cybercrime Group Assessment
- Researching recognised threat groups like Scattered Spider on dark web forums, social media, and cybercrime marketplaces
- Listening for any mention of targeting insurance companies or specific methods
- Creating automated notifications for company name, executive, or industry keyword mentions
- Studying cross-industry attack patterns to anticipate potential targeting changes
2. Supply Chain and Vendor Intelligence
- Utilising detailed digital breadcrumbs to detect and prevent insurance fraud, e.g., misrepresentation and policy manipulation
- Enhancing underwriting integrity by leveraging digital data to drive risk decisions, enabling more accurate policy pricing and terms
- Streamlining background screening of third-party partners and vendors
- Identifying data breaches and security incidents affecting business partners
- Open-source monitoring of the cybersecurity stance of mission-critical suppliers
3. Executive and Employee Protection
- Social media monitoring of key personnel for information exploitable in social engineering attacks
- Monitoring publicly available personal information that could facilitate spear-phishing campaigns
- Locating publicly exposed executive calendars, travel schedules, and professional contacts that attackers could exploit
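The automated keyword alerting described in item 1 above, as an added example that is not part of the original article: a watchlist scanner that runs over collected posts and raises one alert per post mentioning a company name, executive, or industry term. The watchlist names and the sample posts are constructed for illustration.

```python
import re

# Constructed watchlist: hypothetical company and executive names, not real organisations or people.
WATCHLIST = {
    "company": ["Example Mutual", "ExMutual"],
    "executive": ["Jane Doe"],
    "industry": ["insurance", "insurer", "claims portal"],
}

# Constructed sample posts standing in for forum, social-media and paste-site collection output.
SAMPLE_POSTS = [
    {"id": "p1", "source": "forum-a", "text": "anyone got access to EXAMPLE MUTUAL helpdesk? paying well"},
    {"id": "p2", "source": "social", "text": "Great quarter for insurers across the board."},
    {"id": "p3", "source": "paste", "text": "creds dump - exmutual.example internal vpn, contact me"},
    {"id": "p4", "source": "forum-b", "text": "weather is nice today"},
    {"id": "p1", "source": "forum-a", "text": "anyone got access to EXAMPLE MUTUAL helpdesk? paying well"},
]


def compile_watchlist(watchlist):
    """Build one case-insensitive, word-bounded regex per category (optional plural 's')."""
    compiled = {}
    for category, terms in watchlist.items():
        alternatives = "|".join(re.escape(t) for t in terms)
        compiled[category] = re.compile(r"\b(?:" + alternatives + r")s?\b", re.IGNORECASE)
    return compiled


def scan_posts(posts, watchlist=WATCHLIST):
    """Return one alert per distinct post that mentions any watchlist term.

    Each alert records the post id, its source, and the categories and terms that matched,
    so an analyst can triage company hits (likely targeting) ahead of generic industry chatter.
    """
    patterns = compile_watchlist(watchlist)
    alerts, seen = [], set()
    for post in posts:
        if post["id"] in seen:  # collectors often return the same post twice; alert once
            continue
        seen.add(post["id"])
        hits = {}
        for category, rx in patterns.items():
            matches = sorted({m.group(0).lower() for m in rx.finditer(post["text"])})
            if matches:
                hits[category] = matches
        if hits:
            alerts.append({"post_id": post["id"], "source": post["source"], "hits": hits})
    return alerts
```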
REACTIVE OSINT UTILISATION DURING INCIDENT HANDLING
Quick Threat Assessment and Attribution
In case of an incident, OSINT can help to enable quick threat assessment and attribution by the following activities:
1. Attack Pattern Analysis
- Matching observed TTPs against known threat actor profile data
- Searching for similar attacks against other companies inside and outside the industry
- Identifying the likely scope and targets of the attack
- Correlating with recent law enforcement activity and reported threat actor capability
2. Compromise Analysis
- Reviewing dark web marketplaces for stolen company information or leaked credentials
- Analysing online discourse of the breach within cybercrime communities
- Detecting possible data exfiltration through paste sites and file-sharing websites
3. Threat Actor Profiling
- Developing intelligence on known networks and infrastructure used by recognised threat actors
- Tracking the monetisation of stolen information or ransomware demands
- Anticipating follow-on attacks or the targeting of business partners
- Analysing links to recently arrested or disrupted threat actors
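The attack pattern analysis in item 1 above (matching observed TTPs against known threat actor profiles), as an added example that is not part of the original article: a scorer that weights each technique by how few actors use it, so that a widely shared technique such as valid-account abuse counts for little while a distinctive combination counts for a lot. The actor profiles and the observed TTP set are constructed for illustration and are not an attribution of any real group; the technique IDs follow MITRE ATT&CK naming.

```python
from collections import Counter

# Constructed actor profiles (illustrative only, not an authoritative threat intelligence feed).
# T1598 phishing for information, T1621 MFA request generation, T1078 valid accounts,
# T1219 remote access software, T1567 exfiltration over web service, T1190 exploit
# public-facing application, T1133 external remote services, T1486 data encrypted for
# impact, T1566 phishing. The assignment of techniques to actors here is invented.
ACTOR_PROFILES = {
    "ACTOR-A (help-desk social engineering)": {"T1598", "T1621", "T1078", "T1219", "T1567"},
    "ACTOR-B (edge-device exploitation)": {"T1190", "T1133", "T1078", "T1486"},
    "ACTOR-C (commodity phishing)": {"T1566", "T1078", "T1486"},
}

# Constructed set of TTPs observed during a hypothetical incident.
OBSERVED = {"T1598", "T1621", "T1078", "T1219"}


def technique_weights(profiles):
    """Weight each technique by how few actors use it: unique to one actor -> n, shared by all -> 1."""
    counts = Counter(t for ttps in profiles.values() for t in ttps)
    n = len(profiles)
    return {t: 1.0 + (n - c) for t, c in counts.items()}


def score_actors(observed, profiles=ACTOR_PROFILES):
    """Rank actors by weighted overlap with the observed TTPs.

    Score = weighted size of (observed & profile) / weighted size of (observed | profile),
    a weighted Jaccard index. Techniques absent from every profile get weight 1.0 so an
    unfamiliar observation lowers every score rather than crashing the comparison.
    Returns (actor, score, matched_techniques) tuples, best match first.
    """
    weights = technique_weights(profiles)
    results = []
    for actor, ttps in profiles.items():
        matched = sorted(observed & ttps)
        total = sum(weights.get(t, 1.0) for t in ttps | observed)
        score = sum(weights[t] for t in matched) / total if total else 0.0
        results.append((actor, round(score, 3), matched))
    return sorted(results, key=lambda r: r[1], reverse=True)
```

A low top score (as when only the shared T1078 is observed) signals that attribution is not yet supported and more collection is needed.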
Business Recovery and Continuity Assistance
After a cyberattack, business continuity and rapid recovery become a further focus area, and one in which OSINT should play a leading role:
Customer Trust and Communication Management
- Social media sentiment analysis and public opinion assessment in incident management
- Identifying misinformation or inaccurate reporting of the incident
- Reviewing competitor reaction and market impact
Legal and Regulatory Adherence
- Supporting law enforcement investigations with evidence
- Documenting the scope and duration of the incident for reporting to authorities
- Identifying affected individuals whose information could have been breached
- Coordinating with international law enforcement efforts where cross-border elements are involved

IMPLEMENTATION FRAMEWORK AND BEST PRACTICES
Building an Effective OSINT Program
To maximise the benefits of OSINT for enhanced cybersecurity, organisations need to move beyond ad-hoc efforts and strive to establish a formal and structured OSINT program. This involves several important considerations, including:
1. Team Structure and Training
Organisations must build specialist OSINT capabilities, backed by extensive training programmes, to enhance their cybersecurity teams. This involves developing expert practitioners who understand the value of pertinent intelligence and can interpret, validate, and apply it accurately and ethically.
2. Technology and Tools Investment
- Automated alerting and threat intelligence systems
- Social media and dark web analysis platforms
- Pattern recognition, data analysis and visualisation tools
- Integration with existing SIEM systems
3. Legal and Ethical Aspects
- Adherence to data protection and privacy laws
- Any information collected ought to be truly public and not obtained through illicit means
- There must be robust internal policies and procedures to ensure OSINT activities are strictly controlled
- Ethical guidelines must be drafted and enforced on OSINT activities
OPERATIONAL SECURITY AND PROTECTION OF PRIVACY
A further key consideration is how firms manage and store any information gathered. Mishandling sensitive intelligence can put organisations at legal, ethical, and operational risk, and lax data practices can diminish the value and validity of the intelligence itself.
A structured data management and retention policy safeguards sensitive information and sources and ensures that intelligence is actionable, compliant, and secure throughout its lifecycle.
These considerations should include:
- Well-established policies for the collection, analysis, and storage of OSINT information
- Applying the necessary security controls to protect intelligence collection activities
- Respecting privacy laws and industry best practices
Protection of Sources and Operational Security
- Applying the necessary technical controls to protect the identity of those behind intelligence collection activities
- Providing secure communications for the sensitive exchange of intelligence
- Educating staff in operational security best practices
COLLABORATION AND INDUSTRY INTELLIGENCE SHARING FORUMS
Developing internal OSINT capabilities is highly beneficial, but the intelligence gain can often be optimised through collaboration. Engagement with industry peers and intelligence-sharing forums allows organisations to validate OSINT research, confirm intelligence, and identify potential sources not previously discovered.
The benefits of industry-specific collaborative OSINT include:
- Shared threat intelligence helps improve the overall security stance of the industry
- Collaborative study of trends and attack profiles is more potent than researching alone
- Where trends are identified, they can act as an early warning system for potential attacks across industries
- Shared working groups can present a united front and have a standard response capability for major incidents that impact a range of industries
- Improved coordination with law enforcement agencies while investigations are actively being pursued
MEASURING SUCCESS AND RETURN ON INVESTMENT
Organisations must demonstrate to stakeholders that any internal investment is being well spent. Demonstrating success against measurable performance targets provides real assurance that OSINT-based investments are delivering returns and bringing tangible value to the organisation's security posture. Developing OSINT Key Performance Indicators (KPIs) provides a measurable and formal way of demonstrating the programme's performance and effectiveness.
Specific KPIs must be developed for each organisation, but might include such metrics as:
Proactive Measures:
- Reduced number of successful social engineering intrusions
- Earlier detection of targeted campaigns against the company
- Percentage of OSINT reports leading to proactive action, for example, patching vulnerabilities, updating policy, or informing clients
Reactive Measures:
- Reduced threat attribution and impact analysis time
- Reduced incident containment and recovery times
- Improved evidence collection to support law enforcement collaboration
- Improved situational awareness for crisis response
CONCLUSION AND RECOMMENDATIONS
The recent targeting of insurance companies by advanced threat groups, such as Scattered Spider, along with their demonstrated potential for high financial impact across multiple sectors, highlights the fundamental need for robust OSINT capabilities within the cybersecurity industry. The recent arrests and the £300 million impact on M&S alone demonstrate both the seriousness of the threat and the effectiveness of intelligence-led law enforcement responses. Insurance companies must adopt proactive and reactive OSINT measures to counter sophisticated cyberattacks.
Immediate Actions for Insurance Companies:
- Establish Specialised OSINT Capabilities: Invest in technology, people, and training to build strong open-source intelligence programs
- Monitor Continuously: Utilise threat intelligence tools to scan for risks across dark web traffic, social media, and threat intelligence from other sectors
- Enhance Incident Response: Integrate OSINT capabilities into existing incident response and crisis management processes
- Cultivate Industry Collaboration: Participate in threat intelligence sharing groups and cross-industry security efforts
- Measure and Improve: Possess clear metrics for OSINT program success and continuously develop capabilities as threats evolve
The rise of complex and sector-focused cybercrime attacks, allied to recent law enforcement successes, necessitates an intelligence-driven response. Companies that can effectively leverage active and passive OSINT methods will be well-positioned to protect their customers, investors, and stakeholders as the threat landscape continues to develop.
As the insurance industry faces targeted campaigns from advanced threat actors with cross-sector capabilities and high financial impact potential, OSINT is not merely an operational necessity but also a strategic essential to maintain business continuity and customer trust.
Authored by: The Coalition of Cyber Investigators
Paul Wright (United Kingdom) & Neal Ysart (Philippines)
©2025 The Coalition of Cyber Investigators. All rights reserved.