Skip to content

Using Social Media as a Security and Threat Assessment Tool

May 8, 2020

How OSINT Can Keep You Safe and Change What You Know

This article originally appeared in Loss Prevention Magazine.

Today, social media is just about everywhere. Facebook alone has almost 2.5 billion monthly active users. By now, most of us use some sort of social media to keep up with friends and family and to network professionally. With social media, the reach and frequency are unlimited. Its ease and usability allow anyone, from any age group, to report news or information regardless of its accuracy or merit. Just imagine: a large portion of the population walks around with high-definition cameras in their pockets and the ability to broadcast live video in real time to an audience of billions. But social media has many more uses beyond making personal connections.

Social media has revolutionized connectivity because it is so easily accessible: by definition, social media exists on an open public platform. This means that social media can also be used as a tool for open-source intelligence, more commonly referred to as OSINT. OSINT is intelligence collected from publicly available sources and is an effective method of data collection for retailers of any size. OSINT can open a new world of data for retailers, who can then gather data from every public source available and use OSINT tools to narrow the scope of their search.

Leveraging Social Media in Your Investigations

So how can your team tap into this world of information and use it to achieve your goals? It’s helpful to remember that thieves like to brag about their achievements. They’ll often share their activities with like-minded friends on social media. So a cache of stolen goods might just show up in a Facebook post or for resale on eBay. When chronic offenders or accomplices are identified, a security or law enforcement team can begin to monitor their social media activity. That can provide clues to past crimes—and hints about future ones.

You can collect data from social media using platform features that already exist, such as geolocation. With location-based monitoring, you can gather information to help you make decisions about hours of operation and staffing. You can also use the native search function to track activity about your store and potential threats. In this example, simply use the name of your organization with key phrases such as “gun,” “bomb,” and so forth.

Many social media platforms make their data available through application programming interfaces, or API. An API is simply a set of instructions that allow developers to interact with the platform’s technology. For example, Twitter’s search allows people to access their search function to create their own tools for collecting information. Twitter provides three ways for users to access their data:

Twitter Search. This is Twitter’s native search function, and it’s easy and free to use. Simply plug in your search terms, such as “burglaries, Town Name, USA” to get all the tweets related to that subject. The downside is you can only see the last 3,200 tweets related to your search—a lot of information, but not enough to get the whole picture.

Twitter Streaming API. Though it is similar to the Search API, the Streaming API can send you tweets in real time. This is particularly helpful for time-sensitive operations, such as a robbery or another ongoing event. The downside is that you only receive a sample of tweets containing your search terms, anywhere from 1 percent to 40 percent of relevant tweets.

Twitter Firehose. As its name suggests, this function sends you a lot of data. It’s guaranteed to send you 100 percent of tweets that meet your search criteria. This is incredibly helpful for security or law enforcement professionals who want a comprehensive overview of activity about a specific subject. But as you might have guessed, the Twitter Firehose is not free. Access to the Twitter Firehose is handled by GNIP, a social media API aggregation service that Twitter acquired in 2014.

How to Use Other OSINT Tools

OSINT existed before social media did, and a vast trove of publicly available information still exists beyond social media. We all know the information is out there, but few of us have the expertise, time, or patience to ferret out the parts we need. That’s where OSINT tools come in. Although free tools are available, you get what you pay for. They are still helpful tools for a security or law enforcement team, but remember that you are only getting a small fraction of the relevant data. To get a more comprehensive view of the data you want, you’ll have to pay for it.

According to Infosec, these are the top five tools used by penetration testers and even malware actors:

  1. Maltego, a software used for OSINT forensics that collects data from open sources and visualizes that data in a graph format.
  2. Recon-Ng, a full-featured OSINT framework written in Python.
  3. theHarvester, a tool to gather emails, subdomains, hosts, employee names, open ports, and service banners.
  4. Shodan, a search engine that lets you find specific types of Internet of Things (IoT) devices using a variety of filters.
  5. Google hacking or Google dorking, a computer hacking technique that uses Google Search and other Google applications to find security holes in the configuration and computer code that websites use. The Intext search is especially helpful in OSINT as it helps to search for specific text on a page.

According to a report from Thales, retail is the prime cyber-crime target. As I discussed in a previous article about the dark web, criminals can use the dark web to learn about company security policies, which stores are best to steal from, and which EAS tags a company uses, so they can learn how to defeat them. The dark web is a great place to find information about potential threats to your organization, but it can be difficult and even dangerous to your cyber security to access.

My tool of choice today is a paid open-source intelligence service called Echosec. It incorporates Twitter Firehose along with all the social media platforms that offer open-source intelligence. It also offers Beacon, a discovery tool for the dark web. I find Beacon to be an essential tool for dark web investigations because it allows me to search the dark web using keywords and narrow down the results, which you cannot manually do in the dark web because there is no search engine to index its content.

Like many new technologies, these tools can be helpful for both security professionals and criminals. It all depends on what a user does with the data. When collecting personal data, either on your own or with an OSINT tool, you should always consult your legal department to determine the proper protocols for using and storing this information. Few things are more sensitive than customer data—or more damaging should this data be compromised in any way.

Tom’s column is featured in every issue of Loss Prevention Magazine. To subscribe to the printed version of the magazine and enjoy other great content, visit