View on GitHub

SANS ICS Summit 2025

OSINT Workshop ~ Using the power of OSINT to protect critical infrastructure and operational environments.

OSINT Workshop

Task 1: Workshop’s OSINT Process Outline

This workshop is designed to provide an introduction to gathering publicly accessible information about an organization’s control environment. We will use a combination of teaching techniques but will rely heavily on students doing OSINT lab exercises. The exercise activities will include doing manual and automated reviews of targets involved with industrial and automation control sectors.

Each of the tasks are designed to provide an overview of a specific OSINT gathering and analysis concept. You may or may not complete the task in the time alloted during the workshop. The instructors will move the workshop along every ten minutes. This will ensure the workshop continues to progress and students perform most of the information gathering techniques. This means that some of the analysis steps and techniques may have to be worked on later on your own time.

This is NOT a SANS class. Step-by-step examples with detailed screenshots will not be provided. A task may have some guiding steps to perform but screenshots are purposefully left off because tools change and your version may be different. If you have questions about how to do something, please ask the instructor, your neighbor, or one of your team mates. This workshop is designed to help improve your critical thinking. Use it as an opportunity to problem solve, make mistakes, achieve success, and learn.

Note taking is a vital part of any assessment. During this workshop, taking notes will slow you down. Hence, do not worry about keeping specific notes about your target. Review the note taking recommendations if you are conducting an actual assessment.

By all means, please move on to a new task when you are ready. Or, go back and complete a task you are interested in diving into more. OSINT is digging and, at times, following your gut.

WARNING

We are NOT here to break things, people, or organizations.

DO NOT:

hack things,
break into things,
compromise things,
test authentications,
test default credentials,
cause denial of services,
cause outages,
dox people or companies,
play with control systems,
mess with honeypots,
etc,
etc.

We want to have nice things. Please play nice.

Workshop Objectives

Workshop attendees and students will be introduced to the following OSINT tactics, techniques, and tools during the workshop.

A basic OSINT information gathering process to gather, analysis, and understand OSINT data about a specific ICS / OT target.
Understand online resources that provide specific information, particularly location details, about different industrial sectors.
Understand a simple open-source tool that can automate information gathering, analysis, and reporting.
Manually perform information gathering and analysis to understand risk for an organization.
Understand how threat actors are gathering information about your company, your clients, and your people.
How to use AI tools to improve assessment and information gathering techniques.

Requirements

Students can perform the majority of this workshop’s tasks with a web browser. The following are some more specific details to help students prepare and be successful. Be sure to check out the tools page for additional information about the tools described and used in this workshop.

Windows and / or Linux system
- Students can use either or both. Students can use a MAC but your commands might be slightly different.
Internet access
- The class is ‘online information gathering’ after all :wink:
Virtual Machines
- A testing VM is recommended but not required. Many students will be familiar with Kali and this workshop will reference tools that are installed by default on this Linux distribution.
SpiderFoot
- Students can install SpiderFoot anyway they prefer. Easiest for most students will just be a Kali VM. But you can do Docker or any other method. Feel free to use any tool of your choice, as well. This is just a recommendation for people who are new to this.
Artificial Intelligence / Language Model Tools
- Students will be provided with some general prompts for AI/LM tools. Check out the AI Tools page for an explanation of AI tools and this workshop.

Continuous Study Opportunities

You, the student, may or may not be able to complete all of these tasks during the workshop. The workshop website will remain online after the SANS ICS Summit 2025. This way you can continue to work on these labs to completion and come back to practice in the future. Now that it is online, it will also be available to your team members to do team events. Happy Hunting.

Evaluations and GitHub Issues

Of course SANS will want you to fill out an evaluation for this workshop during the SANS ICS Summit 2025. It would be great if you can also submit any issues to the project so we can keep it going and improve it over time.

Next Step

When you are done, move onto Task 2: ICS / OT Passive Geolocation Reconnaissance By Sector.