
From influence operations and Telegram to using marketing tools for OSINT insights, our guest gives pro tips on OSINT and cyber investigations for professional practitioners.

Key takeaways

  • Digital forensics incident response
  • Cyberthreat and OSINT crossover
  • Marketing tools for OSINT

About Ari Ben-Am

Ari Ben-Am is the co-founder of Telemetry Data Labs, a Telegram data analytics platform.

An OSINT analyst by trade, Ari is also an adjunct fellow at the Foundation for the Defense of Democracies, and researches, trains and consults for clients globally.

Ari writes at memeticwarfare.io on influence and cyber operations.
 

Ari Ben-Am: [00:00:00] Beyond that, I would just tell, I think that we have in the OSINT industry, a bit of a different path than what I think should be the case. Arguably, this is my being an old man yelling us, you know, at the kids or something from, uh, from the porch step, I suppose. So we can have this path where everyone gets to know it and then they get a little more technical by learning Python.

They get right into scraping. Right. And I think that that's not necessarily the right approach for most people.

Jeff: Welcome to Needlestack. I'm your host, Jeff Phillips. 

Aubrey: And I'm Aubrey Byron. Today, we're discussing influence operations and incident response. 

Jeff: And joining us for that discussion is Ari Ben-Am, OSINT investigator and co-founder of Telemetry Data Labs. Ari, welcome to the show. 

Ari Ben-Am: Thanks for having me. I get to say long time listener, first time caller, so I'm very happy about that.
Oh, I [00:01:00] love that. 

Aubrey: Yeah, we love to hear it. 

Ari Ben-Am: Am I, am I truly the first person on this, on Needlecast to say that? 

Jeff: Yep. I think you're the first. I think you're the first. We'll send you a t-shirt and a mug. 

Aubrey: Why don't we have t-shirts? I'm going to work on this. 

Jeff: Let's work. Oh, I love it. I love it. Well, all right. So why we're really here, Ari, is, um, I know a lot of your work has been in, uh, investigating influence operations.

Could you start off by telling us what, what are influence operations and then what kind of investigation does that involve? 

Ari Ben-Am: Well, I think you opened a can of worms here that you weren't necessarily aware of prior, prior to asking that question, the, the very act of defining anything as a, as a loaded, a loaded question to say the least, but I think I like to break down into two categories of influence and information operations, right, which are any sort of.

To make it very, very, uh, let's say dumb it down for this, right? Any sort of coordinated planned effort by any given individual organization, [00:02:00] usually affiliated with nation states and organizations and so on, but not always by any means, especially nowadays, right, to. In the case of influence operations, influence public opinion, BF, say, for example, covert propaganda, right?
Uh, general other activity online or offline, by the way, it actually all started, of course, offline. Uh, and information operations. I like to define them as a bit separately, usually actively including disinformation and not just say general feel good or, you know, hard propaganda on a certain topic, but meant to actually.

Inject some sort of falsehood or doctored content or forgery, right? Or what AI generated fake content, which is the hot topic, uh, du jour. Right. So that's the, that's the, the differential I like to make influence operations are usually a bit more meant to influence general public opinion, not necessarily be a, some sort of false it online or offline and information operations are usually a bit more targeted, not always, and oftentimes include some sort of forgery, doctor document or something of that nature.

But it's dynamic and they're essentially interchangeable. I use them essentially interchangeably. Uh, is part of my [00:03:00] work. Gotcha.  

Jeff: So, what, what, what does investigating, um, an influence operation that you've identified, what does that involve? 

Ari Ben-Am: Well, that's a great question. We, the, the field is a bit young, so maybe I'll take it back just a moment to give you guys a bit of retrospective on the investigation space here.

Yeah, we great. We can kind of dive into what's happening now. Yeah, no problem. It, despite happening since arguably the 1920s, a great book on this, by the way, would be Active Measures by Professor Thomas Rid. The definitive history of the sort of thing for those of you who want to read, I'm a big fan of his work in general, and I think that book is excellent.

So, book recommendation. I'm sure we'll talk about cultural recommendations later on if we have time. That aside, these things started off, you know, kind of traditionally, right? People creating forged documents, uh, black cover radio stations or magazines and kind of disseminating them physically. The most recent, uh, event of note would be the 2016 elections.

There were some online prior to then also as well. Right. Uh, usually Russia targeting certain states in the Caucasus that he stood up or so on. But again, the big event of note was 2016 elections, at which point everybody started investigating influence [00:04:00] operations online, right? People were kind of suddenly taken aback by what was possible in a similar way to kind of cyber operations to an extent, right?

When we had this whole period of time in which everyone was losing their minds over how cyber is going to bring about the end of the world and the nuclear holocaust or take down electrical grids and so on. All that fun stuff after 2016, people started investigating, but primarily social media oriented, right?

We're looking at Twitter accounts, looking at Facebook pages, all of those fun things that come around. And then we're kind of, you know, counting tweets, I say, right. And to a lower level degree of investigation, not always, but that was usually the trend as this field has developed, it's become much more multifaceted.

So what started off as doing kind of more data scraping and looking at larger data sets of social media data online, it's turned into a broader space in which you have to do. Investigations into companies and individuals and more cyber oriented investigations of, you know, domain investigations, right.

And analyzing online infrastructure and all of those things together. That's what I actually promote kind of in my writing. And when I do for the most part, a more holistic technical view of this sort of thing, and that's what I do in a given investigation, you might be looking at an [00:05:00] individual. You can find an OPSEC breach of the network to looking at, you know, what's actually Who actually is carrying out this individual network, comprehensive social media investigation of any kind, username lookups, investigating domains and online activity, and even doing digital forensics on given files, right?

Looking for signs of the given forgery, whatever happens to be. So you really, it really runs the gamut of what you do. It can an online investigation. Right. And that's why I happen to like it so much. 

Aubrey: Yeah. That cyber side of things was something I was going to ask about. Um, cause you do have OSINT experience as well as cyber threat.

Um, and you use kind of a CTI approach to some of these. I'm thinking of, you have a blog recently where you're investigating a domain, um, using a Menorah as the logo and it ends up being an Iranian influence operation. Can you tell us a little bit about that? 

Ari Ben-Am: So the, uh, that case was a more traditional network of a domain centric network, right?

Where you had a central domain. And then alongside that Facebook account, Twitter account, Telegram channel, all these fun things alongside of it to amplify it and kind of [00:06:00] get the message out. And usually when people look at this stuff in this space, right. They focus on the social media content. Okay. What are they posting?

The narrative analysis, the sort of content who's posting it or so on. That's kind of where it ends. Maybe they'll get the domain WHOIS registration or so on. But if you can look at the source code more effectively, if you can look at the individual host, if it's, if you can prove that it's actually the host speaking server in this case, hosting the data, right.

Hosting the domain, uh, in a more technical sense to kind of fingerprint that server and map it out from there, you can find new information. In that case, there was one OPSEC slip up, which you could look at. If you looked in the actual source code for the domain in which one image was uploaded, actually in Arabic.

A similar case, for example, the different domain cyber court domain that I, that I wrote about actually made just some news outlets was you could look at the ETags of the HTTP responses of that given domain on a given server, and then from there, pivot and find affiliated servers with it. Right. So these are things that you use in like threat hunting, mapping out malign infrastructure for cyber operations, that sort of thing, which by the way, I'm absolutely far from the authority on that.

Right. Definitely much more on the OSINT side, technical side of the sort of thing, [00:07:00] but even being able to do like the first 20 to 30%. Of that in an influence operation or any kind of investigation makes it much more powerful. And I can tell you guys, like objectively, I think that this is what we need to notice it currently a broader perspective on tool use.

So I think what many currently have, right. So that's one element of it, which many people are kind of deterred from using, right. I'm, you know, an OSINT analyst. I'm used to Googling things and going on social media on forums and kind of doing it a more qualitative work in a lot of ways, right. I'm not going to get into the technical stuff quite as much.

And it's also a bit harder to learn, but it's not, It's far from impossible and it can be learned independently and it's becoming more popular. Just learning to do the basics there, learning to integrate marketing tools, maybe we'll discuss that a bit. 

Aubrey: Yeah. I want to touch on that actually. Um, that was something you said in our prior conversation that I found fascinating, especially as someone with a marketing background.

Ari Ben-Am: So I can give you a few examples, marketing tools, specifically in the competitor research, right? When you want to investigate, uh, what [00:08:00] your competitors are doing on their domain or in their campaigns or so on are really, really critical. So there are a few different categories that break this down into the first would be kind of competitive research on domains for that you have BuiltWith, which is a commonly known tool in the open space, highly recommend it for anyone doing domain analysis.
It's an excellent tool. It finds trackers, shared IPs in the past, presents it visually, go to the relationships tab and you'll be, you'll have good results. That's a pretty well known one. There are lesser known tools. Like one of my favorites is for example, PublicWWW, which is a source code search engine.

So instead of searching kind of like the regular content above the hood, right, or out over the, let's say, you know, that we get on Google or Bing or Yandex or we happen to be searching on, this searches the HTML source code underpinning every website that you search. And you can build all kinds of really advanced queries off of that.

Right. So marketers use that to find other companies that say, you know, are using certain technologies as part of their domain. So you want to carry out competitive research for SEO purposes or to see what technologies are being utilized. You can do that. And we can use that in an open source investigation to find mentions of certain file names [00:09:00] and source code, or certain other mentions of keywords.

Right. To look up code snippets. If there's a code snippet, that's indicative on a domain that you find to look up domains, utilizing certain technologies, right? Every give me every domain utilizing this ad technology and this web server and this, et cetera, whatever it happens to be, you can do that. And even social media integrations.
So often utilize it for example, to find domains that have a certain minimum number of entities integrated, right. They have links to a Facebook page, Twitter account, Telegram channel, and so on. Um, and then you can build those queries and then kind of daisy chain them out into some really interesting results.

And it's also a really short, it's like 50 bucks a month. So that's a tool that's a marketing tool that I use in general OSINT investigation all the time, but also cyber investigation quite frequently. After that, uh, SimilarWeb is a great one for kind of analyzing domains and their impact. Sometimes you look at an influence operations, uh, domain, right.

A domain and an influence operation. You'll want to see where it's being shared the most. SimilarWeb and tools like that can kind of provide you with that broader overview of traffic going to and from that site. So those are just a few examples. [00:10:00] There's one more. It's maybe it'll come back to me. 

Aubrey: We've had many tool recommendations on the show, but I think you're the first one to recommend marketing tools.

Ari Ben-Am: So I think everyone should be used to them. That's by the way, that's totally neglecting the whole, the whole field of social listening and so on. Right. Which isn't even, which is pretty commonly known, right? I'm not even getting into that. Cause everyone uses those tools. 

Jeff: Right, for sure. You know, Ari, another interesting area when we were talking previously, um, You mentioned you had worked previously in Digital Forensics, Incident Response, or DFIR and that's kind of interesting to me from the perspective that it seemingly, you know, combines two different, two different cyber security, uh, areas of focus, you know, from the investigation side related to digital forensics, possibly dealing with maintaining that digital evidence, and then, um, with incident response as it's, that's in the title.

Can, can you tell us a little bit about, um, you know, what does it? [00:11:00]

Ari Ben-Am: I'm not an IR analyst. I don't get involved in the actual incident response for the most part, right, man, very rare occasions. If I had the chance to really get involved while the incident is ongoing, but afterwards, there's a lot you can do as an analyst.

And there are many cases that I've worked with a variety of providers, right? Where you get it afterwards. So that can be, for example, looking at the given email it used to penetrate a given organization, right? Looking at the headers, checking out where it was sent, who sent it and so on. And then mapping infrastructure from there.

There have been times where it's been comparatively easy to expose campaigns, right? Or if, you know, phishing domains, whatever happens to be based upon those initial things, data points that you see coming in, because threat actors are inherently lazy. Right. So if you know how to utilize, for example, the same tools that you would use an influence operations investigation for mapping out domains and infrastructure, you can utilize most, if not all of those right in your investigations, part of the given incident response, whereas more technical cyber investigations.

[00:12:00] So you can be looking at a specific malvertising site and then use like tools like PublicWW to that, expand upon those. PublicWWW, I should say, right. To expand upon those, to find other instances. Right. You can look up given email addresses that you get, you find from suspicious phishing emails sent in reverse WHOIS tools to find other registered domains and see what's available there.

Sometimes you might come across, for example, those appearing in breach data sets also as well, which you can easily query via business tooling. And so on. I'll shout out to my favorite, uh, breach data tool District 4, uh, over a year as well. The more affordable version of that would be DeHashed, which is nearly as comprehensive, but it's still a great tool.

Uh, by the way, right? So there are a lot of different ways you can kind of get involved in these sort of things, even if you're not the one actually carrying out a given incident response, which again, that's certainly not my skillset. Now what I get involved in doing, but that can provide a lot of added value.

And that's still even then leaving aside, you know, supporting ransomware investigations, getting on forums, the more traditional things that people do. Also, there's a lot you can do with OSINT that IR analysts don't usually do themselves or know how to do or. Simply get involved to do it. 

Aubrey: So you have your own tool when it [00:13:00] comes to investigating on Telegram as well.
Can you tell us a little bit about telemetry data? 

Ari Ben-Am: I do, I have a bone to pick with. The last episode also is 

Aubrey: telemetry data. Did I say it wrong again? 

Ari Ben-Am: Yeah. Telemetry. Telemetry. Telemetry. 

Aubrey: Okay. I'm gonna say tele telemetry. 

Ari Ben-Am: Telemetry is the tool. No, it's good. Telemetry is the tool. The company is called Telemetry Data Labs.
We, we did not put AI in the, in the title, uh, to avoid being played out. Although, honestly, in retrospect, that was probably a mistake. , we probably should have thrown, we probably should have thrown search maybe. Right. But it's, uh, maybe, maybe we'll change it one day. Uh, but yeah, so telemetry is, is a telegram search engine.

I've had a great time developing with a very close friend and partner of mine. And we essentially aspire to be the first real telegram indexing tool available, right? We also eventually maybe we'll consider expanding to other social media platforms and other messaging application platforms, I should say.

But that's our mission, right? There are plenty of tools nowadays that give you access to social media and other data sets online, but nothing other than a few Russian companies provide you with access at scale. To telegram and other messaging and other public data as well. And all, all of our data is [00:14:00] collected into courts, telegram in terms of service, ethically, only public data, right?

All that stuff as well. So you don't need to worry about the ethics of actually utilizing it. That's the basic ability to take public data, say Twitter or any other. Sorry. My dog is barking me in the back.

He's busy making his name is Django. No, we can go get him over here. Django come here.
Um, anyway, what I was saying about telemetry was that we want, we're, we're gathering this data ethically. Here's, here's my dog. Anybody wants to see him? This is my dog. I think this is the kind of thing, this is the kind of thing that people come to these things for, right? Uh, at the day, he's a good, he's a, he's a good boy.

He's joining us in the podcast right now. So I'll let him, I'll let him stay, uh, very good boy anyway. Yeah, I know he's critical to our, our business success. There's no question. We couldn't, we couldn't make it without, uh, leaving that aside. So we want to be the first platform to ethically source and index all this data and make it searchable and affordable price for users.

Uh, you could, there's a free trial available. It's also a freemium version ongoing for everybody wants to use it. [00:15:00] You get five free queries a day. We have over a million groups and channels, uh, over 2 billion keywords, and we're constantly adding more. And we really provide the broad kind of Google style search for telegram, including advanced features like Boolean logic, you know, wildcard searches export, the CSV channel and group analytics.

All those fun things that people really want to have to get added value out of it. So we're trying to fill that hole. I had the idea after Russia decided to invade Ukraine. Unfortunately, And then all of the Russian tools that I've been using simply, I couldn't pay them anymore. That was the idea. And here we are today.

So anybody wants to check it out, you're welcome to. I'm also be able to answer any questions about that separately. So feel free to contact me on my blog or LinkedIn. And I can tell you it's been critical. I have some examples of investigating influence operations on there where you can find Russian telegram channels that coordinate influence operations, breach data, channels that are themselves part of broader networks of influence operations running almost exclusively on telegram.
Whatever you want to find, you can essentially find on there. 

Jeff: We've been hearing a lot lately [00:16:00] of just even different. types of analysts, whether you're dealing with kind of OSINT and, and nation state type scenarios or cybersecurity related items, but just how much is even moving from the dark web just onto Telegram, right?

Not, not that you should give up the dark web as a source, but just that often those conversations are getting quickly moved into the Telegram world. 

Ari Ben-Am: Absolutely. And beyond that, I just would add even that firstly, the dark web migration is very much ongoing for a variety of reasons. Telegram is much more easy to set up securely.

You buy a burner phone number, the cameras and microphone, the chance of you getting exposed if you use it just for your criminal activity is very low. But even leaving the CTI kind of threat intelligence element out of it, the wealth of data that you eat, you want to investigate The Middle East, Latin America, former Soviet states, East Asia, all of these places, the data that you have from there, sort of, you really can't get anywhere else at the end of the day.

It is the application for many, many people in the world. I think it's like the fifth or sixth largest application after Facebook, WhatsApp, TikTok, and maybe Instagram. Uh, and maybe YouTube also isn't there, for [00:17:00] example. It's definitely one of the biggest in the world. And even for general OSINT work, it's critical.

I'm asking, you know, saying else they're following channels and, you know, Africa, Latin America, whatever happens to be, I've come across, uh, traders who follow like local markets and local channels and certain countries to follow, like, you know, it's a copper market or whatever happens to be of, uh, the lithium market in a given area, they want to know if there's a, you know, some sort of issue happening over here for that to be as well.

It's a critical source of data in general. And that's something that we're seeing more and more of leaving the CTI space and then have more generalism space. 

Jeff: Do you think, I mean, since it is Russian based, I don't know, not to malign that. But more so from a question. Um, do you think you'll be able to keep that access to?

Because I can see this your tool being extremely valuable, right? To be able to search it, run Boolean and just a wealth of information. Do you have any concerns that that access gets cut off? So that, that's like the number 

Ari Ben-Am: one question we get asked. And I totally understand why now something to keep in mind.
It's [00:18:00] not actually based in Russia anymore. Durov, the founder of Telegram, has moved to the UAE and it is located there and registered and headquartered there. I believe currently it might've changed since I last checked. So it's based on the beta based out of the UAE currently. Uh, I'm not super concerned and I'll explain why also this requires a little bit of platform dynamic stuff.

They have an open API available that anybody can access and get data from unlike most platforms. Publicly state their transparency. And frankly, I believe them. They've really, they've really stuck with it in the last few years. Even when it's been difficult for them politically, let's put it that way.

Right. So they are committed to this open access and give that access, excuse me. And it's also critical to their business model. Their business model is inherently different than other platforms, which are based off ad risk, right? Free users and ad revenue and how they make their money. Telegram is going to make money off of telegram premium, which is a subscription based thing that you can do.

You can buy it and you get all these different. I think that's it for now I'm putting away. So if you're subscribing to the channel, please make sure to hit that follow button and leave your own feedback. And oftentimes, because of course, if you are subscribed, [00:19:00] you don't get a free interview. You just get a free interview.

And yeah, I don't really care if you subscribe that way, but let me know if you subscribe that way. You'll receive ads in that channel that are relevant for the users, generally speaking in that channel, but not, not targeted to you, right? So there's no added value in keeping that data closed. They also have a huge third party bot and app ecosystem that they're actively developing.

They have their cryptocurrency app as well, running off of it and so on. So it's really critical to their kind of open business model and how they want to operate. And lastly, that other platforms like Twitter and Reddit that have shut down access to their APIs have killed off the third party. In the case of Twitter, especially, right.

Oh, it's an ecosystem and the general ecosystem alongside of that, right. Well, there are certain third party apps or bots and things, you know, really damages the platform and it doesn't really pay off necessarily. Also, uh, we've seen, for example, Twitter has kind of walked back a little bit of their API stuff and made it a bit more affordable than it was in the past and all the, all these things, there are a lot of challenges to be had here and I'm not super concerned.
I mean, we'll happen, but I think that for now we should be okay, [00:20:00] 

Jeff: but that makes a lot of sense. I mean, understanding, uh, just 

Ari Ben-Am: you can tell how many times I've been asked this question just by, I'm going to say that was a great answer. 

Jeff: Yes. I feel like you've been out touring with VCs and investors and you've had to answer that question.
When you, yes, absolutely. Yeah. I hit the nail on the head. Well, before we wrap up, sir, do you have any, you know, final takeaways, um, for the audience on either the, the threat Intel front or on OSINT research in general that you'd like to pass along to our audience? 

Ari Ben-Am: Short of shamelessly plugging my blog. Uh, and my platform and all that fun stuff that I'm doing, which is, which is great.

You guys also have a great platform. I've used a lot of different ones in the past, and I've had the chance to use it in past gigs, so also plug there. So take that from me on me. Uh, beyond that, beyond that, I would just tell, I think that we have in the OSINT industry, a bit of a different path than most people.

What I think should be the case, arguably, this is my [00:21:00] old man yelling off at the kids or something from the, from the porch step, I suppose, but we kind of have this path where everyone gets to know OSINT and then they get a little more technical by learning Python. They get right into scraping. Right. And I think that that's not necessarily the right approach for most people in the space.

I think the right approach for most people in the space would be getting a nose and learning networking, right? Getting like a network certificate, even or CCNA, if you're really up to it, right? Learning that sort of thing, getting into the more technical infrastructure of how that works. And then from there learning Linux, maybe eventually if you're good at all that stuff, getting into scraping and so on, taking a bit of a different approach about it.

Right. If you're in this space, try to develop a bit of a different, you know, niche for you and learn some things that aren't as commonly done. And don't view Python as the end all be all of the space. Although it is great. I'm not a machine looking close to it. That's all I would say, I guess. I'll give myself oxygen.

Jeff: But I think those are really great tips, tips to keep expanding and, and, you know, getting a little more technical in, in how you go about. Conducting your OSINT investigations is, is not a bad thing, so I think, I think those are great, great [00:22:00] tips. Um, Well, Ari, thank you for joining us today. I know it's super late on, on your end, so thank you very much for joining Aubrey and I.
Thank you so much for having me. This was a pleasure. Well, and for our audience, uh, you can find, uh, more about Ari, including his blog and Telegram tool in our show notes. So be sure to check out the show notes and, and as always, thank you to everyone for listening. Um, to find those transcripts and other episode info, visit authenticate.com slash needle stack. That is authentic with the number. Eight dot com slash Needlestack and be sure to let us know your thoughts on, uh, on X formerly Twitter. Aubrey, how long do we have to go with the formerly Twitter part? 

Aubrey: I think we could cut it soon. 

Jeff: You think soon we can go with everyone's just gets what X is, but be sure to let us know your thoughts on X or Bluesky at Needlestack pod and to like, and subscribe, uh, wherever you're listening to today and we'll see you next time on Needlestack.
Thank you [00:23:00] guys so much.
