Hey, everyone, and welcome to NeedleStack, a special live episode this week of the podcast for professional online research. Each week, we bring you discussions and relevant information, and all sorts of things of interest to anyone who's out there using online research for their day-to-day work. I'm your host, Matt Ashburn, a former CIA cybersecurity officer, a current part-time pilot, and a full-time fan of open source research.
And I'm Jeff Phillips, tech industry veteran and curious to a fault, Matt.
That's right. And today's a special episode, as every episode is.
Every episode is special, but this one is especially special because we're taking your live Q and A. We're actually live today instead of prerecorded like we normally are. And so we're taking your questions and answers. So if you're listening live today, that's today, April 12th. And if you're listening, and you want to submit a question, there should be a Q and A box right there on your screen on the platform that you're listening on.
Submit the question if you'd like, and we'll make sure to respond to it and get you the answers, whatever they are, that we might have readily available inside of our heads. Hopefully, we have something useful for you. Actually, to celebrate today's live episode, Jeff, you have something to show off, I think. Right? It's a specially branded coffee mug.
I'm really impressed by this.
I do. Can you see this, Matt? Can you see it? It's got NeedleStack on it.
That is fancy. Isn't that fancy?
Sadly, I think due to supply chain issues, or some kind of conflict or something, I did not receive a specially branded coffee mug. But I took a generic coffee mug here, and so I branded it myself with my own NeedleStack logo with my pen.
I think that's perfect. I think that's perfect. And maybe we can talk to marketing, and we can do something. We can get you one of these. That's beautiful.
There we go. That's good.
I appreciate it. So the audience gets to be curious today versus me. And as you pointed out, they're going to get to answer... Or we'll answer their questions, and so please again, submit your questions in the Q and A box. I've got a first one, Matt, so that's always a good start. And this question has got to do with AI. So what role... They say, "What role can or does AI play in the OSINT intelligence lifecycle? And for all of us in the space, will it replace humans in the medium term?"
Interesting. Not in the long-term, but in the short to medium term, what do you think about AI and OSINT?
Yeah. That's actually a really good question. So there's a ton of information that's out there, and we've discussed this previously.
Lots of information's out there. Technology has evolved to address a lot of the issues that we've had in the past with research. Right? You can get information much faster and at a much larger scale than you ever have been able to do. Right? And so it may be tempting to say, "Well, I can use artificial intelligence in some way, maybe to do some of the analysis as well, or maybe to gain some efficiency." I think there is a role there for artificial intelligence in OSINT, in open source intelligence and online research.
Right? It can collect and scan huge amounts of data, which is helpful. There's also some other automation that you can do as well.
And it can be useful in looking for anomalies, patterns, associations, patterns that may be consistent with a certain desired trait, whatever that may be.
But it can't replace an analyst. There's still a great need to take that data, to take that information, and convert it into intelligence.
And to do that, you really still have to have that human element that's doing the so what. They're performing an analysis of some kind. They also are able to raise new questions and take a look at information gaps. That's something that simply artificial intelligence can't replace and can't really perform successfully.
That makes a lot of sense. Right? So leverage it for sort of the mundane, and to your point, going through the large amounts of data.
But where the analysis comes in, they're not going to replace that.
It's great at sifting through, great at helping to develop leads and use it where it makes sense.
Right? So to gain some efficiency, but it can't replace the analytic piece, and that's what the humans are still useful for. So they're not taking over yet, not yet.
Yeah. I've got another question here. Let's see, number two. Aha, so this is interesting. It says we've seen an explosion in amateur OSINT researchers since the invasion of Ukraine. That makes sense. We've certainly seen a lot of that, lots of folks on Twitter and forums on Reddit, and Telegram channels and everything else, looking for stuff.
Jeff, why do you think that is?
And you pointed to the biggest. Right? So social media I think is an obvious one right there. Right? And you mentioned Twitter. And at this point, I'm getting probably more of my information related to Ukraine and the war in Ukraine from places like Twitter and Reddit than I am from traditional media, just because of all the activity in OSINT that's going on there.
But so what's causing it? So we have social media available to us. I think that allows you to kind of find people that have a similar interest. I think there's a level, in doing things like OSINT, I think there's a level of digital activism that people feel like they're able to come in and make an impact in a significant way.
We're also seeing though, that traditional media companies, I mean, I've seen the word OSINT from places like the various newspapers and the New York Post.
I even read an article where they've established an OSINT division or department to go out and do their own OSINT. And there's all kinds of different media entities like Bellingcat, that we're all familiar with, that are getting a lot of attention in the news now. So people in my regular life are talking about it, so I think social media and being able to find each other and work as a community in sort of a digital activist way is one key reason.
But from another one, I think that's got a huge impact is the number of satellites that are out there, so specifically the proliferation of private companies that have launched and are operating satellites has made that imagery a lot more accessible to the hobbyist, if you will.
They can go and purchase images.
I've seen anywhere from $10 when that satellite's going over a certain place, so in this case we're talking about Ukraine, that you can go out and you can purchase some of these images.
And so we're seeing a lot more of that. There's of course all of the intelligence that's classified, but in the case here of OSINT, there's just tons and tons of satellite imagery that's out there now, where people can get in and look to vet and figure out what's disinformation, what's misinformation, and leverage different tools to geo-locate and try to put together what's true and what's not true.
So I think those are some of the things. So it's been, we saw some of this back in 2011 with the Arab Spring. We saw a lot more OSINT hobbyists out there in Syria in 2014.
But it has taken off, and it's made the mainstream news here, due to unfortunate events, of course, but here in 2022. That's a good question. All right. Let me find another one. This one got submitted earlier. I know our whole last set of episodes was around OSINT.
And someone had asked, Matt. Can you become... I just mentioned hobbyists.
Right? But can you become certified in OSINT, credentialed if you will?
That's a great question. The answer is yes, but not really.
And what I mean by that, I'm not trying to wiggle out of answering the question, but what I mean by that is that there are a number of really good classes out there, lots of really good training. But there is no single source for a certification. Right? If you're a physician, or an attorney, or something like that, you can take your boards or pass the bar, and you're certified and licensed and all those things.
There is no one single certification source for many disciplines, cybersecurity being one of those, also for OSINT.
There is no single certification source, but there are a few courses that are out there and are sort of recognized in the community as being of value in some way.
And there are a couple of these certifications that are out there. Some things that I would point folks towards, I would say would be SANS, the SANS Institute, great organization, been around for many, many, many years.
And they have two courses that are pretty useful. One is SEC, S-E-C, SEC 487, that's open source intelligence gathering and analysis. Think of it as an introductory course for OSINT. There's also SEC, S-E-C, 587. That's the advanced open source intelligence gathering and analysis, sort of a follow-on course to that.
Both of those are good complements, an introductory course and then a more advanced course. I recommend checking those out and seeing if those would be of value to you. There's also a number of organizations like the McAfee Institute, not the antivirus people, but a separate institute that does certification and training on a number of things. Check that out too. I know that they have a certified open source intelligence professional certification, so check that out and see if that would work. The other one that I would think of would be Michael Bazzell of Intel Techniques, so inteltechniques.com.
He has a number of training courses that are available there on his website. And they also have an open source intelligence professional, I believe it is, OSIP, O-S-I-P, certification as well. So there's a number of them out there, like you have with a lot of the professional courses that are out there, so cybersecurity, you have a number of these as well, so similar to that. There's not a single certification source, but many courses that are available, some with certifications.
I'm going to have to look into that, get certified.
There you go.
Let's see if I have one here for you. And by the way, again, as a reminder, if you're listening live today on April 12th, you can submit questions to us in the Q and A box that you see on your screen. Here's one from a caller or a viewer.
First time caller.
First time caller.
We should do that, actually. We need to have a live call in show. Maybe I can give out the cell phone or something and have somebody call. That'd be pretty great. All right, so here we go. Is there a template or way of thinking that you should apply before beginning an OSINT investigation?
So talking about investigations, different ways to approach it. Jeff, is there a single template or a way of thinking? What are some approaches there for OSINT investigations?
Okay. And so I like the focus on the first step.
So people are probably familiar with the OSINT intelligence lifecycle, and there's five steps to that.
But that first step is around planning and direction. And I've asked practitioners this because I'm interested also.
How do you go out and set the stage here? And a number of them have highlighted how important that first step is, really from wanting to make sure you're productive and efficient, so that's a key perspective of taking time on planning and direction, as well as being aligned with other team members up the stack with management before they get started on doing any investigation.
And if I kind of boil it down, there's not necessarily rocket science, but it does help if you lay out a template.
The first thing being: What is the primary question you're trying to answer? What is the key question? If I link this back to, we had the VIP protection podcast, maybe that first... Or the key question is: Do we think anyone's going to actually take action at the event where this VIP is attending? That could be the question. Do we think anyone's going to show up and actually look to disrupt or take any kind of action?
The next, the second thing is: Well, what are important secondary questions? So that's the primary one, but the secondary one might be: Do we know if that person has been out making any noise, that they are going to attend? Do we know if they have any fascination with weaponry or something like that? So what are those sort of three, four, five secondary questions that are key?
So we know what we're looking for when we're out there gathering information. And then the third one, which I thought is interesting, is to make sure you set the stages.
What information would be useful for me to gather, that'll help support others that I'm working with? Maybe teammates, or others involved in the investigation. If you're in law enforcement and you're the intelligence analyst, if it's with the detectives, maybe that's a photo, or what kind of car they drive, those types of supporting OSINT that might help others, might not be directly related to answering your primary question, but you know that would be useful to others involved in the investigation. So I think just setting up, just kind of base it like that.
What is the primary question I'm trying to answer? Are we all aligned on that? What are the important top, secondary questions? And then what other information would it be useful to gather if I come across it for others that are involved in this research or this investigation? Good questions, good questions. Let me look for another one here. So okay, all right, Matt. The question is, the dark web is mentioned as a resource, which it has been, in a number of our episodes by some of our guests in particular.
The question is: Is it illegal to access the dark web?
Great question. So the answer is yes, yes, it is.
There's probably some additional detail that would be helpful though. Right? So many times, practitioners go on the dark web for a number of reasons. Right? But many times, it's for gathering data that may have been stolen in a data breach, maybe for performing cyber threat intelligence, or something similar to that. Right? And this question actually comes up quite a bit. What are the boundaries of this? And is this legal? Keep in mind I'm not an attorney. Jeff, to my knowledge, is not an attorney either.
I am not.
Certainly not your attorney at home.
Right? So even if we were, we wouldn't be your attorney. Right? So with that said, and with that caveat, the US Department of Justice, actually, published a really good guide. So the Computer Crime and Intellectual Property Section, CCIPS, at USDOJ. They're within the criminal division. They actually do a lot of really good work in prosecuting cyber crime. So who else would be better to give some advice in this regard than the prosecutors that are prosecuting cyber crime? And the guidance that they've put out, if you Google this, CCIPS, C-C-I-P-S, and then something like dark web data breach, collecting information, something like that, this will come up.
And they offer in there some general tips. And generally, collecting information in a passive manner, meaning that you're not participating in stealing it or something like that, that is generally not illegal. The other thing that they provide is you must access the information lawfully. Right? So don't exploit a vulnerability or something like that. Don't use stolen credentials to then log into a system without access from the system owner, some common sense stuff there.
And the third thing that they offer was don't access information or do any kind of research by assuming somebody else's identity. Don't use a fake online persona to gain access or participate in exchanging money for things and that type of thing because then you may get wrapped up in some kind of other investigation.
All right. That makes sense. So if you're passive, but you can't fake things there.
Absolutely. If you're going on there trying to find information that's been stolen, and you're doing that in generally a passive manner, where you're consuming the information, that's generally okay.
But as always, consult with your attorney, not us, for legal advice.
I'd like to be a lawyer.
Yeah, I don't think you want me defending you in a court.
I don't know that I would do that well.
Maybe you can take that mug and cross out NeedleStack and just write lawyer on it.
I'll put lawyer on here. Scratch that out, there we go. Good. All right, so let's see here. We have another question that just came in. And let me pull this up here. Aha. This person references, they said, "So the last couple of episodes, you were talking about different use cases within OSINT. Are there industries that you didn't cover that people should be aware of that use OSINT?
Who else is using OSINT that we haven't talked about?" Great question.
Oh, yeah. OSINT is an official term. It obviously started off on the government side of things and under all the INTs, but we're seeing it more and more applied on the commercial side of the world.
So let's see, if I think back to the episodes, Matt, so we covered trust and safety teams, so those individuals that are leveraging online research, OSINT, to protect or help keep online communities safe for all of their users.
We touched on cybersecurity, so OSINT's role there with our guest, Adam, was around cyber threat intelligence and enriching cyber threat information, as well as from the SOC perspective, so out investigating around malware or phishing sites.
And so there's open source intelligence gathering going on there.
We had the session on VIP protection, so that was another one as a category. And we also had a session basically around law enforcement, so that was another area for OSINT, and government agencies and the intelligence and defense communities, so we've covered a bunch of those. Other places where we're seeing online research play a key role, the banking and financial industries, so financial services companies, banks, dealing with fraud, anti-money-laundering types of investigations.
That also leads into crypto types of investigations and dealing with crypto purchases and who sold who what, so that whole space. A lot in the... If I think of general corporate research, OSINT can apply to legal teams, so we know there are legal teams, whether that's intellectual property protection, for example, where they're out investigating anyone that's breaching their rights from that perspective.
There's even on the merger and acquisition front, so we'll see some M and A teams, if they're out looking at certain companies that they might want to be acquiring, and they want to... They're out doing that type of OSINT, and they want to make sure that others are not aware that they're looking at that. There's almost like a KYC type approach, or know your customer, in terms of we see people doing OSINT around partner or vendor vetting. There's of course HR, coupled with employee vetting, but if I think about it from the perspective of someone we may be partnering with or a vendor we want to use, and so I want to go out and gather some information about their business practices.
And the last one that comes to mind, we do see a lot around brand abuse or brand misuse and fraud, things that are detrimental to my brand. I know we touched on counterfeiting in about one episode, so kind of for goods of mine.
But if someone's typosquatting around my brand, or has put out false apps or Twitter accounts, social media accounts that are pretending to be my organization, so a lot of OSINT going on around the brand abuse, misuse types of use cases.
We covered a bunch, but those are some of the others where OSINT's applying, both on the government side and on the commercial side.
That's great, Jeff. Appreciate that. Lots of use out there for open source research, so glad to have that. It applies to pretty much everybody that's out there. Every segment and every industry has some need there to do online research. And that's why we're here.
That's why we have this podcast.
That's it. All right, so looking at the clock here, we're just about out of time. So we got to almost all the questions that folks submitted. To those that we didn't get to, we'll reply back to you via email if you submitted a question today and didn't get answered.
We want to appreciate and thank all of those who attended our show today, especially to those who asked questions. You get extra points for the day. And as always, you can subscribe to our show wherever you get your podcasts. You can also watch episodes on our YouTube channel and view transcripts and other episode info on our website at authentic8, that's authentic with the number 8, .com/NeedleStack. And by the way, our next episode will be coming out on May 3rd. That's the week of Cinco de Mayo. So look for a special margarita flavored version of NeedleStack on May 3rd to discuss the dark web. We'll see you then.