
Social Media OSINT Without the Indigestion

BSides DC · 2019 · 51:01 · 209 views · Published 2019-10
About this talk
By our count, there are 100,000+ security-related Twitter accounts, 2000+ blogs, 1000+ conferences/events, 75+ podcasts, and countless other social media sources. The momentary euphoria of catching up on your Twitter feed hardly alleviates the more frequent anxiety of being behind on infosec “news” when work and life get busy. While there are many tools for aggregating and searching social media content, none of them are designed to identify and extract quality data for a particular topic. Our research shows that only 30% of Tweets by infosec-focused accounts are original content and only a fraction of those provide actionable information.

Are you new to security and want to know where to find the most original and timely social media posts? Do you want data-driven answers to who the real influencers are in our field? What about those practitioners who are doing great work, but are flying under the radar? In this talk, we will demonstrate tools we have built to address these questions and derive contextually relevant value from more social media sources in less time. We will also be sharing details about soon-to-be-available public access to the tools and plans for ongoing feature additions and refinements. With so many people doing and sharing amazing work, why miss out on content that would be impactful to you because you weren’t following the right person, had a busy day, or didn’t have the budget or time to go to a conference?

Mark Orlando (Founder at Bionic)

Mark started his security career in 2001 as a Security Analyst, and since then has been both fighting for blue team resources and trying to automate them out of a job. He has built, assessed, and managed security teams at the Pentagon, the White House, the Department of Energy, global Managed Security Service Providers, and numerous financial sector and Fortune 500 clients. Short on patience and attention, Mark is constantly working on new projects to improve defensive security through automation and other short cut-y things so defenders can be more agile and creative. In 2012, Mark designed and launched a Managed Detection and Response (MDR) service offering and helped to invent an automated cyber threat hunting technology, both of which were later acquired. He enjoys teaching and learning from others but spends far more time doing the latter.
Transcript

we're going to talk about a kind of using your threat model for whatever you're defending or whatever you're doing as a point of reference for ingesting you know information and rendezvous social media and one of the things that I really like it for is its immediacy right really long detailed technical reports and write-ups are great long-form blogs are great reports and other things all very useful right but in most cases that stuff doesn't come with the speed and the immediacy sometimes you know for good or for bad essentially useful now the downside always there I think all of us can understand there's a lot of noise on social media getting back to that low

barrier to entry so our approach with it is to look at it as a very large robust data set potentially not the highest fidelity data is that you know there are existing utilities tools third-party services that you can use to do things like indicator scraping from social media we're going to talk a little bit about that today it's not necessarily our focus you know maintain that separation between personal consumption and working and consumption for your insults were saying you know a really good idea to start to kind of cut through some of that noise trying to get to a targeted kind of following so it's not only about cutting through the noise but it's also about understanding on

what those trusted sources of information are what are those data points that you can use whether they're queries or hashtags or accounts or trends that you can use to to get to that quality I call the information and the data leveraging you know embedded capabilities like lists for channels in some of these services you know and then frankly like just dive into scripting right or the really nice things about a lot of these platforms although the you know it's perhaps not as open as it used to be in many cases is you can do a lot programmatically and I'm sure some of you in the audience that are doing a little bit today if not

a lot programmatically using APIs to kind of mine the data that slice and dice that however you want and that's largely been our approach as well the most flexibility out of it so those are all the ways to kind of manage the overload another challenge that we gotta navigate in this area we ear miss if we had talked about it was bias and there's a lot of really good you know material out there our bias Chris Sanders has done a lot of good research writing about it from a defender and analytic perspective but I took this just kind of a quick overview from a writer Buster Benson Hager bible's the bias cheat sheet these are I

think some of the most common kinds of bias that we encounter particularly in security operations or cyber defense we run into this a lot whether it's dealing with social media or any other data set right there's either too much information which causes you to kind of skip over things or make assumptions or just focus on whatever is most interesting or shiny and any given moment there might be insufficient meaning or lack of context where especially for a short term short form social media you see that a lot of rights leaders throw something up you don't really know what the validity is there might not be a lot of context in it and it can cause you as a consumer to

sort of fill in with the gaps right and again make some assumptions draw conclusions from you know very small dataset not necessarily the best thing for an analyst insufficient time and resources and their connect us at the heart of what we're talking about today what are some of the ways that you can use automation to mine the data and get meaning and get down you out of this large diverse data set and not take shortcuts not burn resources not come out with that's not actionable not quality and then insufficient memory right we're human we can only retain so much information so when you reach those limits it's kind of natural to say well good enough is good enough or disregards

the inputs you've received that's just human nature so these are some of the pitfalls really to analysis with any large data set particularly when we're using social media for those purposes or even just even some aggregation the particular bias that comes into play is availability bias right and that's basically just saying that things that are more memorable come to mind more quickly and they can cause you to make false assumptions about the larger data set right so I'm sure none of us can think of any parallels outside of the security community especially in social media where people just say things and it's a plant matauri and it causes you know I don't know a huge part of

population

okay so I promise in a few minutes we're gonna start to be into the technical part of it Ryan's going to talk about and I'll walk you through this data set some of the things that we're doing to try to kind of get this big beast under control but before we do that I want to just talk about kind of how we approach this challenge and how we incorporate this into security and specifically into security operations and really it comes down to your threat model I think social media is a really good source of information for kind of this external discourse if it's not you're not going to get the transparency that you need you're not going to get measurability

you're not going to have any of your conclusions be aligned to you know the business or what your mission is and if you're not doing that you're just kind of mining the data set just to do it and see what's interesting right you know you have to start off with you have to understand you know how your organization generates value particularly if you're using social media to understand and how people are talking about your organization that you're charged with defending talking about how they might target it talking about threats that are specific to you but might impact you you have to understand how your organization generates value and how that value could be disrupted or hijacked by a party

right you don't understand that probably not the right starting place for doing any kind of analysis much less social media analysis and that's really gonna shape everything you're doing from intelligence collection and applying that intelligence to your operation to picking technologies actually doing your analysis and everything else okay and really that can impact what your news piece is so you know OSINT is a hugely broad discipline and you know we know people some of them are standing in this audience you know colleagues we're using it for everything from you know seeing who's trying to run disinformation campaigns to try to game the system if your business or part of your business deals with you

know online ratings or reviews you know I think a lot of us are aware of concerning campaigns to impact some of those services and sites social media is a good place to kind of mine to understand that you know week stock seeing that kind of stuff understanding maybe where people are registering for example you know whole council to try to socially engineer employees I mean there are numerous different use cases for this kind of work and we're going to zero in for our case study you know really come one specific service and one particular set of use cases just because it is so incredibly broad but we want to just illustrate our approach okay I don't want to move forward

without also acknowledging that there are lots of commercial transport services feeds third-party sites and services public repos news aggregators there's a lot of stuff out there that exists for you to do this kind of intelligence collection or even just analytics but what we found with most of those services particularly where a lot of the social media APIs are starting to be narrowed and more heavily monetized so there are lot more restrictions with what those third-party sites and services can do we didn't really get the flexibility that we wanted to be able to slice the data and so we found that a lot of these you know they're very good for the purpose for which they were built but if you're

trying to kind of repurpose them or kind of more customized intelligence collection or customized information collection that there are quite a few limitations so it just pays to really be aware before diving in on you know one particular third-party service for our research we looked at blogs blogs you know you name a major social media site and we probably kind of looked at it around data set you know Twitter we found was the I think it's not all the most effective right now at least in like a public way but also the easiest and navigate programmatically and so that's about that so as you narrow down kind of where our focus was going to be with doing this

kind of work using some of these social media sites these are really kind of the key questions that we wanted to ask to drive our research and that was where can I find the most the best most quality original information and timely information sorry I'm going to use this word again who are the real influencers in cyber security and I don't mean it kind of like several pictures that were in the slide deck but I mean you know people who really do have something original to say or contribute that can help you how do we find that it's not always about followers it's not always about some of the stats that you know are right there on Twitter or other their

sites we're going to talk about how to kind of get through that to that group of people because there are some that are flying under the radar and so what are the information sources that are kind of under the radar and maybe you know are not going to be trending they're not going to be top fall orders they're not going to show up any of those third party lists or services but you know in terms of ratio like signal to noise a lot of signal and some of these accounts and some of these

- based on the quantity of information but also what we could find at the tail language is the quality of information we took an approach to leverage their API which by far you know suited our programmatic goals they did a mixture of local and AWS based hosts using the EC2 free tier I think we went over a handful months as really they've been going on for about nine months and we probably went over the free tier limit probably half that time to the tune of $6 a month so if we were able to do a lot of data gathering you'll see some numbers here a minute in that nine-month period and we were to do it

at a very low cost and we're also leveraging you know Python shell scripts so little barrier to entry to be able to do that Python was largely focused around existing abilities for prizes not or Twitter's API and the shell was a lot of cleanup focused around prejudice when we started to dig into the data the question became where's our starting point so if you are a Twitter user or you're in security to considering trying to use Twitter as a mechanism to gather information where do you even begin so we kind of took a tack of all right Google who were the top Twitter accounts to operate Google's all too happy to show you 15 blogs that have top 30 top 100 and a

lot of the same themes kind of a little the top some of them you'll see here in a minute but then we pivoted off those leveraging the API you could dig into who's following those accounts but also we knew of some specific accounts that weren't in the kind of blue team and defense malware analysis and IR space that we then looked at who was following them and who they were called so we kind of pivoted in a couple different directions on this and we slowly built this list of 170 plus thousand I think over time over 200,000 either so from there we grab profile information we started to grab tweets in roughly a 200 per user

quantity so for any given user that's going to stretch back as far as two hundred tweets would take us you'll see for our influencers that that range can be you know a matter of days and you know for some folks it's a matter of you so it proved to be an interesting study in that now is that a great sample size when you're trying to assess a given user probably not the best and so an extension of this that we'll have moving forward is broadening the scope over a longer period of time both in terms of number of tweets as far as time and then actually digging in from there and seeing kind of where keyword analysis on

the profiles as well as the tweets validate are these people actually in security because of course security people don't only follow and aren't only followed by people in security so we'd have to then whittle down that massive big stack you know where we have thousands of politicians that were being followed that some cases following they have some tons of media some of whom are more engaged and I would consider in the security community know there's more consumers so having to kind of ferret that out both through profile text as well as actual tweet to get into just because I say I'm a security person the hacker you know in my profile if all my tweets are pictures

of cats am I really offering anything of manner and history so ancillary to all that was actually a little related but extension capability that we built to scrape domains and that sounds like a crawler to touch a single domain page right so into the domain and it's going to go to the default page and it's going to scrape any social media links that are on that page it's not spidering it's not following links on the page so it's a low touch things the asterisk there represent the fact that I did find once I see that someone had their Twitter profile that immediately reported you if you visited the domain to an IP abuse list so I agreed back and forth with AWS

about why they shouldn't be concerned I said really don't just go to the site yourself you'll see in there like now we wanted so you gotta still be careful even if your house create the right one make sure you're on the right side of things so as we dug into this we kind of got to the point of what is you know what is the gravity what we're dealing with if we're trying to get to meaningful content there's no meaningful content tag we'll talk a lot more about hashtags as we go through that everyone uses rate comes in all different shapes all different forms differently a lot of different backgrounds we're going to talk about indicators and defanging of

indicators that people use different tacks there and then you just generally don't only talk about work all the time our specific malware or threat Intel and their social media so how do they actually kind of balance the noise to signal ratio more in our favor it's never going to be eliminated but the key is getting it so it's assumable and this is one of the things that I've struggled with that kind of a goal-oriented person I'd like to kind of check boxes so when I get into Twitter and I'm following even 100 or 200 users and I can't get through everything before it says I have more messages like that to me is a daunting thing and heaven forbid I'm

actually trying to get the equal continent and not just see what the latest you know talking point other people are you know this is they agreed Twitter after chamber so an example of this is as I narrow down the accounts to what we consider really valuable for Intel discussion one SlideShare profile as an example should have four times more than any other and for some reason it was this b2b contacts account that has nothing to a security 2200 I think posted slide shares most of which I think are very short to probably just content that someone took and post it and it's really interesting that this is kind of the thing that still bubbles up

even when you have a refined data set so it's not going to be perfect so the key is if it really needs to get closer to perfect you're going to have to do some scripting it's not gonna be something you're certainly going to do in the Native Client or a third perfect rocket so as we talked about Twitter some user modifications kind of bubble a lot of dick we'll start to see this is kind of what we determined and you know hopefully you know kind of judge those around you judge each other around where our accounts are but the person that we would all really like to focus around as the community so this is someone who's

not only originating some content and sharing meaningful things but they're also engaged in the discourse with people they're contributing you see a lot of this out there and infosec community where people in and even once down to the hey I have someone who's new to the community and they're looking for a job or I got let go and those are beautiful stories that you see people actually engaged to support each other that's that's Twitter to me and it's fighters you know and then you kind of drop off a little bit it's not that these are necessarily bad roles that people can fall into as far as kind of a teacher but you know the scylla box

person is gorgeous types have been kind of just off the system off the grid for about me than they were active for one period of time and either like duck disease or what have you and they kind of go dormant where they never were really active the lurker which certainly important for most of my time it's someone who's kind of just taking it what other people are putting out there again not bad things just different ways of going people who more consume content and then broadcast it back out there again they're getting that message out so about that thing or the commentator is very similar to the echo category where your rebroadcasting content but you're

typically offering some kind of commentary more than just kind of like the arrow pointing down this and then the last one they had to kind of hard work we had in there but we do see evidence-based results where people are taking other people's tweets repurposing that doesn't show up as a retweet it doesn't show up as a quote it just shows up as original content from that person when clearly it is an exact same tweet least all frequencies from so on and so that's disappointing sometimes that can happen just in the course of kind of cutting pasting and doing all that I get but if you see it repeatedly together I'll breeze through this I don't need to

educate on Twitter the first four categories really are your standard when you get into read reading yourself that's where people are generally building threads where one tweet is not enough to kind of cover a topic and there were some one engages them later and they go back and they respond to their own original tweet to clarify some things so that's where thread building really to our site let's reply so we're tweeting yourself is more just kind of like hey I said something important did you visit I haven't seen a lot where it taped by my book right even our communities a fair bit of that quoting yourself again that's kind of doing the same thing as retweeting but you're

actually adding some new thought and said this is two years ago they're still relevant and then the manual retweet is really what that category was built on so mark talked about bias you know in everything we do at least there's some element of bias that comes into play we wanted to acknowledge that in this research just nature of the forest in our original selections of where we started with the accounts and then the resulting accounts that were followed we ended up with mostly English-speaking accounts you'll see results that go outside that but it's not a 12-ounce global study keywords and phrases that we did a lot of searching based on our well known things so this is not originating new

keywords it's not at this point doing natural language processing to identify if you see lead in text the next phrase might be somebody when our family that's where we'd love to be that's what we need to be that's not what you're gonna see represented so it's known knowns in a lot of cases that we search for even at 25 million tweets that we collected it's small sample size you know that really isn't that much content and then of course there's always the data so as you grab these keywords you'll be roaming not so surprised at just how many other instances of these keywords you know if we're looking for raging panda it's shocking how many people go

to the zoo is described what they saw is a raging we'd like to think that there's Twitter info good for a sec Twitter right now that's its own domain but that's not the case right because all our stuff gets cluttered up with our ways so what do we do the most recent data set that we originated what you're going to see in the slides came from some work early this month we wanted some currency so we have 25 million half million tweets be collected I coming from 177 thousand profiles we leverage 2220 somewhat generic security keywords and phrases many of which we'll see earlier slide as well as there's the APT Google spreadsheet out there that

kind of talks about actor campaigns actor tools and actor groups and general names of all these things we collected turns off the air time whittled out the stuff that we knew was going to be way too noisy and leveraged a bunch of those terms to again see who's talking about the things that people would generally consider it really interesting and then you're going to get ancillary benefits my father so what did that result in out of those thousand sixty eight terms and keywords we got about five million tweets traits you can imagine that infosec cybersec malware like the more generic terms made up the brunt of that so as we kind of cleaned up some of that noise we've got

a hundred thousand comprised at thirty four thousand users then we did on dug it a little more closely on just the APT terms have eliminated a lot of the 224 generic terms and that got us down fifteen thousand users and finally we said who who's using more than one term in these two hundred tweet samples when we got to about sixty seven hundred eighty so we said okay like that's a cool we can work with more flows as we looked at those users we looked at only their original tweets so we didn't want to catch stuff that they were rebroadcasting over the last 45 days to again keep a manageable data so and we looked at who they were Matic who they

were what they were hashtag the URLs they were embedding as well as other tweets or other traits of lizards what does it look like when we actually dig in so we pulled that data yeah India does not serve data like this you've got a tweet at the bottom that's how you would see it in your browser what you're seeing up top is basically our our flat file data store of that same tweet so why the why the delimiter count till pound goes back 15 years where we were be in data sets that's one of the few things I've found that would never show up the URLs or other data that we were working with so it just

worked and it just levers up for it highlighted a couple things one starting around where it says wrote a post to migrate so that's the main part of the tweet text to end of the second line you'll see that Twitter takes every URL and Twitter shortens it to t.co they do provide the opportunity I to pull back the actual URL so you can have those and they separate those with their own delimiter today till greater that they do the same thing with the hashtag so they don't they don't encode those anyway but at least you have those in separate field really makes digging into the data a lot quicker it's kind of going back to that

influencer discussion cooler the most following people so just based on profile follows you know we have these twenty photos I apologize for the folks in the back sadly I have to say the pod2g was not on my radar at all of your apology a lot of discussion about iPhone exploits certainly a year two years ago so not something that was a focus of me professionally personally but you see the range for the most recent two hundred tweets from pod2g the range was 1980 I did right so not a lot of tweets spread over finals by comparison if you dig in I think the shortest one we have there SwiftOnSecurity as well as Lesley Carhart

hacks4pancakes for days to cover 200 tweets now that's every time the tweet right this isn't just original content in this case this is every time between replies quotes you man so in oh by the way all of the slides as well as all of our bran data as well as analyses as well as kind of tips on how to recreate what we did all going to be on GitHub that we're sharing it's not there at the moment we'll be as we start rolling out we're going to put up there for people to have that as well as the scripts to recreate this entire car so some other things kind of highly Shire maybe more of the snow so parts

were the original please so I'm not a bad thing you know you're gonna get Percy people value their you've got some folks who are more Broadcasters about this content either side of the are retweets method you've got folks who are more engaged without to the endlessly Carhart Dan Kaminsky with the high levels applying to other so again all kinds of different personality types represented here as well as the number of views in the community for over hundreds of thousands of hours so as we looked at tweets and kind of from a defender mindset which we are come from historically how can we derive value right so the most obvious path to people go to or you know where can I get

indicators that's just where people naturally fall how can I collect more things to go plug into my SIEM to go hunt forward to find out I've got great you know they're probably one one-thousandth of indicators is that direction useful to any given person any time certainly without any context so that's really not where we want to end up the goal there is actually probably to have that analysis to understand what are the actor TTPs lairs behaviors I could start to build rules and logic around for my cinema store or other platforms and actually start to detect these things regardless of what the indicators are the infrastructure is all going to change so some people are

actually tweeting more that top level where we're talking about Sigma rules we're talking about YARA rules so that was one of the focuses that we had was going to how do we get more to that actual net result so again there's a lot of ways you can get to that you can do keyword searching you can do hashtag lookups you can try to just carve stuff out of rock between not something you're going to do in a Native Client but we found that both cinema space rule as well as the RS based rule great case insensitive provider to learning relevant stuff with very low noise that's not to say if you then go follow those accounts you're only going to get

signal they're going to get whatever the ways is going to come along with that those are very conservative to go into a native Twitter client if you want to if you got some value coming out you have to signal area our rules those are searches that you can do that are probably going to have a lot less false positives that you're going to find other places as you get into blogs on it so you're going to write up into this kind of coming off the side for Twitter but then you look at folks who are writing good content in a blog their Twitter accounts tend to net go when that content is available as well as

some findings actually in there so another great source to to have those right as well as getting into indicators bra announces easy gear in theory to come by looking up certain types of attacks such as c2 : IOC : or specific keywords for malware families if you look at MJ rat scum box Twitter account that's going to come up in this you're going to see them they skewed everything because they use not only as a c2 tag but they also use an our family so they they show up as really high as well as looking at sandbox URLs so if you're interested and kind of seen what's going out there at the sandbox bro there's a lot you can do

to search there's a lot to actually get more here so what are some actual numbers so over the last 45 days of content we've kind of trimmed our contact number down to keep it current again looking at only original tweets you see some basic numbers around a few searches so you got 331 Ed's for YARA 74 Sigma out of those 250 different users made up that 401 hands and then there were three hundred seventy four metal URLs right typically when you get it on a YARA or Sigma phrase the URLs are not you know go shopping it's something probably a write up URLs the last 45 days as far as those tweets now we're pretty good garetty noise honey better

BT better with the number attached to salmon security threw this out there out of those URLs what was being linked you see some VirusTotal cybercrime is a big player Sigma little space GitHub accounts tons of people are moving yup we're social bottom ranked and say who think there's people for a number of years so it's certainly when you're getting into YARA another whole logic write-ups other things GitHub is huge we're going to dump a whole slew of GitHub accounts at first probably gonna be more what we're going to look to do is actually navigate those and bring them down by discipline and so all of our content that's where we're looking to go

is actually that people go okay so looking to get deeper so speaker - speaker broadcast we're going to have to give up kind of tie back to those things if you are focused on IRC something it's you know all things so that in mind trying to keep those numbers down when you look at any of indicators which is a great way to keep them from you know red flag finding our systems I don't need be aware of the most common thing for seeing our bracket theory is bracket bracket of d bracket HS XP right so the simple ones there the taxi to and I see you see some numbers around the volume use they're very similar numbers so who

is using those things come up? So again we have two hundred tweets back from every account, so clearly we're getting some redundancy its guards no that's okay, and that's coming from both these C2 as well as penny. You see the number of other good accounts and are pretty good signal accounts. If you want any thought we've got listen see later that are tagged or tied to my further down. So you look at those clothes I recommend the one that is tied to this is you're probably going to get a little more noise; you go to the one that's actually focused more around the Yara and Sigma rules. I would actually do those searches. It's a little bit

different when you look at activity and really generic sort of hashtags. Early on he's trying to get into our families, and those can be done hashtag RAT; your mileage may vary depending on the country, you know, we're gonna be valuable to that end. So this is, the scale is based on prevalence he weren't. So this is largely the APT Google's Richmond spreadsheet terms. Extended some things is you de APT one, two, three, four all gets you, because if I search for those I'm going to catch 11 through 19 as part of APT1, right? So even the 11 it makes you want their own numbers, but APT1 will be the collective coholic because of Health the

regex Wernick. Even in scripting you're going to run into some Chavez there. Fortunately there wasn't too much noise out there for fancy there, but there's a lot of men on you technically found out they're looking in sandbox. I thought this would be an interesting so probably want to say 5, 6, 7 or sandboxes that are alive out there, probably more than that; they're not waiting tweeted about certainly memories. So over the last 45 days, left two columns kind of covered sandbox mentioned; the right side is across the entire data set. So again, interesting note was recently anyone is coming in about seven or twenty mentions barstools historically my result was much higher than native on so

I don't know if this is a trend or between war to anyone as far as, but it seems like at least that is for the kids. You also see some orange ones down the bottom that we're doing for specific analysis around Android, PDF, et cetera; those are kind of dropped off the radar. There's some country specific ones. Well, there are probably many more, but we didn't hit our user base our ability to get through translations. When I talk about generic search terms, one of the things is relative power you know any media story. So these things all value keywords here, or the ones that are hiding, it's things like rent money ones that are I'm gonna make all this

available. This is important your Bible to be very aware of: searching for a hashtag valor, certainly it's going to bring back friends work. I think the peak for hashtags one tweet that we have this is not point there, but there are a number of hashtags are not this protected well is very quickly poison. So, you know, the means by which person and I could if someone started to leverage hashtags surrounding what it is I do. You know, so I don't want people creating yard I'm sure that there is one Yara who knows you're a fan following her and posting pictures hashtag Yara. Trust me, you're going to get a lot of points try and service them. So person equality does

show up. Things overwhelmed for Sigma; apparently Sigma is something having to do with camera equipment serious wealth

so kept circling back to our well-known friends. How did they look at those kind of 220 malware or security keywords as well as the 800? You see the left icon, we got some decent kids, you know, some surprises and how low the numbers are. But when we talk about things again from a defender perspective, a level of technical acumen as far as when you're doing your day to day work and what you're actually sharing, the relevancy it's really so in context. I'm not even sure attached the party to two additional write-ups and those not a whole lot of discussion; your focus is high-end research against advanced threats funny about you try to say so one of the

things I believe mentioned that there is no top-level people share, but what we're seeing, we're gonna work to try and help shape that and change. So kind of a line for Josh: this is an example if he really started to get going on Twitter and blog post the work is doing, and as part of that one of the people responded, maybe by the way so the bracket seat bracket if you're gonna say indicated wrap upgrade bracket you two will just Auto you just take the brackets off it'll just go. And so Josh quickly changes behavior. So we're seeing some good kind of feedback to help shape things. I think if we've got two more standard tools we're able

to work with things like prime indicators. What would be really more helpful is if you're going to include in the computer's various types to use certain labels or tags we're not going to allow that well it's good. So we're seeing a lot of positive peer pressure to get us. Okay, so just to kind of wrap things up: you know, hopefully we've kind of highlighted some of the differences in terms of your formats and use cases and all the data consumption between kind of these or non-standard social media data sets and something like feed that might be in a very standard format for programmatic. You know, for us ideally be on the defensive side of things

for some discussion all great, but I really you the day I want to get as fast as possible to information it's actionable for me, that I can use to dump straight into my operation, whether it's, you know, rules like Ryan said, playbooks, you know, queries, hunting methodologies, things like that. So, you know, we're gonna be sharing, as Ryan mentioned, a bunch of resources I think to kind of help folks do that. But once I get my, you know, my list down of sources that I trust, of queries that have very high fidelity, good signal-to-noise ratio, you know, now what do I do? And really this is where you can kind of pivot and turn into you

more traditional, you know, cyber threat intelligence operationalization processing kind of workflows. You know, prioritize the intel that you have; you know, validate it, contextualize it, pivot if you need to, create those con, those pieces of custom content, those playbooks, so they can be operationalized kind of in your technology, and then ideally, you know, share back. I mean that's the great thing about these platforms, sometimes is a great thing, you know, you can share back with the community. Hopefully with some of the data points that we've shared today, those of you who are, you know, posting research or posting indicators or posting other, you know, analyses, raw data, you know, there's some kind of more effective ways to do that

and maybe less effective ways to do that, where you can reach, you know, a broader audience and kind of get the most feedback. But hey, you know, wouldn't be a party if you guys didn't leave with prizes. So we're gonna be posting, like we said a few times now, a lot of, you know, data from some of this research, some of our scripts and queries, follower, you know, lists, resources to the Bionic GitHub. You have to, you know, get it clear from legal and export. No, that's true, we just haven't done it yet, but we'll do it very shortly, probably in the next 24 to 48, 24 to 48 hours. 18 gigs of data in the

raw, so a lot of the stuff will get out there by tomorrow, and then some of it's just gonna take however long it get up to accept that, right? You know, in addition, one of the things on Ryan's Twitter, he's got, you know, Twitter lists of followers born out in large part of some of the research we've done here. We sharing is that social scraper for domains that he mentioned, where you can pull out in all the social links without spidering entire web sites. You know, just little things that are kind of handy to have. We've talked a lot about Twitter today, again principally because it was the easiest to kind of illustrate, you know, kind of digging through the data

set, and there's a lot of, like, interesting data there to look at. But also, you know, we found, I'm sure I don't need to tell many of you this, you know, there are a lot of great Slack communities out there. That's another fantastic resource people don't always think about, don't always look at first. A lot of those are kind of closed-door, invite-only, but there's a lot of good stuff there. You know, news, news aggregation sites; here are some examples of some that we find particularly valuable in terms of, like, aggregation and providing actionable information. You know, even now, like, Twitch is getting into the game with a lot of, like, instructional kind of tutorial kind of

videos on there that are really good. So if you're kind of in that social space and you're interested in pursuing that more, or, you know, looking for more resources beyond going into Google and typing, like, "how to cyber", you know, or something like that, there's some lots of good resources out there; here just some examples. OK, future plans: you know, we're gonna kind of continue this research. I think there's a lot that we could do here that we just haven't gotten to yet, because, I mean, quite frankly, there's so much data and there's so much stuff and there are so few standards in terms of how, you know, our little niche is discussed and presented. You know, there's, that's

kept us busy for quite some time. But we're gonna continue to maintain the projects, and part of, you know, us sharing them is obviously we love contributions and collaboration, but I definitely plan to continue making refinements to kind of what we're doing and making it more specific and actionable. And so, you know, welcome you to come find us. We're also on Twitter. You know, my feed is one of those mixed, you know, you're gonna hear, like, InfoSec stuff, be like "I watched Watchmen last night, it was awesome", and, like, you know, there's gonna be all kind of stuff. But yeah, feel free to hit us up and ask any questions either now or later.

Thank you very much for coming out today. Thanks.
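Two points from the talk, shown as an added example that is not the speakers' code: indicators posted in defanged form (bracket-dot-bracket, hxxp) need normalizing before they can be matched, and a search for a low-numbered group name also catches the higher numbers that start with it (APT1 picking up 11 through 19). The sample tweets, group list and function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample tweets; hosts use reserved example names and TEST-NET addresses.
TWEETS = [
    "#njrat C2: hxxp://198.51.100[.]7:1177/gate IOC: evil[.]example",
    "New APT10 write-up with Yara rules hxxps://blog[.]example/apt10",
    "APT1 infrastructure overlap, C2: 203.0.113[.]5",
    "Tracking #APT19 and apt1 tooling again",
]

# A whitespace-delimited token counts as a defanged indicator if it contains
# "[.]" or an hxxp/hxxps scheme (the two forms named in the talk).
DEFANGED_TOKEN = re.compile(r"\S*(?:\[\.\]|hxxps?://)\S*", re.I)


def refang(token):
    """Turn a defanged indicator back into its matchable form."""
    token = token.replace("[.]", ".")
    return re.sub(r"^hxxp(s?)://", r"http\1://", token, flags=re.I)


def extract_indicators(text):
    """Return the refanged indicators found in one tweet, in order."""
    return [refang(tok) for tok in DEFANGED_TOKEN.findall(text)]


def mention_counts(tweets, names, strict=True):
    """Count tweets mentioning each group name.

    strict=False is a plain substring search, so "APT1" also hits APT10-APT19.
    strict=True requires that no letter or digit precedes the name and no
    digit follows it.
    """
    counts = Counter()
    for name in names:
        if strict:
            pattern = r"(?<![A-Za-z0-9])" + re.escape(name) + r"(?!\d)"
        else:
            pattern = re.escape(name)
        rx = re.compile(pattern, re.I)
        counts[name] = sum(1 for tweet in tweets if rx.search(tweet))
    return counts


if __name__ == "__main__":
    groups = ["APT1", "APT10", "APT19"]
    for tweet in TWEETS:
        print(extract_indicators(tweet))
    print("substring:", dict(mention_counts(TWEETS, groups, strict=False)))
    print("bounded:  ", dict(mention_counts(TWEETS, groups, strict=True)))
```

With the substring search APT1 is credited with every APT10 and APT19 tweet as well; the bounded pattern separates them.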