
All right, thank you guys for coming out here. This is going to be kind of a short and sweet talk. Um, the purpose of the talk is to go through and educate people how to get either more involved with open source intelligence in regards to the company that you're already working for, or transitioning from where you are into an open source intelligence role. My name is Michael James. I am one of the founding members of OSINT Curious. I'm also the director of cyber intelligence and analytics for a company called complex out of Virginia. Don't let that scare you. Um, so really I, the, the reason why I want to go through and give this talk is because I
do the OSINT Village every single year. Do we want to shut the door? I, I don't care, but I just, I don't want to call it the sound of a preparation. Thank you so much. Uh, peaceful, quiet. Um, so yeah, uh, like I said, I, I started my career in 2013, uh, with open source intelligence and getting into cyber. Uh, actually in 2003 I discovered what open source intelligence was, and I was the first person in our financial group, uh, because I worked for a fintech company out of Olathe, that started using social media to go through and investigate people for the purposes of risk, fraud or either collection, because we had to go through and do our own first party
third-party collection. There's nothing like standing up beside somebody's house and stealing their car as a repo agent with them having a shotgun on their front doorstep. It's a, it's a good time. So we wanted to mitigate some of that risk, and by going to certain profiles and seeing what they're into, what their interests are, whether they're posting they have shotguns, it gives us a little bit of preparation before we go through and do anything. Again, everything with OSINT that you do is, uh, manage your scope, understanding what your role is, and then actually saying what you do before matters. So if you're going to go through and pull out your scope and you know that it's something that you're
going to be directly investigating, probably want to get a sock puppet between you and your target, regards that stuff. If it's something that you have to have direct correlation or authentication, like a social media platform where you have to have like a telephone number, like Telegram, it's something that you want to go through and maybe put some distance between your telephone number and a sock puppet telephone number. So all that being said, I have a couple years experience in regards to doing some open source intelligence, um, and what I really wanted to go through and do is kind of share my experience in regards to working for a fintech kind of company that had no
business being in security, but we use open source intelligence to go through and to mitigate risk, fraud, other things like that. It actually started back in 2014, and I brought to the attention of the people who were the executives at the time for the company and I said, hey, I'm very interested in cyber security, I, I'm very interested in regards to attack surface monitoring, passive threat landscape, all these type of things that are kind of evolving, and you've seen from 2014 to 22 what we're dealing with in regards to ransomware, malicious actors, phishing, things like that. Um, so I said, hey, with little to no budget, if you give us scope, direction and time, we can actually go through and
help do something, whatever you want to go through and do. And they said, well, what do you want to do? And I said, well, it's not what I want to do, what is it that we can go through and help you with? Remember, open source intelligence is always about answering a question that comes from leadership or a stakeholder. The reason why we do this job is to go through and not to use fun tools and be cool, but is to answer questions and help direct either budgets, roadmaps or timelines in regards to what other people need to go through and accomplish. We're there to go through and solve problems and answer questions. We're not there to go through and make decisions
or budgets. That, that's, that's leadership's job there, right? So what we wanted to do was to reduce risk, because we had an automated platform for, I think for, we, we did a lot of credit lines back in the day. For the fintech company we would be essentially the guarantor for credit lines, and they were unsecured credit lines for fuel or they were secure credit ones for like, uh, Best Buy and other commercial applications. Because we had the web platform, it was an automated, like a kind of a form that would fill out and they would process it, and we had an SLA to go through and get them back with a result, whether they got
the loan or they didn't get the loan or the line of credit, within 24 to 48 hours, something was. So it's a pretty fast turnaround to go through and to check on someone's credentials when they're spamming with a lot of the fraud investigation stuff. So what we did was we actually would run through public services like credit bureau checks, uh, public search engines like ThatsThem and TruePeopleSearch. Uh, we were able to go through and to identify and flag any of the accounts much quicker that would need either secondary runs or to go through a look at this, uh, as, as an additional step of verification. At that point we would go through and tell them
they need to go through and submit to like a phone screening or an SMS thing, and a lot of times that was enough to go through and put people off, because they didn't want to go through and interact. So within seven months we were able to drop fraud by 25 in two programs, so it was pretty impressive in regards to that stuff that goes guys.
Uh, so the, the point is that if you have the passion to go through and put open source intelligence kind of to its test there, then it doesn't matter what the goal is, but you have the ability to get inside your own organizations right now to go through and kind of talk to leadership. If you're in a security role you can definitely go through and say, hey, we want to go and spend five hours a week doing open source intelligence. What does that mean? We want to go through and develop a program to go through and answer a question, because like I said, all open source intelligence is based upon what question are we trying to
answer and who's the stakeholder or the leadership, right? So for those who just kind of joined, my name is Michael James. I am one of the co-founders, or one of the original members and co-founders, of OSINT Curious, that's how it's, it's the domain. I'm also the director of cyber intelligence analytics for a company called the complex out of Virginia. Uh, and really, like I said, I just want to go through and kind of talk a little bit about what you can do today to go through and kind of get open source intelligence in regards to your corporate infrastructure. And again, it all kind of starts with, you can have all the tools, all the trainings,
everything you need, but what are you, what's your scope, what you, what are you actually trying to go through and either prevent, understand or identify, right? It is, uh, it is very noble for a lot of people to go through and say, I, I'm working for this company, we do widgets, uh, and I want to go through and monitor all the attack surface. Good luck. Like, one person doing something like that is not feasible. So scale back the actual scope of what you're trying to do, right? If you want to go through and build an asset list from an external vantage and then mark those things that would be drive-by opportunities for malicious actors,
that's an excellent step. If you can go through and pattern your entire organization and say, hey, why do we have 33890, why do we have 636 open, why is LDAP exposed to the internet? Probably shouldn't be there, right? There are very minimal things that we can go through and do to increase security so that we don't look like a target of opportunity in regards to the business community. So it's something where if you can take the open source tools and the methodologies and even some of the trainings that we do, OSINT Curious does, Joe Gray does, all the other people who are in the community, even just joining the Discord to go through and learn more about what you
can do is very helpful. But again, start small and start bite size. You can always scale up in regards to your output, but you can't go back and say, well, I'm going to go through and find out who the, where flight was at, 437 or M37 or whatever, that fell over in Ukraine because a missile hit it. You know, uh, you can't go through and do that. You're not going to be able to go through and scale that. It's not going to be a successful thing. Uh, one thing that I always encourage people is if you are serious about trying to open up a line or a, a business unit or an OSINT cell essentially,
whether inside your organization, talk to your leadership first. Find out if you can click and carve out the time, because if you do it off hours, that's fine, you can do that for personal, but I wouldn't go through and let your company steal your, your personal time for that stuff. But find out what they actually want to go through and have solved. They may have a supply chain issue and you can go through and look at that for business intelligence, or they may have competitive analysis that they want done. That's all part of open source intelligence. If I can go through and tell you the comparative analysis between Aldi and Hy-Vee, it may not be
super attractive to a lot of people, but it is damn in your bottom dollar things that, that will, that will help. Hy-Vee's now a 13 billion dollar company, whatever, in seven states. So if you want to go through and say what Aldi is doing better than them, it's probably something that will stand up and take notes of, right?
Um, so again, this is a real quick kind of 20-minute talk over, so I, I really did want to go through and spend the last couple minutes answering questions if anybody had any. But the, the crux of the talk is really, anybody has the opportunity to start learning, start training and start doing a single focus in regards to open source intelligence: gathering the information, taking it and resolving it through critical analysis, and producing something, right? You have to produce something for your stakeholders for them to go through and stand up, take notes. You can go through and spend nineteen thousand dollars on a product or whatever that will help you automate some of that stuff, but the
point of this is to go through and go with shoestring budgets. So maybe a couple APIs, maybe a free version of SpiderFoot, maybe something else that you're actually looking to do, and then having desired results, right? And you can always pair up the findings, you can always get more fidelity in regards to what you're finding, or even add on layers of things. So again, if you're talking about supply chain management, you can find out who the vendors are and where the shipping rounds are kind of taking place. That's a huge thing right now. Even if you were to go through and give a daily or weekly update in regards to the ports that are closed in China
and in the U.S., if you actually have a supply chains that go that way, that would be a huge thing, because then you're putting that information in front of them saying, hey, are you aware that our main supplier out of, uh, Shanghai, whatever, is on a three-month delay because their boat is just sitting in the port and they've been able to go through and unload and reload? Maybe we want to talk about that in regards the funding alternative streams of X widget, whatever it is, right? It's always going to be about answering a question, but then producing a result in regards to something that is actually efficient, something that actually will go through and help move the product either forward,
uh, we'll go through and get it out of harm's way, left of bang, we like to say, or it will go through and give us insights into something that they were originally thinking about. That's kind of about it. The Open Source Intelligence Village is right down the road here. I'm happy to go through, answer any questions. If you don't want to talk about questions here, we also have a CTF, so we'll be doing a lot of that stuff. I'm also local, so if you ever want to ping me, I'm here in Kansas City. Um, Eric and I said I get a hold of me, Twitter knows how to get a hold of me, LinkedIn knows how to get a hold of me,
so it's all good there. I don't have a bad signal yet, but that's working. Um, what questions do you guys have, or is there anything I can answer in the last five minutes of what we have here for kind of this Village talk here? So would you mind sharing a lesson to learn from your successes since any other program, and possibly a failure from setting up that? Sure, yeah. Uh, the failure I'll start with, because I like failures. Failures are very easy to go through and identify and then, uh, learn from, and failure is a big one with this overscope. Like, I want to go through and do the moon and the stars. I know, like,
Nate and I originally, before I even started with this company, we had an idea to go through and do an open source project called dossier, which eventually moved to something else, whoever that we have to go through new, but the scale and the scope and the people we had involved were not to the point where we could actually get it done with just us, right? We had multiple people that were trying to get into the project, we had really big ideas. I had a [ __ ] at code, still am, um, but I was the guy was giving the ideas and I was like, I could just push all this stuff through, but it wasn't, it
wasn't achievable, right? If you had 10 different things and you can only go through and do one in a week, you know, you just got scale back. Uh, now, and, uh, in complex we call it above the green line. You have all these great ideas, but you have to go through and draw a line that delineates what you're going to get done, what are future 2.0 update, some things like that. In reverse, of successes, like I said, we've done some amazing things for other companies, uh, in regards to what we've done. Like I said, there was a, a high value target that we're looking at for a company, and they were a CFO of a
company, and we went through and scraped the page and found out that they took their own photo with their own iPhone inside their own house, and we could actually geolocate to their kitchen where they took that photo, which was a lot of fun for us. They didn't show up any of the metadata, any of the EXIF data, any of that stuff, whatever, they just put it online. So a lot of people are scraping that, and then she becomes the target of opportunity, because now it's a physical threat, right? So there's a lot of stuff that we can get into like that. Any other questions? Good, everyone else knows everything. What time is the OSINT CTF? Good question. From
noon to four. So I know there's like 75 CTFs today. Uh, ours is pretty basic, it's very entry level, it should not go through and get better in, uh, any, any sort of panic attack or anything. It also requires nothing more than a browser, essentially, to go through and kind of do this stuff. Um, you may be able, if you have questions, we're there to go through and help and give, give pointers. It's hosted on CTFd, which is a pretty, pretty good platform and all that. Um, but yeah, the, there are prizes for the top three, so you know, play, play with what you want. Did you have a question there? Anybody? No? Okay, good. Could you
tell us a little bit more about OSINT jobs? Sure, yeah, sorry. If for some reason you don't have an opportunity, or if you're done with the company that you're working with and you really want to migrate to an actual, uh, position inside her that does focus on open source intelligence, uh, Lorand Bodo, who is part of OSINT Curious at one time, actually just came out with this about a year ago, and it's osint-jobs.com, or there might also, he might own osintjobs.com. Uh, it is hand-picked, uh, it is not scraped, it's not auto-generated. These are all companies that work in open source intelligence in regards to business intelligence, national security, uh, or even, like I said, competitive analysis.
There was somebody, um, who used to come to BSides, can't say, I don't know she's here now, she worked for AMC, and her job was to go through and check the internet for anything that had like an AMC badge on it or AMC shirt, especially if it was like porn related, then they could go through and try to get that stuff taken down, because that's brand monitoring, and that's all part of open source intelligence. It's just the visibility in regards to all that stuff there. So yeah, osint-jobs is for people that want to go through and move into a full-time career for this stuff. Uh, OSINT Curious, like I said, we have a lot
of 10-minute tips, we have a lot of blogs, we have a lot of other, um, you know, trainings and things like that that can help with that. That's pretty much my time, and somebody else, that's the last question. What kind of training event or certifications do you need for the same jobs? So right now, because it's pretty new in a virtual field, I mean, we're really, for the cyber intelligence side, we're really less than 12 years old, I think. You know, pen testing and other things, appsec, that's been around since the 80s in regards to some of the early stuff, right? Open source intelligence comes essentially from the military background, and it was essentially for
gray literature and to go through and kind of protrude movements. As everything gets interconnected and all this stuff, we've developed a lot more robust systems, kind of look at that stuff. I will say you don't need anything. Like, when we hire people at complex, we don't care if you have certificates, we don't care if you have a college degree. If you have passion and you're looking to go through and do this stuff, and you can be responsible and you show up and you get the [ __ ] job done, then we can teach you damn near anything in regards to it. But if you want a leg up, if you want to go through and have a solid foundation,
SANS does some really good courses, they're like ten thousand dollars of course, but SANS 487 as the intro for OSINT, and you can get a certificate called the GOSI, it's the GIAC Open Source Intelligence badge. There's a, there's an additional one called SANS 587 that just came out, it's for advanced, uh, open source intelligence stuff. Uh, and then there are other people. Myself, I do training here locally in Kansas City, so if you're a company that wants to go through and have me come out, I'm happy to do a full day or a full week. Uh, Joe Gray does some amazing online stuff. Um, OSINT Curious has a Discord, and there are a lot of places where we do post
trainings, or we will actually go through and do trainings virtually. So if you're interested in that, please reach out to me either in the village or host it or on Twitter, and I'm happy to go and get you a list of people that do really good stuff. And I would say there are some people who teach OSINT but don't know OSINT, so it's really tough to go through and delineate between the people who are selling you a, a good service versus, you know, the right service. So I, I have my own opinions about that. There's gurus everywhere, right? I will always say that I'm continuing to learn, because you can't know everything, so I don't know that I'd
ever consider myself guru, so anyone who wears that title, beware, right? I think that's about it. Anybody have so many questions, comments, concerns, anything I missed? Good, good, good, good. All right. [Applause]