Recon Village - The OSINT space is Growing! Are we Ready?
Formal Metadata
Number of Parts: 335
License: CC Attribution 3.0 Unported: You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Identifiers: 10.5446/48774 (DOI)
Transcript: English (auto-generated)
00:00
All right. Hello everyone. How's everyone doing? Good. It's a 10 a.m. talk on a Friday, so thank you for coming out. Um, so as I was introduced, my name is Adrian Korn, also known as AK47 Intel, if you follow me on Twitter or anything. Um, a little bit about myself. So, um, I am a Canadian, born and raised in the Toronto area, so sorry for that if I say
00:23
sorry a lot in my presentation. Typical Canadian here. Uh, my professional background, my career has been really around the intelligence side, doing things like threat intelligence, OSINT, threat actor tracking, stuff like that. Um, I've worked in financial services, in the tech industry. Right now I work for an enterprise DNS provider called, uh, BlueCat
00:44
Networks. I do threat intel over there right now. Um, as I was introduced, I also work for a not-for-profit called Trace Labs, where I am a member of the leadership team over there. And something else I do is I organize the DefCon Toronto events over in Toronto. So, we meet every month, we do workshops, CTFs, talks, um, and that type of
01:03
stuff. So, now that everyone knows a little bit more about me, I'm gonna go over the agenda for today's talk. So, I'm really gonna be touching on 5 key things here. So, first off, we're gonna dive a little bit into what is OSINT and where did it actually all start. Uh, we'll talk about some common uses of OSINT we're seeing out there. Um, the
01:21
challenges we're seeing with OSINT today, um, and new applications of it, seen out there, and then what the future holds for that. So, with that being said, what is OSINT and where did it all start? So, there's a lot of terms going around there about what OSINT is, it's a very broad industry. Um, there's some terms that are a bit outdated, some that
01:42
are current, some opinionated. So, I'm gonna go ahead and give you my opinion of what I think OSINT is. So, in my opinion, OSINT refers to the collection, processing, analysis of publicly available data to extract meaningful intelligence and get intelligence value out of that. That's really what I see OSINT as. If you can extract any
02:00
intelligence value, then you've actually done OSINT. Um, and where, where does this come from? So, there's many different sources of OSINT out there. We have the surface web, deep web, dark web, social media, news media, academic sources, government records, and extends to pretty much anything on the internet that's publicly available. So, why
02:21
don't we take a moment to take a step back and figure out, you know, where did we all start with this? How did OSINT get here today? So, before I dive into, like, the timeline of that, I'm curious if anyone in the audience knows which year OSINT, OSINT actually became a thing. If anyone had to guess a year? No? Okay. So, OSINT actually started, uh,
02:44
close to 80 years ago, um, back during the World War II era where the US, um, looked for ways to gather intelligence. One way to do this was they started up, um, a branch of FCC called the Foreign Broadcast Monitoring Service, and what they were tasked with doing
03:01
was monitoring public radio waves that were beamed with the US for any propaganda material that their enemy combatants were trying to spread to their country. That was really the first use of OSINT seen out there. Um, they did start to see intelligence value out of this, and that's why they continued to do work in OSINT's space, and they later expanded this to start looking at stuff like, um, newspaper clippings from countries
03:24
around the world. They actually stood up, uh, over 40 monitoring stations, um, internationally to start collecting and cataloging all this intelligence from just public data out there. That's kind of where we started. Um, moving forward to 2005, this is really where OSINT took the next stage in evolution. So, you saw the rise of
03:44
internet, people, um, began adopting it, you know, a common household had a computer with internet access, social media started to emerge, we had sites like Myspace, Twitter, Facebook, even YouTube, this all came out around this time area. So, the sources of
04:00
OSINT started to emerge out there in terms of social media and such. Also, around this time period, we had the CIA open up the open source center, where the government was actually interested in now taking advantage of all these new sources of open source intelligence, collecting it from, you know, digital, media, and all of that, and starting to catalog that for their purposes. Moving forward to 2009, this is really
04:25
where social media usage took off. This is where OSINT's space started to boom. Um, we saw smartphones becoming accessible, where anyone could have a smartphone, download their social media apps, had a camera and a smartphone, and they could start sharing more moments of your life, um, than ever before. And a lot of these social media sites
04:43
would have more of a default public state, where if you post something, it's public to internet, and the more non-tech savvy users may not have been aware of this, so they were kind of inadvertently sharing, um, OSINT without knowing it. Then, fast forward to a few years ago to today, um, we saw OSINT being applied to many different use cases, so
05:04
businesses, um, investment firms, uh, political campaigns. If you want to do some oppo research, you can use OSINT for that. If you want to look at, um, a target voter audience, OSINT can help you there. Um, if you're an investor looking to invest in a company, you might want to look at the public presence of that organization, and
05:22
you can do that with the OSINT as well. Now, moving forward to talking about, um, more common uses of OSINT that we're seeing here today. So, you have your typical security use cases, like blue teaming, red teaming, using OSINT, you have your threat actor attribution, um, you also have the business side as well, for stuff like business
05:41
intelligence, so I'll be diving into all that, um, right now. So, on the blue team side, um, how are blue teamers using OSINT? So, if any of you have ever worked in a SOC before, um, you've probably done OSINT without even knowing it, um, I have a scenario here we'll talk about, um, so, typical SOC analyst, you get an alert in your queue,
06:01
let's say, in this example, we have a malicious word document was detected by some endpoint device. Maybe the context we're getting here is data detection, file name, hash, and maybe that's all we get. So, as an analyst, I might not know what to do with that, I might say, hey, this could be a false positive, I'm not sure, but how can I
06:21
validate that? How can I use open source intelligence to further get some contextual information and investigation like that? So, if I'm using OSINT, uh, for this type of stuff, I might take that hash that we saw there, pop it into a tool like VirusTotal, see what it knows about it, it's a public available source, so, you can see here in
06:41
this scenario, we have 46 of AV engines saying that this is a bad file, so that's probably indication we're not at a false positive here, but if I wanna go deeper and figure out, you know, what threat might be associated with that, uh, actual word document, you might pop that hash into Google and see what it knows about it, um, typically, when I
07:01
do an investigation, I pop stuff into Google and see what other threat intel related websites are telling me about it. So, here we can see we have some context that this word doc might be associated with Emotet, which is a very prevalent banking trojan out there in industry today. If I want to go further here and see, you know, maybe where did this word doc come from, I might go look at, um, some of the URLs
07:23
that are showing up on the Google here as well. So, we got here, uh, URLhaus, which is like a public, uh, open source feed site for malicious URLs, um, we can take that URL and see what else we know about it here, using another OSINT tool, uh, which is one of my favorite ones I like to use, uh, we can go and search up that domain,
07:44
see if it knows anything about it, without actually, like, sending it there for analysis. So, you see here, someone analyzed this URL at some point before, it was confirmed to be malicious, but what's interesting here is you can see the content that was returned from the web server side was an actual word document, so, that would support our claim
08:03
that this malicious word document that was detected might have come from this URL here, and then if I'm in a SOC, I might pivot off that to try to find a source of that infection. So, just using OSINT, I can go from just a hash to figuring out where an infection actually came from, um, this might be an example of an email you would see
08:22
here, these are your typical, you know, your scan is ready themed phishing emails out there. Now, let's look at how red teamers are using OSINT today. So, um, a lot of you are probably red teamers in the audience, here I know where Recon Village, um, typically when you're using OSINT, you're in the reconnaissance phase of your engagements, so
08:41
doing stuff like recon on domains, IPs, any applications you're targeting, looking for stuff like open ports, services, etc. Um, if I want to do some recon on domain, I might use a public tool like Whois to see registration information, see if maybe someone's exposed their personal phone number there or address that I can use to pivot off
09:02
and find other information on my target. Um, if I'm looking for open ports and services, I can use a public tool like Shodan to see what's open without actually probing, um, the application itself. And when we look at targeting personnel, um, aside from infrastructure, a lot of engagements, you're always looking for the weakest link in a
09:21
company, trying to target the employees to see what, um, info they're going to give you. So, if I'm targeting personnel, I'm going to be looking at stuff like their social media, um, e-mail addresses that might be public, uh, frequent locations they might be, uh, see if I can actually scour their social media and find things like, them posting pictures of their ID badge. Um, this is common, people start a new
09:42
job and they say like, hey, here's my ID badge, um, check out, I started a job at Facebook today. Um, you might also find stuff like passwords on sticky notes, uh, up on the wall, um, that could be a public available source. So, there's just ways you can use OSINT to like gather enough information to know where you're going to start with
10:01
your engagement, um, in the recon phase. And then another technique you can kind of use OSINT for, it's not directly doing OSINT against someone, it's kind of using their OSINT against you, I like to call it counter OSINT, where you're setting up, um, Google Ads or Google Analytics on some of your infrastructure to see if people are
10:20
searching for it. So, if I, um, spin up a custom domain for a campaign and, you know, I send a payload to someone and it calls out to that domain. If I see someone matching an ad based on a keyword for that domain, there's a good chance that my target is aware that I'm, um, looking at them or, you know, targeting them. And that can kind of shift tactics from there. Um, another use of this is using VirusTotal to see
10:44
if someone's uploading, uh, your payload there to see if they're looking to see what other AV engines are thinking about it. Um, this is another way to be tipped off, so, we'll have red teamers, threat actors too, they're monitoring VirusTotal all the time to see, uh, if anyone's, like, looking at their stuff there. Now, another use for OSINT is
11:04
attribution, so, this can be targeting someone trying to find out their identity, it could be threat actor attribution, um, someone who's famous for this is Brian Krebs, he'll, he, he loves to dox people, so, a few years back, um, his site was actually DDoSed by the, the Mirai botnet, and this kind of set him out on a mission
11:23
to uncover, like, hey, who is behind this botnet, um, why are they targeting me, can I dox them, uh, so, what, what did he actually use to help uncover identity? Well, he did use some closed source intelligence, you know, talking to his contacts and stuff like he typically does, but he also used OSINT as well, so, things like looking at archived
11:42
Twitter posts related to the person he thought was, um, the person behind Mirai, looking at stuff like LinkedIn profiles to find out employment information, Paceman, Wayback Machine, these are all OSINT tools that, um, people like Brian Krebs are using to do doxing or do attribution. Now, another use of OSINT, um, is
12:04
business intelligence, and we're starting to see this emerge more and more, before OSINT was kind of seen as something used for, like, cyber security, something used for engagements, maybe government, but now you're seeing businesses start to adopt this as well. So, if you're looking to investigate new markets, you might use OSINT to see
12:21
what, um, companies in that space are actually doing. Um, they also might use OSINT to identify things like business risk. So, something common is corporations are now spinning up internal investigation teams, where they're looking into their employees, they're looking into any associations with their company that could have
12:40
risk to their reputation and such. Um, so, actually, recently, I was at BSides LV this week, and I was talking to some guys who do, uh, pen testing internally, and they were actually given a challenge to take their boss's business card, take only the information on there, and pivot off of that using OSINT to try to find out, you know, what risk there is to the company with this, uh, individual, and what they
13:04
were able to find was his personal address, his salary information, they were able to find information about his family, which they were able to use to unlock security questions to his accounts. And this is all with just an email address, name, and phone number. So, you're starting to see businesses look at this stuff, um, more and more.
13:25
Now, OSINT is a very broad space we're seeing, it's applying to many different uses, we're seeing it expanding to other areas of intelligence as well, so, typically in the past, if you were doing stuff like HUMINT or GEOINT, you had to have special access to tools or physically be there surveilling someone, but now using
13:43
OSINT, you're able to do things like GEOINT using, um, Google Maps, Google Street View, Google Earth, Google Satellite, all that stuff, it's publicly available, and now you can start using OSINT to apply to these other intelligence disciplines as well. If you're doing HUMINT, you can surveil someone's social media to see places they frequent and
14:02
kind of build a profile of, you know, where they're gonna be at. So, really, because of the passive nature of OSINT, it's becoming a more attractive intelligence, uh, technique to, um, people in the intelligence community, because if you're doing this right, no one should know that you're ever looking, it's passive in nature, you're not querying systems to get new information, it's already information that's out there.
14:27
Now, I did say the OSINT industry is very broad, and with this, there comes some challenges. So, the first one I, I see a lot is, there's really no clear definition of what good OSINT is, um, everyone has their own definition, but there's a lot going
14:42
on right out, out there. Another challenge we're seeing is there's new sources of OSINT popping up very fast, and you're also seeing a lot of them being taken down as well, I'll talk about that a little bit more. And then another problem I see is, there's a majority of tools being, falling into two different categories, I like to call it single use tools for very specific purposes, or use case specific tools that are more
15:05
your enterprise platforms that serve a very specific use case. So, why don't we dive into what is good OSINT? So, if I'm doing OSINT, is me gathering, you know, someone's whole friend list on Facebook good OSINT, if I map out 500 people on a map here. Is
15:23
it good OSINT? Well, if you can get intelligence out of that, maybe it is, but just plotting public data on a link graph, maybe not. So, why don't we play a game of OSINT trivia, let's see, um, I'm gonna put some definitions up of what good OSINT has
15:40
been defined as, um, in industry, and I'm curious to see what you guys think, um, would be the most correct answer. So, if we look at the first one, uh, good OSINT is pivoting from one public data point to another in an efficient manner to produce intelligence, that's number one. Number two, good OSINT would be collecting, processing, and
16:00
analyzing large amounts of data to produce intelligence. Or three, um, driving meaningful and actionable intelligence from open source data. So, let's do a vote, who thinks it's number one? Okay, who thinks it's number two? Okay, you guys are too good.
16:21
Who thinks it's number three? Gave it away. So, trick question, they're all, um, correct to some extent, but the most correct answer, and I'm gonna be that guy if you've ever done like a CISSP exam or anything, the most correct answer here is getting meaningful and actionable intelligence. Really, it shouldn't matter how much data you're processing or
16:42
analyzing, it only matters about the finished intelligence product, like, can I produce actual intelligence that can inform my stakeholders? So, typically you'll see when someone does intelligence, they have key intelligence requirements, so, unless you meet those, you're really not doing good OSINT, um, and also looking at doing OSINT in
17:01
efficient manner. Sure, it's nice if you can pivot from one point to another fast, but unless you're really getting meaningful and actionable intelligence, it shouldn't really matter. Um, so that's just my opinion on that point there. Now, the next challenge we're seeing, there's so many new sources of OSINT popping up, it almost seems, um, that
17:22
as well for every five OSINT sources that disappear, ten more pop up, and it's just we're playing a game of whack-a-mole, it's just like, okay, which one do I look at now? There's so many tools popping up, so many platforms, um, APIs are changing, so, how do we tackle this? So, the main way to do this is to really stay up to date with all OSINT tools, listen to your podcasts, look at your blogs, see what tools are being more
17:44
commonly used to serve the specific purposes that you need them to. So, why don't we take a look at some examples of what OSINT tools have been changing out there in the world? A company will tighten up their privacy or security, which closes off a source of
18:03
OSINT. You'll also see individuals become more aware of their privacy, close off those sources of OSINT as well. We look at things like Facebook profiles, before they were typically public by default, now everyone is locking them down. So, maybe, you know, five years ago you had a lot of OSINT from there, but now you're starting to see
18:20
people become more aware, so, how do we handle that? Um, if we look at Facebook again, uh, recently after the Cambridge Analytica scandal they had, they started tightening up the privacy of their users, so, they had this really good Facebook graph search tool out there that leveraged a Facebook API to do a lot of mass scale searching across the public Facebook data. Now, this was being used in a legitimate way
18:44
by investigators out there and such for good purposes, but it was also being abused by some malicious people as well. So, you saw Facebook close off their API a lot to this, and in turn you saw a lot of OSINT tools that used this API starting to go down to say
19:01
that, hey, we can't support this functionality anymore because the Facebook API got closed off for the Facebook graph search. Um, so that's a challenge as well, how do we keep up with that? Um, in addition, if we look at the tool landscape, um, there, there's a lot of different tools out there. Um, one of the websites I like to use is OSINT framework, it kind of spreads out, um, how you can pivot from one data point to
19:23
another using public tools. Um, if you look here, just taking a username, you can pop it into, I don't know, 10 different tools and look to see if there's other profiles out there that use it. You look at email address, there's so many different email tools, but which ones do we use? Which ones are the, you know, most, uh, legitimate and good
19:42
for my use cases? It's, it's hard to tell, um, especially if there's someone that's new to the OSINT industry and, you know, doesn't know where to start, it can be a little bit overwhelming. And if we look further at the landscape of OSINT tooling here, I kind of separate OSINT tools into two categories. You have your single use ones on the
20:03
right, things like Have I Been Pwned, where you're looking for breach information, VirusTotal, where you're looking for malware information, Whois for domains, um, tools like TinEye, you know, reverse image search, people have their custom scripts, and they serve very specific use cases and they can be flexible because you can customize them, um, but
20:21
the challenge is there is that if you go into one tool and you find one piece of intelligence, you pivot, let's say, from an email address to a domain name, now you gotta take that domain name, pop into another tool and pivot from there, and then you're gonna keep going down the rabbit hole of opening up a million tools and your Chrome browser is gonna have a hundred tabs. That's the challenge there. Then on the left
20:43
here we have our enterprise tools. These are more full-fledged platforms, they have use case specific criteria, um, things like searching the dark web for stuff, they're refined to, um, meet certain business needs, and these are great for, you know, specific use cases, but what if I'm an organization who has a very weird OSINT use case, how do
21:03
I handle that? Do I go write my own tools every time? Or is there something out there that I can leverage to do what I want? And that's where I really see, um, the gap here in the OSINT landscape. There's really no platforms out there where you can define your own OSINT workflows, where you can define your own OSINT use cases. Um, what I think
21:24
we're gonna start to see in the future is platforms where you can kind of build your own workflows to say, I have this input, take me to here, take me to there, and then take me to here, and that's gonna be my finished intelligence. Um, I find a lot of tools already have that built in, but for very specific use cases, so I think this is a
21:41
need that we have in the industry. Now why don't we talk about, um, some new applications of OSINT we're seeing out there. So, things like blockchain and Bitcoin, um, they're known as a cryptocurrency, you know, for financial purposes, but how can we apply OSINT to that? There's definitely some use there. Then there's things like the Trace Labs
22:02
crowd-sourced OSINT for missing persons. Um, we looked at missing persons, um, before in the space, and we didn't see OSINT being applied there that much from the greater industry. So, we'll, we'll talk about these. So, if you look at OSINT for stuff like Bitcoin, um, because of the way Bitcoin is designed, you know, to the general public, they
22:22
might see it as being secure and anonymous, but in reality, you have this public ledger on the blockchain of all the transaction information associated to a Bitcoin address. So, if I'm looking into someone's Bitcoin wallet address, I know it's associated to them, I can now see all their transactions on the blockchain, like,
22:40
number of transactions, full timeline of those, amount of money sent or received, where it's coming from, where it's going to, and then any other associated Bitcoin addresses, maybe in the same wallet as that one. That can be very valuable for, um, investigation purposes. So, before you were seeing people want to do financial crime
23:00
analysis, they have to have special access to banks, now you can do it publicly using OSINT, um, with things like the blockchain. Now, looking at, uh, Trace Labs, so, um, I do work for Trace Labs, not-for-profit, we do crowdsource OSINT for missing persons, um, it was actually just a couple years ago that this new model was born
23:20
around crowdsource OSINT to helping to find missing people, um, before we saw, like, a lot of, um, vigilante sites pop up that did this, but not really in a structured way. Um, so, oops, the idea here was to really pair people in the OSINT community, um, together to work in teams and crowdsource a collection of OSINT to help solve a social
23:43
problem. So, problem statement here, we have a number of missing persons cases worldwide, not enough resources to tackle them all with the same level of urgency, um, sometimes law enforcement can be understaffed in that area, um, so how can OSINT help here? Well, now we've built this community where you can bring together
24:00
skilled investigators with, uh, more senior members as well to track a digital footprint of an individual to help find valuable intelligence on them, um, to provide law enforcement with. So, the goal here is to really get intelligence value for law enforcement, provide them new leads on investigations that they can actually follow up on, um, and
24:20
help out. We've really seen this starting to be adopted also by the general public, so people who haven't done OSINT before are learning about us and saying, hey, can I try it out? And, you know, with a little bit of OSINT training, they can actually go and start looking for stuff on these missing people. So, really, we're starting to see that, like, 2019 is the year OSINT is going mainstream; more people are becoming aware
24:43
of it, more people are getting involved there. So, how does our model work exactly? What we really try to do is bring together the investigators, also known as intelligence operators in this diagram here, and pair them with our more volunteer team of intelligence administrators, where people are collecting OSINT, submitting it to
25:05
us, and we have our administrators vetting it to check for relevance and context and such, and then if it's vetted, we store it in a database, package it up after, and share it directly with law enforcement, so that's in the model here as well. And
25:20
what we really do is we look at only public cases as well, so if law enforcement has asked for the public's assistance with a missing persons case, we can push that to our platform and people can start working on that right away. So, this is actually an example of one case, just a sanitized case, it's not a real person, but this is what you would typically see in one of our capture the flag events, where we put up a
25:43
case, we give the known information that's publicly available, we give the source link, and it's up to the contestants to start crowdsourcing OSINT on these people, doing pivots from one piece of information to another. We have a number of different categories for flags that they can submit this OSINT against. Here's
26:03
an example of what one submission might look like. We have a category called advanced subject info; maybe what I'm doing is looking at someone's phone number that I found, pivoting off there to see something like their used car for sale up on Kijiji. That can be a valuable piece of intelligence that can help out in a case.
26:22
These are just some examples of, you know, what we're seeing. And this is actually an example of a recent event we ran last month: we ran a global international remote event, where we had over 200 people on the platform collecting OSINT, we had about 25 intelligence administrators, and here's a breakdown of the intelligence we got,
26:42
so you're seeing different things here, like dark web information, day last seen of the individual, employment information, family, friends; there's just so much you can find from OSINT here. So, now moving forward, where do I see the future of OSINT going from here? So, I talked about, you know, the challenges we're
27:05
seeing, I talked about the uses, where it's come from, what the new applications of it are, but what I really see happening in the future is more crowdsourced models taking advantage of OSINT to solve specific social problems, like the missing persons work at Trace Labs. Also, I expect to see more dedicated OSINT
27:24
platforms spinning up; there's a number of start-ups in the space doing this work already, but I think we're gonna see more of this as OSINT becomes a more well-known space. I also think we're gonna continue to see the shifting of OSINT sources; I don't think that's ever gonna change, there's always gonna be sources popping up,
27:41
going down, and we just have to stay up to date with that. And there's gonna continue to be roadblocks there: as companies start to tighten up their security and users start to become more privacy aware, we're gonna see roadblocks here in collecting OSINT, but that's okay, 'cause we're gonna figure out a way to get around it. So, that actually
28:01
concludes my talk. If anyone has any questions at this time, I'd be happy to answer, and if you wanna learn more about what we're doing at Trace Labs, that I talked about, we're actually running a full-day OSINT CTF tomorrow in the contest area; I'll be there if you wanna come up and chat more about that as well, but right now I'll open up the floor to questions. Okay, good, how are we doing on
28:32
time? Good? Awesome, thank you.