We talk to an OSINT professional about what he learned when he applied his daytime skills to a moonlighting hobby. On YouTube, Gary Ruddell shares 3-minute tips, geolocates scenes from movies and shares the OSINT discipline he learned from the U.K. military with hobbyists and practitioners just starting out.
Gary Ruddell
Once we figured out the rough location, I was then keen to sort of explore what level might he be on in this building and can we find the actual apartment? So that took us to Instagram. Sure enough, there's photographs that he's taken inside his apartment that show the view, a beautiful view. Wow, must be an expensive view.
Jeff Phillips
Welcome to NeedleStack, the podcast for professional online research. I'm your host, Jeff Phillips.
Aubrey Byron
And I'm Aubrey Byron. Today we're talking about OSINT techniques and tips and the intelligence cycle.
Jeff Phillips
And joining us for that is our guest, Gary Ruddell. He is a cyber threat intel analyst by day, but at night he's an OSINT and cyber threat content creator. Very good content, I might add. Gary, welcome to the show.
Gary Ruddell
Thank you very much for having me. Nice to be here.
Jeff Phillips
All right, so we do want to get in and talk about your YouTube content, but people should know that you're a professional in the field. You also have an interesting background. Can you tell us a little bit about that and how it all led up to you becoming interested in OSINT?
Gary Ruddell
I'm afraid I can't talk about it. Yeah. So I started off my career in the UK military, so I did four years with the Royal Navy as a communication specialist. And that was largely working on sort of radio systems and cryptography systems, not computer systems, just sort of the old school stuff. But I guess that sort of implanted something in my mind. And I got to work a little bit with intelligence people during that time. But I ultimately left that world and went into army intelligence, military intelligence, and went to places like Afghanistan and did intelligence work in hostile environments. That combined with an interest in hacking and just generally being sort of geeky, I guess, hands on, sort of technical building websites and things, got me into cybersecurity and intelligence plus cyber. It just made sense to lean into that. So that's why I do CTI Plus. It's really interesting, right? Because CTI, you get to touch on all of the geopolitical stuff as well.
Jeff Phillips
What then led you to want to start creating OSINT content online?
Gary Ruddell
Yeah, good question. It's certainly a lot of work. It's as much work as I thought it would be. It's lots of work, but it's really good fun. And I guess I've always been into photography, web design. I've had an interest in video, but I never really pulled the trigger on it. I watch an unbelievable amount of YouTube. In fact, most of the knowledge that I have today and the things that I use every day probably comes from some YouTube video somewhere. It's probably my number one learning mechanism. I much prefer it to reading a book, for example, and I guess I just wanted to put my know iron in the fire and give back. But also upskill in video skills and things like that.
Aubrey Byron
It's interesting. I think most people who moonlight tend to do something else other than what their daytime job is. So it's interesting that you kind of are staying in the field. Is there something about the accessible format in YouTube that makes it appealing to you?
Gary Ruddell
That's a good question.
Gary Ruddell
I think YouTube is the hardest platform that I create content for, so it's the most accessible for other people. I think they can just sit back and provided they have the faculties, they can just watch and listen, and that's it. Albeit sometimes they would have to zoom in on the screen or view it on a desktop to see some of the things that I'm doing. But I try and mitigate that with oversized fonts and things. But I guess because I love the YouTube format so much, that's probably why I'm drawn to it, to put back into that. I want to be cool like the cool kids. Right.
Jeff Phillips
Well, you do a good job at it. The videos are super engaging. So, again, we'll have in the show notes, I think we'll have links to everything.
Gary Ruddell
Thank you very much.
Jeff Phillips
Informative but also engaging.
Gary Ruddell
Appreciate it. It's something you have to just keep working on and learning. Like, every time you hit record, you do the introduction again and you do it again and you think, I need to do that better. And it's never just a smooth take. There's multiple takes and loads of editing, and I haven't had to do a reshoot yet. Touch wood. Okay, yeah, we're getting there.
Jeff Phillips
We never edit this podcast, so it's perfect every time. Thank you, Aubrey. All right, so you have this rigorous background, especially in intelligence. You then added the cyber threat side of it to things. How does that inform how you go about presenting the topic of OSINT on your channel?
Gary Ruddell
I guess because I have this sort of slightly deeper technical acumen that most people that do OSINT as a first sort of step into the intel world shouldn't really have a deeper understanding of cyber threats. So some of the OSINT tools, in fact, many of the ones that I use, I use as part of Kali Linux, which is the Pen testing OS. And I'm very comfortable with that operating system. I'm very comfortable in the command line. I'm very comfortable putting little scripts together if I have to or modifying existing scripts. So I think that underlying knowledge of being comfortable with the sort of platform that you're interacting with helps. It's a bit like if someone spends all day in Google doing OSINT, which is totally fine, by the way, because you can have some unbelievable results doing that, and then you put them in front of Yandex or Bing, well, they're pretty much at know. But you drop that same person onto GitHub and say, download this tool and clone it into a repo and set up all the requirements in Python and things, they probably will be lost unless they're taught how to do it.
Aubrey Byron
Can you tell us a little bit about the Intelligence Cycle and the discipline of creating an intelligence product and what you do either by night or by day?
Gary Ruddell
Yeah, sure. I mean, that's actually the video that I'm working on at the minute, the Intelligence Cycle, for my new Three Minute Thursday video series. Nice plug there.
Jeff Phillips
I just watched a Three Minute Thursday. I saw that, thanks.
Gary Ruddell
Funny.
Aubrey Byron
A lot to get through in three minutes.
Gary Ruddell
It is a lot to get through. This is the book that you'll see in that upcoming Three Minute Thursday. I think you can get this as.
Aubrey Byron
A PDF, the title for the audio listeners.
Gary Ruddell
Yeah, it is. The Intelligence Handbook: A Roadmap for Building an Intelligence-Led Security Program. I'll see if I can get a link for you guys. But really good book. You can find loads of information online about the intelligence cycle. And it's a tool that I've used since I started my career. Frankly, I've always been a part of it, and most of us in some way are a part of it without even realizing. Marketing teams, sales teams, the CEO. It's a bit like risk management. We're all doing it on some level. When you cross the street, you're doing risk management by looking left and right. We're all playing our part in the intelligence cycle. No one told us that we were doing it. And there's really five main steps. You'll see a few different variations of this, but direction, collection, processing, analysis and dissemination. And the direction is someone giving you instructions around what it is they're trying to achieve. So that might be, for example, you and I want to do some work around Kenya because we want to go and open a new business in Kenya. Full stop. That's it. You've got some direction.
Gary Ruddell
Now we need to go and look at what the threats are within that region and start to understand what's going on. Collection is how you would go and do that. You go and collect the information. And what's interesting about collection, especially in the military context, is that sometimes people won't even understand what it is they're collecting. The example I use in the upcoming video is you might send someone with a special piece of equipment to a river to test for chemicals. Now, they might just be a soldier and they have no idea how this equipment works. They just know how to turn it on and use it and then take it away. But they've done the collection. Someone else then needs to process that data, take that little database or whatever those readings are, and turn it into information that can be analyzed as part of the analysis process. And when you do that analysis part, that's where the sort of action happens, where you produce, as you said, Aubrey, the intelligence product. That product will probably be dictated to you in direction at the start ideally, your boss might say, come back to me in a week with a PowerPoint presentation and a Word document.
Gary Ruddell
So you need to do that and you need to do it on time. And that delivery of that is the dissemination component. Without dissemination, everything else is a complete waste of time. If you don't tell the right person within the right time frame, it's wasted effort. So that's the cycle sounds really boring whenever you say it to people, but being a part of those processes is a really cool thing.
Aubrey Byron
And you said something before we started recording about how actionable intelligence can make a difference of how you spend your money. Can you elaborate on that a little bit?
Gary Ruddell
Yes, sure. So I think the example I gave you guys the other day was around home security. This is sort of an analogy I use to help people who aren't in the field understand the value of intelligence. So if you buy a house in a new area that you've never been before, and the first thing you do is you lock the door after you go inside and you think, oh, I think I need to upgrade this lock. Intelligence might tell you different. You might be told by the intelligence people that actually the number one mechanism for a burglar to get into a property here is to cut a hole in the glass like something out of Ocean's Eleven and climb inside. So actually you need better windows, not better locks. And it's a very simple analogy, but that needs to be applied across the cyber landscape. People spend money protecting things that actually don't need that much money spent on them because of compensating controls and other things like that. So that sort of actionable intelligence that's really mapped to your organization makes a big difference than just some vendor turning up and selling you the thing that they sell.
Jeff Phillips
I continue to be intrigued by your background in well, first it goes from intelligence into cybersecurity and cyber threat intelligence, and then OSINT for forever. Not forever. If I go back when I even joined the company here, the term OSINT was very government focused. So open source intelligence as being one of the INTs was very government focused and it continues to make its way into the private sector. But I'm curious how you blend those two areas of expertise, cyber threat intelligence and OSINT. How do you see them overlapping? Again, we have some listeners and they may be a journalist, and so they're using OSINT to go discover certain things. Did that really happen? Is that photo really real? And then we'll have SOC and threat intel teams that are very focused on malware, phishing attacks, et cetera. So how do you blend the cyber threat intelligence with your OSINT together?
Gary Ruddell
Yeah, great question. And just as you said that, I can think of numerous examples in both spaces, so I'll go from the journalist side and then I'll go from the sort of cyber side. The journalist one is really interesting, especially if you look at websites like the Guardian. They have guides, I think, on how to deploy Tails and use all these secure dropboxes and things like that from the Edward Snowden days. So journalists are well aware of the risks that are the threats that they're facing and the risks that they're taking. And fortunately, most of them are pretty well trained in that space. There's a lot of great organizations out there that do that stuff for free as well. And when a journalist goes to investigate whether a photograph is real or not, they will obviously have to do some sort of geolocation type stuff based on the image itself. I mean, I've done that in YouTube videos and things like that. But then there's also the sort of technical side to it. They may use tools like EXIF tools. It's EXIF tools to look at EXIF data, which admittedly, you can just right click and click, get info, and you can get most of that right there in the OS.
Gary Ruddell
But sometimes you got to use these tools to uncover a little bit more. And that's more, I guess, on the cyber front, isn't it, than just the plain OSINT front. It's the sort of technical, more geeky looking stuff on the cyber side. There's a few really good examples, actually, that I can talk about in vagueness. These are things that I've been a part of and I've done. I can't obviously go into details, but there's a really interesting product that a place where I used to work, we used to deliver to executives, which was the CTI team would be tasked with gathering OSINT around the executives and their families to manage risk. So we were worried about the execs being targeted for fraud and things like that because it's a large financial organization, so they're a prime target. And we had permission, obviously, to go much deeper. Everything was kept very close and small and niche and very confidential. But as part of that process, you got CTI people, people that are not just investigators, they're also cyber capable, so they have access to tools and go and look in little places that maybe people wouldn't think to look.
Gary Ruddell
And I like to think there's slightly more of a deeper analytical mindset there just because it's cyber and there's a whole extra layer of complexity in cyberspace than there is in just general OSINT. But I mean, you're going to have complexities in both. Some of the stuff that I see geolocation wise from Bellingcat and other organizations is next level. Like, it's unbelievable. Another example from cyberspace is when you have incidents in organizations with data loss prevention and all you have is an email address that the files are sent to, ABC123@hotmail.com. And all of a sudden you're now off Googling trying to figure out, who is that? Oh, it's tied to this Twitter handle. Oh, look at the pictures and the posts. And you're trying to correlate, could that be one of our employees? Who could it be? That's another example of the blending of CTI and OSINT, that investigator.
Jeff Phillips
Mentality, if you will, there.
Gary Ruddell
Yeah.
Aubrey Byron
If you can go into more detail, can you tell us, on the executive protection side, where were you gathering your intelligence from for that kind of work?
Gary Ruddell
Social media pretty much exclusive, maybe so, but yeah. Okay. Yeah. So all the kids' Instagrams and Facebooks and things like that, we knew their wallpaper that was inside the living room. We knew the wrapping paper on the Christmas presents under the tree. When you do that to an executive and you put it on a PowerPoint and you say, this is the wrapping paper from your kids' Christmas presents, the threats of social media become very real, very quick. And when you go further and you start looking at, well, I know you use a Ring doorbell, which is WiFi based, so if I can use something like deauth to kick you off your WiFi, then you won't be able to see the cameras, and you really start to profile then. And you can just see the pressure enter in their face, like you can see it in their minds what they're thinking.
Aubrey Byron
That's definitely unsettling to hear, I'm sure.
Gary Ruddell
Yeah. But fortunately, it's coming from the good guys, and they're trying to we're coming from a place to help.
Jeff Phillips
You are taking in that example, taking what you've collected, turning that into a deliverable. But I know you have a bit of passion around the discipline of creating an intelligence product. I've heard you use words like actionable. Can you tell us a little bit about your thoughts on all that work you do and how important that intelligence product is that you put out there?
Gary Ruddell
Yeah, so, I mean, the intelligence products, they need to be tailored to their audience. So some people just want a briefing with no document. Some people want a Word document. Some people want a PowerPoint style presentation. Some people just want a quick call on the phone or a text message. So it needs to be tailored. But when you're in a busy intelligence team and big financial organizations, for example, have social media monitoring teams that monitor social media and it's sort of part of it's for marketing, but the other part of it is like threat based and it's a very complex governance structure, frankly, to then intersect that with CTI and all the other things. So that's a bit of work that is always complex within large financials in any large organization, really. So we have to really put good management practices around things like requests for intelligence, RFIs. So that direction phase, the very first phase of the intelligence cycle, you might have a general direction that, you know, the company is going, but on any given day, someone might come to you and give you a task to look at something very specific and that's an RFI.
Gary Ruddell
They're requesting intelligence around a specific topic. I don't know, say the recent takedown of Qakbot by the FBI, what's the impact? Who's going to fill that power vacuum? Where are they going to go? How are we going to monitor for it? All those sorts of things. So, yes, putting all those RFIs into a database of some sorts and I know if anybody's listened to this episode and they're just an amateur sort of OSINTer. If you become a professional OSINTer for a bank or a big organization that has enough budget to employ someone, you would be expected to know things that you would see in a book like this, the Intelligence Handbook. And those things are covered in there. So yes, that discipline around the management of information, building up the library of knowledge so that you can always look back and see your thinking at any point in time. And most intelligence reporting should sort of have a few key aspects to it. One is the bottom line, like up front, it's called the BLUF. The bullet points, the exact summary right at the top. After that, then something like a situation. What is going on?
Gary Ruddell
Sometimes that can be the best situation you might get is just from a website like, I don't know, Bleeping Computer or something. Or the FBI's press release about Qakbot. It's flawless. It's from the FBI. The people who did it copy paste. The value add that is relevant to your organization and isn't on the FBI's press release is, what does this mean to us? Does it mean we can turn off that control? We don't need that one anymore? We can cancel that subscription? Or do we need a new subscription? Do we need a new vendor? So that's the bit that matters. The situation bit copy paste, but the actual analysis part, that's the key bit.
Aubrey Byron
That's fascinating. I want to shift gears a little bit back to the YouTube, more entertainment sort of side of things. Can you tell us a little bit about your videos and what kind of scenarios you're exploring and what methods you're using?
Gary Ruddell
Yeah, so I guess from an OSINT perspective, the most recent video was figuring out where Jonny Lee Miller, who is a lovely guy, I don't know him, but great actor, seems like a nice guy. I'm sorry, Jonny, if you're listening to this.
Aubrey Byron
He's a fan of the podcast.
Gary Ruddell
I would like to thank you.
Jeff Phillips
That's awesome.
Gary Ruddell
Yeah, he's in the shower listening right now. I was trying to find out where he and Angelina Jolie had a bottle of wine at his apartment. She was followed by the press. There was a couple of photographs outside a building and I pieced together from the Daily Mail, which is a UK sort of TMZ kind of website. They mentioned some location in Dumbo, which I thought was just a typo because that's an elephant, obviously, but turns out it's a place. So, yeah, it was just Google Maps, basically, and a bit of street view work to find the doors that Angelina was stood in front of and then confirm that those are the right doors. And if you've watched the video, which I would encourage you to do, I think you'll sort of see inside the mind of someone, like how they look. In fact, you're not looking at Angelina, you're looking at everything else, which is often the opposite. Most people are looking at Angelina and, you know, why is she there? I'm thinking the opposite. I'm like that little bottle cap on the left. What is that? And then once we figured out the rough location, I was then keen to sort of explore, what level might he be on in this building and can we find the actual apartment?
Gary Ruddell
So that took us to Instagram. Sure enough, there's photographs that he's taken inside his apartment that show the view. A beautiful view. Wow. Must be an expensive view. And I even had a little dig around on New York sort of property websites, sales websites. Obviously, I'm not going to buy a place in the States, but in the UK, you can find my house and look at old photographs of the inside of it from before we bought it. So I figured you must be able to do something similar in America. And sure enough, you can see who bought it. You can see the whole register. It's crazy, but I think we roughly found where he might be. I think I could drop a bomb in the right corner of a building. You know what? You know, you only have to look at Israel's Op, I think it was Hamas hackers they took out. It was like the first missile strike against a cyber target. So that's quite a real thing, actually. Right, so that's that one.
Aubrey Byron
And before that video, digging into Trainspotting royalties to figure out how Sick Boy is affording this apartment.
Gary Ruddell
Maybe I should. And I'm in Edinburgh, so I think that was filmed here as well. So maybe I could do some, I could just stick with Jonny. I could just OSINT his whole career. He'll love that. He will be so happy that I forced him to move house.
Jeff Phillips
Any publicity is good publicity. That's what they say.
Gary Ruddell
This is true. The reason why I did the Jonny Lee Miller video is because we did an Elementary video, which is the Sherlock Holmes show that he was in. It's called Elementary with him and Lucy Liu, and you'll see a thumbnail of me looking through their window into their living room in the show. But there's a beautiful rooftop scene overlooking Manhattan and I had no idea where it was, but I was really keen to find it because if I ever go to New York, it'd be quite cool to go to that rooftop. And we did find it pretty straightforward one, but shows the sort of fundamentals of geolocating someone from a few shots and making some predictions about time of day based on light refraction and all that sort of stuff.
Jeff Phillips
Well, I have to say on the first video you'd mentioned, just to reiterate that how someone can look at a photo differently. In the picture where it's got Angelina Jolie, there was a reflection. You pointed to some scaffolding, so that meant there was construction that must be behind him. But then that led to this little piece sticking out on the left hand side to show there was scaffolding right there. My point is I hadn't seen any of that. I'm watching your video, staring at the picture and not seeing any of this stuff. I'm not looking for it. So it's truly amazing if you take a different lens, just literally your eyeballs in a different approach, what all you pulled out is important in that photo, and then you got into Google Street View. So I do want to ask, which we could all do, but are there other tools, you know, whether it's your favorite tools as you do some of these things, or the latest tools maybe you've been exposed to from an OSINT perspective that kind of top of mind and interesting to you.
Gary Ruddell
I think AI is going to be interesting. Just to get a massive buzzword into the script here, AI is going to be a game changer. Like if you could drop a video clip or an image into some tool and it just says, this is where it is, that would be incredible. Whether we'll get there or not anytime soon, I'm not sure, but I'm sure someone will make it work. Tools wise, I try and keep it pretty basic, to be honest. And obviously most of the imagery stuff, you're limited by what Google or Yandex or Bing or whoever has collected. Unless you go and pay for expensive satellite data, which is out of the normal person's league. Right? And if anybody's going to do any of this OSINT stuff, I wouldn't just rely on Google. You will see mixed results. I can't remember what video it was. I'll find it and I'll give you guys the link. It's one of the first OSINT videos that I did where I show the difference between Google, Bing and Yandex from an image lookup, reverse image search perspective, huge difference. And I think Yandex, which is Russian, is particularly good with faces.
Gary Ruddell
Like if you drop a low resolution face in there, I should really drop my face in to see the difference. It has fantastic results. Bing was sort of not the best, but I guess maybe we expected some of that. Microsoft wasn't really that experienced with search compared to Google, and Yandex has always been pretty. But yeah, just using those tools and if you've got a big image and you're putting it into Google and you're having difficulty finding it, you can actually sort of crop the image in the tool and it'll only search for a particular segment of it, which can be quite useful. People don't realize that sometimes they think you have to crop it yourself and re upload it, which obviously wastes time.
Jeff Phillips
Right.
Gary Ruddell
But those are the sort of go to tools using Google Dorks. If you're good at doing Google Dorks, you can find a lot of stuff. There's a lot of things in the open that shouldn't be in the open. And it's ethically a gray area to open that stuff and read it and then drop someone an email to say, hey, by the way, passwords.txt is here. And then I guess on the training side, I just found I think you guys had someone on the podcast recently from Kase Scenarios. Yeah, I found those guys. That's really cool. I was in bed last night with my wife, like, having a go on this scenario. It was really, really cool. I guess I kind of expected something less high quality, but I really enjoyed it. Like, I'm looking forward to getting stuck into the other scenarios because OSINT training is sort of few and far between.
Aubrey Byron
And I think even when you do have training, it's usually like high level or theory not doing it, which is a really important part.
Gary Ruddell
Yeah, doing the clicks hands on keyboard is always the best way. And I sat my OSCP, which is a 48-hour penetration testing exam, 24 of hacking, 24 of report writing. So it's intense. It's not the hardest exam in the world, but just the conditions and the pressure that you put yourself under to do it. But there are other exams out there that people get that are multiple choice and it's just not the same quality. So if you can choose between a multiple choice OSINT course and the hands on keyboard one, please pick the hands on keyboard one. You'll learn a whole lot more.
Aubrey Byron
Absolutely. I have watched some of your videos and in this podcast and before we started recording, you've mentioned a couple of books. Since we've done some book club episodes, I wanted to ask, are there any books you recommend for researchers in particular?
Gary Ruddell
I mean, there's funny, I thought you were going to talk about books, so I set these two books here, the Intelligence Handbook. There's also the excuse to talk about yeah, yeah. This is Eliot Higgins. He's the founder of Bellingcat. You might know them from well, I mean, the Ukraine stuff, at the minute they're all over it, but also they've been tracking Russian activity in Salisbury with the Novichok poisonings. This is his sort of autobiography, how he got it all going. And obviously there's loads of other good OSINT books out there. There's the book that has the redacted cover. That's hard to know. OSINT intelligence techniques. Is it Michael Bazzell? Is that his name?
Aubrey Byron
I believe so, yes.
Gary Ruddell
I think. It's something like that. Sorry, Michael Bazzell listening. Yeah, it's like Ruddle, Rudel. So, yeah, that's another one. And he's got a great website, too, and it's just back online. I believe it was down for a while.
Aubrey Byron
And if you're listening, he was holding We Are Bellingcat, which we actually have an episode on that our co-producer did a review of.
Gary Ruddell
Yeah, those would be my go to books. Don't overlook the intelligence handbook stuff. Learn your discipline first and then apply it. That'll be my hardcore hat on.
Jeff Phillips
Well, as we start to wrap up, I do want to ask if you have any parting thoughts for our audience, especially maybe those that are newer to OSINT or self taught or even newer to threat intelligence, including I'm going to do this for you. I know there's a third book you could have mentioned. I know you've published a threat intel book for kind of Threat Intel 101, but what are your overall parting thoughts for our audience?
Gary Ruddell
I think if you're interested in it, go and do it. Turn the PlayStation off, turn Netflix off and actually go and do this stuff. If you're struggling to find inspiration, you could watch one of my videos and get the general scenario and try and solve it yourself. You could pick something from your own favorite TV shows and try and geolocate it. You'll get great satisfaction out of figuring that stuff out because you'll go, oh, that's where he stood on that corner, or whatever it is. But there's also things like Trace Labs and trying to find missing kids and missing persons, very good causes to be a part of and be involved in. And even with what's going on in the world today, with Russia, Ukraine, and what may go on in the world in the future, with other countries around the world having these skills globally, if people have these skills, it just makes it much more useful. When we go on Twitter and we see that picture of that bad thing that happened and we can figure out where that picture was taken and start to work back, you would be amazed what Eliot from that book, the Bellingcat book, has uncovered with simple photographs.
Gary Ruddell
So I think it's a good skill for us all to have for many different reasons through career development or just gamification or social good. Just get stuck in, I guess. Yeah, awesome.
Jeff Phillips
Well, thank you, Aubrey. And thank you to our guest, Gary Ruddell, for joining us today. If you like what you heard, you can view transcripts and other episode info on our website, authentic8.com/needlestack. That's authentic with the number eight.com slash needlestack. And be sure to let us know your thoughts on Twitter @needlestackpod and to like and subscribe wherever you're listening today. So we'll see you next time with more on the latest in OSINT. Stay tuned. Bye.