Abbi Dobbertin of Fivecast and Adam Huenke join the podcast to talk hot takes. As tradecraft and training leads, respectively, with years of OSINT practitioner experience between them, they’ve come to form opinions on some of OSINT’s more heated topics.
Abbi Dobbertin is the U.S. tradecraft lead for Fivecast. Abbi currently works for digital intelligence solution developer, Fivecast, enabling customers to employ Fivecast products operationally. She has extensive experience as an open-source intelligence (OSINT) practitioner and social media exploitation specialist leading training and consulting programs supporting U.S. and foreign intelligence partners, law enforcement, nonprofit and commercial customers.
Adam Huenke is an OSINT training lead at Authentic8. He has more than a dozen years’ experience as a cyber threat intelligence analyst including roles in the U.S. Marine Corps and U.S. Special Operations Command.
ADAM HUENKE
I think people are afraid to have the conversations because they're like, well, we've done it this way, let's keep doing it this way. Or why? Why change if it's working? Well, sometimes the change is necessary.
[music plays]
MATT ASHBURN
Welcome to NeedleStack. I'm Matt Ashburn, your host.
JEFF PHILLIPS
And I'm Jeff Phillips, co-host of NeedleStack. Matt, today we're discussing OSINT hot topics, and we're joined by two of our favorite opinionated researchers to take on the topics. Abbi and Adam. Welcome to the show. Let's have you each introduce yourselves for our listeners.
ADAM HUENKE
Hello, everyone. My name is Adam Huenke, I'm an OSINT trainer here at Authentic8. I have a very deep in depth background with OSINT training, being a formerly trained military intelligence analyst and working at several small companies doing cyber threat research and open source intelligence.
JEFF PHILLIPS
Thanks for joining, Adam.
ABBI DOBBERTIN
Hi, I'm Abbi. I'm currently the U.S. tradecraft lead for Fivecast, and my background is as an open source intelligence specialist and analyst.
MATT ASHBURN
That's great. Thank you both for being here. Before we get started, though, Abbi, for those who aren't familiar, can you tell us a little bit about what Fivecast is and what you guys do?
ABBI DOBBERTIN
Yeah, absolutely. So Fivecast is a technology company, and we're an open source intelligence solutions provider. And essentially what that means is we develop technical solutions to enable analysts work to collect and assess publicly available information typically available online.
JEFF PHILLIPS
Appreciate that. And again, I appreciate you joining the show today to kick us off. Adam, Abbi, let's talk about one of the fascinating things to me about OSINT is that even the definition sometimes is up for debate. So maybe we start there. Start with what is the definition of OSINT in terms of what are each of your views in terms of what it does include and what it does not include? Adam, maybe we start with you.
ADAM HUENKE
I think OSINT encompasses a lot more today than what we thought it would years ago. Everybody's including cyber threat stuff and other things regarding that nature, along with finding publicly available information on anyone. I think we've expanded on it so much, we may need to slow down and start thinking what isn't OSINT and tailor stuff to that. Abbi, I don't know your opinion?
ABBI DOBBERTIN
Yeah, I think probably when we both got into this space, open source intelligence was just really broadly defined as processing publicly available information. And as a lot of this information has moved online and that's where the majority of the population is accessing it, I think this has become conflated with digital intelligence, which is really just growing in meaning. And I think something we were discussing, Adam and I were discussing earlier, is that it started to encroach on other types of intelligence and on other types of data. So, for example, I think if you're working as an OSINT analyst, then you've probably used commercially available data, not even data that's classified as publicly available information. And depending on what type of access or authorities that you have, you might even be operating online a little bit differently. So maybe you're analyzing certain types of imagery. So doing IMINT, you might be communicating with individuals online and curating sources online. So you might be doing types of HUMINT with online data. And all of these have really weirdly fallen under still the umbrella of OSINT, even though classically, I think you're doing a lot of other techniques that fall into really other types of intelligence.
ABBI DOBBERTIN
At least even like ten years ago, they would have been called other types of intelligence.
MATT ASHBURN
And you mentioned a couple of INTs there. And for the folks in the audience, obviously those are abbreviations, right, of different terms. HUMINT, for example, human intelligence, the tradecraft and the art of tricking other people, convincing them to defy their ethics and everything and spy for you. But there's a bunch of other INTs that are out there as well and within OSINT, open source intelligence. One of those I want to draw attention to is SOCMINT, social media intelligence. And to me, it's a bit annoying that we keep coming up with all these different terms for these things. But Abbi, I think you may be a good person to speak about this, but can you talk about the efforts maybe to ban some of the nefarious actors from platforms that are out there and how SOCMINT plays a role for the researcher, but also how it affects you as a practitioner?
ABBI DOBBERTIN
Yeah, absolutely. I think so. SOCMINT, for those who don't know what that is, it's sort of the art of leveraging social media data or information that's been posted, published, or is available on social media as part of your intelligence cycle. And a lot of that has to do with common mainstream social media platforms that I'm sure everybody's really familiar with. And there's been a lot of pressure and people have probably seen it in the news for these social media platforms to take responsibility for what's being posted on these sites and to take it down, to remove it, whether it's because it doesn't align with the type of content that they want on there or it's criminal behavior. So something truly nefarious. And I think this is maybe a little bit of a hot take, kind of the point of this conversation, but I know it's thrown around with a lot of other OSINT analysts is sort of the shaking of our fists when we find out that something's been banned or removed from a social media platform because it makes it that much more difficult for us to do our jobs when it's out there and it's available and accessible to somebody who's doing SOCMINT or open source intelligence.
ABBI DOBBERTIN
If the barrier to entry, the barrier to access is really low, that's great. I've solved a problem with minimal effort. That's what I want. And especially if that means I'm stopping bad actors. In the course of that, I think when I talk about this, I refer to kind of the golden days of early 2000 and teens where you could find out ISIS training camps through Twitter. They would just geotag where they were. It's like, great. Thanks. Just put that into your report. And now it's just as things have been checkpointed and banned, it's pushed in and really caused a lot of these nefarious actors to manipulate their communication habits so they move into much less accessible spaces, sometimes still online, but it makes it that much more difficult for us to do our job. So my perspective is kind of like, leave it up at least long enough for me to see it and get it and report it, and then you can take it down after that. But that's definitely my perspective on it, is sometimes I worry with the banning and the removal of certain bits of content, we're losing out on really critical insights on some really awful people.
ABBI DOBBERTIN
And if they're willing to put it out there for us to see, why not report on it and take action on it?
JEFF PHILLIPS
I appreciate that insight onto the social media side. I know you both have lots of experience in terms of being OSINT trainers. Adam, in fact, you recently wrote a blog that had an interesting take on it in terms of people are always asking for an OSINT methodology and that you don't recommend one. Why don't you first tell us, did you get any feedback on that? And then tell us, what did you mean by that blog?
ADAM HUENKE
So the point of that blog was to get everyone away from developing or standardizing a step by step way to do an investigation, to do intelligence and intelligence collection, because you take the creativity out of it. Recently, I've talked to someone who had a comment about it, and I've gotten some good feedback about it, and some of the ones I was expecting. And the guy I talked to basically said, don't really call it a methodology, but come up with something where you're trying to find an email address. What sources do you have available? Then you go into, okay, what's your end game? So coming up with step one is what you're trying to find. Step two is what sources you have available. And step three is the end state that you're looking for. And then let them develop their own tactics, techniques, and procedures on how to do that. That actually makes more sense. I'm not saying that that's not the way to go. What I'm saying is we don't need a step by step of when you have an email address, the first thing you do is this. Then you do this. Then you do this.
ADAM HUENKE
Because, again, you stifle creativity. And if that becomes accepted as the norm around the community, if someone hits a roadblock, they're going to stop. If they can't do step four, they're just going to stop their analysis and stop their stuff, their collection, and go from there.
JEFF PHILLIPS
How about you, Abbi? What are your thoughts on methodologies and OSINT?
ABBI DOBBERTIN
Yeah, I think I definitely agree with Adam in the sense that constraining yourself to a methodology is something that comes with a lot of risks. But it is a super common request that you get when you're training not only on social media solutions or open source solutions, but just in general when you're trying to capacity build analysts and train them how to go about this. A lot of them are like, okay, well, what's step one? What site do I navigate to? How do I enter in this search? How do I analyze these results? They want to know and break it down into step 1, 2, 3, 4. And I think Adam is right. We don't want somebody to get stuck on step three because they're not seeing the data that they would expect. Because the reality is, depending on what use case you're working on, what environment you're working in, what topic, what subject matter, you're going to get variable, highly variable data online and with different tools. So the analyst has to be a little bit creative and a little bit flexible and willing to chase a bunch of different avenues to find what the next step is instead of kind of always navigating to the next step.
ABBI DOBBERTIN
So I find myself agreeing with Adam. And I know this is a hot takes podcast, so I feel like I want to highlight some alternate viewpoints because I discussed this with some of my coworkers as well. This kind of question of framework, methodology and the way we kind of thought about it is, well, it depends kind of what background you're coming from. If you're an open source specialist, you know, all these tools available to you, you've done this 100 times. Being flexible, being creative. You're used to operating in that environment, but maybe as an all source analyst or somebody who's used to dealing with several different streams of data and reporting. If you don't find your answer on step three with Data Source One, you're going to pivot and they're just working with a bunch more tools at their disposal. So they need that kind of step by step for each different resource tool that they have. So maybe they just have a totally different perspective on it. And also I've been an open source analyst in the private sector, but I've supported a lot of public sector workers and I'll be like, just be creative with it.
ABBI DOBBERTIN
Just follow it where it goes. And they're like, Abbi, I have a deadline in 2 hours. I can't just be creative. I can't just sit here with a problem and let it wash over me. I need to get stuff done. So I think I definitely understand the request to really clearly outline and itemize what I think the person, Adam, who was commenting on your blog was saying, which is what are your inputs? What are your outputs and what are the tools in between, no matter what they need, I just need to know what's available and where the inputs come in and where they go out so that I can quickly pivot in between them. And I think that totally makes sense to me as well, but would love to encourage creativity and time taking when the analyst has that at their disposal.
MATT ASHBURN
Yeah, absolutely. I think one of the things you mentioned there was flexibility. And I love the fact that you mentioned that. Right. That's something that flexibility able to pivot to different things, but also a natural curiosity about things I think is also very important. Along those lines, though, I'd like to ask probably each of you, Adam and Abbi, for your thoughts about the organization of a team in your experience. Does it make sense to have a dedicated OSINT collector, someone who's there purely just gathering information and then passing it on to an analyst, let's say like an all source analyst, or someone to actually analyze it and turn it into intelligence? Or does it make more sense typically to have an all source analyst, somebody who's really up to speed on critical thinking, key analysis techniques, analysis of competing hypotheses and other analytic techniques to sort of play that analytic role, but then do collection on their own as an added duty? Any thoughts on that?
ADAM HUENKE
I guess I'll go first. I agree. I think we need to separate into subsets. You need to have OSINT practitioners, you need to have OSINT collectors and potentially OSINT analysts doing the job of OSINT collection. You could even further that down into you've got a cyber collector and a cyber analyst. They have it in the government and the military side, where you've got imagery analysts, you've got SIGINT analysts, you've got all these other analysts whose only job is to do one specific set. I could see where if you have an all source person who's had that experience in the all source world to be the analyst, to do the critical thinking and have that background. But it may not be a bad idea to have both an OSINT analyst and an OSINT collector per se. So that that's their main focus. They're not worried about all the other little INTs that need to come up, if that makes sense.
MATT ASHBURN
Yeah, I think that it does. I think it's good to have the open source experience, perhaps as an all source analyst, but it's also a bit specialized open sources and the collection of it and being able to follow all those trails to wherever they might lead. Abbi, any thoughts on that?
ABBI DOBBERTIN
Yeah, this is something that I have a lot of strong feelings on. I think that there should be dedicated OSINT collectors for teams, as it's possible because as we were sort of mentioning in the training framework that we were just discussing, when somebody's given the ability and the time to identify all the different ways that they can come to an answer or interpret data or access data. There's going to be a lot more tools in their toolkit because they've been allowed to specialize and really dig deep into all the different possible data that sits in publicly available information, what that might provide or contribute to whatever their reporting requirements are. I think if you give somebody that dedicated space, you're going to have clear dividends for your team or whoever's working a certain mission set. And I think a lot of times there's this preference of an OSINT analyst where they're kind of asked to just research a topic, see what's out there publicly available from like a news media perspective. But it's not necessarily somebody sitting there and curating access and finding all of the different pockets of information from a source perspective that are out in publicly available information.
ABBI DOBBERTIN
And I think it's almost like a framing of how they're going about that data collection. I think instead of just being responsible for doing a quick query and then integrating it with the rest of the data, they should be sitting in the data curating sources and dealing with their work almost as if they were like a human intelligence collector. They're sitting there and trying to identify the richest sources of information and how to interpret it, put confidence scores on it, and really go all the way in. But if you don't give somebody the time and space to do that, A, you're relying on much more expensive means of intelligence. Typically, like, you're going to be going to other intelligence sources that take a lot more time, money, and resources to leverage and incorporate into your intelligence workflow. But really you're missing out on really easily accessible information that people are already seeing and reacting to, possibly. So it really has impact on whatever it is you might be investigating or interpreting. So I feel really strongly that there should be a collector I do want to bring up. I raised this question as well with some of my coworkers and their response was that's already being done.
ABBI DOBBERTIN
This isn't even a debate. There's already people being integrated and doing this. They're like, what you really need to be debating is whether everyone should be getting OSINT training or how do you overcome resource constraints that are keeping you from having a dedicated OSINT analyst on your team. And I thought that was really good feedback as well because we're sitting here talking about what to label somebody and sometimes it's just too expensive to have a dedicated person in your unit doing just that job. You kind of have to do it all. Or alternatively, you have this whole team. You already have an OSINT collector, but then the rest of your team who is also feeding into your reports is pretty ignorant or unaware of what you're capable of finding through publicly available information. So I think that's also a key point for maybe it should be something where you put everybody through a basic awareness training on what you can and cannot find through publicly available information so that you're asking the right questions when you're sending RFIs to your OSINT collector. So a little bit of an opposite perspective of everybody should get training at a minimum.
ABBI DOBBERTIN
But I thought that was interesting. They just threw more questions my way instead of feeding into the debate.
MATT ASHBURN
I like that take.
JEFF PHILLIPS
Yeah, I do too. And there is a lot of tradecraft in doing collection, but also to your OSINT, the ability and knowledge of where else to go and get information, right? This is not just googling something, right? That Jeff is not a practitioner. I can do that. I do that on a daily basis. But that's not what OSINT is. And people that are trained in this, it's amazing to me sometimes with Adam Matt from interacting with them can find out there. So I guess I can go with at minimum, everyone should be trained on it. Also, if you're not going to have the dedicated analyst, let's go to another one. I think that's a pretty interesting talk. And everyone's talking about seemingly in every area of tech about automation and AI right now. And in the world of OSINT, we do talk about that. There's just tons and tons and tons of publicly available information. And I've even seen some higher ups within the government side say there's so much information, OSINT analysts can't even dig through it all. So what we need to do is we just need to automate everything. This should all be automated.
JEFF PHILLIPS
So what's your take on automation and AI from an OSINT perspective? How about we switch it up? Abbi, you start this time.
ADAM HUENKE
Yeah.
JEFF PHILLIPS
Let's start with Abbi.
ABBI DOBBERTIN
Abbi, I wanted to jump right in because a lot of what Fivecast does is we're developing AI enabled analytics to help analysts interpret and comb through data. So definitely have a perspective on this because I've seen analysts working manually without any sort of automation and then I've seen analysts working not only with our solutions, but a lot of other automated capabilities. And really I think the focus when it comes to integrating any type of automation or AI is it should be with the end goal of hyper enabling the analyst. We don't ever want to replace the analyst with what we're implementing, what toolkits we're putting out there, because you need analysts. You need somebody who the whole reason they were hired is because of their judgment making capabilities, their ability to assess and interpret data and make judgment calls on why it matters. Why are we looking at this? What impacts does this have for my mission set or my key intelligence questions? It's why you hire them. So we don't want to ever put automation or AI in a place of making those judgments for an analyst. Instead, we want to leverage them to take away all the monotonous, tedious work that typically encompasses collection and analysis, which is how do you access that data, how do you collect that data?
ABBI DOBBERTIN
How do you visualize it in a way that allows you to make those judgment calls? So that your brain, your time is not completely occupied with how do I see the data that I need to make this conclusion. Instead, you're just focused on, here's the data. I can start making my interpretation. So in my mind, that's absolutely the role that automation and AI enabled analytics and AI in general should be incorporated is they should OSINT there as a tool for an analyst to make their job easier so they can kind of overcome the masses of data, but ultimately they shouldn't replace the analyst.
ADAM HUENKE
And on that note, again, I would agree. I think from where I came from, as a cyber threat analyst in the So you could automate a lot of their processes, right? You could automate, hey, a computer has got to be reimaged. Cool. Automate the process. Right. The analysis still needs to be done with regards to what caused that computer to need to be reimaged, but that process can be automated. Having done collection as an analyst in the military where I had tons of data to sift through and I didn't know what the answer was when I was looking for years ago. Now, if you're doing it today, there's so many ways to get the information and so many ways to have that information called out for you. Cool. Great. I love it. I love that AI, I love that automation. But you still need that analyst there who has an overarching understanding of what's going on to provide that analyst the analysis needed, right? We could have AI do the analysis, but is it going to be biased? And yes, some analysis is going to be biased based upon my experience or Abbi's experience, but we've also been told to remove that bias and think outside the box and get rid of the biases that we come up with, whether conscious or unconscious.
ADAM HUENKE
You can't really do that with AI because it's code written. So whoever wrote the code has maybe inputted some bias into there, whether you're going to pull from this source or that source. Again, I sometimes cringe when people talk about automation, but now when I look back on it, it's great because we need it to help sift through the data.
JEFF PHILLIPS
And I think collection still is a key skill set, right? Even if there's some sort of automation that's doing that initial collection. And so you're getting to put your brain power, and as you guys mentioned, into being creative and analyzing, that's probably going to lead you down a path or a pivot point that you didn't get, that you're going to then have to go out and investigate further because of what you're taking away, right? So you're still going to need those skills and tools to go out and collect and continue your analysis until you deliver whatever you need to deliver to who you need to deliver it to.
MATT ASHBURN
Yeah, that's right. And I think the point to drive home here from, I think both Abbi and Adam is that let's use machines for what machines are good at, for things that are very tedious and repetitive, things that can be scheduled. Go collect some things, perhaps, but when it comes to using humans, let's use the humans for what they're good at as well, which is typically using your brain, doing the analysis, doing the critical thinking, and as Adam pointed out, removing bias, looking for bias, and looking for other hypotheses that may be out there as well. So, really good stuff. I was wondering if I could shift a little bit from, I guess, the analysis back to collection, if we could. And I'd like to just get a quick take from Abbi and Adam both, if we could, about the setups that you guys use to go do collection. As an example. Tell us a little bit about your thoughts about sort of the do it yourself setups that may be out there. What do you use? What do you recommend that people use? What do you find works best for you and your work, and what are some of the pitfalls?
ABBI DOBBERTIN
I think that's a good question, and I feel like it really depends on what you're trying to accomplish. Not to answer your question with another question, but I feel like if you're building up an OSINT program or you yourselves have been tasked with setting up an OSINT capability, and you are that OSINT collector analyst, I feel like you have to kind of itemize what your capabilities and skill set are and then where your gaps are technically, but also operationally. So once you kind of know, what am I being asked to do, what am I capable of as a person, and what do I need technology to enable me to do, and what do I need maybe some operational assistance with doing that's going to help you pick the right solutions for yourselves. And I've seen people do this, and we were kind of having a laugh about this earlier, where you've seen people who have done this, like hardcore, the manual way. They have everything done in the most manual process possible, and that works really well for them. And based on their reporting requirements and whatever it is they're tasked to do, that situation works really well.
ABBI DOBBERTIN
But then you have people who they really rely on technology and a lot of solutions to optimize their work because their reporting requirements are a lot more frequent and they have a lot more data that they need to get to. So it really just depends on what your requirements are as a team. But I would say at some point and I wrote up a bunch of categories on this in a blog I wrote ages ago on key technical elements of an OSINT program. And I think the first one is actually where you all fall in. If you're going to be working online, secure yourself, whatever that means to you, whatever your touch points are to the Internet or via your device outwards, you need to protect that and then secure kind of your methodology, if you will. So the actual techniques and practices and then optimize that as best as you can. Automate the things that are tedious, that you're able to keep up with their demands. I think overall, that's what I would say is secure yourself, secure your methodology, and then optimize everything that you can feasibly optimize. I would say those are a generic statement on what I would tell people working in this space.
ADAM HUENKE
Again, I hate to agree, but I do, because it's one of those things where when you try and set up your own system, even if it's by yourself, because you work for a small company or a larger company that may have the funds. Money always is a key aspect of this, too, and it costs a lot of money to set this stuff up. I've done the research. I've looked into it when I worked at my last job and my last company. We're talking 40, $50,000, not to mention that I've got to hire someone to manage the stuff if I don't know what I'm doing. I have some knowledge on how to manage systems and do images and wipe computers when necessary, because we may have gotten a virus or whatever, but if your team doesn't have that technical expertise, you could be at a pitfall. When you start going and using a standalone machine that may have a virus on it that you don't know about, you accidentally connect a thumb drive to it, and then you take that thumb drive and put it into your work computer. Now you've infected your whole network. The possibilities are endless there.
ADAM HUENKE
So, yeah, you've got to look at, as Abbi said, what you're trying to accomplish, what your methods are and what your means are, and what your funds are available to maybe do that as well. I could do it at home, but do I have the money to set up my own server system here at the house? Probably. But do I want to? Not really. I don't want to set up my own server farm. I know people who have. But that's a lot of time and effort I've got to put into it on the back end where I could just find something that maybe is a push button solution that works and keeps me protected, as Abbi said.
MATT ASHBURN
Yeah, I think those are great points. Well, as we wrap up here, any final thoughts on OSINT or any other hot topics before we wrap up?
ABBI DOBBERTIN
I guess maybe my takeaway from this is, shockingly, we agreed on almost everything. But I promise you out there, there are a bunch of people who disagree with us on a lot of what we've said here. I think it's a really ever changing space to work in, which keeps it challenging and interesting. And I feel like super interested to hear people's reactions to some of the stuff that we might think are obvious and we agree on. But the reality is people have taken a lot of different routes to come to really successful solutions to accomplish open source intelligence or integrating into their workflows. So I'm really kind of curious to hear what others think about it.
ADAM HUENKE
I think from my end, what it really comes down to is we've got to get the conversation started, whether they agree or not, and have the conversation on what is the future of OSINT, what is the future of all this stuff. We're going to have competing ideas and competing problems. We've got to come up with solutions. And whether we agree or not, we've got to start having these conversations. Right. I think people are afraid to have the conversations because they're like, well, we've done it this way, let's keep doing it this way. Or why change if it's working? Well, sometimes change is necessary.
ABBI DOBBERTIN
I don't know if you all not to kind of throw a wrench at the end of this, but have you all encountered where a lot of your customers are dealing with open source intelligence, policies being written now and guidelines and framework written now? Is that something you all deal with? Because I find that's really challenging.
MATT ASHBURN
Absolutely. And in fact, it was something when I first started with Authentic8 about three years ago, it was such an issue, especially back then, that we ended up writing a couple of policy exemplars because we saw some common needs and also some common desires from customers. So we actually have those available for folks if they need them. You're talking about sort of establishing methodology, and the thing that was in the back of my head was man also policy say policy. Say policy is it something that a lot of especially in the government right. And also in the private sector too. I think to a little bit of a lesser extent, policy is important. You got to have those guardrails if you're out there looking at publicly available information. So that's a very good point.
ABBI DOBBERTIN
Yeah. And it's always interesting watching a lot of either draft ones come out or even seeing finalized versions come out. And people have to adapt really rapidly to the new guidelines that they've been given and how it affects the practicality of their job. I think that's really interesting, and I'm hoping a lot of the policies that I've seen come out are getting revised really frequently so that they keep pace with kind of this debate that we're having now, which is the fact that OSINT is changing every single day. I hope we don't have a policy release now, what, 20 years too late, and then it just stays stagnant. I'm hoping that these get reviewed and they're put in place, just like technology is put into place to kind of enable the analysts to do their job and solve these problems. But, yeah, I bet those exemplars are super helpful if somebody just really doesn't have a starting point for how they should be guiding their research and their work.
MATT ASHBURN
Well, thank you so much to our guests, Abbi Dobbertin and Adam Huenke for joining us today. If you at home liked what you heard, you can always subscribe to our show wherever you get your podcasts. You can also watch episodes on YouTube and view transcripts and other episode info on our website. And the website is authentic8.com/needlestack. That's authentic with the number eight, .com/needlestack. And be sure to let us know what you thought of the show on Twitter. You can find us there @needlestackpod. Also, we'll be back next time with more OSINT tips for your research. We'll be glad to see you then.