In this episode, an expert OSINT practitioner from both government and private sector practices joins to share hands-on tips from in the field. He also shares what the students of Center for Intelligence and Research and Training are learning from their real-world client experiences.
Brian A. Fuller is Director of Operations for the Ridge College of Intelligence Studies and Applied Sciences at Mercyhurst University, a position he assumed in December 2019. As the Director of Operations Fuller supports all operations related to the academic curriculum or Ridge College activities. This includes working as the Director for the Center of Intelligence Research, Analysis and Training (CIRAT), Director of the Innovation Entente Lab (IEL) and overseeing the college's internship program. Previously, he served as a Senior Open Source Intelligence (OSINT) instructor for the Department of the Army’s OSINT Office, where he trained Army intelligence professionals at the strategic, tactical and special operations levels.
BRIAN FULLER
So one thing that we're doing is, we, we use things like Similarweb, right? We want to develop - I don't like to use the word persona, and my instructor who taught me, he said, we're not building digital personas. What we're doing is we're building digital footprints and obfuscating our actual footprint.
[music plays]
MATT ASHBURN
Hi, everyone, and welcome to NeedleStack, the podcast for professional online research. I'm your host, Matt Ashburn.
JEFF PHILLIPS
And I'm your cohost, Jeff Phillips. Today we're joined by Brian Fuller. He's the director of operations at Ridge College of Intelligence Studies and Applied Sciences at Mercyhurst University. Welcome to the show!
BRIAN FULLER
Well, thank you, Matt and Jeff, for having me. I really appreciate the time.
MATT ASHBURN
Yeah, sure thing. Brian, can you set the stage a bit for our audience? You and I have chatted quite a bit. Can you explain a bit about what you do at Mercyhurst, and how exactly does Mercyhurst relate to online research?
BRIAN FULLER
Well, as Jeff stated, here at Mercyhurst University, we have the Ridge College of Intelligence Studies and Applied Sciences. It's actually the Tom Ridge College of Intelligence Studies and Applied Sciences. Here we have the world's premier intelligence studies program, both strategic and competitive business intelligence. And as everyone knows, with intelligence, there is a lot of research and collection that come with that. Our specialties here really revolve around open source intelligence. That is one of the main platforms in which we gather our information and teach the students in our program. The trade craft. The second one is humid. We do a lot of human operations and geospatial intelligence. And realistically, you come here from the time you're a freshman, you're getting experience in working, in really conducting open source intelligence and the rest of the intelligence disciplines, but learning how to tie it back to either a strategic objective or operation or a competitive supporting competitive business intelligence. We also have a grad program in which our grad students that come in, they learn a lot of the same open source intelligence, tradecraft methodology and all of the tools that go along with that and then graduate with a great degree, whether you're an undergraduate or graduate.
JEFF PHILLIPS
That's really cool. Now, Brian, I know from having talked to you earlier, you have a long background, lots of years of experience in OSINT. Can you talk a little bit about your background and then some of the experience you've gained there? And maybe what lessons are you trying to impart on your students when it comes to ocean techniques and protocols?
BRIAN FULLER
Absolutely. So, I spent 24 years in the army. I was in military intelligence and counterintelligence. I can say that now, I'm retired. So, I retired in March of 2019. Towards the end of my career, OSINT really became a big part of the intelligence disciplines at the military practices. And so I was able to really become trained in that and exposed to it. When I retired in March of 2019, I stayed retired for a negative 45 days. And in February, I actually started working for the Army OSINT office as a senior open source intelligence instructor. I was out at Fort Carson teaching basically all the Department of Defense's OSINT courses east...or west of the Mississippi. We also had an office down at Fort Hood and in Texas. So between the two of us, we were really teaching it. That's where I really learned to master the tradecraft. That's where I really learned how to leverage the tools, such as Authentic8. That was a big platform for the managed attribution that we were doing. And then, in February of 2019, oh I'm sorry, in December of 2019, I came to work at Mercyhurst University. Now, preceding that, loved what I was doing in the military. I was out at the Intelligence Security Commands Foundry site teaching a lot of great OSINT courses, I'm getting a lot of great exposure. But my family wanted to move back home here to Erie, Pennsylvania. And so we ended up moving. And at the time, Mercyhurst was looking to hire a director of operations. And more importantly, they really wanted to increase their capacity for doing open source intelligence. They really wanted to teach it at that tier two level. They were really doing tier zero and some tier one, but they really wanted to get it to that tier two to tier four level. And so it was a great fit. I knew operations, I knew intelligence, and more importantly, I knew OSINT and how I could help incorporate it. And now how do I impart it on the students? Well, we have what's called our Center for Intelligence Research and Analysis training, or CRAT. It's a lab here, so state of the art lab, where we work on real world projects for real world clients and decision-makers, whether it's strategic government side or it's competitive business intel or business intelligence on the private sector side. And we support the mission of nongovernmental organizations. The students get hired to work on those projects. It really is a part-time job for these students. They get paid to work on the projects. It's contractually based. We're guaranteeing the deliverable that we're providing, just as well as we provide direct support to clients in being a force multiplier and enhancing their intelligence and information research and collection capability. Within that lab, we are exposing the students to a lot of great tools. We're not just teaching them tradecraft. Now, all of this is external to the classroom. So in the classroom, they get a great education, we have a great faculty. They're all providing a lot of great education and knowledge to these students and imparting tradecraft and the use of employing it. But really, the applied experience side comes inside that CRAT lab. And so that's where I teach them a lot of OSINT. We have to learn, working for real world clients on real world projects going in from the decision makers that are influencing operations, whether it's government or private sector. We're going on foreign intelligence websites or foreign websites, right? And a lot of them we know, are probably being monitored by foreign intelligence services or foreign governments, so it's very risky to go on there. Just as well, we go on the dark web. We will go on the deepest corners of the dark web. We even will go on the surface, deep web and dark web. We teach all the tradecraft, but we have to teach how to mitigate the technical risk to the university into our lab.
MATT ASHBURN
You know Brian, you mentioned a few terms there. I just wanted to back up a little bit there. You mentioned tier zero, tier one, tier two. Can you explain to some of the listeners that may be out there what are those tiers mean and how they relate to research?
BRIAN FULLER
So tier zero would be your safe search sites, so that's sites that you trust, sites that are mainstream, sites you vetted, those would be, like, mainstream news sources, really. Tier zero is US-based sites. So if it's a dot com, it's a trusted dot com, a database, library of Congress, for instance, it's a trusted database. You can go there. There's no real risk of being a technical risk of getting a virus or malware or snoopware or ransomware. Same on the technical side or topical side. You're probably not going to be being really tracked for what going into these databases. So it's just that: it's sites that you consider safe that you've used before that you've vetted and don't really pose a risk. You should always check every site for a technical risk. So if it comes up without a technical risk, then you're good. And then looking at it from a topical perspective, would somebody be interested in while you're on that site? Then you have your tier one. That's where you go to a site that maybe you're vetting. You haven't found too much wrong with it, but maybe it's a foreign site, like a Chinese website, a Russian website, Iranian website, whatever it is that maybe not necessarily an ally with the United States. They may be interested in why you're going to that site, but you don't find any real risk. So there could be a risk, but you aren't 100% sure. That's called a tier one, where it could pose a risk, but there's nothing imminent showing you that it is a risk. And then there's your tier two. Tier two is, it does pose a risk. You have found that there's a technical risk. Like, there's been a lot of viruses reported coming from that site, or, you know, you vetted it and it's owned by a foreign government. You've looked into it, like forums, especially like a 4Chan or something like that. You know, there's probably hackers on the other end of that or the webmaster is interested in. While you're there, you found solid information to say that there is an imminent threat to your both technically and topically, right? So that would be a tier two. And then tier three and four is where you get more into your active collection. So everything tier zero, one and two is passive collection. Three, four, and I'll stay away from five. But three and four is where you really get into the more aggressive type of collection methods, more your human and OSINT combination.
MATT ASHBURN
That's interesting. You mentioned also about some direct experience opportunities. And as you know, some of the most valuable lessons can come from doing direct experience in any particular field. Can you talk a bit about some of the opportunities that exist for students to get hands on experience with actual clients doing OSINT research?
BRIAN FULLER
I can. So I'll caveat everything with, we work under nondisclosure agreements with quite a few of our clients. But I can tell you, every day we are doing tier two operations when it comes to OSINT. Every day we are on Authentic8, utilizing Authentic8's toolbox and a lot of times the Tor network. And so the opportunity, so, Big Pharma is a good one. So Pharma is always worried about their brands being illegally copied, manufactured IP being stolen, brand being stolen, brand illegally being used on products that don't belong to that pharmaceutical company, being sold on marketplaces that are out there, that really, you know, the drugs are killing themselves. That baby formula issue that happened, there were a lot of knockoff products coming out saying that they were Abbott products when they really weren't. And then Abbott was getting blamed for it. And so it's a huge international criminal network. So we have been hired, we work a lot with Big Pharma to help with those types of investigations. We're going on the web and we're finding these illegal marketplaces illegally selling specific products that are related to this that are actually killing people or could kill people. Products that are no longer being manufactured, but are still being sold under the brand name or believe it or not, even the copyright on the pictures that go on these things, their logos or all of that. We're looking for that. And then we're looking where it's being sold, who it's being sold by, who's purchasing it, and then we trace it back to where's it being manufactured, how did they get a hold of it? So you look at the whole gamut of an investigation from start to finish with that. There's a dark side to a lot of this, too, that we come across and work on. Unfortunately, we do help find missing and exploited children with some of what we do. We have uncovered just through the nature of what we do, criminal networks, criminal activity, whether it's a pedophile ring all the way to illegal selling of drugs locally, we help our local police department once in a while. They have an intelligence sell and we'll help them out to track things. We do a lot of social media stuff as well. So we'll do a lot of social media exploitation, whether it's for sentiment or we're looking for specific information on assessments that are going on.
JEFF PHILLIPS
That's super interesting. Well, super interesting. And I can imagine, or can't imagine how useful that real hands-on experience is for the students. You mentioned using a managed attribution platform in terms of mitigating technical risk. We do have a lot of...the skill level varies widely in terms of our audience. I take it when you get those students in there right off the bat, is there some things you teach them as far as mitigating risk when they're conducting their online research? Not the technical risk, but the other side of risk?
BRIAN FULLER
Yeah, absolutely. So the first thing we do whenever we start off any project is we do a collection plan, whether it's a project in the CRAT or it's a project in the classroom. So you should always start with a collection plan. And that's really the plan of how you're going to go about doing your research and collection and producing a product. But in there, you should identify where the risks are, where you do risk assessments and everything. You should be putting in place a way to reduce that risk, measures to reduce that risk. And then from there, as you're doing the research and collection, you should be doing a source risk assessment as well, which goes to the technical side. Now, on the topical side, when we're doing manage attribution, we built something called a managed attribution plan. I tell all the students, I have a rule called Four and Four. You should have four websites that you go to before you hit your targeted website and then four more websites to go to after that. So that way, topically, nobody can really figure out what website you went to, why, because you're really blending in. We want to blend in as much as possible. We do not want to be unique in any way. We want to look like a typical user. And so using Authentic8, it really gives us this ability to do that, to really develop that type of plan. So one thing that we're doing is we use things like Similarweb, right? We want to develop I don't like to use the word persona, and my instructor who taught me, he said we're not building digital personas. What we're doing is we're building digital footprints and obfuscating our actual footprint. But then, even though you're technically doing that, how do you blend in? What kind of pathway do you build? So we like to put what's called breadcrumbs. So the first thing that we'll do is we will develop our digital footprint. What should it really look like? If we're going to a Chinese website, are we using a point of presence right, to get to that website? So say it's the financial sector. We're interested in the Chinese financial sector. Well, if we go directly to the Chinese website from a us based platform network, or even the operating system that we come from, it's probably going to send up a red flag. Odds are the Chinese government is probably monitoring that. And I'm not a conspiracy nut by any means, but there's probably somebody that's got ill intentions, nefarious activity on the other end. So how do you get in there without them identifying that you're there, that you're a collector in the United States and why you're collecting, that you're interested in something? So you will build a managed attribution plan. You will develop what does a point of presence coming from Japan look like? How do you blend in as a Japanese student if that's the way you're going to go with it? What sites would make sense in Japan that you would go to to get to a Chinese website? What sites would you go to in China before you go to your targeted website to look like you're blending in? And then how do you egress out of that? So you go to a couple more sites in China and then you jump back to Japan, and then you go to a couple more sites in Japan. Well, then you're done. You can close out, you're done with your manage attribution, right? So on the topical side, you've really blended in - your footprint makes sense for what it looks like. We always match it up with what Authentic8 pre-builds for you to make sure we're always vetting it against that. And so far you guys have been 100%. And then we check everything from languages to time zones to all of that. And time zone is another big one.
MATT ASHBURN
Brian, if you can narrow it down to just one, what is one big mistake that OSINT practitioners make?
BRIAN FULLER
They put together a great managed attribution plan, but they forget about the time zone. So you could be going to that Chinese website when it's 2:00 in the afternoon in the United States, but it's an odd hour in China, and forgive me, I don't have all the time zones in front of me, but that sends up a red flag because I might be one of the sites. Less traffic, and the webmaster wants to know why people are coming there at a high traffic time. We also use things like similar web to tell us, and some other analytical tools that are out there to tell us when is high traffic on these websites, right? When would it be best to go on those? And we try to match up that time, so we'll look at timezone to make sure the time zone makes sense. That's why I love your collector platform, because you can set up collector to go actually collect at that time, when it could be 2:30 in the morning when it's high time on the site I'm trying to go to. So what's great is your collector platform allows us to set up the search. I don't have to get up at 2:30 in the morning to do the search myself. I just get up in the morning, 7:00, look at my results, and great, I've got it all. Managed attribution plan still works. That's what I love about your collector platform. But the other thing that we look at is a lot of times we'll look at bounce rates, right? We'll really look at the bounce rate. So what's the bounce rate on our targeted website? Can we get on that website at the same bounce rate and get off of it? We look at the amount of time the average user spends on there. So if it's 2 minutes and 30 seconds, I will take a timer, put a timer in front of me and make sure I don't go over 2:30. Maybe I do 2:10, 2:15, but I'll time to make sure that I'm only on the website for that long, get off. And then if I got to come back to it, I'll develop another managed attribution plan to get on there. I know that I've said a lot with that long way to answer that question, but that's really how we teach a lot of the topical risks with a great managed attribution plan.
JEFF PHILLIPS
That's amazing. Amazing classes.
MATT ASHBURN
Yeah, I love how focused you are on the tradecraft with all of this. If there are a few things you want to leave the audience with, what would those be today? Brian, what tips would you want to leave the audience with today?
BRIAN FULLER
So I will leave it with the audience two things. One, you really got to have a good collection plan. You got to have a good risk assessment, you've got to have a good way to mitigate that risk. And you've got to have a good managed attribution plan. Next thing, you've got to have a good tool set, right? You've really got to have a good tool set for mitigating the technical and topical risk. Everybody tries to mitigate technical, but they don't really think of the topical side of it. So you have to look at the topical side as well, because you don't want to burn your operation mission and you don't want to burn your clients as well, right? If you're doing some type of corporate searching on your competitors, you don't want your competitors to know that you're doing that, right? It used to be termed corporate espionage. Well, you don't really want to let people know you're doing it. It's like doing digital human operations. So topical risk mitigate it, right? And then the other thing is, if you don't know what you're doing, Google is not an OSINT technique, right? Google is great. It's a database that's out there. But don't think that you're doing proper OSINT by using individual search tools. Use a meta search tool. Use your tier zero. Figure out what your tier one and tier two threats are going to be in sites you need to go to. Don't be afraid to go to them. But if you don't know how to mitigate the risk before going to those, seek out the training. Seek out that training before you burn yourself or burn your company or burn your network. If somebody got ransomware, it's because they didn't do proper OSINT. These companies getting ransomware, it's because they're not either training their people on how to do proper OSINT or they're not mitigating the technical risk in a way that doesn't allow someone to get in. And you know what? You've got to train all your people. It's great that the intelligence professionals or your global security operations center or your IT guys and your cybersecurity guys know how to mitigate that. But what about the people in your HR department, right? What about the people in accounting and finance? Everybody can be a point of vulnerability. So teach them how to do proper OSINT as well, and I guarantee you'll reduce your risk 100%.
MATT ASHBURN
Lots of great information there. Thanks again to our guest, Brian Fuller, for joining us today. If you liked what you heard today, you can always subscribe to our show wherever you get your podcasts. You can also view our episodes on YouTube and get show information and all sorts of other stuff on our website at authentic8.com/needlestack. It's authentic with the number eight at the end dot com slash needlestack. Don't forget, we're also on Twitter @needlestackpod.
