It takes a team of people to provide protection to executives and one of their most important tools for offering the best protection is OSINT. Whether searching Facebook for public protests or getting a tip from Twitter, guest Mick Baccio explains how open-source is a key tool in the field.
Mick Baccio fell in love with the idea of cyberspace around nine years old after reading Neuromancer, which led him to pursue a career in computer operations with a focus on information security. Before joining Splunk, he held the title of Chief Information Security Officer at Pete for America, holding the honor of being the first CISO in the history of presidential campaigns. Mick was also the White House Threat Intelligence Branch Chief in both the Obama and Trump administrations and helped create a threat intelligence program during the rollout of the Affordable Care Act at the Department of Health and Human Services. A US Navy veteran, Mick has also served in cybersecurity and technical roles at the Department of Defense and Centers for Disease Control. As one of SURGe's Global Security Strategists, Mick leverages his background and expertise to help customers solve complex security problems. When not posting pictures of food, cats, or Air Jordans to social media, Mick is a Goon at DefCon and teaches lockpicking.
MATT ASHBURN
Welcome to NeedleStack, the podcast for professional online research. I'm your host, Matt Ashburn, a cybersecurity professional with a penchant for OSINT and all things research related.
JEFF PHILLIPS
And I'm Jeff Phillips, tech industry veteran, and curious to a fault.
MATT ASHBURN
Today we have a very special guest with us. All our guests are special, but we like this one the best.
He's here to talk about the role of OSINT in organizational security, corporate security, and executive protection, and a bunch of other use cases that he'll talk about. Mick Baccio from Splunk.
He's on the SURGe team at Splunk. He's a global security strategist, and by the way, he has a great show on LinkedIn. If you haven't seen it, you want to take a look at it. Mick and I have worked together in the D.C. cybersecurity community for several years, and he has tons of experience using open-source for a variety of things, including protecting organizations and individuals that are highly at risk. And so welcome to the show, Mick.
We're glad to have you.
MICK BACCIO
Well, thanks for having me on, guys. It's great to be here.
MATT ASHBURN
Yeah, great. That's awesome to have you here. Open-source research is extremely useful for threat protection. We talk about it many times in terms of cyber threat protection, but also in general for cybersecurity, and even more broadly in technical security and physical security. So what do we mean by that? We mean talking about protecting an organization, a person, a corporation, including when they're not only in their organization boundaries, but even outside, such as on travel. So you're definitely missing out if you don't use open-source research.
Mick, can you tell us a little bit about some of the threats that are out there and how open-source plays a role?
MICK BACCIO
Sure.
I think open-source research, anything that you're doing as far as threat detection and how to leverage that, comes into play in every, I guess, every facet of your travel really. My background lends itself into the other side of the threat model.
So when you're looking at travel, when you're looking at protection for that, you have the force protection and the physical threats, and that's where your protective detail, body man comes into play. Things like that. On the technical side of things, those cyber threats, open-source, it's incredible how useful it is. I didn't think I realized that until after I left the government.
When you start looking at things like the travel, the place you're going to, the specific area, you can start looking at things like the gear that you're bringing with you, the gear that you're using, what are the vulnerabilities inside that and how to mitigate those, and just the resources available to the staff that's traveling with you. Anywhere you go, there's a footprint there, and how to mitigate the size of that footprint, as well as the defense of something that might kind of try and bump up against it.
MATT ASHBURN
Yeah, that's really great, and you hit on something there about travel. Something that folks may not know about you is that you were actually the first full-time CSO for a presidential campaign, is that right?
MICK BACCIO
It is.
MATT ASHBURN
How did this play in, in some of that experience?
MICK BACCIO
It's really weird for me. I was the CSO for Pete Buttigieg, Mayor Pete out of Indiana, who's currently the Department of Transportation Secretary. I was the first guy to do it, which is really weird when you think about what the role entails. My background being threat intelligence from the White House, I get it, I was a natural fit, and being able to leverage a lot of the protections for the principal on that travel. Wherever your principal goes, the entire office goes, and you adjust your threat model for that.
So you look at, obviously you look at something like doxing, right?
My executive, my CEO, whoever that might be, whoever's traveling with me, that person I'm trying to protect from a technical level, what footprint do they have online and what are their vulnerabilities?
But then you start looking at the folks that travel with them. Their executive staff, their support staff, and your auxiliary staff that come with them, even down to family members, what kind of footprint do they have online that could be leveraged by an adversary?
And it's really, really interesting how OSINT comes into play with things like that.
JEFF PHILLIPS
Hey, Mick, I totally get it, for sure on the physical security, especially when someone's traveling and protecting them. I can imagine with someone that high up that's running in a campaign, or even your CEO, would OSINT come into other types of executive protection online? Like if there's misinformation spreading about them, or some of their private information gets published online and starts spreading.
I can imagine you could start to apply it to their virtual identity also.
MICK BACCIO
I think that's what's a crazy thing, is you're a hundred percent right, Jeff. When you are a public figure, the smallest bit of misinformation, just to see how it travels is incredible.
How fast it spreads and how wide it spreads, from just a nascent starting point. There's a lot of folks that track that, a fantastic team I know over at Graphika. You look at Facebook, the work that they're doing.
They kind of are able to track how wide that goes. I think from, as an individual on a team, if I'm at a company, I don't know if there's much you can do to stop the spread of that, but just to be aware of it for situational awareness I think goes a long way.
I know there are firms out there that do track your, I guess it'd be brand reputation, but I know that's for companies, but I guess companies are people, so for people too, why not?
JEFF PHILLIPS
Right.
MICK BACCIO
But yeah, that information is super useful on both sides of the fence. I know what's out there, I know what's not out there, and I think you can adjust your threat model based on that. These are things that I need to, "Hey, that's not true, I need to put this out," or just to be aware of when you're traveling somewhere.
MATT ASHBURN
Can you expand on that a little bit, Mick? You talked about how this can affect a threat model, and this information can be shared amongst different teams with different missions. Can you expand on that a little bit, about how open-source research can be applied and gathered, and then how do you share that information internally? What are some of the, I guess, the internal customers of that information?
MICK BACCIO
That's the hardest thing to do, I guess. We've always had that problem. Information gets stovepiped, so how do you share information internally, externally?
You've said it on these before, Matt, and in our history together, you kind of get all the folks together in the same room that need to hear the information. You have your threat intelligence teams, specifically in this case it would be your OSINT team, generate a whole report based, "Hey, we're going here.
Here are the technical threats from start to finish.
Here are some strategies to mitigate them," and all the players that are involved in that trip that you're going on are in the room to hear that briefing. Whether it's your comms folks, your legal folks, your logistics folks, other folks that are traveling, other department heads, everyone that needs to hear that information, disseminate that out to their staff, it's kind of a cascading effect.
But I think having that centralized part, that centralized briefing, is super, super useful.
I think when you look at it, especially I remember my time in a campaign, every facet of a campaign has a security story that you need to tell, and OSINT is a huge part of that.
When you look on a campaign, things like fundraising. You look at financial crime, which is a huge, huge problem, you could use OSINT to see what is targeting specific campaigns, what is targeting that political landscape, and kind of build those defenses and make folks aware of those, just using OSINT.
MATT ASHBURN
Yeah, and you touched on something that was important there, is getting all the different teams in the same room, whether it's the-
MICK BACCIO
A hundred percent.
MATT ASHBURN
--in a corporate example, right? Your PR folks, your cybersecurity folks, physical security folks, whoever they may be. Also, the other thing is the executive, the principal, whoever's leading that particular event or that travel or whatever the case is, whatever it is you're planning ahead of. Having them in the same room gets them on the same page, but I think even more importantly, having the executive or the principal there really does reinforce the desire to have good security tradecraft, and-
MICK BACCIO
Well, it's that buy-in, right?
MATT ASHBURN, MICK BACCIO
Yeah. When the buy-in comes from the top, it sets the stage.
MICK BACCIO
Yeah, and to build onto that, all the principal levels that I've... The best thing you can do is just tabletop. Everything that could possibly go wrong, every scenario you can think of, "Hey, what do we do with X, Y, Z?" The same thing you would do with incident response, this is something you plan out beforehand.
Before you go on this, "If this happens, what is our response?" And you as the network defense blue-teamer guy, you've leveraged the OSINT from that team, you've leveraged whatever closed source you might be using as well. But even if it's just OSINT, "Hey, here's the defenses we need to put in place before we go wheels up anywhere," and to have all the folks there in the same room to hear it.
I think that pays off in spades.
MATT ASHBURN
And also it helps to shut down any potential pushback from folks, because let's be frank, security can be very difficult sometimes, it can be very inconvenient, and how many times is there pushback from folks on that.
MICK BACCIO
I mean, that's our job. That's a hundred percent our job. It's every place, because you can have operations without security, but you can't have security without operations.
MATT ASHBURN
That's right.
MICK BACCIO
It's... does your radio work? Yes. Is your radio secure?
JEFF PHILLIPS
As a user, I just want to say... I was going to say, as a user I want to validate that you guys make things tremendously difficult, so great job. Great job on that front.
MICK BACCIO
That's our job.
MATT ASHBURN
We aim to try.
MICK BACCIO
To find that balance between usability and security, that's again I think where OSINT comes into play. I'm using X, Y, Z radio set on this trip.
I know it has this vulnerability that I've researched online. I've looked at the CVSS score, I've looked online at the databases. I've done all my open-source research on this vulnerability and how bad it is, but then it goes into a probable versus practical. I know this threat could happen, but will it? And that's where that threat modeling comes into play, but through OSINT, I think you're able to get a better picture of that and have a more informed threat model.
MATT ASHBURN
Yeah, that's great. And talking about that threat model and the research that you do, I guess, to kind of close up here, can you leave folks with perhaps some of the key questions that they should be asking as they're conducting research?
What are those questions that they should be asking and then syncing answers to through the research?
MICK BACCIO
I think when you bring it down to just that technical side of things, you're looking at something like misinformation, doxing, and what that tech threat travel risk is. I think those are the big things on any trip. Your travel risk, your misinformation, and doxing. Those are the big things. When you wrap all those up, that's your footprint, and either you want to make that footprint smaller, or you want to figure out how to kind of lock it inside of a box.
But looking at that as your starting point, and from there, once you have that foundation, it branches out.
JEFF PHILLIPS
That makes a lot of sense, even that misinformation side. When you mentioned earlier other people in the room, that could be something more so your PR team's interested in, if there's any protests when you land or anything like that, in addition to all the safety and physical safety of the VIP.
MICK BACCIO
Right, right.
MATT ASHBURN
Yeah, absolutely. Well, Mick, thank you so much for joining us today. Really appreciate all the time and some of the stories and advice you've given folks today.
Also, thank you to the viewers at home for tuning in today. If you liked what you heard, you can always subscribe to our show wherever you get your podcasts.
MATT ASHBURN
You can also watch episodes for free on YouTube and also view transcripts and other episode information on our website at authentic8.com/NeedleStack, that's authentic with the number eight.
Be sure to follow us and ask questions as well on @NeedleStack_pod on Twitter. And by the way, if you want to follow Mick and all of his antics on Twitter, you can follow him as well at @nohackme. So an excellent Twitter handle. If you're not following him, you absolutely should be. Lots of entertaining and useful information as well. We'll be back next week with more of our tour on OSINT, looking at how it applies for cyber threat intelligence. See you then.