Episode 81

Open Source Intelligence with the Grugq

EPISODE SUMMARY

Thaddeus E. Grugq aka “The Grugq” joins the 401 Access Denied podcast this week to discuss how cyber strategies and tactics differ globally. We dive into how China, India, Russia, UK, EU, and the US approach cybersecurity, as well as the significance of legal frameworks and coordination among law enforcement and intelligence groups. The Grugq brings his decades of operational security experience and research to weigh in on these important topics.


Hello from Cybrary and Delinea, and welcome to the show. If you've been enjoying the Cybrary Podcast or 401 Access Denied, make sure to like, follow, and subscribe so that you don't miss any future episodes. We'd love to hear from you. Join the discussion by leaving us a comment or a review on your platform of choice or emailing us at Podcast@Cybrary.it. From all of us at Cybrary and Delinea, thank you and enjoy the show.

Joseph Carson:

Hello, everyone. Welcome back to another episode of the 401 Access Denied podcast. I'm Joe Carson, the host for the episode, and it's going to be another exciting show today. As always, we're looking to bring really great leaders, people with amazing opinions and ideas to really make the world a safer place, and really highlight what we need to be doing in the security industry. So today I'm actually joined by Thaddeus, the Grugq. Is that how I pronounce it properly, the Grugq?

Grugq:

It's close enough, yeah.

Joseph Carson:

Close enough. But it's a pleasure to have you here. If you want to give the guests a little bit of background of what you do, how you got into the industry, and what things you get up to, what's the fun things you find in the security industry that's entertaining and educational?

Grugq:

Yeah, sure. Okay. So I'm the Grugq. I basically started doing InfoSec stuff in 1998, so that's a very, very long time now. And in that time, so I started out working at enterprises, doing firewall stuff, then immediately went into doing offensive security, did some startups, did consulting. Along that time, I've always been very interested in, I guess now we call it deviant security, so sort of the secure side of offensive security. So how do hackers protect themselves or how do you do stealth when you're on an operation? That always interested me. And then in the last decade plus I've gotten more interested in the broader sort of things, sort of strategic operational issues. If you are a nation-state, how do you use cyber to achieve your aim? If you have goals that you want to achieve, you have cyber, how do you get from A to B? So that sort of interested me and that's really what I've been focusing on more and more heavily now to the exclusion of pretty much everything else and-

Joseph Carson:

Absolutely.

Grugq:

Yeah, I absolutely love it. I think it's fascinating and it's great.

Joseph Carson:

Absolutely. It's a really interesting industry. Absolutely. I think it's always changing and evolving and exciting. It's not one thing that stands still. The technology evolves, the threat changes. So it's always continuous learning. And one of the things you mentioned is about, absolutely, nation-states from a strategic, how do they make sure that they're doing cyber to their advantage sometimes in an ethical way, in a legal way, that they can actually empower their citizens and country to move forward.

Grugq:

Yeah.

Joseph Carson:

I've always found it-

Grugq:

Absolutely.

Joseph Carson:

In the world we're in, no country can do this alone in many cases. It's very difficult to do it in a silo and it's always about finding good cooperation. So what's some of the areas that countries are looking to get into in this? Because every country seems to be... Some places are taking very different approaches. For example, some countries, they permit the ability to go and do offensive attacks in response to being a victim. Some countries are against it, some countries are doing it in stealth where they don't want it to be known. Where's the majority that's really taking this?

Grugq:

Right. There's a whole bunch of interesting things going on. So the US, they've developed this theory called persistent engagement, which is essentially based on the idea of assuming that you're an 800 pound gorilla, how do you get what you want? And that's fairly easy if you're an 800 pound gorilla, right? Now the problem is if you are not an 800 pound gorilla, that strategy is not going to work for you. So the UK, just the other day, put out a doctrine of how they're looking at... It's complementing the US. They looked at, "What is the value that the US brings? What is the value that we can bring?" You could be the small version of the US that does it worse and cheaper, or you could do your own thing and they've done their own thing.

I think it's really quite good. I'm going to be looking a lot more at that in the future. I think it's very, very good stuff. But then you have on the other hand places like Germany. They've got a lot of talent. Well, they've got the legal frameworks and the structures and stuff in place, but the sort of political will isn't really there and somehow it doesn't gel, it doesn't coalesce. So I don't know what's keeping them back. But there's that. Then France is pretty good, but they could be better. There's all this stuff... Like the Dutch, they punch way above their weight. They've somehow managed to harness the talent that they have. They're a small country, they don't have the same resources as other people. They're not part of the Five Eyes alliance. They're part of an alliance, but not specifically Five Eyes.

With all of that, they've still managed to do remarkably well. They're just really good at the cyber that they do. Australia sort of carved out a niche as well in that their risk appetite allows for a bit more sort of offensive stuff by the state. If it's protecting citizens, then it's okay to be aggressive overseas. The UK, they don't have that same risk appetite. Then we have India... To me, it's really... No one's ever going to say that the Indians are bad at IT. You don't look at them, be like, "Well, of course they don't have good cyber, they don't have any good technical people." That's just not true. But somehow they don't have good cyber and I don't know what that is. And it's not necessarily for lack of a legal framework, it's not for lack of talent.

It must be political will or something. There's so much that goes into having an effective force. As you said, there's the legal stuff where you have to be ethical and within the bounds of... If you're a liberal democracy, you have certain values and you want to make sure that you follow those. Obviously Russia and China have their own things going on, so they've got strong cyber and because they're authoritarian, their legal frameworks... They are not our legal frameworks shall we say.

Joseph Carson:

Yeah. They are actually sometimes very conflicting in regards to what we would see as international norms, I would say. They are very conflicting approaches where in some cases it's fine to carry out criminal activities as long as it's not against our own citizens.

Grugq:

Right.

Joseph Carson:

They would actually give a pass and provide safe havens. But when they need them, I call them almost like the cyber mercenaries, when they need their help, they'll call for the help and they have to be at hand to carry out more direct instructions as long as they are given that pass. So it's very different. Everyone has to abide by the laws. There's a lot of exceptions in certain countries.

Grugq:

Absolutely. And China is similar in that they have a lot of companies that provide... They will get work farmed out to them. So when, I think it was in 2021, there was that Exchange bug that came out in January or so. So that was farmed out... JD Work, a friend of mine, was calling it a land grab. You've got a bug, all of these things are vulnerable, but you only have this short window of time so you need to get as many of them before they get patched and before someone else does. So they just farmed it out to basically companies that do offensive cyber for hire for the government. And that's not a thing that exists in the West really.

Joseph Carson:

Absolutely. Not in the same way.

Grugq:

Right.

Joseph Carson:

They have contracts. They have to abide by the contracts. There's a little bit of a different way of doing it. But yeah, the legal terms is definitely where we all have to adhere to the same legal framework and those countries, they get that pass. And it was interesting, you mentioned earlier about India. I completely agree. India has an amazing talent. The talent pool-

Grugq:

Absolutely.

Joseph Carson:

From pen testers and really passionate people. I think one of the things that when you talk about the political will and to take some of the risk, I think it sometimes comes down to having a central coordination, where you've got transparency, you've got coordination, you've got different government agencies sometimes working together. And also sometimes in each country, it depends where cyber sits. In the US they've got Cyber Command and they've got CISA and they all have their different functions.

In the UK, you've got GCHQ and then you've got the nice little cybersecurity center. So they have these different coordinations, they're responsible for different areas, but they cooperate really well together. The countries where I see sometimes that struggle is those where cyber maybe sits in the defense or military side where it just becomes a very military extension and not really looking... Because in the end, it does go beyond. It has different elements of it, whether it's into intelligence gathering, whether it's into criminal activities that target the citizens, whether it's targeting critical infrastructure and identifying weaknesses. So sometimes it depends really where the country's strategy is, where cyber sits in that overall government area, and that central cooperation of working together.

Grugq:

Very much so. And I think another part of it as well is what are... I'm not going to say the authorities because that's very American, but what is the remit of the intelligence services? What are they supposed to do? So if you've got the SIS and they're supposed to go out and do foreign intelligence, and I believe it's not just collecting information but it's promoting the foreign policies of the UK. They see covert activities and covert operations as part of their thing and it's all external and so they have no-hands internal and that gives you one sort of risk appetite and you expect a certain sort of cyber to come out of that. Whereas if you've got a domestic law enforcement agency, obviously they have a completely different approach to cyber and you need all of these, right? That's the great thing about cyber is you can't just do one, right?

Joseph Carson:

It all has to be coordinated together and everybody has to have some type of at least... Transparency and information sharing is really important. And that brings up an important topic. I really enjoyed the talk that you did last year in Tallinn BSides that really brought up... It got my mindset when... A lot of countries are doing open source intelligence gathering and it's also been done in society as well. Society's also participating in a lot of the social media platforms. I think it really triggered a thought in my mind, it was around, "When open source intelligence is good, when does it work? How has it been helpful?" And not just from a government perspective, but how citizens can be involved and how sometimes those, let's say, the motives or the results can be very conflicting? And when is open source intelligence bad? But before we get into the details, can you explain to the audience in your mind, what is open source intelligence? What is the method and technique and how do governments take advantage of it today?

Grugq:

So basically open source intelligence is like the intelligence process where you collect information, you analyze it, and you extract intelligence, right? Intelligence is the result of analyzing data. Raw data is not intelligence. So that's sort of an important step that's involved, that analysis phase. Historically, open source intelligence meant things like newspapers, brochures, magazines. If you were Sweden and you were doing open source intelligence on Germany's tank production or whatever, you would call up, say, Rheinmetall or whomever it was and say, "Hi, can you give us a sales brochure for your current tank?" And then you would collect that and everything that you knew about Germany's tank production would be based on maybe job ads in the local papers, et cetera, et cetera.

Joseph Carson:

Yeah.

Grugq:

The internet, it's completely blown that up.

Joseph Carson:

Accelerated, with both accurate information and misinformation.

Grugq:

Right.

Joseph Carson:

Now it's a case of you have to then decipher what is factual and what's not factual as well.

Grugq:

And there's just been some other amazing things like satellite imagery that's down to one meter per pixel.

Joseph Carson:

Yes.

Grugq:

Which is not even the good stuff. That was high end government super secret technology a few decades ago and now it's $20 per square kilometer or something like that. And you can get it for free if you want as well. It's just amazing. So the sources for open source intelligence have exploded. Everything now from database leaks, which we could call a gray area, but the fact is once it's out in the open and you're collecting intelligence-

Joseph Carson:

I've had my hand slapped a few times for connecting specific databases to each other. And the way it was referred to me was it was creating a new breach by having an index of multiple data sources together. So I've had my hands slapped a few times and told not to go down that path, don't do that.

Grugq:

I'm not advocating any illegal activity of course but hypothetically we could say that there are people out there who are a little bit closer to the line. Bellingcat, for example, actually purchases databases from Russia that they then use and I think that blurs... The open source where you go out and you specifically collect from data brokers... So one of the ones I had was from Belarus and I know that what happened was that the cyber partisans had hacked the Belarus... They just hacked everything, but they took the database from immigration that had the passport numbers of people across borders and they gave that over to Bellingcat and that was used to expose Russian illegals where they're able to match up passports and names to trips that went to Moscow and all this stuff. I mean it's open source in that it's been sort of public and how you've gotten it, but it's a bit closer to...

Joseph Carson:

It's one of those areas that can highlight a lot of really interesting kind of data once you correlate it with other things. Absolutely. Even the Bellingcat book was fantastic, the recent book that they released. It was really insightful into a lot of the techniques and a lot of the risk that people took as well in getting it that ultimately highlighted... We're operating in that gray area where it actually highlights a lot of even war crimes and criminal activities. Some people take a lot of risks in order to get ultimate justification, bringing other serious crimes to closure because sometimes that's the motivation, is bringing closure to some serious catastrophic events.

Grugq:

Right. And I think that that's one of the interesting differences between, as you were saying, the public open source, public OSINT versus... Well, I guess the government is also public OSINT in a way.

Joseph Carson:

Yes. Yeah.

Grugq:

So the private OSINT, that's done in the public and the public OSINT, that's done in private. But anyway, the difference there is sort of the intent and the motivation. When the government is doing it, a lot of times it's not even so that they can act, it's just so that they could know what's going on and decide if they need to act later on. So they may know things and they don't see why they should do anything about it. It's worth knowing and they like knowing the truth, but they're not going to prosecute someone or they're not going to start an international incident. So they're done. Whereas for the public, a lot of the time it's very different. In Lebanon, when there's a gigantic explosion, we think that there's public interest in exposing all of that, even if nothing ultimately happens. Which seems to be the case now unfortunately. But there's value in just having the truth out there, that transparency. And transparency is not always a thing that governments are super inclined towards.

Joseph Carson:

Being based in Estonia, that's one thing I really enjoy about the society and state here is that the government is doing everything they possibly can. They see themselves as service provider, so they're being transparent as much as they possibly can to the citizens. But not all governments operate that way. Not all governments want to and not all citizens want it as well.

Grugq:

Right.

Joseph Carson:

Not all citizens want that transparency. They just want to be able to live their lives and not have to worry about the ways that governments operate.

Grugq:

So the Estonians are the ones I believe who put out a yearly intelligence summary. Their intelligence agency writes up this booklet that they put out in-

Joseph Carson:

I have a bunch of them behind me here.

Grugq:

As soon as they come out, I sit down and read them. It's great. Obviously they're limited in what they can say, but it's always so amazing when they're like, "And here is someone who worked for the KGB and then he started working for us and then he was contacted by one of his ex..." And it's just, "Wow, I love all that stuff. It's great."

Joseph Carson:

One of the things I also like is where they actually have coordinated it and aligned the increase in certain types of attacks to political events and news information or elections and moving of statues, how they coordinate all of that and show, "Here's the spike when we made this decision and here's the types of attacks that happened and here's what the origin is." It's really insightful because it really shows you a lot of the methodologies and the techniques that are used. Sometimes, again, it's those, let's say, the hacktivism, so you do get hacktivism happening, but in a lot of cases you also can relate it back to government operations as well.

Grugq:

Right, right. Basically, I think other agencies should do this. I think that there's no reason that CIA and SIS and GCHQ... This sort of information is great. It highlights operations that have been successful. It reveals some of what happens behind the curtain and not in a, "Here are our secrets," but more like, "We are a government agency staffed by civil servants. We have to work nine to five and we have holidays and we're doing a job. We're not some weird, scary, fly by night, shadowy organization."

Joseph Carson:

And it's interesting as well. Europol has also taken a big step in doing this as well where recently, they're more proactive in releasing some of the campaigns that they've done. What was the last one? It was the Cookie Monster campaign, which took down, I think, the Genesis Marketplace. And CISA in the US has also taken a very proactive approach as well where they're now trying to release information enough ahead of time so people can make informed decisions about protecting themselves. So there are those elements and I think it's fantastic because I think for me transparency is so critical because when you know, it allows you to make informed decisions, versus not knowing means that either you don't know that your data's compromised and your systems are compromised or that they're vulnerable. So it's really important to be able to take those proactive steps and make decisions sometimes yourself.

Grugq:

And I think it's particularly useful for... We talk about the security poverty line and stuff like that. If you have your dedicated security officers or your security staff, you're probably a lot more aware of what's happening than the majority of places who just don't have anyone. They've got your friend's kid who comes in every week or not even-

Joseph Carson:

Exactly.

Grugq:

He came in that one time, he set up the computers, and now it just works.

Joseph Carson:

The guy or girl who actually came in and knows a bit about computers helped me set up your business.

Grugq:

Right.

Joseph Carson:

And there's so many businesses, there's the hair salons, there's the mechanics, there's the paint shops, they don't have those dedicated staff and those are the ones... I've seen people's businesses where it was a family business and all of a sudden, they become a victim of ransomware. And it's not just the business, it's an entire digital life. 25 years of all pictures and family photographs, all basically encrypted. And you're just sitting in that situation where you're trying to determine, "Okay, how do we help them? How do you get their lives back?" Because it's not just a business, it's pictures of family members who may have passed away 10 years ago and that's the only evidence you've got that they ever existed. And it's tough for people. And to your point, majority of businesses are a lot of those types of business where they have that one person who they rely on for being not just the tech person but also the security person.

Grugq:

To me, I always find that so fascinating because the world that I live in, it is security stuff. I have a lot of different laptops because I isolate by what I'm doing with them. I'm going to school, so I have a school laptop and I'm doing a report for someone, so I have my consulting laptop and here I'm on my podcasting and access to the internet laptop. And so talking with people who have the computer and it's got their games and they look at porn and they run their business and it's all on the same thing, and to me, I have a heart attack.

Joseph Carson:

It's a scary thought sometimes. We have come from that same background, very security minded in everything we do, but ultimately I always find it's the society around us that makes us secure as well. I can take a lot of the procedures and measures to reduce the risk as much as I can, but ultimately it's the society... The people you interact with, the people who have your contact details on their devices, if they become breached, what can you do?

Grugq:

And they don't even need to be breached, they just need to install an app from an app store anywhere and all of our contact details have been scraped since the dawn of the iPhone essentially. It's too late now. There's no getting it back, it's gone.

Joseph Carson:

We have to operate as knowing that it's out there. And then it comes down to knowing what can that data be used for, what's the potential of abuse of that data. That's where we have to start being proactive in is looking about when that data's being abused and how to be notified. And it's a very challenging... To your point, it's absolutely right is the data's out there and if every government has access to it and even criminal organizations have access to it, so now it's the case of, "How do we make sure to limit its impact and abuse?"

Grugq:

Exactly. And so that's an important point actually that I would bring up, which is that a lot of security, it's less about not getting hacked or breached, it's more about impact containment. A bad thing is going to happen. How do I make sure that it has the least impactful damage possible? Trying to structure things. And as I was saying, I've got a lot of different laptops. That's because I assume they're going to get hacked. So if the one that I do work that I think is sensitive on gets hacked, that's bad. But I treat that a lot more securely than the one that I do this sort of thing or where I do Twitter and everything on. And it's because if those get hacked, then at least the things that I treat more sensitively are not exposed. And that's the impact containment and that's the compartmentalization of things. And it's very expensive. Not in terms of... Well, I mean buying laptops is expensive, but it takes time and it takes effort.

Joseph Carson:

Time consuming, absolutely.

Grugq:

Right. And you get lazy and it's, "Do I really want to get up and go and turn on the other laptop?" Or, "I'll just do it here once quickly, it won't be a problem just one time."

Joseph Carson:

Yep. No, I completely agree. And it's a process that I do personally as well. And it's not just about also containing the impact, but it's also about resiliency as well. I know that even it's ridiculous for me, I've got so many email aliases to the point where when I see something being targeted with phishing, I can almost identify the origin of which organization where I use that email to subscribe to... Because I have broken it into, to your point, is impact emails. It's one for communication, one for subscribing, one for traveling. And it's that containerization where I've got to the point where when I see all of a sudden something coming through, I'm like, "Huh, that's interesting because only these types of places have I actually used that email address on." And it really allows you to start knowing where some of the risks are as well. But also means that if those emails are ever compromised, the impact to them is very limited or already isolated.

Grugq:

Absolutely. So I have a similar approach and I detected a phishing email because... It was quite good and I was reading through it and I was like, "Something is slightly off." So I took a few minutes and when I looked at it again, I'm suddenly like, "Wait a minute, this is the personal email address I use for friends. My bank doesn't know this. There's no way my bank could email this address because I use a different one with them. Something is wrong." It's not the sort of thing that normal people do unfortunately.

Joseph Carson:

They're getting very difficult to tell how authentic they are looking. I really thought the recent phishing campaigns that show that there's suspicious activity in your account, log on attempts coming from Moscow, and people will be like, "Whoa." They'll click on links and try to log on to see what these activities are.

Grugq:

Yeah.

Joseph Carson:

But ultimately that's the phishing campaign itself, to scare you, and to get you to click on it rather than you seeing it and then going, "Well, let me go and log into the place that I typically log into and check it from there and see if I'm getting alarms." Some people might not have that mindset, all of a sudden they just get... It's a fear and they know that sometimes time is sensitive and they have to respond very quickly.

Grugq:

Well, that's behind quite a lot of phishing attacks. Same with the Indian call center scams where they'll say, "You've bought Norton and if you want a refund you have to call us." Some people are like, "I don't want to get charged $600. I better call for a refund." And they keep this time pressure on so you don't have time to think. So that might be one of the big takeaways.

Joseph Carson:

Yeah, the financial fears.

Grugq:

Yeah.

Joseph Carson:

So one of the questions-

Grugq:

Take five minutes to think.

Joseph Carson:

Yeah, yeah. I always say the 30-second pause. Just take the 30-second, sit back and think about, "Is this something I was expecting? Have I seen it before? Is this the first time I've seen it? And do I know the original source? Am I thinking with that bike?"

Grugq:

Yeah, it's just going through that-

Joseph Carson:

Just take a pause.

Grugq:

Yeah. If you're panicking, it's probably induced. There's almost nothing that has to be solved this exact second that you're going to find out by email. That's basically not going to happen. So try not to panic.

Joseph Carson:

Absolutely. I always say that the 30-second timeline can make a big difference.

Grugq:

Yeah.

Joseph Carson:

So I've got a question for you. I've seen a lot of times where if you get into... Even looking and reading the Bellingcat book and a lot of those are the great ways that are showing how in open source intelligence has been really successful. Is there any cases that you see where it's been bad? When open source intelligence can go wrong? Because I think there's the good and bad, there's the good about getting transparency and finding truth where open source intelligence can also cause problems, whether it be political or... Whether, for example, I think closing the door for real intelligence gathering. Sometimes the hacktivists and those who are just trying to help but sometimes are causing challenges for the real intelligence gathering. When can OSINT go bad?

Grugq:

So just before that, I'd quickly say one of the ways that OSINT did really well I think was in February of '22 when Russia was trying to do all these false flag attacks and they were being debunked in real time with evidence. And I think that's where OSINT by the public can absolutely shine because the credibility of a random Twitter account saying, "I've geolocated this to here," that's actually a lot higher than if the New York Times says, "Officials who have asked to remain anonymous because they're not authorized to speak to the press have said that, 'We've geolocated that as a false flag attack.'" That has no credibility compared to a JPEG with some colored squares on it by a random-

Joseph Carson:

Yeah, I've seen it. That's impressive, the speed. Even on Twitter, I like the OSINT challenges. I like, "Here's a random picture. Where am I?" And I love those. And for me, the speed of some people, I'm just like, "Whoa, how do you-?"

Grugq:

It's so good. Yeah, so there's that. But I think the area where the sort of public participation in intelligence collection, it can go very wrong when there's something sort of active that's happening. And it's not even a case of too many cooks spoil the broth or anything. It's very much that if a service is trying to do a set of operations, so for example, if Rotenia invaded Yugestan and Yugestan was very interested in knowing what was going on in Rotenia, but then everyone was like, "Hey, let's go hack Rotenia because they're doing a bad thing," Yugestan would be fucked. They would be screwed over because all of their operations are now being stomped on by randos who have got no connection to them at all.

If there's a lot of public notice of this as well, if there's a lot of media attention of, "Everyone is participating, they're all hacking, this is great," the people getting hacked are going to increase their security because people are yelling at them, "Hey, we're coming to hack." That tends to be a good motivator to become more secure. And so that random example pulled out of nowhere, that has no relation to events that may or may not have happened in the last year, that's a real problem. If there are people basically getting involved and telling everyone that they're getting involved, you're alerting the people that should be kept in the dark as much as possible.

Joseph Carson:

Absolutely.

Grugq:

Anything that you do can't actually be exploited by the people that need to exploit it. If you conduct an operation, you steal a bunch of data and then you leak it publicly, a huge amount of value that that had is now lost for a number of-

Joseph Carson:

They're closing the door, they're changing the information in real time, they're trying to mitigate the impact of that data being disclosed. I think the difference between noisy OSINT and stealthy OSINT, sometimes you need to have some type of at least operational integrity or centralization, kind of control, and I think when the public are doing it, it's not very stealthy, versus when a designated agency or let's say members are assigned to doing it, stealth is of the utmost importance. So sometimes it's the difference between that.

Grugq:

Right. I mean it can also just be things that are hard to quantify, but tasking. So if you are in an agency and you're doing an operation, it's because you're trying to answer specific questions that have been given to you and those are questions that need to be addressed. Someone has said, "What is the tank output of this factory? And what is the shell production and then the logistics throughput for one month over these train lines?" Just things that are important. But if you-

Joseph Carson:

Fuel supply or food provisions, a lot of those details can make very important military decisions sometimes.

Grugq:

And even stuff like, "How full are the hospitals? Did they do a campaign and thousands of people have been injured and they're going to run out of beds and space and so they're going to have to stop because they just can't afford it anymore? Or do they have so much extra space that they can keep going?" All sorts of just things that don't necessarily occur to you as a civilian are important, but say that you go into the places where that information is located and you get something else. You collect all of the emails because maybe there's going to be something scandalous in the emails. And so when you leak that, you've collected information that is not useful to addressing the questions that these people have, but worse, you have cut off any access that they would've had to the actual information that they need.

This is an important thing. When someone is tasked with doing something, if you are an agency and your job is to read the emails of the Kremlin, that is your job. Even if you get caught and you get kicked out, you still have to go back and read the emails and there's only so many places you can read their emails. They don't have an infinite number of email servers. And so after a while, they're going to start getting a sense of what you're trying to do and it becomes a lot harder for you to operate because they now know, "Well, if we think something's fishy, the first thing we need to do is check our email servers because that is where we always get hit."

Joseph Carson:

So the central source. If it is coordinated, it is definitely the top target.

Grugq:

And so when the people that you're targeting, when they start learning your trade craft and your behaviors and your operational techniques and stuff, it becomes harder and harder. You either have to retrain or you need to do other stuff and there's a practical limit in that you can change up your malware, you can get new techniques and stuff, but you still have to hit the same email server. At some point, there's not much you can do. And so the difficulty here that I'm getting at is that if someone else who is not affiliated with any of these things comes in and starts poking about and they do the same sort of attacks, they generate the same reaction on the other end. The targets start learning, "These are things we need to worry about because this is what's interesting to people."

Joseph Carson:

And this is the history of what we've been doing in security all the time for many years. It's looking for those indicators of compromise and it's looking for those techniques, and the bulletins for AV were one of those things. It was done for years, looking basically at what file is changing, what the process names are, and then creating those bulletins to be updated so that the next time you are targeted, you can prevent them. And it's true to your point as well that when you've learned a way of doing things that's been very successful up until that point in time...

And that's one of the things that we missed at the beginning: this is always continuous learning. We have to evolve every single time. So once you find that that technique is no longer of value anymore, you have to evolve it, you have to change it. And sometimes that might be bringing in new skill sets, sometimes rotating the people. I think that's why probably a lot of governments might be looking to outsource to cyber mercenaries or criminal gangs, because that's one way of changing the techniques and changing the way of doing things very quickly, rather than using your own direct people and resources.

Grugq:

And it's cheaper in a way in that you don't pay procurement costs and you don't pay for the testing, you're just paying for an end product and that's-

Joseph Carson:

For the result.

Grugq:

And if that doesn't succeed, then you'll probably pay something but not as much. And so there's all that.

Joseph Carson:

I guess also you could separate it across multiple different groups so they don't even know what they're participating in as an entirety. They only know that they've got one specific thing that they're working on in a larger campaign, and that might then be rolled into other groups' activities as well. So you can also limit the knowledge of those who are actually participating in it.

Grugq:

Yes. Yeah, so there's some security risks of having outsiders, but then you can get security back by doing compartmentation and limiting people and other things. Yeah, so it's funny because there's sort of two sides of it. On the one side from a defender point of view where we want to say, "Yeah, you need to find an exposed campaign so that we can learn the trade craft and we can stop them being able to use these things again," but then on the same defender side, the guys doing stuff that we agree with, people doing counterterrorism and counter child sex abuse stuff, when they're doing operations, if we expose them, then they have the same costs that we try and impose on the adversaries. So exposing Russia is one thing, but exposing like an FBI operation against child sex abuse stuff, that's something else.

Joseph Carson:

Human trafficking and just tons of different other criminal... That's one of the things is there's so many different criminal activities in cyber. It's not just what's in the headlines today. There's a lot of nasty things that happens in the background that a lot of these criminal gangs who are... It could be years of work as well and-

Grugq:

Absolutely.

Joseph Carson:

Lots of different corporations.

Grugq:

I think this is from the UK's cyber doctrine thing, one of the things that they bring up is that there's so much integration of cyber and digital stuff into everyday life that people doing criminal or terrorist or whatever activities that we do not like, they're going to have to use cyber. People are not sending letters to each other, "Dear sir, to whom it may concern, I'm prepared to do drug deals with you. Let me know." It's like that doesn't happen. They're all doing things with computers and that means that they are vulnerable to offensive cyber operations and those offensive cyber operations operate in the same way as all of them, the ones that we don't like and the ones that we support. And yeah, it's interesting. On the one hand, it's like, "Won't someone think of the cyber operators?" And on the other hand, it's like, yeah, you get people with this huge chip on the shoulder, basically all hacking is bad.

Joseph Carson:

That's a challenge.

Grugq:

That's a huge political... Yeah.

Joseph Carson:

It's a shame because hacking itself is a curiosity and unfortunately it's been put in from a... It's a criminal, malicious person. But to be honest, majority of people I have come across in the industry in the world, they're people with good intentions and motivations. I always put context about ethical, it's the motives, it's the curiosity. Putting context around hackers, majority of them are good and they're all trying to make the world a safer place and they're all trying to do what they can to help, to make sure that a lot of organizations are protected, and that sometimes vulnerabilities need to be disclosed because the organizations are refusing to do the right thing and a lot of them put themselves at risk in doing so.

Grugq:

Yeah.

Joseph Carson:

A good question just to sum it up and bring it to a close: for those who are listening in, working with OSINT or maybe even involved in some of these types of operations, what type of advice would you give them? What would be a good place for resources to improve your OSINT skills? I know Bellingcat has courses. They're doing these courses yearly that provide open source intelligence skills, which I think is fantastic. Are there any good resources that you go to, that help you, that you'd recommend the audience look into?

Grugq:

So yeah, basically there's Hunchly. I don't know what the company is called because they've recently been acquired by someone and so they're under a slightly different name now I think. But they do training courses and I think that a lot of the sort of tooling that you get is stuff that just... Take screenshots when you visit a website and keep a database of all the links that you've gone to and then be able to search it and it's really basic stuff. But when it's done well, it works excellently and the people who are behind it, they're good people. So I guess that's what I'd recommend. There's a new one, Vortimo. I'll send you a link so you can put it in the show notes.

Joseph Carson:

If you can send the links, I'll make sure we'll get them into the show notes so that it makes it easier for the audience. Absolutely.

Grugq:

Yeah. And so the guy who invented Maltego... Again, it's another OSINT sort of-

Joseph Carson:

The Maltego tools are fantastic. The frames, I sometimes find I get a little bit lost in them. But the great thing is there's a lot of templates, and there's also a lot of API integrations that can now expand the sources. But absolutely, once you get to know how it works, working with the templates is impressive.

Grugq:

You can enrich data and everything. Yeah, it's great. So the guy who invented that, he's got a new product now, Vortimo, and it's the same sort of thing, but when you browse, it does all of this matching against stuff and it extracts phone numbers and email addresses and URLs and all this and then starts linking it together and creates dossiers and all this stuff already. And yeah, it's kind of amazing for doing online research. It automates a huge amount.

Joseph Carson:

Yeah, I think one of the more important things that you mentioned is taking notes, just documentation. I think that's some one of the most under... Focus on prioritizing the things that we can do. And for me, I'm always looking to improve my note-taking, always looking to improve how I document things, trying to... But I think that's one of the things that we can all probably do better at and maybe learn from those who do it really well is just documenting it so well that it's easy to search, it's easy to find, that you can go back to what... When I'm going through my notes, I do a lot of gamification sometimes and I go back and I'm reviewing one of the boxes I did or one of the CTFs and I'm going, "I wish I could capture my mind and what I was thinking at that point in time." That's the one thing I'm not very good at note-taking is what was my mind thinking when I actually went through that process.

Grugq:

When you sit there, and you're like, "Okay, this is so obvious. All I need to do is put down this one word and it'll trigger the entire memory castle that I've got to..." You write down orange giraffe and that encapsulates everything. And you're looking at and you're like, "How could anyone not know what that means?" And six hours later, you're looking at it, you're like, "Why the hell would an idiot write down two...? What was the thinking?"

Joseph Carson:

So that's where I wish there was a solution for now. So if any of the audience is thinking about... I think it was Graham Cluley who was talking about one a while back, I think it was Rewind, or just kind of recording your screen activities.

Grugq:

Okay.

Joseph Carson:

That's interesting. But I think if I could get what I was thinking about in my mind, that would be a great note-taking tool. It's been fantastic having you on. This is really insightful, and I think for the audience we haven't had a good OSINT episode to date, talking about how governments are taking different approaches. So many thanks for being on the show, and it's been fantastic talking with you. And if you don't mind, you're... most easily findable on social media, so we'll make... if anyone has any questions, how to contact you. So any final words of wisdom you have for the audience?

Grugq:

Yeah, I guess the important thing is that cyber is so big that you could do whatever you find interesting and it's bound to be within scope. I mean that's what I've found. Over 25 years, I've changed careers a lot and I'm still doing cyber because I love it.

Joseph Carson:

It's a big field. I can't really believe how many different roles and skill sets and what it's broken off into... I remember, just like when you were saying you were back in the late nineties, and when I was starting, it wasn't even a field, it was something you did in addition to your day job. It was like I installed the ID and deployed these machines while I was going and maybe training on Windows 95, rolling out some new tele-type application. It was something you did in addition, but now it's exploded into such a wide variety of skills and knowledge, which is amazing. This is an industry where, even when we have a lot of automation coming in, there is still a good amount of things that we can do that isn't automated yet.

Grugq:

Absolutely.

Joseph Carson:

So again, excellent. Thanks to you.

Grugq:

Thanks for having me.

Joseph Carson:

It's been fantastic and it's been a pleasure, and all the best. And for everyone again, this has been a great episode. Definitely tune in every two weeks for the 401 Access Denied podcast, and hopefully this was valuable and you learned a lot from today's session. So again, many thanks to the Grugq for being on, you've been an awesome guest, and everyone, stay safe. Take care. Thank you.