
How can researchers keep up with all the changes in the OSINT landscape? From AI to constantly shifting social media platforms, Neil Spencer from LifeRaft gives tips for how to adapt and optimize your OSINT practice.

Key takeaways

  • How AI has evolved
  • Massive shifts on social media platforms
  • Threat verification

About Neil Spencer

Neil Spencer is the director of market strategy and partnerships at LifeRaft. With more than twenty years in the security industry, Neil has worked with both corporate and government clients to implement technology that addresses the evolving threat landscape. His work at LifeRaft focuses on leveraging the wealth of online data sources, trends and new technologies to enhance threat intelligence in the security sector.


Jeff Phillips
Welcome to NeedleStack, the podcast for professional online research. I'm Jeff Phillips, your host.

Shannon Ragan
And I'm Shannon Ragan, producer and co-host. And today we're discussing tech and world events that are shaking up OSINT researchers' lives.

Jeff Phillips
Yeah, and joining us for that discussion is Neil Spencer. He's the Director of Market Strategy and Partnerships at LifeRaft. Neil. Welcome to the show.

Neil Spencer
Hi folks, lovely to be here and thank you very much indeed for having me.

Jeff Phillips
Super excited that you're joining us. Now, for our listeners of the show, they may be familiar with the LifeRaft name. A few weeks ago, we re-broadcasted an episode from the LifeRaft podcast. Talking Threat Intelligence is the name. They were kind enough to have one of our product managers actually our director of product management, Daniel Ben-Chitrit on from our organization to talk about the impacts that ChatGPT is having in the security space. Kind of piggybacking on that, maybe let's look at it from another perspective a little broader. Neil, how are you seeing AI impacting the OSINT space overall?

Neil Spencer
Yeah, great questions. AI and OSINT isn't a new concept. AI has been used with OSINT for years now, so I've been with LifeRaft for six years and even at our formative stage, we had a level of AI in the platform. And it's really how the technology has evolved over the years. So that, I think, is key and quite frankly, how it has become so commercially available. These large language models that used to be very bespoke, very specifically, sort of intrinsically in house built language models, now almost anybody can use. So it's really taken what is something that was very specialized and essentially the purview of either very large organizations or the likes of the defense and intelligence sectors and turn that into a tool that anybody can use. And that's the beauty of its translation into OSINT. The beauty of OSINT is anybody can get it. That's the nature of OSINT, really. It's taking that and it's a 10x multiplier, if not 100x multiplier for the information that can be collected. And I can talk to some of that bit further. But yeah, it is not a new concept. I suppose it is a concept that has evolved, grown and now is becoming ubiquitous because of the way that the technology has shifted and the likes of ChatGPT, et cetera.

Shannon Ragan
Yeah, I think it's interesting. There's been such hot focus on ChatGPT for the last several months, but generative AI has been around for a long time now. Are you seeing or what is your perspective on maybe some of the more image generation or almost deepfake style tools, Midjourney or some of the video tools, and how that's impacting OSINT?

Neil Spencer
Yeah, certainly. And you look at the likes of Midjourney, you look at just how quickly people can create images. If you type a few prompts, deepfakes are obviously something that is on the horizon. Not even the horizon is really becoming a real threat these days, sort of be it to create social engineering attacks from a fraud perspective. So if you're sort of impersonating a CEO or another individual within organization, what can deepfakes do to persuade, influence and potentially gain access to systems, or influence individuals to open up access that otherwise they wouldn't have if you didn't have somebody's face sitting there? And then you look at the likes of images with the lens of brand protection, et cetera, creating fake images with generative AI techniques opens up a new realm of maybe you start to put brands in negative situations that otherwise wouldn't have existed. It's something that is certainly a challenge. Again, if you go back sort of in those time frames two years ago, and you look at sort of deepfakes and sort of things coming on the horizon there and now, fast forward is a very prominent challenge that's facing security practitioners.

Shannon Ragan
Yeah, it didn't take long.

Jeff Phillips
But one thing on the good side, I think you mentioned there's so much information, but then, as compared to the offensive side of AI from a cybercriminal perspective, the side of using it for good in terms of summarizing and reporting and sifting through all of that data. Right. So it's got some of that benefit for the OSINT analysts.

Neil Spencer
Yeah, huge. And I think it would go back to that thought process of now it is AI for the people, if you will, AI for organizations like ours. Again, we've had AI in our platform, but the likes of OpenAI, these large language models which are so now freely available. Again, I'll use that term sort of 100x multiplier as far as taking the ability to summarize and understand quickly and easily a vast amount of content and turning that into ugly, tangible takeaways. Now, it's not a silver bullet. And I think people have to remember that when people say AI, it solves all of these problems. We are always conscious to preach in the LifeRaft house that AI is no substitute for an analyst. A good analyst will always provide the so what and the depth of context that AI just doesn't have. So AI is phenomenal at, as you say, sort of taking vast amounts of information, potentially connecting dots that otherwise an analyst may not have been able to see, or may have just taken them longer to see. But AI is great for elevating that. But it's really the human analyst layer, or a human in general, a subject matter expert that can look at the content that AI has serviced and then add some so what to it, add some context to a certain extent.

Neil Spencer
And AI can help with this as well. But the what's next? So when we look at our customer base and corporate security teams. It's detective threat. Here's what type of threat it is, here's why it matters to you. It's for the human analyst to understand realistically, based on these parameters that I'm seeing, where do I go next and where do I go next in the playbook?

Shannon Ragan
Yeah, I thought it was interesting when we were talking about the speed of evolution of these types of tools. And recently I've been thinking about the history of OSINT has always been adaptive adapting to changing landscapes. Just the advent of the internet and search engines. There's this issue of trust and verification, like at every turn. This seems to be the next hill to climb in keeping up with this ever evolving landscape. I was thinking of other things that are forcing adaptation or changes in practices. Is the upheaval in the social media space. Platforms are changing, access to platforms are changing. What impacts are you seeing in changes within the social media sphere on OSINT?

Neil Spencer
Yeah, absolutely. And a bit like AI, although in this instance, it's potentially for the negative, depending which way you look at it. There are threats, opportunities on both sides. But again, the sort of landscape has started to shift over the years. But if you go back five, six years ago, there were the constants, there were the Facebooks, now Metas, of the world, even beyond that, and you've got the Twitters of the world, then you move into the Instagrams of the world. Slightly newer platforms on the block, fast forward. And especially kind of when you come into the world of let's cast minds back to the 2020 elections, the fragmentation of the OSINT space became prominent, even though a lot of these platforms like Mastodon, et cetera, were there. And about sort of prior to that time, suddenly there was this massive shift and new platforms coming seemingly online overnight. So the Parlers of the world, Parler suddenly became the number one downloaded app in the App Store, and indeed in the Google Play Store. Gab again, go back, that existed...2012 sort of Pittsburgh synagogue shooting. That manifesto was posted there. So again, fast forward.

Neil Spencer
It's not a new player on the horizon, but it starts to be brought to prominence due to those shifts in the political stage and so on and so forth. So that's kind of some history. You fast forward and it continues to shift. So the most recent example of that, well, Twitter's changes, change in management, et cetera, people start to want to explore other platforms again, we saw the rise in the likes of Mastodon there, people shifting like Gab. Parler now doesn't exist. The number one app no longer exists. As OSINT practitioners, part of the struggle is understanding where the threat landscape is going to move to and how to monitor that and how to keep on top of that and then fast forward again. So Meta, Zuckerberg and Co, quite rightfully, see an opportunity. No slouches. What can we do for an alternative to Twitter? Well, let's create Threads. Threads went from, what, 10 million registered users in the first week to, I think sort of 40 million plus in its maybe even more than that, 44 million at its peak today. There was an article that came out that they've lost 82% of that.

Neil Spencer
Even with those large, prominent players in the market, people will shift and people sort of go to and from Twitter and to and from main. Some of these main platforms in the market will persist. Threads, if you fast forward two years time, does Meta & Co decide to actually, that's not a good platform to use. So does that disappear like Parler did? Yeah. To summarize, the landscape is eternally shifting and as practitioners, it is tricky to understand, know what content is, where, and especially where you look at decentralized platforms like Mastodon, come back to Mastodon. But also the value there, I haven't touched on Reddit. If anybody who follows Reddit is going through its own shift at the moment, they're trying to commercialize it. And obviously some of the APIs that were made available, they've changed the format in which those are available, et cetera, et cetera. So there are challenges throughout and that poses challenges for threat detection, where it's going to look at it. But also from the investigative piece, just if there is a threat that's detected, how do you best understand what that threat is and where they are? Potentially where that threat is emerging from those platforms?

Shannon Ragan
I was just going to say maybe not the nature of change is anything new, but certainly the speed of it now feels a bit dizzying.

Neil Spencer
Absolutely.

Shannon Ragan
Good luck out there.

Jeff Phillips
Well, I was going to bring that up. Kind of expanding on that when we say threat detection, right. So that threat could be a lot of things, like if I'm someone on the government side and looking at nation state type things, I may live and breathe these social media platforms and keeping up with all those changes versus if I'm a cybersecurity or you mentioned like a brand fraud type person there's, keeping up with all these fringe social networks, are they valuable to me? As well as other things change, like X change, where you can't log in without a profile. So that gets really difficult, too. What's valuable to me if that's not my core job? I mean, I need to use it, let's say, in the cybersecurity world, but I'm not living and breathing necessarily looking for cyber threats there. Maybe I should be and how do I know which ones and when? Maybe I look at tools to do that for me, or type of a scenario. Right. I can know the big ones, but all these fringe ones, are they valuable? That seems to me really difficult for the cybersecurity analysts.

Neil Spencer
Absolutely. And without hammering on the LifeRaft drum too hot. That is essentially why we exist as a platform. Our goal, our mission is zero missed threats. So is really our day to day job to make sure that we have a good understanding of what these landscapes are, where they're shifting, how potentially we can collect data from them. Are they publicly available APIs? Do we have to look at other options and then surface that up in a platform that users can understand? I mean, I am always conscious to point out again to come back sort of full circle OSINT. If you're an OSINT researcher, if you're a really good OSINT researcher, you know how to access a lot of these platforms. Can you do it at scale? That's where the challenge comes in. And if you're not know, we spoke to corporate security sector. Corporations will vary in their level of OSINT analysts and analysts at large, they have on their team, on their security team. Does everybody going to have a minute understanding of every single social media platform? Or indeed, let's broaden that outside of social media. Let's go to deep web platforms.

Neil Spencer
Let's go to dark web platforms. How do you make sense of that vast landscape? How do you collect data? And I think to your point, Jeff, how do you make sure that when you do, if we go for the name of the podcast, when there is that needle in the haystack out there, how do you find that needle in the haystack? And I think where you folks at Authentic8 come in, how do you then potentially know... our platform is so often a detection and validation tool. Very important part of the workflow. Sometimes you need to jump out of our platform and into the native platform to really dig into something. And that's why we have partnership with you guys where it gives you that next step of, okay, we can still do this in a safe environment. If we need to step out of navigator in our instance and go and explore in the native platform the threat, what it means, a little bit more about the context and things like the Silo browser. That's where that really comes to the fore.

Shannon Ragan
Yeah, I think the nature of the AI discussion, generative AI in OSINT is just so much on time saving of like, if I am going to sit down and actually do my human backed research, where do I begin? How do I maximize my efforts to the best of my abilities and what tools do I use to do that?

Neil Spencer
Absolutely.

Shannon Ragan
I was thinking, too, with AI and social media and bad actors, that it just seems like such a ripe time for misinformation, which I feel like maybe we've just been saying that endlessly for the last six years, but it feels like now it might be really bad and there's a land war in Asia. Or in Europe, I guess. Yeah. So this perfect storm, I guess how is the maybe let's just focus on the war itself. How is this disrupting OSINT? Or I feel like it's being felt in all corners of the world. It's certainly being felt in the OSINT sphere.

Neil Spencer
I think, and I wish I could attribute an individual to this quote, but I've heard the phrase where the Ukraine Russia conflict is the conflict of OSINT. It's the dawn of OSINT as far as sure, if you go back to recent conflicts, et cetera. You had if we look at Iraq, Syria, Islamic State stuff, so forth, Telegram was their platform of choice for posting our content, but it was their content. So they were controlling the narrative really. Information from the ground was still relatively limited. You fast forwards and you look at Ukraine Russia all of a sudden Telegram being a relatively niche platform, and you two both know it well for being a treasure trove of cybercriminality and so on and so forth from there. Now, something like Telegram is the platform of choice for government communications, for getting some ground truth on, sometimes ground truth depending on who's posting. And this is where it comes back to sort of good OSINT acumen of, okay, we know that there is a good, valuable source of information here, and in this instance it's Telegram. But we have to understand that there are both good actors and bad actors out there.

Neil Spencer
There are those that are journalists that are going to be truly giving you on the ground information from bomb strikes to troop movements, especially in those early days, there was some incredibly valuable information in Telegram in comparison to the likes of Twitter. Twitter was still quite newsy in the sort of opening days of the Russia-Ukraine conflicts. And then sort of fast forward, I say fast forward. So yeah, Twitter was quite newsy. Telegram was giving you that very, very good granular insight as to what was going on. Then, you know, again, you fast forward and just the sheer volume of content. And if I come back to my earlier statement that it is the conflict of OSINT, it is the dawn of OSINT, anybody can go on again...Reddit, Twitter, to a lesser extent things like Facebook, but it's all there for people to see. If you want to spend enough time and effort going into those places, you can huge amounts. And I think that again, is indicative of just the sheer amount of data that's out there. The Ukraine-Russia conflict sort of is a magnifying glass for that.

Jeff Phillips
What I was going to say was spanning out a little bit again, to more like geopolitical. So again, we have lots of listeners that are into the nation-state side, but if I go back into cybersecurity, these geopolitical events are impacting me, even if I'm in a SOC now due to the types of warfare that are going on, right? So it's something more now I have to pay attention to geopolitical events. As a SOC analyst, in addition to the shifting landscape of social media platforms, what happened to just let me monitor my firewall logs? Right? So there's just tons and tons, like I have to care about geopolitical events because of what they might be doing with malware and whatnot.

Neil Spencer
Yeah, absolutely. I think two points on that, Jeff. One is in the corporate space, we're absolutely starting to see sort of this fusion of physical and cyber because the two are hard to separate. So I can think of a few of our customers that have those fusion centers. Historically there was firewall between the two, but now they can't. There are a number of our users that have evolved to have these fusion centers with the two expertise combined. Because let's look at some examples. So, Ukraine, Russia. So two adversarial states. Well, I mean, Viasat, the Viasat hack was probably a prime example of that. So Viasat US-based entity, strong footprint commercially in Ukraine, supply a lot of SATCOM platforms, but not only were they used on a civilian scale, but also at a military scale. So the Russians understandably took it upon themselves to hack that system that then had an impact on the broader Viasat business. But it was an output of Ukraine-Russia conflict and the tactics that those two adversarial states were using in that instance, Russia against Ukraine. But it was a tactical choice that they made that then had a knock on effect on the broader Viasat system, so on and so forth.

Shannon Ragan
Yeah. The collateral damage in global conflict. When you were saying about just the volume of OSINT and open source information coming out of the war and largely posted to social media channels that anybody can get in. I think they brought this up on the Talking Threat Intelligence podcast about the lens through which the Wagner mutiny was seen by many people, I think, who are starting to have AI in the back of their head at all times. It's like, is this real? This seems crazy one. And then is this real that there is just so much more doubt sown into things. But doubt and verification are very good for the OSINT field. Do you see as a strange silver lining of this an amplification of the OSINT field or more people getting involved in that type of work.

Neil Spencer
Yes. When we look at the prominence of it, it piques the interest, I think yes, to answer your question. For a couple of reasons, like say now people, it is at their fingertips, they can go and explore it a bit more easily. You've still got the stalwarts. And I always try and call out the likes of Bellingcat on these sorts of things because they are foundational. I believe in public awareness of OSINT and obviously just the work they do is got. Now, especially with the likes of generative AI, you've got some tools around you that you can start to essentially make understanding and easier access to some of the data sources and start to really summarize. But if we look at what's going on Twitter, the sort of constraints that Twitter started to put on some of their feeds, what's going on TweetDeck. TweetDeck now is no longer a free tool. And that used to be sort of the go to option for, again, OSINT researchers, especially if you're looking at more of a situational awareness type, use case build, TweetDeck, build your feeds, that's starting to be clamped down upon. So, whilst I think these geopolitical insights and some of the trends that we're seeing will make people far more interested in OSINT, I think there are still a lot more barriers to potentially access that information than arguably ever there was as much as we've sat here and sort of said, hey, AI is going to make this a lot easier for everybody.

Neil Spencer
Getting access to some of that information in the first instance actually is going to continue to be very difficult.

Shannon Ragan
Yeah, other doors are closing for absolutely.

Jeff Phillips
Well, you know, as we begin to wrap up, Neil, what are some parting thoughts that you might have for our audience on how they face and keep up with and deal with that evolving landscape?

Neil Spencer
Yeah, absolutely. We touched on it briefly if we come back into good OSINT best practices, so how do you detect and then fundamentally validate? So if you're looking at we touched on sort of misinformation campaigns, disinformation campaigns, if you are seeing a threat, if you're looking at a piece of intelligence, how do you start to validate that piece? So how do you start to go to potentially secondary sources to make sure, okay, this is a message that we start to see. If it's an image, if it's a post, and I'm concerned about it, what do you do then to back it up? What is that second layer of validation? Do you then to add discussion earlier, go back out into the platform and sort of go from there? Do you start to look for secondary sources that might be corroborating what that initial statement is, or that initial threat? What other secondary research can you do to go and validate? So I think if we're looking at some of the summaries that we've been talking about, the landscape is shifting phenomenally, it's shifting fast. AI is there to help, but it is not a silver bullet.

Neil Spencer
But ultimately, OSINT best practices will help you overcome a lot of things. Do the research, make sure that you have the right headspace, and use the tools to really amplify your efforts. The tools are there to make your life easier. That's what they're there for.

Jeff Phillips
That makes a lot of sense, especially as we try to talk about on the show. Leaning on your OSINT best practices is more important than ever. And leveraging all the tools out there. Neil, thanks for joining us today. It's a super interesting conversation. Really appreciate it.

Neil Spencer
Pleasure.

Jeff Phillips
Yeah, absolutely. And for audience, if you liked what you heard, you can view transcripts and other episode info on our website, authentic8.com/needlestack. That's authentic with the number eight slash needlestack. And be sure to let us know your thoughts on Twitter @needlestackpod and to like and subscribe wherever you're listening today. We'll see you next time with more on the latest in OSINT. Stay tuned.
 
