
Cyber Security monitoring with Robert Pritchard

Episode 4  |  36:44 min  |  11.06.2019


This is a podcast episode titled "Cyber Security monitoring with Robert Pritchard". The summary for this episode is: In episode 4 Terry Pattar, head of the Jane’s Intelligence Unit, is joined by “The Cyber Security Expert”, Robert Pritchard, to discuss methods for OSINT analysts to mitigate online security risks and better understand the threat environment in which they operate. Rob is highly experienced in providing cyber security advice, including developing and delivering the Jane’s Cyber Security Awareness for OSINT training course.

To request information on OSINT training go to www.janes.com/OSINTtraining
To find out more on structured data go to www.Janes.com/IntelligenceUnit
Visit The Cyber Security Expert at www.thecybersecurityexpert.com


Terry: Hello, and welcome to the World of Intelligence, an open source intelligence podcast brought to you by the Janes Intelligence Unit. For more information on how we can help with OSINT training and development, go to Janes.com/OSINTtraining. I'm with Rob Pritchard, who is the cybersecurity expert for this episode of the Janes OSINT podcast. Rob, it'd be great to get you to maybe introduce yourself a little bit because I don't think I'll do you justice, but we have worked together a fair bit in the past in terms of delivering training for OSINT analysts and giving them cybersecurity advice to keep them safe online. But that's obviously only a small part of what you do. Maybe it would be great for the listeners to get an idea of what you do fully as a cybersecurity expert and what sort of other services and experiences you've got that you wanted to share.

Rob Pritchard: Thanks Terry. I'm Rob, I've worked in cybersecurity, although it wasn't called cybersecurity when I first started doing it, almost 20 years now, almost my entire career and across a range of sectors. I spent seven years in UK government doing various different things related to cybersecurity in some of the successor organizations to what is now the National Cybersecurity Center. Since 2012, I've worked for myself, I've got my own company and I do the OSINT trainings work with you, but I do a lot of consultancy as well. Working with companies to come up with cybersecurity strategies and quite a lot of work in the incident response and security operations, security monitoring space, and actually a lot of training outside of OSINT. A lot of awareness training and internal specialist skills training as well for companies who are trying to just either bolster awareness of threats or increase skills of existing staff internally.

Terry: That's great. In this area of OSINT, there's a lot of people working in open source intelligence who are within government organization probably, and are doing things where they've got policies, procedures, technical measures to try and keep them safe online. But there's still a lot that people depend on in terms of their own understanding, their own behaviors to keep them safe. Is that the kind of thing that you might be brought in to help advise on?

Rob Pritchard: Yeah, absolutely. That's kind of thing I've worked with you on and that's the kind of thing I do talk to other clients about and you're right. Things have got better over, let's say, the last 10 or 15 years. Definitely. But you could be quite surprised to see very poor behavioral practices, even in organizations that have very sophisticated OSINT technical setups and people can get a bit blase about it and especially ethics sometimes there's a temptation in environments where you might not otherwise have easy access to the internet at your desk and we've both been in organizations like that I'm sure. For various reasons, lots of government organizations do not have internet to the desk and the networks might be air gapped. People sometimes see the OSINT capabilities that they have, which might be a standalone machine or a separate network as general access to the internet and they're off researching bars and signing into Gmail and Facebook and things like that and doing all the things that we use the internet for, not unreasonably, but not really considering that they might be blowing their deniable capability at the same time they're doing that. Behavior is absolutely vital.

Terry: Working culture really plays a part as well because as you've described, people might be working in those kinds of areas or roles where they've maybe had to leave their personal device outside the room. They're not able to access any of their personal things or go online during the day. Then there is that immediate temptation when you've got a terminal that is dedicated to let people go online, that they do start doing a lot of those personal things. It's probably quite natural, I suppose, in terms of behavior, because you get so used to just going online and doing research alongside doing your own personal activity when you're not at work that perhaps that becomes second nature and people fall into that trap quite easily. What sort of things do you advise people when they're working in that sort of environment to help them avoid falling into that trap?

Rob Pritchard: It's difficult. It falls down to both individual, I think, and manage group culture and I've seen setups that are pretty good. You might get somebody in who understands the technical side and understands the operational side, get servicing set up and then you have two or three staff changes and you're effectively a couple of generations down the line and people have forgotten the good practice or they don't take it seriously or whatever it might be. And so that bad practice sinks in. For the environments we're talking about. If you're in a government agency and you are doing open source intelligence analysis, you presumably have requirements around deniability in that you don't want your targets to know that your organization, or you personally and you will also have requirements around your own personal security because if you're researching really capable threat actors like the GRU or something, you don't want them identifying you personally and then collaring you when you cross a border somewhere in the future. There's those considerations and really the only thing to do, the only trick if you like is discipline. Self-discipline and following the procedures that are set out and not allowing yourself to fall into the trap of using it as a personal web pressing surface.

Terry: You make it sound so simple.

Rob Pritchard: It is. I'm the veteran. I've been in these environments and I've read that. And it's so easy because you're so reliant on the internet for things, even just paying bills and things, right. It's super tempting to login. I think that the best thing people can do, that's organizationally, is provide a means for people to do that, which isn't also your sensitive hosting network. Although then of course you have to have the discipline the other way, they'll go Google your targets when you're on the backing network or whatever it might be.

Terry: And that is the thing, isn't it? We do find people who even now in various government organizations that we provide training to who you'll hear them say things like, "I just would've Googled that when I was at home," and you think, "Oh no, please, please. Don't. Don't combine your own personal activity with your work related research." If you're in an environment where you need to maintain some level of secrecy in terms of not giving away your requirements, but it does still happen. It is so tempting, I think for people to overlap their personal and their professional work in this way. How much of it comes down to people needing to understand better the types of threat actors and the types of threats that they face? Is that something that you find is not always clear for them?

Rob Pritchard: Yeah, I think that's true. I think helping people understand that the threats is one thing definitely. And I do quite a lot of awareness training, like I've said, and not sort of generic awareness training, not necessarily as an analyst. And I work with companies who not exclusively, but with companies who might be targeted by more capable threat actors, basically so foreign states mostly. I think explaining to people the risks they face and they're not necessarily trying to make people terrified, but explaining, I think for me a key differentiator is that if you believe you might be targeted by a nation state, you've got to act at all times like they are targeting you because you're not going to get to get some red flags going up and saying, "Oh yes, the GRU are trying to break into your mailbox right now." You need to assume that all the time and equally I think something people perhaps don't really think about is the fact that, it sounds obvious, but they are targets in their personal life as well. If you work for an organization and you're doing research into GRU or North Korea or whoever it might be, or they regard you as a threat, then they don't restrict themselves to targeting you at work. They'll try and phish you for your home Gmail account, for your Facebook or whatever it might be. And then the same is true for OSINT analysts, the danger of mixing in. Making that one mistake, which blows your operational network or your own identity. Might not be obvious at the time, but it might come back and haunt you later. I think definitely describing the problems to people and the impacts, the capabilities of the people who might target you. The impacts that might have, I think is always a good place to start with any kind of training.

Terry: Yeah. Got it. I think that that's certainly something that people need to be aware of. What you've just alluded to there in terms of the state actors and the threats that people might face if they're researching those countries. How can a more generalist OSINT analyst stay on top of how that threat environment might be changing. Is that something they can do?

Rob Pritchard: You probably can but I appreciate it's difficult because then they're doing the threat intelligence and analysis or the OSINT analyst is probably not necessarily going to be the subject matter expert on the capabilities for the hostile seeking agency or whatever it might be. It's not going to be easy, but I think there's going to be sets of good practice, like not using the operational network for personal things, like ensuring that you don't leak information between sessions, things like that, like not taking your work home with you, which is just good practice at a minimum and should hopefully stand you in good stead regardless of how the threat environment changes. And I think it's also probably worth saying that the kind of threats we're talking about now, we're right at the top end of the scale. To our target organized crime it's still really, really important that you take your personal security seriously because you definitely don't want organized criminals turning up on your doorstep, but equally they don't have the capabilities of an NSA like entity.

Terry: Yeah, of course, of course. It's interesting obviously we're talking about open source intelligence in the sense of security and defense professionals doing open source intelligence to try and work out what perhaps some of the threat actors they're looking at might be doing then in a defensive capacity, thinking about how they protect themselves from some of those threat actors who they might be researching. But in terms of the way that open source intelligence has developed, I guess in the last 10 years, we see it used much more as a term now in the cybersecurity sector. And it gets, I think, a bit confusing for people because it is a different type of open source intelligence. When you're talking about using open source intelligence for purposes, such as pen testing, et cetera, I think it's worth probably us clarifying for people obviously that we're not talking about that kind of open source intelligence in this context, but do you see where people can get those wires crossed or getting confused between the two things?

Rob Pritchard: I don't know necessarily if people getting confused because it's different worlds, but I think you're right. Most of the open source analysis I do tends to be technical, right? I'm looking for, I don't know, to pick something out of my head, I've been looking at a client now who's potentially had an Office 365 to state compromised, and I'm trying to work out how that's happened. Can I tie anything back to a particular threat actor or is it random? Was it just somebody with a weak password? The kinds of analysis I'm doing is trying to take the indicators of compromise that I have, that I can see from the client's logs and see if I can connect that to a broader infrastructure, domain registrations and all that kind of thing. And it's a lot of the same techniques that you'd use for the kinds of things you're talking about. And you may stray into that territory of course, because if it is a nation state, then I definitely don't want to go around poking at nation state infrastructure for my own home network. But yeah, you're right. There are sort of, I think it's quite a broad church, when we talk about OSINT now in terms of the kind of activities people do.

Terry: Yeah, no, it is, I think. And I think certainly for what we see, I think there is a little bit of confusion around it because the term does get used in those different contexts. But it's interesting. You talk about doing that more technical analysis using the similar techniques. Has that become easier or harder over the last few years? Have you seen many changes in that area?

Rob Pritchard: So things like GDPR actually had quite an impact because you don't necessarily get when you've registered a domain. So like Google.com is a domain. When you register a domain, you have to give details, you have to get the name and email address and a phone number, things like that. Now you can fake those details, they don't have to be real, but what you would find is that people who were setting up large scale hacking infrastructure would get a bit lazy and they would use the same fake details, or it has to be a valid email address. They have to be able to access it. So they might need the same email address to register domains for lots of their, what we'd call, the command and control infrastructure, the hacking infrastructure, and once you were done picking something, an email address or something else, a fake address or a phone number could lead you to the rest of the infrastructure. And that's got harder because of GDPR, because lots of that data is now redacted. But the flip side of that is that there are many, many more companies doing this work. And there are lots and lots of tools that's full of indicators of compromise, which help you do this analysis. There's much more. The landscape from when I was doing this when I was in government, I left in 2012 and the last three years I was semi senior so I wasn't doing a lot of hands on analysis. When I was there, this is government in 2009, the tools we had available, the open source analysis was much, much harder. You had to do an awful lot of legwork yourself. Although the flip side, people were perhaps less secure so once you'd cracked the nut, you could maybe unpick it a bit more, but the tools available now and the depth of data available is quite impressive. You could do, for somebody who isn't the FBI or security service or whatever they might be, the data sets that are available to you are really quite useful.

Speaker 3: Do you need to understand and plan for tomorrow's threats without diverting valuable resources from the threats you face today? At Jane's we deliver cutting edge, trusted, open source intelligence on current emerging and future threats and assessments of the capabilities you need to mitigate them. Janes is the only single resource for comprehensive, structured and connected intelligence on military equipment, inventories and orders of battle, which means we can help you reveal previously hidden connections. We also provide data and insight on conventional and asymmetric threats, including terrorism, extremism, and organized crime. So if you are tired of collecting and processing overwhelming volumes of inconsistent and unstructured data, let us reduce your workload. Janes assesses, validates and verifies huge volumes of data, and then adds insight you need to focus your resources. We can also help improve your open source intelligence capability through intelligence reporting, RFI services and open source intelligence tradecraft training. If that sounds good, visit janes.com/intelligenceunit to find out more.

Rob Pritchard: Definitely people are more privacy aware and it doesn't necessarily mean they're doing the right things though. I think you sent me a link to Strava the other day, about how hard it is to get your privacy settings on Strava right, which is the sports tracking website. If people don't know what sports tracking application.

Terry: It's one that we've talked about quite a bit in the past, isn't it?

Rob Pritchard: Yeah, it is. Yeah. And Strava and some of their rivals have leaked things like the military bases in Afghanistan and things like that because people track their activity and I really like Strava. I use it. You want to compete with your friends on the leaderboards, for things like that you have to make some information public. If you make it all private you don't feature on those leaderboards. It's quite a sort of powerful anti privacy incentive. And you could do things like set privacy zones, but I live in a village and I set a privacy zone, but I'm not particularly convinced that it gives me much additional cover, but yeah. I think you're right. I think, I don't know, it's swings and roundabouts. Definitely. I advise people on ensuring, I don't want to lecture people on what they should and shouldn't share, but I try and encourage people to be mindful about the information they are sharing just to make sure that they have reviewed the privacy settings on the things they use, so they are happy with the data that they are sharing, because it's really easy not to realize that settings have changed or things like that. And you're leaking much more information than perhaps you intended.

Terry: Are people becoming more savvy or is there still that sort of element of, "Oh, wow. I didn't realize all that was out there."

Rob Pritchard: I think it's a real mix to be honest, because almost by definition the people who are asking somebody like me the questions, are probably concerned in the first place.

Terry: Yeah. True. Fair enough.

Rob Pritchard: They're not going to be necessarily surprised they're the worst case and they're going to be pleased if there's not too much about them. I think there is probably a huge amount of naivety I used to use, not to sort of shout out to specific tools, but I used to use PitBull, just the free tier, which has vanished now, unfortunately, but I always found that-

Terry: It's still available as a paid-for tool, I guess isn't it?

Rob Pritchard: It's not cheap but it's very powerful. I've used them for free for years so it's probably about time I reached into my pocket, but they're very good example you could check a phone number in and see what you could find out about people or an email address and that would always, always open eyes and people would be really astonished about how just literally one indicator, a phone number or email address could not every single time, like you say, it slightly depends on region, but it's a pretty sure thing. If I had a class of 20 people and got a few numbers or email addresses into PitBull, I reckon three out of four would bring back the right person and give employment history and education history, social networks they use things like that. It was really powerful. And like you said [inaudible] still out there, it's just behind a paywall now, there will be other service providers. I'm sure.

Terry: Is that a limitation in the sense that I think as much as people might be aware of those resources and what information might be there, they might not necessarily be able to go out and use them or investigate using them fully to find out what other people might be able to get on them.

Rob Pritchard: Yeah. I think that's true. That's absolutely a valid point because if you've got a paid for subscription for something at work, you might not necessarily have it at home to do the same thing. So you're right. And you might not have the same tools available, but I think you could probably at least get, hopefully if [inaudible] that into the world, if you like, you probably have some other avenues could use to work a little bit harder to try and find that information. Your paid tools are probably going to let you down sometimes anyway. Thankfully it doesn't prevent people completely from doing that work, but it's absolutely valid point. If these things are behind paywalls, then you're not going to pay the $500 a month or whatever it might be just to do your own security checking.

Terry: No, for sure. Are there any other sort of tools or resources that you've seen come online in the recent past that you feel actually could be really beneficial for people not just inside of security, but as general OSINT analysts?

Rob Pritchard: I've been curating a list actually. I can't think of anything right now. The ones I've been looking at it are more around, like I said, more around technical. There's quite a lot of repositories of technical information and doing things like the OSINT for penetration testing or security testing of organizations, because I do quite a lot of work in that kind of space. So trying to brute force domain names and find resources and things like that. There's quite a lot of tools in that space that have proven quite useful. And I think that we lost, what's his... Michael, he took all his tools down recently, didn't he as well?

Terry: Michael Bazzell from Intelligence [crosstalk]

Rob Pritchard: I think in the more general OSINT basis, sounds patronizing, I don't mean it like that. In the non technical OSINT space I think there's definitely a lot of the tools I've used have vanished recently whereas in the technical OSINT space I think it's got a bit richer because it perhaps targets a slightly smaller and different set of people. Different set of analysts, although there's still lots of painful tools out there as well, but yeah, I'm happy to share my useful tools list with you if you would be interested and I'm sure you're-

Terry: I'm always interested. We like to keep abreast of any useful tools and resources that are out there.

Rob Pritchard: Yeah. There's a couple of things I was looking at recently around looking for finding emails in leaks. There's obviously, Have I Been Pwned? But [inaudible] does it responsibly, you can't necessarily pivot on the findings to other sources or passwords. There's a few resources in that space that I was looking at recently for something.

Terry: And do you find, we certainly find from the general OSINT perspective, in terms of the online community of OSINT practitioners that's out there, people are generally quite helpful. People share a lot of stuff and a lot of tips, advice, links to new resources, et cetera. Do you get the same benefits on some of the more technical tools that you're looking at?

Rob Pritchard: Yeah, absolutely. I'm always clipping stuff for people on Twitter. Like you say, people are really helpful, but also people are always writing new tools or sharing or putting up new services, things like that. So definitely. Yeah. Twitter is absolutely fantastic resource both in your OSINT analysis, but for learning how to do it and finding the tools as well.

Terry: Yeah, definitely just cycling back on one of the things we touched on earlier, which was thinking about threats and threat intelligence, we talked about this in the past you and I about threat intelligence and the benefits or limitations of it. Is the threat intelligence better now, is it easier for people to either access it or use it or to use it to better protect them?

Rob Pritchard: I think the answer is probably not that straightforward. I think the threat intelligence world is a good one and there are lots of generally useful sources out there, but I can count possibly even a one finger, the numbers of clients, that I've worked with who actually understand threat intelligence, can lay out some requirements around how what they want from a provider and how they're going to use it. And then have the analysts themselves on site to churn it either into their protection tools or into training or awareness briefings or whatever it might be. I think threat intelligence is definitely suffered from being a bit of a buzzword, and lots of things are, that people say, "We've got to have a threat intelligence source." And so people will sign up for threat intelligence also and then they'll get emails or get indicators of compromise. And it's like, "Well, what do we do with it? We can't use this." I went to a critical infrastructure provider in the UK and they told me the threat intelligence fee so they signed up for it. When I looked in their Outlook shared mailbox, there was thousands of unread emails in them. They pay the subscription fees and literally nobody did it but they could check the box saying, "We have got threat intelligence." And it's difficult because when people start saying, "We need some threat intelligence." I'm like, "What are you going to do with it?" And most times it's all physical space, it's useful because, okay, we know that there's unrest in this city so we definitely will, actually we were having the conversation about it before we started recording, we'll make sure that everybody goes in armored cars and then he goes to the pre-approved hotels and you could definitely see value for it there and I think it's easier to articulate. But when you start talking about cyber threats or threat actors, it's a little bit harder because you don't get that information.
A lot of the technical threat intelligence IP addresses and things like that is useful, but you've got to have analysts you could use it. And a lot of times it just gets churned into the security tools anyway, so the indicators of compromise would be in your antivirus or whatever other tool you've got. Right? They will be the consumers of the threat intelligence, not you as a punter. And so finding a happy medium where people actually can describe what they want and then find providers of that and then use it properly is quite tricky and I haven't seen it done well often.

Terry: In that threat space though, we mentioned earlier the state level actors that people might be worried about, if there'd been further developments in recent years in terms of the capability of non-state threat actors, is that something you're seeing more of and is it something you're having to deal with at all?

Rob Pritchard: Yeah. There's NSO, I think they're the Israeli spyware company who have been very controversial and they were the people behind the WhatsApp exploit then they sold the capability. And so I think it's become a lot easier for countries to bootstrap their cyber espionage, for want of a better word, capability. And there's been some really good reporting in the open source and Wired than others about the UAE. And there was another country, maybe it was Saudi recently recruiting ex NSA and ex CIA analysts to go over there and set up the hacking teams. And so I think, yeah, back to talking about nation states haven't I? But I think there are lots of private sector organizations who are selling their services to nation states and the nation say, "Get the capability." Even if it's not them who are developing it. And I think there probably are developments in cyber crime, but the big things we're seeing and the organized crime space are still [inaudible] targeted. Ransomware started crypting old organizations and then demanding money to get the decryption key, that's a slightly different set of requirements I think.

Terry: In terms of open source intelligence practitioners, if they're working on their own, if they are perhaps not supported by a lot of infrastructure behind them. Is there a sort of setup that you would walk people through at a basic level to say, "Okay, here's the minimum of what you need to have in place?"

Rob Pritchard: Yeah. For the at home or the less well budgeted open source intelligence analyst, I think the tools available actually are really good anyway. I don't think you necessarily need a good budget and a lot of it is the discipline. Their security comes from the self-discipline rather than the technical tools. First of all, you want to make sure your platform isn't compromised or you only need to make sure that it isn't compromised long term. Do your research and things like Virtual Machines are your friend. VMware do a free tier or there's VirtualBox, both of which are free. And they are-

Terry: Easy for people to set up these days?

Rob Pritchard: Yeah, pretty easy. I think so. You don't need to be technical. I don't know, the Buscador, back to Michael again, the intelligence techniques. They have Buscador and the Linux operating system, which comes with lots of open source intelligence tools on it and they talk you through how to set it all up. I'm not going to say it's the Soviet cakewalk if you've never done it before but I think if you're wanting to be an OSINT analyst and understanding your tools then...

Terry: Yeah. I just supposed people listening who maybe don't have a strong technical understanding, what's the advantage of a Virtual Machine and what does a Virtual Machine do?

Rob Pritchard: Virtual Machine essentially, I'm sat here talking to you on a Mac, and I've got VirtualBox on here, which means I can also run a Windows operating system and a Linux operating system, which is an open source operating system at the same time. And I can flip between them. The good thing about the virtual environments is I can set them up in different ways. Something I'd recommend to people when they are doing their open source analysis is to build your Virtual Machine, whatever you want to use for that. And as I said, Buscador comes with lots of tools, but you can easily build your own. And it's really important that you keep everything up to date, standard security good practice so you can build a Virtual Machine. You could take a snapshot of that and then every time you do a new investigation, you can basically launch a new Virtual Machine off that snapshot. And it means that A, if that's compromised, your host isn't compromised. Your day-to-day computer isn't compromised just a Virtual Machine, but also when you roll back to your known good build the compromise is gone, are rarely all your data is gone as well so if it [inaudible] then you have a way of getting off your analysis. I've done that, I've rebooted back into a state accidentally without taking off the analysis and I know it's painful.

Terry: But it's worth it.

Rob Pritchard: You know that, A, if your machine is compromised you will lose just wiped it and you're starting from scratch. But also that there's no data leakage, right? You've got a nice clean build. It hasn't got all your search history, hasn't got all the cookies and all the things like that on there from your previous investigations. And then I think the other thing, so using a Virtual Machine gives you that segregation between your main platform and your analyst tools, and Tor really is probably the easiest way to ensure that-

Terry: Tor browser?

Rob Pritchard: Tor browser, yeah, to provide anonymous network access, that is probably as good as anything, well it's probably better than anything, you're going to build yourself. And it might not be suitable for every purpose, because if you are using Tor then it's pretty easy for an observer, for somebody looking in the logs of their website, for instance, to see that somebody has visited this website from the Tor browser so from the anonymizing network.

Terry: Can websites use that to block access to people who might come to their website from the-

Rob Pritchard: Yeah, you can and there are problems so they will block Tor access for you if you want to. Most people don't tend to bother because it's well [inaudible] and some people have legitimate reasons for wanting to use Tor, but you can. You can just block access if you wanted to. There are downsides to using Tor as well but I think for a lot of the time, if you're just doing general research and you just want to make sure that it's not obvious that it's you sat at your home network doing it, then Tor is probably the easiest way to accomplish that. Although you can use VPNs and things as well, although it depends, you might want to start having to find ways to pay for them, which don't lead back to you, depending on how paranoid and [inaudible 00:28:51].

Terry: True. Yeah.

Rob Pritchard: Once you start unpicking things it can be challenging to really, really be deniable. Tor is a really useful tool. So Virtual Machines and Tor. And just having that discipline to make sure that when you start a new OSINT investigation, you start with a fresh build. And you can have lots of Virtual Machines. You can run concurrent investigations, but you just get that segregation then, the compromise of one investigation doesn't blow all your other investigations.

Terry: I suspect as those tools, like you said, with Virtual Machines, they're becoming easier to use or have become easier to use and the Tor browser has always been very easy to use. One of the things that for people who are listening, who maybe have used Tor in the past, I don't know if you've noticed this, Rob, or not, but I know several years ago, trying to use it was actually quite painful because it was generally very slow, but it's improved a lot I think in terms of speed over the last couple of years, they seem to have added a lot more nodes to the network to give it more bandwidth. Is that reflected in your usage of it as well?

Rob Pritchard: No, see I used it all the time for malicious activities so for hacking and things like that. I think Edward Snowden did us all a favor there because Tor, pre Snowden, was kind of usable, but they weren't really there for that many active nodes and Tor, post-Snowden, there are lots of people who are onto obviously has become much, much more usable and the list of active nodes is really big now. So yeah, it definitely has and you could do things like, everybody I'm training, so people have been watching YouTube videos and stuff over it which you just wouldn't have been able to do six or seven years ago. Definitely.

Terry: Yeah. It's interesting you mentioned Edward Snowden and there's not many ex-government people I think or certainly current government people who would say he's done us a favor.

Rob Pritchard: [crosstalk]

Terry: Yeah. Any development in a tool like that is driven by demand. I suppose the more people that use it the more they will grow the network and they will add more resource to it and have more volunteers coming along and joining the network. I think those kinds of tools definitely will improve. Interesting what you've described in terms of the tools, but also that discipline and having the right things in place in terms of the practice that people follow and keeping that separation between the professional and personal activity online. Do people also need to worry about, like we've alluded to already, the level of information they put out there about themselves? Let's say somebody in your role where you're in the private sector, you've got your own business, et cetera, you need to publicize your activities. You can't just hide and be entirely anonymous online. Do you have concerns sometimes about how much you put out there or do you try and limit it in any way? Is that something that you worry about at all?

Rob Pritchard: It is, yeah. And then because you inherit the risks of your customers in some ways, because if you're providing security advice to people who might be targeted by state actors, those capable state actors may decide that you yourself are worthy of target. Yeah, it does. Like you say, I need to be public because I want people to pay me money to do some work and if customers can't find you, then they won't. I try and be sensible. I've got more relaxed about ligate insurances over the years. Although I still limit what people can see, at least a little bit. You can only get the highlights without actually connecting to me. And I use social media and things. I use Twitter a lot so it does but I try and then make sure that I do what I preached in that I make sure that I'm happy with the privacy settings and things. And I just follow all the full security best practice and I keep everything... I'm quite paranoid basically. I have two factor authentication turned on for everything, everything's encrypted when I take it with me, those kinds of sensible steps. And if I'm doing OSINT research and things like that, I do try and use my Virtual Machines and Tor and so on.

Terry: Hmm. And in terms of the information you put you post online on platforms like Twitter, et cetera, do you try, well, I follow you on Twitter and like anybody else you're using it for a mix of stuff. You'll post things that are professionally relevant and occasionally stuff which is more personal, I guess.

Rob Pritchard: The dog pictures.

Terry: Friday updates from the dog. Yeah the dog, I love the dog pictures every Friday. I don't know if we can mention her name online or if it's classified, but yeah.

Rob Pritchard: She's not a classified dog.

Terry: She's not a classified dog. Okay. Good. Is that something that you then look at and think, "Okay, that potentially creates a vulnerability?" Because if somebody sends you an email saying, "Oh great news, there's an offer on a free dog food." Or something like that from your local pet supplier or whatever it might be some social engineering. Is that something that you then have to keep an eye out for?

Rob Pritchard: Yeah, it is. Yeah. You're right. Yes, I haven't actually seen those emails, but-

Terry: I was going to say or are we getting too paranoid there?

Rob Pritchard: Yeah. It is. Everything you put out that gives a bit more information about yourself and I worry. The Bellingcat reports with the GRU guys traveling all over the Alps and I live in the Alps. They came to where I live and I think, "Oh, that's a bit weird. That's a bit alarming." My threat model didn't really include the GRU coming round to my house. I do worry about security and I do take it seriously. And I have to. We all live our lives and I think the approach just more generally about security I think I try and encourage people to ensure that the practices you follow mean the days that you make a mistake, you limit the impact of that mistake. The days that you do something wrong, you haven't blown your entire operational network or you haven't blown your entire case or whatever it might be because people make mistakes and the same in our personal life so that's why I'm pretty strict about making sure, well very strict. I have a password manager, I have unique passwords for everything. I have two factor authentication turned on for absolutely everything that I can. It's entirely possible that I get phished, but hopefully it limits at least the immediate impact of that if somebody gets a password so the only thing important because they won't have the second factor obviously you can do real-time phishes and things like that against people to try and get that second factor but it gives me some breathing space. Hopefully I've limited the potential failure modes if you'd like. I think that's the important thing from the security practices, it's like having a seatbelt or airbags or something in your car. Every now and again, things are going to go wrong so you try and reduce the impact. No, I think it's appropriate to be paranoid.
If I go traveling or even at home because obviously the beauty of cyber espionage is that it doesn't have to be done in person, but I think you just need to make sure you build in appropriate security controls and your personal behavior. And I appreciate I do share stuff online and you're right. It would be better practice or maybe better practice if I literally had no social media presence. That's probably overkill for me. I need a social media presence because it's where I get work.

Terry: That's great. I think we've caught a lot of ground there, Rob, thanks for joining me. And it's been a really interesting discussion as always. If people want to find out more about your work or figure out more about what you're doing, they can find you at thecybersecurityexpert.com.

Rob Pritchard: That's right.

Terry: On all the socials as well?

Rob Pritchard: Go to the website and you can find me on there.

Terry: You must've been delighted when that domain name was available.

Rob Pritchard: I was. Yeah. [crosstalk] Somebody buy it off me for a lot of money but that hasn't happened so I have to work.

Terry: That's all we've got time for today. Thanks for listening. And for more information on how we can help with OSINT training and development, go to janes.com/OSINTtraining.
