The OSINT Podcast
#7 - Kirby Plessas - OSINT Origins, Tools & Tactics, Starting an OSINT Consultancy, Conferences, Future Trends
October 06, 2018 Jake Creps

In this episode I interview Kirby Plessas, an expert in OSINT investigations. We talk about how she got into OSINT. We discuss the best way for someone to get into OSINT. We discuss the difference between an advanced and beginner OSINT user. We then talk about Kirby's favorite tools and tactics in OSINT, including some features that she wishes she had in a tool. We briefly discuss how she started her company and how others can follow in her footsteps. The importance of conferences was also discussed, including how to get to them and the value they bring. We talk about the communication between infosec and traditional OSINT users and how marketers, recruiters, and others are using OSINT and don't even know it. We wrap up the interview with books and online resources to learn more as well as some future trends in the OSINT community.

Episode Transcript

Jake:0:01Welcome to the OSINT podcast. In this episode I'm going to be interviewing Kirby Plessas. Kirby is founder and CEO of Plessas Experts Network (PEN), an open source intelligence, Internet technology and information extraction company specializing in training, researching and consulting to meet the unique needs of diverse government and private sector organizations. I think you're really gonna enjoy this episode. So stay tuned.

Jake:0:44Alright, welcome to the OSINT podcast today. We have Kirby Plessas with us. Say Hello.

Kirby:0:52Hello, this is Kirby Plessas or @kirbstr on Twitter.

Jake:0:56Yeah. So this is the first interview that we're doing with the OSINT podcast. So bear with us if there's any type of technological issues, but um, I kind of want to ask a series of questions to, you know, get a different insight into the OSINT community other than my own voice. And I think you're the perfect person to get started because I've seen you talking at different conferences on YouTube and I've seen a little bit of your content elsewhere online. And, yeah, just wanted to ask you a series of questions to see if we can unpack a few issues that some people might have in the OSINT community. So far so great. Yeah. So let's get started. The first thing I want to ask is tell me about how you first got into OSINT. I know a lot of people have asked what are the barriers of entry or like, what's the best way to get started?

Kirby:1:42So my way to get into OSINT probably isn't the normal way right now. So I actually started off as a US army linguist. I was an Arabic linguist, signals intelligence analyst and when I left the army I went to DoD in DC and I had a chance at that point to try and find everything I could on the Internet about Iran and different Arab topics. And so I taught myself basically, you know, what to find on the Internet. Now, I did have a little bit of a background in computers in that my dad was a computer scientist, so little bit of a leg up, but I also found that I was just really good at it and this is also, you know, this was way back in 2003. This was the birth of the social networks. Lots of new information was coming online, so I kind of jumped in early and just kind of followed the flow since then as far as what people should do right now.

Kirby:2:38You know, there's a lot of different tech certifications you can get and that's a good way to get your foot in the door. But to be honest, if you want to be a good investigator, I feel that you really need to explore on your own. You need to be getting into Twitter and you can get, get into those Slack groups or the rocket chat OSINT group. You've got to get, you know, a network of people who are also really smart that you will follow and follow them via RSS, that sort of thing. And prove your worth. That's probably the best way to get into and to just prove your worth, not just sharing links on Twitter, but actually, you know, finding something new that somebody else hasn't found yet.

Jake:3:15Yeah, I'm with you on that one. I also got my start in the military, but in the air force it was an all source guys. So what we were doing was mostly doing the briefings we were taking all the Intel reports and summarizing them for generals and things like that to give them the bottom line up front. But yeah, I've seen your tweet on Twitter talking about how a link with the Hashtag OSINT is an OSINT. I totally agree. I totally agree with that. Kind of going out and creating content and getting out there and showing people what you can do is not only a way to show your worth but also a way to learn because sometimes the best way to learn is by teaching. And that's definitely a way to go. That's what I've been doing with my blog and with this podcast is just trying to put out content and share other people's content and lessons learned and things like that. So I would consider you an advanced user. You've been doing it for a very long time. What's the difference between an advanced OSINT user and a beginner OSINT user?

Kirby:4:19I think it's going to go again to creating your own methodologies, finding something that no one else has found because you're observing, so beginning OSINT user will take the links that other people have given them, use them and sometimes can use them very efficiently and effectively, but it's when you find something new, when you're, you're the one who's paying attention to those URLs and you see, hey, what if I tweak it this way and you find more information? Or you're the first one who notices when suddenly Snapchat just sends a burst of content on the Internet because you're constantly monitoring and looking for that sort of thing. That's what I would consider advanced. I did see that. You had mentioned, you know, when you're starting to code in Python and yeah, I absolutely agree with that as well, but I don't think that somebody needs to be doing that to be advanced either.

Jake:5:04Yeah, I agree. Um, I'm not, I wouldn't consider myself a Python developer, but I use a little bit like the baseline Python just to be able to interact with some of the modules that other people have created that I don't think you necessarily need to know Python, but you need to understand it when looking at it so that you can learn how to use some of these open source tools that are available out there. But I do think that there are some tools with like a graphic user interface, things like tweetbeaver.com and Michael Bazzell's Intel Techniques, all of those tools. I think that's a great way to start as well, that you don't necessarily need to go down the programming route, but it doesn't hurt. Speaking of tools, what's your favorite OSINT tool? Why and where can I find it?

Kirby:5:46I'd say I have two tools and the first one is a really specific tool and the second one's more of a, of a type of tool. So the first tool that I think is my favorite by far and it took me a little bit of time to really get into it, but that's Hunchly so I know that Hunchly is very popular amongst most of the advanced users, but if somebody is listening to this podcast and hasn't heard of Hunchly yet, hunch.ly basically it records everything that you've been doing on Chrome for your investigation and creates a report, you know, you can put in indicators which are my keywords that I'm searching for, the things that I would want to pull out of this report and not get a bunch of the chaff of the stuff where I wasn't successful in finding things. And like I said, it creates a very nice report at the end. The second tool or type of tool will be a link analysis tool. So I'm talking about something like Palantir or Analyst Notebook at the high end or CaseFile, which is free. And then Maltego, which is somewhere in the middle. So of course my go-to right now is Maltego only because Analyst Notebook and Palantir are so expensive and I can immediately get people started on a CaseFile within minutes. And again, CaseFile is just your most basic link analysis tool, while Maltego takes it up a notch with allowing you to do transforms and basically automatically pulling information out from different sources. But either way, even CaseFile by itself, you can put the stuff in either via a spreadsheet or kind of manually hand jamming it in and then it's going to create a really nice report at the end and beautiful visualizations. And so if I use Hunchly and CaseFile together side by side and I come up with two reports, I almost don't need anything else to give to my clients.

Jake:7:28Awesome. Who's Hunchly and CaseFile not for? Because I feel, as an Intel analyst, not so much an investigator, it's hard for me to look at Hunchly as something that might be useful. Like, what's the workload that you would need in order to effectively use Hunchly?

Kirby:7:46I don't think that you need a kind of a minimum workload. This is just a recording tool. So it basically, anything that you go through, it's going to grab a screenshot, it's going to show your path through the Internet. Somebody says, hey, how did you find this? You can say, look, here's my path. Exactly. Or if somebody says, what, what'd you find on this? This, you know, email, just for example, you can at that moment, put it in as a selector, pull out all the stuff that you found on just that email. I don't think that there's a minimum load for that.

Jake:8:14Awesome. Yeah, it's definitely something that, at least I've seen as a question before, is a, how to justify using Hunchly, if you don't have a really big workload with investigations. I think it's very useful for doing a persons of interest, POI investigations on my end.

Kirby:8:37It took me a while to get into it as well. And so that might be the problem they were somebody looking at it and not quite seen, but I think that if you even use it for, you know, just even one report that you want to create so you want to find out as much as you can about one certain topic, whether it's a person place or thing and just use it for one report and you might be right there and it might shine and you might see what the value is.

Jake:8:59Do you think there's an issue with it being a Chrome plugin? I know a lot of government workers, like the Intel community and people on corporate networks have the Chrome store blocked and I know I think Justin's created a way for you to install it manually. But have you seen that as an issue at all?

Kirby:9:14I have not seen that as an issue. Not that the Chrome Store blocked, because you can any, any Chrome app, you can pretty much install manually. But if you are buying Hunchly then you would probably talk to your IT team in the first place and kind of help that move along. The only problem I do see is that not everything happens on Chrome. So for example, some of my investigation might happen in the Nox, which is like an Android emulator or that I might be doing something in Tor. I might be doing something in Firefox. So the only problem I see is that not everything happens in Chrome and I do usually use something like a screenshot grabber, like Snagit to grab the stuff that's not in Chrome.

Jake:9:57Yeah. I think that people have addressed that to Justin a couple of times about making it a Firefox add-on as well. But I think that's something that's probably definitely coming down the pipe. What features do you think Hunchly and other tools that you use are missing? Like what's one thing you wish you had that you haven't seen available in the market, in the open source or a low barrier of entry, dimension? Because I know there's plenty of tools out there that are thousands, tens of thousands of dollars, but what feature are you looking for that you can't find?

Kirby:10:28The killer feature on a less expensive tool would be something like Hunchly where it also does the visuals. So for example, I could be recording everything on Hunchly and then type in a phone number and have it just pop out with a link analysis diagram of where that content was found. I'm very much a visual person and if I can get that to my customers as well, I find that to be honest, that they're happiest if there's a graph that they could follow without having to read a wall of text.

Jake:10:57Have you seen the Hunchly Maltego transform by chance?

Kirby:11:01I haven't played with it yet. So, no, I haven't.

Jake:11:03Yeah, I haven't messed with it either. It may solve some of those problems that you just discussed. So yeah, maybe, maybe we'll do an update on that once we check it out. Moving on, what are some tactics for starting your own OSINT consultancy? Because I know that that's something that you've done over the last 10 years. I'm not exactly sure if you only do consulting. I know you've done some training, but at what point do you think that people are ready to stop working for other people and start doing everything on their own?

Kirby:11:32You know, I don't have an exact point. I would say that once you feel the motivation, I actually kind of got a kick in the pants to do it, but I don't think that everybody would have to do that. You have this motivation to kind of do it on your own, then my biggest advice would be to get to get your name out there is to apply to speak at conferences and speak on whatever you give yourself something ambitious, but speak at conferences, get your name known and then people are going to start coming to you.

Jake:12:00That's actually what my next question was gonna be about conferences. You read my mind. Do you think conferences are even good for beginners? Like people that have no experience in the industry at all? And if so, how can you, how can people justify the costs of going to some of these conferences including flight and hotels and things like that if they're just getting started in the industry?

Kirby:12:20I'd say conferences are key and it doesn't have to be the big conferences, you don't have to go to Def Con, you can go to the smaller ones nearby. And there's almost always, I mean, BSides, BSides has conferences everywhere so you could find a local one. To me the biggest value is not even necessarily all of the talks of the conferences, although some of them can be killer. It's more of that networking, getting to know other people who are in the same kind of thinkspace, knowing who you should connect with on Twitter and who you should trust on Twitter. So, you know, I mean, you can talk to a lot of people on Twitter and I suggest you do, but when you know that person that you've met, that person in person, you know, there's a kind of a trust that you can build that way. And so I think that's important. Beginners, of course probably won't want to speak at the conferences, but I would say speak as soon as you feel like you've got a grasp of some sort of either technology or methodology that you want to share. I know you don't have to be an expert to speak at these conferences, but you do have to be confident in your talk. That's my biggest suggestion is attend and speak at the conferences. And as far as justification, I think most of the time, managers do know the value of conferences. So as long as you're not the first day at work saying I need to get off to Def Con, you probably get a little bit of buy-in on at least on some conferences and just kind of build it up.

Jake:13:45Yeah, I agree with you on that one. I know it's sometimes intimidating to ask, you know, especially in the security industry, which is mainly a revenue eating part of the company. It's difficult for you to ask, you know, hey, can I go to OSMOSISCON? It's $900 plus travel plus, you know, hotels and things like that. But piggybacking on that, what we talked about before, and I think this my caveat on what beginners can do with conferences is once you start creating your own content and putting yourself out there, you can combine that with going to conferences where, let's say that there's one niche that you have like the blockchain and you constantly write about that and then you can move on to going to conferences and maybe start speaking on those topics as well as soon as you start building a brand for yourself. I think that's a good way to approach the conference sector. I just recently spoke at a, the Southeast Analysts Roundtable (SEAR) about a social media intelligence (SOCMINT). And I think that once you kind of get your foot in the door and you do one or two that a lot more doors start to open or you might just enjoy going to conferences. So you, you mentioned Defcon and that's one thing that I've been thinking about over the last year or so. But one issue that I, that I've come up with time after time is the difference between traditional OSINT people and infosec OSINT people like you have your pen testers, then you have your investigators, you have your intelligence analyst, and they all kind of speak a different language. So my question is how can infosec and traditional OSINT folks improve their communication and collaborate more because I know a lot of people, like intel analysts, investigators may not want to go to Defcon even though there's a ton of value that can be gained there if you want to go.

Kirby:15:25Okay. So they do speak a little bit of different language. But I think that the important part is to listen and learn from the other side as well. So I've learned a ton from the infosec community and I think it's just listening and kind of seeing what they're doing. They're going at things at a different angle and for a different end goal, I guess you'd say. But it's the same info. We just want to pull it out in a different way. When I talk about intelligence or an investigations, so the same would go the other way. So infosec people should be listening to the intelligence or you know, there's a bunch of other groups that are also doing that often get overlooked marketers, those people do a lot of OSINT. Librarians and I'm not even talking intelligence community librarians which are a special breed, but all librarians are doing OSINT, so are, you know, the recruiters. So just you kinda have to flow and realize that OSINT such a, such a wide base and there's a lot of people to listen to. I actually have most of this kind of setup in my RSS feeds and have had them for years and I just kind of pay attention to the different sectors that are doing OSINT what they're finding and seeing how that applies to what I'm doing.

Jake:16:41Yeah. I think that's really interesting. In my last podcast that I just posted today, I talked about how marketers and recruiters are using a lot of the same tactics that we're using. They're just using them in different ways and applying them in different applications. But I know one thing is a lot of people that I've talked to are like front end web developers, full stack developers or they're doing something else but they're really interested in going into OSINT and they have a lot of the same skill sets that users have, but they don't necessarily meet the requirements on a lot of these jobs because they haven't had five years in the security industry. What do you think is the best way for these types of people to cross-train or to cross over into the infosec or OSINT community from a position like marketing or development or recruiting? Have you had any experience with that? Or have you talked to anybody who's made that transition successfully?

Kirby:17:33So I think that a lot of cases, marketing recruiting, they do the OSINT in their own world and never really even want to cross over. But if there is somebody who wants to cross over and they don't have the job experience to either jump into intelligence or law enforcement or infosec then one of the best things they can probably do is to intern, but also start attending those conferences and get their name known. Like I said before, start posting on Twitter, create a blog, maybe a YouTube channel, just kind of get their knowledge out there. But like I said, the internships, those might also help even if they're virtual internships. So for example, we've done a couple of virtual internships for my company and we're starting another one where we just have someone come in and they work at home, we give them a topic at the end of the month, we want them to produce a report and that goes out to our clients, to all of our clients. And so that person gets some exposure. We give them by name, etc. And so if that person ever wants to one, list us on their resume, the job, there's, that they can get a reference from us. But the clients may also have already seen their work.

Jake:18:36That sounds like an awesome opportunity. Is that something that you guys are doing now? If someone wanted to reach out to you and get involved, are you guys looking for anybody right now or is that something that's just something that's been in the past?

Kirby:18:49We have that open right now. We're actually starting a new one with our new intern, which should start next month I believe. And if anybody is interested in that sort of a virtual internship, they can definitely contact me at info@plessas.net.

Jake:19:08That's great. How is that product that they're making disseminated? Is that just for your customers or is that something that isn't a newsletter that people can read? Because I know people might want to say like, hey, do I have what it takes to get an internship doing this? And maybe they can look at the product and see if it's something they're interested in.

Kirby:19:27Traditionally we kept that to our, our customers inside our training portal. I would say that we would give it as well to the actual author and say that, you know, you can publish this wherever you want as well. So, I'll ask our interns and see if they would want that published publicly. But again, I would leave that up to them because we're not going to, you know, blast their name out there if they don't want it to the wide public. I know that they do want it to our customers, but beyond that kind of leave it open.

Jake:20:00Awesome. Yeah. I think that's a good networking opportunity as well for people to talk with a previous interns that might be interested in doing something like this. Name one book or online resource to learn more and develop your OSINT skills. Have you read anything recently that's interesting or is there any other online resource like Intel Techniques or Justin Seitz's blog that you would recommend?

Kirby:20:22I follow so many different blogs and different sources. So I can't say for sure that it would be just one, as far as books. Now remember that I started a ways back, but I'm going to tell you that one of the critical books at the time, and I would say still is that Google Hacking for Penetration Testers, Volume Two. And I know there's volume three or the third edition that's out there right now, but I feel if volume two is a sweet spot, they have a very deep. This is Johnny Long. He went very deep into explaining why everything worked in volume two. I also know that volume two can sometimes be hard to find and can sometimes be expensive, but there's also a PDF out there. So that's a really great starting place. If somebody wants to, to earn their Google Fu we'll say.

Kirby:21:13Of course Intel Techniques. Bazzell. He's got a great book out there, for investigations. There's a lot of good books now you can even look for just OSINT or internet investigations on Amazon and there's quite a few great books. I do have quite a library of my own and several of them signed by the authors, but I might have to write that out on Twitter later. The different ones that I have. Online, I tell people, one of the blogs that they should definitely subscribe to is learnallthethings.net. He doesn't post often and I actually wish you would post a lot more often, but when he does post, this is Josh Huff, he posts very in-depth his articles go into why something works and how to archive evidence from whatever topic it is. So he's got a great blog. He's also got a post that's not on his blog titled osmosis that came out of the OSMOSIS conference last year. So it's learnallthethings.net/osmosis and it's all about Tinder and triangulate people on Tinder. Now this is kind of a jump off of a still a, oh gosh, I'm forgetting her last name, Warren. She's, French PI on Twitter and she talked about all sorts of ways to get into those dating apps and get intelligence in the dating apps. And so Josh took a step further and kind of did a how to on his blog and so, you know, sources like that. Another person to follow and I know you're going to be interviewing soon would be Micah Hoffman. He's got the.osint.ninja and he's got some great stuff on his as well as, as well as the great opt out doc where he's got a Google Docs filled with all sorts of people search engines and how to get yourself out. You can also use that is your list of people and when you're looking for someone online.

Jake:23:03Awesome. That's so many great resources. I'm sure everyone's gonna check it out. I'm going to include them in the show notes as well. So I'll probably collaborate with you and I'll probably include a short reading list from my own library and we maybe we can combine them both together. I don't know if you heard recently, but all of the sock accounts for Tinder have all been shut down as of a couple of days ago.

Kirby:23:24I heard that was because of the latest Facebook hack. I'm not sure that it's something to worry about it. You might just have to recreate the accounts.

Jake:23:33Yeah. They were saying even ones that had a phone numbers that were linked to the actual accounts, you know, with burner phone numbers, were actually getting dropped off as well. I think I heard that from The Dutch OSINT Guy, which is another great person to follow on Twitter if you haven't seen him already. What trends do you see in the future for OSINT? I know that like Facebook starting to crack down their API, Instagram pretty much neutered their API. It seems like the direction that's going, at least in the social media front, is that they're going to start locking down access for investigators to look into a lot of the different features that used to be there. Do you see that being a trend moving forward and may that impact investigations in the future? And what other things do you see coming up? Things like blockchain, etc. That might be useful to get into.

Kirby:24:24Okay. As far as the locking down of the APIs, this is cyclic, you know this, they've done this before. There was a point where, I don't even remember what year it was, but it was a while back where all the social networks are cutting everybody off and they kind of run off and then everything built up again. Oh no, now they're going of, this has got to be at least the third major lock down and that kind of content. So I'm not worried as much about that for social networks. I am a little bit wondering what's going to happen with as far as privacy goes. So you see, you know, all the news about privacy for the social networks having to do with Russian bots and whatever. And then Facebook, it's their first major hack. You know, that's the kind of things that make me wonder, it's not going to be so much whether the companies cut you off or whether the people start actually wising up about privacy and, you know, as of yet, that hasn't happened. But we'll see. Your second question. The one about things like blockchain, I did see your article on the blockchain. Good job on your blog and that's something that I've been working on as well and if you look on the Maltego blog. They actually have two blogs, one from 2016 from 2018 about using Maltego to visualize the blockchain and that I think is so important. That's the only thing that I'd say that was missing off of your blog was the fact that visualization has to be a huge part of it because the blockchain is super complicated and if you don't visualize it, you're not going to get a chance to really get into it. I think that there's going to be some really cool stuff happening with blockchain investigations in the near future. I've been working on that a lot as well.

Jake:26:05Yeah, I saw that transform for a blockchain.info pretty much right after I wrote that article. So I'll probably go back and add it. It's a good thing about having the blog. You can just edit it and add different things if you want to. Um, my last question for you before we wrap this up is, what's one thing you want listeners to take away from this episode? Like if you could give one piece of advice, one tool, one tactic, whatever it may be, what's the one major lesson learned for you in OSINT recently?

Kirby:26:36I think this just be persistent and don't give up. Something that looks like it's not there. Try, you know, come at it in a different angle. A lot of times you'll have something that appears that you can't find it. It's impossible or it doesn't exist. But the thing is, usually it's there and there's some way to get it. Everybody makes mistakes. So if you're looking at hunting down a person, they're going to make that mistake somewhere. It's there. Be persistent. And the same thing in business. If you decide you're going to do consulting, if you're going to jump off, you know, there's all these different side hustle podcasts. It'll give you a great business advice and I'd say just be persistent.

Jake:27:16Yeah, I completely agree. I think we live in really great times to get involved in anything you're interested in and just like you said, be persistent. Keep writing, keep reading, keep listening, and just try to stay as engaged as possible and you're going to learn stuff from people that you didn't even know existed and you're going to learn about things that you didn't even know were possible. So that's definitely good advice. How can listeners find you online? Are you mainly on Twitter or is there any other way that they could find you?

Kirby:27:41So, I am most active probably publicly on Twitter. I do have a company Facebook page. We also have some remnants of a YouTube page. We're not too active out there. I am occasionally in the OSINT rocket chat and if you don't know where that is, go ask @ph0558 on Twitter. He will direct you to the rocket chat. Occasionally I'll be in there. Sometimes I'll be in the old Open OSINT Slack as well. But again, probably the best way, the most direct way to engage me is on Twitter.

Jake:28:17The same thing for me. Twitter is the way to go and the rocket chat, if you're interested is osint.team. You can request to have an account there. I'll put that in the show notes as well. Alright, Kirby, thanks so much for taking the time to do this interview. This is the first one. I hope it's the first of many and I think that you've provided a lot of really great insights for people and I think that people are gonna find a lot of value in this. So yeah, thanks again and if you ever want to come on the show again, feel free to let me know.

Kirby:28:44Thank you. Thanks for having me and good luck with the podcast. I think you're doing great. I'm looking forward to great content.

Jake:29:08If you enjoyed this interview, Kirby's going to be speaking at OSMOSISCON 2018 in Las Vegas, Nevada starting tomorrow, October 7-9. Her presentation is titled Charting Dark Web Investigations, Mapping out the Darkness. If you're interested in exploring the dark web and how you can apply OSINT to investigations on the dark web, make sure to check her out.
