As I’ve mentioned in other posts, Open-source Intelligence (OSINT) analysis is not my day job – not at the time of this writing at least – but it’s definitely one of the categories of work and challenges that I am most passionate about. As such, it often comes up in conversation with friends of friends or extended family members, and it follows that they often ask how to get started in this.
Now, as is the case in penetrating any industry or network, system, etc., there are multiple angles which could be effective and more yet which may prove a more efficient use of your time. As with our brothers and sisters further down the cyber kill-chain, I do not believe that there is one set way of entering this market.
Hopefully this post will be perceived more as food for thought than a gate-keeper post, and at the end, I’ll touch on the qualifications that I would look for as a hiring manager and department head who may be charged with outsourcing some of the workload.
Personal Background: For Context
I was always a self-starter who would view barriers to entry or gate keepers as a challenge that I would immediately accept. For reasons I will not get into here, I joined the Military at 17 and would work there and later as a private contractor in the intelligence sector for roughly 8 years in total. Though it was not my first choice at the time, I would not have changed a thing about this chapter of my life, and might even be inclined to return if presented with the right opportunity. Especially in contracting, where the caliber of people that you will work with are among the most passionate SMEs in the world, and there is so much that you can learn from them.
I was getting burned out though, which I suspect is mainly due to being young and not approaching this career with balance in mind. So, when offered a mostly remote, mid-level compliance and due diligence position back in 2014, I jumped on it. As the title suggests, this position would focus mostly on insider threats, background checks, threat intelligence and assets.
Because of this experience and the network that I developed along the way, I did not require any certifications or degrees, to present work history statements or submit a resume, though I do maintain copies of these just in case. Starting off as an independent OSINT analyst, it was mostly individuals from my network asking “hey, do you think that you could have a look at this [x] on the side?”. After a few years of irregular requests, word of mouth spread and now I’m at the point with the OSINT side-gig where I’m debating if I should start vetting contractors to help with the workload and switch to full time consulting. It will snowball fast – you’ll see.
Certifications vs. Experience
As a disclaimer, I’ve only ever worked for either performance-oriented teams or for privately held organizations. These are much different than your larger corporations, with their pay-band scales, supposed equal opportunity employment and resume rat-race to win other corporate contracts. My type of organizations hire, retain, reward and keep performance only. If you start dropping off but were great back in the day, you basically have 30 – 45 days to fix your problem on your own, or you’re out – maybe less time depending on the situation. If you are worth keeping and the need for certifications starts to arise, they would send you to get certified.
My experiences may have made me biased toward the qualities which would excel in these environments. So I’ll repeat the words of John Hammond from a David Bombal interview: “Your blog, github and other documented experiences are more interesting to me than certifications.” Now, this was brought up in relation to malware analysis and programming, which is easier to publicly document than an OSINT investigation, but the same holds true to some extent in the OSINT world. What I may be looking for right off the bat are side projects where the applicant developed code to automate a redundant task, or ways to better organize large volumes of breach data. I may also look for your participation in online discussions or forums.
Blogs are another great way to develop an understanding for the way that an applicant may approach a specific problem. Most experienced managers will be reading through your investigation write-ups in search of something close to their current use-case or previous scenarios.
With a good sense of who the person is, an in-person interview is the next step. Here, I’m looking for a sense of who the person is and indications of them ‘faking’ or attempting to show what they think I want to see. What I am personally looking for is someone who is comfortable in their own skin, with their own abilities and experience.
Types of Experience to Avoid
I recently came across a position listing advertised by @OSINTJobs on Twitter. This isn’t a knock against OSINT jobs or whoever is maintaining the account, but the position asked more questions about the applicant’s gender, race, identified gender, identified race, whether or not you identify as one gender and would like to be identified as transgender, sexual orientation etc. – than they did about the applicant’s qualifications and work history.
In total, there were 5 questions about the applicant’s qualifications and 12 questions of the latter.
Don’t walk away from organizations like these – RUN! This is not an equal opportunity employer, which means that exciting projects, promotions and opportunities will be pushed to someone based on their identifiers rather than their performance, passion and subject matter expertise. This is not the type of environment that will cultivate rapid growth or reward passion.
OSINT is becoming its own career field rather than a specialty, which is what it was while I was starting out. Regardless, here are some of my thoughts on how to get started, based on my experience and if I were to offer advice for someone starting today from absolute zero:
- Spend some significant time with Linux. This is where most of your work and documentation time will be spent. I would also recommend that you at least tinker with bash and python scripting.
- Plan your area of focus: For example, I work specifically in vulnerability and threat analysis / intelligence for people, organizations and assets, where I’m only now breaking into the IT infrastructure side of the house. There are others who focus solely on IT infrastructure.
- If you do not know where you might fit in or where your specific area of interest may be, take some online training. In another post, I wrote about how IntelTechniques.net was a great place for me to start for this, and how it impacted my direction. You can read more about that (here).
- Find books and manuals for your area of focus, especially if the book lends itself well to your training. In my example, I picked up and read a copy of Michael Bazzell’s Open Source Intelligence Techniques ahead of taking his courses, which really helped develop a baseline in his line of thinking and approach.
- Build and conduct full mission profile (FMP) analysis projects to hone your skills, record timing and build reports. It seems like a waste of time, but I promise that it isn’t. When/if you have a report that is polished enough, you can even use a redacted version as a sample report. Further, this will help you identify training gaps.
- Volunteer and part-time experiences are a great way to gain experience and references if you are light on either of these categories.
- Professional references (or referrals for private contractors) are basically gold – make sure to treat them with the same respect.
I hope that this helps people who are thinking about how to break into the field. In other articles (both planned and published) I review training, tools, techniques and examine where recent targets have gone wrong. I also publish some of my own scripts for you to play around with.
If you have any questions I did not go over, are curious about a specific use-case, or anything at all, please feel free to reach out.