The Physical and the Digital of Open Source Intelligence


January 20, 2020 • Monica Todros

Our guest this week is Nico Dekens. Online, people know him as the “Dutch OSINT Guy,” a handle he’s earned through his extensive knowledge and background in open source intelligence.

Nico shares his own history getting into the field, as well as some real-world examples of how he goes about gathering OSINT, and how individuals can do a better job protecting themselves online. And, of course, we’ll get his insights on threat intelligence as well.

This podcast was produced in partnership with the CyberWire.

For those of you who’d prefer to read, here’s the transcript:

This is Recorded Future, inside threat intelligence for cybersecurity.

Dave Bittner:

Hello everyone, and welcome to episode 142 of the Recorded Future podcast. I’m Dave Bittner from the CyberWire.

Our guest this week is Nico Dekens. Online, people know him as the “Dutch OSINT Guy,” a handle he’s earned through his extensive knowledge and background in open source intelligence.

Nico shares his own history getting into the field, as well as some real-world examples of how he goes about gathering OSINT, and how individuals can do a better job protecting themselves online. And, of course, we’ll get his insights on threat intelligence as well. Stay with us.

Nico Dekens:

I have a background in the government, Dutch police to be precise. I’m an intelligence analyst, and I worked there for over 23 years building the Open-Source Intelligence Framework for Dutch law enforcement, as well as teaching almost each and every governmental body that conducts open-source investigations. And currently, I’ve shifted to Bellingcat and there, they bombarded me to be a manager and a senior investigator.

Dave Bittner:

Now, were you someone who was interested in this sort of thing when you were coming up and growing up?

Nico Dekens:

Yeah. Well, I was always very interested in computers and IT in general, but especially finding out stuff and bustling. That has always been my hobby, so I made my job my hobby, basically.

Dave Bittner:

Yeah. Good for you. Well, let’s go over exactly what OSINT is. For folks who may not be completely familiar with it, how do you describe it?

Nico Dekens:

I would describe it as finding open information, and it could be anywhere. It could be on the internet, it could be in a library, could be by looking in a magazine. So, publicly available information for you to find, for your mother to find, for anyone to find.

Dave Bittner:

And so, how does that come into the work that you do?

Nico Dekens:

Well, when you look at my background, when I was hunting down jihadists, for instance, or domestic terrorists, they are online very often, and they leave traces on their social media and that tells a story about their interests, maybe their contacts, maybe where they have been, all kinds of things. It is the same thing we do at Bellingcat. We try and hold those accountable for wrongdoings, and we do that by finding information, most of the time, on the internet.

Dave Bittner:

Can you give us some examples of how that works? I mean, are there situations where people have been deliberate in trying to hide themselves, and yet, they just, they can’t help sharing some information inadvertently?

Nico Dekens:

Yeah. Well, there’s always a vast majority of people who make it their day job to be, let’s say, on the down-low or not to be found, but there’s always someone around them who will tell a little detail, maybe in a picture from their daughter, or maybe someone else in a restaurant or in the gym where they hang out will take a selfie, and we can see based on their likes, for instance, that they hang out in the gym very often. Then we go look at that gym, and we look at pictures of the gym and we see the person of interest in those pictures and we see him talking to someone. And five pictures further, we see them talking to the same person, and that person tagged him or herself in, for instance, the Instagram or Facebook page of that gym. So, now we know the name, and then we can pivot in and, well, you can go deeper and deeper. It’s just finding pieces of the puzzle, and if possible, from two or more different sources. So, one source is no source when it comes to open-source intelligence. You need to verify at all times.

Dave Bittner:

And how do things like facial recognition, and some of the more advanced technologies we keep hearing about, how do they come into the work that you’re doing?

Nico Dekens:

Well, they are coming in more and more. It’s shifting. It used to be a lot of handwork, manual work, but nowadays, the amount of data is so huge that you need to use facial recognition. You don’t need to, but it makes it easier. It makes your process go faster. Also text recognition, or maybe using machine learning to detect certain differences in landscapes or geolocations. We use it, as an example, when you are looking for minefields in war zones, for instance. You can use satellite imagery, just commercial, freely open satellite imagery, and you put some machine learning on top of it and you’ll learn how a landscape looks when it’s filled with mines. And then, you can feed it additional satellite imagery and let it detect areas where mines are possibly placed.

Dave Bittner:

So, it sounds like a situation where combining the technical with the expertise of the people themselves, that you can process a lot more information that you otherwise wouldn’t be able to do?

Nico Dekens:

Yeah, yeah, exactly. So, it speeds up the process, but also, there’s a fallback because, in my opinion, a lot of artificial intelligence or machine learning isn’t good enough yet, so it misses stuff or it misinterprets stuff. So, you need to look at it a little bit more with your own eyes, or maybe let someone else look at it because you’ve stared yourself blind on it already.

Dave Bittner:

I’ve heard a lot of folks who try to set up some sort of false persona online, that there’s common mistakes that they’ll make that connect them to their real identity. Are there any of those that you can share with us?

Nico Dekens:

Yeah. Well, when you look at the darknet marketplaces, which, for instance, law enforcement, and Dutch law enforcement especially, worked on with the FBI, there were always loose ends. They were on the dark web and darknet markets. They were using pseudonyms or false handles, synthetic identities. And what they would do sometimes is use that same handle, or the email address used to sign up that handle, to ask questions on the plain web, and that gave them away. They used to be on the down-low; you couldn’t find them because they only had the handle and only had a dark web Tor connection, but once they started asking questions in specific places on the clear web, you could find them and identify them.

Dave Bittner:

Does it ever happen that you end up with a dead end? Is it-

Nico Dekens:

Oh yeah. My job is 90% of the time getting into a dead end. That’s what people forget when you conduct open-source intelligence. As an example, you walk on a road and you go left and right and each and every time you will end up at a dead end, but you did explore that road, so you learned a lesson. You got intelligence, you found information, and you must keep track of that information, because being at a dead end today doesn’t mean that same dead end won’t have new information tomorrow, because now a Google crawler went by it and indexed new information which you didn’t find the day before. So, yeah, there are a lot of dead ends, but even the dead ends can come alive again.

Dave Bittner:

And I suppose, also, knowing where not to look is a valuable bit of information as well.

Nico Dekens:

Yeah, for sure. Because you develop, let’s say, a third eye to look for certain pieces of information on websites. So, when I look at a picture and I need to geolocate it, I won’t look at the persons in the picture, but I’ll look at the surroundings because they tell where it’s at. Or something else: when you look in documents, a PDF document may have metadata underneath it, so it will provide you something about the machine of the person who wrote the document, or maybe they will just have their contact info at the close of the document. So, yeah, like you said, you know where to look once you do this on a daily basis.

Dave Bittner:

What’s your advice for people who are out there trying to strike that balance between maintaining a good level of privacy online but also not going overboard realizing that there’s always going to be some information out there?

Nico Dekens:

The good thing is a lot of search engines will provide you with the right to be forgotten, so you can provide them the information which they index, which you don’t want to have pop up anymore when people search your name, for instance. But you can also think of adding noise if you don’t want to be found, or generating a little bit of noise, for instance. Generate your name with a lot of telephone numbers which you don’t own just to keep the adversary busy, for instance. I don’t think you can hide from the internet anymore, but it’s just being aware of: is it necessary to share all the information that people share nowadays? Is it necessary to share each and every vacation picture which tells a story of you, or maybe your job, or maybe your financial position, or something else?

Dave Bittner:

Yeah. That’s a really interesting insight. I suppose a lot of people just share reflexively without maybe thinking that’s … There’s that saying, whatever you share on the internet is kind of there forever.

Nico Dekens:

Yeah, yeah. But I recently got a fairly good example. There was a CEO of a certain big company, but he had his badge, his door badge, on his neck, but he wasn’t aware of it, obviously, because a red team found that picture. And that picture, actually, was taken at his PA’s birthday, so they took a picture with cake and everything and celebrating. But he wasn’t aware that that specific badge picture was essential for the red team to copy and mimic and get into their company.

Dave Bittner:

Wow. That’s really interesting. I want to talk about threat intelligence with you a bit. What is your take on threat intelligence? What part do you think it plays in an organization’s defenses?

Nico Dekens:

Well, especially nowadays in the digital age, I think if you’re a self-respecting company, you should do a little bit of threat intelligence. See how your adversary talks about your brand, for instance, but also, are we being attacked and how severe is the attack? Where’s the attack coming from? What are they aiming for? What is my personnel giving away? Because they’re, most of the time, the weakest link. Well, the example I just gave a minute ago is basically a form of threat intelligence. Is it necessary to not let people wear their badges out in the open just because we want to keep safe and we don’t want to have people copying it? So, yeah, it’s two parts. It’s the digital part, so the digital and tech part, and it’s the physical world part, which you can still find in open sources nowadays.

Dave Bittner:

Yeah. And how much does that real-world part, the part that’s not digital, how much does that play into the work you do?

Nico Dekens:

Well, I think it depends on the job you have. For instance, like I said, red teaming, they do a lot of social engineering. And before they do the social engineering, they can do a lot of online reconnaissance, open-source intelligence basically, which helps them to talk themselves into a system or gain access to a certain door, for instance, because they now have a pretext and the story based on the intelligence gathered. So yeah, I think the real world blends in very well. But also, when I commute or travel, I see people typing in their passcode, and then I can shoulder them and I can see their social media accounts. For instance, if I was a private eye and I didn’t know where to look and I couldn’t find them, I might tail them and find their social media accounts then, and then go back to the office and pivot off that information.

Dave Bittner:

How does this affect you personally? Do you ever find yourself just being extra careful? Does any sort of paranoia set in knowing what you know?

Nico Dekens:

Yeah. I used to be, I think, a little bit more paranoid when I was in law enforcement and doing the covert ops stuff, but now, yeah, I’m aware but I’m also fairly certain even if you step up your operational security to the maximum level, people with bad intentions can and will get in if they want to. I think it’s more of being able to detect anomalies and then take your countermeasures.

Dave Bittner:

What sort of advice do you have for someone who might be considering a career working with open-source intelligence? What sort of aspects do you look for in someone who, for example, you would hire to do that sort of work?

Nico Dekens:

First of all, I would look for people who have a lot of tenacity. That’s really important because you will, like we said, end up in a lot of dead ends, so you must not give up ever. You must be willing to spend a lot of time behind a screen, but also you must be good at puzzling and being a devil’s advocate. Because it’s fairly easy to find a lot of information, but it doesn’t become intelligence until you refine and analyze the information to make a decision on it or take action on it.

Dave Bittner:

Yeah. It must be exciting when those pieces fall together and when all that hard work pays off.

Nico Dekens:

Yeah, yeah, absolutely. It’s absolutely satisfying when you solve the puzzle, basically. Beat him. That’s what you do it for. That’s what drives me all the time, finding that new tool that gives me that extra piece of information that no one knows how to find or maybe see that little detail in a picture because I just bought a higher resolution screen which gives me more depth and color so I can see a detail and that is the breakthrough in a certain case. So, yeah, that’s it. Yeah. That’s what I do it for, for that rush.

Dave Bittner:

Our thanks to Nico Dekens for joining us.

Don’t forget to sign up for the Recorded Future Cyber Daily email, where every day you’ll receive the top results for trending technical indicators that are crossing the web, cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses, and much more. You can find that at recordedfuture.com/intel.

We hope you’ve enjoyed the show and that you’ll subscribe and help spread the word among your colleagues and online. The Recorded Future podcast production team includes Coordinating Producer Monica Todros, Executive Producer Greg Barrette. The show is produced by the CyberWire, with Editor John Petrik, Executive Producer Peter Kilpe, and I’m Dave Bittner.

Thanks for listening.
