In a recent post, we shared with you some best practices for submitting Call for Presentations (CFP) responses that get selected.
A key point is that the quickest way to disqualify yourself is by submitting a proposal that’s light on detail. We know, you might think you stand a better chance of success if you deliver a neatly packaged, publication-ready paragraph. But we have a content and marketing team standing by to polish up your proposal pre-publication, if necessary. We’d much rather have a robust write-up that tells us exactly what attendees will get out of your talk. After all, we’ve never had an advisory board member reject a submission for being too comprehensive and thorough.
Here is a confirmed talk from Christina Lekati for the 2022 OSINT Summit:
And here’s what Christina gave us in her CFP submission:
This presentation walks you through the workflow of a (sanitized) OSINT assessment case for a high value-target. This case revolves around a company executive a few days before moving into public announcements that were likely to trigger hacktivist groups. Cyber harassment can start from online platforms, but it may also continue into the physical sphere of the targeted individual. Most often, the goal is either to influence the behavior of the target and make them resign, change their decisions and future behavior, or to cause significant psychological distress that will ultimately affect their work performance. Knowing that harassment was a highly likely scenario, the company requested an OSINT assessment on this individual to help them eliminate or manage information that could pose a risk to the individual and ultimately affect his performance and the company. As intriguing as projects like these can be, they require an effective workflow. Conducting OSINT on people can put investigators into endless hours of combing through information and multiple rabbit holes. While discussing the case, the presentation will discuss important OSINT workflow variables such as defining a specific scope and research questions, creating a proper search plan, and reporting effectively.
Presentation of the case storyline: A company executive is about to move into public announcements that are expected to trigger a hacktivist group. The group had previously targeted with harassment campaigns other executives from organizations that had moved into similar public statements. The company (and the executive himself) decide to be proactive and eliminate or manage the digital footprint that could put him, or his family, at risk. This talk presents the workflow of this case, but it will also discuss the workflow methodology. OSINT assessments on people can extend both broad and deep, and therefore, having a concrete search plan is necessary.
For that reason, the introduction will conclude by pointing out that OSINT tools should be used in support of a research methodology and not as a methodology on their own.
Planning & Preparation
Starting an OSINT assessment, one needs to define the scope of the assessment with their client and define specific research questions. When it comes to High-Value Targets (HVTs), the main research requirements usually revolve around categories like:
-Recognizability: (the amount of information an adversary can collect about that. That includes: personally identifiable information, private address(es), predictable routines, family members, and more)
- Accessibility: (the ease with which a stranger can approach them or their private address(es), their level of response and engagement with a potentially unknown individual, the presence or absence of a security detail, and more)
-Vulnerability: (the target’s level of exposure, predictability, profiling accuracy. This category includes adversarial capabilities or determination. For example, based on their previous activity, are they likely to approach or harass friends & family members of their target?)
It is already becoming evident that the above categories can be vague and broad. The analyst needs to discuss with their client and define specific research questions that can be answered in specific terms.
Once the scope and research questions have been defined, it is time to start organizing the OSINT collection process, select the tools you will begin with, assess the OPSEC required for the project, and establish your notetaking and documentation process. For this case, I used the mind mapping tool (XMind). (A visual example of the mind map with some of the research questions will be shown)
Once the information collection phase starts, I try to first aim for the quick and easy wins. Tools that can provide the target’s email(s), the username(s), social media profile(s), etc., are utilized before anything else. Once this information is available, you have a set of initial data points with which you can maneuver easier into other areas of research ? your research questions.
Beyond utilizing tools, you might also need to conduct social media content analysis or use Boolean searches for certain requirements.
For this case, I needed to look into the HVT’s social media and news articles images. Pictures of his home included elements that allowed him to geolocate the address. Google maps & satellite images provided a clear view of the property’s fencing and other security & accessibility characteristics.
Boolean searches will most likely provide additional information. Researching a target’s social media profiles & interviews with keywords such as “routine,” “favourite” etc., help bring up results that may shed light on certain predictable habits. For example, in the case of this HVT, it was found that he was openly expressing his enthusiasm for hiking every second Sunday and of how much he liked the hiking community. This information can be considered a point of accessibility or vulnerability for an adversary that may want to social engineer their way into an account takeover (through a phishing email that uses hiking as a pretext) or weaponize a predictable routine. And while a client may want to share their hobbies with the world, we ought to make them aware of the risks and teach them how to protect themselves against a potential adversary or an attack scenario. An OSINT report is not only used as a vulnerability assessment tool. It is also used as a tool that helps us predict potential attack vectors, and it can also be an educational tool. In this case, it had to be all three things.
Reporting & Delivery of an Intelligence Product
Last, the talk will discuss the value of effective presentation and communication in a report. The report must contain the findings, and the tools & methods we used to reach those findings. Yet this alone is certainly not sufficient for a client. A good analyst needs to also explain what those findings could mean for the client, the risks associated with them, and provide recommendations. All that should be communicated in a way the report’s audience can understand.
This report had two different audiences: The HVT and the company’s security team. Therefore, it contained the following sections:
- An executive summary (that is part of every report).
- A report section addressing the HVT containing the findings, their analysis, risks, and recommendations, all written in a short, concise way.
- A report addressing the security team which also included a detailed account of the tools & processes used to reach each finding.
A report should additionally contain:
- Any research questions you did not find answers to, along with the research process & tools you used throughout your research
- Any potentially important data points that you found but were out of scope. (this is not mandatory, but I do it out of courtesy)
To conclude, I will discuss what happened in the case of the HVT after he moved on with the planned announcements and finalized the story. If the time permits it, I will briefly mention the case of another public figure that did not proactively conduct an OSINT assessment. In that case, the public figure became the target of an adversarial group that moved on with multiple (cyber) harassment actions. (Spoiler alert: their adversaries had already collected too much valuable information on them, and the harassment they had to endure was persistent and severe.)
Christina Lekati is a psychologist and a social engineer. She is also an OSINT practitioner, running corporate and high-value target OSINT investigations to help clients identify and manage risks.
This proposal made it so easy for us to select Christina’s talk. Not only is the content relevant, interesting, and clearly laid out, but we know she’s already done the work, gathered the data, and organized the information. She’s even told us what kind of visuals she’ll include in the final presentation. She even customized her bio to emphasize why she has the credentials to deliver this talk.
This is not a speculative proposal for a talk she’ll start developing if we select it, and Christina’s information is so thorough and well-laid out that we have a high degree of confidence that she’ll meet all our deadlines and deliverables. (Incidentally, we already knew that because she’s spoken at previous SANS Summits, but if you’re new around here, think of turning in a slick CFP submission just like triple-checking a cover letter before you apply for a job. Sloppy errors make us worry that you might not have the attention to detail – or deadlines – that we strive for.)
Maybe OSINT isn’t your thing, and not all of the categories Christina used in her proposal make sense for your prospective talk. But this is an exemplary submission that beautifully highlights the level of detail and preparation that go into creating a high value proposal.
Want to see Christina deliver the talk? Register now for the OSINT Summit, free and virtual on April 7.