Meet Micah Hoffman. Micah has been working in the information technology field since 1998 supporting federal government, commercial, and internal customers in their searches to discover and quantify information security weaknesses within their organizations. He leverages years of hands-on, real-world OSINT, penetration testing, and incident response experience to provide excellent solutions to his customers. Micah is the author of SEC487: Open-Source Intelligence Gathering and Analysis, is a SANS Senior Instructor, and holds GIAC's GMON, GAWN, GWAPT, and GPEN certifications as well as the CISSP. Follow Micah on Twitter @webbreacher and LinkedIn.
Micah Hoffman sits down with Stephen Hart (Marketing Manager / SANS Blue Team Ops) for this conversation.
Stephen: I know a little bit more about you from the SANS side, but let's maybe dial back a bit and talk about you growing up. What drove you into tech? Was there any technology that you were drawn to early on as a child?
Micah Hoffman: It's interesting, because I grew up when computers were really hitting people's houses and, and I grew up with the Atari 2600s and the Commodore 64. I remember my family got our first computer, and we had the Pong game on ColicoVision that was directly connected to the TV, but our first computer was an Apple IIe computer. And it was really frustrating for me at first because my friends were getting the televisions and the Ataris. And my parents were like, yeah, those are gaming platforms, we're gonna get you something else. And they got this really useful, flexible Apple IIe computer that I can remember, we had to make our own games, we had to learn how to program. I remember going to a community center, and taking programming classes in basic and creating my own stuff and just kind of falling in love with but like synching with computers that, you know, I could I could do this stuff.
Stephen: So from from that point, was that a seed that was planted that led to your love of tech? And what made you end up choosing tech and security?
Micah Hoffman: I would say it was. I think it provided the comfort that computers aren't challenging, they aren't scary and it was a place that I felt comfortable. And so I tell the story in a bunch of other locations that my undergraduate degree is in psychology, then I went on to graduate school in a Ph. D program. Then I dropped out of that and went back to undergrad for a pre med degree. Then I tried to get into med school and failed there. And it was at that failure point that I got the opportunity to relook at my life and figure out, okay, medicine is not where I'm going and I don't want to be in psychology. What am I good at? And what do I like? I was working night shift at the hospital doing nurse's assistant duties on a psych ward in a hospital and I would clock out at like seven o'clock in the morning. And then on those days, I go play nine holes of golf because at seven o'clock in the morning, there's nobody on the course. So I play by myself. And one day, the groundskeeper hooked me up with three people that were also golfing really early. And at that point, I learned that I was going to be losing my job at the hospital, just due to downsizing. And the three people that I happened to be hooked up with were people that sold computers to the government. So over the course of 18 holes, they're like, well, could you sell computers? I'm like, Yeah, I could sell computers. I know a lot about computers. Building on that foundation that I'd had for years and it was neat. That was my first job like in the computer field, and was really selling computers.
Stephen: How long before you eventually heard about this company called the SANS Institute? How did that come about? What was your first SANS course?
Micah Hoffman: It was interesting because I did sales in that company and then figured out I hated selling things and then I went into tech support and help desk, and from tech support and help desk I went into servers and routers and switches, and then I had a job working as a contractor for the federal government and I was doing Linux and Unix system administration work. I remember I got a flyer or something like that from SANS, because back then they were all over the place. I'd said to my manager, I need to go to this because security's important, this was way back in 2003-4. I was just a Unix, Linux system administrator. And we had a whole team that did the security and I went to the SEC504 class. And I remember literally falling in love with the security aspect and how I could take this exact stuff and I was one of those guys like: 'Okay, I'm gonna try this on this test network we had at work.' And I brought the SANS books back, put them up in this test environment. I'm like, alright, let's just test out the security of our existing systems that were deployed throughout the United States. And it was terrifying seeing how powerful these techniques I had learned in SANS class, it was terrifying to find out how well they worked on our network. And I was hooked at that point, I was like, This is so powerful and that was my first SANS experience.
Stephen: You found yourself doing other courses from there?
Micah Hoffman: Oh, absolutely. It wasn't necessarily more courses at SANS, although I have done several of them over the years. But it was more the spark that said, I.T. was cool, but there's this other thing and over the past 20 years, I've learned to listen to that spark inside me that says, 'This is okay, but that's more interesting' and move on to those other topics. And that was a big, big shift shift in my life that said, I.T. is cool, but securing things and doing offensive operations, that's exciting!
Stephen: Micah, did you always have this knowledge and this passion for OSINT prior to getting involved instructing for SANS?
Micah Hoffman: I gotta watch how I say this. (laughing )... I always like finding out things about people and systems in a legal and ethical manner. No. I mean, that was one of the things that got me into offensive security when I was doing penetration testing, web hacking was not necessarily the finding the exploit, and that would get me in executing the exploit that would get me into a system. It was, once I'm in there, what can I see that I shouldn't be able to see it. It was almost like cyber voyeuristic for systems I was paid to break into. But I really found that when I was doing those penetration tests, that the more I did reconnaissance, the more effective I was at pen testing. And I remember this one engagement where our process, when we had a web application, we were kind of hack and it was on the internet, our process was to go ahead and just do some searches, do some googling. And I remember taking the name of the site and domain, and running a Google query and getting some documents coming back. And I was like, Alright, well, let's look at this one. It was like a help doc. And I read through the help doc And literally, page two was like, Oh, so you want to get into the application. If you want to get into the application, enter your username like this. And it gave a name and a password like this. And it gave a password. I literally typed in that username and password and I was into the app. And I was like, Wow, this is so powerful. That stuff is out there and if I can find it, I can use it. And that was that was one of those aha moments for me where cybersecurity was cool., but this was exciting. And that was where I remember saying, you know, this is this is the future for me.
Stephen: You talked about pen testing. And that leading to OSINT, even before OSINT had its labeling, and OSINT within the SANS umbrella is something that falls within our blue team curriculum. But I know you always say OSINT is applicable to anyone on different sides of the cyber security spectrum. Want to speak to that a bit?
Micah Hoffman: Absolutely. This is something that I learned as I went through all the different stages of my work, that what we call Open-Source Intelligence. It's really a process and that process is different for each person or team that goes through it. It is something that a lot of different people in most all of the areas that touch on cyber go through, whether you're doing blue team, and you're looking up domains and IP addresses that either have been hacked or are being hacked, or you're digital forensics and incident response person, and you're dumping the usernames off of somebody's mobile device, because you need to investigate that and figure out where those usernames have been used online, or security awareness. I had a great time working with Lance Spitz and the SANS folks over in the SANS security awareness group, helping people understand why they should not be posting this or that to their social media or, or discussing things. OSINT can help show that. And then of course, for for those classic fields, like the reconnaissance stage of the penetration or red teaming cycle, all of them use open-source intelligence in some form or fashion. It might not be like going through the entire cycle, it might not be generating a report that is based upon the intelligence that you've created, but it is going through some of the stages of requirements, gathering data and then analysis in order to achieve some goal.
Stephen: Tell us about SEC487 and what people stand to gain from doing that course?
Micah Hoffman: What I noticed was that within the world of SANS, which by this time, by 2016, or so I'd taken, like five or so SANS classes, or maybe more. I started teaching the SEC542 web hacking class and I'd been teaching it for a while and I noticed that within all of SANS, there was kind of this underlying referencing of reconnaissance or some of these other data gathering techniques, but there wasn't actually a class that was built on, here's how to do your fancy googling well. Here's how to think about bias and analysis, and here's how to go into social media for those things. There was a little bit in each of the different classes that I'd taken. And I thought, well, let's put this all together in one place. And so I pitched the class, the SEC487 class as an introduction to the world of open-source intelligence. And I'm so excited right now. We are just going through another major revision of the class, and it's evolving over the years as social media, as image intelligence, as all of these other related disciplines evolve, the class is evolving to and it's really exciting for me, because I can see the class - what it was back in 2018, when I made it, to what it is now, it's a totally different class. So this class focuses on providing those foundational skills, whether you're doing research into people and looking on social media, or people search engines, and other places, or whether you're doing work in domains and IP and who is wireless networks, we talk about harvesting that data off the internet too and and then there's also business intelligence, competitive intelligence, due diligence. We touch on that, too. And this class is I look at it as the base of a knowledge pyramid where if you take SEC487 and complete all of the objectives and do the labs, you will have a very strong foundation that you can then build upon in upcoming courses that are now starting to appear on on SANS' site, but also just interacting in the world. We've gone through several times in the United States in the world's history, where disinformation and misinformation is out there. And really open-source intelligence is about gathering factual data and gathering other information that you can use to prove, to disprove, to figure out the real story behind things. And I so enjoyed teaching all of my international students about the techniques that they can use, whether they're looking at the disinformation that's being shown in some video or whether they're trying to investigate some crime or other thing or finding missing person. OSINT can can be used for all of them. So we're really focusing very broadly in the SEC487 class.
Stephen: How do you stay up to date on on all the latest things changing and shifting within OSINT?
Micah Hoffman: I've chosen to pick certain platforms that I'm comfortable on. Everybody has their feelings about this social media site or that social media site and the information that can be gained from it. For me using Twitter, following those wonderful hashtags that are out there, like hashtag #OSINT is important, because there's so many people in the world that share great tips, techniques, videos, I was just watching a longtime friend and colleague of mine just sent and just shared, like a five part video series. And I think this speaks to the second part of your question is, is Who do you look to to learn. I recognized long ago that I cannot know everything in any discipline. I can always seek to learn from other people, whether they're more senior than me or just more junior and have a different way of looking at something. So I try to surround myself with those sources in those places that I get the most help from. So Twitter, I'm looking at that a lot, and I get a lot of my data there. But then I'm also on Reddit, I'm also on in the discord. There's a discord that that I'm in the SANS Blue Team discord, which is a free place to talk about open-source intelligence and blue teaming. And then also there's a search light discord, which is another place that has a good ratio of chatter, to really good information. And it's just a place I can drop into get what I need or perform searches to find those bits of data that is useful to me, and a great bunch of people on there, too.
Stephen: I know you're Mr. OSINT. But beyond that, are there other topics or courses within signs that are sort of top of your wish list to still be the student in the classroom?
Micah Hoffman: That's one of those times I look forward to, I talked to a bunch of other people like, Oh, I can't, I can't wait to take this class or that class. And I'm thinking, gosh, I wish I had time to take that you know, somebody else's class, but I'm very excited about the new classes that are coming out in the OSINT area with SEC537 coming out, just finishing up its second beta and SEC587, the more advanced six day class coming out the end of the year. It's, it's exciting for me, because I want to one of those continuous learners, and those classes are interesting. However, if I was looking just across the board, there are so many new classes that are just amazing, or very much updated classes, whether it's wireless, or web apps, understanding all of those kind of related concepts to the world of OSINT helps me be a better person, if I can understand how websites or the cloud services are secured or insecure or put together and hosting things, then I can be a better OSINT person. I don't know how to dissect that stuff. So I don't have a specific classes besides those two OSINT ones, but there are some I've got my eye on.
Stephen: If I'm completely new to the world of OSINT, and maybe have an interest in pursuing this as a career, what advice would you share? Where should that person begin?
Micah Hoffman: It's really neat that you mentioned this, because we got the the second part of that question. There's a lot of resources out there for new people coming in the field. I run a nonprofit organization called OSINT Curious and it's at OSINTCurious.com or OSINTcurio.us. And that organization seeks to be a conveyor of great high quality information about OSINT for free. And we were just doing a live stream the other day and somebody asked 'Well, okay, there's a lot of resources for Beginners, what about the advanced people?' So let me tell you about the beginner and then maybe we can just hit on the Advanced one as well. So for beginners, it's, I've seen a lot of people just get overwhelmed with the amount of data that's being shared. I saw this years ago in cyber, and some of the luminaries in the field made it easier by kind of summarizing all of these talks or resources. In OSINT, there's a ton of resources for beginners and a ton of basic OSINT classes that are free or very low cost. My strong suggestion is, get a Twitter account to watch what's happening. But you need a place if you're going to be getting into this or you are just getting into open-source intelligence, you need a place where you can talk and interact with people. So find a chat group, client, whatever that you're comfortable with, whether it's it's Slack, or discord, or whatever, and interact with people. There are people in these groups that will do everything from sharing videos and book references to answering questions. They have CTFs or capture the flags that they do to keep you engaged and to help you learn, they even do things like talk about dark web and other more discrete topics as well. But joining that community, where you can talk with other people is going to be much, much better in the long run than tweeting out, 'Hey, can you give me some resources', and then you going ahead and, and trying to track those down. And then for those advanced users, what we just said on the using curious webcast or stream was, was essentially go broad and go deep. So instead of just focusing on social media, just focusing on domains and IPs, branch out, find some other disciplines to get engaged with and to to look at, because once you've mastered those basics, those foundations, you now have the comfort to look at that website and look at this website or other sources for data. So go broad and go deep.
Stephen: What is your favorite hashtag for Twitter?
Micah Hoffman: I think my favorite is just the hashtag #OSINT. That's in my Twitter feed. I'm just constantly watching that, and across other platforms as well. But the other one is, is hashtag #OSINTCurious. That hashtag #OSINTCurious is neat. Because what I'm starting to see after the nonprofit being around for about two years, people are starting to use that but to tag interesting tools, techniques, and resources and when they need help to, they're using it as a call for help call for action. And I enjoy seeing all of the things that people are using that Osint curious hashtag with.
Stephen: How do we stay in contact with you? And for those who are maybe watching this video at a later point, how can they join in on the conversation?
Micah Hoffman: There are there are a lot of groups where you can join in and have discussions. The group's where I've chosen to kind of continue that discussion is Twitter like you mentioned also, Stephen you and I run a LinkedIn group on the SANS OSINT community that is open we're always sharing ideas in there and we have 1000s of other people that are that are also in that group sharing things. And then on discord either in the SANSBlue Team discord, and also the search light discord, which is something that we talked about over in OSINTCurious a lot.
Micah is a highly active member in the cyber security and OSINT communities. When not working, teaching, or learning, Micah can be found hiking on Appalachian Trail or the many park trails in Maryland. To learn more about Micah and where you can take his next course — visit his SANS bio page: https://www.sans.org/instructors/micah-hoffman Catch him on Twitter @WebBreacher.