The Audit - Presented by IT Audit Labs
Brought to you by IT Audit Labs. Trusted cyber security experts and their guests discuss common security threats, threat actor techniques and other industry topics. IT Audit Labs provides organizations with the leverage of a network of partners and specialists suited for your needs.
We are experts at assessing security risk and compliance, while providing administrative and technical controls to improve our clients’ data security. Our threat assessments find the soft spots before the bad guys do, identifying likelihood and impact, while our security control assessments rank the level of maturity relative to the size of the organization.
The Audit - Presented by IT Audit Labs
Mastering Open Source Intelligence (OSINT): AI, Tradecraft, and Future Trends
Discover the fascinating world of OSINT (Open Source Intelligence) with expert insights from Melisa Stivaletti on this episode of The Audit!
Hosted by Eric Brown and Nick Mellem from IT Audit Labs, we sit down with Melisa Stivaletti, Chair at Epic and OSINT Director at GuideHouse. Melisa shares her remarkable journey from working at the Department of Commerce to the Department of the Army. We dive deep into the world of OSINT, discussing the nuances of open source research, tradecraft, and the transformative power of AI. Plus, Melisa shares valuable advice for those looking to break into the OSINT field and highlights the importance of lifelong learning.
In this episode, we cover:
▪ The difference between open source research and OSINT
▪ The tradecraft involved in OSINT, including the use of sock puppets
▪ How AI is transforming OSINT and the guardrails needed to manage its use
▪ The critical role of data governance and compliance in OSINT
▪ The future of OSINT and the importance of lifelong learning in this field
▪ Personal stories and advice for those looking to enter the OSINT community
Don’t miss out on Melisa's unique insights and experiences. Listen now and elevate your understanding of cybersecurity and OSINT.
#Cybersecurity #OSINT #InformationSecurity #ITSecurity #SecurityInnovation
All right, you are listening to the Audit Today. We have our usual cast, eric Brown and Nick Mellum from IT Audit Labs, and we're joined by Melissa Stivaletti. She is the chair at Epic and OSINT director at GuideHouse and she has a pretty illustrious career and background. So we're really excited to talk to her today about how she got into the position she's in now and do a deep dive on OSINT and maybe some tools and maybe even get into some deep fake conversation, things like that. So, without further ado, melissa, thanks for joining us. Can you give us a little background on yourself and say hello?
Speaker 2:Yeah, absolutely. Thanks so much for having me. I'm really excited to get to talk with you all for a plethora of reasons, one of which, of course, is that intersection between cyber and OSINT, and I know we'll get into it later, but it's a real privilege to get to be here and join you all today. So a little bit of background on me. My current role is I'm the director for open source intelligence at GuideHouse. Guidehouse is a consulting firm that works across a plethora of different industries. The industry that I specialize in is defense and security. So really looking at the defense intelligence enterprise and the intelligence community for the US government enterprise and the intelligence community for the US government.
Speaker 2:So that's definitely, you know, my specific area which definitely influences my outlook on open source intelligence, and I know we'll get to that a little bit more as well. So, in terms of background, you know, I started out my career in government. I was at the Department of Commerce and at the Department of the Army, spent a couple of years in Afghanistan Nick and I were chatting about that before we started recording today and it was really when I was in Afghanistan the second time that open source intelligence really captured my attention, and that is because it was when the Arab Spring was going on. So, for those of you who aren't familiar with the Arab Spring, it was really a revolutionary time in the Middle East that was driven largely by empowered by social media and the best intelligence available about what was happening, whether it be protests or disruptions to government or whatever like it was all very public and the best information that we could get was from social media, which was unusual for those operating in the intelligence community.
Speaker 2:When I was in Afghanistan, seeing, you know, the information was really coming from the open source domain, I knew that there was a shift happening in where we would find our intelligence and how we would be able to inform policymakers, and so from that point. I really pivoted my career to focus primarily on the open source domain, and so that journey has taken me to serving across the intelligence community, across defense, dabbling some in academia, and it's been an incredible journey. But the position that I'm in right now is by far the most fun I have ever had in my career because I get to feed into and shape future Ocenters, an amazing team of folks in the Ocent field at GuideHouse, servicing clients all over the map, and it is just fantastic. So that is a very long winded answer to your question, but I think I covered it.
Speaker 3:Well, all good, melissa, thanks again for coming on. But just to get to know you a little bit, we'll start with the icebreaker and this one. We just came up with this one right before we started as we were just kind of chatting amongst ourselves, so kind of favorite go-to freezer food, maybe when you were growing up. I think Nick's going to tell us different, but we were joking that Nick likes Hot Pockets, the ham and cheese, oh, my goodness, that's pretty funny.
Speaker 2:So here's the thing I grew up in South Carolina and determined at a very young age, in third grade, that I wanted to be a vegetarian because I didn't want to eat animals anymore. Um, and I have never eaten meat since, of any variety, in any at all. So since I was, you know, a very, um, tiny human, and so, um, freezer meals, uh, were sometimes really important for me because, you know, uh, my mom was a single mom and a business owner and she cooked a lot. But at that point, you know, cooking for a rising vegetarian in the South was a little tricky, and so, I guess I would have to say for frozen foods, there were a lot of these little like pasta, like frozen pasta dishes.
Speaker 2:You know they weren't great, you know, not ideal nutrition wise but, today, man trader joe's has vegetarian frozen food on lock, so there's a lot of really wonderful choices. Now I remember those hot pockets, nick, though I do I score off in all those things.
Speaker 4:I ate too many MREs in my days, so I don't think I would pick up a hot pocket ever again.
Speaker 1:Sounds like Eric's done a little oscent on Nick's eating habits. I'd have to go with the pizza rolls. Yeah, I grew up in a very remote area so not a lot of fast food and things like that.
Speaker 4:Pizza rolls nice, I would say bagel bites. Those were pretty great back then.
Speaker 3:Well, melissa, it's interesting because you and I are very similar Growing up. I started out vegetarian as well at a very young age, and I'm still vegetarian at a very young age and and I'm still vegetarian dabbled a little bit with uh being a vegan for a while, um, but I like pizza too much. Uh grew up also with uh, with a single mother and um, just yeah, that frozen pizzas, I think, were my staple. But to this day, uh and I grew up on the East Coast as well. Especially when I was growing up, though, you'd tell somebody you were a vegetarian and then they'd say, oh well, you eat fish, right? Did you ever get that?
Speaker 2:Oh yeah, all the time, do you?
Speaker 3:eat chicken. What?
Speaker 4:So be pescatarian, right, if you eat fish. Yeah, yeah.
Speaker 1:So, as we were preparing for this podcast, Melissa and I had a conversation on Monday for pre-pro and it came to my attention that there's a bit of a definition difference between the OSINT, that the day-to-day cybersecurity experts like us our team thinks about OSINT in a different way. Melissa, can you explain how you think of OSINT compared to how the general population might think of that?
Speaker 2:Yeah, and it gets, you know it gets even more complicated than that because even internally within the US government and with our partners, you know, abroad, even that you know the definition of OSINT can get really tricky. I would encourage and this will not be the first time I mention this, but I will encourage your listeners to look up the IC as an intelligence community OSINT strategy. It is posted on the CIA website and the DNI website DNI as in the director of national intelligence, and there is a new definition of OSINT in that strategy. But I'm going to zoom out a little bit more and not even get that specific and just talk about the difference in my mind, right, between open source intelligence and open source research. You know, because anyone who's getting on to Google or going to the library or, you know, accessing social media like you could, you're leveraging something that is in the open source domain to gather information. Right, and so leveraging that information, even if it's using really exquisite trade craft or you are using what in open source we call a sock puppet, or which I'm happy to dive into a little bit more as well, like any of those things, right, some people will say, is OSINT, but in my definition right and the definition of the US government it's not, because if you're researching in the open source domain, you're not answering an intelligence requirement.
Speaker 2:So unless a policymaker, government, has tasked you to answer a question that is being used for intelligence purposes, or you are researching for intelligence purposes, it's open source research. It's open source information purposes. It's open source research. It's open source information. You know it's information that you know you're using for an investigation. Maybe we see a lot of really incredible OSINT tradecraft pulled from open source investigations that are used by private investigators and folks in the law enforcement arena, but OSINT with intelligence at its core. It's really important to differentiate that for tradecraft and at least for today's episode, I would just say, if I'm using the word OSINT, I'm talking about a very specific type of activity on the internet.
Speaker 3:Can you give an example of what that trade craft might be for someone who is maybe really unfamiliar with the term, or even what that might look like?
Speaker 2:Absolutely so I don't know if you're a listener or if you all are familiar with digital dust or your fingerprints right on the internet. And if you are researching something, you know anything that you're researching you're leaving behind little fingerprints, um, and someone who is researching for an intelligence purpose doesn't want to leave behind those fingerprints, so they're going to take specific actions to obfuscate themselves, right? They're also going to take specific actions to be able to access the information that might not be readily available, right? So there's some countries in the world where you have to be in that country to get access to their internet, right? And someone who's operating in OSINT is going to use Tradecraft to obfuscate what they're doing, to access information that is, you know, not readily available from just any IP. And you know, from just any IP. And you know the tradecraft can get really, really complicated and deep really fast, and that type of tradecraft is certainly used across a plethora of different disciplines and applications for exploiting the open source domain.
Speaker 4:I got to jump back. Well, first off, I feel like I'm watching an episode of Homeland. Did you refer to something called a sock puppet? Did I catch that right?
Speaker 2:Yes, I kind of wish I had a prop now with like a little sock puppet. I do not. Yeah, a sock puppet. And for any of your listeners, this is not, you know, super secret tradecraft by any stretch. The investigations community uses this terminology. It's when you create an account on Facebook, on Twitter, whatever, and it's not you, it's fake. And so you have a fake account and you use it to research, access, interact with, pull information from corners of the internet. Sock puppets are frequently used to get access where you have to log in to an account. So you might not even be like interacting, you may not like something or message someone or anything like that, but just to get into a platform you have to have a login and so being able to log in. That is frequently called creating a sock puppet. It's also called a persona, but sock puppet is cooler sounding.
Speaker 4:Nick, you may know that as catfishing, Well, I was thinking about social engineering this whole time. But yeah, cat.
Speaker 2:Got you.
Speaker 3:Hey, our intelligence community professionals do not catfish.
Speaker 2:Thank you, Melissa have you known any other Marines that have two hairless cats? You know, I know someone from Army with a hairless cat, but not two. So this is unique, Nick, I'll be inviting myself over to meet the cats. Maybe you can bring them out. You know, I don't know if they're around and you can put them on the video, but like ready.
Speaker 4:We're actively taking name suggestions for the cats. Josh, can you rattle off the list of a few?
Speaker 1:So far we have Edgar Allen Paw and Katy Perry and General Meow. General Meow, the other one, general.
Speaker 4:There you go. Yeah, mr Meow, mr Meow. If you have any suggestions, we're taking them.
Speaker 2:Okay, great. Well, you have to really think about. You know what it would be shortened to, because when you're hollering, you know to get your cat to come to you if they decide that they want to, that day you got to have something short. So if it's, mr Meowgi, like, what are you going to go with? You know, is it like hey, mr Right, you know what's the shortened version of that. It's important.
Speaker 4:This is the heavy hitting knowledge that the listeners are looking for.
Speaker 2:It is really important and since you've taken us, you know you've opened the door, so this is your fault, know you've opened the door, so this is your fault.
Speaker 4:At our, mr Eric Brown, but let me get us back on track for a second.
Speaker 2:This is gonna be for you, Eric, and I have material I now have to offer.
Speaker 4:So my apologies, but please.
Speaker 2:One of my fun facts that I share on the regular is that I rescued a cat from Afghanistan after enlisting him in the Marine Corps as a staff sergeant, so his full name Staff Sergeant Garfield Stivaletti. He was airlifted in a Blackhawk Out of Kandahar, Spent some quarantine time in Kabul and then lived in the lap of luxury In the Stivaletti home For almost a decade. Before going to cat heaven.
Speaker 4:That's the coolest cat story I've ever heard.
Speaker 2:You opened the door. I wasn't going to go there.
Speaker 1:I'm so happy you did. Yes, that was the most epic cat story we've heard thus far on the podcast.
Speaker 4:The highest ranking cat.
Speaker 3:How did you enlist the cat?
Speaker 2:Well, there were a couple of kernels involved. We could do the rest of the episode on that cat.
Speaker 1:Don't not encourage them.
Speaker 2:We're going to need a part, I will be distracted easily.
Speaker 4:I got to know now was there a promotion ceremony? Was there? Was it a field ceremony? You know what? What happened in this enlistment?
Speaker 2:Yeah, I mean definitely a field ceremony, right, because, and um, and he did like have his paw print put on the paperwork I do have, I still have the documentation. Um, we, we've got signatures from two different colonels. Um, it was, it was a whole process and it and it allowed him to get veterinary care. Oh, very cool.
Speaker 3:Nice.
Speaker 4:You took the words out of my mouth. I was going to say that is the best morale booster when I was deployed. We had dogs. We had a Malinois and a Lab Close to us. They weren't directly with us but being able to feed the dogs and throw a tennis ball just for that couple minutes. So I connect there with the morale booster for sure.
Speaker 2:Well, I will plug the organization that helped me rescue him. They're still in operation today. The organization's called NowZad, like the place, so N-O-W-Z-A-D. It is run out of the UK. The founder's name is Penn Farthing. He has been awarded just a number of accolades and different awards from all over the world and media, and he has just published a book about the sort of the final days that his organization was in Afghanistan during the retrograde period to include, you know, the atrocities that happened at Abbey Gate in those final days. So wonderful book, wonderful organization, and if you are a cat lover or an animal lover, check it out.
Speaker 4:It's really cool. That is very cool, melissa. I you know Eric got brought up the cats. I don't think we knew we were going to go to this, this lane, but I'm going to get us back on track with the whole thing.
Speaker 4:Okay, fine, because I'm as much as I'm curious about the field information with the cats. I got to know about, like, what your day-to-day operations are, what, what do you? You know I maybe can't talk about what you're currently working on, but you know, for people that aren't listening what. What does a day-to-day look like for you?
Speaker 2:Yeah, so in the day to day for me right now, I have the privilege of being a director at Guidehouse, so in my portfolio I have a number of different teams that are performing open source support and enabling functions across the intelligence community and the defense intelligence enterprise. And rather than getting into my day to day because at this point I'm doing work about work, not actual work, so it's a little boring I'll talk about what my team does. So on my team we have auditors that work on compliance. So those are generally data scientists or folks that are at least data science literate and they're able to do the really important job of ensuring that US citizens are protected, that those privacy concerns are protected, and so they audit the work that is done by the intelligence professionals doing the collection work to ensure compliance with US law, which I actually think is one of the most important jobs that you can have in OSINT, because it's what sets us apart from all of our competitors, right? I promise you China doesn't have that. I assure you that Russia doesn't have that, and because we take such pride in being compliant with US law and protecting US citizens that that function, I just can't overstate how important it is, right. So that's one of them.
Speaker 2:Another is is really geared towards tradecraft, so we call it signature reduction, which kind of talks about that digital dust that I mentioned earlier and reducing that footprint and maybe getting into the space of sock puppets or personas. And then we have folks that help with just like the day-to-day operations of keeping things on track, because we have people doing OSINT all over the world, you know, in the US government, so making sure that they have the tools that they need. Which leads me into another area that we support, which is, you know, vendor engagement and tech scouting. There's a lot of vendors out there.
Speaker 2:The audit labs might be an example of a particular variety of vendors out there in this space, but we have a responsibility to help the US government make sure that the supply chain is on the up and up, that the tools are the best possible, that the data has integrity, you know. So we spend a lot of time with vendors. I spend a lot of time getting demos of what is possible. I did a webinar a while back with one of our trusted partners called Flashpoint. Guidehouse is a tool.
Speaker 2:Agnostic I kind of don't like the word agnostic because neutral, I think, is better. Agnostic I kind of don't like the word agnostic because neutral, I think is better. Agnostic implies we don't care. We care deeply, but we're neutral about our tool choices.
Speaker 2:We also have data governance specialists, so folks that in the open source domain, data, big data, massive, massive, massive amounts of data Like we, a person could never, never exploit all of it, and so you have to have data scientists and data experts who can, you know, navigate the systems and and the governance of data. You know, metadata is really, really important. And then, finally, another sort of enabling function that we have is strategy. So I will point back again to the ICOcent strategy. It's. Osint is generally funded less than the other ints in the US government and because of that, having a firm strategy for how we spend our money is really, really important. Open source is always punching above our weight when it comes to the rest of the intelligence community, but having a really buttoned up, measurable strategy helps us be even more effective for our customers.
Speaker 4:Melissa with going through all this data. Can you speak to any use of AI technology for this?
Speaker 2:Yeah, no, I totally can. So I will point your listeners to do a little bit of open source research themselves and look up AI and the CIA and see what Google gives them because of the open source enterprise. Um, this is public knowledge. Um, the the lead there at the open source enterprise, his name is Randy Nixon. He's given a number of interviews about this, but the open source enterprise at the CIA has integrated in generative AI into their data holdings to help process and allow for some sense making around their data holdings, and it's been transformative.
Speaker 2:We were, you know, open source was the first in the intelligence community to put this to real practice. So there's a you know a chat like function you know, in there. So I can say, like, why is Russia mad at Poland today? Or like you know what happened in Haiti today? And it'll, and it'll just give me all you know, a full synopsis of you know, all of the sources that we have, and protect the analyst or the collector by giving information about those sources and give more detail and fidelity on the type of source, which is very important, especially when you're dealing with generative AI.
Speaker 3:When you talk about information that might be available to the intelligence community. Snowden's tool X-Keyscore, I believe was the name of it kind of was that early aggregator of information where it could go out and look across the community and be able to pull back data and some of that data was coming from those digital fingerprints or that dust that people leave behind where you could, say, sit on a Tor exit node and scoop up a lot of information coming out of that exit node going out to the internet or wherever it was going, and that, combined with things like super cookies or information that's sitting on ISPs, can start to stitch together a pretty comprehensive set of data about a particular target or targets. But that's really available largely to the intelligence community. When you talk about intelligence, is it that sort of data or is it data that the general public could potentially have access to as well?
Speaker 2:Yeah, so you are now getting into an internal US government debate about the definition of open source intelligence. So that's where you get into commercially available information vice. Publicly available information um could be commercially available to the public. So it could be a subset of PAI, because it's just something that you or I could just go buy Um, and it's a very disconcerting what we can actually buy, because if you have real money, like you know, marketing firms have more open source information than than any of us.
Speaker 2:I mean, have you ever just thought about going, you know, on a vacation where you might get to see whale sharks and then all of a sudden, in your social media feed you start seeing whale sharks? You know, I mean the, the collateral telemetry data, um that is collected on us. The predictive power of it is astronomical, and so here's what I will say the US government is collecting far less than marketers are. So pick your marketing firm and they're the ones that have all the information, and far more than the type that you're referencing. So I would just make the distinction here between truly publicly available information, commercially available information, sensitive commercially available information that is only accessible to the US government, which really, at that point, makes it not open source anymore, then it's in a different category and the follow-up question to that is maybe bringing it down to a corporate level, a non-marketing corporate level, where an organization is trying to get more information on the vendors that they work with.
Speaker 3:We're tool neutral as well. One of the tools I've run across in the past is a tool called BitSight, where it attempts to create like a credit score, if you will, of an organization and how well that organization does security wise. Have they had breaches in the past, or things like that? So do you have any insights or any guidance on those sorts of things or how people could potentially help their organizations if they're in, maybe, that vendor space where they're looking at protecting their company or bringing on new vendors, how they might do that with open source research?
Speaker 2:Yeah, absolutely, and I love that I've already trained you guys to say research and not intelligence, because I was prepared to say that researching a vendor, especially one based in the United States, is not something that the intelligence community would do in in a traditional intelligence role, because we're not collecting intelligence on US persons, and what a lot of folks don't realize is that companies are considered people and so a US company is considered a US person and then not collected on by the US intelligence community.
Speaker 2:And that's where the GuideHouse team that does supply chain risk management is like top notch, because they are using tools that may be very familiar to you all, like LexisNexis and Bloomberg and you know, pick your tool where they are able to really research a vendor and determine okay, well, where is their ownership really and what is? You know, what is their performance like?
Speaker 1:I had a follow-up question circling back to AI and large, large packages of information, and when you're trusting AI to kind of comb through all that and come up with some sort of an assessment, um, do you come across hallucinations and and how do you deal with that?
Speaker 2:We have to to put in guardrails, right, and those guardrails is certainly the human in the loop. So, you know, for any intelligence professional or aspiring intelligence professional out there is like well, ai is going to, you know, take my job or no. So AI is not going to take your job, but AI is going to take the job of people who are not willing to work with AI. So that's kind of my differentiator on that, and having people in the loop is really important. And we also have these guardrails, too, of like I was mentioning the tool that open source enterprise uses. That's generative AI. That's not pulling from the whole internet, right, those are curated sources and then you're categorizing those sources and so then, from there, the information that you're getting, could it still hallucinate? Absolutely, but your people in the loop are going to be there to help mitigate and say, oh, you know what, we don't actually want to put glue on pizza, like I think we're good.
Speaker 4:What about pineapple?
Speaker 2:That's, or you know whatever right it is, having the subject matter expert who knows that topic in that area, saving them the time of reading you know 300 articles and it taking them a month to do it and analyze it. Instead, you're giving them this output and you're having them read and analyze that too, and they are going to be able to to identify what those hallucinations are. Right. Is anything foolproof? Of course not, but it's. It's pretty close and it's better than anything we've been able to do in the past.
Speaker 1:That's interesting because ostensibly, a lot of the things that it's pulling from are different news organizations from across the world that might have their own bias or their own spin on the reporting, and so the nuance is basically left to experts in your field, and what does it look like managing a team of people in the OSINT realm when you're working with all these different professionals that have different expertise? How do you go about managing a complicated group like that?
Speaker 2:Yeah, you know, the critical part of being a good leader in any space is to only hire people that are smarter than you, and so I pride myself on regularly being the dumbest person in the room, which is very helpful, and so I have folks working with me that are able to take these really complicated topics and distill them down into something that policymakers can work with. I am biting my tongue on a comment on policymakers, given the debate last night, so maybe edit that out.
Speaker 4:You're in a very safe place.
Speaker 2:Oh, my goodness. But yeah, so getting you know, distilling down massive amounts of information and getting it to a digestible format for policymakers to make critical decisions is a really um, it's a delicate thing and it requires a really well-rounded team who can all think differently and operate in a safe space so that they can, you know, object and be disruptors. You know, I'm reading a book right now that Carmen Medina wrote about being a rebel in the intelligence community, and you know, one of my jobs, I think, is to protect the rebels in the intelligence community who are thinking differently about these crazy big problems, especially in the data domain, to ensure that they're able to help us navigate it.
Speaker 4:We talked about AI and now you're talking about these. You know extremely smart individuals that are working in this space. Is that the future of OSINT, or you know? What does that look like to you?
Speaker 2:Yeah, you know. So when open source intelligence kind of got its big start, I mean, I think it's been going on for forever, but when, at least in the United States, fibis was founded, right, it was newspapers, predominantly like radio, and newspapers that were being translated by language and subject matter area experts being translated by language and subject matter area experts, and that, when you distill down you know the open source arena, it does come down to those experts, right, the nuance that they're able to pull from information knowing the language, knowing you know the area, knowing the language, knowing you know the area. Really, I don't see that ever being replaced at all. Like, however, I am not going to be hiring a team of 500 people to translate documents, right. So that's where the workforce is changing in open source, because the landscape is changing, and the way that the landscape has changed in the last 10 years has changed the way that open source is conducted.
Speaker 2:And so, for those that are interested in coming into the intelligence community in the open source domain, what I would ask for, I think, from any of them is to be lifelong learners who embrace change, who embrace technology, who are, you know, comfortable being uncomfortable, and who are always thinking of new ways to do things, because the algorithms are always changing, the platforms that are utilized are always changing. You know, kids these days laugh at me because I'm, you know, an elder millennial hanging out on Facebook and they're like, really, you're so lame, you know, and there's so much rapid, rapid change. And so the main thing that we need are lifelong learners who are comfortable with change, because I could go on vacation for two weeks and come back and my skill set be rusty if I'm an open source, because something crazy has happened. You know, open AI has released something that has completely changed the way that I do my job. Like that is a real thing and so you just have to have to lean into it.
Speaker 3:As we pivot into that next generation, if you will, any thoughts on what, what people can do or what are some of the things that we should be thinking about from a policy standpoint. We talked about the debate a little bit earlier and I just know in a couple of days from now, there's going to be memes coming out from the debate, there's going to be fake news, there's going to be fake images, fake videos, fake sounds that somebody who didn't watch the debate or maybe wasn't close to it gets a hold of one of those pieces of media. And the way in which society can be manipulated through fake images and fake sound bites is a pretty important, I would think, area of research that should be done.
Speaker 3:Yeah, there's a lot there, there is Sorry, there's a lot there, eric.
Speaker 2:I'm going to try to break it down into some chunks, one being is the ability to trust the information that we're seeing right in the media. And you know, while I'm shamelessly plugging all kinds of things to include pet organizations, there is the Trust in Media Cooperative, or TIM for short, that one of my mentors and heroes in the field founded. That is really aiming to help with this for the general population right and for public. So I would encourage your listeners to look that up, because I think you'll find some helpful tools that are really accessible on how to sort of validate information that you're getting from the media. The second really has to do with critical thinking. You know, I have a child that I'm trying to raise to be a critical thinker and you know you can't believe everything that you see and you know.
Speaker 2:One of the most important things in intelligence, but also just like in life, is multiple sources for any bit of information. So if you are an average American, you see something you know, get down to the original source and you can. You follow that average American and you see something you know, get down to the original source and you can. You follow that right and and then see who all is reporting on it, who was the first to report on it, and don't just get that information from one source, right? So you have to be willing take the time, and that's the problem is that our, our current society is not willing to take the time, and that's the problem, is that our current society is not willing to take the time. And so that's where organizations like Trust in Media may be able to help. Right, but it's taking time to get there, and the intelligence community is not going to validate, you know, news media for public consumption, like that's not what our remit is. But what is important in open source research is to help identify what is real and what is fake. And, and that is really important.
Speaker 2:The way that the intelligence community is addressing, um, what we call synthetic media, uh, is through a number of different R and D efforts. Um, I'll plug one of them now that is publicly accessible. So get out your your Googling fingers, um, and check out um. Darpa, semantic forensics, or semaphore for short. That is a defense research initiative that is coming to the final stages of its work, and Semaphore is, you know, certainly not of a thing, right. Fake information is going to be produced so quickly that being able to identify if it's real or fake it's actually not particularly helpful because we won't be able to keep up with it, and so that's where we're seeing some new ways to look at that information.
Speaker 2:Some people call it narrative intelligence. There's a school in Mississippi, ole Miss, that has a Center for Narrative Intelligence, and they even will call it ICBNs instead of ICBMs, they'll say Intercontinental Ballistic Narratives, right where there's just new narratives being like launched, you know, across oceans into American territory and really gutting us from the inside out. So anyway, I've not answered your question, but there's some food for thought.
Speaker 1:I love to hear that DARPA is developing this technology. You know they've given us so many amazing technologies like GPS, drones, touchscreens what have you? As a musician producer, that's my day trade and it's really kind of flooding the market for royalty-free music, for commercial music. On my Spotify playlist now there's AI-generated content showing up on a daily basis. So I'm glad to hear that there's some heavy hitters in the space kind of coming up with these tools that will hopefully eventually be used to kind of separate the wheat from the chaff. But are there any other technologies that you see emerging that are going to be really important on the horizon for detecting deep fakes or or kind of keeping our democracy safe, keeping our country safe?
Speaker 2:You know, I think I have to go now.
Speaker 2:Really great, yeah, so there are really incredible technologies.
Speaker 2:This is the thing about America, right, like we are so innovative and continue to be innovative, and so we may be inventing, you know, ai, and then, and then also, on the other side of it, inventing countermeasures to deal with the consequences of that AI, right? So you know, I mentioned DARPA and SEMA4, that is one example, right, but we we need more research. So so I think, rather than say what is also out there and there are more things out there but what I'll say instead is to maybe challenge your listeners and just say that this is a field worth entering. There's going to be a market for this field, it's going to evolve and it's certainly an area that's critical for you know, just the general safety of our public and you know the way that we consume information. I don't know that I'm super comfortable going into much more of that, just because in my world of working in open source intelligence, I don't necessarily hit, like US media, validation of information, like that kind of thing. So it's a little bit of a different area, but it's so important.
Speaker 1:Well, I just want to call out we're at 53 minutes into the recording, so it'd be a good time to maybe kind of wrap things up. I would like to ask Melissa, you know it seems like you have a really intense job. I know Eric and Nick do as well. I'm a musician, so it can be intense, but I get to go and play tonight at a pub and have a drink and entertain people, so that's my lane. But I'd like to ask you, you know, what do you do outside of work to kind of relieve the stress and kind of keep a level head and deal with all these things coming at you?
Speaker 2:Yeah, so you know, we we mentioned some of my activities while I was in Afghanistan, amongst rescuing cats. I also practiced yoga when I was in Afghanistan and, as you know, being the only female in many of the places I was practicing yoga, you know, being the only female, uh, in many of the places I was practicing yoga, you know, could draw some attention, and so, um, one thing that I did is I looked around and I said, hey, you, you can only stare at me if you're doing it with me. And so I started teaching yoga, um, all over Afghanistan, um, to, you know, young soldiers. I'd have a guy you know who's working like all day long in the turret or whatever, and he's like, hey, uh, I heard that you could help me with my back, you know, and um, and so I started teaching yoga in Afghanistan without certification or anything. And um, and you know, later became certified and I'm really passionate about about the practice. Um, I admittedly don't get to practice as much as I used to, um, but I will note that, uh, I am able to practice some with my son, which is the other thing that really balances me right. He is almost eight years old and will happily do cosmic kids, yoga with me or go out and just like stretch, and, you know, get our core strong right and do downward dog, and so we definitely do that.
Speaker 2:We really, as a family, enjoy hiking, core strong right and do downward dog, and so we definitely do that. We really, as a family, enjoy hiking and traveling as well. Um, you know I like to explore the world that we're trying to protect. So, uh, my husband and I recently got back from a trip to Patagonia and we had the best time, you know, got to see penguins and hike a glacier and, um, what a, what a wonderful treat to get to see that part of the world. So, you know, having having the, the passion for the world and for my family and and for yoga and my faith as well, um, really help me stay, you know, driven and focused um towards the task at hand, which is really important, and I'm really lucky to have such an amazing team at GuideHouse with me helping. You know our customers try to get to mission success, you know, for national security purposes. So it all comes back together.
Speaker 3:Have you done any of the alternative yogas like the goat yoga or things like that?
Speaker 2:So I have a lot of friends that are farmers and so I'm not particularly willing to pay the premium to do the yoga with the goats when I can just go hang out with their goats and then do my yoga. Um, but I I can be talked into some different kinds. You know, aerial yoga I've I've messed around with that a little bit and uh, and also um yoga on different locations is like I'm here for that. So, um, for for folks in the DC area there's um Project Sunrise look it up. Um, we practice. I say we practice.
Speaker 2:I don't always I get to make it, but um, but we practice at um, the Jefferson Memorial, um, on the mall, like right, you know, over the tidal basin, which you know so inspiring. Um, and it's you know, a group tidal basin, which you know so inspiring, and it's, you know, a group of folks practicing in national security and is definitely supported by some pretty powerful folks in defense and intelligence. To include the founders of a podcast that I love. It's not the Audit, but it's called Iron Butterfly and it features women in the intelligence community over the years. Very cool. And the founders of Iron Butterfly are always showing up to Project Sunrise, so it's pretty cool.
Speaker 3:It's great to hang out with you and hear some of the things that you do in your spare time. One of the questions I wanted to ask you was do you attend any security conferences?
Speaker 2:Yeah. So I love that you asked this question because earlier, you know, when Josh introduced me, he said oh, the Epic Chair and I am the chair for the emerging professionals in the intelligence community committee, for Epic, we're very Epic, Um, and we are a committee for emerging professionals, um, that uh falls under AFCEA, so that's A F? C, EC-E-A. Don't ask me what it stands for, you can look at it, it's armed forces Anyway.
Speaker 2:So AFCEA fantastic organization they put on a plethora of different conferences and I literally go to anything that they put on that I can possibly make it to, uh, because they really are always on, you know, the edge of um quality, technology, information and policy in the security domain, and I'll I'll plug for you know, in August they're having their annual um conference. That is done in um conjunction with another organization that I love very much, INSA, and so INSA and AFSIA put on a joint conference once a year. That is like the event to be at, and that one this year it's totally open every year, you don't have to have a security clearance to attend, and it's a really fantastic way to learn more about what's happening in the broader defense and intelligence communities.
Speaker 3:Very cool. I'm just trying to look up real quick what AFSEA stands for.
Speaker 2:Oh yeah, see if you can, we'll see what your OSINT skills are like. Can you find it? Put them on the spot. I love it, yeah.
Speaker 3:Oh my gosh. Oces Communications and Electronics Association International.
Speaker 2:There you have it, and you know another organization that is really up and coming in the OSINT space that we'll be putting on more and more, you know events is the OSINT Foundation. So you know, another sort of shameless plug. I'm on the events committee for the OSINT Foundation, so the you know another sort of shameless plug. I'm on the events committee for the OSINT Foundation. We've put on like a tech expo and award centers and that kind of thing, but there's more coming down the pike Absolutely From the OSINT Foundation to include, you know, webinars and that kind of thing. So I definitely spend time in all three of those organizations really making sure that my knowledge is up to speed.
Speaker 3:So if somebody is just maybe new in their career or at a point in their career where they want to pivot and go in a different direction, what's a step somebody could take to get into the true OSINT community?
Speaker 2:Yeah, so definitely, you know, if you're a US citizen, the OSINT Foundation is a great place to start. You can really plug in and learn a lot about the community there. But I'd also just recommend some light trainings that will kind of give you a little bit more of a flavor of what the work is. Michael Bazell, intel Techniques, is fantastic. Another trainer that I love is Michael Hoffman. My OSINT training is one that I've done that is cheaper. There's plenty of more expensive ones out there that, like, are cost prohibitive for an individual, just kind of looking to get acquainted. But those are two that are really accessible and, you know, super helpful and just kind of learning a little bit more about OSINT techniques.
Speaker 3:That's great. Thank you yeah.
Speaker 1:Thanks so much, melissa. You have such a wealth of knowledge and experience and we're so honored that you came today and shared that with us Once again. You've been joined by Melissa Stivaletti, osint Director at GuideHouse, and as well as our hosts Nick Mellum and Eric Brown. You've been listening to the Audit presented by IT Audit Labs. I'm your producer, joshua Schmidt.
Speaker 3:You can find us every other Monday on all the streaming services. Please like, share and subscribe, and share us with your friends. Thanks for listening. To improve our clients' data security, our threat assessments find the soft spots before the bad guys do, identifying likelihood and impact, while our security control assessments rank the level of maturity relative to the size of your organization. Thanks to our devoted listeners and followers, as well as our producer, joshua J Schmidt, and our audio-video editor, cameron Hill, you can stay up to date on the latest cybersecurity topics by giving us a like and a follow on our socials and subscribing to this podcast on Apple, spotify or wherever you source your security content.