8th Layer Insights 9.26.23
Ep 38 | 9.26.23

OSINT, Curiosity, Creativity, & Career Pivots: A Conversation with Rae Baker

Transcript

Perry Carpenter: Hi, I'm Perry Carpenter. You're listening to "8th Layer Insights". If you've been listening to the show for a while, you'll know that we've touched on the topic of open-source intelligence, otherwise known as OSINT, several times. Open-source intelligence investigation is an area of cybersecurity and penetration testing that has been getting a lot of attention over the past several years. Cybersecurity company CrowdStrike defines open-source intelligence as the act of gathering and analyzing publicly available data for intelligence purposes. And when you think about the digital world that we currently live in, where we have this proliferation of personal, organizational and governmental data on the internet, we think about the social, the economic and the political factors that motivate crime and cybercrime. And we have the very simple fact that data likes to leak and likes to move around. With all of those factors, I think we can safely predict that OSINT investigation techniques will continue to be in demand for the foreseeable future. My guest today is Rae Baker. Rae is the author of the book "Deep Dive: Exploring the Real-World Value of Open-Source Intelligence", which was released in April of this year, 2023, from Wiley Publishing. In this discussion with Rae, you'll hear a bit about her career pivot to OSINT specialist from being a graphic designer, how creativity fuels her job, advice for aspiring cybersecurity and OSINT professionals and a whole lot more. So on today's show, OSINT, curiosity, creativity and career pivots. Welcome to "8th Layer Insights." This podcast is a multidisciplinary exploration into the complexities of human nature and how those complexities impact everything from why we think the things that we think, to why we do the things that we do, and how we can all make better decisions every day. This is "8th Layer Insights", season four, episode eight. I'm Perry Carpenter. Welcome back.
Okay, let's dive right into this interview with Rae Baker.

Rae Baker: My name is Rae Baker. I am a senior OSINT analyst for a large consulting firm. My main focus personally is maritime and some professionally. I have volunteered with several OSINT-related organizations like NCPTF and Operation Safe Escape. And I was on the executive board of OSINT Curious. I am also a private investigator licensed in my state. I think that's it.

Perry Carpenter: That's a lot. And then just for people that aren't familiar with the acronym.

Rae Baker: NCPTF.

Perry Carpenter: Yeah, the National Child Protection Task Force, right?

Rae Baker: Yep.

Perry Carpenter: So let's start really broad for people who have seen the acronym OSINT around a lot and have made some assumptions about what it means. From your perspective, what is the best way to describe OSINT, and where does it fit in within the cybersecurity or security discipline?

Rae Baker: So OSINT stands for open-source intelligence and it is a passive reconnaissance activity. And what that means is I am not logging into anyone's computer. I'm not hacking them. I'm not, you know, using passwords, anything like that. I'm not calling people like a journalist would. I am just finding information on people, places, things and reporting on it.

Perry Carpenter: Okay.

Rae Baker: And sometimes that gets taken further to a pen test team. It's like the first stage in pen testing or it gets passed on as a report and then more analysis is required.

Perry Carpenter: So describe how you got into this. I mean, how do you build a skill set and where does your part come in to focus and then where do you do handoffs?

Rae Baker: I kind of have a weird background.

Perry Carpenter: I love weird backgrounds.

Rae Baker: Before open-source intelligence, I was a graphic designer, majority print design, some digital. And I did that for about 15 years and I wanted more money. It doesn't pay well to be an artist, unfortunately. And just a change of pace. I kind of feel like I settled with design and that I could do something more, just more technical, more exciting. So I started going back to school. I'm still at Penn State for security and risk analysis. And when I did that, I didn't want to throw my money away.

Perry Carpenter: Yeah.

Rae Baker: So I made a promise I was going to like do everything I could. So I started blogging. I started doing podcasts and stuff. And I went to the Layer Eight Conference and there I played in Trace Labs, which is a missing person, capture the flag. And I realized there after I played that, that one of my favorite things, true crime and this thing I'd never heard of, open-source intelligence -- I mean, it was like a straight connection to that. And I was like, I have to do this. This is it.

Perry Carpenter: Right.

Rae Baker: So I went home and I started picking things. You know, I'd look on Twitter, I'd find somebody doing something cool in open-source intelligence. I'd follow them. And then I'd write a blog about what they're doing, the technique to try, and not write for other people. And it was mainly for myself.

Perry Carpenter: Right.

Rae Baker: So I would learn these techniques through writing a blog. And that's kind of how I fell into maritime too, because I had written a few blogs and then I was looking for something new and somebody had posted something about maritime and I looked around and there wasn't much material there. So I wrote a blog and people liked it. And so I wrote another one and then I just rolled into this weird niche in open-source intelligence.

Perry Carpenter: That's so cool. Let me grab a couple of details, because I think this is super encouraging when you think about 15 years of graphic design, deciding that that's not where you want to be for the rest of your career. And then making this almost a counterintuitive pivot to a lot of people, but then finding your passion there. How long ago was that pivot?

Rae Baker: I think I actually kind of entered a job in OSINT because I was reached out to on Twitter and got a good job through the blogging and talks.

Perry Carpenter: Yeah.

Rae Baker: That was about 2019, I believe.

Perry Carpenter: And then how long had you been poking around in the space and blogging and learning and sharing what you're learning while you're still doing graphic design?

Rae Baker: Not too much.

Perry Carpenter: Really? Okay.

Rae Baker: It was probably, maybe a year.

Perry Carpenter: Okay. So one more question there. You went to the Layer Eight Conference, something drew you there. So I'd like to know what drew you there, but then also you mentioned participating in Trace Labs. Had you done any prep or any other OSINT work before that? Or was that your first exposure to OSINT?

Rae Baker: That was probably my first exposure to like case work.

Perry Carpenter: Wow.

Rae Baker: And how I got there was actually just Patrick Laverty, the one who was running it was just nice.

Perry Carpenter: Yeah.

Rae Baker: He knew that I was going to college. So we had a tech club. I ran the tech club at Penn State and I used it not only to help the students like learn and we did projects and stuff, but also like as kind of a networking thing for myself because we had a lot of speakers on, and the way I got speakers was through finding them on Twitter.

Perry Carpenter: Gotcha.

Rae Baker: People within the field who were doing good things, I would just ask them if they wanted to be on, and then they would say yes, and they'd come on, and they'd talk, and then I would keep, you know, the talk going in the background.

Perry Carpenter: Right.

Rae Baker: So I had a lot of connections just from doing that. But he gave us free tickets because the club, he just said, hey, come on down, we're doing some OSINT stuff here. And then I played in Trace Labs, and that was really the first time I had ever heard of OSINT.

Perry Carpenter: Wow. Okay. So now you've gone within four to five years of not even knowing that OSINT was a thing or that you were going to be into cybersecurity as a career to having a book that's published and very well received. So congratulations on that.

Rae Baker: Thank you.

Perry Carpenter: What would you say then to people who are just now starting their career in cybersecurity or feel locked into another career, and they just don't have passion there, but they've been wondering how do they break into this field? Do you need a four-year degree, a master's degree? What are the things where you're seeing people successful now? Because you have an interesting path, and it seems to mirror a lot of the other paths that I've heard more and more recently.

Rae Baker: I think it depends on where you're trying to work.

Perry Carpenter: A lot of it requires a bachelor's degree just to get through HR because they have those filters. But at the time, I didn't have a bachelor's degree. I still don't. I have an associate's degree, but I'm working on the bachelor's, which I don't know if they're like, okay, she's almost there and they check it off. Right.

Rae Baker: But yeah, I think depending on -- I'm in a consulting firm and it's large, and so they definitely filter for bachelor's degrees. But I did get around that somehow. It's not impossible. I would say the biggest thing is knowing how to market yourself. And I think I fell into that really easily because that was my background. I worked on a marketing team for many, many years.

Perry Carpenter: Yeah.

Rae Baker: So it's just a pivot from marketing a company to yourself. And that's what the blogging is, the talks, the podcast. It's just marketing yourself. And you have to come up with who you are, who you want people to think you are online, and then just maintaining that voice of what you do so people recognize it. Like the maritime stuff I do, people know that I do maritime. So they will come to me for maritime. They'll watch my stuff for maritime. You find a little niche in what you want to do and just market yourself towards that.

Perry Carpenter: And another way of saying that might be that one of the ways that you may have been able to move past that degree requirement is that you had a portfolio of work showing your passion, your skillset, your achievements, your networking and connections and all of that other kind of stuff that some people that may have achieved that four-year degree, they're still at square zero on all that other stuff. And so I think that you really kind of demonstrated what a lot of people have yet to demonstrate maybe whenever they finish that degree. So then maybe two points of advice could be, if you're in the middle of getting the four-year degree, don't hold off on doing all this other stuff. You can still start blogging, sharing what you're learning, getting involved in some of these OSINT competitions and CTFs and things like that. And then if you're not in a position to go get a four-year degree, you might be able to still back into it by learning on your own time, sharing and building that portfolio.

Rae Baker: For sure.

Perry Carpenter: I think that's super encouraging. That's really cool. And again, five years out from not having heard the term OSINT to writing a really great book on the topic is amazing. There's one passion project of yours that I want to talk about because it seems like you're taking your passion for design, your passion for true crime, passion for OSINT, and you're also kind of bringing that into another package with the whole Kase Scenarios thing.

Rae Baker: Yes.

Perry Carpenter: Can you describe that? Because I think that's amazing. And I'm surprised that there's not a lot of other competitors out for you right now doing that same thing, because it does seem like kind of the zeitgeist of the day is to be listening to podcasts around this or participating in a game in a box types of scenarios that come once a month. But describe Kase Scenarios.

Rae Baker: So Kase Scenarios is a platform for training people on OSINT techniques. It's an immersive -- it's a story. If you like true crime, we do a lot of true crime stuff, but it puts you in the shoes of the main character. So if it's a journalist or, I don't know, a detective, a private investigator, you are playing as them. If you've ever done a capture the flag or CTF, you get questions and they're not always related to the next question or the question before that. There's no like narrative that's drawing you from the beginning to the end with a story. So that's what we do. You start the game, we have audio, we have voice actors, we have video, which I do. The imagery, like I'll be outside burying something in the dirt and taking a picture of it just to make it look like it's real for the story. And there's no points. It's mainly for learning. When you take hints, it's not just a random hint that says like try X. It's a stakeholder. So it might be your boss, it might be your friend, your co-worker, but they're giving you hints like you're talking to them. So they'll say like, oh, how about you try this password? Or did you look here? And then it keeps you in the immersive part of the storyline.

Perry Carpenter: Yeah, I love that. And I'll definitely put links to that in the show notes as well, because I thought that that was so unique and a great way to flex the creativity in this space and something I think we need to see more of.

Rae Baker: I like having the crossover between design and the OSINT.

Perry Carpenter: Yeah.

Rae Baker: I get to explore all of it, really. And even coming up with the stories like this one we just put out, Betrayal, it's free. And I pulled from all kinds of true crime cases that I know of over years of watching it and put them into here, mushed them all together to make a unique storyline. And I drew up medical examiner reports. I sketched them out and scanned them in. It was very fun.

Perry Carpenter: That's a huge commitment to keep that up and to also make it to where it doesn't just fall apart after a while, start strong and then have the scenario or the minefield of clues start to fall apart or become less significant over time is a big achievement. So that's super cool. And I think people are going to be interested in that. So why don't we zoom out a little bit? When you're talking about OSINT, you're clearly kind of, if you're thinking of Lockheed Martin Kill Chain, you're kind of in that reconnaissance phase.

Rae Baker: Yes. You're not kind of -- you're exactly in that reconnaissance phase. And you mentioned this is all passive from your perspective. If you were to come across a breached database, breached password database, you're not plugging in the passwords to see if they're working or anything like that. Is that correct? That's definitely correct. I will log them down. I will put them in a report. I do not save them. I do not use them. I can use them to find more information, but I won't actively access anything.

Perry Carpenter: Yeah. So you never move from passive to active, which is somewhat more restrained than some of the other people that I've known that have worked in OSINT. So I think that that's notable. From a tools perspective, why don't we describe your workflow, if there's a typical workflow that you think about, and then a typical tool set that you find most useful?

Rae Baker: So for tools, I have a bit of a thing.

Perry Carpenter: Yeah.

Rae Baker: So my book that I wrote focuses heavily on methodology rather than tools, because I believe that you can use any tool if you know the why, like why you're looking, what your next pivots might be, how you find those pivots, then any tool can be used, really. I have some tools that I go to regularly, like Corporate Search, Open Corporates, Corporation Wiki, OCCRP, just some of those standard free types of tools, but I don't connect with any. I don't hinder myself by focusing on tools. I feel like a lot of people coming into the field of OSINT who have never done it before or just starting out, it feels very overwhelming for them when they look at these lists and lists of tools and then they say, like, I can't do command line. I don't know how to use any of these tools. I can't do OSINT. But really, I mean, I think if you have the methodology, like anyone can do it and you don't necessarily need a whole bunch of tools.

Perry Carpenter: I love that. So then that begs the question, from a methodology standpoint, walk us through the broad strokes of that from your perspective.

Rae Baker: I like to do collection and charts a lot. So I'm very visual, obviously, with the design background.

Perry Carpenter: Yeah.

Rae Baker: So a lot of what I do, I will go through and I'll take notes, look at corporate records, names, phone numbers, all of these things, addresses, and I'll put them in a OneNote and then I'll make a chart of it to see how everything connects. And then that helps me add additional pieces to it. And then I get like a full picture of like all of China or whatever I'm looking at. And if I'm not stopped, I could go forever.

Perry Carpenter: Okay. Is there any specific case or scenario from the past couple of years that you've been doing this that stands out as a great story that describes what the heart of OSINT is for you and what the benefit that that has from a cybersecurity perspective? One case that I have done recently is looking into -- and this was just personal work. Yeah.

Rae Baker: I was looking into fishing vessels that were reported as scanning infrastructure. They were just doing their daily routines, but they'd get just a little bit too close to military activity or secret bases or submarines, wind farms, and Norway has been posting news stories about it. So I wanted to kind of recreate some of what I was seeing in their news stories and then see if I could find any more details. And I posted in my blog, but I connected a whole bunch of companies with people and found that one of the biggest companies think it said Noribo, Norbo -- it's Russian.

Perry Carpenter: Yeah.

Rae Baker: So they own a lot of those fishing vessels that are being used for this sort of reported activity.

Perry Carpenter: Ah, that's really interesting. The conclusion of our interview with Rae Baker after this. Welcome back to our interview with Rae Baker. So then if somebody is standing on the outside and they keep hearing about the importance of OSINT or they are very curious about it, what is their first step in trying to learn this in a way that's not going to have baggage associated with it? Like they're not going to get drawn into trying to figure out a thousand different tools, but they're going to start to do it right. What do you recommend somebody's toe in the water is?

Rae Baker: First, I would recommend going onto Twitter or Mastodon, whatever you use for social media. Twitter has a lot of OSINT people on it. Go on there, find somebody who's doing what you want to do and follow them. See how they investigate. If you like what they do, then you can try and emulate it. And then you can pick a news story that reports on details and then you can try to recreate it through your own research. And you can use those experts that are already posting things as a guide to how to do certain techniques. And that's kind of what I've always done is recreate things that other people have done and see if I can do it.

Perry Carpenter: Yeah.

Rae Baker: And then maybe I find more information that's interesting and then I pivot to that and I just try out my own techniques. So I think it's like a practice makes perfect kind of thing.

Perry Carpenter: Right.

Rae Baker: You figure out things along the way and how you want to do them and kind of align it with some experts that you already enjoy their content.

Perry Carpenter: And then are there any qualities, personality traits or anything like that that you've seen that map to a good OSINT professional? Or is it basically kind of curiosity and the drive to continue to look at stuff?

Rae Baker: Curiosity is a huge one. I would also say creativity. Believe it or not, there are quite a few artists who are now OSINT analysts because somehow there's a correlation there with like the creativity and what we have to do as analysts. But yeah, just the willingness to want to go more. You see something interesting and it doesn't just stop there. You want to know who's behind it, who owns these companies, who's doing what.

Perry Carpenter: And then if you would, just tell us a little bit about the book. What was the initial seed for that? What was it like to put something together? I mean, this is a pretty hefty resource as well.

Rae Baker: It's actually bigger than it was supposed to be. I think it was supposed to be 400 pages and it's 500 something.

Perry Carpenter: Yeah. My first book for Wiley was like that too. It was supposed to be a certain page count and then I blew past it by like 150 pages.

Rae Baker: Once I get going, I'm just so excited.

Perry Carpenter: Yeah. Well, and there's tons of great pictures and graphs and everything else in it as well. But talk us through what brought this about and what are you super proud of about it?

Rae Baker: What brought it about was just as everything very happenstance. I have a habit of, for New Year's, I make a New Year's resolution that feels completely untouchable, crazy, insane to me. And then I try and reach it. And that's kind of what I've been doing the whole time. Like be better at public speaking, do a conference. And I just do this kind of every year. And that was my latest wild idea. And I pitched an idea to Wiley and they were like, great. So I just decided to write an OSINT book. And it's a general OSINT book. A very beginner can do it, work through it and understand it. And also intermediate level, there will be plenty of new stuff for you in there. I talk about what OSINT is, how you perform it. And then I talk about ethics and mental health. And when I kind of roll into more of the technical stuff, I talk about social media, intelligence, industrial control systems, of course, transportation, which includes ships, rail, trucks, and just general road shipping and airplanes or aircraft, I suppose, because it covers everything. I also talk about cryptocurrency and financial intelligence related to that. So I think I cover a fair amount of topics that are not often covered in a lot of these OSINT books. So I'm hoping people are excited about these new topics that I'm talking about. But like I said before, it all focuses on methodology. So while I do have a few tools in there that I suggest because I use them, you definitely don't need to know them to read and understand what we're talking about in the book, I hope. And I tried my best to include a whole bunch of pivot charts in there to see how I would have done the work on a specific topic. So if I'm looking into an address, an email address, a ship name, I tried to include a pivot chart. And it was very hard to get them on the page. So I hope you like them.

Perry Carpenter: Nice. So I'm going to put you on the spot then. So as an author who's created a book in this space, if you were to think about or recommend one other book or resource related to OSINT that you hope everybody takes a look at that's not your own, what would that additional resource or book be?

Rae Baker: Oh, there's so many. Of course, OSINT Curious. We have plenty of videos and stuff up and they are amazing. I would also obviously say Michael Bazzell's books because they're like the gold standard, it seems. And then again, I honestly use Twitter a lot. It started to go a little crazy there for a little while, not only because I had a whole bunch of Twitter in the book, but because I use it so much for my investigations. But there are a whole bunch of people who post really good blogs on there on geolocation and ship tracking, flight tracking. You can pick pretty much any area you're interested in and follow a whole bunch of really good analysts and learn a ton.

Perry Carpenter: Okay. Last question for me is, is there a question that you wish that I had asked or thought to ask that for some reason I have with my hard heart not thought to ask?

Rae Baker: I don't think so. We got the book, we got Kase. Sometimes I honestly do so much I forget what I'm doing.

Perry Carpenter: Right. Yeah. Honestly, one of the things I'm most excited about when I look at your profile and for you is the Kase stuff. I think that that's an amazing idea and I hope that it does amazing things.

Rae Baker: We had over a hundred signups for that free one probably in the first six hours.

Perry Carpenter: Wow.

Rae Baker: But I think a lot of the disconnect is people don't know what it is. So we say immersive scenario and people are like, I don't know what that is. They know a capture the flag, but it's not quite that. It's a lot more storyline and video and stuff.

Perry Carpenter: Right.

Rae Baker: So we wanted to put out a free one so people are like, oh, this is what Kase is. Our goal is to create a scenario that speaks to a group of people. So people want to be a private investigator, but they want to see what it's like.

Perry Carpenter: Right.

Rae Baker: In this free one, we're testing out a report. So we're making them report back to us so we can grade it and say it's okay.

Perry Carpenter: That's cool.

Rae Baker: And then we have a dialogue of a stakeholder saying like, good job or no, that's not quite right.

Perry Carpenter: I have another podcast that as part of that had this kind of underground -- it was never really admitted to, but there was an alternate reality game embedded in it that had a lot of CTF-ish like stuff. So things hidden in spectrograms and Morse code that was hidden and everything else. It got a really good following. I've always thought that somebody should marry OSINT work with a true crime podcast and actually have kind of like a real time ARG that is OSINT based.

Rae Baker: Yeah.

Perry Carpenter: So seeing what you're doing with Kase really kind of fired that back up in my brain as well.

Rae Baker: They're so fun to make. It's great when we worked like months on it and then we put it out and people like, this is great.

Perry Carpenter: Yeah. We would do this thing. So really, really complicated clues or what we thought were, and then people would tear them down and just like get to the answer within like three hours of us publishing an episode. And it's really, really cool to watch the ingenuity there, but also really, really frustrating when you think that this should take at least a couple of days.

Rae Baker: When we beta test, it's the weirdest thing. The things we think were hard are easy and the things we think are super easy, no one can get.

Perry Carpenter: Yeah, we're in that space now. We've got a set of like three or four clues that we're going to end the season and nobody's gotten those yet because maybe, and we're trying to hit somebody over the head with it and make it so obvious they missed it.

Rae Baker: Our stories are dramatic, but the questions are supposed to be very close to what would actually be asked if you were doing this sort of work. I mean, as much as we can with the storyline, but it's supposed to give an idea of what that type of work might be like.

Perry Carpenter: I hope that you enjoyed that interview with Rae Baker. And I hope that you can see that open-source intelligence investigation is one of those topics where people can get overly fixated on tools and things like that. But at the core of it, it's really the discipline, the methodology that matters. I also hope that you were encouraged hearing stories like Rae's about how our current job doesn't necessarily dictate what our future job is. If you're not satisfied, you can get into a new career. You can get into a new discipline. It takes curiosity and dedication and time, but you can do it. Use something like Rae's Kase scenarios and her book and all the other things that she mentioned as ways to fuel your journey. And with that, thanks so much for listening. And thank you to my guest, Rae Baker. If you're interested in understanding practical real-world OSINT techniques and methodologies, grab a copy of "Deep Dive: Exploring the Real-World Value of Open-Source Intelligence." It definitely deserves a place on your bookshelf. Also, if you want to find a creative and immersive way to begin practicing your investigative techniques, be sure to check out Kase Scenarios. That's Kase with a K. You can find them at kasescenarios.com. I've loaded up the show notes with more information about Rae, as well as a ton of relevant links and references to the information we covered today. If you've been enjoying "8th Layer Insights" and you want to know how you can help make the show successful, it's actually pretty simple. First, if you haven't yet, please go ahead and take just a couple seconds and give us five stars and leave a short review on Apple Podcasts or Spotify or any other podcast platform that lets you do so. That helps people who stumble upon the show have the confidence that this show is worth their most valuable resource, their time. The second big way that you can help is by telling someone else about the show. 
Word of mouth referrals are the lifeblood of helping people find good podcasts. Oh, and if you haven't yet, please go ahead and subscribe or follow wherever you like to get your podcast. If you want to connect with me, feel free to do so. You'll find my contact information at the very bottom of the show notes for this episode. The show was written, recorded, sound designed and edited by me, Perry Carpenter. Cover art and branding for "8th Layer Insights" was designed by Chris Michalski at ransomware.net. The "8th Layer Insights" theme song was composed and performed by Marcus Moskat. Until next time, I'm Perry Carpenter signing off.