Podcasts

Podcasts


Persevering through career setbacks and successes with Micah Hoffman

Micah Hoffman, OSINT expert and SANS instructor, explores the difficulties and the surprising upsides to imposter syndrome, as well as the role of motivation and community connection in building a worthwhile and satisfying career.


Notes:

Though many know him as the author of SANS course SEC487: Open-Source Intelligence (OSINT) Gathering and Analysis, Micah Hoffman didn't initially set out to become a cybersecurity expert. In this episode, Jason and Micah discuss how his early career changes played a role in his experience of imposter syndrome as a cybersecurity practitioner, but also ultimately set him up for success.

He also touches on the importance of being open to unexpected opportunities that together add up to a fulfilling career. They discuss the importance of sharing resources and building community, and share a sneak peek at the newest GIAC cert - GOSI, GIAC Open Source Intelligence.

Bio:

Micah Hoffman has been active in the information technology field since 1998, working with federal government, commercial, and internal customers to discover and quantify cybersecurity weaknesses within their organizations. In 2018, Micah founded his own consulting company, Spotlight Infosec, that focuses on OSINT and cyber security.

To date, he has earned several GIAC certifications and has shared his knowledge with others by speaking at multiple conferences and posting on his https://webbreacher.com blog.

Micah has been a SANS Certified Instructor since 2013. He's the author of the SANS course SEC487: Open Source Intelligence Gathering and Analysis, and also teaches both SEC542: Web App Penetration Testing and Ethical Hacking and SEC567: Social Engineering for Penetration Testers.

Return to Episode List
Transcript:

Jason Nickola: This is "Trust Me, I'm Certified," brought to you by GIAC Certifications, a podcast exploring how to conquer imposter syndrome. Welcome back! Our guest this episode is Micah Hoffman, principal investigator at Spotlight Infosec and SANS instructor for SEC487, their open source intelligence course, which he also authored. Micah has a ton of experience in offensive security, teaching OSINT, and also gave one of the more valuable conference talks about imposter syndrome at BSides a few years ago. This was a really candid conversation with Micah about his path to a career in infosec, building a presence in the security community, giving back, as well as his own struggles with self-doubt and imposter syndrome, which nearly caused him to leave the industry entirely. I really enjoyed this conversation, and Micah offers a ton of useful feedback and tips for anyone else going through similar experiences. So please enjoy, and I hope you like it.

Jason Nickola: Welcome back to the show. We're here with Micah Hoffman. Micah, thanks so much for joining us.

Micah Hoffman: Thanks for having me on, Jason.

Jason Nickola: So one of the first things I'd like to dig into is how did you end up in technology in general. And then later, if you started in general tech, how did you move into security? What was that story like for you?

Micah Hoffman: It's actually an interesting one. I'm on my fourth or fifth career, I'm not quite sure. I have an undergraduate degree in psychology. Got a bachelor's degree there. And I remember when I was walking across the stage, I kind of thought to myself, I really hate psychology. I just - It's not what I want to do. And I remember telling my parents at the graduation reception like, you know what? I don't wanna do psychology. And their faces kind of dropped a little.

Jason Nickola: Every parent's dream, right?

Micah Hoffman: Yeah, exactly. I just paid for this, and now what? But I had already gotten into grad school, and so I went to a couple of years of a doctoral program in cognitive neuropsychology and decided I really liked medicine, so I dropped out of psychology, went over to medicine. I tried to get in med school for a couple years, didn't get in so more failure there. And I was working in a hospital and I was working night shift as a psychiatric nurse's assistant, and I would go out golfing at seven o'clock in the morning when I got off shift. I was out there one day, and the starter at the golf course paired me up with three people, and I had just been told that my hours at the hospital were going to be cut dramatically. And these guys happened to sell computers. And I've always been one of those tinkerers, one of those people that, probably like you and other people you know, that played around with computers. So they said, could you sell computers online? Could I sell them? Of course. And they were like, we'll pay you $30,000. I was like, "$30,000? Yeah!" So I became a computer salesman, and I hated it. Again, just did not like it. So I went into tech support and, fast forward, tech support turned into help desk, help desk turned into setting up my own servers and running websites, et cetera. Then I took a SANS course and found the power of penetration testing.

Jason Nickola: Right.

Micah Hoffman: And that's when I really - I think that was in the mid 2000s, 2005ish years. And that's when I really got into cyber.

Jason Nickola: You know, I like to say that that's a different way and that's kind of a unique path. But the more of these you dig into, especially now where the formal security industry and the higher education space around this stuff is kinda just really developing and coming into its own. I think that there are so many different ways that people over the last 20 years or so have gotten into the security and two things from your story that I really identify with are both looking back and thinking, hey, I was actually like, kind of a tinkerer that was into tech and taking stuff apart and putting it back together before I realized I could work in this, and also starting off in sales. I did the same thing where I worked at a software company trying to do sales and eventually hated that but realized that I love technology. So I can really identify with both of those things. But looking back, you mentioned that you were a tinkerer as a kid and when you were younger. What do you think prevented you from considering that technology was a path for you, something that you could work in and be a professional and make a career in?

Micah Hoffman: I didn't think there was anything that prevented me. I grew up in the 1980s and at that point, the careers in technology that were out there that I knew about were either people teaching me how to do basic computer stuff, which I didn't want to do. Or, you know, classic, formalized programming and things that took a long time to study for. I didn't really get into it. I was into bulletin boards and BBS and those types of things. But it just wasn't my interest to do computers professionally, because I guess I wasn't aware of the space and cybersecurity hadn't really been invented back then. So, yeah, I just think it wasn't on my radar.

Jason Nickola: Right. I think that's so common even now, as we mentioned there are formal industries are on this stuff and lots of higher education programs. I think that we still have a challenge of how do we communicate with kids and high school age people, even some adults that are looking for the right career to get into. How do we find some of those intangibles and people that want to tinker and play and be creative and break stuff and fix stuff? How do we get in front of them more often? It's easier now than it was 20 years ago. But it's interesting as so many things progress that a lot of other things stay the same, and we have some of the same challenges.

Micah Hoffman: You brought up an excellent point there. So I used to run a team of penetration testers and vulnerability assessment people as part of one of my previous jobs, and what I found when I looked to hire people was I wasn't necessarily hiring for somebody that could code in python and break into a directory server or hack a website. I was trying to hire for those intangible types of qualities and attributes or traits of a person. The dedication, the determination, the initiative, the problem solving, the puzzling, the inquisitiveness, the curiosity, those types of things were always the predictors of a successful penetration tester or a security person. Because, you know, I can teach anybody how to hack a website, but I can't teach them how to be motivated and self-learning.

Jason Nickola: Yes, so true. So when you made the transition and you started working in help desk and progressing from there and really trying to build a career in technology, did you have anyone that was even if not like a direct mentor, somebody that you looked up to or could bounce things off of, or even just a model for someone in the world that maybe looked like you or sounded like you or came from where you came from and you could see that they were doing the same kind of thing?

Micah Hoffman: So when I was coming up and just starting in security, actually, when I was starting in security not really. I was kind of that sole security person or the sole person that cared about security in an environment where we were doing IT. So we were keeping the networks and the systems running. And I always liked to make sure my systems were hardened and do least privilege, and other people just hated me, probably, for doing that, not giving them root on all the boxes. So I was that that lone wolf within our organization mostly. But then as I moved into different places, there were kind of people every now and then. And then once I broke fully into cyber, there were absolutely, not rock stars, but people that were turning out good work and teaching and sharing their information with the world.

Jason Nickola: So, looking back on it, not necessarily having that kind of a model or mentor when you were just starting out, was that a challenge for you? Would you look at it as a challenge now, looking back? Did you think that way at the time? And I don't want to jump too far ahead, but you do a ton in the community and speaking and in trying to help others along in their careers as well. Did your early experience kind of inform how active you are now?

Micah Hoffman: I'm not sure if it's a one for one type of situation where nobody was there for me, and now I'm there for everybody. I think because there wasn't anybody there to help me out at a lot of this steps along my professional development, it made me need to learn, and need to process data either faster or in different ways or through trial and error. You know, I can't tell you the number systems I broke just by trying stuff out. And so I think that not having somebody there fostered that inquisitiveness in me like, I'll figure this out. I'm a capable person. And then, as I got older, I realized that while that works for people like me and others, not everybody is built that way, and having a mentor, having a buddy, having somebody that can bounce ideas with or that could just say, here's the starting point, is really important.

Jason Nickola: Yeah, and what you touched upon there is so true and we're going to dig into imposter syndrome related things like trying to justify your successes. But one of the things that plays in not only that area for me, but also makes me feel kind of guilty is that I feel like our world, in our society, the professional world, and the world of education is really set up so that people who have a Liam Neeson-specific set of skills are more likely to succeed and make it through than others. So if you're a self-starter, that can kind of organize your own thing and you are achievement-based for specific events like test taking, and you can kind of talk your way out of things and be creative in that way. It is far easier to get ahead in the professional world and in the education world than it is if you don't have natural inclinations toward that stuff. And I feel like you want to say these were advantages that I have, and I use them to kind of get ahead. But you also have to recognize that the system is kind of set up in that way. And if you don't do that, then you never look at, well, who are all of these people that not only altruistically we have to try to enable so they can achieve actualization, but also what are we missing out on in terms of our output and the things we can create and the different viewpoints and experiences that we can build into products and solutions and media and things like that. And if you don't go through that process, it's really hard to identify that as a legitimate problem.

Micah Hoffman: Yeah, it's interesting because you don't have to suffer in order to understand the suffering of others. The way that I came up and the way that you can probably came up, and I'm just guessing here, because I haven't done a full background profile on you yet. But the ways that we came up when I was coming up in pen testing, there were those rock stars, those people that were out there and leading the way and all, and not everything in pen test was new but it was very segmented until we started coming together. And then what happened is that we had this in-flood of people and commoditization happened, right? So you no longer have to be that uber top person in the exploit development process who lives and breathes assembly in order to be a pretty successful person within cybersecurity. You can be somebody that comes in, reads the blogs to stay up to date, and does their job and goes home. But when I was coming up that was not the way that we did it, you know, you clocked out of your work and then you went home and you played around on your own home lab and you did other stuff, and I don't think it's a bad thing that we don't have to do that now. But I do think it sets up a differentiation for those people that do tinker and try and CTF on their own versus those that clock in and clock out.

Jason Nickola: For sure, that's a great point. So, you started in the last few minutes to paint kind of an arc in different phases, not only of your own career, but others in the industry. Was there a time when you're moving into tech, you're working IT and help desk, and you're kind of learning and setting up your own labs and everything's new, and you start to get a little bit of power and capability, and you feel really great about things. Was there an early honeymoon period like that for you and then a point where things started to get a little more real and doubts start to creep in as you start to grow and get bigger roles? Or would you characterize it differently than that?

Micah Hoffman: I've been a long-term sufferer of imposter syndrome and making it one of the presentations that I gave at a couple of BSides conferences. I came upon this psychological phenomenon of the Dunning-Kruger effect, where some researchers found out that people that rate their confidence in their ability to get stuff done falsely rate it when they first learned a task because they feel really empowered and super, like I can take over the world and route all the things and then as they realize that they really don't know all the things, that becomes a little bit despairing. And I absolutely had that. I went to my first SANS class and became very powerful. I think I took 504, it's a little hazy for me, but I think I took 504 and I came back to our little test network at the job I was working at. And I said, look, we've got this test network, this is exactly the way our systems are set up, watch me do this. At the time, we were using clear text protocols to manage everything, telnet protocols. So I did some sniffing, I did some of this, you know, pivoted and boom - I owned the entire network and I was the king of that mountain. I knew everything and really, I was the top security professional in my office, just taking that one class. But then I decided to move into the world of cybersecurity. It was very humbling to find out that that was just the very, very basics of what I started learning, and so I had an attitude readjustment.

Jason Nickola: So in the same presentation, or at least one of them where you cover imposter syndrome, you talk about the period where you actually considered leaving infosec altogether and moving on to another career field. Can you talk for a minute about what went into you feeling that way? What you maybe considered moving on and doing and why you ultimately stayed?

Micah Hoffman: Absolutely. That came to a head at DerbyCon in Louisville, Kentucky, in December 2012. I was doing cybersecurity, and like I said, I'd been learning and trying out things, doing things. But there was always a list - I always keep lists of things I want to learn. And at that point in my career, that list was really, really big, and it was so big it was overwhelming. And then I went to DerbyCon and I saw these absolutely amazing, talented people present, and I thought, I'm not doing any of that stuff. I'm not doing this kind of stuff. I don't belong here anymore, and then I thought about all the things I had yet to learn, and I got very overwhelmed and sort of depressed, and it was not humbling. It was debilitating.

Jason Nickola: Right.

Micah Hoffman: And I went back home, and I took some weeks to think about things, and it took me a while to realize that just because I wasn't doing all of those things, I was still worthy, and I was still important in the field. And that's a message that I have to remind myself over and over again as I watch people talk about the latest this or the latest that on Twitter. And I'm like, gosh, I should be doing cryptocurrency right now, and so those feelings of inadequacy are important to keep you grounded. One of the things I've started to do and the perspective change that really helped me most was instead of looking at the people that you deem as ahead of you, or more senior than yourself, look at the people that were where you were or that are where you were when you were coming up. Look at those people that are just starting out, the people that are just coming in, because there's a distance that you've accomplished and that you've grown and you know so many more things than people coming up. And that recognition was really, really helpful to getting me not stable, but very subtle and comfortable with "I can't know all the things, but I'm going to try."

Jason Nickola: For sure. Yeah, sometimes you see a quote on a bumper sticker, or a coffee mug, or in a meme or something, and it's easy to dismiss them, but the reason why they end up that way is that they have value and they communicate broadly, right? And one that I really love is that "never forget that at one point, all you wanted was to be where you are, to have what you have, or to be doing what you're doing" and if you are a motivated and achievement oriented person and you're trying to build and grow and you're somebody like you, that would keep a list of the things that you wanted to learn, and you really had that kind of context for it, then there's some point in time where all you wanted to do was break into cybersecurity and be a pen tester. And there was another period of time where all you wanted to do was to teach other people and to learn about machine learning, or how to crack passwords or whatever it is, right. And I know for me personally and people that I identify with having the same line of thinking is it's so easy to be focused on what the next rung is, what the next milestone is, and in really lose sight of the fact that you've done some cool things, that even if you don't have a broader view of what anyone else thinks of them, just for your own personal growth, you are doing things that you set out to do and that you wanted to learn. And it is so easy to dismiss that stuff, but so important to just take a second and smell the roses and realize things are going okay and I'm doing a decent job and maybe cut yourself some slack a little bit. At least that's in my experience. It's easy to say, hard to do, but it's so powerful.

Micah Hoffman: It's extremely powerful and empowering too if you can take that time, that you have that self-reflection and you allow yourself to feel good about what you did. Recently we had our second annual OSINT summit. And by all accounts, from what I've heard from attendees and speakers, everybody had a wonderful time. We had about 130 people here in the Washington, D.C. area, and it was terrific. And when I thought about about all the people that came to learn and to do these things and how I helped this come into play, it was a little overwhelming for me that this is something good that I helped do. But there's the impostor syndrome peeking out. It's that "I helped do this." Many times the successes I have I attribute to a group, or it wasn't my success, it was the team's success, so I can't take the credit, which further fuels imposter syndrome.

Jason Nickola: Yeah, you know, you don't necessarily want to advocate for the opposite, right? You want to spread credit around where it's due and make sure that team efforts reflect the team. But I think what you're getting at is a lot of times - and I can personally identify with this and some of your research into imposter syndrome and other resources - what you find is that people who feel this way regardless of what they end up achieving. There's always some mitigating factor about why it's not that big a deal. And in this case, it wasn't me, it was the team, or even earlier in this conversation saying that, yeah, I've been able to do some things, but it's because the world is set up for me to succeed, which is true in large degree, I think. But there's a constant emphasis on how can I mitigate this, or somebody congratulates you or thanks you for something and says, "you know what? This thing that you did was really awesome." Like I look at the OSINT Summit and general OSINT content and curriculum. Not even just at SANS but overall. And I look at it like, not only is it so cool that you were the head of this conference and people came to the summit and they got to learn, and you wrote the course. But you also did it in an area that is so nascent and there aren't a lot of resources out there, and there are other people making some things happen that deserve some credit. But it's like you're not just producing content in an area where it's not just another Nmap tutorial, right? This is brand new stuff. And I think it's totally awesome and great and so needed, especially for the next phase of things. But how easy is it to just explain that stuff away, and say you know, if it wasn't me, they would have just got somebody else, right?

Micah Hoffman: Yeah, truly, I appreciate the kudos. I'm trying to get used to saying thank you for that and accept the credit, and it is an interesting thing. What I've been able to do within the OSINT community is highlight other people that have been doing good work for a lot longer than I have in OSINT, to bring together resources that have been out there but have been so siloed, or people have not wanted to share for fear that their technique, their tool is going to get banned or blocked by whatever platform. So I think my main contribution to the OSINT world is the publication and the centralization of a lot of these things and in bringing a lot of it to light, like we did in the cybersecurity community 20 years ago. Just saying, hey, you know, yes, I have my own exploits, and I'm not gonna share with anybody. But I also have these that you might find useful.

Jason Nickola: Right.

Micah Hoffman: And that sharing is good.

Jason Nickola: So you mentioned DerbyCon 2012 and getting out and seeing all of the other things that people were doing and internalizing that maybe in a negative way. And if anyone pays attention to you now, over the last few years you speak often, you teach often, you produce a lot of content and you're out there. You're available. It's not hard to find Micah Hoffman out on the interwebs, right? So was that a conscious decision? And was it kind of coupled with you accepting that you can't do all of the things and moving on and trying to do what you actually can do? Or did you start to do that for another reason? So what, basically, was the impetus for trying to push yourself out there in the world and becoming the version of you that you are now?

Micah Hoffman: Well, it absolutely was not a conscious decision. My life, my career has been a series of opportunities that I either took advantage of or I did not. It's that path most traveled versus least traveled, and sometimes the paths are harder than the other path might be. But for me, the progression from cyber person that was working and delivering on some contract somewhere to SANS instructor with a nonprofit and community building and all was a gradual progression of this makes sense for the next step, and the next step, and the next step. It's kind of like the way I code python. I don't create a master document of everything that's going to be in the script and then make this monolithic thing. It's more, well, I know I need to read in a file. So let me make that module and oh, okay, well, that reads in a file. Now I need to make a web call. Okay, let's write that section. So I mean, I went into cyber. I took the SANS class. I had done some teaching. I taught how to be a better parent. And I taught parenting classes for a local nonprofit for many years, and I just love teaching. And the opportunities came to work with SANS, and I took advantage of them. But yeah, I can definitely see how the opportunities that I took helped me get to where I am.

Jason Nickola: Right. So you think it's accurate to describe you as a public-facing person, right? You're not Greybeard sitting in a basement and reigning over your kingdom in isolation or anything like that. I think it's interesting to think about your role, I guess, as a public facing person, as a teacher, as a speaker and a community builder, and your expertise in OSINT. Does your expertise in OSINT help you to be that public facing person? Do you view that process differently? Knowing that the other side of you is to use the information that's out there to achieve outcomes in the security field or what overlap do you see there?

Micah Hoffman: it absolutely is a challenge every day of on one hand, we use social media to find information to answer our questions. On the other hand, social media is a very important method of getting things out. A good example is with LinkedIn. We just got onto the LinkedIn platform and said, you know what? There's no open source intelligence community here. So SANS and I created it, and now we have hundreds of people in there, but when I said hey, everybody come to LinkedIn to share information on OSINT I got so many private messages, like, "seriously, you're doing this? Why don't you just put it on Facebook, Micah?" But it is a challenge. And every day I personally struggle with do I do this, or do I not? And on LinkedIn we have this community, but on LinkedIn I only connect personally with people that I know or have worked with. I won't connect with everybody because I have insights into what you can do with that. So it is challenging, but I have to assume some of the risk and do some of these things to help build the environment, the community, the companies that I want to build.

Jason Nickola: Yeah. I mean, there's a tradeoff if you want to reach people and provide information, and you know the altruistic side of it, but also develop your own kind of personal brand presence and some of the opportunities and things that come with that, then those are the tradeoffs that you have to make.

Micah Hoffman: Well, actually that was something that I spoke - I did a keynote talk at BSidesCharm and the talk was on joining the information security community. So just cybersecurity community, as opposed to the information security industry. And I remember then around that time, I think it was around the 2012 timeframe as well. That or 2013, I made the conscious decision to stop hiding from cybersecurity. I'd always been told stay away from hackers and they work in dangerous and nefarious places and all. And we laugh about this now, but as somebody with previous security clearance and working certain realms, you don't want to mess up. So I stayed away, and then one day my buddy said, "hey, come to NoVA Hackers with me." This northern Virginia hacker group, I was like, ooh, hackers I can't. And then I found out that it's just the word that people use to describe themselves, that they weren't doing anything different than what I was doing. And so I started to change my perceptions of what was out there, and I started to try things instead of just "oh, I can't participate in that."

Jason Nickola: So for other people who are at various phases of their career, whether just getting started out or they're an accomplished practitioner and want to make the jump more into a community member, rather than just a professional in isolation, how do you recommend doing that? What advice do you have for people that are actively trying to get out of their comfort zone and be a member of the larger community?

Micah Hoffman: I think the biggest word I can throw out there is passion: finding your passion. Yes, you can get a certification in whatever type of cyber you want or in OSINT, but if it's not your passion then learning and growing in that area is going to be painful. Within cybersecurity, there are a huge amount of things to be interested in and curious about. What I always tell people that are new to the field is they say, well, should I learn python? No, don't just learn python. Go and find something that's interesting to you, whether it's attack or defense or DFIR or policy or whatever, find something that compels you to learn more, because by learning more you'll get farther than if I assign you something to do. That is absolutely the number one thing that I'd recommend to people is find something, some groups, a project to work on. And the reality is that nowadays there are a huge number of projects, whether it's working on an open source project that you use GitHub for, or whether it's working on a framework or just helping to manage some group somewhere. There are CTFs in people, and resources everywhere.

Jason Nickola: Right. And I think one of the things to keep in mind is that regardless of what phase you're at and why you're putting yourself out there, why you're joining communities or building things, or trying to make information more accessible to others, there's your own personal gain out of that, but you never know how that is going to help other people who see you doing that. So I'll give you a specific example in my own life. I have seen you specifically and others doing things like resume workshops and speaking at conferences and putting meet ups together and trying to disseminate information and make things more accessible and mentor and help people as they're moving through their career and just be open and positive and genuinely caring about the state of other people. And I don't think that you are others or sitting down and saying, "I'm going to do this so that Jason will feel better about doing these things himself." But even if you're just trying to find what that community is, or take your own next step, you really never know how that is going to enable others and when you might be the answer to "I had someone who looked like me and sounded like me and was doing the things that I was fearful of doing." And seeing them do that can be really powerful and enabling. It's hard to do it without it, right? Especially for marginalized pockets of society, if you don't have those kinds of models, and you never know when you are going to serve that for someone else, so there's kind of - we've got here talking about community. There's a larger community conversation. Even if you're just kind of focused on yourself and your own benefits, you never know how people are going to perceive and benefit from seeing you having done that.

Micah Hoffman: Yeah, after I did the impostor syndrome talk, which was on YouTube, I had people come up to me and it was overwhelming in a good way. People still every now and then send me a tweet or direct message saying, that talk you did back when, it really helped me through a tough time. I think that I want to show other people that no matter how far along you are in your career or how much you're deemed an expert or whatever, that there are always things that can trip you up, can slow you down, and make us just as human as everybody else, but you're absolutely right. Whenever somebody tags me and says, hey, you know, this helped, it's an amazing feeling.

Jason Nickola: It is. So let's shift gears a little bit and you have the GOSI certification associated with SEC487, which is the SANS course on open source intelligence that you've authored and kind of spearheaded. When is that launching? How do people get involved with that and why would you recommend that somebody who is a security practitioner, or maybe other industries that might not be so obvious, why should somebody try to get training in open source intelligence and get certified in that?

Micah Hoffman: I think there's really two questions there. One is why get certified and then two is who should really be looking to do OSINT. Obviously, there's OSINT analysts that are out there, all-source intelligence analysts and all. But one of the things that I find is that what we teach in the 487 OSINT class can help everybody from digital forensics people, when they've dumped a phone and they have user names or they have locations or they have a social media profile, we can teach you how to harvest data better. Or pen testers that to recon or social engineering, again, we we'll teach you how to do it a lot better. So there's a huge number of people that should be taking the class. And as more and more people hear about OSINT, the word OSINT, in the world we are getting more of just every type of person in class. And the GOSI GIAC Open Source Intelligence cert is coming out in beta in April and it's coming out live in June. It's kind of the icing on the cake, because if you look at the open source intelligence world, there are places that will train people up and the training usually leads to a certificate of completion. But there's no organization out there that has that I know of an OSINT certification that's recognized or that's made by a certification body like GIAC and has the weight and standardization of GIAC behind it. So I think the GOSI is neat. We actually wanted to call it something that Phil Hagen, the SANS instructor, mentioned. He mentioned it should be like "GIAC ICU" so it'd be like "Gee, I see you." I wanted that, but GOSI sounds all right, too.

Jason Nickola: So, where do you see the next phase of OSINT going? Fairly quickly, it seems as an outsider, that it's gone from kind of a niche thing. I remember being at DEF CON a few years ago and doing one of the badge challenges and mentioning the word OSINT and then having someone make fun of me and criticize me for using lingo that no one else understood that made me sound pretentious. And I was just trying to say open source. So I think very quickly it's gone from something that is more niche and that maybe a few people heard of to now it's this thing, it's here, it's more broad, and we're getting some training and certification like SEC487 and GOSI. But where do you see the next phase of OSINT in the security world, how does it start to fit in to the next phase of things?

Micah Hoffman: I've got a couple of projects that I'm developing that are going to help out the OSINT community, so I can't talk about them directly. But I do think that what the OSINT community and OSINT world needs is more of the rigor and standardization that we've seen in some parts of the cyber security community, whether it's process or it's centralized places to find things. Right now, I'm seeing people share out these cool tweets that tell you how to do this or do that. But it's a tweet, its temporal. It's on a platform that's not great for recording that so I think where we'll be going is trying to come together as a community to make some more centralized resources available and agree on things like methodology and other things along that that line.

Jason Nickola: So we've talked about all kinds of awesome stuff on here. What kind of general advice would you give to anyone listening? Who wants to maybe break into OSINT or is trying to build a career in security or battling with some imposter syndrome or trying to get themselves out there in the community - lots of different profiles of people, but general parting advice? If you had one thing to say, what would be?

Micah Hoffman: Find somebody that can help you navigate the waters. Back when I was coming up, I didn't have that, as we talked about earlier. But nowadays, there are so many resources and so many certifications and so many distractions out there that for somebody coming into the field, any field, whether it's OSINT or cyber and just saying, where do I start? It can definitely be a challenge. So my suggestion is find somebody on Twitter or at your work or at your school or somewhere that can be that mentor and help you at least take the first couple of steps. Because once you take those first steps of reading these blogs or getting that book or trying this capture the flag or whatever it happens to be, you start down that path, and then you can figure out what your next step is based upon your interests, based upon your passion. So I think finding a mentor's an important piece of that overall puzzle.

Jason Nickola: I totally agree. That's fantastic advice.

Micah Hoffman: Thank you.

Jason Nickola: Thank you so much, Micah, this has been really great. I appreciate it.

Micah Hoffman: Absolutely, thanks for having me on Jason.

Jason Nickola: Thanks to all of you for listening to this episode and to Micah for joining us and being so honest about his journey and some of the challenges he's experienced along the way. In addition to his work with Spotlight Infosec and SANS, Micah is also a co-host of the OSINT Curious podcast, so definitely give that a listen. And we will be back in two weeks with Chris Elgee, builder and breaker at Counter Hack Challenges. Chris will chat with us about practically applying some of the skills that you're gaining through self-study or training and how to do lots of cool and crazy things with the new infosec skills that you build up. So definitely keep an eye out for that. Visit giac.org/podcast to sign up for updates and to receive alerts about each episode as they're released, and definitely subscribe and follow us wherever it is that you get your podcasts. Thanks and we'll see you soon!

Receive GIAC Podcasts Alerts