Notes:
Though many know him as the author of SANS course
SEC487: Open-Source Intelligence (OSINT) Gathering and Analysis, Micah
Hoffman didn't initially set out to become a cybersecurity expert. In
this episode, Jason and Micah discuss how his early career changes
played a role in his experience of imposter syndrome as a cybersecurity
practitioner, but also ultimately set him up for success.
He also touches on the importance of being open to unexpected
opportunities that together add up to a fulfilling career. They discuss
the importance of sharing resources and building community, and share a
sneak peek at the newest GIAC cert - GOSI, GIAC Open Source
Intelligence.
Bio:
Micah Hoffman has been active in the information
technology field since 1998, working with federal government,
commercial, and internal customers to discover and quantify
cybersecurity weaknesses within their organizations. In 2018, Micah
founded his own consulting company, Spotlight Infosec, that focuses on
OSINT and cybersecurity.
To date, he has earned several GIAC certifications and has shared his
knowledge with others by speaking at multiple conferences and posting
on his https://webbreacher.com blog.
Micah has been a SANS Certified Instructor since 2013. He's the author of the SANS course SEC487: Open Source Intelligence Gathering and Analysis, and also teaches both SEC542: Web App Penetration Testing and Ethical Hacking and SEC567: Social Engineering for Penetration Testers.
Transcript:
Jason Nickola: This is "Trust Me, I'm
Certified," brought to you by GIAC Certifications, a podcast exploring
how to conquer imposter syndrome. Welcome back! Our guest this episode
is Micah Hoffman, principal investigator at Spotlight Infosec and SANS
instructor for SEC487, their open source intelligence course, which he
also authored. Micah has a ton of experience in offensive security,
teaching OSINT, and also gave one of the more valuable conference talks
about imposter syndrome at BSides a few years ago. This was a really
candid conversation with Micah about his path to a career in infosec,
building a presence in the security community, giving back, as well as
his own struggles with self-doubt and imposter syndrome, which nearly
caused him to leave the industry entirely. I really enjoyed this
conversation, and Micah offers a ton of useful feedback and tips for
anyone else going through similar experiences. So please enjoy, and I
hope you like it.
Jason Nickola: Welcome back to the show. We're here with Micah Hoffman. Micah, thanks so much for joining us.
Micah Hoffman: Thanks for having me on, Jason.
Jason Nickola: So one of the first things I'd like to dig into is how
did you end up in technology in general. And then later, if you started
in general tech, how did you move into security? What was that story
like for you?
Micah Hoffman: It's actually an interesting one. I'm on my fourth or
fifth career, I'm not quite sure. I have an undergraduate degree in
psychology. Got a bachelor's degree there. And I remember when I was
walking across the stage, I kind of thought to myself, I really hate
psychology. I just - It's not what I want to do. And I remember telling
my parents at the graduation reception like, you know what? I don't
wanna do psychology. And their faces kind of dropped a little.
Jason Nickola: Every parent's dream, right?
Micah Hoffman: Yeah, exactly. I just paid for this, and now what? But
I had already gotten into grad school, and so I went to a couple of
years of a doctoral program in cognitive neuropsychology and decided I
really liked medicine, so I dropped out of psychology, went over to
medicine. I tried to get in med school for a couple years, didn't get in,
so more failure there. And I was working in a hospital and I was
working night shift as a psychiatric nurse's assistant, and I would go
out golfing at seven o'clock in the morning when I got off shift. I was
out there one day, and the starter at the golf course paired me up with
three people, and I had just been told that my hours at the hospital
were going to be cut dramatically. And these guys happened to sell
computers. And I've always been one of those tinkerers, one of those
people that, probably like you and other people you know, that played
around with computers. So they said, could you sell computers online?
Could I sell them? Of course. And they were like, we'll pay you $30,000.
I was like, "$30,000? Yeah!" So I became a computer salesman, and I
hated it. Again, just did not like it. So I went into tech support and,
fast forward, tech support turned into help desk, help desk turned into
setting up my own servers and running websites, et cetera. Then I took a
SANS course and found the power of penetration testing.
Jason Nickola: Right.
Micah Hoffman: And that's when I really - I think that was in the mid
2000s, 2005ish years. And that's when I really got into cyber.
Jason Nickola: You know, I like to say that that's a different way
and that's kind of a unique path. But the more of these you dig into,
especially now where the formal security industry and the higher
education space around this stuff is kinda just really developing and
coming into its own. I think that there are so many different ways that
people over the last 20 years or so have gotten into security, and
two things from your story that I really identify with are both looking
back and thinking, hey, I was actually like, kind of a tinkerer that was
into tech and taking stuff apart and putting it back together before I
realized I could work in this, and also starting off in sales. I did the
same thing where I worked at a software company trying to do sales and
eventually hated that but realized that I love technology. So I can
really identify with both of those things. But looking back, you
mentioned that you were a tinkerer as a kid and when you were younger.
What do you think prevented you from considering that technology was a
path for you, something that you could work in and be a professional and
make a career in?
Micah Hoffman: I didn't think there was anything that prevented me. I
grew up in the 1980s and at that point, the careers in technology that
were out there that I knew about were either people teaching me how to
do basic computer stuff, which I didn't want to do. Or, you know,
classic, formalized programming and things that took a long time to
study for. I didn't really get into it. I was into bulletin boards and
BBS and those types of things. But it just wasn't my interest to do
computers professionally, because I guess I wasn't aware of the space
and cybersecurity hadn't really been invented back then. So, yeah, I
just think it wasn't on my radar.
Jason Nickola: Right. I think that's so common even now, as we
mentioned, there are formal industries around this stuff and lots of
higher education programs. I think that we still have a challenge of how
do we communicate with kids and high school age people, even some
adults that are looking for the right career to get into. How do we find
some of those intangibles and people that want to tinker and play and
be creative and break stuff and fix stuff? How do we get in front of
them more often? It's easier now than it was 20 years ago. But it's
interesting as so many things progress that a lot of other things stay
the same, and we have some of the same challenges.
Micah Hoffman: You brought up an excellent point there. So I used to
run a team of penetration testers and vulnerability assessment people as
part of one of my previous jobs, and what I found when I looked to hire
people was I wasn't necessarily hiring for somebody that could code in
Python and break into a directory server or hack a website. I was trying
to hire for those intangible types of qualities and attributes or
traits of a person. The dedication, the determination, the initiative,
the problem solving, the puzzling, the inquisitiveness, the curiosity,
those types of things were always the predictors of a successful
penetration tester or a security person. Because, you know, I can teach
anybody how to hack a website, but I can't teach them how to be
motivated and self-learning.
Jason Nickola: Yes, so true. So when you made the transition and you
started working in help desk and progressing from there and really
trying to build a career in technology, did you have anyone that was
even if not like a direct mentor, somebody that you looked up to or
could bounce things off of, or even just a model for someone in the
world that maybe looked like you or sounded like you or came from where
you came from and you could see that they were doing the same kind of
thing?
Micah Hoffman: So when I was coming up and just starting in security,
actually, when I was starting in security not really. I was kind of
that sole security person or the sole person that cared about security
in an environment where we were doing IT. So we were keeping the
networks and the systems running. And I always liked to make sure my
systems were hardened and do least privilege, and other people just
hated me, probably, for doing that, not giving them root on all the
boxes. So I was that lone wolf within our organization mostly. But
then as I moved into different places, there were kind of people every
now and then. And then once I broke fully into cyber, there were
absolutely, not rock stars, but people that were turning out good work
and teaching and sharing their information with the world.
Jason Nickola: So, looking back on it, not necessarily having that
kind of a model or mentor when you were just starting out, was that a
challenge for you? Would you look at it as a challenge now, looking
back? Did you think that way at the time? And I don't want to jump too
far ahead, but you do a ton in the community and speaking and in trying
to help others along in their careers as well. Did your early experience
kind of inform how active you are now?
Micah Hoffman: I'm not sure if it's a one for one type of situation
where nobody was there for me, and now I'm there for everybody. I think
because there wasn't anybody there to help me out at a lot of these steps
along my professional development, it made me need to learn, and need
to process data either faster or in different ways or through trial and
error. You know, I can't tell you the number of systems I broke just by
trying stuff out. And so I think that not having somebody there fostered
that inquisitiveness in me like, I'll figure this out. I'm a capable
person. And then, as I got older, I realized that while that works for
people like me and others, not everybody is built that way, and having a
mentor, having a buddy, having somebody that can bounce ideas with or
that could just say, here's the starting point, is really important.
Jason Nickola: Yeah, and what you touched upon there is so true and
we're going to dig into imposter syndrome related things like trying to
justify your successes. But one of the things that plays in not only
that area for me, but also makes me feel kind of guilty is that I feel
like our world, in our society, the professional world, and the world of
education is really set up so that people who have a Liam
Neeson-specific set of skills are more likely to succeed and make it
through than others. So if you're a self-starter, that can kind of
organize your own thing and you are achievement-based for specific
events like test taking, and you can kind of talk your way out of things
and be creative in that way. It is far easier to get ahead in the
professional world and in the education world than it is if you don't
have natural inclinations toward that stuff. And I feel like you want to
say these were advantages that I have, and I use them to kind of get
ahead. But you also have to recognize that the system is kind of set up
in that way. And if you don't do that, then you never look at, well, who
are all of these people that not only altruistically we have to try to
enable so they can achieve actualization, but also what are we missing
out on in terms of our output and the things we can create and the
different viewpoints and experiences that we can build into products and
solutions and media and things like that. And if you don't go through
that process, it's really hard to identify that as a legitimate problem.
Micah Hoffman: Yeah, it's interesting because you don't have to
suffer in order to understand the suffering of others. The way that I
came up and the way that you probably came up, and I'm just guessing
here, because I haven't done a full background profile on you yet. But
the ways that we came up when I was coming up in pen testing, there were
those rock stars, those people that were out there and leading the way
and all, and not everything in pen test was new but it was very
segmented until we started coming together. And then what happened is
that we had this in-flood of people and commoditization happened, right?
So you no longer have to be that uber top person in the exploit
development process who lives and breathes assembly in order to be a
pretty successful person within cybersecurity. You can be somebody that
comes in, reads the blogs to stay up to date, and does their job and
goes home. But when I was coming up that was not the way that we did it,
you know, you clocked out of your work and then you went home and you
played around on your own home lab and you did other stuff, and I don't
think it's a bad thing that we don't have to do that now. But I do think
it sets up a differentiation for those people that do tinker and try
and CTF on their own versus those that clock in and clock out.
Jason Nickola: For sure, that's a great point. So, you started in the
last few minutes to paint kind of an arc in different phases, not only
of your own career, but others in the industry. Was there a time when
you're moving into tech, you're working IT and help desk, and you're
kind of learning and setting up your own labs and everything's new, and
you start to get a little bit of power and capability, and you feel
really great about things. Was there an early honeymoon period like that
for you and then a point where things started to get a little more real
and doubts start to creep in as you start to grow and get bigger roles?
Or would you characterize it differently than that?
Micah Hoffman: I've been a long-term sufferer of imposter syndrome
and made it one of the presentations that I gave at a couple of BSides
conferences. I came upon this psychological phenomenon of the
Dunning-Kruger effect, where some researchers found out that people that
rate their confidence in their ability to get stuff done falsely rate
it when they first learned a task because they feel really empowered and
super, like I can take over the world and root all the things and then
as they realize that they really don't know all the things, that
becomes a little bit despairing. And I absolutely had that. I went to my
first SANS class and became very powerful. I think I took 504, it's a
little hazy for me, but I think I took 504 and I came back to our little
test network at the job I was working at. And I said, look, we've got
this test network, this is exactly the way our systems are set up, watch
me do this. At the time, we were using clear text protocols to manage
everything, telnet protocols. So I did some sniffing, I did some of
this, you know, pivoted and boom - I owned the entire network and I was
the king of that mountain. I knew everything and really, I was the top
security professional in my office, just taking that one class. But then
I decided to move into the world of cybersecurity. It was very humbling
to find out that that was just the very, very basics of what I started
learning, and so I had an attitude readjustment.
Jason Nickola: So in the same presentation, or at least one of them
where you cover imposter syndrome, you talk about the period where you
actually considered leaving infosec altogether and moving on to another
career field. Can you talk for a minute about what went into you feeling
that way? What you maybe considered moving on and doing and why you
ultimately stayed?
Micah Hoffman: Absolutely. That came to a head at DerbyCon in
Louisville, Kentucky, in December 2012. I was doing cybersecurity, and
like I said, I'd been learning and trying out things, doing things. But
there was always a list - I always keep lists of things I want to learn.
And at that point in my career, that list was really, really big, and
it was so big it was overwhelming. And then I went to DerbyCon and I saw
these absolutely amazing, talented people present, and I thought, I'm
not doing any of that stuff. I'm not doing this kind of stuff. I don't
belong here anymore, and then I thought about all the things I had yet
to learn, and I got very overwhelmed and sort of depressed, and it was
not humbling. It was debilitating.
Jason Nickola: Right.
Micah Hoffman: And I went back home, and I took some weeks to think
about things, and it took me a while to realize that just because I
wasn't doing all of those things, I was still worthy, and I was still
important in the field. And that's a message that I have to remind
myself over and over again as I watch people talk about the latest this
or the latest that on Twitter. And I'm like, gosh, I should be doing
cryptocurrency right now, and so those feelings of inadequacy are
important to keep you grounded. One of the things I've started to do and
the perspective change that really helped me most was instead of
looking at the people that you deem as ahead of you, or more senior than
yourself, look at the people that were where you were or that are where
you were when you were coming up. Look at those people that are just
starting out, the people that are just coming in, because there's a
distance that you've accomplished and that you've grown and you know so
many more things than people coming up. And that recognition was really,
really helpful to getting me not stable, but very settled and
comfortable with "I can't know all the things, but I'm going to try."
Jason Nickola: For sure. Yeah, sometimes you see a quote on a bumper
sticker, or a coffee mug, or in a meme or something, and it's easy to
dismiss them, but the reason why they end up that way is that they have
value and they communicate broadly, right? And one that I really love is
that "never forget that at one point, all you wanted was to be where
you are, to have what you have, or to be doing what you're doing" and if
you are a motivated and achievement oriented person and you're trying
to build and grow and you're somebody like you, that would keep a list
of the things that you wanted to learn, and you really had that kind of
context for it, then there's some point in time where all you wanted to
do was break into cybersecurity and be a pen tester. And there was
another period of time where all you wanted to do was to teach other
people and to learn about machine learning, or how to crack passwords or
whatever it is, right. And I know for me personally and people that I
identify with having the same line of thinking is it's so easy to be
focused on what the next rung is, what the next milestone is, and to
really lose sight of the fact that you've done some cool things, that
even if you don't have a broader view of what anyone else thinks of
them, just for your own personal growth, you are doing things that you
set out to do and that you wanted to learn. And it is so easy to dismiss
that stuff, but so important to just take a second and smell the roses
and realize things are going okay and I'm doing a decent job and maybe
cut yourself some slack a little bit. At least that's in my experience.
It's easy to say, hard to do, but it's so powerful.
Micah Hoffman: It's extremely powerful and empowering too if you can
take that time, that you have that self-reflection and you allow
yourself to feel good about what you did. Recently we had our second
annual OSINT summit. And by all accounts, from what I've heard from
attendees and speakers, everybody had a wonderful time. We had about 130
people here in the Washington, D.C. area, and it was terrific. And when
I thought about all the people that came to learn and to do these
things and how I helped this come into play, it was a little
overwhelming for me that this is something good that I helped do. But
there's the impostor syndrome peeking out. It's that "I helped do this."
Many times the successes I have I attribute to a group, or it wasn't my
success, it was the team's success, so I can't take the credit, which
further fuels imposter syndrome.
Jason Nickola: Yeah, you know, you don't necessarily want to advocate
for the opposite, right? You want to spread credit around where it's
due and make sure that team efforts reflect the team. But I think what
you're getting at is a lot of times - and I can personally identify with
this and some of your research into imposter syndrome and other
resources - what you find is that for people who feel this way, regardless
of what they end up achieving, there's always some mitigating factor about
why it's not that big a deal. And in this case, it wasn't me, it was
the team, or even earlier in this conversation saying that, yeah, I've
been able to do some things, but it's because the world is set up for me
to succeed, which is true in large degree, I think. But there's a
constant emphasis on how can I mitigate this, or somebody congratulates
you or thanks you for something and says, "you know what? This thing
that you did was really awesome." Like I look at the OSINT Summit and
general OSINT content and curriculum. Not even just at SANS but overall.
And I look at it like, not only is it so cool that you were the head of
this conference and people came to the summit and they got to learn,
and you wrote the course. But you also did it in an area that is so
nascent and there aren't a lot of resources out there, and there are
other people making some things happen that deserve some credit. But
it's like you're not just producing content in an area where it's not
just another Nmap tutorial, right? This is brand new stuff. And I think
it's totally awesome and great and so needed, especially for the next
phase of things. But how easy is it to just explain that stuff away, and
say you know, if it wasn't me, they would have just got somebody else,
right?
Micah Hoffman: Yeah, truly, I appreciate the kudos. I'm trying to get
used to saying thank you for that and accept the credit, and it is an
interesting thing. What I've been able to do within the OSINT community
is highlight other people that have been doing good work for a lot
longer than I have in OSINT, to bring together resources that have been
out there but have been so siloed, or people have not wanted to share
for fear that their technique, their tool is going to get banned or
blocked by whatever platform. So I think my main contribution to the
OSINT world is the publication and the centralization of a lot of these
things and in bringing a lot of it to light, like we did in the
cybersecurity community 20 years ago. Just saying, hey, you know, yes, I
have my own exploits, and I'm not gonna share with anybody. But I also
have these that you might find useful.
Jason Nickola: Right.
Micah Hoffman: And that sharing is good.
Jason Nickola: So you mentioned DerbyCon 2012 and getting out and
seeing all of the other things that people were doing and internalizing
that maybe in a negative way. And if anyone pays attention to you now,
over the last few years you speak often, you teach often, you produce a
lot of content and you're out there. You're available. It's not hard to
find Micah Hoffman out on the interwebs, right? So was that a conscious
decision? And was it kind of coupled with you accepting that you can't
do all of the things and moving on and trying to do what you actually
can do? Or did you start to do that for another reason? So what,
basically, was the impetus for trying to push yourself out there in the
world and becoming the version of you that you are now?
Micah Hoffman: Well, it absolutely was not a conscious decision. My
life, my career has been a series of opportunities that I either took
advantage of or I did not. It's that path most traveled versus least
traveled, and sometimes the paths are harder than the other path might
be. But for me, the progression from cyber person that was working and
delivering on some contract somewhere to SANS instructor with a
nonprofit and community building and all was a gradual progression of
this makes sense for the next step, and the next step, and the next
step. It's kind of like the way I code Python. I don't create a master
document of everything that's going to be in the script and then make
this monolithic thing. It's more, well, I know I need to read in a file.
So let me make that module and oh, okay, well, that reads in a file.
Now I need to make a web call. Okay, let's write that section. So I
mean, I went into cyber. I took the SANS class. I had done some
teaching. I taught how to be a better parent. And I taught parenting
classes for a local nonprofit for many years, and I just love teaching.
And the opportunities came to work with SANS, and I took advantage of
them. But yeah, I can definitely see how the opportunities that I took
helped me get to where I am.
Jason Nickola: Right. So you think it's accurate to describe you as a
public-facing person, right? You're not a greybeard sitting in a basement
and reigning over your kingdom in isolation or anything like that. I
think it's interesting to think about your role, I guess, as a public
facing person, as a teacher, as a speaker and a community builder, and
your expertise in OSINT. Does your expertise in OSINT help you to be
that public facing person? Do you view that process differently? Knowing
that the other side of you is to use the information that's out there
to achieve outcomes in the security field or what overlap do you see
there?
Micah Hoffman: It absolutely is a challenge every day of on one hand,
we use social media to find information to answer our questions. On the
other hand, social media is a very important method of getting things
out. A good example is with LinkedIn. We just got onto the LinkedIn
platform and said, you know what? There's no open source intelligence
community here. So SANS and I created it, and now we have hundreds of
people in there, but when I said hey, everybody come to LinkedIn to
share information on OSINT I got so many private messages, like,
"seriously, you're doing this? Why don't you just put it on Facebook,
Micah?" But it is a challenge. And every day I personally struggle with
do I do this, or do I not? And on LinkedIn we have this community, but
on LinkedIn I only connect personally with people that I know or have
worked with. I won't connect with everybody because I have insights into
what you can do with that. So it is challenging, but I have to assume
some of the risk and do some of these things to help build the
environment, the community, the companies that I want to build.
Jason Nickola: Yeah. I mean, there's a tradeoff if you want to reach
people and provide information, and you know the altruistic side of it,
but also develop your own kind of personal brand presence and some of
the opportunities and things that come with that, then those are the
tradeoffs that you have to make.
Micah Hoffman: Well, actually that was something that I spoke - I did
a keynote talk at BSidesCharm and the talk was on joining the
information security community. So just cybersecurity community, as
opposed to the information security industry. And I remember then around
that time, I think it was around the 2012 timeframe as well. That or
2013, I made the conscious decision to stop hiding from cybersecurity.
I'd always been told stay away from hackers and they work in dangerous
and nefarious places and all. And we laugh about this now, but as
somebody with previous security clearance and working in certain realms,
you don't want to mess up. So I stayed away, and then one day my buddy
said, "hey, come to NoVA Hackers with me." This northern Virginia hacker
group, I was like, ooh, hackers I can't. And then I found out that it's
just the word that people use to describe themselves, that they weren't
doing anything different than what I was doing. And so I started to
change my perceptions of what was out there, and I started to try things
instead of just "oh, I can't participate in that."
Jason Nickola: So for other people who are at various phases of their
career, whether just getting started out or they're an accomplished
practitioner and want to make the jump more into a community member,
rather than just a professional in isolation, how do you recommend doing
that? What advice do you have for people that are actively trying to
get out of their comfort zone and be a member of the larger community?
Micah Hoffman: I think the biggest word I can throw out there is
passion: finding your passion. Yes, you can get a certification in
whatever type of cyber you want or in OSINT, but if it's not your
passion then learning and growing in that area is going to be painful.
Within cybersecurity, there are a huge amount of things to be interested
in and curious about. What I always tell people that are new to the
field is they say, well, should I learn Python? No, don't just learn
Python. Go and find something that's interesting to you, whether it's
attack or defense or DFIR or policy or whatever, find something that
compels you to learn more, because by learning more you'll get farther
than if I assign you something to do. That is absolutely the number one
thing that I'd recommend to people is find something, some groups, a
project to work on. And the reality is that nowadays there are a huge
number of projects, whether it's working on an open source project that
you use GitHub for, or whether it's working on a framework or just
helping to manage some group somewhere. There are CTFs and people and
resources everywhere.
Jason Nickola: Right. And I think one of the things to keep in mind
is that regardless of what phase you're at and why you're putting
yourself out there, why you're joining communities or building things,
or trying to make information more accessible to others, there's your
own personal gain out of that, but you never know how that is going to
help other people who see you doing that. So I'll give you a specific
example in my own life. I have seen you specifically and others doing
things like resume workshops and speaking at conferences and putting
meet ups together and trying to disseminate information and make things
more accessible and mentor and help people as they're moving through
their career and just be open and positive and genuinely caring about
the state of other people. And I don't think that you or others are
sitting down and saying, "I'm going to do this so that Jason will feel
better about doing these things himself." But even if you're just trying
to find what that community is, or take your own next step, you really
never know how that is going to enable others and when you might be the
answer to "I had someone who looked like me and sounded like me and was
doing the things that I was fearful of doing." And seeing them do that
can be really powerful and enabling. It's hard to do it without it,
right? Especially for marginalized pockets of society, if you don't have
those kinds of models, and you never know when you are going to serve
that for someone else, so there's kind of - we've got here talking about
community. There's a larger community conversation. Even if you're just
kind of focused on yourself and your own benefits, you never know how
people are going to perceive and benefit from seeing you having done
that.
Micah Hoffman: Yeah, after I did the impostor syndrome talk, which
was on YouTube, I had people come up to me and it was overwhelming in a
good way. People still every now and then send me a tweet or direct
message saying, "That talk you did back when, it really helped me through
a tough time." I think that I want to show other people that no matter
how far along you are in your career or how much you're deemed an expert
or whatever, that there are always things that can trip you up, can
slow you down, and make us just as human as everybody else, but you're
absolutely right. Whenever somebody tags me and says, hey, you know,
this helped, it's an amazing feeling.
Jason Nickola: It is. So let's shift gears a little bit and you have
the GOSI certification associated with SEC487, which is the SANS course
on open source intelligence that you've authored and kind of
spearheaded. When is that launching? How do people get involved with
that and why would you recommend that somebody who is a security
practitioner, or maybe other industries that might not be so obvious,
why should somebody try to get training in open source intelligence and
get certified in that?
Micah Hoffman: I think there's really two questions there. One is why
get certified and then two is who should really be looking to do OSINT.
Obviously, there's OSINT analysts that are out there, all-source
intelligence analysts and all. But one of the things that I find is that
what we teach in the 487 OSINT class can help everybody from digital
forensics people, when they've dumped a phone and they have user names
or they have locations or they have a social media profile, we can teach
you how to harvest data better. Or pen testers that do recon or social
engineering, again, we'll teach you how to do it a lot better. So
there's a huge number of people that should be taking the class. And as
more and more people hear about OSINT, the word OSINT, in the world we
are getting more of just every type of person in class. And the GOSI,
GIAC Open Source Intelligence cert, is coming out in beta in April and
it's coming out live in June. It's kind of the icing on the cake,
because if you look at the open source intelligence world, there are
places that will train people up and the training usually leads to a
certificate of completion. But there's no organization out there that
I know of that has an OSINT certification that's recognized or that's
made by a certification body like GIAC and has the weight and
standardization of GIAC behind it. So I think the GOSI is neat. We
actually wanted to call it something that Phil Hagen, the SANS
instructor, mentioned. He mentioned it should be like "GIAC ICU" so it'd
be like "Gee, I see you." I wanted that, but GOSI sounds all right,
too.
Jason Nickola: So, where do you see the next phase of OSINT going?
Fairly quickly, it seems as an outsider, that it's gone from kind of a
niche thing. I remember being at DEF CON a few years ago and doing one
of the badge challenges and mentioning the word OSINT and then having
someone make fun of me and criticize me for using lingo that no one else
understood that made me sound pretentious. And I was just trying to say
open source. So I think very quickly it's gone from something that is
more niche and that maybe a few people heard of to now it's this thing,
it's here, it's more broad, and we're getting some training and
certification like SEC487 and GOSI. But where do you see the next phase
of OSINT in the security world, how does it start to fit in to the next
phase of things?
Micah Hoffman: I've got a couple of projects that I'm developing that
are going to help out the OSINT community, so I can't talk about them
directly. But I do think that what the OSINT community and OSINT world
needs is more of the rigor and standardization that we've seen in some
parts of the cyber security community, whether it's process or it's
centralized places to find things. Right now, I'm seeing people share
out these cool tweets that tell you how to do this or do that. But it's a
tweet, it's temporal. It's on a platform that's not great for recording
that so I think where we'll be going is trying to come together as a
community to make some more centralized resources available and agree on
things like methodology and other things along that line.
Jason Nickola: So we've talked about all kinds of awesome stuff on
here. What kind of general advice would you give to anyone listening?
Who wants to maybe break into OSINT or is trying to build a career in
security or battling with some imposter syndrome or trying to get
themselves out there in the community - lots of different profiles of
people, but general parting advice? If you had one thing to say, what
would it be?
Micah Hoffman: Find somebody that can help you navigate the waters.
Back when I was coming up, I didn't have that, as we talked about
earlier. But nowadays, there are so many resources and so many
certifications and so many distractions out there that for somebody
coming into the field, any field, whether it's OSINT or cyber, and just
saying, "Where do I start?", it can definitely be a challenge. So my
suggestion is find somebody on Twitter or at your work or at your school
or somewhere that can be that mentor and help you at least take the
first couple of steps. Because once you take those first steps of
reading these blogs or getting that book or trying this capture the flag
or whatever it happens to be, you start down that path, and then you
can figure out what your next step is based upon your interests, based
upon your passion. So I think finding a mentor's an important piece of
that overall puzzle.
Jason Nickola: I totally agree. That's fantastic advice.
Micah Hoffman: Thank you.
Jason Nickola: Thank you so much, Micah, this has been really great. I appreciate it.
Micah Hoffman: Absolutely, thanks for having me on, Jason.
Jason Nickola: Thanks to all of you for listening to this episode and
to Micah for joining us and being so honest about his journey and some
of the challenges he's experienced along the way. In addition to his
work with Spotlight Infosec and SANS, Micah is also a co-host of the
OSINT Curious podcast, so definitely give that a listen. And we will be
back in two weeks with Chris Elgee, builder and breaker at Counter Hack
Challenges. Chris will chat with us about practically applying some of
the skills that you're gaining through self-study or training and how to
do lots of cool and crazy things with the new infosec skills that you
build up. So definitely keep an eye out for that. Visit giac.org/podcast
to sign up for updates and to receive alerts about each episode as
they're released, and definitely subscribe and follow us wherever it is
that you get your podcasts. Thanks and we'll see you soon!