Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Joshua Schmidt (00:04):
All right, you are listening to the Audit today. We have our usual cast, Eric Brown and Nick Mellem from IT Audit Labs, and we're joined by Melissa Stivaletti. She is the chair at Epic and OSINT director at GuideHouse and she has a pretty illustrious career and background. So we're really excited to talk to her today about how she got
(00:25):
into the position she's in now and do a deep dive on OSINT and maybe some tools and maybe even get into some deep fake conversation, things like that. So, without further ado, Melissa, thanks for joining us. Can you give us a little background on yourself and say hello?
Melisa Stivaletti (00:40):
Yeah, absolutely. Thanks so much for having me. I'm really excited to get to talk with you all for a plethora of reasons, one of which, of course, is that intersection between cyber and OSINT, and I know we'll get into it later, but it's a real privilege to get to be here and join you all today. So a little bit of background on me.
(01:02):
My current role is I'm the director for open source intelligence at GuideHouse. Guidehouse is a consulting firm that works across a plethora of different industries. The industry that I specialize in is defense and security. So really looking at the defense intelligence enterprise and the intelligence community for the US government.
(01:23):
So that's definitely, you know, my specific area which definitely influences my outlook on open source intelligence, and I know we'll get to that a little bit more as well. So, in terms of background, you know, I started out my career
(01:44):
in government. I was at the Department of Commerce and at the Department of the Army, spent a couple of years in Afghanistan. Nick and I were chatting about that before we started recording today, and it was really when I was in Afghanistan the second time that open source intelligence really captured my attention, and that is because it was when the Arab Spring was going on. So, for those of you who aren't familiar with the Arab Spring,
(02:07):
it was really a revolutionary time in the Middle East that was driven largely by, empowered by social media, and the best intelligence available about what was happening, whether it be protests or disruptions to government or whatever, like it was all very public and the best information that we could get
(02:31):
was from social media, which was unusual for those operating in the intelligence community. When I was in Afghanistan, seeing, you know, the information was really coming from the open source domain, I knew that there was a shift happening in where we would find our intelligence and how we would be able to inform policymakers, and so from that point
(02:53):
I really pivoted my career to focus primarily on the open source domain, and so that journey has taken me to serving across the intelligence community, across defense, dabbling some in academia, and it's been an incredible journey. But the position that I'm in right now is by far the most fun
(03:14):
I have ever had in my career because I get to feed into and shape future OSINTers, an amazing team of folks in the OSINT field at GuideHouse, servicing clients all over the map, and it is just fantastic. So that is a very long winded answer to your question, but I
(03:38):
think I covered it.
Eric Brown (03:40):
Well, all good, Melissa, thanks again for coming on. But just to get to know you a little bit, we'll start with the icebreaker and this one. We just came up with this one right before we started as we were just kind of chatting amongst ourselves, so kind of favorite go-to freezer food, maybe when you were growing up.
(04:00):
I think Nick's going to tell us different, but we were joking that Nick likes Hot Pockets, the ham and cheese, oh, my goodness, that's pretty funny.
Melisa Stivaletti (04:11):
So here's the thing. I grew up in South Carolina and determined at a very young age, in third grade, that I wanted to be a vegetarian because I didn't want to eat animals anymore. Um, and I have never eaten meat since, of any variety, in any at all. So since I was, you know, a very, um, tiny human, and so, um,
(04:37):
freezer meals, uh, were sometimes really important for me because, you know, uh, my mom was a single mom and a business owner and she cooked a lot. But at that point, you know, cooking for a rising vegetarian in the South was a little tricky, and so, I guess I would have to say for frozen foods, there were a lot of these little like
(05:02):
pasta, like frozen pasta dishes. You know they weren't great, you know, not ideal nutrition wise but, today, man, Trader Joe's has vegetarian frozen food on lock, so there's a lot of really wonderful choices. Now I remember those Hot Pockets, Nick, though I do I
(05:24):
score off in all those things.
Nick Mellem (05:26):
I ate too many MREs in my days, so I don't think I would pick up a hot pocket ever again.
Joshua Schmidt (05:32):
Sounds like Eric's done a little OSINT on Nick's eating habits. I'd have to go with the pizza rolls. Yeah, I grew up in a very remote area so not a lot of fast food and things like that.
Nick Mellem (05:47):
Pizza rolls, nice. I would say bagel bites. Those were pretty great back then.
Eric Brown (05:52):
Well, Melissa, it's interesting because you and I are very similar. Growing up, I started out vegetarian as well at a very young age, and I'm still vegetarian, dabbled a little bit with, uh, being a vegan for a
(06:13):
while, um, but I like pizza too much. Uh, grew up also with, uh, with a single mother and, um, just yeah, that frozen pizzas, I think, were my staple. But to this day, uh, and I grew up on the East Coast as well. Especially when I was growing up, though, you'd tell somebody you were a vegetarian and then they'd say, oh well, you eat fish, right? Did you ever get that?
Melisa Stivaletti (06:32):
Oh yeah, all the time, do you?
Eric Brown (06:34):
eat chicken. What?
Nick Mellem (06:37):
So be pescatarian, right, if you eat fish. Yeah, yeah.
Joshua Schmidt (06:46):
So, as we were preparing for this podcast, Melissa and I had a conversation on Monday for pre-pro and it came to my attention that there's a bit of a definition difference between the OSINT, that the day-to-day cybersecurity experts like us, our team, thinks about OSINT in a different way. Melissa, can you explain how you think of OSINT compared to how the general population might think of that?
Melisa Stivaletti (07:04):
Yeah, and it gets, you know, it gets even more complicated than that because even internally within the US government and with our partners, you know, abroad, even that, you know, the definition of OSINT can get really tricky. I would encourage, and this will not be the first time I mention this, but I will encourage your listeners to look up the IC, as
(07:28):
in intelligence community, OSINT strategy. It is posted on the CIA website and the DNI website, DNI as in the director of national intelligence, and there is a new definition of OSINT in that strategy. But I'm going to zoom out a little bit more and not even get
(07:50):
that specific and just talk about the difference in my mind, right, between open source intelligence and open source research. You know, because anyone who's getting on to Google or going to the library or, you know, accessing social media, like you could, you're leveraging something that is in the open
(08:13):
source domain to gather information. Right, and so leveraging that information, even if it's using really exquisite tradecraft or you are using what in open source we call a sock puppet, or which I'm happy to dive into a little bit more as well, like any of those things, right, some people will say, is OSINT, but in my definition, right, and the
(08:38):
definition of the US government, it's not, because if you're researching in the open source domain, you're not answering an intelligence requirement. So unless a policymaker, government, has tasked you to answer a question that is being used for intelligence purposes, or you are researching for intelligence purposes, it's open
(09:01):
source research. It's open source information. You know, it's information that, you know, you're using for an investigation. Maybe we see a lot of really incredible OSINT tradecraft pulled from open source investigations that are used by private investigators and folks in the law enforcement arena,
(09:23):
but OSINT with intelligence at its core. It's really important to differentiate that for tradecraft and at least for today's episode, I would just say, if I'm using the word OSINT, I'm talking about a very specific type of activity on the internet.
Eric Brown (09:42):
Can you give an example of what that tradecraft might be for someone who is maybe really unfamiliar with the term, or even what that might look like?
Melisa Stivaletti (09:53):
Absolutely. So I don't know if you're a listener or if you all are familiar with digital dust or your fingerprints, right, on the internet. And if you are researching something, you know, anything that you're researching, you're leaving behind little fingerprints, um, and someone who is researching for an
(10:16):
intelligence purpose doesn't want to leave behind those fingerprints, so they're going to take specific actions to obfuscate themselves, right? They're also going to take specific actions to be able to access the information that might not be readily available, right? So there's some countries in the world where you have to be
(10:41):
in that country to get access to their internet, right? And someone who's operating in OSINT is going to use tradecraft to obfuscate what they're doing, to access information that is, you know, not readily available from just any IP.
(11:01):
And you know the tradecraft can get really, really complicated and deep really fast, and that type of tradecraft is certainly used across a plethora of different disciplines and applications for exploiting the open source domain.
Nick Mellem (11:20):
I got to jump back. Well, first off, I feel like I'm watching an episode of Homeland. Did you refer to something called a sock puppet? Did I catch that right?
Melisa Stivaletti (11:30):
Yes, I kind of wish I had a prop now with like a little sock puppet. I do not. Yeah, a sock puppet. And for any of your listeners, this is not, you know, super secret tradecraft by any stretch. The investigations community uses this terminology.
(11:53):
It's when you create an account on Facebook, on Twitter, whatever, and it's not you, it's fake. And so you have a fake account and you use it to research, access, interact with, pull information from corners of the internet. Sock puppets are frequently used to get access where you
(12:16):
have to log in to an account. So you might not even be like interacting, you may not like something or message someone or anything like that, but just to get into a platform you have to have a login and so being able to log in. That is frequently called creating a sock puppet. It's also called a persona, but sock puppet is cooler sounding.
Nick Mellem (12:39):
Nick, you may know that as catfishing. Well, I was thinking about social engineering this whole time. But yeah, cat.
Melisa Stivaletti (12:54):
Got you.
Eric Brown (12:55):
Hey, our intelligence community professionals do not catfish.
Melisa Stivaletti (12:58):
Thank you. Melissa, have you known any other Marines that have two hairless cats? You know, I know someone from Army with a hairless cat, but not two. So this is unique, Nick, I'll be inviting myself over to meet the cats. Maybe you can bring them out. You know, I don't know if they're around and you can put
(13:20):
them on the video, but like ready.
Nick Mellem (13:24):
We're actively taking name suggestions for the cats. Josh, can you rattle off the list of a few?
Joshua Schmidt (13:31):
So far we have Edgar Allen Paw and Katy Perry and General Meow. General Meow, the other one, General.
Nick Mellem (13:39):
There you go. Yeah, Mr Meow, Mr Meow. If you have any suggestions, we're taking them.
Melisa Stivaletti (13:46):
Okay, great. Well, you have to really think about, you know, what it would be shortened to, because when you're hollering, you know, to get your cat to come to you if they decide that they want to that day, you got to have something short. So if it's Mr Meowgi, like, what are you going to go with? You know, is it like hey, Mr? Right, you know, what's the
(14:07):
shortened version of that. It's important.
Nick Mellem (14:09):
This is the heavy hitting knowledge that the listeners are looking for.
Melisa Stivaletti (14:15):
It is really important and since you've taken us, you know you've opened the door, so this is your fault.
Nick Mellem (14:25):
At our, Mr Eric Brown, but let me get us back on track for a second.
Melisa Stivaletti (14:37):
This is gonna be for you, Eric, and I have material I now have to offer.
Nick Mellem (14:41):
So my apologies, but please.
Melisa Stivaletti (14:42):
One of my fun facts that I share on the regular is that I rescued a cat from Afghanistan after enlisting him in the Marine Corps as a staff sergeant, so his full name, Staff Sergeant Garfield Stivaletti.
(15:02):
He was airlifted in a Blackhawk out of Kandahar, spent some quarantine time in Kabul and then lived in the lap of luxury in the Stivaletti home for almost a decade before going to cat heaven.
Nick Mellem (15:17):
That's the coolest cat story I've ever heard.
Melisa Stivaletti (15:21):
You opened the door. I wasn't going to go there.
Joshua Schmidt (15:24):
I'm so happy you did. Yes, that was the most epic cat story we've heard thus far on the podcast.
Nick Mellem (15:30):
The highest ranking cat.
Eric Brown (15:36):
How did you enlist the cat?
Melisa Stivaletti (15:38):
Well, there were a couple of colonels involved. We could do the rest of the episode on that cat.
Joshua Schmidt (15:48):
Don't not encourage them.
Melisa Stivaletti (15:49):
We're going to need a part, I will be distracted easily.
Nick Mellem (15:53):
I got to know now, was there a promotion ceremony? Was there? Was it a field ceremony? You know what? What happened in this enlistment?
Melisa Stivaletti (16:06):
Yeah, I mean definitely a field ceremony, right, because, and um, and he did like have his paw print put on the paperwork. I do have, I still have the documentation. Um, we, we've got signatures from two different colonels. Um, it was, it was a whole process and it, and it allowed him to get veterinary care. Oh, very cool.
Eric Brown (16:24):
Nice.
Nick Mellem (16:25):
You took the words out of my mouth. I was going to say that is the best morale booster. When I was deployed, we had dogs. We had a Malinois and a Lab close to us. They weren't directly with us but being able to feed the dogs and throw a tennis ball just for that couple minutes. So I connect there with the morale booster for sure.
Melisa Stivaletti (16:47):
Well, I will plug the organization that helped me rescue him. They're still in operation today. The organization's called NowZad, like the place, so N-O-W-Z-A-D. It is run out of the UK. The founder's name is Penn Farthing. He has been awarded just a number of accolades and
(17:13):
different awards from all over the world and media, and he has just published a book about the sort of the final days that his organization was in Afghanistan during the retrograde period to include, you know, the atrocities that happened at
(17:35):
Abbey Gate in those final days. So wonderful book, wonderful organization, and if you are a cat lover or an animal lover, check it out.
Nick Mellem (17:45):
It's really cool. That is very cool, Melissa. I, you know, Eric got brought up the cats. I don't think we knew we were going to go to this, this lane, but I'm going to get us back on track with the whole thing. Okay, fine, because I'm, as much as I'm curious about the field information with the cats, I got to know about, like, what your day-to-day operations are, what, what do you?
(18:06):
You know, I maybe can't talk about what you're currently working on, but you know, for people that aren't listening, what, what does a day-to-day look like for you?
Melisa Stivaletti (18:13):
Yeah, so in the day to day for me right now, I have the privilege of being a director at Guidehouse, so in my portfolio I have a number of different teams that are performing open source support and enabling functions across the intelligence community and the defense intelligence enterprise. And rather than getting into my day to day, because at this
(18:36):
point I'm doing work about work, not actual work, so it's a little boring, I'll talk about what my team does. So on my team we have auditors that work on compliance. So those are generally data scientists or folks that are at
(18:56):
least data science literate and they're able to do the really important job of ensuring that US citizens are protected, that those privacy concerns are protected, and so they audit the work that is done by the intelligence professionals doing the collection work to ensure compliance with US law, which I
(19:20):
actually think is one of the most important jobs that you can have in OSINT, because it's what sets us apart from all of our competitors, right? I promise you China doesn't have that. I assure you that Russia doesn't have that, and because we take such pride in being compliant with US law and
(19:45):
protecting US citizens that that function, I just can't overstate how important it is, right. So that's one of them. Another is, is really geared towards tradecraft, so we call it signature reduction, which kind of talks about that digital dust that I mentioned earlier and reducing that footprint and
(20:08):
maybe getting into the space of sock puppets or personas. And then we have folks that help with just like the day-to-day operations of keeping things on track, because we have people doing OSINT all over the world, you know, in the US government, so making sure that they have the tools that they need. Which leads me into another area that we support, which is,
(20:31):
you know, vendor engagement and tech scouting. There's a lot of vendors out there. The audit labs might be an example of a particular variety of vendors out there in this space, but we have a responsibility to help the US government make sure that the
(20:51):
supply chain is on the up and up, that the tools are the best possible, that the data has integrity, you know. So we spend a lot of time with vendors. I spend a lot of time getting demos of what is possible. I did a webinar a while back with one of our trusted partners called Flashpoint. Guidehouse is a tool
(21:12):
agnostic, I kind of don't like the word agnostic because neutral, I think, is better. Agnostic implies we don't care. We care deeply, but we're neutral about our tool choices. We also have data governance specialists, so folks that in the open source domain, data, big data, massive, massive,
(21:35):
massive amounts of data. Like we, a person could never, never exploit all of it, and so you have to have data scientists and data experts who can, you know, navigate the systems and, and the governance of data. You know, metadata is really, really important. And then, finally, another sort of enabling function that we
(21:58):
have is strategy. So I will point back again to the IC OSINT strategy. It's, OSINT is generally funded less than the other INTs in the US government and because of that, having a firm strategy for how we spend our money is really, really important.
(22:19):
Open source is always punching above our weight when it comes to the rest of the intelligence community, but having a really buttoned up, measurable strategy helps us be even more effective for our customers.
Nick Mellem (22:33):
Melissa, with going through all this data, can you speak to any use of AI technology for this?
Melisa Stivaletti (22:41):
Yeah, no, I totally can. So I will point your listeners to do a little bit of open source research themselves and look up AI and the CIA and see what Google gives them because of the open source enterprise. Um, this is public knowledge.
(23:02):
Um, the, the lead there at the open source enterprise, his name is Randy Nixon. He's given a number of interviews about this, but the open source enterprise at the CIA has integrated in generative AI into their data holdings to help process and allow for some
(23:25):
sense making around their data holdings, and it's been transformative. We were, you know, open source was the first in the intelligence community to put this to real practice. So there's a, you know, a chat like function, you know, in there. So I can say, like, why is Russia mad at Poland today?
(23:47):
Or like, you know, what happened in Haiti today? And it'll, and it'll just give me all, you know, a full synopsis of, you know, all of the sources that we have, and protect the analyst or the collector by giving information about those sources and give more detail and fidelity on the type of source,
(24:18):
which is very important, especially when you're dealing with generative AI.
Eric Brown (24:24):
When you talk about information that might be available to the intelligence community, Snowden's tool XKeyscore, I believe was the name of it, kind of was that early aggregator of information where it could go out and look across the community and be able to pull back data and some of that data was coming from those digital
(24:47):
fingerprints or that dust that people leave behind where you could, say, sit on a Tor exit node and scoop up a lot of information coming out of that exit node going out to the internet or wherever it was going, and that, combined with things like super cookies or information that's sitting on
(25:09):
ISPs, can start to stitch together a pretty comprehensive set of data about a particular target or targets. But that's really available largely to the intelligence community. When you talk about intelligence, is it that sort of data or is it data that the general public could potentially
(25:30):
have access to as well?
Melisa Stivaletti (25:33):
Yeah, so you are now getting into an internal US government debate about the definition of open source intelligence. So that's where you get into commercially available information vice publicly available information. Um, could be commercially available to the public. So it could be a subset of PAI, because it's just something
(26:00):
that you or I could just go buy. Um, and it's a very disconcerting what we can actually buy, because if you have real money, like, you know, marketing firms have more open source information than, than any of us. I mean, have you ever just thought about going, you know, on a vacation where you might get to see whale sharks and then
(26:22):
all of a sudden, in your social media feed you start seeing whale sharks? You know, I mean the, the collateral telemetry data, um, that is collected on us. The predictive power of it is astronomical, and so here's what I will say: the US government is collecting far less than
(26:45):
marketers are. So pick your marketing firm and they're the ones that have all the information, and far more than the type that you're referencing. So I would just make the distinction here between truly publicly available information, commercially available
(27:08):
information, sensitive commercially available information that is only accessible to the US government, which really, at that point, makes it not open source anymore, then it's in a different category and the follow-up question to that is maybe bringing it down to a corporate
(27:31):
level, a non-marketing corporate level, where an organization is trying to get more information on the vendors that they work with.
Eric Brown (27:38):
We're tool neutral as well. One of the tools I've run across in the past is a tool called BitSight, where it attempts to create like a credit score, if you will, of an organization and how well that organization does security wise. Have they had breaches in the past, or things like that? So do you have any insights or any guidance on those sorts of
(28:07):
things or how people could potentially help their organizations if they're in, maybe, that vendor space where they're looking at protecting their company or bringing on new vendors, how they might do that with open source research?
Melisa Stivaletti (28:21):
Yeah, absolutely, and I love that I've already trained you guys to say research and not intelligence, because I was prepared to say that researching a vendor, especially one based in the United States, is not something that the intelligence community would do in, in a traditional
(28:42):
intelligence role, because we're not collecting intelligence on US persons, and what a lot of folks don't realize is that companies are considered people and so a US company is considered a US person and then not collected on by the US intelligence community. And that's where the GuideHouse team that does supply chain risk
(29:06):
management is like top notch, because they are using tools that may be very familiar to you all, like LexisNexis and Bloomberg and, you know, pick your tool, where they are able to really research a vendor and determine, okay, well, where is
(29:29):
their ownership really and what is, you know, what is their performance like?
Joshua Schmidt (29:34):
I had a follow-up question circling back to AI and large, large packages of information, and when you're trusting AI to kind of comb through all that and come up with some sort of an assessment, um, do you come across hallucinations and, and how do you deal with that?
Melisa Stivaletti (29:52):
We have to, to put in guardrails, right, and those guardrails is certainly the human in the loop. So, you know, for any intelligence professional or aspiring intelligence professional out there is like, well, AI is going to, you know, take my job, or no. So AI is not going to take your job, but AI is going to take
(30:14):
the job of people who are not willing to work with AI. So that's kind of my differentiator on that, and having people in the loop is really important. And we also have these guardrails, too, of like I was mentioning the tool that open source enterprise uses. That's generative AI.
(30:35):
That's not pulling from the whole internet, right, those are curated sources and then you're categorizing those sources and so then, from there, the information that you're getting, could it still hallucinate? Absolutely, but your people in the loop are going to be there to help mitigate and say, oh, you know what, we don't actually
(30:58):
want to put glue on pizza, like I think we're good.
Nick Mellem (31:01):
What about pineapple?
Melisa Stivaletti (31:03):
That's, or, you know, whatever, right, it is having the subject matter expert who knows that topic in that area, saving them the time of reading, you know, 300 articles and it taking them a month to do it and analyze it. Instead, you're giving them this output and you're having
(31:24):
them read and analyze that too, and they are going to be able to, to identify what those hallucinations are. Right. Is anything foolproof? Of course not, but it's, it's pretty close and it's better than anything we've been able to do in the past.
Joshua Schmidt (31:39):
That's interesting because ostensibly, a lot of the things that it's pulling from are different news organizations from across the world that might have their own bias or their own spin on the reporting, and so the nuance is basically left to experts in your field, and what does it look like managing a team of people in the OSINT realm when
(32:00):
you're working with all these different professionals that have different expertise? How do you go about managing a complicated group like that?
Melisa Stivaletti (32:08):
Yeah, you know, the critical part of being a good leader in any space is to only hire people that are smarter than you, and so I pride myself on regularly being the dumbest person in the room, which is very helpful, and so I have folks working with me that are able to take these really
(32:30):
complicated topics and distill them down into something that policymakers can work with. I am biting my tongue on a comment on policymakers, given the debate last night, so maybe edit that out.
Nick Mellem (32:49):
You're in a very safe place.
Melisa Stivaletti (32:52):
Oh, my goodness. But yeah, so getting, you know, distilling down massive amounts of information and getting it to a digestible format for policymakers to make critical decisions is a really, um, it's a delicate thing and it requires a really well-rounded team who can all think differently and operate in a safe space so that
(33:14):
they can, you know, object and be disruptors. You know, I'm reading a book right now that Carmen Medina wrote about being a rebel in the intelligence community, and you know, one of my jobs, I think, is to protect the rebels in the intelligence community who are thinking differently about these crazy big problems, especially in the data domain, to ensure
(33:39):
that they're able to help us navigate it.
Nick Mellem (33:42):
We talked about AI and now you're talking about these, you know, extremely smart individuals that are working in this space. Is that the future of OSINT, or you know? What does that look like to you?
Melisa Stivaletti (33:53):
Yeah, you know. So when open source intelligence kind of got its big start, I mean, I think it's been going on for forever, but when, at least in the United States, FBIS was founded, right, it was newspapers, predominantly like radio, and newspapers that were being translated by language and
(34:15):
subject matter area experts, and that, when you distill down, you know, the open source arena, it does come down to those experts, right, the nuance that they're able to pull from information knowing the language, knowing, you know, the area.
(34:36):
Really, I don't see that ever being replaced at all. Like, however, I am not going to be hiring a team of 500 people to translate documents, right. So that's where the workforce is changing in open source,
(34:59):
because the landscape is changing, and the way that the landscape has changed in the last 10 years has changed the way that open source is conducted. And so, for those that are interested in coming into the intelligence community in the open source domain, what I would
(35:27):
ask for, I think, from any of them is to be lifelong learners who embrace change, who embrace technology, who are, you know, comfortable being uncomfortable, and who are always thinking of new ways to do things, because the algorithms are always changing, the platforms that are utilized are always changing. You know, kids these days laugh at me because I'm, you know, an elder millennial hanging out on Facebook and they're like,
(35:50):
really, you're so lame, you know, and there's so much rapid, rapid change. And so the main thing that we need are lifelong learners who are comfortable with change, because I could go on vacation for two weeks and come back and my skill set be rusty if I'm an
(36:12):
open source, because something crazy has happened. You know, OpenAI has released something that has completely changed the way that I do my job. Like that is a real thing and so you just have to, have to lean into it.
Eric Brown (36:25):
As we pivot into
that next generation, if you
will, any thoughts on what, whatpeople can do or what are some
of the things that we should bethinking about from a policy
standpoint.
We talked about the debate alittle bit earlier and I just
(36:47):
know in a couple of days fromnow, there's going to be memes
coming out from the debate,there's going to be fake news,
there's going to be fake images,fake videos, fake sounds that
somebody who didn't watch thedebate or maybe wasn't close to
it gets a hold of one of thosepieces of media.
(37:08):
And the way in which society can be manipulated through fake
images and fake sound bites is a pretty important, I would think,
area of research that should be done.
(37:31):
Yeah, there's a lot there, there is. Sorry, there's a lot there,
Eric.
Melisa Stivaletti (37:41):
I'm going to
try to break it down into some
chunks, one being is the ability to trust the information that
we're seeing right in the media.
And you know, while I'm shamelessly plugging all kinds
of things to include pet organizations, there is the
Trust in Media Cooperative, or TIM for short, that one of my
(38:04):
mentors and heroes in the field founded.
That is really aiming to help with this for the general
population right and for public.
So I would encourage your listeners to look that up,
because I think you'll find some helpful tools that are really
accessible on how to sort of validate information that you're
(38:26):
getting from the media.
The second really has to do with critical thinking.
You know, I have a child that I'm trying to raise to be a
critical thinker and you know you can't believe everything
that you see and you know.
One of the most important things in intelligence, but also just
(38:47):
like in life, is multiple sources for any bit of
information.
So if you are an average American, you see something you
know, get down to the original source and you can.
You follow that right and and then see who all is reporting on
it, who was the first to report on it, and don't just get that
(39:09):
information from one source, right?
So you have to be willing to take the time, and that's the problem
is that our, our current society is not willing to take the time.
And so that's where organizations like Trust in
Media may be able to help.
Right, but it's taking time to get there, and the intelligence
community is not going to validate, you know, news media
(39:33):
for public consumption, like that's not what our remit is.
But what is important in open source research is to help
identify what is real and what is fake.
And, and that is really important.
The way that the intelligence community is addressing, um,
what we call synthetic media, uh, is through a number of
(39:56):
different R and D efforts.
Um, I'll plug one of them now that is publicly accessible.
So get out your your Googling fingers, um, and check out, um,
DARPA Semantic Forensics, or SemaFor for short.
That is a defense research initiative that is coming to the
(40:19):
final stages of its work, and SemaFor is, you know,
(40:39):
certainly not of a thing, right.
Fake information is going to be produced so quickly that being
able to identify if it's real or fake it's actually not
particularly helpful because we won't be able to keep up with it,
and so that's where we're seeing some new ways to look at
(41:04):
that information.
Some people call it narrative intelligence.
There's a school in Mississippi, Ole Miss, that has a Center
for Narrative Intelligence, and they even will call it ICBNs
instead of ICBMs, they'll say Intercontinental Ballistic
(41:28):
Narratives, right where there's just new narratives being like
launched, you know, across oceans into American territory
and really gutting us from the inside out.
So anyway, I've not answered your question, but there's some
food for thought.
Joshua Schmidt (41:45):
I love to hear
that DARPA is developing this
technology.
You know they've given us so many amazing technologies like
GPS, drones, touchscreens, what have you.
As a musician producer, that's my day trade and it's really
kind of flooding the market for royalty-free music, for
commercial music.
On my Spotify playlist now there's AI-generated content
(42:09):
showing up on a daily basis.
So I'm glad to hear that there's some heavy hitters in
the space kind of coming up with these tools that will hopefully
eventually be used to kind of separate the wheat from the
chaff.
But are there any other technologies that you see
emerging that are going to be really important on the horizon
for detecting deep fakes or or kind of keeping our democracy
(42:32):
safe, keeping our country safe?
Melisa Stivaletti (42:35):
You know, I
think I have to go now.
Really great, yeah, so there are really incredible technologies.
This is the thing about America, right, like we are so
innovative and continue to be innovative, and so we may be
(42:57):
inventing, you know, AI, and then, and then also, on the
other side of it, inventing countermeasures to deal with the
consequences of that AI, right?
So you know, I mentioned DARPA and SemaFor, that is one example,
right, but we we need more research.
(43:19):
So so I think, rather than say what is also out there and there
are more things out there but what I'll say instead is to
maybe challenge your listeners and just say that this is a
field worth entering.
There's going to be a market for this field, it's going to
evolve and it's certainly an area that's critical for you
(43:43):
know, just the general safety of our public and you know the way
that we consume information.
I don't know that I'm super comfortable going into much more
of that, just because in my world of working in open source
intelligence, I don't necessarily hit, like US media,
(44:03):
validation of information, like that kind of thing.
So it's a little bit of a different area, but it's so
important.
Joshua Schmidt (44:10):
Well, I just
want to call out we're at 53
minutes into the recording, so it'd be a good time to maybe
kind of wrap things up.
I would like to ask Melissa, you know it seems like you have
a really intense job.
I know Eric and Nick do as well.
I'm a musician, so it can be intense, but I get to go and
play tonight at a pub and have a drink and entertain people, so
(44:32):
that's my lane.
But I'd like to ask you, you know, what do you do outside of
work to kind of relieve the stress and kind of keep a level
head and deal with all these things coming at you?
Melisa Stivaletti (44:42):
Yeah, so you
know, we we mentioned some of my
activities while I was in Afghanistan, amongst rescuing
cats.
I also practiced yoga when I was in Afghanistan and, as you
know, being the only female, uh, in many of
the places I was practicing yoga, you know, could draw some
(45:02):
attention, and so, um, one thing that I did is I looked around
and I said, hey, you, you can only stare at me if you're doing
it with me.
And so I started teaching yoga, um, all over Afghanistan, um,
to, you know, young soldiers.
I'd have a guy you know who's working like all day long in the
(45:25):
turret or whatever, and he's like, hey, uh, I heard that you
could help me with my back, you know, and um, and so I started
teaching yoga in Afghanistan without certification or
anything.
And um, and you know, later became certified and I'm really
passionate about about the practice.
Um, I admittedly don't get to practice as much as I used to,
(45:51):
um, but I will note that, uh, I am able to practice some with my
son, which is the other thing that really balances me right.
He is almost eight years old and will happily do Cosmic Kids
Yoga with me or go out and just like stretch, and, you know,
(46:13):
get our core strong right and do downward dog, and so we
definitely do that.
We really, as a family, enjoy hiking and traveling as well.
Um, you know I like to explore the world that we're trying to
protect.
So, uh, my husband and I recently got back from a trip to
Patagonia and we had the best time, you know, got to see
(46:34):
penguins and hike a glacier and, um, what a, what a wonderful
treat to get to see that part of the world.
So, you know, having having the, the passion for the world and
for my family and and for yoga and my faith as well, um, really
help me stay, you know, driven and focused um towards the task
(46:57):
at hand, which is really important, and I'm really lucky
to have such an amazing team at GuideHouse with me helping.
You know our customers try to get to mission success, you know,
for national security purposes.
So it all comes back together.
Eric Brown (47:17):
Have you done any of
the alternative yogas like the
goat yoga or things like that?
Melisa Stivaletti (47:24):
So I have a
lot of friends that are farmers
and so I'm not particularly willing to pay the premium to do
the yoga with the goats when I can just go hang out with their
goats and then do my yoga.
Um, but I I can be talked into some different kinds.
You know, aerial yoga I've I've messed around with that a
(47:45):
little bit and uh, and also um yoga on different locations is
like I'm here for that.
So, um, for for folks in the DC area there's um Project Sunrise
look it up.
Um, we practice.
I say we practice.
I don't always I get to make it, but um, but we practice at um,
(48:09):
the Jefferson Memorial, um, on the mall, like right, you know,
over the tidal basin, which you know so inspiring.
Um, and it's, you know, a group of folks practicing in
national security and is definitely supported by some
pretty powerful folks in defense and intelligence.
(48:33):
To include the founders of a podcast that I love.
It's not the Audit, but it's called Iron Butterfly and it
features women in the intelligence community over the
years.
Very cool.
And the founders of Iron Butterfly are always showing up
(48:57):
to Project Sunrise, so it's pretty cool.
Eric Brown (49:02):
It's great to hang
out with you and hear some of
the things that you do in your spare time.
One of the questions I wanted to ask you was do you attend any
security conferences?
Melisa Stivaletti (49:12):
Yeah.
So I love that you asked this question because earlier, you
know, when Josh introduced me, he said oh, the Epic Chair and I
am the chair for the emerging professionals in the
intelligence community committee, for Epic, we're very Epic, um,
and we are a committee for emerging professionals, um, that
(49:33):
uh falls under AFCEA, so that's A-F-C-E-A.
Don't ask me what it stands for, you can look at it, it's Armed
Forces. Anyway.
So AFCEA, fantastic organization, they put on a plethora of
different conferences and I literally go to anything that
(49:54):
they put on that I can possibly make it to, uh, because they
really are always on, you know, the edge of um quality,
technology, information and policy in the security domain,
and I'll I'll plug for you know, in August they're having their
annual um conference.
(50:14):
That is done in um conjunction with another organization that I
love very much, INSA, and so INSA and AFCEA put on a joint
conference once a year.
That is like the event to be at, and that one this year it's
totally open every year, you don't have to have a security
(50:37):
clearance to attend, and it's a really fantastic way to learn
more about what's happening in the broader defense and
intelligence communities.
Eric Brown (50:46):
Very cool.
I'm just trying to look up real quick what AFCEA stands for.
Melisa Stivaletti (50:50):
Oh yeah, see
if you can, we'll see what your
OSINT skills are like.
Can you find it?
Put them on the spot.
I love it, yeah.
Eric Brown (50:59):
Oh my gosh.
Armed Forces Communications and Electronics Association
International.
Melisa Stivaletti (51:04):
There you
have it, and you know another
organization that is really up and coming in the OSINT space
that we'll be putting on more and more, you know events is the
OSINT Foundation.
So you know, another sort of shameless plug.
I'm on the events committee for the OSINT Foundation.
We've put on like a tech expo and award centers and that kind
(51:26):
of thing, but there's more coming down the pike. Absolutely.
From the OSINT Foundation to include, you know, webinars and
that kind of thing.
So I definitely spend time in all three of those organizations
really making sure that my knowledge is up to speed.
Eric Brown (51:43):
So if somebody is
just maybe new in their career
or at a point in their career where they want to pivot and go
in a different direction, what's a step somebody could take to
get into the true OSINT community?
Melisa Stivaletti (51:58):
Yeah, so
definitely, you know, if you're
a US citizen, the OSINT Foundation is a great place to
start.
You can really plug in and learn a lot about the community
there.
But I'd also just recommend some light trainings that will
kind of give you a little bit more of a flavor of what the
(52:21):
work is.
Michael Bazzell, IntelTechniques, is fantastic.
Another trainer that I love is Michael Hoffman.
My OSINT Training is one that I've done that is cheaper.
There's plenty of more expensive ones out there that,
like, are cost prohibitive for an individual, just kind of
looking to get acquainted.
(52:42):
But those are two that are really accessible and, you know,
super helpful and just kind of learning a little bit more about
OSINT techniques.
Eric Brown (52:52):
That's great.
Thank you yeah.
Joshua Schmidt (52:55):
Thanks so much,
Melissa.
You have such a wealth of knowledge and experience and
we're so honored that you came today and shared that with us.
Once again, you've been joined by Melissa
Stivaletti, OSINT Director at
GuideHouse, and as well as our hosts Nick Mellum and Eric Brown.
You've been listening to the Audit presented by IT Audit Labs.
I'm your producer, Joshua Schmidt.
Eric Brown (53:25):
You can find us
every other Monday on all the
streaming services.
Please like, share and subscribe, and share us with
your friends.
Thanks for listening.
To improve our clients' data security, our threat assessments
find the soft spots before the bad guys do, identifying
likelihood and impact, while our security control assessments
rank the level of maturity relative to the size of your
(53:47):
organization.
Thanks to our devoted listeners and followers, as well as our
producer, Joshua J Schmidt, and our audio-video editor, Cameron
Hill, you can stay up to date on the latest cybersecurity topics
by giving us a like and a follow on our socials and
subscribing to this podcast on Apple, Spotify or wherever you
(54:08):
source your security content.