Speaker: Ryan MacDougall, Senior Social Engineer & OSINT Trainer at Social-Engineer LLC
Background: Teaches "Practical OSINT for Everyday Social Engineers" course, Volunteer for Innocent Lives Foundation
Key Focus: Practical OSINT techniques for everyday life, not just professional investigations
Introduction & Philosophy
Ryan MacDougall emphasizes that effective OSINT is about mindset, not just tools. His approach focuses on practical techniques that anyone can use in everyday situations, from vetting contractors to understanding neighbors.
Core Philosophy: "It's not the toolset, it's the mindset. The point is using these skills for everyday non-work-related use can help navigate the world in a much more effective way."
Professional vs. Personal OSINT:
- Professional: Limited by client budgets and scope, focused on specific attack vectors
- Personal: Unlimited exploration for understanding, safety, and everyday advantage
- Ethical Boundary: When sensitive information is found professionally, it's reported to the client rather than exploited
Natural Observation & Everyday OSINT
Teaching OSINT Through Everyday Activities:
MacDougall uses children's books with his son to practice observation and research skills:
Truck Book Investigation:
- Children's books often contain real phone numbers and license plates in illustrations
- Searching area codes and phone numbers to locate businesses geographically
- Using magnifying glasses to examine small details in images
- Plotting findings on a physical map to create learning experiences
- Example: Armored Waste truck traced to Eagan, Minnesota (18 minutes from St. Paul)
Training Value: These simple exercises build the fundamental observation skills needed for professional OSINT work. The ability to notice and investigate seemingly insignificant details is crucial for social engineering operations.
Case Study: Neighbor Investigation
- Step 1 (Address Identification): Started with Google Maps to confirm neighbor's address, then used public records to identify property owners
- Step 2 (Voter Records Analysis): Found three names at the address: Victor (recognized), an unknown name with same last name (assumed wife), and another unfamiliar name
- Step 3 (Business Records): Discovered business associated with the address, leading to company ownership information
- Step 4 (Social Media Correlation): Facebook page provided photos confirming identities and educational background
- Step 5 (Professional Verification): LinkedIn and professional records revealed the neighbor is a bank vice president (federally bonded)
Investigation Insight: "The trick with OSINT is sometimes you have to assume information and then go down a rabbit hole to prove it otherwise. Social media tends to be a mask that people use to give you the best parts of their personality."
Target Assessment: This methodology demonstrates how to build comprehensive profiles from minimal starting information. For red teams, understanding someone's professional background, education, and business associations provides multiple potential attack vectors.
Case Study: Contractor Vetting
The Scenario:
Vetting a contractor recommended by friends with only first name and phone number
Investigation Steps:
- Phone Number Search: Revealed home builder business association
- Business Records: Manta.com provided address and establishment date (1998)
- Name Correlation: Adding first name to business search yielded 9M results, narrowed by location
- Google Cache: Retrieved deleted resume showing career progression from chef to HVAC to construction
- Additional Businesses: Discovered cannabis business ownership and new construction company (established 2019)
Vetting Outcome: "I learned a lot about Dan in this trip, but ultimately it raised additional questions. What happened to his home builder business after 20 years? Why did he start a new one at the start of this year?"
Due Diligence: This approach shows how OSINT can reveal potential red flags in business relationships. For organizations, similar techniques can vet suppliers, partners, and employees to identify potential risks.
Practical OSINT Methodology
Core Principles:
- Mindset Over Tools: Focus on investigation methodology rather than specific software tools
- Natural Observation: Pay attention to surroundings and seemingly insignificant details
- Documentation: Systematic recording of searches and findings for reproducibility
Documentation Framework:
- Line 1: Search engine used + exact search terms
- Line 2: URL where useful information was found
- Line 3: Key information extracted from that source
Operational Security: Proper documentation allows multiple investigators to follow the same research path and verify findings. This is crucial for team-based red team operations where information needs to be shared and validated.
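The three-line record above can be checked mechanically before a log is handed to a second investigator. The following is an added example, not code from the talk; the `engine: terms` layout of line 1, the blank line between entries, and the names `Entry` and `parse_log` are assumptions made for illustration.

```python
from dataclasses import dataclass
from urllib.parse import urlparse

# Assumed layout (not specified in the talk): three lines per entry,
# entries separated by one blank line.
#   line 1: "<engine>: <exact search terms>"
#   line 2: URL where the useful information was found
#   line 3: key information extracted from that source


@dataclass(frozen=True)
class Entry:
    engine: str
    terms: str
    url: str
    finding: str

    def render(self) -> str:
        """Serialize back to the three-line form."""
        return f"{self.engine}: {self.terms}\n{self.url}\n{self.finding}"


def parse_log(text: str):
    """Return (entries, problems); problems name entries nobody could replay."""
    entries, problems = [], []
    blocks = [b for b in text.strip().split("\n\n") if b.strip()]
    for n, block in enumerate(blocks, start=1):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        if len(lines) != 3:
            problems.append(f"entry {n}: expected 3 lines, got {len(lines)}")
            continue
        # Split on the first ": " only, so operators like site:x stay in terms.
        engine, sep, terms = lines[0].partition(": ")
        if not sep or not terms:
            problems.append(f"entry {n}: line 1 needs '<engine>: <terms>'")
            continue
        parsed = urlparse(lines[1])
        if parsed.scheme not in ("http", "https") or not parsed.netloc:
            problems.append(f"entry {n}: line 2 is not a URL")
            continue
        entries.append(Entry(engine, terms, lines[1], lines[2]))
    return entries, problems


# Constructed sample log; the company, URL and findings are invented.
SAMPLE = """\
Google: "Example Builders LLC" site:example.com
https://directory.example.com/example-builders
Business listing gives an establishment year of 1998

Bing: Example Builders owner
Listing names a second company at the same address
"""
```

The second sample entry is missing its URL line, so `parse_log(SAMPLE)` returns one usable entry and one problem report instead of silently accepting a finding that cannot be traced to its source.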
Tool Philosophy & Best Practices
Preferred Tools:
- Search Engines: Google, Bing, DuckDuckGo, Yandex (each has different indexes)
- theHarvester: For email address discovery
- Simple Python Scripts: Custom tools for specific tasks
Tool Philosophy:
"Tools come and go. If you've learned one tool and you get really stuck on one tool, the moment the developer decides to not develop that tool anymore, you're stuck. It's how you find information, categorize information, and delineate noise from signal that's important."
Privacy Protection:
- Separate VMs or VPS for investigations
- Burn investigation environments after use
- Browser isolation for sensitive research
- Awareness of what public information exists about yourself
Advanced OSINT Techniques
Physical-Digital Transition:
Moving between physical observation and digital investigation:
- Parking lot observations → Vehicle research → Owner identification
- Signage and logos → Company research → Employee targeting
- License plates → Registration lookup → Owner profiling
Paywall Strategy:
PeopleConnect/Intelius Approach:
MacDougall originally used paid services but found they can overwhelm with information. His revised approach:
- Avoid paywalls initially to maintain focus
- Use free resources to build foundational understanding
- Only use paid services for specific missing information
- "I actually gained more information by staying out of that because it was just overwhelming"
Information Management: The ability to manage information overload is as important as the ability to find information. Red teams must know when to stop researching and start acting.
Q&A Insights
- Rabbit Hole Management: "Go 3-4 steps down a path. If not finding useful information, pull back and try different approach. Spiderweb out rather than going deep in one direction."
- Demographic Challenges: Older generations: Less social media but more public records. Younger generations: Extensive social media but less life history.
- Unexpected Findings: Criminal involvement, pornography associations, unexpected business connections commonly emerge during investigations.
Key Realization:
Knowledge is Confidence: "The common phrase 'knowledge is power' is I think better said 'knowledge is confidence.' The more you know about your target, friend, or potential provider can make you more confident in either accomplishing your goal or just being more comfortable in the general setting that you're in."
Professional Applications
Cross-Industry Value:
- Penetration Testing: Laser-focused target research for more effective attacks in less time
- Sales: Personal and professional details for better rapport and deal closing
- Security: Vetting employees, suppliers, and business partners
- Personal Safety: Understanding who your children interact with and their backgrounds
Career Advantage: "What upper level management doesn't want a strikingly effective pentester on their team? As a salesperson, knowing just a few additional details about prospects both personally and professionally can make you more efficient at closing deals."
Key Takeaways for Security Professionals
Essential Lessons:
- OSINT effectiveness comes from mindset and methodology, not tool mastery
- Everyday practice builds skills more effectively than occasional professional use
- Proper documentation enables reproducibility and team collaboration
- Know when to stop researching - information overload can be counterproductive
- Physical observation and digital investigation should work together
- Basic techniques often yield better results than complex tool-dependent approaches
Final Thought: "None of these techniques are revolutionary - I would classify them all as basic but practical OSINT skills. Using these skills for everyday non-work-related use can help navigate the world in a much more effective way."
Operational Excellence: The most effective red team operators are those who integrate OSINT into their daily thinking, not just their professional workflow. This creates a continuous improvement cycle where everyday observations enhance professional capabilities.