Security Analyst Spotlight Series: Rafael Amado
June 14, 2018
Organizations rely on Digital Shadows to be an extension of their security team. Our global team of analysts provides relevant threat research, much-needed context, tailored remediation advice and managed takedown support to make our clients’ jobs easier and more efficient. Crucially, by having analysts within the intelligence and collection cycle, we’re able to minimize the real-time false positives that cause nightmares for most organizations.
In our Security Analyst Spotlight Series, we bring our analysts out of the shadows and into the spotlight, showcasing their expertise and interests so you can learn a bit more about a “day-in-the-life” of a Digital Shadows analyst.
Name: Rafael Amado
Team: Strategy and Research
Title: Senior Strategy and Research Analyst
Q: What sparked your interest in cyber security and intelligence?
A: I took a less-direct route into the industry, coming from a political economy and policy background. As a predoctoral researcher I focused on military and intelligence relationships during the Cold War, particularly between western nations and those undertaking economic liberalization policies. While working in public policy, I realized there’s a widening knowledge and generational gap between current policy makers and the issues facing the modern world. One of these is technology, and in the realm of international relations where my primary interests lie, the realities of cyber security and cyber warfare are, in general, very misunderstood. I therefore decided I could contribute a lot more to the policy debate in future if I had a strong cyber security background from working several years in the industry.
Q: What areas of research do you focus on?
A: My research areas are very varied, and I’ve covered a lot in my time at Digital Shadows, including looking at how disinformation campaigns are carried out and facilitated by the variety of easily-accessible tools and platforms available online. This research came off the back of the U.S. election activity in 2016, and we were keen to demonstrate how disinformation – which is not a new phenomenon by any means – is more than simply a political issue and affects business as well. Threat actors knowingly spread misleading information for reasons other than politics – for example financial gain or prestige.
Other areas I’ve been heavily involved in include the evolution of cybercrime and threats to major sporting events. Given my language capabilities, I worked closely with sponsors and organizers of the 2016 Olympic Games in Rio de Janeiro, Brazil, to develop monitoring plans for a wide range of threats affecting events of this scale. This included hacktivist activity against government organizations and sponsors, as well as financial crime affecting visitors to Brazil. My area studies knowledge and language capabilities were very useful here to make sense of the very distinctive Brazilian criminal ecosystem, which meant cybercriminals developed bespoke malware and phishing techniques to achieve their goals.
Q: You’ve recently co-authored a paper on cybercrime following the AlphaBay and Hansa takedowns. What are the most significant developments to come out of that research?
A: The main takeaway here is that Operation Bayonet, the joint law enforcement effort to seize AlphaBay and Hansa, has not made consumers and organizations safer when it comes to cybercrime. The takedown efforts have had some noticeable effects, namely further damaging trust between users of marketplaces and criminal forums. However, cybercriminals are resourceful and determined, and they’ve reacted by moving away from the marketplace model altogether. Instead, they favour more specialized forums depending on the services they need; those wanting payment cards visit carding forums and Automated Vending Carts, while those in the market for tools and software tend to go to more technical hacking forums. From here a seller will advertise their services, before asking interested buyers to move onto one of many peer-to-peer channels to discuss business and arrange payment.
Rather than an alternative marketplace taking AlphaBay’s place, we’re seeing encrypted messaging platforms such as Telegram and Discord growing in popularity for this type of activity. I should stress that use of these platforms, as well as others such as Jabber and ICQ, pre-date Operation Bayonet, but it’s definitely where cybercriminals operating at this type of level are flocking at this moment in time.
Q: What have been your highlights working at Digital Shadows?
A: Two things stand out. The first would be the recent research paper we produced looking at file exposure through misconfigured network services such as SMB, FTP, NAS drives and S3 cloud storage, “Too Much Information: Misconfigured FTP, SMB, Rsync, and S3 Buckets Exposing 1.5 Billion Files”. We received great feedback for this from both our customers and the wider security community. What I loved most here was the joint effort that was required to produce this paper. In all honesty, writing it was the easy part. The major difficulty was building the scanning tool in the first place, and we have an incredible team of security engineers and data scientists who built this mammoth tool able to identify over 1.5 billion exposed files in just under three months. I can’t take any credit for that. The research ignited some much-needed conversation about risks emanating from your supply chain and third parties. The vast majority of the examples of exposed files we detected were a result of contractors backing up sensitive documents – such as penetration tests and security audits – on misconfigured NAS drives, but this is often overlooked when people discuss ways to secure their businesses.
The second high point would be my work on the WannaCry ransomware attack from 2017. While the days of the attack were stressful and hectic, when things had settled somewhat I was able to put some of my intelligence tradecraft training to use. I composed what we call an Analysis of Competing Hypotheses table that looked at the goals and objectives of the attackers behind the attack. This structured analytic technique is a great way to identify all the available data points for a given problem and then assess their relevance and the reliability of your sources. The table and accompanying blogs were a big success, being featured by SANS and reposted across various industry publications. When colleagues have had briefings with international law enforcement and security organizations around the world, the latter have commented on the strength and nuance of our analysis in that piece. Having that sort of support and recognition from industry peers is both rewarding and motivating.
Q: How do you see Digital Shadows’ research providing value to customers?
A: From a research and public intelligence perspective, being able to understand and translate the goals, motives and modus operandi of threat actors can be very useful to organizations trying to mitigate risks within their business. If you can recognize what an attacker’s objectives are, you are then better placed to identify which of your systems are most at risk. Knowing how threat actors – be it organized cybercriminal groups, nation states or individual hackers – operate means you can systematically develop a model of their behaviour, much like a playbook of their tactics, techniques and procedures. From here you can then identify what critical assets you need to secure, and draw up a defensive security controls checklist that you can apply directly to your environment so these weak points don’t exist. We refer to this as threat modelling.
The other benefit of this type of approach is that organizations often struggle to picture themselves from an attacker’s perspective. A business may be compromised for its own assets – to steal its sensitive data or disrupt its critical systems – but it may also become a secondary victim if its assets can help an attacker reach their primary target. For example, a smaller organization may assume that it is of no interest to a large cybercriminal outfit or sophisticated attacker, but in reality, these attackers may look to the organization’s infrastructure as a staging post or pivot point to achieve their loftier objectives.
Q: What are some of the challenges working in the security research space?
A: Cutting through a lot of the noise in this space and providing insight that is relevant and operationally empathetic isn’t easy, but this is one of the guiding missions for the work that we do at Digital Shadows. In my area specifically, there are a lot of exaggerations and idealized concepts when it comes to what makes “useful intelligence”. Take Common Vulnerabilities and Exposures (CVEs) and patching as an example. Lots of CVEs are being created and reported, but the difficulty for organizations lies in how to prioritize what you patch. There’s an emerging common wisdom that discussions of CVEs on underground forums and chat channels are a good indicator of what vulnerabilities are the most significant and in need of attention. The reality though is that most of these conversations are by individuals who lack the capability to ever exploit a vulnerability, and they are merely sharing news articles between them the same way we do as colleagues in the office. Activity on the dark web and criminal underground generates headlines and looks impressive, but it shouldn’t be the only place researchers look to for their data.
Instead, organizations and their security teams are much better off prioritizing patches of vulnerabilities that are actually being exploited in the wild, not just discussed online. In particular, the focus should be on vulnerabilities that allow for remote code execution and local privilege escalation against ubiquitous applications such as Office, web browsers, content management systems and operating system kernels. Simplifying and narrowing the focus for security teams means they can divert their resources to the right problems. This should be the aim for anyone serious about producing quality security research, but of course, that’s easier said than done.
Interested in hearing more from our intelligence team? Check out our blog, our Security Analyst Spotlight Series, or subscribe to our weekly threat intelligence podcast: ShadowTalk.
Rafael joined Digital Shadows in 2015 and works as a Senior Strategy and Research Analyst. He has written several articles and papers, and his research regularly features in the international press. His previous research areas include threats to the 2016 Rio Olympics, the 2017 WannaCry attacks, and how organisations and individuals can combat the spread of disinformation and fake news. Alongside Michael Marriott, he co-hosts and produces the Digital Shadows podcast, ShadowTalk. Rafael has a background in International Relations and Political Economy.