Peering Into the Dark Places - An Interview with Michael Marriott of Digital Shadows

Michael Marriott.JPG

Interview with Michael Marriott of Digital Shadows:

Cyber Security Dispatch: Season 2, Episode 10
 

Show Notes:
In this episode of the Cyber Security Dispatch, we welcome Michael Marriott of Digital Shadows, a company specializing in security from dark web threats. Although we often see to hear about the dark web and the dangers of these hidden portals of the internet, its very nature means it is often spoken about in the vaguest of terms. Michael gives us a quick dive into an understanding of what the dark web provides and why it is not always the bad place it is supposed to be. We look at the market places that are housed within the dark web and thus talk about the types of cyber crimes that typically occur in these spaces. Our guest does a great job of explaining just how his company can protect customers from these types of threats and we also discuss how more widespread proactive user behavior could lead to decreases in these threats. Michael offers a lot of insightful information on rippers, security strategies and criminal personas, so this is an episode you are not going to want to miss.

Key Points From This Episode:

  • An introduction to the work of Michael and Digital Shadows.
  • Explaining the dark web and how it functions.
  • Recent developments in the dark web market places.
  • The service that Digital Shadows offers to its clients.
  • Looking at file storage and the problems that these services create.
  • How Michael’s organization goes about protecting other organizations from threats.
  • Removing the criminal value of identifiers such as SS numbers.
  • Some of the interesting ways customers are testing their security.
  • The latest tactics of cyber crime for market place impersonations.
  • The illegal work of ‘rippers’ and how they are flagged.
  • The life cycle of cyber criminal personas.
  • And much more!

Links Mentioned in Today’s Episode:
Michael Marriott — https://www.infosecurity-magazine.com/profile/michael-marriott/
Digital Shadows — https://info.digitalshadows.com/
Tor — https://www.torproject.org/projects/torbrowser.html.en
AlphaBay — https://alphabaymarket.com/
HANSA — https://www.deepdotweb.com/marketplace-directory/listing/hansa-market/
Amazon S3 Buckets — https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingBucket.html
rsync — https://rsync.samba.org/
Panama Papers — https://www.icij.org/investigations/panama-papers/
Morris Worm — https://limn.it/articles/the-morris-worm/
Dalai Lama — https://www.dalailama.com/

Introduction:
Welcome to another edition of Cyber Security Dispatch. This is your host Andy Anderson. In this episode, Peering Into the Dark Places, we talk with Michael Marriott of Digital Shadows. Michael shares his experience working to mine the dark web, the private and often unseen side of the internet, where criminals and others, share potential vulnerabilities and data.

TRANSCRIPT
[0:00:27.1] Michael Marriott: I’m Michael Marriott, Research Analyst here at Digital Shadows, we’re a cyber security company that is providing threat intelligence. So looking into the latest threats that are emerging that organizations should be concerned about as well as what data they’re exposing online. So we got a service that monitors for that exposed data and tracks throughout it. People are talking a lot about managing their digital risk and that’s - we provide this to enable them to do that.
[0:00:52.8] Andy Anderson: Yeah, you know, everyone sort of talks about the dark web, right? Even for someone in the space like, I’m not sure that I exactly know what the dark web is so for those – 
[0:01:02.0] MM: Yeah.
[0:01:02.6] AA: Even like myself, walk us through what exactly the dark web is.
[0:01:06.7] MM: The dark web refers to a part of the internet which needs specific software to access. That’s typically Tor domain so ones that .onion but there are a few others like I2P, as well. They provide increased anonymity through their software for people to browse the web. They go through various different layers and different IP addresses in order to obscure their identity. That’s not necessarily a bad thing, it’s got a really good things and benefits for that journalist if they want to be whistleblowers and things like that, but it also can entice cyber criminals because of this anonymity.
What we’ve seen is people are establishing dark web marketplaces to sell their wares and forums as well. There’s some interesting stuff on there but what we’re also seeing is that criminality is across the open web. There are bad things on social media as well but it’s not inherently an evil tool. I think that’s what it is important to remember. And then you call, was it last year in middle last year, there was AlphaBay and HANSA. The two biggest dark web marketplaces.
[0:02:14.3] AA: Yeah, I remember who they owned by -
[0:02:18.2] MM: Yeah, the Dutch release in collaboration with a few of the law enforcement have - it’s pretty cool, they managed to seize AlphaBay which was the biggest one at the time. Then, they waited about two weeks but actually in the meantime, they’d gained access to the second biggest one, which was HANSA.
They waited for all the users to flock over to HANSA and then they announced that that was actually seized as well. So that was a great coup for law enforcement.
[0:02:43.3] AA: When you sign up for your new account, right?
[0:02:45.8] MM: Yeah, exactly.
[0:02:46.3] AA: Please include your IP address location.
[0:02:49.9] MM: Exactly. 
[0:02:50.3] AA: Where should we send you material?
[0:02:51.5] MM: There was some convincing, they even limited registrations. So like, “We’re overwhelmed, please hold, you know, we can’t deal with all this demand” and so on. That was a really good intelligence game. But as you can imagine, since then, whereas before it was like we’re on the dark web, it’s a little bit more secure, anonymity is better and now it’s – there’s been a bit of an evolution in criminal marketplaces - not necessarily on Tor or I2P but it’s on just other places online. So forums that are behind - you’ve got to log into in order to gain access to. But what we’re saying is that the administrators behind those sites are getting a lot more stringent and picky about who is gaining access to what. The idea of trust in criminally legal cases, because of these operations, it’s really being stubbed. If there is mechanisms which are fascinating, they’re using to try and balance this out and workout who they can trust and who may be a threat to them.
[0:03:49.0] AA: Yeah, basically, what you guys do is if I’m you know, a company and I have, you are sort of monitoring, whether any of my stuff or maybe an individual, right? Any of my data is eventually being taken to the dark web whether it’s available there. Is that the core of one of the products?
[0:04:05.1] MM: Yeah, that’s one aspect to them, what if the threat actors on these criminal locations, sharing about me as an organization - are they’re mentioning my brand? They’re mentioning my VIPs? Maybe they’re talking about targeting the software that I’m using? You want to find out about that before it starts so that you can be in a better position.
What we’re also seeing is that before that information is even targeted or the information is used as part of the tailor and attack - see one of these phishing campaigns that use really sensitive information about people that’s been exposed online.
There’s already loads of information already exposed about organizations before anybody has like a network intrusion into a company. I think organizations can focus on - that’s what we help to do - is cleaning up the information that’s already exposed, maybe by their employees, a disgruntled former employee or that third parties and prospects.
Yeah, while there are direct threats to their assets and people sharing them online - they want to know about that - it’s also just innocent exposure but it could leave them exposed. That’s what we do, we monitor for these across criminal forums, marketplaces but also, social media, search engines. If you go into just Google and type in private and confidential file type PDF. You’ll come up with millions of results - they’re just - they’re all out there. We want to be letting people know what’s there and how that can expose them.
[0:05:35.4] AA: I’m curious, why is Google — I mean, Google is like you’re sharing everything, all this information but there’s no sense from sort of the large – well, I guess that’s just the search engine. So if it’s there, they’re going to leave it there. But there’s no effort by anyone to sort of – other than you guys — to push that to say like let’s get rid of this stuff, let’s make sure this isn’t there? Where is it being housed? I’m just curious, where is it sitting?
[0:06:03.9] MM: There are different places where it could sit. You could have somebody that just – the organization could do it itself. They’ve uploaded the presentation, which they –  the person who uploaded it didn’t know that they had this private and confidential information on it.
It could be, commonly it contractors. So there is various services online and you’ve got S3 Buckets, which had been in the news quite a lot.
[0:06:25.5] AA: Yeah, I keep hearing that. What is an S3 Bucket?
[0:06:29.2] MM: It’s Amazon S3 Bucket, it’s a way of storing information on the cloud.
[0:06:33.6] AA: So it’s a file server?
[0:06:35.0] MM: Yeah, a way for storing files and then you can allow other people access to those files. Unfortunately, some people misconfigure them. So instead of having access for specific people that you want access to, you’ve actually just opened up for everyone.
[0:06:49.6] AA: I keep hearing that, you know, it’s an issue, why is Amazon go like the defaults are like nobody. Right? You got to turn on and like there are seven helps windows for safety. Are you sure you want everyone in the world to see this? I mean, this seems like you know, Amazon’s brand is getting tarnished by the speaking and sort of – 
[0:07:05.7] MM: Yeah, they actually have changed that. They’ve now made it private by default - but it’s not always that simple because you want to go around, “I’ve got this files on X person to have control of it.” It’s quite easy to lose control of those settings. I would also say, it’s not just Amazon S3 buckets.
[0:07:23.4] AA: Right, it’s a common example.
[0:07:25.3] MM: Yeah, that’s a recent example, these cloud bases services. We’ve been researching to other online services that are exposing information and you’ve got things like FTP servers, which are file transfer protocols; you’ve got rsync, which is a way of synchronizing and exchanging files; you’ve got SMB (Server Message Block), which is another way of sharing files. 
These services are — many of these are from the 80s and 90s. People have been using them for ages, they’re really well used but they have been misconfigured and the amount of data that is exposed is pretty staggering. We detected 12 petabytes of data and in context the Panama Papers was 2.6 terabytes. So it’s about 4,000 times the Panama Papers leak. 
[0:08:15.2] AA: So you essentially — another service, you essentially come into an organization, you see all of those potential misconfigurations and issues, how do you do that?
[0:08:25.6] MM: Different sources, we need different ways of collecting that information. We’ve built specific technologies to do each of those things, got a spider for the dark web and on forums. Google provides an API (Application Programming Interface), so you can look for your information on that, you can — there is social media and then I can’t go into our secret source for some of our features -
[0:08:49.2] AA: It’s fine.
[0:08:50.9] MM: Yeah, we take different approaches to finding different, publicly exposed
information.
[0:08:55.0] AA: Would you ever go into an organization’s own sort of - you don’t handle - it’s all sort of everything that’s outside your organization, you’re looking there like matching with you. 
How do you do that? So let’s say the company that I’m worried that like, you know, someone’s stolen some of my proprietary customer data, right? How do you take that and look for it, right? Do I have to then - and then how do I not make you another potential threat vector, because I’m not sharing that information with you. 
[0:09:26.7] MM: Yeah, in terms of the things we take, we take identifiers of an organization. So it might be there their name, the snippets of code that identify them, it could be their IP ranges or domains or anything that might define them. Then, we pull in the data, so there’s no trace of us having kind of pointed that out online. So you’re not being exposed in that way. That’s how we make it relevant to the organization. 
One of the other aspects is having an analyst team as well. Often, with this sort of thing that threat intelligence is high, developing field, traditionally is being about having loads of bad that you find online and then feeding it into an organization - so by making it relevant to the analyst, it kind of, helps to stop analysts in firms being exposed to information.
[0:10:15.7] AA: You know, obviously, you’re helping to protect the company’s own data, right like stuff about their IP, what not. You also protect essentially help them think about the data that they have about their customers as also getting out or is that not really involved?
[0:10:30.6] MM: Yeah, that’s exactly an example, it’s all geared to that helping them make better decisions about things. Because it could take the contractor’s example, so many of those exchanging data out - what’s really common that we’ve seen is that they’ll get a contractor in to do a security test for their organization. And then they’ll go away and maybe do a security test with some other organizations and then they’ll go back up those reports.
Unfortunately, they back those up and then they’re now publicly available. In terms of like a gold mine for attackers, we always focus on these zero days and attackers and APTs (Advanced Persistent Threat) and nations expos. Actually, you’ve just exposed all your vulnerabilities and exactly - if you’re attacker - how you would get into that.
Perhaps focus on how - when you work with contractors - how you confirm exactly what they do with the information, having some regulations, having some procedures and policies around that, it could be a sensible way because you’re being exposed in this way.
[0:11:32.2] AA: I’m curious, it’s a tangent to what you’re talking about, but I was talking with a - CISO Event speak yesterday, he was talking about - they have a very different way of thinking and identifying their customers. They don’t really use passwords anymore once you opt into the program and now they’re identifying you by 60 attributes on your phone or 30 on your desktop, right? They know where you are with all these factors. 
But what’s interesting is - and that’s cool, right? I mean, what’s also interesting is from a compliance perspective, that could be really problematic, right? Because now I have all of this potential PII (Personally Identifiable Information)   about where you’ve been, what you’ve - but he’s like, “Actually don’t have PII because I basically have just converted all of that data into information that’s not - it’s no longer valuable to anyone but my organization because I have essentially like transformed that PII, right? Into math, right? Into numbers that only my systems understand, right?”
Maybe if you were a data scientist and had the models and you grab the data that’s in there and then they throw away a lot of that - the initial stuff. So I’m curious where you’re seeing, is that something that’s happening a lot where basically companies are saying: “You know what? I don’t want PII anymore. I might need it momentarily but the idea that I’m going to store it for you know, years, whatever, beyond like the moment in time when it was useful for me, probably around the transaction.” I am curious whether you’re encountering that, seeing that. What your thoughts are on that?
[0:13:05.7] MM: Yeah, so I heard the talk that you are referring to, it was really great. It is really great approaching these types of issues. In terms of the personal data and always incidentally PII and personal data often used interchangeably. 
[0:13:18.8] AA: Yeah, but probably not. 
[0:13:19.7] MM: But now these ties into what people are taking more seriously because in the US we’ve got PII and that is a very specific definition of what is personally identifying information to me and you’ve got compliance frameworks around that and now with GDPR (General Data Protection Regulation)   coming. as we’ve been all talking about -
[0:13:36.3] AA: Oh so much, tell me something new I don’t know about GDPR. 
[0:13:40.3] MM: So yeah, just on the definition side, personal data is what we are looking at. Personal data includes a little bit more than PII. So personal data will be things like cookies as well. So defines an organization is more; there’s already so much exposed information out there. It’s even looking at it every single day. It’s still staggering to how much of this is out there - you’ve got marketplaces online that specialize in selling credit cards. And you can go there, you can also filter by social security number, pick up a social security number and names for a dollar, hundreds of thousands like that.
[0:14:18.6] AA: Everyone knows the story that the social security number was never supposed to be used - everyone’s security and it was never supposed to be a unique identifier for you but it is convenient because it sits in databases and it is always the same life number and everybody only has one - so that is why it is convenient to use it. But I am hopeful and I am curious to the kind of companies that you’re working with encountering like are they starting to say, “You know what? I don’t want social security numbers and it shouldn’t be ever a part of my structure on how I deal with something.”  
Also if someone has my social security number I have given it out probably 10 times this month because I am going to doctors and all kinds of stuff you know - it is everywhere on paper. It is only valuable when you can use it to do something; so you could go to the bank or you could go to the IRS or you could go to these different organizations and then do something with it, right? 
So how do we get to a place where the people who were you would make money off my social security number are like, “Good luck with that,” right? Like I need a picture of you, I need to know where you are - let’s identify you a little bit better. 
[0:15:27.9] MM: You are absolutely right and there are multiple ways to prevent people to accessing your [inaudible] - so you can have multi-factual authentication. So you need somebody to see the codes to do that and all of these things that you recommend are ways in which you can solve that problem - but I think we often overlook that organizations have got to make business decisions as well. So this would create more friction for our users. So what is going to be the cost of that? 
While we appreciate that this is a concern, I think we have always got to remember it is a business decision for them. So it is really important that we’ve got these trail blazers not making advances in this type of area but the reality for a lot of organizations would be, “My hair is on fire, here is what I am doing. I’m trying to do my day to day tasks.” They’ve taken that macro view. It takes a real leader to kind of start doing that and that when it’s combined with compliance frameworks, like GDPR, it is going up. That can help. 
[0:16:20.5] AA: I mean I do think that GDPR is in, we don’t need to get into anymore details about what GDPR is but I think what is going to be interesting is that the business - it is the first time I think that a lot of green eye shade - CFO’s are like, “Whoa we’ve got to make sure we comply with this because 4% of revenue turnover depending on what side of the plot you’re on, is a real big number. It’s not hard to figure out if we eff this up how expensive is this going to be, right? Because four percent is often the profit margin on some customers. It would be certainly not a pleasant thing to report in a court ordered report, right? 
[0:16:56.9] MM: Exactly and it ties into this thing about business decisions. So if all of a sudden that’s a bit more of a financial impact then you can balance that out and prioritize it a bit better. Yeah, you’re right.
[0:17:06.3] AA: Well talk to me about what rare stuff surprised you when you guys have worked with a company. Let’s hear some fun stories, what did you come up with? Are you like, “Okay let’s try this out, and things just go red everywhere,” right? 
[0:17:23.6] MM: Yeah, so there’s a couple of cool examples. So as people will give us the things that they care about, as we previously mentioned. So in one case that was a staging domain that their website that they were developing and they were like, “We’d really like it if you would just monitor for anybody mentioning that website, because no one should really know about it.” So they went away to be monitoring for it and it turned out, it cropped up on a criminal forum. 
And they were testing their malware against that staging website while it was being staged. So it was quite interesting that the attackers are doing their own QAing of their own malware so when it went live, they were ready. Yeah so being able to pick that up was pretty cool, to give them a heads up that they can knock that down. 
So in a similar way we had a few of these websites being developed. The person developing it they shared credentials for the website, publicly available so anybody that wanted to go and gain access to that then they can do it. Yeah, there is a bunch of really interesting things just constantly exposed. 
If we go back to the stuff that we’re talking about what defines a user online - not just a social security number. There are multiple other identifiers, which say, “This is that user.” It is coming from this location, it’s got these cookies, it’s got this browser information and that’s the fingerprinting, you can get a good idea of that. And that’s generally being used to stop fraud happening - so if someone logs on from somewhere and tries getting access to a bank account., even if they’ve got a bit of information, it will flag it, “Oh this doesn’t look quite right.” And so we’ve recently seen is a new market place, which seeks to combat that a little bit. It is called Genesis and somebody that has created this new – 
[0:19:08.1] AA: So they’ll sell you not just a social security number, they’ll sell you all that other stuff and you go there. 
[0:19:11.9] MM: They’ll sell you kind of fully imitating a user online. So you can get a plugin for crime and all of a sudden you are that user: you’ve got the cookies; you’ve got the log on information for maybe a social media account; you’ve got banking information so you can then go on and spend money. It just appears that you are that user.
[0:19:30.7] AA: It’s fully built out, ready to go.
[0:19:33.5] MM: Yeah, they’ve got a plugin for it, they’ve got configuration files for those users. 
[0:19:36.8] AA: Do they get reviews? I mean is there like an App Store for the dark web? Where you’re like, “Well, I mean he said all of this stuff but it was definitely not worth the…” 
[0:19:45.2] MM: Yeah, there actually is.
[0:19:46.6] AA: You know pictures of people in handcuffs like, “It didn’t work, man.” 
[0:19:50.7] MM: Yeah, no you are absolutely right. So there’s a huge - that reputational trust is so important and you’ve got loads of reviews online for these types of services and that is common. If you want your product to grow then you need those reviews. Because people are – as I talked about before with the trust, people need to know that it is going to be alright. 
There’s also - we’ve done research before for, there is another service called ripper.cc and a ripper is somewhat of a criminal that is selling stuff but actually when you pay the money there’s nothing behind it. So he is ripping off other cyber criminals. 
And there’s a domain called ripper.cc and that lists out all of these different rippers. So people can then and again - its always plugins for browsers. They’ve got another plugin which if ever you are dealing with somebody, you can all flag up there if somebody has reported this guy. 
[0:20:37.8] AA: And who said there is no honor among thieves, right? 
[0:20:40.9] MM: Exactly, yes. So that was fascinating to see the structures that got in place to - 
[0:20:47.0] AA: But I do – I was in a conversation earlier today and thinking about the trust that the internet was built on by a relatively small number of people. It was a community that was researchers, right? Literally you knew who you were talking to and even when malware would come out you kind of knew - that people were knowing who the author was right? Because it was sort of academic that idea. 
Yeah like Robert Morris was like the son of one of the – I think he is the son of an NSA guy or the son of one of the first creators - like the Morris Worm, the first big worm right? I am curious about sort of the two trusts networks because you’ve got trust among the criminals but when you think of the internet overall, it is just a much – at least I hope there are many more good people than bad people, right? 
And why is it that we can’t share enough - I mean, it shouldn’t be that hard to point at the criminals and say, “This guy is not doing good stuff,” right? Just make it very hard for that person to kind of, they could do it once but once they get – if they tag someone sort of the community starts to quickly identify that. 
Is it really just the anonymity tools or?
[0:21:58.1] MM: Yeah, so you do get people building up a persona and then if that persona is tarnished by these negative reviews then that kind of ruins it for them and they might have to go on to another one and build that up. So it certainly does disrupt but you could always just build up another persona and because of the anonymity and you can always – 
[0:22:16.8] AA: And there is no jurisdiction and there’s no international police force also to across the countries and it gets really problematic. 
[0:22:24.0] MM: Yeah, problematic. Going back to the kind of no honor amongst thieves, so you would see the Russian speaking forums. Well they’ve got an unwritten, well no sometimes a written rule, that is, “Do what you want with this information, just don’t target any Russian.” 
[0:22:40.2] AA: Yeah so don’t, yeah stay outside. Don’t crap where you eat, right? 
[0:22:46.2] MM: Yeah, absolutely. 
[0:22:47.3] AA: Yeah and I think it is interesting that this space is multiple levels sort of operating and surely the technological stuff but there are some really interesting geopolitical factors as well. Like I think in some ways in cyber we’re replaying some of the ideas of the Cold War. We are not going to fire missiles between these major powers because that could be quite problematic for all of us but we are still want to kind of like poke and mess with each other and sort of show who is running things or whatnot. 
And so that is happening in the cyber space because we could kind of do that and at least not yet does that necessarily cross over into seeming an overactive war where we are going to start firing missiles and sending aircraft carriers, and that sort of thing. 
[0:23:34.5] MM: Yeah that’s been how it’s been up until I don’t know recently. Whether that is going to change because people, cyber would be the fifth domain and where it is that space to go during The Cold War. Cyber is genuinely a domain and I think often we can underestimate it’s impact that it can have within those. And it is not always completely separate from the other domains. If you are going on an offensive strategy you use all of the domains. 
And I think when you are looking at signaling the information and if you underplay the cyber domain element then it can lead to a little bit of escalation so I do think you need to keep an eye on that to make sure -
[0:24:18.0] AA: Yeah, will it across over into the others? I mean it’s interesting like I was actually hearing the Dalai Lama speak and he was talking about how war, it made sense at one point because you’ve got limited resources and so I need those right? But now the majority of the economy is built on trade. It is an exchange if you look at the actual value and so now we are at this point where it is actually as you poke your supposed enemies and you destroy this trust you reduce trade, you are actually probably hurting yourself as much as you are hurting them on sort of a global scale. 
And I am getting really worried about what’s happening because you are starting to see an erosion of this trust - and the benefits that the internet is bringing, are we also – if we do spend so much time poking each other and sort of ruining that trust - there is a chance that we’d lose a lot of the benefits that we built up and certainly potential ones for collaboration and the additional trade that we’ll see.
[0:25:16.6] MM: Yeah but in the same way that space and the sea was like used for war purposes, the internet isn’t a bad thing. It is actually just a way that people share information online and yes it can be misused but I think overall it’s good and it’s there. So we just need to know how to deal with it but yeah, I understand. 
[0:25:42.4] AA: Well thank you so much. Anything else before we leave? 
[0:25:44.7] MM: No, just thanks for having me on. 
[0:25:47.3] AA: No, this was great. I really appreciate it.

EditorAndy Anderson, Dark Web, Cybercrime, Personally Identifiable Information, Malware