David Shear, Analyst
David Shear is an Analyst who researches cybercrime communities, actors, and threats originating primarily from North and South America. As a Deep & Dark Web (DDW) subject-matter expert, he specializes in analyzing threat actors’ tactics, engagement, and targeting patterns to help organizations across multiple industries address and mitigate cyber threats. Prior to joining us at Flashpoint, David was a Systems Administrator for SecureWorks’s Network Operations Center before joining the Counter Threat Unit within the company’s Surveillance Division. His research on threat intelligence and information security has been featured in numerous publications, including Ars Technica, Dark Reading, SecurityWeek, SC Magazine, and Wired, among others.
Q: What are you currently working on?
A: Within the analyst team, my role is to identify gaps in our intelligence and see how we can fill them. I spend a lot of time researching emerging threat landscapes in the English-language underground and trying to shed light on some of the lesser-known cybercriminal networks. The best way to accomplish this is by continually researching and monitoring underground communities. In many cases, I stumble upon valuable information just by observing the right community at the right moment.
In addition to my research, I recently did a Flash Talk on the Deep & Dark Web marketplaces being frequented by threat actors following the shutdowns of AlphaBay and Hansa. I also had the honor of speaking at FUSE—Flashpoint’s inaugural user conference.
Q: Why Flashpoint?
A: I developed an interest in web application security at a very young age. I loved learning about computers and hearing stories about cybersecurity in the news. I naturally stumbled upon several communities of people with similar interests. I joined the SubProto hackerspace in Myrtle Beach, South Carolina, which was founded by Joe Stewart, who is very well-known for his reverse engineering capabilities within the security community. As a mentor, Joe encouraged me to publish research. At the time, he was Director of Malware Research at SecureWorks.
I eventually joined Joe at SecureWorks, first working as a Systems Administrator and later as part of the Counter Threat Unit of the Surveillance Division. That’s what I was doing when I first heard about Flashpoint from a client. I looked up the company and found it to be well-aligned with the sort of work that I wanted to do, and the rest is history.
Q: How has your past experience influenced your role at Flashpoint?
A: I was also an underground subject-matter expert in my previous roles, so my past experiences serve as the foundation of what I do today. Here at Flashpoint, I have ample opportunities to spread my wings by expanding on my past research and pursuing projects that I find fascinating and groundbreaking. I’ve also been doing speaking engagements for quite some time, which is something I continue to do at Flashpoint. It’s awesome to be able to present on topics that I’ve been truly immersed in for so long.
Q: What sorts of emerging threats and trends have you observed recently?
A: I’m seeing an ongoing increase in the number of credential stuffing attacks, otherwise referred to as password reuse or “zombie password” attacks. This attack method entails taking compromised login credentials obtained from previous breaches and using them to access other accounts belonging to that user. The low price and widespread availability of stolen user credentials on Deep & Dark Web marketplaces have made credential stuffing a viable tactic for even the lowest tier of threat actors, resulting in far more of these attacks being waged against average citizens.
Another trend I’ve covered pretty extensively is the transition from traditional underground marketplaces to new types of decentralized networks and communities on the Deep & Dark Web. The lack of a central server makes it more difficult for authorities to take down as many threat actors in one fell swoop. This is largely in response to Operation Bayonet, a law enforcement operation which led to the takedown of both AlphaBay and Hansa Market. Constant downtime across the Tor markets is also an ongoing factor that contributes to this trend.
Q: How does the English-language underground differ from other communities on the Deep & Dark Web?
A: We generally see more attention-seeking behavior in these communities. While most Eastern European cybercriminals, for example, are largely financially motivated, more actors in the English-language underground are driven by desires to draw attention to their disruptive schemes.
By and large, these attention-seeking actors are typically more chaotic in their day-to-day activities. Their erratic nature makes our work as analysts easier in some ways, but more difficult in other ways. On one hand, these actors tend to make more OPSEC mistakes, which means they are often easier to track. On the other hand, it can require a fair amount of effort to anticipate what their next move will be.
Although financially motivated actors may also exhibit chaotic behavior, they tend to operate on a quasi-professional level. They usually don’t care about starting drama or having beefs with other actors because they’re trying to support themselves. Reputation matters when offering goods and services on the DDW, so the last thing they want to do is appear unreliable or volatile.
Q: What do you like most about your job?
A: As an analyst at Flashpoint, I have a plethora of resources available. If I have a question, there’s always someone who has an answer and is happy to help. I don’t think many companies have that. It’s reassuring to know that you’re on a team and can always ask someone if you’re unsure about something.
Q: What are your interests outside of work?
A: I like playing piano in my spare time—I played when I was younger and picked it back up about a year ago. I also love reading—it’s nice to get away from the computer after spending most of my workday looking at a screen, and I’m always trying to expand my knowledge.
Q: What would people be surprised to learn about you?
A: I have two different-colored eyes. It’s easier to see when the lighting is better. People usually don’t notice if we’re indoors, so they’re surprised when they realize it. I get compared to a husky a lot.