From a love of Tom Clancy novels to military intelligence to “the ivory tower” of industry analysts, Rick Holland’s road to Digital Shadow’s CISO taught him many lessons along the way. Rick shares his advice for building an intel team, including: avoid homogenous groups; take time to strategize — and follow — processes for OSINT collection on the surface, deep and dark (or derp) web; and remember the importance of human relationships even in the tech-heavy world of threat intelligence.
Rick is a seasoned cybersecurity executive with a unique background as a practitioner, cybersecurity executive and Forrester Research analyst. Rick manages the global team responsible for Digital Shadows' information security and technology needs. Rick also runs Photon Research, the cyberthreat intelligence experts at Digital Shadows. He regularly speaks at leading security conferences, including SANS, RSAC and BSides. The media frequently quote Rick, including BBC News, Fox News, CNN, Dark Reading, Motherboard, NPR, The Register and The Wall Street Journal.
RICK HOLLAND
So for what we focus on, I would say primarily cybercrime related as an intel shop and then Digital Shadows as a cybersecurity vendor is looking outside the firewall, looking for corporate data VIPs. We're going to talk OSINT stuff here, doing open source stuff. We also do closed sources stuff. So my team does the closed sources stuff where you actually have to interact with an adversary. It's something that's gated. You can't use a search engine to find it. You have to gain access in. And so, I mean, I really do look at people process and technology in that order. Right?
MATT ASHBURN
Welcome to Needlestack, the podcast for professional online research. I'm your host, Matt Ashburn.
JEFF PHILLIPS
And I'm your co host, Jeff Phillips.
MATT ASHBURN
Needlestack is currently on a break as we gear up for our next series. But today we have a special bonus episode to our SOC series. Jeff had the chance to actually sit down with Rick Holland, who's a CISO at Digital Shadows.
JEFF PHILLIPS
That's right, Matt. Rick joined the show to tell us a little bit about building an intel team and some of his views on cybersecurity best practices. Was a great interview.
MATT ASHBURN
That's awesome. Well, great. Let's take a look at that interview.
JEFF PHILLIPS
Today I'm sitting down with a special guest, Rick Holland. Rick is the CISO at Digital Shadows, a reliac west company. He's also the co chair of the Sands Cyber Threat Intelligence Summit and a regular guest on the podcast Shadow Talk, which is from Digital Shadows, and interestingly enough, has an interesting background in that. Rick was an analyst with the well known industry analyst firm Forrester Research. Rick, welcome to the show.
RICK HOLLAND
Yeah, Jeff, thanks for having me. Excited to be here.
JEFF PHILLIPS
Super excited. It's a very unique background I didn't mention at the beginning. You also started out as an analyst in the military, so maybe we start with where this all came from. What made you join the military? How has that turned around and shaped how you look at the threat intel world?
RICK HOLLAND
Yeah, Tom Clancy books is how I got into the intelligence world. When I was in high school, I was a good student, but I really didn't feel like college was for me at the time. And I had been reading Patriot Games, I think, at the time, and I was like, man, I'd love to be Jack Ryan. And so I ended up going to the recruiters, and army is the route that I ended up going. So I spent four and a half years in army intelligence. I was stationed in Georgia. I was stationed in the UK, spent time in Kuwait, spent time on an aircraft carrier in the Persian Gulf. I spent time in Germany. So it was a really good experience. But it kind of was a foundation for me because I've been threat focused pretty much my entire career since then.
JEFF PHILLIPS
That's super shing. Now, you also made your way after coming out of the military you end up at Forrester Research. What do you think about being an industry analyst and providing all that expertise to vendors, to enterprises?
RICK HOLLAND
Yeah, it's interesting. Some of your listeners may know the name John Kindervog or Zero Trust, but John kinderg is a Forester analyst that created the Zero Trust model, and I was a longtime customer of John's in previous lives and a friend of his, and so he recruited me. I had never been at a company that could afford Gartner or Forrester, so I didn't know anything about it. And it was a very grueling interview process. You had to do a presentation, you had to write research. It was pretty grueling and ended up getting the job. And the one thing that Kindervog told me that was pretty cool is he's like, you get to kind of steer the industry now. John definitely with the Zero Trust, is still steering the industry. But for me, as a new analyst, I wanted to carve out my space because I came from the intelligence community, and then threat intelligence was becoming a thing in the private sector. I created the research agenda and the research that Forrester had on that space, and it was cool because at Forrester, you get to work with the largest companies in the world, large vendors on the cybersecurity side, small vendors on the cybersecurity side.
RICK HOLLAND
So it was a really good experience. Four and a half years there, Rick.
JEFF PHILLIPS
So I should have clarified that the military background was intelligence, but as you just mentioned, it wasn't threat intelligence and cyber security related.
RICK HOLLAND
No, I did traditional, I was imagery intelligence, and I did all source intelligence when I wasn't doing that. So I didn't have the cyber CTI side of the house. So I basically just kind of took the things that we would have learned. AIT is in the army training, where you go to learn your skill set and then tried to adopt that and some of those principles to the private sector.
JEFF PHILLIPS
Got you. All right, so then out of Forrester, you end up with an opportunity at Digital Shadows. Can you tell me a little bit about your work there? I do understand that you actually got to take what you were talking about at Forestar and build a threat intel team from the ground up. So what was it like coming in and going into Digital Shadows, and what was it like building a team with that organization?
RICK HOLLAND
Yeah, it's interesting because I felt like I was in the ivory tower as an industry analyst and I was telling people what to do, and I really wanted to go and help build a company and then ultimately ReliaQuest acquired US. Closed that deal last month. So it was kind of an exciting thing there. But in addition to trying to help build out a company to have an exit, I also got to build out the intel team. And at one point, I did a complete rebuild on the intel team there. So that was a very exciting opportunity. And I still continue to run the intel team today for I guess probably about four years now.
JEFF PHILLIPS
Is there a certain type of individual you're looking to join that intel team? Do you have to have the background? Can you teach somebody that?
RICK HOLLAND
It's a great question, Jeff. When when we first started, we had groupthink and I talk a lot about I've done presentations on cognitive biases and things along those lines. But when we first started, we had group think in that everyone on the team, like 80% of them were veterans or, you know, civil servants in the intelligence community, that that sort of thing. Or law enforcement people that work the intelligence community. And thankfully, over time, we started to diversify that group because you never want a homogeneous group if you're doing intelligence work. You want different perspectives, different backgrounds, different races, religions, sexes, all that sort of stuff there. So we've been able to build a diverse team. I think we're probably about half female, which is pretty exciting. And I have noticed in the intel space in cybersecurity tends to be a little bit more diverse than some other functional areas within cybersecurity. But we want to recruit people that are I was a Russian literature student in graduate school and I speak Russian. And then we're going to teach them the cyber side. Or you bring in an incident responder who doesn't know anything about intel and you teach the intel side.
RICK HOLLAND
So it's really try to have a wide ranging group of people with different backgrounds. If you want to be successful as an intel shop, that's super interesting.
JEFF PHILLIPS
And that's a great point with that diversity of thought. And I've been hearing that a little bit more as I've talked to different individuals, that you can bring some of that other background and we'll teach you the cyber side. But if you know a certain part of the world or a certain country, you're an expert in that.
RICK HOLLAND
That brings some great journalists, actually, journalists has been one where you've seen a lot of journalists going into cybersecurity vendors but then also into just regular enterprise intel teams as well. Because journalists investigative by their nature, right, they're always looking for stories and things like that. So that's a really nice place that people can look for, especially with the layoffs happening in journalism space. Right?
JEFF PHILLIPS
Sure. So one thing is to build the team. What did it look like from a tooling perspective? I mean, maybe you should say a little bit about what Digital Shadows does. So you kind of maybe have a leg up with thread intelligence, but you're building the threat intel team there. What did you have to think about from tooling for the threat analysts to their OpSec skills and the information they're dealing with? Can you tell us a little bit about that element of your team?
RICK HOLLAND
Sure. So for what we focus on, I would say primarily cybercrime related as an intel shop and then Digital Shadows as a cyber security security vendor is looking outside the firewall, looking for corporate data VIPs. We're going to talk OSINT stuff here, doing open source stuff. We also do closed sources stuff. So my team does the closed sources stuff where you're actually having to interact with an adversary. It's something that's gated, you can't use a search engine to find it. So you have to gain access in. And so I mean, I really do look at people process and technology in that order. Right? And we already talked about the diversity of people that's there. But the people are the most important thing. I mean, you could have the best tech stack, the best infrastructure, the best tooling, but if you lose people and you don't have next person up retention planning for someone, that leaves right? Then that can hose your whole thing. So I think that people is the most important part of a shop and then the processes that you have so that people are enabled. Hey, this is our playbook for doing research on GitHub.
RICK HOLLAND
This is our playbook for interacting with Russian cyber criminals on one of the closed source forums and things along those lines. And then finally you have your tech stack. Tech stack could be the tools that you use to do your research. It could be or it would be the infrastructure that you're connecting from to do your research. So it really is that people process and technology. I think a lot of times people just focus on the tech side and they don't really think about the people in the process, which is really what needs to happen to make the most out of your tech.
JEFF PHILLIPS
Can I poke on that a little bit more on the process side when we talk about OSINT and for those listening to us, if you're not coming from a government or military background, that's for open source intelligence, which is an entire intelligence discipline within the government. But in essence, amongst other open sources besides newspapers, magazines, is the internet, right? So it's a public open source information that you're able to access there. When you talk about the processes and dealing with adversaries, that's within the playbook. How do you make sure whether protecting your identity, protecting the company's identity, protecting the infrastructure from any malware, is that all kind of wrapped up in those processes?
RICK HOLLAND
Yeah, you call it tradecraft, right? So we have our tradecraft and intel shops have that. And it's the way that you try to do things and you try to do things consistently from the networks you connect to and connect from the legends or personas that you run. Which is an interesting one in particular because you may have multiple people that are running a legend. And when I say legend here, I mean sock puppet will be a term that some folks may be familiar with, right? But you have created this online identity that you're going out to collect information and it could be open source information from you could be engaging with people on forums that maybe kind of call that deep web, right? If it's someplace that and then I don't like to call it Dark Web because I call it Dirt Web usually, but Dark Web would be onion sites, some of these ransomware sites where they're announcing their victims or on onion sites, and you need a Tor browser to do that. But you have your playbooks and how you're going to interact, how this particular identity is going to speak and the tone and how they're going to engage.
RICK HOLLAND
And you may build up one legend may have a particular skill set, so you have someone that's technical, that's feeding into it, and then the person that's doing the work may actually be a Russian speaker. So you might have multiple people that are kind of building out this profile and then you also have to do care and feeding of these profiles, these legends. You could get booted from a forum if you're not active, if you're not engaging. So there's a whole discipline around it. And it's not something that I would not recommend anyway, to do it without processes in place. Because when you're doing open source research, when you're doing closed source research, you could be putting your staff at risk depending on the type of activity and the type of actors you might be investigating. OpSec operation security is really, really important.
JEFF PHILLIPS
That makes a lot of sense. And I hear you. We talked a little bit in the podcast about sock puppets and legends, not a ton, but I think that is something we're going to have to tackle in some future episodes about what that's all about. What can you do? What can't you do? Are there policies in place for your company? Are you allowed to even do that? What are you able to do? Definitely happens all in the military and a lot in the government side, so definitely an interesting topic to dive in. We might have to bring you back for that.
RICK HOLLAND
Yeah, I mean, that could be a whole segment. Just in that alone, for sure.
JEFF PHILLIPS
Well, we have been in interesting times. How is your team? We've had COVID a lot of us are working remotely. How has that affected your Threat Intel team? Are they working from home? Has that changed any of your processor tooling or even team dynamics? What's it been like the last couple of years for your Threat Intel teams?
RICK HOLLAND
It has been interesting. Digital Shadows has always been a remote, friendly kind of hybrid workforce, particularly in the US. We started in the UK, so there was a collection of people in London, actually. London is a great place to recruit from because you have so many multinational dual citizens there that's actually really good. If you want to have a Chinese British person or an Iranian British person or a Russian British person, you have that melting pot is really good for intelligence work. So we were fortunate in that we didn't have to switch to a new way of doing business or we didn't have to change our trade craft significantly because we were already remote friendly. Now, where we did have challenges is there were some people that we had hired and I hadn't seen him in person for 18 months or they had not worked with their peers for 18 months in person and it was just on a screen like we are now. So if you're trying to I'll give you a very specific example. We do these quarterly I mentioned cognitive biases. You can use these things called structured analytic techniques to overcome cognitive biases.
RICK HOLLAND
That could be a whole segment there as well. But something like confirmation bias, like you see what you want to see, right? And structured analytic techniques help you talk about a problem, externalize it. And we have been doing them remote, like these remote workshops. We'd take something like hey, this threat actor did this. Why do we think or who do we think this threat actor was? And we do these remote on zoom kind of brainstorming sessions. Now that we're seeing each other in person again, it becomes like a whole team building event. We take the afternoon off, no official work. We do some planning and you may do an hour, an hour and a half of discussion on a particular threat topic and we break down and we come to some intelligence assessments and things along those lines. So it has been really nice to be back in person because I think the collaboration you just can't be in person collaboration and we hadn't seen our peers, many of them had been a year plus before anyone had seen someone, just a lone person on a zoom screen. So it's been nice to be able to travel across the US to travel across to London again.
JEFF PHILLIPS
Well, and I think sometimes people think about a threat in telling us that you could be or any of the type of fantasy even in the stock that you can sit there in your dark little world and be doing things. But you mentioned some interesting dynamics and maybe it's more specific to your but where there's some teening going here, whether it's based on language or understanding that country or being an expert in certain cyber things but just like any other parts of the business, working together and teaming seems to add a lot of value.
RICK HOLLAND
Sounds like 100%. I do like the hybrid though, because I think people have gotten to the point where it is nice to be at home a couple of days a week or more and where you can dig into a problem set like oh, maybe you've got to do research on a particular target that you're going after. And it's just easier to be zoned out on your couch with a laptop on your chest, maybe for some folks to go and do those type of works, but then be able to collaborate and learn new skills, educate, deconstruct a problem is nice to be able to do in person as well.
JEFF PHILLIPS
Absolutely. Well, before we close up here, Rick, you've got a very interesting background. You've built teams from the ground up here. Any recommendations or tips for intelligence analysts that are just getting started? So, tips for general practitioners out there?
RICK HOLLAND
There's probably three things that I would say. One is that you do not have to come from the intelligence community to do intelligence work. As I said, with the people recruiting, if you have a language skill that could be very valuable to enterprises, to vendors that are out there. So that's just kind of one thing. Don't think that you have to be some elite or elite cyber hacker to be able to do this work. You don't. The second thing is for people that are more technically inclined, learning Python, I think is a very good language to have because there's so much data manipulation and moving it from one place to another. And you might be doing something with an API on an open source application that's out there and you want to take that data and move it someplace else. So Python is a good skill to have. And the third one, again, I talk about people a lot and this is very you already mentioned the Sancti Summit, so this is I recognize my own bias towards the Sancti Summit, but we're in our 11th year, it's going to be in January. We're going to be in Crystal City in Virginia at the end of January.
RICK HOLLAND
But find something like that because there's the community, right? And actually just having come back from defcon and black hat the whole hallway con and meeting people, it's better than any kind of tool training that you could have or investments that you make there, like building out your network, learning how people that are trying to tackle similar intelligence problems are doing it. From a people process and technology perspective, I just don't think you can beat the human relationships and the human networks that you can build. So, yeah, definitely promoting the Sancti Summit in January of 2023.
JEFF PHILLIPS
That's awesome. Well, Rick, I really appreciate your time. For all those listening, we will have links to follow Rick to check out these different podcasts as well as the Summits. So again, thank you for your time today, Rick.
RICK HOLLAND
Yeah, thanks for having me. It was fun.
MATT ASHBURN
Well, thank you to Rick for joining us for that interview and to everyone for tuning in today. As always, if you liked what you heard, you can subscribe to our show wherever you get your podcasts, you can watch episodes on YouTube and view transcripts and other episode info on our website that's authenticate.com. Needlestack authentic with the number eight Needlestack. And, of course, be sure to follow us on Twitter at needlestackpod. We'll be back on September 13 with new episodes on fact checking and debunking. We'll see you then.