Anna Delaney: Hello, I'm Anna Delaney with Information Security Media Group. I'm delighted to be joined by Kirill Boychenko and Hande Guven, both threat intelligence analysts at Recorded Future. Very good to see you both.

Hande Guven: Hi, Anna!

Kirill Boychenko: Good to see you.

Anna Delaney: So you're here at RSA to cover a really important but unique topic in cybersecurity - combating human trafficking with threat intelligence. Can you talk about how the initiative began or evolved as well?

Kirill Boychenko: Absolutely. For us, it began by a group of interested, passionate analysts who wanted to do something to contribute to an important cause. And we had an opportunity to do so. So we joined our forces. And we were looking at what is known as the 4P paradigm, which is protection, prevention, prosecution and partnership. And so we were thinking, what can we do? How can we employ similar models and methodologies from threat intelligence to help solve problems of human trafficking, offer some solutions and see how we as cybersecurity and threat intelligence professionals can contribute to ending human trafficking.

Anna Delaney: Hande, so what were the big takeaways for you from this project?

Hande Guven: So one of the biggest issues with detecting internet-enabled human trafficking is the fact that it's very difficult to identify. There is no single indicator that will tell you sure proof that there is human trafficking happening. So that was the biggest challenge that we faced, and using the threat intelligence methodologies, we were able to come up with various indicators and identifiers that, when combined, can really get especially law enforcement officials to a place where they can find the references, the red flags that need further investigation. So that was the big takeaway for us, that there isn't a single thing that will tell you for sure. But you can take steps to get to a place where you know what you need to dig into further.

Anna Delaney: And did you actually help people? I mean, what were the results? What were the key results, the wins here?

Kirill Boychenko: Absolutely, we wanted to go beyond scary to actionable. We wanted to offer solutions that would help, and so we came up with a proof-of-concept model. And essentially, it came to the following. So we needed to know what to look for. And we wanted to identify potential human trafficking scenarios. So for that we crowdsourced keywords - keywords that are associated either with active floors, or potentially advertisement of individuals that are in human trafficking scenarios. Then we needed to know where, so we had to identify sources that we later can investigate and see if we can surface any red flags, potential situations of human trafficking. We needed to know how we will do that. And that part was easier for us as threat intelligence professionals, because once we knew where, we were able to scrape the data from those sources, aggregate the data for further analysis. And the why, which is most important, is to provide this model, this methodology to first responders, so they can find red flags and ultimately help survivors of human trafficking, or perhaps it would aid ongoing investigations or further research into this problem.

Anna Delaney: So what's next in the project? So you've got plans to continue research on this research?

Hande Guven: So like Kirill mentioned, we were basing our research reports on the 4P paradigm. So the proof of concept over here had to do with the partnership. One of the Ps is partnership. And so we're continuing our research reports, where we will be publishing another report that we're currently working on. Unfortunately, I can't talk too much about it since it's still ongoing. But needless to say, we do hope that it will be data driven, it will hopefully disrupt some of the criminal ecosystem that contributes to that and will be aiding in the kind of erasure of this problem further. So be on the lookout for more research; there is a limited amount of things I can say.

Anna Delaney: We will be. So I want to move on to another research that you're doing at the moment on the Turkish dark web, and you've written two in-depth research reports two years apart. Could you just share an overview of your findings, but also compare and contrast the two? What happened in those two years?

Hande Guven: Sure. So we first began our Turkish dark web investigations in 2020. I'm originally from Istanbul, Turkey. So when Kirill and I were looking at new sources to add to Recorded Future's collection that were from Turkish language forums and dark web markets and so on, we found a very robust ecosystem there that we don't think gets a lot of attention, whether it be media or other research publications or threat intelligence firms. So that's something that we really wanted to focus on, to understand that ecosystem better. We found that they focused on two primary functions, one of which is patriotic hacking, or hacktivism. And the other is financially motivated cybercrime, of course. So that's what our research covers. We found that there was a big sense of kind of fraternity, camaraderie; a lot of the sources were difficult to get into. And also on the cyber, on the hacktivism aspect, or the patriotic hacking aspect, we found that the hackers see themselves as an expansion of the Turkish military, almost, in cyberspace, which was interesting to us. So they take on a lot of enemy states, as they perceive them to be, or entities that they perceive to be enemies of Turkey. And they use low sophistication methods like DDoS attacks or defacements to kind of inflict reputational damage. So that's certainly kind of something to keep in mind for other organizations, because they could be a target at any time. And when we compare that to our human trafficking research, they're sort of different from one another, just because we looked at dark web sources for the Turkish language research, versus our human trafficking research focused more on the open web. Because we find that although, you know, dark web sounds so scary, and there's a good amount of fear mongering about that, we also find that a lot of threats do come from the clear web; they're hiding in plain sight. So for something like human trafficking, that's the big difference, that they are everywhere.

Anna Delaney: Kirill, anything to add in terms of what organizations can take from this research?

Kirill Boychenko: Definitely. What we found from building collections on the Turkish language dark web is that threat actors who operate on those platforms discuss different tools, they talk about different attacks, they brag about the attacks that were conducted. All that information is useful intelligence for companies and organizations to understand the motivations, the skill, and to be prepared for a potential attack, be it a DDoS attack, a use of malware, a potential spear phishing attack, or anything else. And so with our visibility into those sources, this is something that companies can use to up their defenses.

Anna Delaney: Right. So let's talk about organizations' threat intel programs more generally, and what you're seeing them doing well, and not so well. So when it comes to synthesizing all sorts of threat intel, whether it's third parties, open source or their systems, what missteps do you see them often make that they can improve on? So, Kirill first and then Hande?

Kirill Boychenko: Yeah. It seems like certain problems have been there forever. And many companies, including ours, reported on them, but they're still present. Ransomware is a problem; we found ransomware samples in our Turkish dark web research. It seems to be an ongoing problem. It seems that there are some low hanging fruits in terms of defenses that companies could employ, but not always do: limiting privileged access, not letting users just access the company's resources, the principle of least privilege, defense in depth, patching. Those are very obvious things, but in many cases, they're not followed properly. And then we have an attack surface on our hands that is, unfortunately, seen to be growing and not going away.

Hande Guven: Another thing, in a similar vein, is focusing too much on only certain state-sponsored actors or only threats that are coming from certain countries. So we think that, for example, the Turkish dark web and the patriotic hacking communities, although not very sophisticated, they can inflict damage. So not disregarding them, especially since they are always reacting to global events and the current goings-on in the political sphere. If you're located in a country that sort of has that kind of problem with international relations, kind of being on the lookout for that, because they go for the lower hanging fruits, like also Kirill was saying, but it is still surprising, the kind of the size and the gravity of companies that fall victim to it. So being ready for defamation and DDoS attacks, things of that nature.

Anna Delaney: Because threat intelligence is great to have, only if you can act upon it quickly. So what does good look like when it comes to operationalizing this threat intelligence?

Hande Guven: I think taking advantage of the great amount of threat intelligence that's already out there, right? So having early visibility into threats. That's why, you know, dark web monitoring, forum monitoring, etc., is very important, so that you can actually get in on the intelligence at the chatter level before it even escalates any further. Similarly, with financially motivated crime, infostealers: getting access to infostealer data before they even hit dark web markets. So being proactive, I think, would be the best case scenario.

Kirill Boychenko: Yeah, and some of the advantages of threat intelligence are the depth of collections, the speed, and how far and wide threat intelligence solutions can go in terms of covering different sources. So with that at your disposal, you have a lot more information, and that is always good in our field.

Anna Delaney: Well, this has been fascinating talking with you. Thank you so much, both of you, for your expertise.

Hande Guven: Thank you.

Kirill Boychenko: Thank you, Anna.

Anna Delaney: And thanks so much for joining us. For ISMG, I am Anna Delaney.