Outsmarting cyber villains on a shoestring budget - Roshan Harneker | BSides Cape Town 2023

BSides Cape Town | 46:08 | 209 views | Published 2023-12
About this talk
This presentation covers the most common cyber threats affecting South Africa and how to combat them by building your own cyber threat intelligence platform on a budget. This presentation focuses on practical steps to help you get started with building your own cyber threat intel programme for your organisation - importantly - on a budget! The start of the presentation looks at the cybercrime crisis we face in SA and includes stats and info about the most prevalent threats noted and the "why" behind these malicious acts. The next slides discuss strategies to combat the threats mentioned. The next section is the main body of the presentation - the MacGyver section if you will (since I will speak about using what is already available in people's respective organisations to build a CTI programme), and starts by providing a technical and non-technical definition of CTI, followed by different types of threat intel and what those entail. The slides then discuss how to create a budget-conscious CTI programme (the building blocks), open-source CTI tools of the trade, documented peer-reviewed research discussing the differences between paid-for and free CTI feeds, etc. Since not all feeds are of the same quality, the next slides discuss how to rate the reliability of the source data (threat feeds) and credibility of the information these feeds provide. A well-known HUMINT method to rate and determine data credibility using the NATO Admiralty Code system is then discussed. The presentation ends with key takeaways, with time for questions. Filmed at BSides Cape Town 2023. AV sponsored by BITM Cyber Security.

Morning everyone, thank you for making time for my session. The pressure's on. I'm optimistic that some of what I have to say resonates. I also invite debate, disagreement, etc., because it's the only way we learn, but much of this is just aimed at being practical information to consider when you're trying to put together your own cyber threat intelligence program. Now, I normally don't do "about me"s, but I hear they're nice ice breakers. So, as you can see, I'm a very short but big nerd. Next picture, you'll see my favorite thing, my favorite, uh, beings on Earth. I have ASD, I have Asperger's. The nice thing about Asperger's is that

I can spot patterns in data really easily, and I have a bunch of other analytical skills that I believe my ASD has helped me enhance over time without it being much of an effort. What I'm awfully bad at, though, is reading a room. This bites me in the ass sometimes when I'm lecturing, because, especially when you're in a scenario where you're doing webinars, you can't see how bored your audience is, that they are absolutely dying to go and have something to eat, and often I get interrupted and asked, "Can we please break? You're 15 minutes over our lunch." I'm going to do my best not to do

that. I'm also a very, very prolific gamer; I would say it's probably my only real hobby. Work experience wise, I started out at what was then C Tech doing programming, realized I hated it, moved on to help desk at the now defunct UUNET South Africa, moved on to network operations, moved overseas, did a little bit more network operations and systems administration, moved back home for various reasons (I'm very glad I did), ended up back at another ISP and then decided I'm really bored and I need a new challenge, and this dumbass decided that challenge should be "I wonder if I'd be any good at managing people". Yeah, right. But that has been a very long,

interesting, albeit sometimes incredibly frustrating, journey, and my poor partner has been put through hell and back listening to me rant and rave about that. However, work experience: like I said, started out in help desk. It was actually an internet casino, that was even worse, illegal. um we to KN then help desk. I managed to land a job at UCT as a help desk manager, then I moved on to educational technology services, which I had no interest in, but it was a brand new project they were kicking off. Lasted five years, to refurb and bring IT and AV into the 21st century, because most of UCT's lecture venues were still using overhead projectors, which, judging

from the age groups in the room, many of you will remember from primary school. Okay, so, yeah, so from ACH I moved into, I actually didn't move into but rather moved back, because a lot of what I missed being in management was the technical component of the work, because it's actually technology that I love, not telling py "are you late again? You know this is the 10th time and I'm going to have to call HR." And most of my background these days is information and cyber security related, but my big passion is actually digital forensics, but there are many marriages between all of that, but that's a talk for another day. And I am, for my sins,

after I left UCT 3 years ago, I joined an MSSP. Let's all collectively groan at once. I'm not selling anything. The sales team loves me because I just, I won't. And I'm also currently CISO for the MSSP that I work for. This better. I'll be happy to answer most questions, but I also need to be mindful about some of the NDAs I've signed, so where I can easily answer a question, if there are any, happy to; where I can't, it's not because I don't know the answer, it's because I can't give it to you. If I don't know the answer, though, I will tell you. All right.

I tend to take a very vendor-agnostic approach to my talks, despite working for an MSSP, and because this is a practical talk, not a "buy this or else you'll have to listen to my FUD for the next few hours". Great. So, I specialize these days in building computer security incident response teams. I built the one at UCT. We got, I still call them "we" because I worked there for so long, FIRST.org accredited, first higher-ed institution on the continent to get it. I hope my previous colleague can tell me that we still have it, etc., etc. And I also build SOCs, and that's why I got poached by an MSSP to build the SOC for them. My

latest interest is actually crypto and blockchain forensics, but that's not what this talk is about. I do love to learn, I'm a lifelong learner. I'm also a semi-regular guest lecturer, usually at UCT, once in a while, and even though I love to learn, you might identify with this part too: I suffer from extreme impostor syndrome, and to that end I would appreciate feedback after the presentation from any of you who would like to give me any regarding the parts that you found useful or enjoyed and the parts you think I could have tackled differently or I wasn't clear about. It just helps me evolve how I explain the concepts, how I create these talks. Fun

fact: attended the first BSides in 2011, organized out of an ICTS building on Main Road, room 203, and gave a lightning talk of which I cannot remember, but I know this happened, and the internet says happened, so it has happened. And another fun fact: at one point, you don't know her, but Sam sitting there in the corner and I once were fortunate enough to get the Hawks for a full day and teach them how to conduct a digital forensic imaging exercise using completely legal principles. That was an eye-opener, training the Hawks on how to do it, but I thought it was fun, because, and what

we stressed to them was, remember, this needs to be done in a legally admissible way. Right, so why this topic? I get tired of reading or listening to FUD when it comes to our industry. I prefer practical approaches to solving problems rather than throwing tons of money and expensive tools at a problem, only for your vendor to walk away and go "bye now, I'll send you a renewal in about 10 months just to remind you I exist". So, cool. So, hope you like the title. A previous colleague of mine actually came up with it. I wish it was mine. I thought it was great, asked the permission, she said "yeah, go for it", then I asked if she

wanted to join me for the talk and she said "nice try". Okay, so, my children. None of my slides are complete without them. That's them behaving, so we're just going to leave it at that, because they often don't. But what's the big deal, right? Again, like I said earlier, I would appreciate any and all feedback that's constructive afterwards that can help me grow and improve. But yeah, so I mentioned that this topic particularly, got tired of the FUD, I like the practical approach, but what is the problem that we try and solve with CTI? What is the purpose of cyber threat intelligence? So, very briefly, it helps us

make faster and more informed and, importantly, fact-based security decisions, and helps our analysts change their behavior from being reactive to proactive in the fight against malicious actors. CTI can help us map our organizational threat landscape, that can help us calculate risks, and give security personnel the intelligence and context that they need to make more efficient decisions. It can help us collect, analyze and share information about potential security threats. I'm going to talk a little bit more about collaboration and sharing later, because I know I'm going to get ahead of myself and then repeat myself and then forget I've repeated myself, so I'm just going to stick to the slides. Okay. Some of what I said in

the blurb was that I wanted to do a little overview on why cyber crime is an important issue to pay attention to. Now, I know I'm preaching to the entire choir, so I'm going to leave this as brief as possible. If you think about it in terms of this research that a company called Surfshark did, we rank as fifth in the world in terms of cyber crime density, and the percentage of cyber crime victims in South Africa among specific number of internet users, it's just continuously increasing. Globally, you're looking at roughly 81,000 people falling victim to a cyber crime incident worldwide, and

that, those stats are about 18 months old. That results in losses of billions. And common threats, you've heard all of them before, you've probably got three or four tools for each of them just so we have defense in depth. Phishing was obviously first, online payment fraud was second, extortion, tech support scams. Who doesn't have an elderly relative who's called you and gone "there's this thing that's popped up on my machine that says I need to phone this number and give them my credit card because they found problems on my machine"? And I'm exaggerating for effect, but I had one of those two days ago. How long was I on that call for? 2

hours. No, you know, I think what's key is it's always going to be about education and awareness. So, for example, I manage my mother's cell phone device. I locked it down and I deleted a whole lot of apps I knew she didn't need, and she is none the wiser. I'm not going to go through any more of these stats, I'm conscious that you didn't come here for death by PowerPoint, but those are rather damning numbers. And investment fraud was the most financially devastating cyber crime worldwide in 2022. Happy to share slides, I imagine, post this, and I'm also happy to add all my sources so that you know I didn't just go, I wonder which numbers sound

sexier. Okay, right, our crisis. I borrowed this slide from another talk I did for universities, and then I realized, whoops, I better remove all the references to universities from them, one, and two, a couple of them were ones that I have actually had to do work for, and NDA and all that stuff. So I don't need to spell out the cyber crisis for you, but what I can tell you is the CSIR hosted a hybrid info session in about April this year under the theme of "Cyber crime in South Africa: an introspective look". It's always introspective with no solutions. Their findings, based on the research that they undertook, show

that South Africa is under siege. There have been some significant business plans to spend about 25% more on cyber security in the next 3 years. "Under siege" may sound incredibly dramatic, but we're also becoming more and more desensitized to major security incidents and breaches, because we're reading about them virtually every day, and now we barely blink when we read about them any longer. It's a bit like our apathy, or rather not necessarily ours, but the apathy that you may have experienced with people who live in South Africa about the crime rate. We have become desensitized to the fact that we are under siege in our personal lives too by criminals, but just

as much virtually by cyber criminals. I am wary that I have a soft voice; if you can't hear me, shout, I'll try and talk louder. Okay, some more lovely stats. So Mimecast did a State of Email Security to support these statistics, that show that 97% of their respondents are targeted by email-based phishing. This was their seventh survey that was conducted in depth and globally, and South Africa was included in the stats for a change. So responses were actually garnered from about 13 countries, ranging from your first worlds right down to your developing countries. Cool. With great power comes great responsibility, but we struggle with

limited cyber budgets to protect against large-scale attacks, and budget being mostly allocated to activities that keep an organization profitable or running, depending on what type of organization you have. The scarcity of cyber security skills means that most institutions don't have dedicated teams for info or cyber sec, and many can't afford the salaries required to attract experienced and/or qualified analysts. And I'm drawing a distinction between experienced and/or qualified for a reason: we are not health professionals, and I've had many HR arguments with people about putting in "I want an NQF 8 for that senior technical specialist role because that will prove to me the person studied". Yeah, what, psychology? You want to be able

to get a task force, or a workforce, and hire a bunch of people who have proven experience, whether they got it watching a ton of YouTube videos, which there's absolutely nothing wrong with, or whether they did it by going into the Wayback Machine and seeing what we used to do in balal days (oh God, I really am old), etc. You know, the fact of the matter is there is a cyber security skills gap, and we do struggle with the lack of competitive salaries, and depending on where you are in South Africa, you struggle more, because if you're stuck in po you're going to be earning a fraction of what somebody doing the same work in Cape

Town or Johannesburg would be doing, for example. Moore's law: we all know Moore's law talks to us about the rate of change in technology, and when it comes to the rate of change in tech and malicious activities, that rate of change makes it incredibly difficult for organizations to keep up with the pace of digital evolution. Great, things are evolving, malicious actors are evolving their tools. Me, I am licensed for that for so many months more, so I guess I'm going to keep to that and tell my team "why aren't you doing more with it?" And another big problem is that most institutions, through no fault of their own for the most part, UCT, looking at you,

you use legacy and/or end-of-life systems and infrastructure due to burgeoning costs, poor forex rates, and the fact that the majority of the budget's going to go into whatever most feeds that organization and the work that it's meant to achieve. Whether it's a private sector company that's in it to make money or a college or university or learning institution, the emphasis is never on "please, here's more money to spend on IT" or "oh, absolutely, here's a bajillion squids for you to go run a better security program for me". A lot of the time the financial decision makers don't actually see the value in what we do with our

security tools, because they can't see an ROI until something bad happens, and we don't want something bad to happen, that's why we ask for these things. Okay, there's also a huge reliance on third parties and contractors. Supply chain attacks are on the rise: SolarWinds, Microsoft, I name any new ones. Yeah, as an Okta customer I really enjoyed reading their, um, their latest admission. Oh yeah, no, that was a very late night. Anyhow, there's also a lack of coordinated and structured response to cyber risk across departments. I also believe there's not, and my last line for this slide is that there's a lack of cyber awareness among staff, but I also believe there's a lack

of awareness of what cyber risk looks like, and really, when you're drawing up your pretty little risk register, where the heck is security on it? It actually underpins all the work that you do, whether you want it to or not, whether you like that fact or not. I'm seeing far too many risk registers that have security as an afterthought. Yeah, right. Oh, bring on the bad guys. So, some common security threats. Again, preaching to the choir, so I'm going to go through this one pretty quickly. Phishing, no, always number one, and I think we all know why. Criminals send convincing-looking emails posing as legitimate entities to trick them into revealing

sensitive info. The other part of phishing attacks is now "how do I protect myself against QR code scams?" Yikes. So our adversaries are advancing the technology that they use to circumvent our systems faster than we can even keep up with the knowledge that they're gaining to know how to plug the holes that they're finding. Then there's ransomware, not going to talk about that. Data breaches, don't need to tell you the result of data breaches. Insider threats: they don't often come up, but they're actually one of the, damn it, I was about to give an example and I realized I couldn't, but needless to say I've worked with a good

few insider threats, and they can come from current or former colleagues who either misuse their access privileges intentionally or accidentally and share sensitive information. But sometimes I think one of the things we should be looking at when it comes to our insider threat is the people who are being targeted by syndicates: what are their financial situations, and how is that information so easily available that the syndicates know who to start targeting to get little bits of info at first, and then up the ante and up the ante and up the ante. DDoS attacks, don't have to tell you more about that. Unpatched software and vulnerabilities, the absolute bane of my

life. Weak passwords. The fact that so many organizations I've spoken to don't want to implement MFA because it's yet another step. In fairness, in a South African context, trying to implement MFA at a university is incredibly difficult for a multitude of reasons. The socioeconomic conditions that students live under mean that not many of them can afford smartphones that can have an authenticator installed so that they can generate a random OTP. So these all, you know, they sound like no-brainers, but we also have to consider the South African context. Then social engineering. Oh man, I love this social engineering one, because I actually have used it, done it very

successfully. Didn't exploit it, but did it to prove a point. There's also your third-party risk, and a lot of the breaches that we hear about over the seas often seem to stem from a third party not having the necessary security in place, or logging into their Gmail account while they're on their work device, blah blah, and so forth. The proliferation of bring your own device and IoT, that's another reason why we're facing so many cyber threats, and mostly because we don't know how to properly secure them. Then there's your compliance and regulatory challenges. Depending on the nature of your organization's business, they must adhere to various data protection regulations, where non-compliance can lead to legal,

reputational and financial consequences. I want to end with this thought before the next slide: remember, your adversaries, your malicious actors, they only need to be successful once. We need to be plugging a multitude of holes constantly and in search of more. But yeah, on to the next one. So, MacGyver's Marvels. I think this was a, oh yeah, there's the writing. So I'm sure most of you remember MacGyver. It's also a verb these days, if you read the Merriam-Webster dictionary, and it's a verb to talk about making or forming or repairing something using what you have

around you. So, in the face of seemingly insurmountable challenges, we all possess a remarkable gift, the gift of MacGyverism, which is the art of finding ingenious solutions in the most unexpected places. Those intrepid souls who can turn a paper clip into a lifeline, or a cardboard box into a sanctuary, and a humble rubber band into a force of nature. And now we're going to dive into some strategies to combat security threats and how you can MacGyver your own bag of tricks to create a budget-conscious CTI program. Quick question, how many minutes do I have left? 10? 10. Oh, I better rush. Great. Okay, so some strategies to combat your threats. Security awareness training: do

this as regularly as possible, and don't be punitive about it. Use it as a learning exercise rather than "you duffed up again, you clearly never listen". Patch management: it seems simple, but it's just never, ever consistently done. Access controls: implement strong access controls, including your MFA, including your least privilege access, in the name of limiting exposure to your insider threat. Have an incident response plan, no, not something you grabbed off the internet, made a few adjustments to, put your company name on and went "boom, here we go, ISO 27001, here's my incident response plan", just so I can meet that control. Then data encryption as well: ensure your data is being encrypted

in, your sensitive data, sorry, is encrypted both in transit and at rest to protect it. Collaboration: collaboration for me is probably, and the first speakers touched on collaboration, but I find there's this absolute dearth of people willing to collaborate with peer institutions or even each other to share threat intelligence, to stay informed about emerging threats and best practices. Yes, there are the ISACs for various sectors, but there's no real civilian-level ISAC movement, as a maybe, and this is something I've been giving a lot of thought to. Also ensure you have regular security audits and assessments. These help you to identify vulnerabilities and areas for improvement, but caveat: make

sure whatever you're getting audited against is actually relevant to your organization. If you're not a bank, do you really need to go the whole hog, etc.? And then of course vendor risk management is really important, and organizations must continuously adapt their cyber security strategies to address evolving threats and ensure the safety and integrity of their digital environment. Boom. Okay, so why this topic? What's the purpose of cyber threat intelligence? It helps us make faster and more informed and fact-based security decisions. It also helps us change our behavior from reactive to proactive in the fight against malicious actors. It can help us map our organizational threat landscape, calculate the risk, and give security personnel the intelligence and context

to make more efficient and intelligent decisions. It can also help us collect, analyze and share (there's that share word again) information about potential security threats with our peers, with trusted groups, and obviously TLP it. Okay, I asked ChatGPT to give me a nice definition; as you can see, it wrote something pretty. I like to describe it like this: it's a process of gathering and analyzing info about potential and actual cyber threats in order to better understand, anticipate and respond to them. This info can include your IoCs, indicators of compromise; tactics, techniques, your TTPs; vulnerabilities; threat and threat actors. It's used by organizations to identify and assess cyber threats and to develop effective

strategies to prevent, detect and respond to them, rather than go "whoops, need to plug, use a Band-Aid and move on until the next big flood". There are many different types of cyber threat intelligence. I'm just going to read them because I'm running out of time, because somebody can't tell the time (me), but you get strategic, tactical, operational, technical, HUMINT, OSINT (love it, used it several times in a couple of forensics cases very successfully), there's closed source, there's your indicators of compromise, vulnerabilities, geopolitical and industry-specific. If any of you actually want more info, very happy to be cornered somewhere and we can have a conversation. CTI

components. So you get your data collection phase. It's the initial phase: you're gathering data from various sources, your internal logs, your external feeds, your open source intelligence and your closed source intelligence. What a lot of people fail to realize is that your CTI doesn't have to be in a beautifully packaged platform before it's CTI. Your network is a veritable wealth of lots and lots of CTI that you just need to know and learn how to use, and how to use better, and share with trusted peers, so that in some cases, if they haven't yet seen a particular IoC, they're now in the proactive mode. You reactively found it, but they get to be

proactive. Data processing: once you collect the data, process it to remove the noise and irrelevant info. And analysis: very critical component, where a skilled analyst examines the processed data to identify patterns, trends and potential threats. Analysts use their expertise to understand the context and relevance of the information. Contextualization: context is so, so important. It's more valuable when it's placed in context of what it is that you need to protect for your organization and what type of business or work your organization is involved in. So analysts can provide context by linking threats to specific vulnerabilities and attack techniques, potential targets, etc. It also helps organizations assess the severity and relevance of threats that they are

facing. Threat feeds, oh, always contentious. So there are external sources of threat intel that organizations subscribe to or monitor, and these provide them with continuous updates on known threats, known IoCs and emerging attack techniques. I don't think I need to tell you what an IoC is, so I'm just going to move on to the next one, but what I do want to say about TTPs is that it's really important to understand how TTPs are used by malicious actors against your organization, so that you can start working towards anticipating and defending against those types of cyber attacks that either meet with those TTPs or similar tactics. Attribution: while challenging, attribution involves identifying individuals, groups or

nation states behind an attack. Attribution can inform response strategies and help organizations understand threat actor motives. Actionable intelligence: very important. You can get so much threat intel from loads of paid-for and free feeds, but, you know, it's like, how relevant is it to me right now, in what I'm doing, in the work that my company is doing, etc., and so forth. So yeah, it definitely helps making more informed decisions, but also being able to take appropriate actions. Reporting: the findings and insights from the analysis of CTI are often documented in reports. These reports can vary in complexity from brief summaries to detailed assessments

depending on the intended audience, but I challenge you to consider when last one of your vendors sent you a report and you actually read this thing end to end. Was it useful to you? And if you did do it and it wasn't useful to you, it's up to you to go to your vendor and say "this is not the kind of info that I'm paying you for; what I need is this, because I need a far earlier alerting system than the one you're giving me one week or one month after the events have happened". Info sharing internally: once analyzed, intelligence needs to be shared with relevant stakeholders within your

organization, like your IT teams, your security teams and executives, to help facilitate that the most informed decisions can be made and responded to. Integration: CTI should be integrated into an organization's security infrastructure, and that can include, if you have one, your SIEM systems, your IDSs and other security tools. Integration helps you to automate the threat detection and response, so rather than you poring over, yikes, dozens and dozens of entries for hours on end, a platform that's been configured correctly with the feeds that you want to see will actually pop out answers at you a little faster and do a level of verification. The feedback loop: the feedback loop is essential for improving

the quality of the threat intel. Organizations should gather feedback from their incident response activities and use that to refine their intelligence processes. Information sharing externally: in some cases information is shared with trusted partners, industry groups or government agencies to collectively defend against threats and contribute to broader threat awareness. There are ISACs globally, like I mentioned earlier, that also share threat intel that's sector-based. In the UK there's an initiative that the NCSC is running called CISP. Unfortunately you need to be working in the UK to sign up for it, but it's free, and CISP pretty much stands for Connect, Inform, Share and Protect. They do follow the TLP protocol as well, so you know your data is, if you decide

to make something not TLP white, for example. And the other important part is that the CISP service actually allows professionals to collaborate on cyber threats in a confidential and secure way. So collectively these components all work together to create a comprehensive program that can help an organization proactively identify and respond to their information security threats, which ultimately will also help them enhance their overall security posture. I am not going to talk about the Pyramid of Pain, because you all already look like you are in pain, but one thing I do want to say is it's a topic on its own, which is also why I wasn't going to talk about it, but I did want to

highlight that it is important in relation to CTI, and here's why it's become a cornerstone of many CTI teams and platforms: because it's used to guide, just, okay, what am I going to concentrate on. It represents visually how your IoCs are more difficult for an adversary to change than others, etc., and so forth. pus actually released a paper saying, well, they don't quite agree with the Pyramid of Pain, they think it needs a couple of changes. I'm not including that in that, I still think there's a lot of value in this, but the one last thing I want to mention about the Pyramid of Pain is: would you really want

to waste all your time on hash values, which are trivial because you can change them in seconds, or are you going to worry about the TTPs, which, once you've identified what your adversaries are doing against your environment and made a modification to prevent their tactic from working, next time they now need to put in extra effort to either build a tool or buy a new tool. In other words, what you've done has made it more difficult for them to break into your systems, meaning they move on to Sams because, no, I'm not touching that one, less effort please, I didn't sign up to do this for 16 hours for no payback,

for no for for absolutely no success so yeah so eventually they'll just move on to easier targets um yeah great your budget-conscious CTI program important to I can go into this in greater depth but I have a sense that I'm not going to be able to define your objectives and scope assess your available resources use open-source intelligence it's there collaborate with industry groups where possible um if if a if an industry group won't collaborate with you create your own I'm sure you'll find other like-minded people who will want to be part of that type of initiative consider the use of free and or low-cost CTI feeds and tools automate automate automate the harder you make

the the job of actually um analyzing and bringing together your your feeds the less inclined your analysts are going to be to even want to look at them invest in training also prioritize threats in relation to the business that your organization most U conduct but also the threats that they most often are um attacked by create a basic incident response plan once you've created it uh use it not some pretty document to go and add to your ISMS look look auditor I've got this too um I'm not ripping at auditors I have to sit through so many of these audits but it's and and so similar problems often creep up create a feedback loop implement basic security

hygiene keep informed of trends and threats seek free training and resources if if if your organization's unable to send you on paid-for ones think about outsourcing but not too hard um like I said I'm not here to solve a thing um and I I've always been of the opinion that I'd rather try and build something myself first than spend money on a tool that I don't understand yet also don't forget to measure the efficacy of the program that you put together once you put it together caveat very short list yay so just remember in your journey of creating your own CTI program all indicators are not created equally which means you shouldn't necessarily be spending the same amount of time

analyzing all of them look at the ones that you've already already decided make the uh may have the most impact on your organization verify your IOCs do not try to cover every single TTP that the MITRE framework tells you to because you're going to cry one and two it's unnecessary look at the ones that are actually relevant to your organization make use of threat aggregators they will make your life so much easier and don't stop learning and innovating I think I'm really done um yeah so just some information I'm not going to go through this because it's really these are some of the tools of the trade what I did find very interesting and I do want to mention this before I am

probably carried out of you is that um so I actually went to read up some white papers and there was a combination of um uh commercial and open source and vendor threat feeds combined that it's been found they provide the best benefit but some research um can't remember the precise university names it was it was actually fairly recently that that that this was done but what what was found was that there wasn't any real overlap between the O the open and the and the paid threat Intel feeds in in terms of indicators the other question that people who bought paid-for feeds were asked were um did you find the free ones useless and they said no actually we

just found them noisy and we like the fact that these were already curated to our environment so some food for thought for you when considering do I use open source or do I use paid-for feeds that if you're willing to put in the time to curate your open feeds to show you only what's important to you there's no massive difference between what between um what you get when you buy one versus what you get when you C when you curate the open source ones some platforms to consider if any of you want to take a screenshot um also advantages of using such a plat of using CTI platforms automation is wonderful automation when coupled with SIEM and SOAR

is even better but automation doesn't automatically automatically have to mean you must use a s there are a couple of these um CTI platforms that have levels of automation built in they also help you quickly prioritize your security concerns they're able to help you integrate your multiple feeds rather than individually monitoring or feed by feed by feed and thus you actually speed up your investigations and they assist with recordkeeping yikes I am really out of time aren't I so unfortunately I then can I tell you about how to use um there's this great tool it's it's by the NATO Admiralty Code system what and this is actually used for human intelligence but the same principles apply these are the caveats for you to

consider when you want to know the reliability of info and these are the caveats when it comes to considering the accuracy of info and I am done thank you very very much for your [Applause] patience