
Hey, good evening. Thank you to the people who are staying here. The topic today is really interesting for me and for the youth who are here. I came here on behalf of, and thanks to, BSides; thanks to Nikhil and their team; thanks to all the people who are here. The objective today, which I'm going to explain here, is about the threat intelligence part, cyber threat intelligence, and the role of bug hunting and bug bounty, basically reporting various vulnerabilities as well, and the people who are still struggling for a job, or maybe are not happy with their job, or maybe are good at some sort of experimentation in their own area. It could be forensics, it could be research, something like that, it could be cyber crime intelligence, it could be anything. So the point here is some case studies on the same topic, which is diversifying the use of cyber threat intelligence in this area.

So the first thing which comes to your mind is: what exactly is cyber intelligence, what exactly is CTI? I'm not going to tell you what exactly CTI is, because many people have their own concept. Some people have their own knowledge of VA and PT, VAPT: finding some sort of vulnerabilities, assessing and categorizing them high, medium, low, reporting them somewhere, or maybe trying to exploit, to penetrate into something like that, creating a PoC and reporting that PoC to the agency, and further you get a Hall of Fame mention or some sort of reward. But does it really matter for the companies who are looking into the CTI domain, or the police, or the government, or the private sector? Because we have seen that in India, or in any place generally, those who are into this domain are somewhere not happy with their things. Myself, from a government agency's perspective, when we do hiring of people like that, what are the missing elements? If you talk about any big-shot colleges or something like that, even they have the same thing: the name is there, "oh, this is a college", but still when you ask the person exactly what they have done in their domain, what kind of knowledge they have, that is something far from reality.

So, without wasting time: a very beautiful thing from my perspective, because I'm from the same domain, which loves data. Data could be from any domain; the entire thing in this era depends on data, and we are playing here because of the data. So, a journey: the content for the forensics people who are here, who are from IR, who are from
DF. Simply, what is happening here? For me, in intelligence, basically we think about what kind of juicy information we can get. In the last slide presentation we saw a person injecting some random commands through a URL, correct? So if you know that he used percent-encoding, percentage-two, percentage-P, something like that, that flag thing, we have to check from the events and the URLs which are there. But we are still facing one thing: when any enforcement agency or police or any XYZ sends data to Google or to an ISP, they mention private IPs rather than public IPs. So think yourself: where we are, what exactly we are, what we are doing, what we know and what exactly we are playing with.

So the point here, from the CTI perspective, is that if the content is there, for example, take one example: if WhatsApp data has been deleted, or any image has been deleted from your phone or from Google Cloud or from AWS, wherever, what are the mechanisms, what are the ways, what are the parameters by which you can retrieve the data or collect the information? If you know the manual process, if you know the automation of something like that, that is the real information, rather than depending on some tool, that yes, this tool can explain good information, this tool can give good information. So practical things can give good information.

Like when some person asks you what the difference between automation and manual is: of course, when you talk about automation, there are the code's limitations; similarly, when you talk about manual, the manual thing is what many tools do. So when you ask a simple question about recon, many tools are there, but exactly when we use Recon, full recon, something like that, what happens exactly? Every tool has its own beauty, so when you do benchmarking with different tools you'll get good information. So my area is like, when you study the forensic part, I have to play with all the tools and benchmark exactly what is there.

So when you talk about CTI, cyber intelligence, in India or in the foreign perspective, we depend on the vendors. I'm not against the vendors basically, but I'm saying the vendors do what? Why? Because a green-and-black window with a showy font is there. But has anyone thought about the data which is coming from the background: how it is collecting, how it is parsing the data, which is in different formats, how the IOCs work basically? So sometimes this is also important for the same thing: cyber crime, cyber security, cyber forensics, cyber NOC/SOC roles, cyber DF, ML. My point here is, from the Indian perspective, when I worked on a SOC, many people work on SOC solutions; they aggregate information and they show their information as L1, L2, L3, like that, but the
point is, when you use this information for the government or for the private sector to provide information. So a simple concept is client and server: when you inject something, SSL is there, it goes to the server. So now it is a common misconception that HTTPS websites are safe. HTTPS websites are safe, no doubt, but it's not legit, it's not legit, because anybody can use a free Let's Encrypt or any free SSL certificate; it shows as genuine, but the authenticity, talking about the genuineness, is not there. So many people still have the doubt that HTTPS is safe. So the point here is the diversified things from the crime perspective, the security perspective and the forensics perspective; everywhere the data and cyber and the threat play an important role over here.

So these are a few fundamental things. Thinking about the infrastructure perspective: water, irrigation, defence, telecommunication, basically hanging over you, yes or no? You have seen that a company claimed "yes, I'm from XYZ", I'm not pointing names over here, and even though they were leading in threat intelligence, they got stamped by some hackers. How? A piece of code. Who defined this piece of code? Me, you, you, you only. And who defined the framework? Basically you only. So you know exactly how to do it first of all. So the point is that in CTI, if you understand exactly how the solutions work, how you can extract information, how to find that information, how the framework architecture works, then only can it give beautiful information in terms of the entities; it could be a private player, it could be government, it could be anything which is there. Very old slide; I hope you have heard about these things.

No doubt, the point comes here: aren't they aware of the cyber crime perspective? Aren't they aware of DDoS protection, cloud security, everything? VAPT stuff, bug bounty, everything they do, but still a word called zero-day is there. So no doubt here what our role is, what our CTI part is, what our forensics is: we should know exactly how it happened. We talk about the ATT&CK matrix, we talk about the DFIR process, we talk about incident response. So suppose a website gets DDoSed. The concept is, when it is DDoSed, which logs do we have to study? Those logs give what parameters? Which parameter, which attack? So when you know that information, then you can get through all
these things. Jumping onto any VAPT use case, vulnerability finding, that is a separate part. So the point is that when we study these fundamentals, understanding the case studies, only then can it give some information for these things. No doubt they can go to the terms perspective, the crypto angle. You have seen deepfakes; the Telegram bots are there which remove the clothes of women. Have you seen this, heard of this? Many people committed suicide. But unless it is also defined by the source code, the hosting, where it is hosted, different countries, IPs, different things are there. So to create that bot, that API, again we use some sort of technology, some programming languages, hosting something on GoDaddy or an XYZ server; that is a platform.

So if you play a role, you studied something like that, you are helping police or helping government or helping an entity: I got to know that this part has some vulnerability, and while doing analysis of that API or that particular bot we found some juicy information, and that juicy information talks about a source, a GitHub username. It could be the answer that yes, this person would be a developer. That developer, when you talk about that, you give it to the police and tell them the GitHub data; only then can it give good information. So the point is that the police don't know exactly what GitHub is; they don't know exactly this. So this is the gap which you people need to fill: when you work, or maybe you are the client of something, or maybe you are providing services to the company, like that: behind this bot is this email ID, this is the GitHub profile, this is communicating with this database, this data source which is in public mode, which could be in the cloud, which could be AWS. So sometimes these practical things can help for the same thing.

So the point here is one area called this: so my beauty is what? What exactly is the modus operandi? In your language we can say that yes, to hack some website we got a zero-day about the contact form, we entered something random; that concept is something called the method, basically. So the intrusion point is what? The intrusion point is basically where we are uploading the content from the contact page, so that is the intrusion point. Scanning all the website, filtering all the concepts, that is the cyber crime, cyber security part, your VAPT part. But talking about the CTI part, what exactly did that user use? For example, he used a VPN, he used a proxy; after some time he may use a real IP. So when you see the layers of these websites, first it goes to the VPN, so through the VPN IPs, after that it goes to the real IPs. So we have to study that traffic; then you get to know exactly which port
number, which IP it is hitting, for the same thing. So for the foreign IPs, okay, no, but for the Indian IPs which are there, it can be subject to the investigation. So those pointers, you can get to know exactly how Nmap or such things can be worked out in the initial investigation. So now you ask me why we are focusing on all this. So one use case I have taken here; there are many use cases which could be there: who are the potential suspects? So when you say your website got hacked, do you understand exactly what the attack medium is, the attack surface? Ransomware, basically: the attack, for example, what data is it asking for, what kind of key is it asking for, what kind of ransom is it asking for? Or maybe when you study the ransom code, something like any data dot ABCD: that ABCD is the string, and that ABCD you study on No More Ransom, and then you get to know exactly, and after some time you get it. Why do you get it after some time? Because if this thing was created by any threat actor or something like that, that sample could be uploaded to Kaspersky or some different country, then their team exactly researches those things; they can find the decryptors for the same thing, and accordingly they get to know exactly what is what. So random things are there. Hence, we are
running out of time; I'm just skipping all these pointers, but these points are required: what crimes were committed. So why am I asking about crimes? You can take it as an incident in your case; this is an incident, for my case it's a crime. So an incident was: if any website was there and while doing some random script we saw the API keys over there; in that information there could be leakage, source code leakage, or any misconfiguration. So that information, how it goes, how it comes, those pointers are also required while doing all this analysis part. CTI, again, the definition is evidence-based knowledge. In simple language, we are studying news channels; similarly, when you talk about these hacks, this kind of attack will be done by some Russian hackers or Indian hackers, a country. So countries: these are the players. How do we define all these things? Through the IP, through the TTP; the tactics are there, procedures are there, techniques are there; accordingly you get to know exactly who the players behind this situation are.

So, working on the same thing, this is a reality. The reality is that around 34% of people didn't have any prior experience of the OSINT part. So using Kali is okay, but again, using Kali tools to, you know, do a good investigation or to find information, that is a separate part. Similarly, we
have 85%; see this, the last one, 83% of cyber TI at least use the browser as their tool. Is it? Yes. Is it still depending on the tools which are open source? That's a beautiful thing, but again, when you talk about some agencies, they are still not depending on the open source; they are completely focusing on the commercial tools. So, just a sad reality: we have to focus on the things which are still available from the open-source perspective.

Moving ahead: data. Data is data, no doubt; data is everything. Data, intelligence, information: for me, intelligence is very important. We have to just segregate it; there is a perspective, an organization perspective, these things are there, but for me we have to know exactly how these things are working. Virtual private, VPN, redacted privacy, fast flux, fast-flux DNS: so one attack from one IP, and after that, in two minutes, the IP of that server is changed. This is called the fast-flux kind of concept. So like, you can say load balancers are there, you can say that application is hosted on some IP and behind that multiple IPs are there, multiple VPSs are there. So by tracking something, taking down those websites from the firewall rules, updating, you know, those firewall rules: it won't work. So the point is, why is it happening, what is the impact of doing that? So when you ask about the MITRE framework, the last point, exactly what is the observation, what is the main point for the same thing. So this is there.

Still people think: bulletproof hosting, heard about this? Recently many applications were banned by the Government of India. What is the reason behind that? The various applications, which could be done by, you know, some known friendly nations of India basically, were silently taking over data. We are starting mobile applications; we want to use ChatGPT; people are downloading ChatGPT from the Google Android Play Store; no application is there, still they have the logo of ChatGPT, people think it is the real application, silently taking over data. Data is beautiful. Similarly for the other areas, if they have to download anything, they still accept and go, go, go for the same thing. Anyway, this is the bulletproof servers part, which is talking about the CTI
part. So similarly, everything hosted by SMS, a number is there basically, and the second point is the IP: if the IP is hosted in a different country and that country doesn't have a strict law in its domain, how could it work out? So there is a web of these things. Anyway, it's a platform. Moving ahead, it's just a technical perspective, like what exactly the CTI part is. We categorize vulnerabilities, you know, high, medium, low; similarly we have TLP, that is called red, green, amber. If any vulnerability or any weakness or any leaked data is there and we are reporting it to only one company, for example I got a vulnerability in BSides Ahmedabad, so it's my duty to report only to BSides Ahmedabad. If I'm posting something on a public platform, that is not the best manner, even though we have to ask for the time period, the PoC period, to report. Similarly here, when you have some information, you report to the Government of India, something like NCIIPC, or you can say CERT-In, or you can say anyone; thank you, thank you, thank you: it could be zero, it could be a duplicate, multiple things are there. But what we are talking about here is this part, the TLP, which really helps for the intelligence. Here, the investigation: all the emails, phones, photos, ID cards, websites. So in your case there's a hash value, SHA-1, MD5, that is one; the IP part, that is two; and the third is called the URLs. Depending on all these things, am I correct?

Moving ahead: if these things are connected through this particular, you know, any sort of criminal intelligence basically, or forensics perspective, we have these elements. If something has been circulated on WhatsApp, how can you delete these things if something is already downloaded on your phone? So WhatsApp deletes remotely, basically. So sometimes the fundamentals are also very important, to know exactly where the roles of forensics, legal and CTI play a role in the picture. Now it's a beautiful example: this is the campaign which is there. Now you see, this is the second point: a hacker claimed that "catch me if you can at gmail.com", catchmeifyoucan at gmail.com, and that hacker could be available, you know, on the dark web, and while doing OSINT you won't get anything from the public platform, but you got that some data has been leaked, and that data could be BigBasket or XYZ, where he used this email ID. So on the real surface web we got that email ID; we checked that email ID, we have the BigBasket database, and that leaked data connects: his address is so and so, place. So sometimes this linkage analysis of the dark web as well as the surface web gives very good information. So that is the role of
data that is a beautiful meaning of data and that that information you can use from the cyber crime as a cyber certain inal perspective where you can connect both the linkages the question is like when you search about the data Json based jumping it the it could be any mongodb db. SQL CH for that that give information for the leakage basically which is which is available over there now next point is what this this this this so the beautiful is what this beautiful Point beautiful you are this why I'm saying beautiful Ur is basically this this is the game profit Mania profit Mania profit Mania profit Mania if I use the same you same logo same photo of that
profit manual then people think yeah this is a really real real profile but the game is what underscore dot underscore double A like that so nowadays maximum crimes are happening as well so when you think about the threal part over here so when you ask data from Facebook or this meta platform they provide that the profit man are having this so when you talk about double gangler double gangler websites are there like something.com something.com something.com but there maybe some is double some it could be things gs.com doin doxyz white. wi site. XY but somewhere the domain and the subdomain May link with the same thing so it's similar case when you find the duplicate website of G20 or covid similarly think
about the username perspective this also homework can provide the good information for the same thing so now we have one information scenario one scenario two in one scenario you say sir I have one number one IP from one IP what exactly you can get you won't get anything but talking about multiple IPS at least you can pinpoint who is the perpetrator and what exactly he's trying to get information that IP could be from is of men IP could be from different country but the point is that the objective maybe that objective is what the fishing page fishing page of what your company fishing page of what SBI bank fishing page of what fishing page of anything so so that is the thing so
point is like when you have multiple multiple multiple scenarios multiple numbers multiple ass headers so that data when you when you study when you find you get the pinpoint yes these are from Jara from new fromat and then they give good information so some like hackers to to who to The Experts so when when they do study how they got you video and I got very beautiful thing flut now it past person is saying like this and we are here talk about you know so point is that when we see these all things when we get to know these thre actors not hackers thre actors they're deadly actually they have good knowledge they have good findings
and they say yes, sir, check my website, track me if you can, things like that. Hosting, good, ID redacted, privacy, one information, anyway. So when you search DNS, that reverse IP lookup, you got kotak mahindra apc.com; similarly another hosted one called hdfc.com, but the domain, the hosting server, the hosting IP is the same. When you do a reverse IP lookup of all those things you'll get the information: exactly what he is pointing at. Now the catch is what? When you go to this website and when you do some sort of purchasing, when you do some sort of transferring of money, there's a payment gateway. That payment gateway of what? It could be UPI, and that UPI gives the good information: exactly who the person behind the website is. But the payment gateway being the communication point, that information can help to catch the perpetrator. Application: see, certificates are there, the strings basically, talking about how they are communicating. So when you talk about the APK part or different things, this information is there, but nowadays they're using Google Firebase; similarly, behind that, it's very tough to find this information.

A beautiful thing again: this application website, XY613 dot in, an Indian registry domain; easily we can get the information, no doubt, from the China country. Second, they ask for the recharge of money, the orange button; while doing the recharge it redirects to a different website. The third indicator is the app download. So one, the website; second, the recharge application; third, this app download, an APK file. When you redirect to the website called gateway dot signup, when you click on recharge, something goes to tradeline UPI 1 2 3 4 5 6 7. These are the indicators. So when you find all these indicators, it can help exactly who the perpetrator is, you got the point? So that is the thing which somehow helped to catch the gang, because of all these. Maybe Mixin is not giving information because that thing is hosted in China or a different country; maybe the gateway is not giving by this, but this APK and the communication point and the tradeline UPI, maybe that can give some information.

So those pointers, when you flag them, apart from the cyber security point, there are indicators that can help for the linkage of these things. Moving ahead, see the source code, the application part, 47-something like that, this server, the port number as well. So like the tools you have mentioned, Shodan, Censys, XYZ: do the reverse analysis, reverse things, then we get good information. That is the power of CTI over here, the power of these things. Why is this source code there? So searching this source code, searching this .js JavaScript file, decoding all these things, hosting the content on Alibaba as well: this can again give good information, like what other things are hosted for the same thing. That is
one which is there. Attribution point: different tools are there, taking a snapshot from group I to lazy one domain; this is a domain basically; the domain is this, the domain is this, Amazon, eBay, eBay, Amazon, and the slide changes are there basically. So in the last slide we saw, in the last presentation, that favicon; we reverse URL search, reverse image search, so that can give good information for the TI part. With the help of that favicon, that SBI logo or some client logo, if you check on the website how many logos are there for this time period, or how many websites have been generated, sometimes that reverse engineering, reverse search, reverse doxing from this thing, can give good information. So the point here is that through the email only we got to know exactly how many websites have been registered. So we got a website called amazon dot something, and we checked that amazon dot something, and we got other websites also there, meaning these are the parked domains that can be used for future cyber crime or the Intel part. And no doubt the beautiful part is: not the professors, yes, guess, guess, guess; benchmarking and communicating or using multiple tools as well. If you think Google Images can give information, are you sure? Think about Bing; it can give good information, are you sure? So why search for an image, for reverse image analysis? So those who are into GEOINT or IMINT or SOCMINT, social media intelligence, they always try different tools, like we are using VAPT with different tools; similarly, for researching something, we have different tools. The point here is we searched about a cartel called, on the dark web, with these, you know, these, and we got these things. So multiple things can link with the websites, like yes, this is fake. So one is called the role of cyber crime, cyber intelligence, or you can say cyber security pointers, like when you find a vulnerability or a VAPT or something like that, the report can really help. The legal angle is always required: you can't do anything from the IP; at least you need
legal intervention through the court, through the police. If you say I can go to Google, I can search where my phone was lost, it can tell only if your GPS is enabled, or maybe you have some, not a zero-day, some vulnerability or some sort of, you know, spy application installed on that thing, or maybe any application which can give the real location, Uber or something like that. But still people search on Google, and when they search something, some company says yes, you can download my application, it can pinpoint it. It will do what? It will scan everything, it will install, ask permissions: SMS, contacts and everything, gallery, you give yes. Finally, start, enter
your number; you enter that number, 80%, 90%, stop, kindly register. While clicking on register, what happened? You give your email ID, and finally what happened? Pay some money. You pay the money. So the point is that he installed that application, already installed on your mobile; it took contacts, it took SMS information; then the hacker doesn't need anything, because he has access to the OTP, and the news comes: data, because you installed that application. We don't know exactly that the application was fake basically. Anyway, the last slide is this: I mean the important point, the in-depth investigation for all the people over here, like, clear? Yes or no? Yes, exactly. So when you
say we didn't get any information, then you see what kind of homework you have done so far, what kind of IR. Those who are into this are depending on the playbooks, playbook, frankly speaking, and depending on the predefined cheat sheet. So people like this, they find all these things, they check all these things, they check exactly what the main trigger point is, attack surface, attack medium, attack pointers, which are there for the same thing. Example, example like this thing: I use PowerShell, I use some sort of technique; so these pointers are there. So when you hack something it doesn't mean red team, bullet team, sorry, blue team; different teams are there, but
when you talk about NIST, that is what. So the point is that the concept which we are using, all this Kali is there, all the open source, commercial tools are there, but the approach which we are using for offensive is a different thing, CEH and so on, but the concept is what? The concept is the same. The tool: Burp Suite, intercept on, disable, yes, the same thing. But the same thing you can use in attacking mode, different, defensive mode; that is your probability for the same thing. So the MITRE framework for the CTI part and the cyber crime part plays an important role for the crime intelligence. So when you hear about a Europol bust, a cyber crime bust, it is because of
this information which is there. Have you heard about APT attacks? You've heard about different APT attacks, heard about Transparent Tribe? How about APTs, how about SideCopy, how are they working? Sending phishing emails; the medium is email phishing, rooting some server using a MITM attack, something; so MITM, exploit, these are the points which can help the cyber security angle into your cyber crime part. So that is the MITRE part for the same thing. Companies, malware-related Telegram groups, the names you can say: SGPG, black market, F malware, War Cryptor 1.6. So what exactly? So when you use a VM, when you use your sub-machine which is not your real machine, sometimes that tool can give good information,
but maybe that tool may be a bad tool, but unless it can give good things... Telegram channels for illegal goods, web shopping, SGPG, so these are some pointers which were monitored by some tool called Sixgill basically, and this is the content which is available for the dark web marketplaces. Tools depend on your use, basically. So the point is that frameworks are there, clustering, grouping, all, yeah, depending on these things. So now the generation is what? Exactly, we need some good frameworks. From the frameworks perspective, when you have practical experience, only then are you able to point. Anyway, a quick go-through for this perspective, like how these things retrieve information from the
cluster part: we got the date and time frame, that is called attribution. MAC date, MAC, not like the laptop one: modified, accessed and created dates of that APK
from the file header. So the point is, to prove something, that is there. Anyway, this is the forensics part which is already covered, and one slide which I... for the dark web, do into the dark web; dog web is something else. But when talking about the forensics part or CTI part, how does CTI play a role? Using Tor, closing something, things going; but we have to think from different areas; it's not only one area. It can be user-specific, like phase one, from the system what we can get; phase two, from the open source, the linkage analysis perspective of the tools; and third, of course, we require some police angle to check exactly that this IP belongs to this country,
but India with Telegram, simple, yes or no? Leads from there basically. So the point is that, as an average, I'm asking something; as an average basically, that is the answer for the same thing. Tools, tools, tools, this method. Now the gap is what? Here maybe you are good at registry analysis, maybe good at finding vulnerabilities, but without using a write blocker, if you do all these things, that case won't be accepted by the court of law, because we have to maintain the chain of custody. So sometimes the fundamental point is the write blocker. So your technology, you think that is a separate part; maybe you are going into Volatility, into memory analysis, but have we
created the hash value of that Volatility, that RAM dump? At what time did we create it? And finding the information from the juicy file, that is the thing which is there. Anyway, let me close this, because things are there. A quick case study perspective: the case study is about... you read about this case study, people heard about that, yes, I'm using a VPN or something like that, I can save you, you're safe till the LEAs are not behind you. LEAs were the law enforcement agencies basically. And no, no worry is that two types of hackers are there: one is so sharp nobody is able to guess, and the second is like, yes, it can be. So they were using five levels of
security; the third point is that it offered up to five layers of security for the VPN. The domain has been seized because of non-cooperation or something like that. So the point is that when this information from the CTI part, when you have multiple information, multiple data, then only are you able to pinpoint exactly that this hack, this ransomware attack, has been done through this VPN, this IP basically, and this Safe-Inet, or whatever, was not providing information to the LEAs basically. The last case, the professor case, man, exactly. So the point here is this is the bunker, the NATO bunker in Germany. So how did cyber security and this play a role to catch, you know, the
perspective: 13 people were there, 20 to 59; a person may be put into Python, he's good at parsing something, he's also part of that particular hacking group, but you don't know exactly that he was doing something for a wrong purpose. Why did he take a bulletproof hosting server using a VPN? But at least when you see the chaining, basically, when you have your own IP of your machine, your VPN for the new, the masked IP, then a new IP, the proxy IP, multiple IPs, multiple IPs, multiple network traffic will be slow basically. So similarly, somewhere at some point, if any registration perspective, any AS perspective, these linkages can give information for the same thing which is there. And no doubt, from the cyber crime
perspective, it's very clear, my friends: not only the websites are there, phone numbers are also used, credit cards are also used, SIM cards, different points of sale, things are also used for the same thing. So these things are required for the analysis for the same thing. Anyway, some examples were there for the fundamental perspective which was
there. Okay, so no problem. So some pointers, like some CTI, like the blockchain perspective, CTI, dark web; so these are there, okay; some are commercial, some are open source. Now we can follow all these things, maybe we can get the latest thing which is there, but what exactly do we need? We need this kind of RC3 crawler, sensors, which are in the reconnaissance perspective, the recon perspective. This is so when you study, in a future perspective you can focus on these areas: the research angle, you do a cyber investigation; it's not only finding bugs that can be helpful for the same thing. If you are in enforcement, you understand the legal sensitivity basically, what legal things are there, how legal things can really help to find the
information or get the things basically. Anyway, so I'm done from my side and if you have any query you can ask, but I know exactly we are running out of time. My query, my creds are there, yeah; this is my favourite basically: Google and dark web and IoT intelligence. And you people, those who were pointing something like today, parts are given, one good website; so that also helps me for the OSINT part; that is really thanks for the same thing. Contribution is like this only, and that contribution really... that is the main thing. Okay, so this is done. Okay, this is my credential; you can connect with this; this is my number as
well. I expect that those who are good at things, they can report something. If the government is not listening, if you report to NCIIPC, if you report to CERT-In, you can mail to me as well, you can mail to I4C as well, so that can really help for the immediate response, if any crime is there, if any vulnerability is there, if any bug is there. Not the bug basically; I won't give any, you know, Hall of Fame or something like that, but at least I can give an immediate response to pinpoint that person who exactly is doing all this, because every cyber crime is linked with a cyber security vulnerability or a DDoS attack; everything's linkages are there. And the conviction rate of India is 3%,
you know,
nothing, the conviction rate is. Thank you so much.
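The linkage analysis the speaker keeps returning to (the same hosting IP behind two lookalike bank domains found by reverse IP lookup, one email ID that registered several parked domains, one favicon reused across phishing sites) as an added worked example. This is the editor's code, not code from the talk or from any tool the speaker names. Every domain, IP, email address and favicon hash in it is constructed (reserved `.example` names and RFC 5737 test addresses), and the `noisy_values` exclusion is an assumption about how an analyst would keep shared infrastructure such as a CDN edge or Firebase, which the talk notes makes attribution hard, from linking unrelated sites.

```python
# Added worked example (not from the talk): linkage analysis over a small,
# constructed set of indicators. Each indicator carries three pivots the talk
# mentions: the hosting IP (what a reverse-IP lookup returns), the registrant
# email (WHOIS or a leaked-database match) and a favicon hash. Domains that
# share a pivot value are joined into one cluster with union-find, and every
# join is recorded so the analyst can see *why* two domains were linked.
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Indicator:
    domain: str
    ip: str                # hosting IP from a reverse-IP lookup
    registrant_email: str  # WHOIS registrant or leaked-database match
    favicon_hash: int      # favicon hash (e.g. the mmh3 value search engines index)


# Constructed sample data: RFC 2606 ".example" names and RFC 5737 test IPs.
# None of these are real sites, people or addresses.
SAMPLE = [
    Indicator("amazon-offers-in.example",   "203.0.113.10", "cashme@example.com",  1001),
    Indicator("ebay-deals-in.example",      "203.0.113.10", "other@example.com",   2002),
    Indicator("sbi-kyc-update.example",     "198.51.100.7", "cashme@example.com",  3003),
    Indicator("hdfc-netbank-login.example", "198.51.100.7", "third@example.com",   4004),
    Indicator("upi-recharge-bonus.example", "192.0.2.200",  "ops@example.com",     3003),
    Indicator("unrelated-blog.example",     "192.0.2.55",   "blogger@example.com", 5005),
]

PIVOTS = ("ip", "registrant_email", "favicon_hash")


class _UnionFind:
    """Minimal disjoint-set structure keyed by domain name."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def link_indicators(indicators, pivots=PIVOTS, noisy_values=frozenset()):
    """Cluster domains that share any pivot value.

    Returns (clusters, edges): clusters is a list of frozensets of domains,
    largest first; edges is a list of (domain_a, domain_b, pivot, value)
    explaining each link. Values in noisy_values (a shared hosting IP, a CDN
    edge, a free-mail provider) are skipped, because a pivot shared by
    thousands of unrelated sites links everything to everything.
    """
    uf = _UnionFind()
    by_value = defaultdict(list)
    for ind in indicators:
        uf.find(ind.domain)  # register singletons too
        for pivot in pivots:
            value = getattr(ind, pivot)
            if value in noisy_values:
                continue
            by_value[(pivot, value)].append(ind.domain)

    edges = []
    for (pivot, value), domains in by_value.items():
        first = domains[0]
        for other in domains[1:]:
            uf.union(first, other)
            edges.append((first, other, pivot, value))

    groups = defaultdict(set)
    for ind in indicators:
        groups[uf.find(ind.domain)].add(ind.domain)
    clusters = sorted((frozenset(g) for g in groups.values()),
                      key=lambda c: (-len(c), min(c)))
    return clusters, edges


def explain(domain, edges):
    """Human-readable list of the pivots that tie `domain` to other domains."""
    return [f"{a} <-> {b} via {pivot}={value}"
            for a, b, pivot, value in edges if domain in (a, b)]


if __name__ == "__main__":
    clusters, edges = link_indicators(SAMPLE)
    for c in clusters:
        print(len(c), "domain(s):", ", ".join(sorted(c)))
    for line in explain("sbi-kyc-update.example", edges):
        print(" ", line)
    # Same data, but treating 203.0.113.10 as a shared host: the eBay lookalike
    # drops out of the cluster because its only link was that IP.
    clusters, _ = link_indicators(SAMPLE, noisy_values={"203.0.113.10"})
    print([sorted(c) for c in clusters])
```

On the constructed data the five lookalike domains collapse into one cluster even though no single pivot connects all of them: the Amazon and eBay pages share a host, the Amazon and SBI pages share a registrant email, the SBI and HDFC pages share a host, and the SBI and UPI pages share a favicon. The `edges` list is what goes into the report, since a court or a police officer needs the reason for each link, not just the cluster. Declaring the Amazon/eBay host a noisy value shows the caveat: one weak pivot removed, and the eBay domain is no longer attributable to the group.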