
And welcome to the next talk. In a moment we'll have Catalin Curelaru give his talk on connecting the dots and how threat intelligence protects the applications. I did want to mention something that I forgot to mention at the beginning, because I do that: if you need to track continuing education credits or CPEs, just make sure that that's all your responsibility. We can't know if you're here or not, obviously, since it's virtual, so if you take screenshots as you go, that should be enough to prove it to ISACA or whoever your organization is. So without further ado, thank you very much, Catalin, for the talk.

Yep, thank you. Thank you, Max. So I'm really, really excited to be here at BSides Toronto 2020, and today I'll talk a little bit about product security 2077. Just kidding. Basically we'll talk about cyber threat intelligence, how threat intelligence can protect the applications. So the agenda for today is basically: cyber threat intelligence, what it is and why we need cyber threat intelligence, and also a couple of insights based on our experience, how we managed to protect the applications in Visma.

But first of all, who am I? I'm Catalin Curelaru, a member of the product security operations team at Visma, quite a big Nordic company that has over 340 development teams, lots of developers, and we are in many countries, only 37, so not too many. One challenge that we have as a security team: we are acquiring 20 companies per year as a base, so just imagine how challenging it is to bring security into this kind of company. A couple of areas of expertise that I cover in the product security team are the bug bounty area, DAST and of course cyber threat intelligence, and I am also the chapter leader of OWASP Timisoara.

So, cyber threat intelligence: what it is and why you need it. With cyber threat intelligence you can achieve many things. The first thing you can achieve is knowledge, knowledge that allows you to prevent or mitigate a couple of attacks. This is highly important because you don't actually have that knowledge each time. With that knowledge you need to provide context: context like who is attacking you. You need to learn who is attacking, what are their motivations, what are their capabilities. It could be nation states, it could be only cyber criminals that want maybe to have some more money, maybe some ransomware operators. But cyber threat intel can also provide you context around a couple of indicators that those attackers are using, so with those IOCs, with those indicators, you can integrate with your systems. Also you can inform the decision-making authorities in your company to be aware of the dangers that are around your company and around us, as a nation, or just as a company, or also as individuals.

So I'm really curious what you think about the job of a CTI analyst, for example. What kind of job do you think a CTI analyst is doing? What is interesting from your point of view? Maybe also, what do you think are the necessary strengths of CTI analysts? So are we James Bond, or just the Sherlock Holmes that is looking for some evidence that needs to be taken into consideration to resolve a case? Maybe, yeah, just Sherlock Holmes, not James Bond. But actually, in the world we can see in the last couple of decades a cat and mouse play. So we see that the criminals are always changing their modus operandi, the mode in which they operate, the techniques, the tactics and the procedures they use. So it's a little bit challenging for you as a security expert, because we can see, as a constant, hacking news mostly each day: maybe a couple of healthcare companies, maybe different institutions. So the cyber criminals, the nation states, are always changing, so we as the good guys need to adapt. We need to learn what they do, how they do it and what are their motives.

And of course for this we need transparency, transparency between companies, and besides transparency we need also collaboration, which is highly important: collaboration between institutions from the intelligence side, but also companies that are constantly receiving attacks, that are learning from those attacks, to deliver that intelligence to other companies so they know how to operate and how to protect people from those attackers. So transparency and collaboration are highly, highly important.

So what is the life cycle of threat intelligence? How does threat intelligence get produced? Maybe you are asking whether real data is the same as intelligence. It's not the same. Cyber threat intelligence basically is a finished product that comes out of a six-part cycle of data collection, processing and analysis. This process is a cycle because new questions and gaps in knowledge are identified during the program. So to maximize the value of the threat intelligence you produce, it's critical that you identify your use cases and define objectives before doing anything else. Also, dissemination, after you've taken all the steps, is really important: you need to disseminate and you'll need to get feedback afterwards.

So there are a couple of types of threat intelligence based on the life cycle. The types that most of the literature is talking about: it's often broken into a couple of subcategories. As demonstrated by the threat intelligence life cycle, the final product will look different depending on the initial requirements, source of information and intended audience. It can be helpful to break down threat intelligence into four categories based on these criteria. Of course you can go further with other category types, but we will not get into details because we don't have enough time and there are limited constraints on the talk. But if you are a little Sherlock Holmes, then these three types of threat intelligence should work for you, for your company. Of course this is an oversimplification of the types of CTI, because in reality the implementations of these types may vary per organization. I really like this picture because it comes from an article, and this is also a simplified version of the CTI program, but it contains the strategic part, the technical part, the operational part and the sharing part, with the dissemination, which is highly important. And based on all the needs, based on the security culture, based on the red teaming activities, purple teaming activities, risk management, the architecture part, you can disseminate to all the parts of your company. So I find it really interesting, and we need to have a deeper thought about this.

So why do you want to have threat intelligence? Do you connect the dots by providing context on indicators and tactics, techniques and procedures of threat actors to your tools, to your SIEM tools and other tools that you have? Or do we infiltrate some interesting parts of the web, the dark web, the open web, to scan for different activities? Do you know if someone is mentioning your applications, maybe your brand name, if someone is trying to give you a bad reputation? So all these are quite good things that need to be considered if you want to have it. So those are a couple of whys. A couple more good whys are: do you connect the information with all your company, with all the dots? Maybe it sounds good, maybe not, but a properly implemented CTI program can provide you all of the whys. I must confess that it's not easy; it requires lots of effort. But I will share a couple of key facts from our experience, how we connected the dots to try to protect our applications.

So, key intelligence: how can we protect? We developed a program inside the company; we call it the Visma Application Security Program. We think that it's quite advanced because it comprises a couple of applications and services. So we developed a program with multiple services and solutions that we offer to the service delivery teams. We offer all these acronyms to the service delivery teams as a service or as a solution, and if they want to onboard to these services then they will get some points in the security maturity index, which is quite interesting. So all these acronyms that we offer: we offer the OWASP Software Assurance Maturity Model, a bottom-up approach; we offer security trainings; and of course we offer SSA, which is security self-assessment, PSA, privacy self-assessment, and risk assessment; we offer the security and privacy incident process; we offer the product security operations center; we offer, of course, what we call analysis; we offer DAST, dynamic application security testing; we offer MAVA, which is manual vulnerability assessment, and the automated third-party vulnerability service, ATVS, and SMI, which is the security maturity index, that proves the maturity of an application, which is really interesting. And last but not least is the CTI, which is offered also as a service for all the service delivery teams.

So how can you implement a program? First of all you need to define your use case here: what are the needs for your company? You have from the beginning two options: either you develop your own tools, or you rely on CTI platforms that are already doing the CTI life cycle. For both options you need to prepare some money, of course. The money for the first option is needed in terms of people: lots of people that need to infiltrate some special places to gather and collect the data, to process the data and to provide the data for analysis. Also you will need people that will develop tools, you will need tools that will be integrated. So there is of course lots of effort necessary, but you'll need to make a decision: the first option, to make everything by yourself, by your company, or to contract a company or platform that is doing the threat intelligence and you will rely on their data. And of course you must be confident that the data is accurate and that they are collecting as much information as is possible, so their crawling and indexing mechanism needs to be very curated. CTI data is collected, processed and analyzed to understand the threat actors' motives, targets and attacks. With both options you will enable threat intelligence to make faster, more informed and data-backed security decisions, and also change the behavior from reactive to proactive in the fight against the threat actors, which will be really useful.

And I'll concentrate on the program on a couple of main aspects, like monitoring, the operational part. Also the technical and strategic parts are important, because on the technical part you'll outline the tactics, techniques and procedures of threat actors for a more technical audience, and the strategic part is for broader trends, typically meant for a non-technical audience. Payment fraud, compromised data and typosquatting are really important, because with the monitoring services, like cyber criminal communities and paste sites, you'll monitor all that information for relevant payment card numbers, for example bank identifiers or specific references to financial institutions. Also, with the compromised data: some criminals regularly upload massive caches of data, of usernames and passwords, to paste sites and dark web marketplaces, or make them available for sale on underground marketplaces. So monitoring these sources with threat intelligence to watch out for leaked credentials, compromised data or proprietary code will be awesome and will be an advantage for your company. Also typosquatting is one of the key aspects here, because it will provide you protection against phishing. So surveillance is good in terms of monitoring the technology stack and technology partners for any zero-day vulnerabilities, and maybe social handles and also brand names, but you'll need to go deeper. The main question is how, and what your app contains. Your technology stack needs to be correlated with the entire environment. You need to start connecting the dots. So you need to see what's there. Maybe you have Node.js, Angular, jQuery; how do you relate that information that you received with all your resources, your storage accounts, web apps, databases, buckets and so forth? And also you need to have all the environments. More interesting, you need to correlate that information with your public endpoints, but also, more interesting, with your private part, for any secret key leaks, any code leaks and so forth.

To go further, what to implement: the main thing is to have data that you collect, you need to process it, and after that you need to analyze it to understand the threat actors' motives, targets and attack behaviors. So for that you need to query your data that you already collected against forums, paste sites and many other places. A couple of examples that I want to show you here are examples around real case scenarios that we had. For example, we've had a couple of public endpoints, and of course we have the internal tools from the software development teams ingested into the threat intelligence program we have. And based on that information, of course, we've got lots of alerts that made noise. Like you can see, the first example on the right side is noise, a false positive; the second one the same. But on the third one we received an alert because it was private information from our infrastructure on the pastebin site; that was a red flag. Another red flag was for a dark web marketplace mention: someone wanted to sell an account on a dark web marketplace. That's another red flag. So we managed to catch a couple of really nice things, but of course this is quite spammy from time to time.

So another interesting thing that I want to mention here, a couple of takeaways that you'll need to consider based on these findings: you need to map all the intelligence, because you will get lots of false positives, but you need to see exactly what you have there. Of course real-time alerts are the base here. Of course transparency is another thing that is highly, highly important. But all of this in the context of the TTPs of the threat actors: you need to correlate everything and to have a prioritization, what is really important for your application and what is important for your business, because more than everything it's important to stay safe and protect your customers. Thank you very much, and yeah, I'll wait for more questions in Discord.

Awesome, thank you very much. So we have a question that came in, and it was around: what about the smaller organizations that might not even have a full-time security person? Do you see any of those organizations using threat intelligence?

Yep, so that's a really good question, because the bigger scope for threat intelligence, when you're a big organization, maybe it's easier because you have the money to invest in tools, you have people assigned to do this kind of job. When you're a smaller company, you need to rely on OSINT. It's quite hard to infiltrate some dark places, because you need to correlate and collect all the data, you need to gain trust, if for example you are a small company, to infiltrate some dark places. So it's challenging, but if you rely on OSINT then it's good, and for a small company maybe it's enough: if you respect the basics of web application security then it will be good.

Cool, great, thank you very much, and thank you for the presentation. We'll end here, but you can