
Navigating the Shadows - Jonathan Gonzalez

BSides SATX · 2024 · 40:07 · 181 views · Published 2024-06
About this talk
Navigating the Shadows: The Crucial Intersection of KYC, AML, and Cyber Threat Intelligence - Jonathan Gonzalez
2024-06-08, 11:00–11:45, Track 3 (Moody Rm 102)

This session delves into the indispensable role of financial concepts such as Know-Your-Customer (KYC) and Anti-Money Laundering (AML) in predicting and effectively addressing key areas of the cyber threat landscape. We will highlight the critical need for cybersecurity expertise in comprehending and countering the complex landscape of digital threats, and the current status quo of merging these two worlds.

Diving deep into the digital crime underworld reveals a bustling marketplace where access brokers sell keys to digital kingdoms (a.k.a., compromised system credentials) and cryptocurrency mixers make illicit gains vanish. This shadowy economy isn’t just a sideshow; it’s the main stage for cyber threats, fueling everything from data theft to ransomware and sophisticated financial fraud. For those in the trenches of threat intelligence, becoming fluent in the financial tactics used by cybercriminals isn’t just beneficial—it’s crucial.

As we navigate through real-life scenarios, we'll uncover just how deeply these worlds are intertwined. Imagine being able to anticipate a cyber threat’s next move by understanding the financial mechanics behind it, or shutting down an attack by tracing the flow of illicit funds. This journey through the digital underground will demonstrate the unparalleled advantage that comes with integrating KYC and AML knowledge into cyber threat intelligence, and will explore why a comprehensive grasp on financial fraud concepts is paramount for cybersecurity experts today.
Transcript [en]

For anybody who made the great migration from the University Center, you know, I appreciate it. I almost melted. So thank you all for being here with me. I'm going to try to make this a pretty informative and pretty interesting talk. I think this is a talk that has not been covered in a lot of places, and, you know, it may not necessarily be 100% cyber, but I think it will have you leave with something that makes you just say, wow, I learned something new. So that's the goal. The way this talk started, about how I decided, hey, I want to talk about KYC, AML (and we'll talk about what that is) and cyber threat

intel, is actually because of my wife. We actually just got married three months ago. Thank you. I had to shout that out. She's not here, so she'll kill me if she didn't, but she's actually an anti-money laundering analyst. So she works for a consulting firm in which she works with financial clients, and she reviews suspicious transaction alerts all day. That's pretty much what she does. So if a user at a bank does something suspicious, it gets flagged and she will review that a lot. And me, we both work remote, so I'm very all over the place. I will kind of stumble into office 20 times

a day and, you know, I'm kind of like that annoying brother where I'm just like, what you do, right? So after like the 50 millionth time in the morning she goes, I'm reviewing this transaction because I think it's this, this and this. And a little bit about me, actually, is I worked in incident response and digital forensics, so when she talked to me about her triage process on how she investigated financials, I said, that's what I do. Well, that's what I did. I can do your job. And do not say that, do not say that to, um, because then I'll say the most stupid stuff. I'll go up to her and I'll just take a

financial term and I'll be like, structuring, and she'll be like, get out of here, dog. So anyway, I started to really like the similarities and I started to look at reporting, specifically financial reporting, and I really realized, with a lot of that financial crime reporting, it intersects with a lot of cyber reporting. So you see like DOJ, Department of Justice indictment, Department of Justice reports, and there's a lot of similarity in which, in those reports, they talk about cyber, the stuff we love. They say this hacker had this botnet and they did this, and as CTI professionals, as DFIR professionals, cyber professionals, we love that, right? We want to see that execution

chain, seeing phishing to this, this to this, right? But we don't really care about what they're doing at home, right? So they say they're using it to collect cryptocurrency and then mix it to distribute from money laundering. Like, you know, I watch Breaking Bad, and I don't think that's right. So that's a little bit about what this talk is about. Sorry, I'm just making sure the stopwatch is on. So as we all know, cyber crime is on the rise. I can give you 10 million statistics, but the truth is, between the exploitation of zero days, between attacking more verticals such as health care, public government sectors, it's just on the rise, and with the

rise of cryptocurrencies, the rise of cryptocurrency ledgers and companies that aren't doing the proper controls, that really aids that process. So there is an organization called the Financial Crimes Enforcement Network, FinCEN, in which I was reading a lot of these reports, seeing the cyber crime statistics, seeing a lot of the same TTPs such as phishing, such as exploitation, such as, sorry, lost my train of thought. But yeah, basically exploitation, phishing, a lot of that cyber stuff within those financial reports, and I was just thinking to myself, and actually I was thinking to myself, funny enough, as I was watching my wife do her training videos. You know those training videos when you

work, you do it at the very last day and your manager texts you and he's like, get it done today? It was those videos. But she was having to watch videos on phishing, on command and control servers, on botnets. She was having to learn actual, pretty technical terms. So it got me thinking that, hey, I'm starting to see, within the FinCEN articles, within bank reporting and between her job, that she's learning cyber. She has to take time within her job to learn cyber because it's integrating so much. And one of those reasons is, within financial industry especially, you have fraud fusion centers that are being created, in which those are really teams that take

not only fraud, they take anti-money laundering and they also take CTI professionals, and they kind of mix them all together because that communication loop with cyber crime is having all verticals. So I saw that, I saw the roles, I saw the work my wife was doing, and I said, they're learning cyber, we need to learn fraud, we need to learn financial concepts. They're doing their part, we do our part. I put the worlds colliding meme. I also have the Starship Troopers we do our part, this one just because George Costanza is a style king, he just has all the fits. Okay, so a little about me. I put about

me just because I hate the k, but I graduated from UTSA in 2020 in a dual major in cyber and information systems and a degree in digital forensics. I did numerous internships during my collegiate career. If you are in college right now, network, network, network, get those internships, because it helps you. Upon graduating I went to CrowdStrike and the Falcon Complete division, in which I did digital forensics and incident response. So I did full-scale remediation, from remoting into the client's computer and removing all the bad stuff. I realized I love it, not exactly what I want to do, so now I do cyber threat intelligence, which I love because I get to talk to people, I get

to create PowerPoints and I get to create writing. If you're like the one person in here that says, like, I actually love that, maybe for you, so feel free to reach out. But in my whole career I've done AppSec, I've done DevSecOps, DFIR, CTI, so I have seen all different stages of the execution chain, which in like exploitation, vulnerabilities, which really kind of helped me in this presentation understand why it's so important. Currently I'm doing my graduate studies at Johns Hopkins University in Global Security Studies, just because I like cyber but I think there's other areas of security that we need to Boler down as a nation, between energy security, maritime

security, etc. As far as hobbies, I love traveling, so if anybody's on the credit card miles train, I'm that guy. I could get you to Paris for a nickel. I really like Warhammer 40K. I tried Dungeons and Dragons but I was like, it needs more guns. And I really love military history, everything about it. So, you know, if you want to talk about why a certain general is frowned upon in history, I would always love to talk about. Okay, so what are the objectives from this talk? Understand the importance of KYC and AML within the cyber threat ecosystem, even though it may not always be apparent at times and sometimes seems

false, it is apparent; cases where KYC and AML were involved; and then discuss practical steps on how you could kind of get better with knowing the day-to-day knowledge of financial crime concepts. So what is KYC? Know your customer and client. It's a process used by financial institutions and other regulatory companies to verify the identity, suitability and risk associated with a business relationship. So a business relationship doesn't mean another company always, it means a lot the customer. So if you go open up a bank account, right, and they require two forms of a check, you know, even a library card, right, where they want forms of your address to prove you live there,

right, that is KYC. Banks do it, a lot of industries do it. One statistic I put in here is that financial institutions in North America spent $62 billion on financial crime compliance, with KYC being a significant part of this expenditure. So a lot of these institutions, banks especially but not always, are being hit with fines like candy. It's kind of a double sword. We can continue to hit them with fines, but because, you know, they're large-scale banks, they're large-scale institutions, they kind of just shrug it off, they file and then they hire a few more AML analysts. So the risk is growing, but also hopefully the amount of

deterrence we're imposing on these institutions is also growing. So why is KYC important in industries? So you have protection against financial crimes: helps prevent against money laundering and fraud by making sure that you identify the identity of the customer and what the customer is trying to do in terms of that business relationship. One of the two terms that are there is customer due diligence and enhanced due diligence. So with customer due diligence, sorry, I have like a million notes that I'm just trying to make sure I get everything. By the way, don't write notes with light red pen, it's not always easiest to read. But basically customer due

diligence is, a lot of times when you open an account, right, it's asking for those two forms of ID, it's asking for those baseline verification tasks, and it's trying to gauge risk in that service. It's trying to gauge you as an individual or an organization: what is your risk? Do you come from a certain geopolitical sector in which maybe money laundering, terrorism financing is high? Are you trying to move massive amounts of money in a short amount of time or do something suspicious? Basically you're doing it upfront to gauge the risk between that relationship before you onboard them as a customer, a client, a partner, etc. Then you have enhanced due diligence, and that is

specifically for those higher risk folk and those higher risk transactions, and that can require things more in depth, such as detailed background checks, where they can ask for more info. If you say, oh, I'm moving all this money for business opportunity, these institutions have the right to say, okay, let's see a business plan, let's see more information. So enhanced due diligence can come anytime really within the process of an account opening, transaction monitoring and that account maintenance. So if you're opening up an account, if you're maintaining an account, renewing it, filing for a credit increase, that could all gauge a certain level and enhanced due diligence at any point. Then of course you have

regulatory compliance. You have those things that we probably had to remember for quiz once or twice. You have the Bank Secrecy Act, the Patriot Act, and those were things like making sure that CDD and EDD, making sure that these institutions have KYC programs and AML programs. And all of these are enforced by FinCEN, which as we said before, the Financial Crimes Enforcement Network. So KYC, it's not always just in banks. A lot of industries use KYC. So telecommunications: unless you all sced spal, we do not give a SIM card to anybody, right? I heard one laugh, so I take that out the window. So if you

try to find, buy a device, open up a business account to maybe get a deal online, you have to provide some sort of KYC. Gambling: money laundering, underage gambling, preventing all of those. Fun little story, which I wish prevented me from accidentally underage gambling, I think when I was like 12. Anybody did RuneScape? Yeah, yeah. So I had an account, I mined all day, you know, I broke my back in the fields just mining, and a guy came up to me (I was in like fifth grade) in the chat room and said, hey, if you mine all day, at the end of like a week, you know, I'mma,

you give me the stuff and then I'll send you like a PayPal of like, you know, $20. And I'm like 12, I'm like, oh my God, I don't have to ask my mom for more money, I don't have to mow the lawn. So I did it for like a week straight. I ran home after school, didn't do any homework, you know, just like did all that, and then at the end of day guy comes up, I transfer all my stuff to him, and then he just vanishes. And then I realized, you know, during that time RuneScape actually kind of had a monetary underground system, so he would take those resources from those people and illicitly sell them for

money, which went against the terms and conditions. So wish I knew that, you know, but just a fun little side story. But real estate: if anybody is trying to buy a house right now or has in the past, you know, God bless your strength, but also you have to provide a lot of documentation. Anybody who has put an offer in the house has been like, yes, you know, we got it, and then it's like, all right, submit these 105 forms, you know, your first child's name, you know, within the next two hours. So they require a lot of documentation. Healthcare: to ensure proper billing, prevent insurance fraud. Travel and

hospitality: human trafficking is a big thing, making sure that the people, the guests who come, the people who are going between multiple hotels in a short amount of time, making sure they are who they say they are and the destination is where they're going to. Flights are a big one, trains, you know, post-9/11 era, that has definitely came down. Education: education fraud, making sure that, hey, you are who you say you are. You know, if anybody ever took like the OSCP and stuff and you needed, you know, literally a camera in every single aspect of your life for 24 hours, it's to prevent a lot of that

stuff. So let's talk about vendor KYC, right, KYC and the cybersec space. So we're going to use Conti as an example. So Conti, widely known as the successor to Ryuk ransomware, kind of leveraged by Wizard Spider, some called the TrickBot group, leveraged ransomware as a service, so it would use affiliates to distribute its ransomware, delivered a wide amount of malware via phishing, exploit kits and compromised websites. So they were the big name of the game for quite a while, and then what happened was, they were active since 2020, they were Russian, and one of the main things about them is they did double extortion, so they would encrypt

it first and then they would say, hey, we're going to sell it online if you don't pay. So then they would distribute through their various data leak sites. But they were very popular and very rising, and then what happened was, when the war in Ukraine broke out, they said, if anybody messes with Russia, you know, you're going to feel the full force of Conti. And what happened was a Ukrainian, I believe at this point in time it's believed that a Ukrainian security researcher was able to kind of infiltrate and leak internal chats utilized by the Conti gang, and those, I'll call it the Conti leaks, Conti leaks

because I believe that was the Twitter account. So we actually gained a lot of insight on the Conti leak chat logs, and you can actually look it up on GitHub. They translated from, I believe, like Russian in Ukrainian. So we learned that they're quite a big organization. At any point in time they really had 60 to 100 members. They had pretty much a wide network. You know, I don't necessarily want to call them an APT, but they're advanced in the fact of their structure and hierarchy. They had leaders, but also they just had a stack. So they had coders to create the exploit code and, you know,

the ransomware, they had testers to test it, they had reverse engineers, which we'll see why in a minute, they had HR individuals. So these people actually put kind of thinly veiled links on job sites because the turnover was so high, because they really weren't getting paid a lot, for the most of them. And then of course you had affiliates. Affiliates with Conti didn't really like working there so much, just because a lot of times they got stiffed, and so that process was a little chaotic. So that's kind of the background of their internal. So they had a large budget. They would dedicate a lot of money at certain times to acquire security tools for

their own research, and this is where KYC really comes in. So first they wanted, what's it called, premium licenses for ZoomInfo and Crunchbase Pro, which those are kind of OSINT databases which give you a lot of information about businesses: the hierarchy within the business, how it works, how much funding it has, etc. So if you're doing extortion of a company, you really use those to really make sure that, hey, the top of the company, you have that hierarchy list and you can contact them, but also, you know, their internal kind of revenue, you know how much money they could give you. So they were trying to acquire, to gain them for the

leverage within those negotiations. Cobalt Strike: who's heard of Cobalt Strike, right? It's one of the top exploit tools, right there with like Al, can do a wider range of things. So they were trying to, I believe they paid 60k, they tried to acquire it by creating a fake company and saying, hey, we're fake company, give us a license. Cobalt Strike is pretty much like, no, we don't like to give it to bad guys, do what you normally do, just, you know, get a cracked copy and take your risk with an info stealer. And apparently what they tried to do was they tried to pay a third-party

legitimate business to get it for them. They did that also with SonicWall. They tried to obtain SonicWall appliances for reverse engineering, and they tried to attain Cisco devices as well as Carbon Black EDR and Sophos EDR. I believe the EDR for Sophos, they tried to obtain it legitimately, to use it for reverse engineering, to really try to see what they could do with it. One of the things they were trying to attain from, I believe, Carbon Black and Sophos was code signing certificates, so that they could, you know, sign their binaries and be trusted. So that's really a good measure of how, you know, these vendors, we may not

be hearing it, we may not be seeing it, but I definitely know for a fact at some level these companies are doing KYC for their security tools. Now, are they doing it great? I don't really know. I tried to find as much documentation as I could, you know, I tried to DM folks, I was like, hey, how do you all do KYC? And they're like, I don't know, you go away, and block. But yeah, so that's an interesting thing to think of, right? We think about how, you know, they get into environments with phishing, with exploitation and stuff, but we don't really think about how, you know, we think

they just code at a laptop all day. We don't really think about how they're trying to acquire infrastructure to really utilize it for their gains. So this was a Conti chat. This was about Carbon Black. That little white is, it's a curse word, I want to keep things PG here. But basically they were trying to obtain Carbon Black, and then they said they could obtain it, and they were like, who needs it? And they said, I don't really need it anymore. And they said, what about Ryuk? I guess at this time Ryuk was still operating in some capacity. They said, I don't know if Ryuk really needs it,

but, you know, hey, maybe down the road if we want to research it itself. We don't really know who our target is, but really they're just going back and forth saying like, hey, I can get it, I can get the tool, what can we do with it, who wants it, right? SonicWall is another. These are all the Conti chats that I just kind of found translated on GitHub. So this one was regarding SonicWall, I believe the 410 appliance, which is their mobile application device, which basically allows like mobile devices to access like applications from anywhere, I believe. So they were utilizing researchers who obtain SonicWall

devices legitimately. They paid them, who were able to grab it, and what they were trying to do was they were trying to obtain it for vulnerability research. I believe they mentioned, yeah, they were using it for vulnerability research. And in Photo Chat, Stern, Stern was kind of the head of the Conti checked, he says, who can figure out this vulnerability in SonicWall and make a working scan to see, you know, maybe on Shodan, whatever, mass scanning, who's vulnerable? This one was CVE-2020-5135, which was a critical SonicWall VPN portal buffer overflow. It's not really sure if they obtained the way to exploit that

vulnerability. There wasn't really documentation for the more that attributed mass exploitation, attributing it to Conti, but it definitely showed that they were looking at the capability to mass exploit via resar scanning. So as we see, they're trying to acquire products, trying to use it for their own nefarious gains, and they're really just trying to see, hey, this was an already established CVE that wasn't really being exploited, they will try to see what the CVE does and see how they could do it more. So now we kind of pivot into anti-money laundering. I do want to clarify, I am not a financial crime expert, I am just an avid hobbyist, but

basically, anti-money laundering, right, we all saw Breaking Bad, you know, Saul Goodman. I thought I would put on my Saul outfit but it is too hot. But it is a prevention of transactions to eventually convert illegally obtained money into legal money through various forms. The goal of anti-money laundering is to identify, prevent in activities related to illicit activities. These activities could be things like human trafficking, smuggling, drug smuggling, just a lot of different things. One thing that I didn't know was also anti-money laundering measures are very apparent in prisons. You know, one thing out of this research I definitely realized is how big the prison

crime ecosystem is and how large, people are doing very big Venmo transactions from within a four by four cell. You know, they're running multi-million dollar operations in some prisons. So it was definitely interesting to see that. But why is anti-money laundering important? So you have protection against financial crimes, right? This ensures trust between the enterprise and consumer. You go up to a bank, you give them your money, they tell you, hey, you're FDIC insured for, what, 250k usually, something like that, but you have the trust that your money is going to stay there or it's going to be shifted around, you know, with the cor process, but legally. So

you're making sure that, hey, this bank isn't doing something bad, it's not holding your Fred's fish fry and just tumbling your money around. Anti-money laundering supports law enforcement in a lot of different ways. So by doing anti-money laundering investigations you're able to support law enforcement intelligence on their current investigations. You're able to do attribution enhancement, so able to help law enforcement say, hey, this is who we think is a primary source, these are who I think the affiliates are, these I think is a supplier, this is who I think is a partner. You know, I've seen my wife just do amazing things, from what she told me, as far as

she will have just a whole graph out with just a million suppliers, million affiliates, just from starting at one single data point. So they really help with attribution. And it helps uncover motivations, in which I think is a large part of why I did this talk, is because we look at a lot of crime now from a cyber lens, but a lot of cyber crime is having more of a financial lens when it talks about motivation, and I think we really need to just be accustomed to seeing that more, and we need to kind of take the initiative to kind of see that more. And it enhances global security, so it disrupts the supply

chains and financial operations of criminal and terrorist organizations. So it disrupts terrorism financing, human trafficking operations, smuggling operations, by, you know, you follow the money and that's where it goes. Also, if anyone is interested, I didn't put this in my slide but just want to say, a good book to start out with, if you are interested at all, is, it's by Andy Greenberg, it's called Tracers in the Dark. And yeah, pull out those phones. And it's basically about a lot of things, it's about AlphaBay, it's about the darknet, but it will pique your interest as a cyber security individual but also as a financial crime

individual. So I want to say that right now before I forget. It's called Tracers in the Dark by Andy Greenberg. All right, moving on. So the AML transaction monitoring process is a huge part of anti-money laundering. This is by ACAMS, which ACAMS is a wide certification body within anti-money laundering and financial crime. They are kind of like SANS, except you don't have to donate an arm and a leg to pay for a SANS cert. But they are a very globally recognized body. So this is a transaction monitoring process, and this is the one that I saw my wife do. And if you have done a security alert, if you have done a, you know,

digital forensics incident response investigation, you will see a lot of similarities. So let's go and start out with it. Let's start at step one. So you're an analyst and you see an alert by your AML KYC software, right? It says, hey, there is something for structuring, there is an apparent kind of pattern for structuring. Does anybody know what structuring trend is? Yes. So structuring is when you are either pulling money or depositing funds into your own account or other accounts, and the banks use a threshold, so $10,000 is usually that threshold. It is very suspicious when an individual pulls nine grand, leaves, goes to

the ATM and pulls another two grand. The reason being is the states or the federal government can ask you questions. They want to know, why do you need this amount of money? Most people don't like to be asked that question, so they structure funds. Yeah, she's a financial crime professional, so when she nods I just go, yes, I'm doing right. But essentially, yeah, and a huge part of structuring is also sometimes they do certain amounts at certain amount of times, and if you are in cyber security that sounds a lot like beaconing, right? So, you know, you kind of see those similarities. So you understand the trigger event. It's saying, hey, you know,

they're doing a certain amount underneath a known threshold, we see it for this reason. Try to identify if there was a pattern or something suspicious. So you say, okay, this is what I'm looking at first. As all security analysts, right, we got to understand the environment, know the customer. So if it is just a random individual, right, do they need to submit 9,999 every single day for a week, right? I would say, man, that's big boy money, I don't know why he's doing that. And if he's just making, hey, Netflix purchases on his account, you know, little things, I may say, okay, that stands out. Now if you are a very money intensive

company in which you're doing a lot of money transactions, you know, I'm trying to think of, what's, gas stations, right, you may have a lot of big transactions going through and that may kind of cause the suspicion level to go down. So you have to understand your customer and the environment. So if you say, okay, this is kind of suspicious, understand the activity. So you're looking at that account and then, like any security alert, right, you're branching out to the connections: did it make contact with any other account, any other machine, any other Venmo account, any other Cash App account? So you're trying to see what network

of activity is within that alert, and you're trying to scope it in to try to create those patterns, trying to create those relationships, and you may see, hey, it's transacting to one account, but that's also transacting to another account, so you may say, oh man, this is more suspicious. Step four, eliminate the normal. So we may say, okay, we know Netflix accounts, we don't care about that, we know, you know, your morning avocado toast (you'll never own a house, but, you know), we don't care about that. It's these transactions we really want. So you will hone in on that as deep as you can. You may use various

forms of OSINT, such as public databases. You know, if it's a Venmo account and the person's husband is in prison, you may use a prison database to see like, hey, what is he in for, you know, what has his accounts look like? So you can kind of go off of those pivot points. After that you understand the remaining activity, so you can say, okay, there's like three relationships where this money is moving towards, none of them seem to justify that amount moving so rapidly in so many an amount of times, this is suspicious. So you may report and consider divesting. That is a suspicious activity report, and I gotta breeze through, I made

too many bad jokes. But so a suspicious activity report, that is a report filed by these people, these analysts, to notify authorities and banks of suspicious financial crimes. So it provides kind of an early warning and it facilitates that immediate collaboration between FIs and law enforcement. So within this suspicious activity report you may say, here's a case number, here's a customer, this is what they're suspected of doing, it's kind of out of the ordinary because of reasons A, B and C, this is who it's sending the money to and this is why suspicious, it's currently ongoing and we recommend, you know, filing law enforcement actions, etc. So you kind of

have, if anybody's ever done an incident Jira ticket or something, it's a lot of that: the who, what, why, when, again that context, and putting any amount of IOCs, and we're actually going to talk about that. So FinCEN actually released a new SAR type, a narrative for cyber events, starting in 2016. As far as how it has been considered by institutions, it's kind of mixed reviews, but basically with this, AML teams and KYC teams are going to need to collaborate a lot more with cyber teams, because if you have a cyber event at your bank in which you think, I think it's more than $5,000 of potential impact, so even if

they didn't uh get in and steal the money even if it's potentially $5,000 which you not gauge uh you have to create a SAR for cyber event in that you put things like IP addresses um the time of day uh device identifiers if you could put in you know a MAC address IP address um any methodologies this is when they'll collaborate with cyber teams you know you may put something like MITRE in there you may put something like what it's doing is it phishing so you're putting a lot more of cyber related IOCs because you're collaborating uh I don't have time to go through this I think but basically um AML was very apparent in the Bangladesh

bank heist uh which some of you guys may know uh Lazarus was able to send money uh from uh Bangladesh Bank system to a bank in the Philippines uh they were able to stop a large amount of it but 81 million uh went to the Philippines 20 went to Sri Lanka uh AML was able to see a misspelling with Sri Lanka's um Sri Lanka's uh transaction and they were able to stop it uh that $81 million they were able to find some of it about 15 million the others unfortunately because of a lack of AML uh went into casinos and that money was really never seen again so because of that um the owner of that bank that let the money go

to the casinos uh the branch manager the um the employees they all went to jail and uh there was a large amount of AML uh AML um refining of their laws in the Philippines so that was a huge one and that just shows we all heard about the Lazarus heist you know the Bangladesh Bank heist but seeing it from an AML perspective and seeing the impact that they did that's another side of the story so how can you learn look at financial um journals such as ACAMS if you're into crypto Chainalysis uh join groups like financial fraud groups on LinkedIn uh if you're at a bank talk to your AML KYC folks and just when you

read a report look at the financial crime aspect don't glance over it really ask questions and dive deeper because that just makes you a better intel a better analyst um professional thank you we did it we did it just under time does anyone have questions awesome oh yeah you go more in depth about the prison financial we systems run yeah so um I was just glancing at that but yeah so there're all databases um in which you can search for convicts um within the the prison system um and a lot of times you will have wives girlfriends friends who are able to kind of smuggle money into them uh and because there's an underground marketplace within that um

so a lot of times you will see kind of suspicious transactions in which someone is sending money who has a large amount of like family members right within uh the prison but you know maybe that money is going to someone who works at the prison yeah does that sound I mean a lot of times prison you can get contraband in um so I mean I used to work in law enforcement as well so getting contraband it's not very difficult and obviously systems like PayPal anything cash everything the thing most people may not understand is B have PR of data on every customer so I used to review large amounts of data Excel sheets with everyone's transaction

and I'm having to go through why are they why are they sending PayPal every couple of minutes you know it's suspicious no exactly and that's why it's important for those skills like SQL and like Snowflake and all that where you can even Splunk like where you're doing that big data analysis because you know I'll I I'll tell my wife I'll say uh she'll be stuck on something and I'm like oh change your query to this you know uh stop wildcarding it you know and let in you know so I guess I have a question someone like myself in financial crimes that understands the transaction monitoring of things that understands how uh illicit funds can either enter you know

legitimate funds how can someone like myself reach out to individuals that are in cyber threat intel and maybe give them ideas or maybe you know helping them understand what I do to help yeah so my my uh opinion honestly is reach out to folks who work in those cyber threat fusion centers because especially the managers the managers have to oversee a cyber threat intel professional usually an AML professional and usually someone who did law enforcement so for example at Synchrony we have on a a digital risk which they monitor the underground for things like infostealers let me get out of the way so we have a Digital Risk team which monitors underground for uh information

stealers that have like humy credential uh within that team you have an AML professional you have someone who did KYC you have someone who did like