
you know I've been working I worked on for my when I went back to school I couldn't be that Chris my joke is going to be hopefully the demo or now we can reduce mobile phone cases using search interviews. Now when you talk of threat intelligence, what comes to our mind most of the time is that something related to what I did a domain file hashes and all that. Our friend here asks a very good question to Sean: how do we come up with solutions that actually factor in our local issues? oh here has not had an issue via socialist of someone having lost a SIM card, lost cash I saw a few banks were
training of Weights based as my projects I believe most of us are part of that race people losing cash pay that due to swim or something tied to their mobile phone, so my talk will essentially be about that. So my names, my socials: I try to be much active on Twitter once in a while, you can find me Corner LinkedIn. Right now I think I identify more with the threat intelligence and mutual politics incident response. I currently are used to depending where we are talking from to lead and create substance I've been part of a fixed an amazing days here who have actually helped establish some national computer emergency of computer incident response team
so in writing I think I'm trying to do the same for governance, risk and compliance, and most interested nowadays in getting adequate sleep, bikes, books and other kind of things in life. So background of this problem for forgive these actually
to present your problem in this nature I think something with academicians and it's also good, it helps you actually check whether the problem you're trying to solve is actually a problem. So we have these, so at the moment we have around at least 5.8 billion unique mobile phone numbers. Those 5.8 means that is someone without a SIM card, that is an attack surface for someone out there. When you talk about attack surface we think of that how much for the number of IPs, services, domains that are publicly exposed. When you're talking of mobile, anything that has a SIM card is a potential attack surface for someone out there. Now approximately 12 million of Premium subscribers are victim of fraud
in very it was being very lenient very pessimistic this draft was the minimum amount you can transfer the Visa this is so let's say ah those days from Community brother sees us from Lord who are just the floating gave that is someone losing around watch wait huh 60 million yeah around 60 million actually being lost at one point, right, that's enough to solve some of our issues that we have around. Globally 29.3 billion is close that is your speed through mobile control. So all of this is just to help you at least contextualize the problem that we actually have. Now apart from all that we do have technical controls around there. I think Safaricom has been one of
the leaders trying to so this uh this issue out with a Safaricom the umbrella program and technologies that we have. We have Truecaller that will at least tell you this number has been reported as suspicious shortland so only four then you also have the Google SMS Blacklist Square Financial reporter number if we suspect it to his family or Russia. Another issue is also inadequate reporting. So this was background of a problem, that's why I thought Korea Sosa a good solution at that particular point. We had this year yesterday here if you go through this at the CSI I recommend going to go through it, they do quarterly reports on basically the health of cyber
security in Kenya. None of those reports will actually give you statistics on the impacts of Florida dosen PESA guangiri in Kenya, which I found to be very interesting. So what are you trying to resolve or solve here? If I give any of you this IP, probably are going to tell me whether it's malicious or not, right? Same thing to a domain. If I give you a file hash you are probably able to tell me within an admission so that this one is clean, this one is infected or the other one is a malicious. How about cancer so if I give you this random number and ask you this number said to send money to tell me whether he said or not
even within a day, unless you are working with some you have to live with that Sabrina here guys working with Africa's Talking, Airtel events, if you're not in that space uh you're not going to be able to answer at this question. Now why is answering this question important? Being able to determine whether this number is this is malicious or not in a typical cyber security field means you can add it to a block list, which means even if a user tries to fall victim of these they're going to be projects either. Same thing to domain: if you add this domain to your firewall, your proxy, whichever controls you have, which means you are protecting your users right now
for me it was always a challenge: why can't we bring this into that and make it very easily accessible? Because I know all these telcos, all these banks have access to this information, for some interesting self-ish The Logical reason at least to me they don't easily share out such information. So International that was basically the problem I was trying to solve. Some of the names with Victor was basically lack of adequate frameworks and supporting technical solutions to effectively tackle that particular problem. We do have solutions, if you ask me they are not sufficient. Frameworks are very important, from an academic point of view they give you the foundation, they help you actually realize whether
the problem you are solving is what solving from a very innocent philosophical point of views too. When you're solving problem you can either solve a problem at a very low level or you can solve a problem and at a very high level, which means it's very scalable. You can only scale your problem solution if you are very solid solid framework supports you. That's why I think even in cyber security we have cost of 10, it's a framework that actually gains you uh it's uh we have the MITRE in all those frameworks. When it comes to mobile phone fraud I haven't come across a framework that actually does a deep flavor when it's when you're talking of mobile uh fraud in general
we have frameworks mobile phone fraud struggle because there are a lack of frameworks, it makes it very hard for you to study the problem and the understand. Almost anything that has been solved at the moment even in the IT field has a framework behind it, it might have been done 20, 15 years ago by the is a framework behind us. Uh let me see anything I'm missing here. So some of the issue I also identified those that Truecaller is good, it's trying to help solve this issue, you can report a number being malicious, same thing to what Google is Google SMS. The only problem there is that all those features are based on a smartphone
now I actually used to think everyone has a smartphone stupid of me a lot of people have smartphones which was still stupid I was trying to look for I hear the right politically correct time to use is a domestic manager I was looking for domestic money it's a very interesting conversation then I asked for a teacher like can I see to know who I'm working with in the store they don't have a phone they can take a picture please
and it was such a huge issue for one week for me to rush your stopper as in the people who are not people don't have phones that can take pictures, which means a lot of people don't have smartphone. If you look at the mobile fraud thing back to our life the different things issues tied into it, you realize that a lot of the girls that are affected are actually guys people actually don't have a smartphone, someone who is not going to take advantage of Truecaller, someone was never heard of uh Google SMS such people don't speak affected. So that's why for me years through college okay Google SMS is okay but the number of people that actually can utilize this
I don't have the exact statistics but I'll say a welcome figure probably even less than 20 percent if you look it from a Kenyan like a national uh point of view. My research objective for these places was basically to design and implement a cyber threat intelligence platform basically for phone numbers, that was that the MVP. Then think of MITRE still with the phone numbers, I think it will be very amazing if you will go to Korea's probably the future and you're able to actually know that this number has been tied to the other APT I don't like videos for phone numbers Maybe
location of operation and German committee and the amount of note the committee guy at least at that time was XYZ the external guy was during the cash was external because this particular person this number was active for two days before it was deactivated. So such insights help us fully understand and appreciate the problem and come up with a better way over resolving or reducing its effects. Uh so cyber threat intelligence mobile phonator careers. We know Uber was compromised, right? just has swag so guys no one dreams so again I think there's something here from Microsoft I had those coins some fancy thing here as a gift in parallel swimming pool floaters. Who knows the APT that compromise the
Uber
yeah there's actually uh it's actually an 88 18 year old kid oh I'm saying the APT specifically the APT the compliment that happened like two two days or three days ago still like a jumbo I was still a lot of based on the details by social engineering and all that. Gentleman on the back to know so Lazarus Mo doesn't really Target financial institute oh Lazarus typically target financial institution, Uber for them will be it will be very weird for others to go to target over here. Anyone else? Yes please uh not clubs us India
so that Uber attack and just going into what threat intelligence gives me: when someone compromises you the legal people indicators of compromise, so these are very unique identifiers that you can use to know that someone has reached you. Now the advantage of this is that let me bring it home my channel for Nairobi these people they have a specifically right so you'll be told allow me to use for example came in here we are told Kevin we typically have operating right so if someone's from the office it says years of cable and I do there's a lot of expression at camping not all of them so even without Kevin interacting with that person or are you interacting that
person most people might know what to expect, then they can take corrective action like it's okay it's okay you focus. So this person who knows how could I operate basically has an indicators of compromise for bride, so before they become victims of dry okay oh they can take preemptive action and then avoid whatever right follow. So IOCs helped you with that, they help you know what happened to maybe companies, organization in that space and help you avoid being a victim use a victim of anyone using those IOCs. Now cyber threat intelligence is basically a curated and validated at least now this makes me very general but cyber threat intelligence or CTI is basically a curated and validated list
of IOCs and TTPs. Keeping here is it's curated and it's validated. So when people say we they specialize in CTI, we are CTI analysts, majority of their work is finding out for example how Uber was compromised, then knowing that okay this particular person used this attack, use this ID, use this domain, these are the hardships you are leaving behind, then they shake out with the other organizations. During CES session yesterday Jones hinted Arnold Jones if organizations can share this information then it means the same threat actor adversary might compromise me but for example they might not compromise Deborah because they've already has those IOCs tied to that particular attacker via threat intelligence and these threat
intelligence are trying to installed at times it's given out for for free depending on where you are coming from. Why is it important? It can help you that I know what to proactively detect, so even before and they are female variants come at you you can proactively detect. Now in cyber security means that so in SOC, anything SOC related, we have been told you need to understand the fundamentals and everything. If someone is going to come from a museum they are going to do a recon on you, identify what kind of infrastructure you're running and all that. As they are doing that they are leaving traces behind us, so you might know that this IP has been scanning me, you might
know that okay this domain is sending emails to my users. Now as part of CTI ideally you will have received that information before under beforehand, which means they are not affecting you but you are aware that maybe they might hit you. So the moment you start seeing the recon activities, those initial activities, you are now being proactive about it by the time they even come from is a user for them we call my owner from anyone who doesn't understand Swahili like I'm asking you so I hope there's one having issues with that soil right I'm a restaurant here definitely. So so being able to do this proactively means your defenders can be stop being reactive and being more proactive. If
you're more proactive you have a better nights which means you are not feeling the a lot of issues so this was basically how peers was set up this might explain it better so how fast basically is set up e slash on my far right left there we have to address after contacts maybe any users any organization the moment we do that when we will explain it better for Pirates of the house dictionary French you send that okay people fall for these skill center it's a privacy because if you have a daughter son I love when in school probably might not really know the teacher's name so if someone tells you are my school item is
closed going back to our uh our actresses it's a school thing but then maybe that's most people are saying when you end up sending all that if you are lucky in in this context maybe you are well informed that you realize that oh Germany then with that you can send that SMS to a specific number so right now looking for Clear source and MVP we have an indicated number that you basically send off one you can either forward the SMS especially for the bank loan at bank loan SMS someone telling you okay Siri is giving you this loan for this number so you can forward that whole SMS to our previous number uh once you do that
it will eventually reach somewhere here. So we have a web server that is a publicly facing building up a clear API behind them. So when you send your phone that when you forward that message or that phone number it goes to this dedicated phone number here, that phone number connects to our SMS gateway, that is that is the next gateway receives the real phone number that's a bit of a pre-processing on patch so then communicate that to careers. Now that preprocessing, what it does is it picks the sender number and picks any numbers in that in that body, then whatever was not a number it picks as comments. So what you end up is one record
saying that this record was sent by Jones, his Jones phone number, then all the numbers that were picked in there. The good things phone numbers have a defined length, so with a bit of regex and magic by us you can pick the phone number, then everything else you pick them and that comments. So that is turned into the clear system. No the analysts are the Morton is able to access everything in clearance, hopefully I'll be able to demo that, so they're able to see that okay we have received this phone number from XYZ, we can do additional analysis on that. Remember CTI is meant to be curated and verified, so the human user now does the curation and
the validation. We have a bit of a lot of if statements that try to do a bit of a statistics statistical analysis just to automate a few things by the human user eventually that's the final analysis and validation. Once they have done that that record now now becomes a better once analysis is also done in verification you can decide to post that number on Twitter. A lot of infosec guys they hang out on Twitter, so there's a bot there that we basically published based on Twitter telling people that these members being marked as XYZ, then it gives additional tags, context tags. Remember the framework we are talking about, you need to be able to classify your
number, so what's this about hearing scam one year we have a different demo was this something from committee which is different was this something from those uh mobile bank loan, so it does a bit of classification then shares that uh knowledge out and then all those fees you can't integrate with MISP. Now the moment you're able to integrate this with MISP then create functionality explodes, because for example if CA integrates with MISP and they form an organization, so MISP, malware information sharing platform, so it allows you so if I have a MISP server I can have a child or select servers connecting to my MISP instance, so they don't interact directly to careers, now they interact with another MISP
instance and then they think have we found a better political term for Mustangs left in that context I don't think so so
which you now fully control, you can introduce additional relationship, additional processing just to introduce more value to the organization. So whichever Nationals have something they call constituencies, so for example CA might Street Nairobi as its own constituency, might reach Mombasa has its own constituency or because such also have what they call sectorial sites, each sectorial SAS can be a constituent so she is the master then the other constituencies are me are it's the other Center constituencies us CA is a concerned. So Chris capabilities understand the reporting stolen from fraudulent phone numbers, so it has API capabilities and work Focus API meaning that it's easier for organization to easily integrate with it, it supports business to business so
uh for example if you're an organization that is dealing with the phone numbers you can integrate it with the careers, for example AT, Africa's Talking, they can integrate the repository with the clear sender share information with us. Clears at the end of the day was meant to be actual social skills team that is accessible to anyone once they validate themselves, so just breaking those silos and ensuring that this information is a freely more openly available. Then you have consumer to business, which means as an individual I can pick my phone and report a number to the clear system. Another capability is basically searching and the verification of shortland are phone numbers, so what this does is that think of it
this way: right now Safaricom, I'm not sure about the other telcos, but if you are going to the transaction then you need to Hakikisha this application, right, so this can be an additional step to Hakikisha because that probably builds would probably share this more later some of these products some of these groups they actually disabled artificial, so if you're only relying on Hakikisha that state is gone, which means your risk cyber security depends in them. So this can be an additional step, so one you try to send a cash transferred using M-Pesa, using your bank, the query that's number will increase clearance gives them a risk score, they communicate this risk to the end user that it's okay you
understand Lawrence but Lawrence has been flagged as a malicious use of this number has been flagged before do you want to proceed he says you proceed then they ask you so those two steps are basically your empowering either putting in better controls too as a aspect that the user uh any other thing I've been mention mentioned about uh supposedly repeat identification publishing of feeds so some appears are functionalities so this was just uh by the way in case my demo doesn't clock so