Combating Human Trafficking With Threat IntelligenceRecorded Future's Boychenko and Guven on Research to Fight Human Trafficking
There is no one way to detect human trafficking, and its eradication requires collective efforts and expertise. To help solve the problem, Recorded Future threat intelligence analysts Kirill Boychenko and Hande Guven adopted the UN's 4P paradigm - prevention, protection, prosecution and partnership.
The ultimate goal was to provide this model to first responders so they could detect red flags and help survivors of human trafficking or support ongoing investigations and research into the issue, Boychenko said.
As Recorded Future's research is guided by the 4P paradigm, they focused on partnership for the proof of concept, Guven said. Based on the research, Recorded Future will be sharing the findings in a report that will be "data-driven" and "hopefully disrupt some of the criminal ecosystem" that contributes to human trafficking.
In this video interview with Information Security Media Group at RSA Conference 2023, Boychenko and Guven also discuss:
- Ongoing research on the Turkish dark web;
- The ecosystem focused on patriotic hacktivism;
- Missteps that organizations often take when integrating various types of threat intelligence.
Boychenko's expertise lies in analyzing new and emerging threats, malware, adversary tactics, techniques and procedures, and engineering detections. Prior to joining Recorded Future, he worked at the UN, Council of Europe and American Bar Association, coordinating international projects on combating human trafficking and corruption and defending human rights and labor rights.
At Recorded Future, Guven is a member of the Advanced Cybercrimes and Engagements team and conducts research on cybercrime, hacktivism and dark web communities.
Anna Delaney: Hello, I'm Anna Delaney with Information Security Media Group. I'm delighted to be joined by Kirill Boychenko and Hande Guven, both threat intelligence analysts at Recorded Future. Very good to see you both.
Hande Guven: Hi, Anna!
Kirill Boychenko: Good to see you.
Delaney: So you're here at RSA to cover a really important but unique topic in cybersecurity - combating human trafficking with threat intelligence. Can you talk about how the initiative began or evolved as well?
Boychenko: Absolutely. For us, it began by a group of interested passionate analysts who wanted to do something to contribute to an important cause. And we had an opportunity to do so. So we joined our forces. And we were looking at what is known as 4P paradigm, which is protection, prevention, prosecution and partnership. And so we were thinking, what we can do, how can we employ similar models and methodologies from threat intelligence, to help solve problems of human trafficking, offer some solutions and see how we as cybersecurity and threat intelligence professionals can contribute to ending human trafficking.
Delaney: Hande, so what were the big takeaways for you from this project?
Guven: So one of the biggest issues with detecting internet-enabled human trafficking is the fact that it's very difficult to identify. There is no single indicator that will tell you sure proof that there is human trafficking happening. So that was the biggest challenge that we faced and using the threat intelligence methodologies, we were able to come up with various indicators and identifiers that when combined, can really get especially law enforcement officials to a place where they can find the references, the red flags that need further investigation. So that was the big takeaway for us that there isn't a single thing that will tell you sure way. But you can do you can take steps to get to a place where you know what you need to dig into further.
Delaney: And did you actually help people? I mean, what were the results? What were the key result that the win's here?
Boychenko: Absolutely, we wanted to go beyond scare to actionable. We wanted to offer solutions that would help and so we came up with a proof-of-concept model. And essentially, it came to the following. So we needed to know what to look for. And we wanted to identify potential human trafficking scenarios. So for that we crowdsource keywords - keywords that are associated, either with active floors, or potentially advertisement of individuals that are in human trafficking scenarios. Then we needed to know where so we had to identify sources that we later can investigate and see if we can surface any red flags, potential situations of human trafficking. We needed to know how we will do that. And that part was easier for us as threat intelligence professionals, because once we knew where, we were able to scrape the data from those sources, aggregate the data for further analysis. And the why which is most important is to provide this model, this methodology to first responders, so they can find red flags, and ultimately help survivors of human trafficking, or perhaps it would aid ongoing investigations or further research into this problem.
Delaney: So what's next in the project? So you've got plans to continue research on this research?
Guven: So like Kirill mentioned, we were basing our research reports on the 4P paradigm. So the proof of concept over here had to do with the partnership. One of the Ps is partnership. And so we're continuing our research reports where we will be publishing another report that we're currently working on. Unfortunately, I can't talk too much about it since it's still ongoing. But needless to say, we do hope that it will be data driven, it will hopefully disrupt some of the criminal ecosystem that contributes to that and will be aiding in the kind of erasure of this problem further. So be on the lookout for more research is limited amount of things I can say.
Delaney: We will be. So I want to move on to another research that you're doing at the moment on the Turkish dark web, and you've written two in-depth research reports two years apart. Could you just share an overview of your findings, but also compare and contrast the two? What happened those two years?
Guven: Sure. So we first began our Turkish dark web investigations in 2020. I'm originally from Istanbul, Turkey. So when Kirill and I were looking at new sources to add to Recorded Future's collection that we're from Turkish language forums, and dark web markets, and so on, we found a very robust ecosystem there that we don't think gets a lot of attention, whether it be media or another research publications or threat intelligence firms. So that's something that we really wanted to focus on to understand that ecosystem better. We found that they focused on two primary functions, one of which is patriotic hacking, or hacktivism. And the other is financially motivated cybercrime, of course. So that's what our research covers, we found that there was a big sense of kind of fraternity camaraderie, a lot of the sources were difficult to get into. And also on the cyber, on the hacktivism aspect, or the patriotic hacking aspect, we found that the hackers see themselves as an expansion of the Turkish military almost in cyberspace, which was interesting to us. So they take on a lot of enemy states as they perceive them to be or entities that they perceive to be enemies of Turkey. And they use low sophistication methods like DDoS attacks, or defacements, to kind of inflict reputational damage. So that's certainly kind of something to keep in mind for other organizations, because they could be a target of at anytime. And when we compare that to our human trafficking research, they're sort of different from one another, just because we looked at dark web sources for the Turkish language research, versus our human trafficking research focus more on the open web? Because we find that although, you know, dark web sounds so scary, and there's a good amount of fear mongering about that, we also find that a lot of threats do come from the clear web, they're hiding in plain sight. So for something like human trafficking, that's the big difference that they are everywhere.
Delaney: Kirill, anything to add in terms of what organizations can take from this research?
Boychenko: Definitely. What we found from building collections on Turkish language dark web, is that threat actors who operate on those platforms, they discuss different tools, they talk about different attacks, they brag about the attacks that were conducted. All that information that is useful intelligence for companies and organizations to understand the motivations, the skill, and to be prepared for a potential attack, be it a DDoS attack, a use of malware, potential, spear phishing attack, or anything else. And so with our visibility into those sources, this is something that companies can use to up their defenses.
Delaney: Right. So let's talk about organizations' threat intel's programs more generally, and what you're seeing them doing well, and not so well. So when it comes to synthesizing all sorts of threat intel, whether it's third parties, open source or their systems, what missteps do you see them often make that they can improve on? So, Kirill first and then Hande?
Boychenko: Yeah. It seems like certain problems been there forever. And many companies, including ours reported on them, but they're still present. Ransomware is a problem, we found ransomware samples in our Turkish dark web research seems to be seems to be an ongoing problem. It seems that there are some low hanging fruits in terms of defenses that companies could employ, but not always do is limiting privileged access. Not letting users just access company's resources, principle of least privilege, defense in-depth patching, those are very obvious things, but in many cases, they're not full properly. And then we have an attack surface on our hand. That is, unfortunately, seemn to be growing and not going away.
Guven: Another sort of, in a similar vein, is that another thing. Focusing too much on only certain state-sponsored actors or only threats that are coming from certain countries. So we think that for example, the Turkish dark web and the patriotic hacking communities, they're although not very sophisticated, they can inflict damage. So not disregarding them, especially since they are always reacting to global events and the current ongoing in the political sphere. If you're located in a country that sort of has that kind of problem with international relations, kind of being on the lookout for that because they go for the lower hanging fruits like also Kirill was saying, but it is still surprising, the kind of the size and the gravity of companies that fall victim to it. So being ready for defamation, and DDoS attacks, things of that nature.
Delaney: Because threat intelligence is great to have, only if you can act upon it quickly. So what does good look like when it comes to operationalizing this threat intelligence?
Guven: I think taking advantage of the great amount of spread intelligence that's already out there, right? So having early visibility into threats. That's why you know, dark web monitoring, forum monitoring, etc, is very important so that you can actually get in on the intelligence at the chatter level before it even escalates anything further. Similarly, with financially motivated crime, infostealers getting access to infostealer data before they even hit dark web markets. So being proactive, I think would be the best case scenario.
Boychenko: Yeah, and some of the advantages of threat intelligence is the depth of collections, the speed, and how far and wide can threat intelligence solutions go in terms of covering different sources. So with that at your disposal, you have a lot more information and that is always good in our field.
Delaney: Well, this has been fascinating talking with you. Thank you so much, both of you, for your expertise.
Guven: Thank you.
Boychenko: Thank you, Anna.
Delaney: And thanks so much for joining us. For ISMG, I am Anna Delaney.