
My coworker and I touched that anyway, so I just felt compelled to say a couple of words in Albanian, because I was born in Kosovo. But I just said it's an amazing opportunity. Actually, this is amazing to see BSides in Pristina; this is the first time. As you might know, BSides is a really large conference that is held across the world, so this is just a testimony that proves that even in Kosovo, in Pristina, we have a lot of youth and vibrant people who are also contributing to the industry of cybersecurity. Also, this is pretty special for me because I don't always have family in the audience, so that is another reason why I feel really stressed; actually it's more stressful than when I don't. And also, this is just a great start. I'm actually hopeful for the future.

Anyway, I'm going to talk a little bit about myself. I mean, I could talk for hours, but I just want to say that I was born here. I was born in Gjilan; I finished elementary school and high school in Gjilan. And so I just got lucky. Of course, when you get lucky, it's not always like you harvest the fruit right away;
you usually do the hard work up front. So that's what happened to me: I got a full tuition scholarship to study at Texas Lutheran University, which was kind of a dream come true for me. It was actually surreal to me at the very beginning, because I did not know a lot about Texas. But anyway, through the years I finished my Bachelor of Science degree in Computer Information Systems and a minor in Business Administration, and I started working as a software engineer. It was interesting, because my first work was as an intern. I was also lucky to get into Rackspace. Rackspace was one of the biggest cloud computing companies. As an intern, I was the only one out of 40 to actually work on a really sensitive project. I was paired with an ex-professor, and I don't know what kind of engineer he was, the highest one, I think. Imagine me as an intern working with a really knowledgeable person. My self-esteem definitely suffered a lot, but I learned. To me, whenever I know that I don't know, that's the moment of improvement. So that's what happened.

After that I moved to another company; I worked as a consultant, again as a software engineer. If you follow my talks, I've mentioned this: I did not really have an understanding, and I was not sure. Whenever I worked on a feature, I did not like to work with security, because they always bring more work. But anyway, I got assigned to help someone during Christmas with a project in application security. During that time I did not know what to expect, because I did not know a lot about cyber security, but I started working, and I mean, who doesn't want to break things? So to me it was awesome, and quickly I got into actually leading projects, and I never went back to software engineering because it was that great. At least in the very beginning it was exciting, but then, that's why I stayed. I want to really make sure to emphasize this: as engineers we build a lot of software, and the main point of it is to make our lives better, but the reason why I stayed in security is that I feel morally obligated to create safe and secure applications. For example, back in the day not everyone was required to join the virtual world, but now it's actually impossible for someone to exist without having some sort of account online. So to me that is why, since there is no other way, and it's not going to be a choice anymore moving forward, I feel like we as the professionals are actually morally obligated to create products that are safe.

Okay, so I always like to start my presentation with what's happening. Well, it's a lot of things. At some point I had like 15 things, but I just wanted to shorten it.
Right now we have increased ransomware attacks. We have cyber war; actually, we are in the middle of that, a live example of a cyber war, a nation-sponsored cyber war. We have a lot of new frameworks and technologies, such as artificial intelligence; we have autonomous cars; we have IoTs, so all of our appliances at home are powered by an application of some sort, so basically even our fridge can be hacked. Then we have crypto, blockchain, where someone tries to mine and you don't even know it. So overall there are a lot of things going on, and as a cyber security engineer you always have to know what is happening, because if you don't know what is happening, then you are probably missing something. So I took a screenshot; this is one of the Microsoft live threat attacks that are happening in the world. It is assumed, or perceived, that on average in 2022 there is one ransomware attack for every level, so it means that while I'm talking, I don't know how many attacks are happening right now. So definitely the situation is not going to get better, because the more devices and things we get online or powered by applications, the worse this is going to get, because the attack surface is just increasing.

Okay, so motivations. The major one is financial, but there are also political, ideology and emotion. Political and ideology, for example hacktivism; emotion, sad to say, stalking, or child pornography. Those are things that actually trigger me: we need to create a safe environment, even for our future. So with that, a lot of companies have actually embraced the zero trust model. What zero trust says is that you have to assume that you're already breached, everything. Regardless of where the request comes from, you cannot assume that just because an application is behind a firewall it is safe. So you always trust but verify. In particular, this is how the product should work: basically the intended feature and the actual functionality will match. But we don't live in a perfect world, we live in the real world. In general, when you're building a product, that is the intended functionality, the red side is the actual functionality, and your intent for the feature is right here, but we always, not intentionally, create security vulnerabilities as well, and of course product bugs. And this is the side where we actually
are concerned. So today I'm going to mostly concentrate on talking about threat modeling. There is a fancy definition of what threat modeling is, but in general we humans threat model every time we make a decision. For example, I decided to do skydiving a couple of years ago; I did threat modeling and I just assumed the risk. So we do actually threat model; it is just another way for us in security to identify or call this process. I like this definition, it sums it up really well: threat modeling is kind of the big picture of security. You don't look at the trees, you look at the forest. So basically you zoom out and look at your application, your architecture, from a little bit higher.

So why do we use threat modeling? In general there are technical vulnerabilities and logical flaws or vulnerabilities. For example, that one: it just won't present them, but this is a logical flaw; I don't think that is actually safe. We are humans, and humans design products, and we sometimes make mistakes, so that is the logical flaw. But people ask, are we going to just stop doing static analysis or dynamic analysis, pen testing? No, that is not the point of threat modeling; these are all also required. But threat modeling... okay, so you see, logical vulnerabilities are usually caught by threat modeling, because in order to threat model you actually have to understand the product, you have to understand the business requirements, which most of the scanners don't know. For example, if you are building a brand new idea that never existed, normal scanners will not be able to detect anything. So that is the reason why you have to threat model. And of course technical vulnerabilities, most of them are caught by static and manual analysis, sorry, pen testing, and dynamic code analysis.

So when to threat model? Because I was a software engineer, I feel empathy, and I actually empathize with software engineers too. You want to do the threat modeling right here, because in this phase the tech lead already knows what to do, what they want and how they are going to implement it, so you already have enough material to threat model. So usually the preferred phase in the SDLC is the design phase. Because if you don't really engage security at all and you just push whatever feature of the product into production, what's going to happen is that you find issues, vulnerabilities, and then you're going to go back and fix them, and you know what happens when you fix them: for example, imagine if, whatever your design is, you have to redesign the whole product just to make sure that the vulnerability is gone. So it costs; it actually cuts costs. And the other thing is that you want to build your product with security in mind, because, as I said, we are obligated, and there are also laws to build secure software. Of course it's not wrong if you do it at the end, even if the product is mature; you are allowed, there are no rules, but this is where you get the best benefits.

So there are two types of threat modeling. I used to be a consultant, so I would work on different projects every maybe two months, so I would do waterfall threat modeling. Basically, I would already have the entire project; for example, sometimes I had thousands of services to threat model. The drawback is it takes forever. The other thing is that you compile a 100-page report, but then are you
effective? Because, as I said, then you are doing the same thing as static analysis and dynamic analysis, so you are not really benefiting from the point behind threat modeling. In the agile world, what happens is usually you want to partner with your engineering team and you want to move along with them. I've worked with so many companies, so I know the different flavors and where security stands, but generally you want security to actually be part of the engineering team, so whenever they build something, the security engineer is there. Of course, I am aware security teams are small, so I know that we are never going to have one security engineer per engineer, but you want to embed yourself. You can also automate some of the parts, but the important thing is you actually want to engage with them in the early stages and also move along with it, so you are not the blocker. No one wants to be blocking features.

Types of modeling, or methods. Another thing: I've met a lot of people, but the problem is that some people like processes and they don't necessarily look at their organization, what they're doing, or anything; they just want to embed processes for the heck of the process. But that is not the point. You have to assess your own organization, you have to know how things work. Imagine if you just want to do it because you read it somewhere; that's not the point. The point is that you have to understand your organization and embed the parts or pieces of the process within it, but never sacrifice the entire product or the entire organization because you think that you have to go through each step of the process. So you work with threat modeling as it works for your organization. The types are STRIDE, PASTA, kill chain, attack trees, Persona non Grata; those are all the types, but I'm actually going to talk about STRIDE.

Tools that you can use: of course Microsoft's; there are a lot of tools, actually. I use Visio because I like to be in control of what I'm drawing and how I'm drawing everything. It doesn't even matter; you can actually use a whiteboard, because why not? The problem with the whiteboard, though, is that you take pictures but you cannot edit anymore. Threat modeling is also meant to be a living document; you can record it in a document or so, but it's meant to be a living thing, so whenever you're building a feature you just build on top of it, not necessarily redraw everything. So perform threat modeling as it works for you, but definitely it's good to have something that you can edit, so then you don't have to redo the whole thing.

So there are four questions that we generally try to answer during this process: What are we working on? What can go wrong? What are we going to do about it? Did we do a good job? These are the four questions. They definitely look kind of easy, but threat modeling is actually a really abstract thing,
because you're trying to think about threats that can happen to your product without even having the code. Of course it takes a lot of brainpower, but I love that, because your imagination is the limit.

So, what are you working on? Get familiar with the application software. It's hard for you to threat model if you don't understand the nature of the product. This is the reason why I said that you cannot necessarily use an automated tool: if you don't know what the project or the product is doing, you cannot effectively threat model. So get familiar with the software; know exactly, not just what it is doing, but where the services are deployed, how they work together, how they talk together. Have that knowledge, so then you don't assume anything. An insecure assumption is really not the best thing in security. The other thing is to engage with the right people. Of course, who are the right people? I actually love to talk or work with tech leads, because they have the right amount of information that I need to do my work. Set goals, of course. What are you trying to threat model? I don't know if you understand scope creep, it's from the PMs' world, but you can actually go so much further and lose track of what you're doing, so setting the goal and scope is really important. Otherwise, assessment of scope: if you're working in an agile environment, you just threat model the actual piece that is changing, because the rest of it is already done, so you don't want to redo anything.

Okay, so what can go wrong? Break down the system: what are the pieces of the entire thing? If you're working on a feature, what services are being changed, what is changing? Because the feature was there before, and now you're working on something else and adding things, which doesn't mean that that feature has not been impacted. So break down the system; make sure you understand what is happening. Identify threat agents and possible attacks. At this point it's really important because, again, assumptions: some people think that the only threat agents are the non-users, those who don't have an account. Malicious is sometimes really abstract; it actually is among people. So your threat agents are users, known users, internal, even software engineers. As I said, zero trust means that you trust but verify, so even for your own organization, it depends how big it is, but you always have to make sure that you identify the right threat agents, because if you don't, then things are going to go silent; you are not going to be able to identify or know that you're being attacked, or you lost maybe a lot of information but you never knew. And understand the existing countermeasures. Of course, as I said, you don't want to reinvent the wheel; also you don't want to be that person that always complains but doesn't have the data to back it up. So understand the countermeasures, and always be prepared to answer questions, because as a security engineer you're going to spend time negotiating with people. You have to be able to understand and align the business impact; you have to understand how to elaborate what is happening and how bad or good an issue is. Of course, rank valuable data and resources based on the risk and the value. Some parts of your application or product are more valuable, have more important data than some other ones. The question is: what would someone want from you? What is the gold in your product that someone would want to take off? That's how you think about it when you try to rank the valuable information. And then the last thing, which is the most important thing: identify exploitable vulnerabilities. We are going to use STRIDE, which is spoofing, tampering, repudiation, information disclosure, and then, I think, okay, and elevation of privilege. I wasn't sure what was happening there.

Spoofing: something you know, something you have, something you are, somewhere you are (location), something you do. These are the things that identify a user. With spoofing, you
pretend to be someone else. An example would be SIM swapping. This involves a little bit of social engineering, but basically it means that, for example, some cryptocurrency investor lost billions of dollars because someone called their provider and pretended they were them, and asked them to cancel the SIM card because they lost it and send a new one to another address. So what happened is that they lost because of two-factor, of course. So that guy is poor; he lost a lot of money. Another thing, I hope this will work; is it connected to the internet? Maybe not. Okay, I think I can live with it. But basically it's deepfake facial and voice cloning. This is not a distant thing anymore; it is already happening, and there are a lot of companies who are investing to identify what is real and what is fake. Especially if you're famous and you have a lot of videos and a lot of material out there, the chances that someone is going to create some fake videos of you are high. That's the reason why sometimes I just change my voice. I wish this had worked; it's a perfect example. Or voice cloning: take bits of your voice, put them together, and actually ask, let's just say you're really high up, ask someone, "Hey, I need all the money, send it to me right now." That's it. And people are really good at following instructions in order.

Tampering: it all has to do with integrity, changing data or code. Log4j, because it was a Christmas nightmare, or a Christmas gift, whatever you want to call it. Or, for example, there was a Ruby gem that was a backdoor that basically pretended to be part of your code, but it was not.

The next thing is repudiation, not reputation: claiming not to have done a particular action. Logging things is really important, for auditing or telemetry, whatever, but making sure that you log every action that is happening in your product is important, and also making sure that you log properly, addressing the right people: each user needs to be identified properly, so when that action happens you can go back. More than anything, we now have a lot of data, but we just need to make sure that we actually use it properly. An example would be when you have one account for certain software and there are multiple people using it; when things happen you don't know what happened or who did it. So that is basically saying, "I didn't know, I did not do it." If you have only one user, that means that you cannot point out who did it.

Information disclosure: this is really common. Basically, the leaking or leakage of sensitive information. An example is Equifax, if you remember; this was a pretty big deal. A lot of social security numbers were leaked, and I don't know how; anyway, I don't want to talk about it, but yes, they leaked all the social security numbers, and of course they had some programs to make sure that you get some protection, but once it happened, it happened.

Denial of service: basically putting down your service. It has to do with the availability of your service. If a service, let's just say any really important action, goes down, it means that the other users cannot log in. Or, for example, if someone stole someone's password and then just brings down the service, then the person cannot actually log in and change it. Mirai, I think I'm pronouncing it right; you probably remember this, when half of the world was in the dark.

And then the last thing is elevation of privileges, which has to do with authorization: being able to perform unauthorized actions, pretending like you're an admin. I don't know if I want to tell a story from when I was a consultant, but basically, elevating privileges: Meltdown and Spectre bypass user application restrictions on accessing protected kernel memory. So it's like elevating privileges to access something that they are not supposed to.
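The tampering and repudiation points above come down to two properties of the audit trail: every action is attributed to one identified person, and a record cannot be quietly edited or removed afterwards. As an added example (this is not code from the talk or from any project the speaker mentions), the following Python module keeps a hash-chained audit log where each entry records who did what to which resource and when, refuses actors that are shared accounts (so there is always someone to point to), and verifies the chain so that an edited, deleted or reordered entry is detected. The account names, events and timestamps are constructed sample data, and the shared-account list is an assumption.

```python
"""Tamper-evident, attributable audit log (added example, not from the talk).

Each entry carries the hash of the previous entry, so rewriting or deleting a
line in the middle of the log breaks the chain. Entries whose actor is a shared
account are rejected, because a shared account cannot be attributed to a person.
"""
import hashlib
import json
from dataclasses import dataclass, field

GENESIS = "0" * 64

# Constructed list of accounts that several people share; such actors cannot
# be used for attribution, so the log refuses them (assumption for this example).
SHARED_ACCOUNTS = {"admin", "root", "service"}


@dataclass
class AuditEntry:
    seq: int
    ts: str          # ISO-8601 timestamp supplied by the caller
    actor: str       # individual user id (never a shared account)
    action: str
    resource: str
    prev_hash: str
    entry_hash: str = field(default="")

    def compute_hash(self) -> str:
        # Canonical JSON so the same fields always hash the same way.
        payload = json.dumps(
            {"seq": self.seq, "ts": self.ts, "actor": self.actor,
             "action": self.action, "resource": self.resource,
             "prev_hash": self.prev_hash},
            sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(payload.encode()).hexdigest()


class AuditLog:
    def __init__(self):
        self.entries: list[AuditEntry] = []

    def append(self, ts, actor, action, resource) -> AuditEntry:
        if not actor or actor in SHARED_ACCOUNTS:
            raise ValueError(f"unattributable actor {actor!r}: use an individual account")
        prev = self.entries[-1].entry_hash if self.entries else GENESIS
        entry = AuditEntry(len(self.entries), ts, actor, action, resource, prev)
        entry.entry_hash = entry.compute_hash()
        self.entries.append(entry)
        return entry

    def verify(self):
        """Return (ok, first_bad_seq). Detects edited, deleted or reordered entries."""
        expected_prev = GENESIS
        for i, e in enumerate(self.entries):
            if e.seq != i or e.prev_hash != expected_prev or e.compute_hash() != e.entry_hash:
                return False, i
            expected_prev = e.entry_hash
        return True, None

    def actions_by(self, actor):
        """Everything one identified person did, for an investigation or a dispute."""
        return [(e.ts, e.action, e.resource) for e in self.entries if e.actor == actor]


def demo():
    """Build a small constructed log, then show that rewriting an actor is caught."""
    log = AuditLog()
    log.append("2022-10-01T10:00:00Z", "alice", "login", "portal")
    log.append("2022-10-01T10:05:00Z", "bob", "export", "customers.csv")
    log.append("2022-10-01T10:07:00Z", "alice", "delete", "invoice/42")
    intact = log.verify()
    # Someone tries to repudiate the export by rewriting the actor field in place.
    log.entries[1].actor = "alice"
    tampered = log.verify()
    return intact, tampered


if __name__ == "__main__":
    print(demo())   # ((True, None), (False, 1))
```

The chain only proves that nothing between the first and the last entry was changed; truncating the tail is invisible to `verify` unless the latest hash is also anchored somewhere the application cannot write to (a separate log sink, a signed checkpoint), which is the usual design choice for a production audit trail.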
Other considerations: cryptography, data protection, error handling. Those are all important parts which are maybe not part of STRIDE, but you have to consider them. Myself, when I do a threat model, I don't necessarily follow the rules or anything; I don't have a process. It's a muscle that you build as you work more and more on projects.

And then, what are we going to do about it? This is when you have to close the loop. One thing, like I said: the difference between being a consultant and actually owning a product is that you have to be really... this is the hardest part, because finding issues, maybe it's not easy, but it's not the hard part. The hard part is actually implementing, actually making sure that those are remediated. So prioritize and identify risks; provide remediation and mitigation. When I mentioned you have to sympathize with our engineers, it's that you cannot just say, "Here's a bug, here's a vulnerability, fix it by then, and I will come and check if you fixed it." You have to actually work, provide solutions, and of course work on negotiating what the best solution is, because sometimes, let's just say, OWASP says something, but that doesn't necessarily work because you have some other service; it's not even the same language. So you have to be able to at least provide pseudocode or an example of how an issue can be fixed. And add automated tests: if you know that something happened before, why not automate that, make sure that you check over time that that thing has not been broken since then. So add automation to make sure that you validate the things that are particularly important, things that you cannot just leave to chance.

The source material, references; I think I have all of them. And this is, I tried to make it easy: if you want to contact me or get in touch, I'm more than happy to talk to you. I love people, I love security, and I love to contribute to this community, because that's how I actually got into security. I don't have a formal education in security, but I learned because, for some reason, I was kind of assigned to a project, but then I loved it, and I just learned everything that I know by myself.

Last thing: definitely, if you're a cyber security engineer or you're thinking of joining the security world, we really need more people, because, as much as I want to say most people are good, there are some who are not, so we need to protect the majority. We cannot expect that just having the formal education gives you the knowledge, so we need more people to protect against malicious people. And that's it, people. Thank you very much. This is awesome. Thank you very much.
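The four questions above form one procedure: break the system into elements, identify threat agents and the countermeasures already in place, rank by the value of what an attacker would want, enumerate STRIDE threats, and then keep an automated check so the answer to "did we do a good job" stays true. As an added example (not code from the talk or from any tool the speaker names), the Python below walks that procedure over a small constructed system: a browser user, a web API, an audit-log store and the flows between them. It uses the standard STRIDE-per-element table (external entities get S and R; processes get all six; data stores get T, R, I, D; data flows get T, I, D), scores each threat by asset value times exposure, drops threats that an existing countermeasure already covers, and ends with a gate function of the kind you would wire into CI. The element names, values, exposure weights and the risk threshold are assumptions made for the example.

```python
"""STRIDE-per-element threat enumeration with risk ranking (added example, not from the talk)."""
from dataclasses import dataclass, field

STRIDE = {
    "S": "Spoofing", "T": "Tampering", "R": "Repudiation",
    "I": "Information disclosure", "D": "Denial of service",
    "E": "Elevation of privilege",
}

# Which STRIDE categories apply to which data-flow-diagram element kind
# (the standard STRIDE-per-element table).
APPLICABLE = {
    "external": "SR",
    "process": "STRIDE",
    "store": "TRID",
    "flow": "TID",
}


@dataclass
class Element:
    name: str
    kind: str                        # external | process | store | flow
    value: int                       # 1 (low) .. 5 (crown jewels): value of the data it touches
    crosses_boundary: bool = False   # reachable from a less-trusted zone (threat agents get to it)
    mitigated: set = field(default_factory=set)  # STRIDE letters an existing countermeasure covers


@dataclass
class Threat:
    element: str
    category: str
    score: int
    mitigated: bool


def enumerate_threats(elements):
    """Every applicable STRIDE threat for every element, scored but not filtered."""
    threats = []
    for el in elements:
        # Assumed weighting: a boundary-crossing element is three times as exposed.
        exposure = 3 if el.crosses_boundary else 1
        for letter in APPLICABLE[el.kind]:
            threats.append(Threat(el.name, STRIDE[letter], el.value * exposure,
                                  letter in el.mitigated))
    return threats


def ranked_open_threats(elements):
    """Unmitigated threats, highest risk first (stable ordering for equal scores)."""
    open_ = [t for t in enumerate_threats(elements) if not t.mitigated]
    return sorted(open_, key=lambda t: (-t.score, t.element, t.category))


def gate(elements, max_open_score):
    """Open threats above the accepted risk threshold; an empty list means the gate passes."""
    return [f"{t.element}:{t.category}"
            for t in ranked_open_threats(elements) if t.score > max_open_score]


# Constructed sample system: what is already mitigated reflects, for instance,
# TLS on the user flow (T, I) and authentication plus authorization on the API (S, E).
SAMPLE = [
    Element("browser user", "external", value=2, crosses_boundary=True, mitigated={"S"}),
    Element("user -> api (HTTPS)", "flow", value=4, crosses_boundary=True, mitigated={"T", "I"}),
    Element("web api", "process", value=4, crosses_boundary=True, mitigated={"S", "E"}),
    Element("api -> audit log", "flow", value=3),
    Element("audit log store", "store", value=5, mitigated={"T", "R"}),
]

if __name__ == "__main__":
    for t in ranked_open_threats(SAMPLE):
        print(f"{t.score:>2}  {t.element:<22} {t.category}")
    # With the assumed threshold the gate fails until the score-12 items are addressed.
    print("gate:", gate(SAMPLE, max_open_score=6) or "pass")
```

The ranked list is the "what can go wrong" output: here denial of service on the public flow and the four uncovered categories on the API come out on top because they sit on high-value assets that a threat agent reaches across the trust boundary. Once a countermeasure is added, the corresponding letter goes into `mitigated`, and running `gate` as a test keeps the model honest the next time the feature changes.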