Sangduk Suh, S2W: “large security accidents begin with very little and weak gaps in the surface”
Noticing a cyberattack or a data breach too late is the nightmare that makes every business owner toss and turn in bed at night.
While some companies succeed in finding and eliminating or mitigating a threat before it does major damage, there have been instances where an attack went undetected by even the best malware and cyberthreat detection systems. By the time such an attack surfaces, any action taken is often too little, too late. To avoid incidents like this, businesses need to gather threat intelligence and be prepared to act as early as possible.
And with new and more advanced threats emerging every day, intelligence-gathering technologies and their creators also need to improvise, adapt, and overcome challenges. To discuss this, Cybernews reached out to Sangduk Suh, Chief Executive Officer at S2W, a company that does big data analytics for cyber threat intelligence.
Tell us the story behind S2W. What was the journey like since your launch?
S2W, a data intelligence company, has been growing remarkably based on its technology since it was founded in 2018 by researchers at KAIST's Network & System Security Lab. Starting with the launch of monitoring solutions for the dark web, which was like a blind spot for cybersecurity, it currently provides cyber threat intelligence services in various areas, including public, financial, manufacturing, telecommunications, e-commerce, games, and virtual asset transactions. In 2021, it was selected as a solution provider to Interpol, and this gives the S2W team such pride in contributing to the world's cyber safety.
Can you introduce us to what you do? What fields do you mostly focus on?
We are focusing on data intelligence-based security services, in markets roughly divided into TI (Threat Intelligence) and DRPS (Digital Risk Protection Service). We provide intelligence to important institutions and companies in real time about the various threats, leaks, and new attacks outside their controlled networks that they are not aware of.
On the other hand, the field of digital abuse detection is also one of our business areas. "TRUZ," a data detection solution for abnormal transactions, identifies transaction fraud, cross trading, and abnormal marketing promotions that benefit malicious users on our clients' platforms. It focuses on improving customer experience and protecting the brand value of our clients.
There is a difference between finding the source of the problem in external data analysis and in internal data analysis, but the core technology is the same: collecting large amounts of data and analyzing it in real time to find specific information or to evaluate information.
What technology do you use to analyze large amounts of data?
Our representative TI solution "XARVIS" uses a natural language processing (NLP)-based AI engine to process the vast amounts of data collected by our independently developed collection platform. This technology can process an average of millions of web pages per day. For important threat groups, S2W operates a system that accumulates their infrastructure and trace information using our own know-how. "TRUZ," our digital abuse detection engine, detects suspicious transactions and behaviors in the client's system based on deep learning technology and blocks fraudulent transactions. Even when conducting joint investigations with Interpol into various international ransomware crime organizations such as REvil, Cl0p, and GandCrab, our collection coverage, depth, big data processing capabilities, and tracking data on threat groups were combined to provide decisive intelligence.
Have you noticed any new methods used by threat actors during the pandemic?
Since the COVID-19 pandemic, security violations have continued to increase during the rapid digital transformation brought on by remote work and similar changes. This is likely to be an important year for preparing security measures for the attack surface, that is, the weakest surface, which is where attacks such as ransomware and phishing/smishing begin. This is because even large security accidents begin with very little and weak gaps in the surface. Methods such as stealer logs, used to attempt access to a central server through remote terminals, have been increasing rapidly in recent years. New or variant stealers that are not well detected by antivirus software continue to appear, and their purposes are all the same: to steal access rights to the center from external terminals with weak security, whose numbers have soared due to the pandemic, or to extract information from terminal owners that can be turned into financial gain.
Requests for the sale or production of these stealers are active on the dark web. In addition, there are black markets that operate such attack tools on a large scale and sell the stolen information in large quantities on channels such as the dark web, deep web, and Telegram (or let buyers search for the information they need through websites, purchase specific countries or specific accounts individually, put them in a shopping cart, and check out).
With so many cybersecurity solutions available, why do you think certain companies and individuals are hesitant to try out new technologies and upgrade their cybersecurity posture?
Since information on the dark web, deep web, and hidden SNS channels cannot be seen easily on the general web, it is to be expected that companies and individuals have difficulty deciding to prepare for it as a precaution. The dark web doesn't have a search tool like a regular portal, and data on the dark web often disappears and comes back again. These invisible channels, and what happens in them, have existed in a blind spot of the cybersecurity field.
Even when various ransomware attacks or credential leaks break out, it is difficult to believe these things will happen to you until you are directly affected. Companies invest in profit-making, but it is not easy to make investment decisions in preparation for accidents. Security officials we have met often wished that a security incident of an appropriate scale would occur, because only then would there be a justification for introducing a new solution.
Companies do their best to prevent their security problems from becoming known to the outside world, or to reduce the apparent size of the accident. They also don't want to disclose that their security has been strengthened, because it gives the public the impression that there was a problem. For this reason, even when new threats arise, new solutions are not applied or selected easily.
Another reason is that numerous solutions claim versatility. Everyone boasts powerful AI-based features and says they can solve every problem. If you are considering introducing one, it is important to check two things: "Are there real cases?" and "Are the clients already using it satisfied?"
What are the most common problems companies can run into if quality threat intelligence solutions are not in place?
Ransomware criminal organizations are becoming large and organized. The dark web is a venue for ransomware groups and hackers to share information, and there is much information there about attack methods and the timing of activities. It is necessary to check the status of company-related leaks on the dark web, and to include not only the company itself but also information related to vertical and horizontal affiliates within the scope of monitoring. These attacks, which gradually dig into weak gaps from the outside, can be prevented to some extent. The attack surface should be checked continuously, and terminals and accounts leaked through stealers should also be managed. Without such continuous management, a company can be seriously damaged in an instant.
And it is terrible to be the last one to know, when the media, customers, competitors, and regulatory agencies are already aware that you've been attacked, all your important assets are already under the control of hackers, and corporate secrets or client information are circulating outside.
You should always defend against attacks and prevent accidents. And if anything happens, you should be the first one to know about it. That’s what we promise to our clients.
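The answer above says leaked terminals and accounts from stealers "should also be managed", which in practice means triaging a stealer-log dump for anything that touches your organization. The script below is an added example written for this article, not S2W's code or part of XARVIS; it assumes the common "URL:login:password" dump layout, a constructed sample dump, and a hypothetical watched domain (example-corp.com). It flags logins to the organization's own hosts, corporate identities used on third-party sites, and credential pairs reused across hosts, and masks passwords in the output so the report itself does not re-leak them.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample dump in the "URL:login:password" layout that stealer-log
# dumps commonly use. Hosts, users and passwords are invented for this example.
SAMPLE_LOG = """\
https://vpn.example-corp.com/login:jdoe@example-corp.com:Winter2024!
https://mail.example-corp.com:443/owa:alice:hunter2
https://shop.unrelated.io/account:bob:pass123
https://git.example-corp.com/users/sign_in:jdoe@example-corp.com:Winter2024!
https://partner.example-vendor.net/portal:carol@example-corp.com:Qwerty!1
this line has no separators and must be skipped
"""

# URL (scheme, host, optional port, optional path) : login (no colon) : password (anything).
# Splitting on the first colons after the path keeps passwords that contain ':' intact.
LINE_RE = re.compile(
    r"^(?P<url>https?://[^\s:/]+(?::\d+)?(?:/[^\s:]*)?):(?P<login>[^:\s]+):(?P<password>.*)$"
)


def parse_stealer_log(text):
    """Parse dump lines into records; lines that do not fit the layout are dropped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        host = (urlsplit(m["url"]).hostname or "").lower()
        records.append({"host": host, "login": m["login"], "password": m["password"]})
    return records


def _in_scope(name, watched):
    """True if name equals a watched domain or is a subdomain of one."""
    name = name.lower()
    return any(name == d or name.endswith("." + d) for d in watched)


def _mask(password):
    """Keep two characters so an analyst can confirm a match without storing the secret."""
    return password[:2] + "*" * max(len(password) - 2, 0)


def triage(records, watched_domains):
    """Return in-scope findings (passwords masked) and credential pairs reused across hosts."""
    watched = [d.lower() for d in watched_domains]
    findings = []
    hosts_by_credential = defaultdict(set)
    for r in records:
        login_domain = r["login"].rsplit("@", 1)[1] if "@" in r["login"] else ""
        if _in_scope(r["host"], watched):
            kind = "corporate_service"   # a login to one of our own hosts leaked
        elif login_domain and _in_scope(login_domain, watched):
            kind = "corporate_identity"  # our email address used on a third-party site
        else:
            continue
        hosts_by_credential[(r["login"], r["password"])].add(r["host"])
        findings.append({"host": r["host"], "login": r["login"],
                         "password": _mask(r["password"]), "kind": kind})
    reused = [{"login": login, "hosts": sorted(hosts)}
              for (login, _pw), hosts in hosts_by_credential.items() if len(hosts) > 1]
    reused.sort(key=lambda x: x["login"])
    return {"findings": findings, "reused": reused}


if __name__ == "__main__":
    report = triage(parse_stealer_log(SAMPLE_LOG), ["example-corp.com"])
    for f in report["findings"]:
        print(f"{f['kind']:18} {f['login']:26} {f['host']:28} {f['password']}")
    for r in report["reused"]:
        print(f"REUSED {r['login']} on {', '.join(r['hosts'])}")
```

Every "corporate_service" finding is a credential that should be reset and its terminal checked for the stealer; a "corporate_identity" finding on a third-party site is a password-reuse risk even if that site is not yours; and the reuse list shows which one reset would be insufficient because the same pair opens several doors.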
Besides threat intelligence solutions, what other security practices do you think are essential for modern companies?
With the growth of online commerce, the types of digital abuse have also diversified, and solutions that reflect this are also important. The virtual world collectively referred to as the metaverse will be accompanied by more kinds of incidents and larger-scale security issues than the real world. In a digitally composed world, everything is faster and larger in scale than in reality. Behind the expectation that a world of infinite possibilities and imagination will open, there are also concerns about security issues, crime, and unhealthy activities on a huge scale. Companies considering metaverse or virtual-asset-based business opportunities should also treat security as important. Greater speed requires stronger brakes. Companies that are well aware of this will win the race.
Since you also specialize in cryptocurrency security, would you like to share what threats surrounding cryptocurrencies are prominent nowadays?
The field S2W has monitored with expertise so far is the range of fraudulent transactions on the dark web conducted through cryptocurrency money laundering. Illegal transactions, such as ransomware payments, malicious code purchases, hacking requests, sales of leaked accounts, and fraud, occur through malicious addresses. As cryptocurrency transactions in various industries increase, it is possible to slow down or stop such transactions by analyzing the addresses and communications used for criminal purposes in real time.
Recently, NFT-related scams have exploded. There are so many scams, and they are so frequent, that when one happens it is simply considered "bad luck". Blockchain technology is accepted as a symbol of transparency and reliability. It gives the belief that cryptocurrency cannot be hacked and NFTs cannot be illegally copied. However, numerous risks exist in the process of applying these technologies. The value stored at a specific address may be secure, but there are endless attack methods, such as tampering with addresses, intercepting transactions, and redirecting an entire site so that funds are sent elsewhere. We are highly interested in this area and are actively studying ways to strengthen security.
And finally, what's next for S2W?
We will continue to expand the channels we monitor to find existing threats, and we plan to actively pursue international cooperation and partnerships, including with competitors, to provide high-quality intelligence to clients. With the technology accumulated in the unique field of the dark web, we intend to become a big data intelligence company and expand our business into various fields, such as blockchain, e-commerce, e-sports, and entertainment. Companies that value justice have superior competitiveness and sustainability, and S2W will prove this to the world.