Traveling the Globe With Threat Intelligence

December 9, 2019 • Monica Todros

Booking.com is one of the leading travel booking sites in the world, facilitating over one and a half million room nights via their platform every day. With that many clients, in addition to a network of third-party suppliers and partners around the world, Booking.com successfully fends off more than their fair share of attempted attacks.

Our guests today are two members from Booking.com’s security team who work every day to help protect the organization — Anastasios Pingios, principal security engineer, and Stuart Shevlin, intelligence program lead. We caught up with Anastasios and Stuart at Recorded Future’s RFUN: Predict 2019 conference in Washington, D.C.

This podcast was produced in partnership with the CyberWire.

For those of you who’d prefer to read, here’s the transcript:

This is Recorded Future, inside threat intelligence for cybersecurity.

Dave Bittner:

Hello everyone, and welcome to episode 137 of the Recorded Future podcast. I’m Dave Bittner from the CyberWire.

Booking.com is one of the leading travel booking sites in the world, facilitating over one and a half million room nights via their platform every day. With that many clients, in addition to a network of third-party suppliers and partners around the world, Booking.com successfully fends off more than their fair share of attempted attacks.

Our guests today are members of the team that work to protect Booking.com. Anastasios Pingios is a principal security engineer and Stuart Shevlin is program lead for intelligence. I caught up with Anastasios and Stuart at Recorded Future’s RFUN: Predict 2019 conference in Washington, D.C. Stay with us.

Anastasios Pingios:

Booking is the largest digital travel platform in the world today. We take security very seriously for that reason and we have to protect a lot of data from our guests, our partners, and of course our employees.

Dave Bittner:

That’s Anastasios Pingios.

Anastasios Pingios:

That means we face many different threats, a wide variety, from things you would see in ecommerce, things like fraud, like financially motivated threat actors, but also, since we’re a global company, things that affect global businesses. Think about the geopolitical changes, protests that might be happening, hacktivists. A lot of times, all of these end up as physical threats. And apparently, probably you have seen in the news, things like APT groups that are specifically targeting travelers for intelligence collection. Again, we are in this business so of course we’re getting targeted. Stuart, want to add anything more?

Stuart Shevlin:

I mean, look, we’re sitting in the middle of a ton of data.

Dave Bittner:

That’s Stuart Shevlin.

Stuart Shevlin:

It’s valuable for a lot of people. We have a worldwide presence with physical offices, partners, guests, colleagues could be traveling anywhere, could be somewhere like D.C., could be a much higher threat location. They all come with their own risks. So we have that to think about, and then we have sanctions, controls, abuse cases, and of course, as Anastasios is well aware and deals with on a regular basis, we have the cyber threats that come with that as well.

I think from the intelligence side and trying to deal with this, we support a really large number of business units across the company and we’re really dedicated, I think, within intelligence to discovering these threats in their quite early stages, to the extent that that is possible, including through a lot of high-level collaboration with our counterparts facing similar challenges in other companies as well.

I think something that we think is really important is that networking and that connection between companies that’s actually going on so well here today. In addition to that proactive work, we’re continually supporting our internal stakeholders in investigations and intelligence analysis related to the risks that they flag to us, and we collaborate as much as we can across the company to rectify, to impact, and to prevent future occurrences.

Dave Bittner:

It strikes me that with an organization as large as yours, and the breadth of things that your organization touches, because you’re dealing with a lot of third-party suppliers, what might be a bit of valuable information for one part of the company may have different meaning and value for a different part. So, that dissemination of information must be important.

Anastasios Pingios:

Yes, absolutely. That was actually the main reason why we are expanding the threat intelligence beyond the cyber side, which is not very common, but we see a lot of value in that. Probably, you can add more detail Stuart.

Stuart Shevlin:

I think that’s a good answer. I think it is part of the reason that this came about is that … A lot of things touch a lot of stakeholders within the company and it’s important that we have a group that can communicate that out effectively.

Dave Bittner:

When you say you’re expanding it beyond the cyber, what does that entail?

Stuart Shevlin:

I think honestly expanding it beyond the cyber is a matter of necessity for us. As you’ve already touched upon, we have a pretty wide range of risks that we face, as any company in our position does, so we’re constantly watching to see when the next hurricane or typhoon might hit, where the next political crisis might arise in order to ensure the safety of our local staff, our business travelers and, to the extent we can, our partners and our customers as well.

Add in the highly inventive range of fraud actors dedicated to finding vulnerabilities in any global ecommerce company’s infrastructure, as well as just the nature of dealing with these millions of consumers and partners, our needs just naturally extended beyond the cybersecurity practice. And they’re so interconnected as well. I think that’s a very good point that you raised. Especially in the last few years, more and more of these cases are becoming linked together.

A geopolitical crisis might lead to incidences of hacktivism. That same group of actors might use that acquired knowledge to commit fraud for personal gain as well. Having a team that can expand beyond that cybersecurity domain I think is super important.

Dave Bittner:

Well, let’s dig in some to this notion of team building and how have you gone about building your own threat intelligence team within the organization?

Anastasios Pingios:

That actually started organically in the beginning. It started with a few people trying to dig more into the threats that we were facing and see what we can find. We started seeing that the whole travel industry had similar threats. As we realized this one we saw overlap and, very quickly, as we were growing, we realized that it is not as simple as it seems.

In the beginning you think you’re going to get some people from the fraud department, from corporate security, from cybersecurity and put them and work together. But in reality, it is way more complex than this, even for things that you don’t initially think about. For example, how do you store the data you collect? What approvals do you need to store that data? How do you conduct your research online? What infrastructure do you use to do that? Do you use your corporate infrastructure? Do you use external infrastructure?

Of course, products helped us a lot in this one, intelligence-related products. But at the end it’s a really long journey, it’s not just one thing that you buy, you put in place, and suddenly everything works.

Stuart Shevlin:

It’s definitely a journey. I think the biggest challenge we’ve had is that Booking.com is a data-driven company, so we have to prove our value to the business. Sometimes that’s not very measurable in terms of intelligence. Avoiding a crisis, or proactively supporting the building of controls for an upcoming attack, is quite hard to measure. It’s quite hard to say, “Hey, here is the ROI on what we’ve done here.”

Dave Bittner:

Right. Congratulations, nothing happened.

Stuart Shevlin:

Yeah, exactly. You know what? If I got that every time it would be lovely. And we still haven’t finished this journey at the moment. I think the message, honestly that we probably pass on in this regard is that, if you’re thinking of building an intelligence function, just consider that scope and focus more on the outcome and the intelligence products that you’re trying to produce instead of the tools that will get you there. The tools are important, but you have to know what they’re going to aim towards and you have to know what that is going to look like at the conclusion of things.

Dave Bittner:

How do you go about shopping for those tools? How do you select what matches best with your needs?

Anastasios Pingios:

I will tell you this is like a common procedure. We don’t do anything very innovative in that area. What we typically do is continuously try to look at what’s out there, test out, talk to vendors, go to events like this one, like Recorded Future over here, to see what we can learn, learn from other people that have similar challenges. Eventually, when we find something that we think is going to cover a gap, evaluate it and see what it can provide to us. I would say it’s a common process, but at the end the tools themselves are not the only thing that is valuable. It’s all of the ecosystem that builds that intelligence team.

Stuart Shevlin:

Yeah, it’s a common process but it’s a process that works. At the end of the day, it’s about making sure that we’re aware of what’s on the market and making sure that our external contacts are telling us, “Hey, we’ve seen this, we’ve tried it, it works incredibly.” And making sure we accurately compare it against the vendors that we’re currently working with and others out there, on a regular basis, to make sure that they’re still providing an ROI to our stakeholders internally.

The procurement process is pretty rigorous. We have to make sure that it provides the benefits that we’re going to need as a company. I think we’re very good at that, whilst also being relatively creative in the mix of vendors we bring on as well.

Anastasios Pingios:

Another small comment on this one. I think Stuart already mentioned it earlier, but a really key point in that area is also the relationships. Not only for the tools themselves, to get the feedback from other users, but also the intelligence that you might get from other people. Because let’s say you have certain relationships with another similar company, and they’re getting attacked, it’s highly likely that you will also be attacked by the same threat actor, so it is good to have these relationships. Again, conferences, events, networking is very important in this area.

Dave Bittner:

Yeah, that’s interesting. It’s that old, you may be competitors, but the enemy of my enemy is my friend.

Anastasios Pingios:

Absolutely.

Dave Bittner:

Right. In terms of, again, back with the team, and the security team and the department itself, what part does the threat intelligence team play within the larger defensive organization?

Stuart Shevlin:

I think we actually have a major advantage in that regard. In that, the threat intelligence team at Booking, all the individuals within the team are fantastic advocates for the subject matters they’re experts in. I think they really are quite proactive in making sure they take steps to collaborate on a personal basis with our stakeholders.

Obviously you can have too many meetings sometimes, but there’s a lot to be said for those face to face meetings with coffee, and that very simple question of what can we do for you? And I think that’s where we can actually cater very well to the needs of the security department. I don’t think we’re perfect, yet. And I don’t think we’ve got to the point where we’re addressing the requirement of every team within the security department, or within the wider business, but right now it’s really ensuring those personal connections between the intelligence SMEs, and the stakeholders and other units, are strong. And, honestly, that we can speak openly, candidly with each other about the problems they might be facing.

Anastasios Pingios:

Yes. To give you some idea, some of the work that has already been formalized to a certain degree is strategic intelligence reports for our leadership to help them make decisions. Whether this is for something like natural disasters, or cyber threat, or anything else. Then we have operational intelligence reports that mostly go to engineering teams to proactively build defenses against upcoming attacks that we have sufficient intelligence to prove. And, apparently, there is also the tactical side, which is enriching automated systems, helping the operational teams during incident response and other investigations. But, as Stuart mentioned, we are still on that journey, so there are many more areas we need to improve, and many more areas that we want to get more mature at.

Dave Bittner:

Can you give us some insights on what it’s like operating at a global scale? Your organization is all around the world. You have people all over and that means you’re dealing with information coming to you from many, many different sources in many different formats.

Anastasios Pingios:

I will say this has two sides. One side is, this is very positive since we get to see a lot of things very early, we get to have visibility all around the world, but at the same time we also need to be able to proactively monitor and make sure that we prevent threats that we discover. One other interesting part in that thing is that that applies just to most companies that have a global presence, that we are able to find links in seemingly unrelated events. And I think this is the key part of this thing.

In some cases, let’s take a hypothetical scenario, so let’s say that there is a protest in a country. What would normally happen in a global business is the corporate security team would make sure the employees are safe. They’re either working from home or they are notified that this is going on. And let’s say a couple of days later there is a cyberattack, for example, a denial of service attack, something like that, again, in most companies that would be dealt with by the CISO team, and they will deal with that thing, they would make sure that all of the services keep on running. But there would be nothing that connects those two, and in a lot of cases there might be a clear connection between them. If you find this connection, then you can actually find the motivation, the intention, and start actually getting more proactive, because then you know that you have certain threat actors actually targeting you.

Stuart Shevlin:

Yeah. I think Anastasios is right. I think it’s particularly common in cases of fraud. Actors use a whole host of methods, obviously you get phishing attempts via email. You even get them approaching people in person to trick our users into doing anything from installing malware to performing fraud on their behalf, for example. So being aware of those methods, trends, understanding the steps needed to proactively prevent and rectify the impacts of such attempts to abuse our platform, harm our customers and partners, is really important to making sure we can facilitate the work that Booking.com does. And that we make it easy for people to experience the world.

Dave Bittner:

Yeah. It strikes me, too, I mean, all this is happening under the surface. Your work is behind the scenes and, to the customers, all they’re seeing is that when they come to your website, when they have their bookings being done, it’s just happening. Ideally, they’re not even aware of all this stuff that’s going on that your team’s working on.

Stuart Shevlin:

That’s the best case scenario.

Anastasios Pingios:

Yes. We used to have the same procedure to make it as frictionless as possible. Ideally people should not even care that security is in place. It should just work. And this is something that we had from the tech side of the business. We are a very tech-oriented company so we want to innovate as much as possible. That also includes security. We don’t want to hassle anyone with security unless it’s absolutely necessary. And apparently, as it was mentioned earlier as well, in a certain case we notify customers, we notify partners, and of course our employees, if we know there is a certain threat out there. But in general we want to keep it as transparent as possible.

Dave Bittner:

Yeah. What are your words of wisdom? What are your tips based on the things you’ve learned spinning up your own threat intelligence organization? What sort of guidance would you have for other organizations who may be doing the same?

Stuart Shevlin:

Don’t instantly think that you’re the expert in everything in the company; that is the most important thing, I would say. Go in, take the time to identify your stakeholders, have a coffee with them. They’re a wealth of information. Ultimately, they’re going to be the consumers of your products as well. You’ve got to make sure that you’re catering to the gaps that they identify, and that you’re using those discussions to highlight gaps that they might not even know exist yet, at this point.

It’s a collaborative game at the end of the day and I think that also comes into benchmarking as well. People, I think from the outside, have this idea that people that work in security intelligence are scary, or maybe not the most open people in the world, but honestly you’ll find out a lot of people within companies in these roles are really happy to talk through how they started the processes that they used. Even if they can’t go into the details, or they can’t tell you what they did in a prior life, they’ll at least be able to put you on the right path.

So, I think just be open to really listening to people, internally and externally.

Anastasios Pingios:

For me, actually, the wisest advice I have heard, a few years ago from an intelligence officer, he said that, “Intelligence is not about stealing secrets, it’s about providing answers.” I think this is really key to me. That what you need to do as an intelligence function is to make sure that you are helping the decision making process. You shouldn’t care about anything else. That’s the goal of it.

Dave Bittner:

Our thanks to Stuart Shevlin and Anastasios Pingios from Booking.com for joining us. We sat down at Recorded Future’s 2019 RFUN: Predict conference in Washington, D.C.

Don’t forget to sign up for the Recorded Future Cyber Daily email, where every day you’ll receive the top results for trending technical indicators that are crossing the web, cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses, and much more. You can find that at recordedfuture.com/intel.

We hope you’ve enjoyed the show and that you’ll subscribe and help spread the word among your colleagues and online. The Recorded Future podcast production team includes Coordinating Producer Monica Todros, Executive Producer Greg Barrette. The show is produced by the CyberWire, with Editor John Petrik, Executive Producer Peter Kilpe, and I’m Dave Bittner.

Thanks for listening.
