Never Underestimate Threat Actors’ Persistence
October 28, 2019 • Monica Todros
Our guest this week is Jöerg Schauff. He’s a principal consultant at Symantec, focusing on cyber and threat intelligence. He shares his insights on the challenges he sees his clients facing in Germany and how their experiences inform proper defenses internationally.
We’ll discuss the differences between run-of-the-mill thieves and nation-state threat groups, as well as how organizations can best make use of threat intelligence and set themselves up for success.
This podcast was produced in partnership with the CyberWire.
For those of you who’d prefer to read, here’s the transcript:
This is Recorded Future, inside threat intelligence for cybersecurity.
Hello everyone, and welcome to episode 131 of the Recorded Future podcast. I’m Dave Bittner from the CyberWire.
Our guest today is Jöerg Schauff. He’s a principal consultant at Symantec, focusing on cyber and threat intelligence. He shares his insights on the challenges he sees his clients facing in Germany and how their experiences inform proper defenses internationally.
We’ll discuss the differences between run-of-the-mill thieves and nation-state threat groups, and how organizations can best make use of threat intelligence and set themselves up for success. Stay with us.
Basically, I was studying electronics and electrotechnics and electrical engineering. At that time I met an old friend and he said, “Okay, I need help in our lab.” It was a time when MS-DOS was starting. I started to work on electronic measurement equipment for automotive purposes.
During that time I met the first firewall and proxy and all that stuff for security-related things. Sometime later I met a friend from the German security community, from the BFE, and he was asking me, “Oh, we are looking for some people, won’t you join us?”
Then I moved to the German domestic intelligence service, the BFE, and then I was responsible for firewall and proxy and VPN connections to field officers. I did pretty much anything which was somehow cybersecurity-related there: antivirus, incident response, and so on.
After 10 years there I got in contact with the field guys, the real agents that are doing the counter espionage stuff. They were starting to work on electronic attacks, they called it. They were wondering what is a virus? What is email? What does an email look like? What is an email header? I started consulting internally with these guys, and we were quite far away from each other in that office. They said, “Okay, we have to walk a while to get to you and vice versa, then why won’t you change to us and move from the IT department to the counter espionage section?”
That’s when I started my work at the cyber defense. Yeah, finally we were the beginners in that field at that time. We got in contact with all the European partners of the BFE, MI5, for example, the French guys from fringe intelligence services and so on.
They were asking, “Oh, we are really struggling with Chinese attacks. How do you handle this?” We were thinking, “What Chinese attacks?” Then we started to look for things we likely had, but we weren’t aware. Yeah, we set up the cyber defense in Germany at that time.
I did this for more or less six years. I was one of the case officers of the Bundestag incident, where APT28 was on about 30 machines there.
From there you moved on to the private sector?
Yes, finally, I found out that I had the end of my career there in the public service. I was wondering, what should I do? Will I stay here for more than 20 years on the same road? I said, “That’s not enough,” and then I moved from there to Deutsche Bank and became the head of cyber threat intelligence for the EMEA area.
At that time I had a very long multiplication period at the public service, so it took more than six months to leave. In the meantime, Deutsche Bank had changed its strategy again. There was not a real use for me or my team. Then I decided to do it somewhere else at the Allianz Insurance in Munich in the so-called ACDC, the Allianz Cyber Defense Center.
It was a pretty interesting job. Great team, great colleagues. Munich is unbelievably expensive, and it was very far from home from all my friends. I got homesick, and then I moved back and I got a chance to work with Symantec, and I’m now the principal consultant for certain governmental customers. It’s very, very interesting. I’m doing pretty much the same that I did in the public service for other customers now.
Well, I’d love to get your insights, your perspective on what the threat landscape is like in Germany. I think that’s not something those of us here in the States get a view of very often.
Basically, it’s not so much different from my point of view. Germany is one of the big players in the worldwide economy. Everyone or each company that is somehow on the international market is competing with China, with some other countries in the far East. Then these companies or these entities, let’s say our ministry of foreign affairs, for example, or the German military as part of the NATO, or big insurances, or whatever. As long as you are part of the top 10 in your vertical, then you are in the focus of, let’s say the foreign intelligence services, industrial espionage, and so on.
The problem is, I had some discussions with some people from the German automotive sector. They say, “Oh, the Chinese guys don’t spy any more on us. If they want to know something, they ask for it or they buy it.” I guess that’s not wrong, but it’s not true.
If you say what’s the task of an intelligence service? The task is gathering strategic and economic information. Of course they can sit with you at a desk and you discuss it and you hand over some papers for example, but they don’t trust you, so if they have the capability to get the information from your PC, from your machines, from your electronic devices, they will.
That’s their task, and if you hand over papers, then you have only a snippet of the whole data. If you can, let’s say rob the whole data of a company, or let’s say of a department of a ministry of foreign affairs for example, then you have the whole mindset. Then you have the discussions, you have the emails, you have the total, at least most of the written communication, which leads to certain decisions. This is what the intelligence services are after. If the German automotive industry thinks that they are no longer in the focus of the espionage from foreign countries, not necessarily only China. There’s, for example, BMW building a plant in Vietnam, and it’s quite likely that the Vietnamese adopt Chinese practices and start buying there too.
Yeah, I suppose it’s not just the successes that they’re after, they want to know where you may have failed, where some of your research may have come up short. I mean, there’s value in that kind of data as well that you wouldn’t necessarily share with the public.
Of course, yeah, that’s true. If you hand over, let’s say just a technical drawing, then you still don’t know how to produce it. You know how it has to look, but you still don’t have a clue how to do it. Then you have to at least ask for more papers or steal it from the PC of the engineers, for example.
If you have a look at the Chinese 10 or 50 year plans, they are somehow condemned for success. They want to be a market leader in nearly every sector, in nearly every vertical in a very short period of time. In Europe or in the United States, it took about, let’s say 120 to 150 years to get where they are now. The Chinese want to catch up, and they don’t have 150 years time. They only have 20 years of time, or 50 years of time. Then they have to take some kind of a shortcut, so they are forced to spy on you.
I want to get your perspective on threat intelligence. Obviously that’s an area that you have a lot of experience with. You were the head of cyber threat intelligence at Deutsche Bank. What is your take when it comes to how organizations approach threat intelligence?
The first thing is that they have to get the idea that they need it. Many companies rely on their antivirus companies or whatever they have there. That’s not enough, because that’s a race between the defenders and the attackers.
Often the attackers win, or it takes a week or a month to integrate new knowledge into your antivirus products. In the meantime, you are still vulnerable. Then you have to become proactive and start your own research. First, do my antivirus products or my anti security products protect me from threat A or threat B? That is something you have to verify. You need the threat intel to get a threat landscape, a threat picture. What is threatening me? What is threatening my vertical? What is threatening my country? Then you have to verify how and what is threatening me.
Then do my products that I have there in my company protect me against these threats? For example, there is Pastebin. Some years ago there was a paste there which listed several hundred or a thousand Chinese command and control domains. Only 10 percent of them were integrated in the defenses of a German aerospace manufacturer. If these guys had their own threat intelligence, they likely would have known about these pastes and been able to integrate this information in their own cybersecurity products, but they hadn’t.
Finally, there was a very severe incident there. The data got exfiltrated to the C2 servers that were named on the Pastebin. At that time, these pastes were already more than a year old. If they had had a threat intelligence, the incident could have very likely been prevented.
That is why you need your own threat intelligence.
Do you think there are some common misconceptions that organizations have when it comes to threat intelligence?
Yeah, most organizations think that an APT is just another form or another variant of cybercrime. Basically the typical cybercriminals are interested in short success. Getting in, get the money, get out, and never come back.
The APTs, the foreign intelligence services, are on a strategic level. That means once you are in the focus, you will stay there forever, likely. Unless they have all the information you got, then they leave you perhaps two or three years alone and they come back. They will come back, that’s the difference.
That brings me back to my talks with the German automotive sector. They think the times of cyber espionage are over, but that will never change. Once you are in the focus of an intelligence service, you will stay there, especially if you are a person of interest, at least because you are a very talented engineer. Then you leave the company that has been in the focus of the intelligence services, then they will follow you to your new company. You are the guy that produces the value for them.
I suppose that’s one of the things that threat intelligence provides you is being able to know the difference between when you have criminals who are just on their way in and looking to get out as quickly as possible, versus someone who’s looking to set up camp and stay awhile.
Yeah, basically cybercriminals are adopting TTPs from intelligence agencies and vice versa. Nowadays we have cybercriminals that wait for a year to get to the final action at their victims. The cybercriminals that have more time than the years before, because they are not any more after your bank account. They are trying to rob the whole bank. That’s the difference to let’s say five years ago. You have these guys from Lazarus Group, for example, that tried to steal $1 billion from the Bank of Bangladesh. These gangs are very, very advanced, so that some people from the cybersecurity scene call them an APT too. The classical APT is usually a state sponsored group.
What sort of things are you hearing from your government clients in terms of the priorities they’re setting, the types of challenges that they face?
They are fighting two wars in the end. They have the same problems with ransomware, with coin mining and all the state-of-the-art cybercriminal activities on one hand. On the other hand, they are in the focus of Chinese or Russian or wherever they are coming from APTs.
It’s hard for them to prioritize because their day-to-day business is fighting with cybercriminals, patching, and so on. They have the same problems that the economy has. They don’t have enough skilled staff, for example. They don’t know how to prioritize their tasks: which system has to be patched in which timeframe, and so on. They are very, very afraid of the political or political espionage. For example, APT28 would likely attack the ministry of foreign affairs or the German military.
Then you have the problem that you have like a supply chain in the economy. You have the same, for example, in the governmental area. That means, for example, the NATO systems are interconnected. Where it might be that your systems have a higher security standard than, for example, cybersecurity systems in Eastern Europe. You are connected, and then RD systems are trustworthy and so on. This is a real problem.
What are your recommendations for organizations that are looking to integrate threat intelligence, who are looking to get started? Where should they begin?
I think they should have a consultant there that helps them to establish their own cyber threat intelligence. They should at first develop the process internally. What do we do with threat intel? That’s another problem. It’s not enough to have an organization that collects intelligence for you. You have somebody who’s consuming it and creates the actions from it, so that’s not so easy. The cybersecurity organization has to step aside and they have to work closely with the threat intel people together. Then it’s not too easy, because the cybersecurity guys are usually too talented to be interested in gathering threat intel. The threat intel people do not necessarily understand cyber and cybersecurity.
I had some meetings with people from the FBI some years ago. This works like you have a liaison officer, basically a field agent who is a very, very good investigator in the real world. These guys usually don’t understand cyber. Then we said, “Okay, we need a cyber guy at the desk.” Then the cyber guy came to the desk. He didn’t understand the investigative part, so you need to have a translator or a person who can understand both worlds.
This is usually the most difficult part of it. The most important thing is that if you are competing on the world market with a Chinese or far East company, then it’s likely that they try to get into your network. Then they never ever will step back. They will attack each day and you cannot underestimate this threat.
Our thanks to Jöerg Schauff from Symantec for joining us.
Don’t forget to sign up for the Recorded Future Cyber Daily email, where every day you’ll receive the top results for trending technical indicators that are crossing the web, cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses, and much more. You can find that at recordedfuture.com/intel.
We hope you’ve enjoyed the show and that you’ll subscribe and help spread the word among your colleagues and online. The Recorded Future podcast production team includes Coordinating Producer Monica Todros, Executive Producer Greg Barrette. The show is produced by the CyberWire, with Editor John Petrik, Executive Producer Peter Kilpe, and I’m Dave Bittner.
Thanks for listening.