The Value in Sharing Your Experience With the World

December 30, 2019 • Monica Todros

Joining us this week is Espen Johansen, product security director at Visma, an information technology and services company headquartered in Oslo. He shares insights on the types of attacks he sees targeting organizations like Visma, as well as the lessons learned from a nation-state attack that Visma experienced in August 2018. He’ll give us his take on threat intelligence, as well as advice for organizations just beginning their own threat intelligence journeys.

We sat down with Espen Johansen at Recorded Future’s RFUN: Predict 2019 conference in Washington, D.C.

This podcast was produced in partnership with the CyberWire.

For those of you who’d prefer to read, here’s the transcript:

This is Recorded Future, inside threat intelligence for cybersecurity.

Dave Bittner:

Hello everyone, and welcome to episode 139 of the Recorded Future podcast. I’m Dave Bittner from the CyberWire.

Joining us this week is Espen Johansen, operations and security manager at Visma, an information technology and services company headquartered in Oslo. He shares insights on the types of attacks he sees targeting organizations like Visma, and the lessons learned from a nation-state attack Visma experienced in August 2018. He’ll give us his take on threat intelligence, as well as advice for organizations just beginning their own threat intelligence journey.

We sat down with Espen Johansen at Recorded Future’s 2019 RFUN: Predict conference in Washington, D.C. Stay with us.

Espen Johansen:

I started off, I guess, with this profession when I was quite young. I’ve always been interested in breaking into stuff and hacking, but I worked for 13 years in the armed forces first. Specialized in normal line management and also strategies and tactics and all that normal stuff. I was always into this hacking domain since I was a kid and trying to just learn along the way. Then I moved out of defense, moved into security in the private enterprise around 2000. I’ve been there now for 19 years in various security positions both inside and outside of Norway. So it’s kind of a passion for me, this stuff. I’ve been like this for my whole life.

Dave Bittner:

You and I are right around the same age, so we probably came up … Were you in that original 8-bit computer period, the Apple IIs and the TRS-80s, or did you come in later?

Espen Johansen:

I would say the ZX-81 Sinclair ones —

Dave Bittner:

Sure —

Espen Johansen:

The early days.

Dave Bittner:

Yeah, it was amazing that they did anything at all back then, wasn’t it?

Espen Johansen:

Yeah, it’s weird stuff. I was more interested in other things back then when I was younger. So I was not really geeky until I got older.

Dave Bittner:

Well, give us an overview of the kinds of things that you encounter day to day with your work at Visma.

Espen Johansen:

So my primary job is to lead the AppSec program that we do have at Visma. It’s a global program, and the primary job is just to supply the developers that we have, it’s about 5,000 of them, with good tools, methods, and help them stand. If they’re under attack, it’s my job to defend together with them, to assist them in becoming good and self-reliant. So we have this strong urge or this strong drive towards agile. So all the teams are supposed to be self-managed, and we have to help them in becoming self-managed and making good decisions, kind of like raising a child.

Dave Bittner:

That’s an interesting way to put it. Well, as an international organization, what are some of the specific challenges you face there with people coming at you from all over the world?

Espen Johansen:

So we would see all kinds of nation-states, all kinds of cybercriminals doing all kinds of cyber nasty all the time. It’s a normal day at the office.

Dave Bittner:

What do you think motivates them, the nation-state actors? What are the types of things that they’re targeting you for?

Espen Johansen:

It’s difficult to say because you can’t really get them to tell you what they’re after, so you have to analyze and figure out what they most likely are after. So it is tricky most of the time to actually know exactly what they’re after. But you can deduce some of it from the evidence that you’re presented with when they do actually attack you. So then you can analyze and try to figure out what was their original plan, and then compare that to other campaigns that they’ve done, the same actor in the past, or in the future also.

Dave Bittner:

You all experienced an attack back in August of 2018?

Espen Johansen:

Yeah.

Dave Bittner:

Can you walk us through what was that like? What happened and what sort of lessons did you learn from that?

Espen Johansen:

Now I’m going to give a quite long presentation on that later today, but I can give you a short version of that. The attack started about seven days before they hit us. They spawned a command and control domain and that command and control domain was then used later on.

Seven days after the spawning, before this they had harvested some credentials, through phishing, loads of phishing globally and some places not quite far from us, so on private domains of employees and stuff. And then what appears to be a credential stuffing attack, gained access to an old Citrix server, escalated their privileges, moved laterally and were able to steal the Active Directory hive from that and exfiltrated that, and we were able to discover it at the moment of exfil.

So we were able to do the normal blue team stuff, basically changing the passwords and heightening all the sensors, preparing them for the second wave because this was obviously not the actual purpose of the attack, what was the next phase, preparing for that and were able to stop that.

We saw they tried to log on with their stolen credentials about seven days later. In that sense, based on the fact that we discovered it quite early and we had good help from good bounty hunters out there, we could close the door from them quite early. So we’re also telling the story widely. We chose to go public with it, but you don’t attack us without punishment. We don’t take this as a kind gesture when people attack. So we are hell bent on figuring out who did this and why. So we always find out who it is and then we choose to share the stories. That is our default.

Dave Bittner:

When you were expecting that they were going to come back, when you say they attempted to log on, at that point I suppose they didn’t know that you knew.

Espen Johansen:

No.

Dave Bittner:

So what sort of preparations had you been doing? What sort of traps had you laid for them for when this inevitability came to pass?

Espen Johansen:

I don’t think I can comment too much on that. That’s internal stuff. But this is what we’d need to do when you’re on the blue team because you know that when you’re in the firing line, when you’re getting hit by someone, you know that you’re on your own. There are no police forces that come riding in and put up a barricade around you, so you have to defend yourself. So that’s why you have to have multiple layers of defenses and you have to be prepared for all kinds of cases. And some of that is basically raising the awareness of the end users, making them aware of what they need to do in case of emergency, and to be able to basically change passwords of all users in an enterprise is something that you have to do sometimes. So when you change 10,000 passwords in a day, that’s a tremendous effort, isn’t it? It takes a while. You have to do that coordinated centrally and all that stuff. So it’s an impressive feat of the ones that do the blue team work on our side.

Dave Bittner:

And your conclusion is that this is most likely from Chinese threat actors?

Espen Johansen:

Yeah, we got that advice from Recorded Future. We contracted that attribution task out and we were very happy with the work they’ve done. It’s been an epic effort from them and I don’t know if they want to be named, but some of them have been named. So the work they’ve done is outstanding and I’m quite happy to say that they wanted to go public and it’s also something we supported, because of course if you ask some mysterious agency somewhere who did this, you can get the answers from them also, but they are cowards. They don’t speak their own mind in public. You need someone else that can voice their opinion publicly and can go out into the public and get scrutinized for it. That is one of the charming sides of Recorded Future. They have the balls to actually go out there and state their own mind, state their own opinion.

Dave Bittner:

For organizations that are trying to decide if they want to go public with information like this, what sort of advice do you have for them as they’re weighing that decision?

Espen Johansen:

I would advise them to do it. One of the reasons why I choose to go public with this, and it’s also why I’m backed by the corporate on this, is that we’re not the ones who should own the shame in this one. It is the attacker who owns the shame. So we have to be able to pinpoint who did this and ask them to accept the fact that they have been doing the wrong things. It’s not us, we are just defending ourselves. In other ways around it’s a demand of transparency from all of our teams now. For all the time I’ve been at Visma, transparency is something that is fundamentally anchored in everything we do. If you look at the other side around, the evidence is out there anyhow, so lots of other targets were hit by the same actor about the same time, and some of them have chosen not to speak.

They are now faced with having to answer questions from their clients. “So why did you not speak about this?” This is a compelling argument also. So if you go out in public, I would like to commend or give kudos to the Norwegian Hydro, which also suffered a massive attack and they lost lots of money in their attack, but they chose to be transparent from day one. They shared the entire story. So I think it’s only when you share your stories that people can learn.

Another reason for why I’m sharing this is that the report from Recorded Future contains IOCs, indicators of compromise that other people can read and they can read the methodologies. They can actually learn how this actor works in detail and then prepare their own defenses. I think that if you don’t share these stories, you’re depriving the public of the ability to defend itself.

So you have to share it. I think you should feel compelled to share. If you’re told not to share, you have to ask why. Why should we not share this? Are we embarrassed? Are we embarrassed because we were breached? So why should we be embarrassed about that? It’s nothing to be embarrassed about.

Dave Bittner:

When you’re in the midst of incident response when this has happened and everyone’s emotions are running high, can you give us some insights as to what it’s like when you’re in the middle of that situation?

Espen Johansen:

Yeah, I think we have a name for it. We call it a fog of war because you don’t know. It’s impossible to make decisions when you don’t have enough intelligence to give you guidance. You’re basically falling back on your own drills. So if you have trained a lot, if you’re good at this stuff, then you know what to do. You do the normal security, you secure evidence and you do all the normal stuff and you have to wait until you have sufficient intelligence to be able to make a qualified decision.

So the fog of war is a terrible place to be for some, I love it myself. It’s the place where you try to figure out what’s happening. You try to connect the dots. So you need good basic training and know how to deal with the uncertainty of things. And also on the inside of such an event you have persons whose credentials have been stolen and they have been mimicked, so their identity has been stolen. So the trust that you then … You lose some kind of … The perception of a reality that’s made of cotton candy in that kind of event.

So I had lots of talks with the ones whose identities were stolen, and some of them were experiencing post-traumatic stress after this. So do they feel safe, do they feel secure? And these are some of the stressful effects you can feel on a human level in this. But if you’re not equipped to handle this fog of war in your organization, you just have to practice, do all kinds of activities to practice for how to make decisions without proper decision making intelligence available.

Dave Bittner:

A lot of organizations have trouble seeing the value in that, of investing in that kind of simulation, that kind of practice. But it seems as though it’s money well spent.

Espen Johansen:

Oh yeah. A good breach fixes that problem. So if you have a good breach, you tend to realize that you have to spend money like that.

Dave Bittner:

Right. Well, let’s talk a little bit about your own threat intelligence teams and how threat intelligence works into your own organization. How do you use it and the value that you find from it?

Espen Johansen:

So threat intel basically started just by trying to figure out from our own logs. We tried to start this entire process with just asking ourselves some simple questions. So one of the questions was how many attacks have you had against your servers in the last 30 days? It’s a very simple question, bloody difficult to answer, but it’s a very simple question. And that inspired some of the teams, well, most of the teams, to start reviewing their logs. Basic stuff. And the second question is how did these attacks differ from the month before? When making people aware of seeing changes in behavior from the attacking side, so that led us to do the natural succession, which is the third question. Who did this and why?

So when you have these three questions answered, then threat intelligence is the natural answer because the teams themselves are autonomous. They’re supposed to be self-managed, so they need detailed threat intelligence. They need understanding of the threats that affect them. So in that sense, our threat intelligence work is primarily focused on translating the threat intelligence from actors like Recorded Future, into a context that is actionable in the teams. The teams in my sense are the 300 plus development teams that we do have. So they need to get that information into their own context so they can act on it. And that is, I believe, the art of this threat intelligence discipline. To have all these attribution tables available for us makes it easier to create translation in context.

Dave Bittner:

And is that a matter of making sure that the right bit of actionable intelligence gets put in front of the right person within the organization, that those conduits are open and flowing?

Espen Johansen:

Oh yes, highly important. We have to have a basic respect for the craftsmanship required to gather intelligence, and Recorded Future has proven that they have that craftsmanship. When you take that intelligence and you translate into the context of, for instance a team that builds an ERP system for plumbers, so you have to understand the context of that ERP development team. That is basically my job and the threat intel teams in our place.

So how do we translate it? What do they really need to know and when do they need to know it? So if we spam them with loads and loads of information, it’s not actionable anymore. It’s just overload. So how do you present information in the right way at the right time to the right person? That I believe is the insider art that needs to be mastered in most companies. It takes a while to grow that maturity, but it’s really worth it.

I think the big learning from this entire incident is that when you can present the management team or directors with the conclusion that okay, this was done by this threat actor, that gives them an array of options. So what do you do with that information? So the alternative is that something happened, we have no idea who did it but this happened, at least that’s all we know. So you can’t do anything. The only thing you can do then is invest more in security. But if you have some secure attribution to some kind of actor, then you have a choice. So in this case it was a nation-state and Recorded Future was kind enough to point in the direction of China. That meant the only cure for that is to go public. Send a clear message that we do not accept this kind of behavior, and we will always go public with these things.

Dave Bittner:

I have heard from some security researchers who take the approach that attribution isn’t really that important. It’s secondary, that as long as we know the indicators and those sorts of things, that attribution is for nation-states by nation-states, but that for private organizations it’s not so important. But what I’m hearing from you is that it matters. It’s part of how you craft your next round of defenses, if you will.

Espen Johansen:

I would say it’s not unimportant, it is imperative. It’s critical. So if you compare the nation-state dilemma with a normal criminal dilemma, so a criminal attack, it’s even simpler to the attribution in that context. So if you have a normal, let’s say a fraud situation, let’s just imagine the unfathomable, that Dave becomes a fraudster and he wants to use one of my systems to send lots of fraudulent invoices to people. So the knowledge, if I were to present that knowledge to the board of directors that Dave is the guy who did this, that gives them options.

Dave is easy to deal with because we know where you live. So we send a police officer to your door and the police are hyper efficient when you can give them that information, and then we can remove a threat. So you might be a repeat offender. So if you remove the criminals from the streets by using the trait of attribution, you reduce the problem. Of course, new Dave will come along and then we have to do the same thing again. But it’s just normal crime. You remove one criminal at a time.

So attribution is a very powerful tool and it gives you options. So without attribution you have no idea who did this, and that means that the only thing you can do is invest more in the next magic box or the next magic model, or the next magic algorithm or whatever is popular these days. So it becomes an everlasting spiral. So you have to send some messages from time to time to both criminals and nation-states, I guess.

Dave Bittner:

What is your advice for organizations that are starting their own journey with threat intelligence, who have reached that level of maturity where they know they want to make it a part of what they do? What sort of tips do you have for them to get started?

Espen Johansen:

A basic tip is just do it, because intelligence is not that difficult. Call an adult, find someone else that does it from before and figure out how they do it. We are freely sharing everything we do. We have transparency as a card carrying principle for everything. So we are willing to share with anyone who wants to listen, how we do threat intelligence and how we basically model this, and I’m sure many others do the same things. So for me, threat intelligence is a completely natural thing to do. You have to understand your threats, you have to analyze them and discuss.

So is it really nation-states who are your primary threat for that kind of application, or is it the cybercriminals who are the actual threat actors out there? And so are you afraid of DDoS attacks? We’ll land behind CloudFlare or something. That’s typical advice. If it’s nation-states, then prepare your press corps so you need to be able to go public if they strike you, and some of them are more sneaky than others. So you can see all nation-states anyhow doing this. This case it was China, it could have been anyone, but we’ll do the same with any nation-state that does it regardless of where they come from.

The report from Recorded Future is now being used as partially curriculum in some universities. What I really hope is that the publication of this means that many others will review it and read it and maybe have comments and disagree. So for me, the optimal result is that some really, really smart scientist someday finds something wrong with it, and maybe can give us a different attribution. All we want to know is who did this, and we have shared the entire reasoning behind this.

All details are shared and if people read it and have another opinion, please share it. Come publicly and discuss. We’re just happy about this because we want people to at least understand how this one actor works and hopefully someone else will tell their stories about other actors and how they work. We have the same enemies, everybody here. Nation-states shouldn’t be attacking corporates. It’s just rude. Go attack each other instead. Pick someone your own size.

Dave Bittner:

Our thanks to Espen Johansen for joining us. We sat down at Recorded Future’s 2019 RFUN: Predict conference in Washington, D.C.

Don’t forget to sign up for the Recorded Future Cyber Daily email, where every day you’ll receive the top results for trending technical indicators that are crossing the web, cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses, and much more. You can find that at recordedfuture.com/intel.

We hope you’ve enjoyed the show and that you’ll subscribe and help spread the word among your colleagues and online. The Recorded Future podcast production team includes Coordinating Producer Monica Todros, Executive Producer Greg Barrette. The show is produced by the CyberWire, with Editor John Petrik, Executive Producer Peter Kilpe, and I’m Dave Bittner.

Thanks for listening.
