A Journalist’s Perspective on Global Cyber Threats

February 3, 2020 • Monica Todros

Hakan Tanriverdi is a journalist covering cybersecurity for Germany’s public broadcasting network. In our conversation this week, we discuss the challenges of reporting on a highly technical subject area, making your stories accessible to the general public, and having the courage to ask the obvious questions. We’ll get his insights on being a good consumer of news, as well as his thoughts on where journalism is headed.

This podcast was produced in partnership with the CyberWire.

For those of you who’d prefer to read, here’s the transcript:

This is Recorded Future, inside threat intelligence for cybersecurity.

Dave Bittner:

Hello everyone and welcome to episode 144 of the Recorded Future podcast. I’m Dave Bittner from the CyberWire.

Hakan Tanriverdi is a journalist covering cybersecurity for Germany’s public broadcasting network. In our conversation this week, we discuss the challenges of reporting on a highly technical subject area, making your stories accessible to the general public, and having the courage to ask the obvious questions. We’ll get his insights on being a good consumer of news, as well as his thoughts on where journalism is headed. Stay with us.

Hakan Tanriverdi:

I started working after finishing J-School at Süddeutsche Zeitung, which you might know as the newspaper that later broke the Panama Papers. I worked online for them covering mainly digital-based news, meaning platforms, Facebook, Snapchat, how they do that stuff, and I always had a certain interest in IT security, but that was always … I don’t have a background in information science so it was like, sounds interesting but sounds hard also. But then at one point I switched and said whatever, I’m just going to dive in and see where this journey is going to end. And then I kept specializing and nowadays I mostly write about APT stuff or cybercrime in general.

Dave Bittner:

Can you give us some insights on what that learning curve was like? What was it like for you to get up to speed on that specific topic?

Hakan Tanriverdi:

I noticed that I kept asking the same questions. So when a breach would happen I would go and ask, how did it happen? How can you be sure that the attackers moved from this point to that point? And so on. And I kept asking the same questions over and over again. And doing this for some years, you somewhat start to understand a little bit better how the stuff works, but at the end of the day, it’s just so technical and even if someone will tell you, okay, this is how they did it and this is, I don’t know, they use the routine in the DLL, DLL hijacking or something like that, I couldn’t quite picture it.

So at one point, this is two years ago, or one and a half years ago, by now, I said I’m going to start learning programming, and I went, I attended Columbia. They have a bootcamp thing where I went for four months and I learned a little bit of Python and so on. And since I did that, I flatter myself by thinking I understand it a little bit better, if that makes sense.

Dave Bittner:

Yeah, absolutely. I think that’s really interesting. Do you feel as though you have a better perspective, a more informed insight on things since you took those programming courses?

Hakan Tanriverdi:

Oh, definitely. It starts with simple things like understanding how a SQL database works and then you immediately understand why an SQL injection would be something a hacker might try as a first step. Since I do have to work with some kind of APIs and so on, I understand the concept of passive DNS a little bit better and I can see how you would use it to try to understand the infrastructure a specific group might have used. So in that sense it did help tremendously for my purposes.

Dave Bittner:

It’s interesting to me because from my own point of view, when I’m interviewing people, I always find it helpful to remind myself that if I don’t understand something, that can be okay. Because if I’m asking a question, it’s likely that someone out there who’s listening or reading something that I’ve written has the same question and is looking for the same understanding.

Hakan Tanriverdi:

That’s precisely the point and I totally get where you’re coming from. And this is something I also did. So because as a journalist, if you’re speaking with highly technical people, they somewhat expect you to not understand everything and start with the basics, which is fine. But if you want to do some more in-depth reporting and you can get the guys you are dealing with more often, you can then just move on to the more technical stuff.

And even then, I’m going to ask all the time, I didn’t understand that, could you please repeat what you said? And so on. But we are talking about deeper with more insights. If that makes sense. So, I do still ask dumb questions. I haven’t stopped with that.

Dave Bittner:

I totally get where you’re coming from there. I do the same thing. I am curious where you think we stand these days in terms of how journalists are interacting with the folks on the technical side of things. Do you think we’re doing a good job of explaining what’s going on?

Hakan Tanriverdi:

So I work for an outlet that is aiming for an absolutely mainstream audience. So we’re talking about 8:00 news being watched by millions of people. And if you want to get that spot, which we try to do every time we release a story, then we absolutely have to try and convey the message as clearly as possible so our first reader, viewer, listener, whatever, is most likely to ask basic questions. And if we get that reaction, this is something we have to deal with. So we do this two or three times and then hopefully it will be understandable enough.

I don’t think that we reach that goal every time, but we try to do it. It also depends on the stuff you’re reporting on. If it’s something like phishing, I would think that most people by now have a certain understanding of what this might be because they get some random emails asking for their passwords or so on.

If you’re talking about lateral movement within company networks, I’m not so sure. So at that point we just would explain it with visuals and stay on that topic until we have the feeling, okay, this might be understandable enough.

Dave Bittner:

What sort of advice do you have for those people who are on the technical side of things when they’re communicating with a journalist? What sort of preparation should they take?

Hakan Tanriverdi:

I would say never assume, is a good rule of thumb. So even if I’m talking with people, I make the observation that the guys I’m talking with, male, female, that they at one point think that I know what they’re talking about, but most of the time I’m somewhat familiar but don’t understand it. And the easiest thing would be to always ask, while you’re explaining it to me, to say, okay, are you able to follow what I’m saying? Am I going too fast with this? Do you need to have more details? And so on.

And yeah, this is something I’ve experienced quite often that somebody would explain something to me and how stuff works and then I’d start with something I should have understood in the very first seconds, but I was too shy or whatever to say that I didn’t understand it until I couldn’t hide it any longer. So then I was like, okay, please can we go back to step one and start right there from there again?

Dave Bittner:

Yeah. I think that’s a really important insight. I think for myself, it took a little while for me to get over that fear of admitting that I didn’t know something and realizing that no, there’s actually strength there to say to someone, please help me understand better. Most people want to be helpful and they want to help you understand.

Hakan Tanriverdi:

Definitely. Also, sometimes people just need to re-explain something. The second time around they have a better understanding of what it is they want to say, so the conversation will open up and people talk more freely and candidly. So that’s also something that might be worth considering, just asking the same question again because it’s not easy to get this stuff right, so why not try a second time? At least that’s what I do.

Dave Bittner:

Do you have any particular types of stories that you’d like to go after? Anything in particular that catches your eye?

Hakan Tanriverdi:

I try to concentrate on stuff where the technical side meets the geopolitical side of things because if something happens, somebody finds a zero day or so on, I read the blog posts and find it interesting and I’m amazed by how they did it.

But generally speaking, I love to write stories that tell how nation states have moved to digital espionage, if you want. They try to achieve their goals not only by human sources or traditional ways of doing this business, but also by hacking into stuff, or by trying to pass on intellectual property and so on.

So I’m really, really interested where these two sides meet. Capable adversaries doing their thing, but for purposes that are more high level, more to the benefit of a nation state. I tend to chase these types of stories. But if it’s a data leak or data breach with millions of patient data, which is a story we did, then I will do that story also. But generally speaking, more APT stuff, that’s what I love doing.

Dave Bittner:

Do you feel as though there’s any area that’s under-reported, things that aren’t getting the attention they deserve?

Hakan Tanriverdi:

Honestly, I do think that. This might be different in the U.S., at least that’s how I see it, but in Germany, I would love to have a more precise discussion about what and how APT attacks really work and why these groups are doing it and for what purposes and what happened after a breach. So most of the time with the general stories, what will happen is you will write, this happened at that date. They noticed the breach, I don’t know, one year after, one year too late, or whatever. But I haven’t read a story, and I haven’t been able to write that story myself, where we could pinpoint and say, okay, this happened in, I don’t know, 2016 and three years later, four years later, we can say, it was for that purpose. Like the F35 I want to say, where there was a hack and later on you could see they built a jet that looks like the other jet. So these types of stories, I would love to see more, but also more details, honestly.

Dave Bittner:

Do you find that the media business is evolving itself that’s making it harder to play that long game? It seems to me like many organizations they’re chasing clicks or after viewers right now. And so it’s harder to have those long-term stories.

Hakan Tanriverdi:

I definitely would say this is something to consider, but also at the same time I do have the feeling that more and more people try to understand what is happening on a technical level. So you have journalists, or people coming into journalism, that have a tech background and they know some, I don’t know, some programming languages and are more adept at what this stuff really means. So I will love to focus on the positive side of things, which is I see more journalists really doing the long form reporting in that sense.

Dave Bittner:

Where do you suppose we’re headed in terms of journalism and covering tech in particular? Do you see many changes on the horizon?

Hakan Tanriverdi:

That’s a tough question, honestly. I don’t have an answer ready off the top of my head because I can see it going in so many ways. What I do have the feeling is that with … So what changed is, but this changed a couple of years ago, is the way people started to look at Facebook. In the U.S. this is obvious after the election and so on. And how platforms were, or were not, used for disinformation and whatnot.

So since that view changed, I have no clear picture of … I wouldn’t see something where I would say, okay, it’s going to move in this direction. Not at this point, at least.

Dave Bittner:

Do you have any thoughts on how the consumers of media can do a better job with their own built in filters? Making sure that they’re not ending up inside of a bubble, to make sure that they’re getting a variety of viewpoints.

Hakan Tanriverdi:

So what I would say is one of the most important things is just always to check the source where something came from. So if it’s a writeup of an article that’s relying on the reporting of another outlet, I would read that story but also read the primary source because sometimes stuff gets reported, not for nefarious reasons, but for various reasons. There are some mistakes when you’re doing the second story and so on, so I would always read the primary source. And if you do that, you can immediately spot if something has sketchy sources or if it’s based in facts, so to speak. This is something I would always advise, or try to do myself.

Dave Bittner:

I’m curious if you have any insights on the use of threat intelligence itself from your point of view, the work you’ve done, do you have any thoughts on how organizations are making use of threat intelligence?

Hakan Tanriverdi:

I can speak to myself by saying that I try to read every report that comes out. So if a company publishes a blog post, I try to read it. I used to read it in the sense to get a better understanding of what actually happened, but nowadays I’m trying to look for those IoCs and then go and try to find more information that I can find, say more passive DNS data, or maybe some stuff that was uploaded to VirusTotal and so on. This is something I try to read and try to do.

What I’ve noticed on the company side, or what people have complained to me about, is that they would call it intelligence that’s not actionable so that you spend time reading stuff but you don’t have that much time, so the stuff you read has to be good. And most often they have problems with applying what they read to what it is they’re doing in their networks, so it didn’t pay off for them in that sense. This is something I hear quite often. Same thing with the false positives in your appliances and so on. I would say these are two things that closely align.

Dave Bittner:

Would you say overall, are you optimistic about the future or when it comes to these threats and the APTs, or are you pessimistic, or somewhere in the middle?

Hakan Tanriverdi:

I try to be optimistic, but if you look at… There’s stuff that’s happening for sure. At least in Germany it is. But also this is if you look at things in a way that will somebody, will a company, be breached, most of the time the answer’s going to be, if it is beneficial to the adversary, then yes, because then they’ll just have more time and more resources. I don’t have a view in the sense whether I’m positive or pessimistic on my outlook on that sense.

Dave Bittner:

Our thanks to Hakan Tanriverdi for joining us.

Don’t forget to sign up for the Recorded Future Cyber Daily email, where every day you’ll receive the top results for trending technical indicators that are crossing the web, cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses, and much more. You can find that at recordedfuture.com/intel.

We hope you’ve enjoyed the show and that you’ll subscribe and help spread the word among your colleagues and online. The Recorded Future podcast production team includes Coordinating Producer Monica Todros, Executive Producer Greg Barrette. The show is produced by the CyberWire, with Editor John Petrik, Executive Producer Peter Kilpe, and I’m Dave Bittner.

Thanks for listening.
