January 17, 2019 • Zane Pokorny
Every Monday, we take you inside the world of cyber threat intelligence with our podcast, produced in partnership with the CyberWire. With a deft hand and dulcet voice, our host Dave Bittner takes us through current events, technical tradecraft, and insightful research, interviewing some of the top minds in the industry.
2018 was a great year for the Recorded Future podcast — we wanted to highlight some of our most popular episodes here, in case you missed them.
In this episode, Staffan Truvé, Recorded Future’s CTO and co-founder, leads a conversation with guest Rolf Rosenvinge, the CEO of RCG – CyberInsights, a Stockholm-based cybersecurity management consulting firm.
The discussion is wide-ranging, covering cybersecurity in the EU, including the effects of GDPR, the evolving relationship between CTOs, CISOs, and boards, and the role of threat intelligence in future security efforts.
Rosenvinge shares insights developed from years of experience, including a short list of key things he thinks about when working with his clients to handle big-picture cyber challenges:
He sees threat intelligence playing an increasingly vital role in security operations, noting its centrality to each of the five key capabilities laid out in NIST’s cybersecurity framework: “Identify, protect, detect, respond, and recover.”
What is cyber risk, and how can we accurately quantify the real risks that face individual organizations? Many security approaches in use today, whether it’s stacked security solutions or vulnerability scoring, lack context and timeliness, making them less useful for organizations trying to prioritize how to use their limited resources.
In this episode, Alexander Schlager, the executive director of security services at Verizon, discusses his belief that organizations need to concentrate on quantifying their cyber risk and using what they learn to evaluate and plan their security programs.
Take some of the solutions offered today. “There is a complete lack of outcome,” Schlager says. “We can quantify operational parameters, such as the time needed for repair, response time, and all of these things. But in the sense of security, like, what your security outcome will be, if we (or any service provider, for that matter) take care of your security posture — there’s no such thing.”
Listen to the episode to see why Verizon invests in reports like the DBIR and the Verizon Risk Report, and hear Schlager’s views on the essential role that threat intelligence plays in providing accurate measurements of cyber risk.
The Internet Storm Center is a program of the SANS Institute that monitors large-scale malicious internet activity, gathering millions of log entries from around the world every day. It’s a free, volunteer-run service that describes itself as “the internet’s early warning system.”
This episode of the podcast features Dr. Johannes Ullrich, who’s responsible for that early warning system. He also hosts the ISC StormCast daily podcast, a daily briefing of cybersecurity news that professionals around the world rely on to stay up to date.
He shares how he got into cybersecurity, the history of SANS, his thoughts on threat intelligence, and what broad trends in the security world he’s worried about.
Regarding privacy, for example, Ullrich worries that there may be no way to put the genie back in the bottle, and some major institutions may have to reconsider how much digital technology they integrate into essential processes — voting, for instance, is probably better off going back to just using paper ballots.
“What we have to learn and get a better handle on is evaluating risk correctly,” he says. “How much risk are we exposing ourselves to, based on what authentication method or what features we allow online? And some things, maybe, should not be done online.”
Two members of Recorded Future’s own research team, the Insikt Group, joined the podcast in this episode to talk about their report, “Chinese Cyberespionage Originating From Tsinghua University Infrastructure.” Winnona DeSombre and Sanil Chohan took us through their research, which tracked new malware targeting the Tibetan community, continuing an ongoing effort by the Chinese state to use cyberespionage to keep tabs on perceived domestic threats. They uncovered a sophisticated new backdoor with some peculiar characteristics, and also concluded that much of this activity originates from servers located at Tsinghua University, a major Chinese research university — “effectively the MIT of China,” according to DeSombre.
The report (which was one of our most popular pieces last year) highlighted a few key characteristics common to Chinese cyber activity — the depth and scale of sophisticated techniques used by the Chinese state against perceived domestic threats like Tibet, their savvy use of cyber activity in support of their economic development goals around the world, and the blurred lines between third-party and state-sponsored actors in the country.
Regarding China’s use of cyber in support of international development projects like its Belt and Road Initiative, Chohan had this to say: “It’s proving to be quite an interesting trend to observe from a cyber threat analyst perspective, because of course, in order for Chinese to make good on their investments, they’re looking for any kind of strategic economic advantage — and the kind of crummy way in which they tend to achieve that is through cyberespionage.”
Researchers from Recorded Future’s Insikt Group have previously analyzed both the U.S. and Chinese national vulnerability databases, examining the speed of publication of cybersecurity vulnerabilities, and how each respective country considers its NVD in the broader context of the national mission of cyber defense and operations.
In this episode, Priscilla Moriuchi, director of strategic threat development at Recorded Future, joined us to share Insikt Group’s research on Russia’s vulnerability database to see how it compares to those of China and the United States.
Insikt Group’s research found that Russia’s vulnerability database is “highly focused,” but also “incomplete, slow, and likely intended to support the control of the Russian state over technology companies and users.” This conclusion was based in part on the fact that the Russian NVD publishes only 10 percent of known vulnerabilities and publishes them months behind China’s and the U.S.’s NVDs, suggesting that it does not really perform a useful security function in terms of providing timely updates to security practitioners.
The organization that runs Russia’s NVD is “military-run,” Moriuchi explains. “Its mission is to protect the information systems of Russia’s government and critical infrastructure … They don’t even pretend to have a public service mission like China does. They publish only vulnerabilities that are used on Russian information systems or in Russian critical infrastructure that they are concerned about protecting.”
We’ve got exciting things planned for the podcast in 2019 as we look to cross over half a million downloads and approach our hundredth episode. You can find the podcast on all your favorite listening platforms — or catch up on all our episodes at our archive, where you’ll also find transcripts of every episode.
Look for new episodes every Monday, and if you’re looking for another easy way to stay informed on cyber threats, try out our Cyber Daily newsletter.
Sign up for it now to get daily top trending results on technical indicators as reported by the web — free and all in one place. We think it’s one of the best ways to start your day.