Episode 87

Protecting Society and the Role of CERT with Tonu Tammer

EPISODE SUMMARY

Nation-state cybersecurity is the theme in today's episode of 401 Access Denied with Tonu Tammer of CERT-EE, part of the Estonian Information System Authority, and Joe Carson. Over 27,000 cybersecurity reports were submitted to CERT-EE in 2022, and according to Cloudflare, Estonia ranked seventh globally for application-layer denial-of-service attacks in Q2 2022. In this episode, Tonu describes the daily operations of preventing national cybersecurity incidents like ransomware and DDoS attacks at a time when cyberattacks are at an all-time high, and the importance of building resilience and improving cyber skills to protect citizens from malicious actors.


Hello from Cybrary and Delinea, and welcome to the show. If you've been enjoying the Cybrary Podcast or 401 Access Denied, make sure to like, follow, and subscribe so that you don't miss any future episodes. We'd love to hear from you. Join the discussion by leaving us a comment or a review on your platform of choice or emailing us at Podcast@Cybrary.it. From all of us at Cybrary and Delinea, thank you and enjoy the show.

Joseph Carson:

Hello everyone, welcome back to another episode of the 401 Access Denied podcast. I'm Joe Carson, the host of the episode today, and it's a pleasure to be here with you. I'm really excited. We're always looking to bring the latest up-to-date information and also things to help you really get a better understanding of the cybersecurity landscape and what things you can do in order to make the world a safer place. And I have a fantastic guest with me today, somebody I've known for some time now. So welcome to the episode today, welcome Tonu. If you can give the guests a bit of a background on who you are, what you do, and how you got into the industry as well.

Tonu Tammer:

Thanks Joe. So hello everyone. I'm Tonu, I'm director of CERT, which is part of the Estonian National Cybersecurity Center. And what we do, well, that's an interesting question. We try and make our little corner of cyberspace clear of all the malicious things that could come to us, or if something comes from the outside world and targets our citizens and companies, we'll try to defuse it as quickly as possible.

Joseph Carson:

Fantastic. So when was the Estonian CERT established? How long has it been around? Is it something new or has it been around for some time? Can you tell us a bit of background about the Estonian CERT?

Tonu Tammer:

We have been around since 1st of January, 2006, so that's just a year and a little bit before we first got hit in 2007, when I think at the time there were just three people. The number is magnitudes different today, but also what we do has changed quite a bit, and we have been a member of FIRST since 2010, which is the largest sort of framework organization for national security teams, also different product security teams and a number of different regional groups.

Joseph Carson:

Okay. So what are the activities? What does a day in CERT look like for somebody working there? Is it battling cyber threats all day long, or what do the activities look like? What is a day in the life of a CERT employee?

Tonu Tammer:

Well, it's a fantastic question, Joe. We don't actually control what we do during the day. Our agenda is well-defined by our adversaries who decide that they might want to make some money out of Estonian people or use the cyber resources of Estonia.

But jokes aside, most often what we see are different types of phishing that most likely target different citizens with regard to different bank log-ins. And what happens in the background if you fall into the trap is that you actually authorize someone to log into the bank on behalf of yourself; ultimately you are led to authorize a financial payment from your account to the account of the criminals behind it. And what we try to do is, when we understand the dynamics of how criminals work to invest little and make some money back out of that investment, then we'll try and counteract that, meaning that we'll drive up the costs of criminals and reduce the revenues, and ultimately we'll train them out of business if they come to us.

Joseph Carson:

Fantastic. Sounds like it's a big battle on your hands. One of the things I'd like to know, from the Estonian side of things, is what are the most common types of attacks that you deal with? Is it phishing and ransom? Are they the two most predominant? Or are there other types of attacks that you see trending more?

Tonu Tammer:

Well again, reverting back to the business side of cyber criminals, they want to invest little and make a lot in return. So most typically what you would see is phishing, because it's such a cheap attack and it yields possibly a good revenue. There have been on occasion ransomware attacks, but I would not count them as the main type of attack that we deal with every day. Actually, what we deal with far more often these days than ransomware are different DDoS attacks which originate from Russian-minded hacktivist groups in the background.

Joseph Carson:

So more politically motivated than financially in some cases. DDoS attacks can be a bit of both, depending if they're looking at it from a service perspective, but it sounds like there are cyber mercenaries who've got an agenda.

Tonu Tammer:

I mean, ultimately it doesn't really matter. If the service doesn't work for the customers, then it doesn't work and it's our duty to try and help. And even for private companies, not to mention government, if they are under attack, in the best of circumstances we can step in within two minutes and try and help them. So we'll try and sort of populate our toolbox so that we can disrupt as much of the malicious activity as possible with as effective means as possible.

Joseph Carson:

Okay. And I guess attribution, I know, is one of the difficult things in our industry. Where do you find most of these attacks originating from? Is it from countries that are predominantly known for harboring and providing safe havens for cyber criminals, or is it kind of across the board? Do you find some of the criminals are locally in the country, that they're more on the physical side, or is it predominantly across the border?

Tonu Tammer:

Most attacks, when you look at whatever form of attack map, actually originate from northern parts of America or Western Europe. And it's not that Western allies have suddenly decided to declare war on us, but if you look at the internet infrastructure that is located in those countries, then it's so cheap there. Whereas if you want to find a sort of server in Antarctica, most likely you will never do that. And they are heaps expensive in Africa. So criminals, as I said before, are looking for ways to optimize costs, and that's the result of them optimizing costs. It doesn't necessarily mean, though, that they themselves are located there, and many attackers ultimately either end up in different parts of Eastern Europe or in Russia or in different parts of Africa. So just because an attack originated from country X doesn't mean that the attacker is there.

Joseph Carson:

Absolutely. They use a lot of proxies, and to your point, cost is a big factor, and if they find it cheaper to host the services they're attacking with in other countries, they'll absolutely do that. What type of collaboration does the CERT engage in? You mentioned they could be dealing with multiple countries. Is there a lot of collaboration between CERTs? Is there a form of communication or a channel that's open? What's the communication between national CERTs?

Tonu Tammer:

Nationally, it depends on how well our counterparts in different countries can help us. Typically, when we look at malicious activity that targets us, the criminals tend to use legitimate service providers who in general terms look after their good reputation themselves. So all we need to do is the notification that we've detected malicious activity from one of their servers, and they get their act together and remove it. When this doesn't always work, or it doesn't work efficiently, we need to use our colleagues in the respective countries to give their sort of shoulder to get it working.

And of course, last but not least, we know that there are always going to be bulletproofs and countries which take cybersecurity in perhaps a little bit more relaxed way than we do. So since 2020 we've started to increasingly work with the private sector, the private sector which has the possibility to disrupt through some of their security products. So for example, if you have Windows, most likely you have Windows Defender, with Microsoft behind it. If you have some of the firewall vendors like Palo Alto, Cisco, Fortinet, you name it. So we'll try and push as much of the actionable information out towards them with the hope that they bring it on board into their sort of knowledge base, and through their products this sort of gets pushed out towards their customers, and if they are in Estonia we can actually create a sort of positive feedback loop and virtually take something down even before it physically gets taken down.

Joseph Carson:

Okay, fantastic. And one of the things I'm interested in is, for the audience out there that might see a career in CERT, what type of skill sets are you looking for? And what's the training that the CERT employees go through in order to become some of the best defenders in the world, in reverse engineering and so forth? What are the types of skill sets that you need?

Tonu Tammer:

Well, first of all, the positive side is that for us, no day is a boring day, which means that we always get to see something new that most typical companies and the security people working there hopefully never get to see, but we see it much more often. So that's definitely a pro, if you can say it like that. But in terms of training, all we need, at the very least, is just that your eyes are glowing and you want to do cybersecurity, and we can start your career path.

Joseph Carson:

Passion.

Tonu Tammer:

Exactly. We can start your career path.

Joseph Carson:

Passion and excitement, yeah.

Tonu Tammer:

In house, but also if you have sort of computer skills, you are either a network administrator, system administrator, you've worked in security before, this is all beneficial. And most of the stuff that we do actually no product team or company does, because they only look after one entity, whereas we look after all entities, actually the country and then citizens and companies in general. So it's a little bit different, but what motivates people is the fact that they can actually make a meaningful punch towards the bad guys.

Joseph Carson:

Okay. It's always good to get the right skill set and the right mind frame to help us. We always try to get more people interested in defending proactively rather than taking a criminal career. The other thing as well is, do you find it is mostly businesses, or is it individuals, or is it kind of a fine mix between who become victims? So what type of people contact you? Is it people who have been compromised, citizens who've lost financially from it? Or is it businesses who lost services? What's the most common that you would find among the ones that contact you?

Tonu Tammer:

I think the most common type are actually individuals, and they don't necessarily contact us when they've fallen victim, but more and more, because of our raising awareness, they do notify us if they see abnormalities such as getting sent phishing links over text messages. And they do notify us when they spot it. With the help of our activity, these sites get taken down, and if someone who also received it didn't notice or pay attention, then hopefully with our collaboration, and collaboration towards the industry and hosting provider, we can remove the malicious content. So those that didn't notify or notice would not fall victim to the scam either. And the second would be companies, which tend to notify us a little bit more when something malicious has happened.

Joseph Carson:

Okay, so for something suspicious it's more from the citizen side, and when you're actually dealing with a real incident, real cases, it's from the business side. And also, what are some of the things, for example, when it comes down to the awareness that you're doing, how are you providing awareness out there to the citizens? What type of awareness is going around? What's the means of delivering that?

Tonu Tammer:

There are multiple ways we do the delivery. So first of all, every morning we put out a newsletter on what happened over the last 24 hours. And this isn't to point out that Carson notified of this or fell victim to that, but we do notify in quantitative terms on how many different DDoSs we saw targeting which sector, what sort of scams were notified, et cetera, et cetera, so that constituents reading the newsletter and overview can do their own risk assessment based on real evidence of what is actually targeting them to begin with. And we do different quarterly events, we do an annual event targeting the ICT and security community where we try to raise general awareness of different things that do work, things that don't work. It's always good to learn from the mistakes of others and not repeat them. So there are multiple ways that we try and help people to come out of their daily routine and look at the world through our viewpoint.

Joseph Carson:

Yeah, absolutely. And it's not only good to hear about the lessons learned, but also the successes as well. I always like hearing where they've been able to react and what techniques were used to prevent it turning into a much bigger catastrophe. I'm also interested as well: one thing I noticed many years ago, the phishing campaigns that targeted the Estonian language were not very well written. They were very poorly written, unless the attackers maybe hired somebody in languages to do translations for them. And in more recent times I've seen that the attacks using the Estonian language have improved significantly. Are you finding a lot more of the generative AI types of tools and better translators creating much more, let's say, authentic-looking types of phishing scams? Is that something you're seeing as a trend? Because I think that the language for a long time was sufficiently protected because translations were not that easy. What are your findings around the language improvements over recent years?

Tonu Tammer:

Well, the Estonian language isn't totally good, because it's complicated, and also good for passwords because we have so many cases and twists and turns in how the language sort of flows. But the main answer why the language skills of criminals have gone up is simply because Google Translate has improved. And you can probably ask these days, it depends how you ask, ChatGPT might refuse to give you an answer, but if you ask it in a sort of nice way, it might actually give you a good answer. But we also know of a case where criminals actually employed a translator. So they've actually had a proper translator from, I think it was Ukrainian or was it Russian, to Estonian. So a company contacted us afterwards: "Yeah, we need the translation for this." So you can't really avoid any of the techniques these days, and you need to look again from the criminal mindset point of view to try and see, "Okay, I invest a little bit, does it improve my chances of returning more money or not?" Because that's ultimately their driver.

Joseph Carson:

Yeah, because they're running it as a business and they want to have an ROI and so they're going to-

Tonu Tammer:

I've yet to see a billionaire who invested a million and only made in return 10k.

Joseph Carson:

Exactly. The other thing is, how do people contact you? What are the mechanisms? And do all countries' CERTs operate in the same way? So for example, if somebody sees something suspicious or gets a phishing email, what's the way that they report it? Is there a portal that they go to or a contact? What are the mechanisms for reporting cyber crime?

Tonu Tammer:

Great question. So for us, you can reach us through the portal report.cert.ee, you can reach us by phone, you can send an email to cert@cert.ee, and this is the most sort of traditional way anyone can reach any CERT that operates either governmentally or nationally. But also, what we have done to try and reduce the sort of bureaucratic workload is, if you go to our reporting site report.cert.ee, there is the possibility to notify the police immediately, for example, if you fell victim to something, and a similar function exists on the police website, cyberpolice.ee, where they can notify us immediately. And why force someone to put two address lines into Gmail when you can just show your willingness there, and it counts as someone actually notifying both authorities at the same time.

Joseph Carson:

Yeah, absolutely. The quicker response is usually the best response. I find that the longer you leave things, the fewer breadcrumbs, the less evidence you can actually have that will actually allow you to do proper forensics. So the earlier notification, and if you have to deal with both, getting them both involved much earlier, the CERT and law enforcement, is definitely something that will benefit. So are there any types of statistics? I think I remember there's a quarterly report and an annual report that comes out. What types of information have you seen? What's the big trend that you get from the report itself?

Tonu Tammer:

Big trend, if I look at the annual report that came out, I believe it was February, notifications went up by one fifth. Luckily the number of incidents, i.e., events that had a negative impact, didn't quite follow that trend. So it proves that we are able to build resilience and also people are veterans at sort of detecting malicious activities, not falling into traps. And they're also good at notifying us so that we can try and reduce the uptime of malicious activity that targets people falling prey to the scams. So numbers do go up, but the number of incidents I believe increased by less than 10%, while the amount of notifications went up by almost 20% year on year.

Joseph Carson:

That's great. Yeah, that's great to see that people are more willing to, let's say... One of the big things I was asked years ago was during a seminar for parents and law enforcement and teachers, so it was one of those forums, and I was asked the question, "What thing can I do that would leave something that everyone could do, a best practice?" And one of the things that I recommend is never be afraid to ask for help. And I think that's one of the most important things, because a lot of people feel, "I feel embarrassed," or "I feel like I did something wrong," or "It's stupidity," or "I made a mistake," or "I didn't know what I was doing and it's my fault." But I still think it's about giving people the confidence to not be afraid to ask for help. And the more people that report, the more visibility we get. And to your point, you mentioned earlier that we learn from those, we'll learn from the techniques, and the more people that report, the more we can see the trends, the more we see what's important for us to deal with. So I think that's some of the most important things, absolutely.

Tonu Tammer:

Absolutely. So the false sense of shame, that if you've fallen victim then you sort of start to believe, "Okay, no one else talks about it, then why should I talk? I'm the only one that got abused." And actually we see that happening quite a lot, and we see this false sense of shame. And we encourage people, and especially companies, to come out more and to share their experience on why things went wrong, because otherwise it's some government entity saying, "Hey guys, you should do this," and if actually one CEO tells another, "Yeah, this probably wasn't my best decision at the time, try not to repeat that," then I think that has a completely different take than a government agency saying that.

Joseph Carson:

Yes, we just become a facilitator of how they can communicate together, that's all it becomes. For the audience listening in, are there any best practices or tips that you suggest, or resources for people, whether they are citizens or businesses, to become better? What are the resources you would point them to in order to become more resilient?

Tonu Tammer:

We have many tools that each individual and organization can use out of our toolbox. Just go to cert.ee, it'll forward you to the appropriate section in the agency's website. For example, we are the only team that has publicly made available our repository of threat data, in a form that you can't dig into to see what's happening there or what is in there. But through DNS, you can consult it. And if we believe that a site that you want to enter is beyond reasonable doubt malicious, either relating to malware or phishing, because those two are bad by any definition, then our system would actually block you from reaching there.

So it's a great complementary feature for any individual and organization, because every morning when we wake up at 5:00, having not had our two cups of coffee yet, we tend to be a little bit different than in our prime after three cups of coffee, running supercharged at 10:00 AM. So it's likely that things do go wrong, and it's good to have another safety net running behind. And if something gets blocked incorrectly, you always know who to contact and let us know, "Guys, this is the one time you didn't get it right."

Joseph Carson:

Absolutely. Defense in depth is important, and threat intelligence sharing helps us be better at the indicators of compromise; the more we learn the techniques, the best practices, absolutely. Tonu, it's been fantastic having you on the show, and I think it's really educational to give people a little bit of behind the scenes about what a CERT is, what it does and what it covers. And I think for those listening in, hopefully the businesses will be more willing to cooperate and share and work together, because it is a teamwork effort in order to make the world a safer place. And definitely the more people we have playing in the team definitely helps us get there. So any final words of wisdom, anything that you would like to share with the audience before we finish up today's episode?

Tonu Tammer:

Absolutely. It's very simple, actually: if you look at how criminals cooperate, the more we on the defending side build barriers and sort of don't trust one another, we are actually empowering the bad guys. And in order to make a meaningful impact, we need to start talking a lot more, sharing a lot more, not feeling shame, and understanding that we're not out there alone. We are not the only ones who get targeted. And actually, if you're on the internet, you do get targeted.

Joseph Carson:

Absolutely, those are wise words. It's a pleasure having you on, and I'm looking forward to catching up in the near future. And absolutely many thanks for the wise words and the education that we've shared with the audience today.

So for everyone, definitely make sure to tune in every two weeks for the 401 Access Denied podcast. Hopefully this has been educational and exciting. We'll make sure that all the links that we shared in today's episode will be in the show notes, and we look forward to future episodes and hopefully we'll catch up again soon. So thank you everyone, take care and stay safe.