Everyday Heroes: The story of Talos' Ukraine task unit


The story of Talos’ Ukraine Task Unit

JJ Cummings, National Security Principal
It's been a long and interesting road. We went to Ukraine roughly seven years ago.
Right after the Black Energy attacks, we reached out to the sales team there and said that we'd like to come over and establish some partnerships, and figure out ways that we could help in that region.

We've built relationships and partnerships with various government agencies and individuals in Ukraine, and hired Ukraine researchers, as well.

This did not start for us in February. In terms of contingency planning for our employees, we began in late November.

It was a really emotional time. Not only have we spent seven years in Ukraine, but I had employees that I was worried about evacuating, and I had partners that we had worked with who were in harm's way. I had a country that we'd, quite frankly, fallen in love with, too, which was not ever going to be the same as when we left last time.

One of the first things we did was to extend an offer to government and critical infrastructure in Ukraine. We offered our security software and services free of charge, as well as providing them with dedicated threat hunters.

We were all talking about what we could do, and how could we best help? That’s how we created the Ukraine Task Unit.
There was a supply chain from the Fulton, Maryland Talos offices to Krakow, Poland, and then into Lviv, to get whatever people needed.

What we're looking for in threat hunting is evidence of very targeted attacks against Ukraine.

The task unit is filled with people who can help from a geopolitical perspective, and have insights into why certain actions are being taken. There are also people who look for disinformation campaigns, as well as vital information that can help us best protect Ukraine from cybersecurity attacks.

We have about 45 threat hunters who are dedicated to identifying new behaviors that might be targeting Ukrainian organizations. I believe, right now we are at about 45,000 endpoint deployments, which is representative of 45,000 things that we're protecting.

Ashlee
We got the nod from the Ukrainian authorities to be much more aggressive in terms of our blocking. We were able to do things that you wouldn't normally do in a day-to-day threat hunting environment.
There's no typical day in the threat hunting unit. But we often start with analyzing samples. Sometimes we'll conduct some advanced reverse engineering to tear the samples apart and understand their real origins and capabilities.
The adversaries behind these attacks always look to conceal their actions. So our hunt team comes in and looks for evidence of attackers’ fingerprints. We look for signs of adversaries infiltrating systems, in order to carry out a targeted attack.

We also created an automated early warning indicator system. We built this system to specifically monitor critical infrastructure in Ukraine.

This system flags highly suspicious activity for further task unit review and analysis. This helps to reduce screen-time for our analysts and helps to keep them fresh and aggressive.

It's really been interesting in terms of leveraging skill sets outside of traditional hunting. You don't necessarily need to have a traditional hunting background to be successful as a threat hunter, which has been a really nice thing to see.
The technology can do anything we ask it to do. And it's fully capable. We're just asking it to do new and different things. It’s the people that make the difference. I'm enormously thankful to the people of Cisco. For everything.
