The story of Talos’ Ukraine Task Unit
JJ Cummings, National Security Principal
It's been a long and interesting road. We went to Ukraine roughly seven years ago.
Matt Olney, Director of Threat Intelligence and Interdiction
Right after the Black Energy attacks, we reached out to the sales team there and said that we'd like to come over and establish some partnerships, and figure out ways that we could help in that region.
We've built relationships and partnerships with various government agencies and individuals in Ukraine, and hired Ukraine researchers, as well.
This did not start for us in February. In terms of contingency planning for our employees, we began in late November.
It was a really emotional time. Not only have we spent seven years in Ukraine, but I had employees that I was worried about evacuating, and I had partners that we had worked with who were in harm's way. I had a country that we'd, quite frankly, fallen in love with, too, which was not ever going to be the same as when we left last time.
One of the first things we did was to extend an offer to government and critical infrastructure in Ukraine. We offered our security software and services free of charge, as well as providing them with dedicated threat hunters.
We were all talking about what we could do, and how could we best help? That’s how we created the Ukraine Task Unit.
There was a supply chain from the Fulton, Maryland Talos offices to Krakow, Poland, and then into Lviv, to get whatever people needed.
What we're looking for in threat hunting is evidence of very targeted attacks against Ukraine.
The task unit is filled with people who can help from a geopolitical perspective, and have insights into why certain actions are being taken. There are also people who look for disinformation campaigns, as well as vital information that can help us best protect Ukraine from cybersecurity attacks.
Ashlee Benge, Lead, Data Unification and Strategic Intelligence
We have about 45 threat hunters who are dedicated to identifying new behaviors that might be targeting Ukrainian organizations. I believe, right now we are at about 45,000 endpoint deployments, which is representative of 45,000 things that we're protecting.
We got the nod from the Ukrainian authorities to be much more aggressive in terms of our blocking. We were able to do things that you wouldn’t normally do in a day-to-day threat hunting environment.
There’s no typical day in the threat hunting unit. But we often start with analyzing samples. Sometimes we’ll conduct some advanced reverse engineering to tear the samples apart and understand their real origins and capabilities.
The adversaries behind these attacks always look to conceal their actions. So our hunt team comes in and looks for evidence of attackers’ fingerprints. We look for signs of adversaries infiltrating systems, in order to carry out a targeted attack.
We also created an automated early warning indicator system. We built this system to specifically monitor critical infrastructure in Ukraine.
This system flags highly suspicious activity for further task unit review and analysis. This helps to reduce screen-time for our analysts and helps to keep them fresh and aggressive.
It's really been interesting in terms of leveraging skill sets outside of traditional hunting. You don't necessarily need to have a traditional hunting background to be successful as a threat hunter, which has been a really nice thing to see.
The technology can do anything we ask it to do. And it's fully capable. We're just asking it to do new and different things. It’s the people that make the difference. I'm enormously thankful to the people of Cisco. For everything.