Talos view of Ukraine cyber conflict

A fascinating insight into the cyber conflict in Ukraine: Livestream: Talos update on Ukraine Independence Day – YouTube. It’s an hour long, so here are some sound bites plus my thoughts and conclusions from the video:

  • Stop ticking security boxes by installing tools without understanding their capabilities, where they should be positioned and how to configure them effectively
  • Use threat hunting to identify what the tools are not finding
  • Be prepared to aggressively shut down infrastructure or sections of infrastructure
  • Look for open source intelligence and analyse it for threats e.g. changes in local geopolitics, hacktivist operations, data leaks, VIP protection etc.
  • Cyber security is not a technology problem, it’s a human problem
  • Train up skilled threat hunters and incident responders.
  • Be prepared to work late when hunting and responding, but managers must not forget to sustain morale:
    • Protect against burnout by giving time-back breaks and early finishes to responders when threats are resolved or low
    • Find ways of raising the profile of good work done by team members to executive management etc.
    • Reward and praise successful team members (even if only privately)
    • Automate where you can
    • Take care of your team, time out to talk one-to-one and actively listen, and if required offer counselling
    • It’s too easy for team members to become siloed or, if overloaded, problem-blind. Give time for reflection by offering alternate tasks away from threat hunting and response roles, e.g. training, design work, process improvement etc. This takes a conscious effort from management to enable team members to wall off time and prevent further overload.
  • Biggest impact changes that were made:
    • Learning about the adversaries’ tools, techniques and tactics and making improvements based on these
    • Seek out and co-ordinate information sharing with
      • External partners e.g. government, police, private sector specialists etc.
      • Private-sector co-operation amongst what may be competitor organisations
    • Enable good, actionable cyber threat intelligence by recognising the challenge of processing the huge volume of data when “looking for a needle in a haystack”
      • Where possible use automation to analyse data, identify threats, respond and recover
      • Recognise that automation only goes so far. Managing big data sets requires data analytic and threat analysis skills.
      • Ensure familiarity with the environment so that an understanding of what is normal vs abnormal can be gained.
      • Thin out the fog by prioritising the team to focus on the relevant high-impact events against the crown jewel targets.
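As an added example (not from the Talos livestream or the original post), the script below shows one way to put the last three points into practice: parse a constructed export of daily failed-logon counts, build a per-host baseline of what “normal” looks like over six days, score the hunt day as a z-score against that baseline, and rank the hosts that exceed the threshold by an assumed crown-jewel weight so that the domain controller, not the noisy workstation, comes out on top. The log format, host names, criticality weights and thresholds are all assumptions made for illustration; a flat baseline (zero standard deviation) and hosts with no events on quiet days are handled rather than crashing the hunt.

```python
"""Baseline 'normal vs abnormal' and prioritise findings by crown-jewel weight.

Added example, not from the Talos livestream or the original post. The log
format, host names, criticality weights and thresholds are assumptions.
"""
import re
import statistics
from collections import defaultdict

# Constructed daily aggregates of failed logons, as a SIEM might export them.
# Days 1-6 are the baseline window and day 7 is the period being hunted.
# Hosts with no failures on a given day simply have no line for that day.
SAMPLE_LOG = """\
day=1 host=dc01 failed=2
day=2 host=dc01 failed=2
day=3 host=dc01 failed=2
day=4 host=dc01 failed=2
day=5 host=dc01 failed=2
day=6 host=dc01 failed=2
day=7 host=dc01 failed=20
day=1 host=fileserver failed=1
day=2 host=fileserver failed=3
day=3 host=fileserver failed=2
day=4 host=fileserver failed=2
day=5 host=fileserver failed=1
day=6 host=fileserver failed=3
day=7 host=fileserver failed=2
day=4 host=ws-042 failed=1
day=7 host=ws-042 failed=6
this line is malformed and should be skipped
"""

LINE_RE = re.compile(r"day=(\d+) host=(\S+) failed=(\d+)")

# Assumed criticality weights for crown-jewel assets; everything else is 1.
CROWN_JEWELS = {"dc01": 10, "fileserver": 7}
DEFAULT_WEIGHT = 1
BASELINE_DAYS = range(1, 7)   # days 1..6
HUNT_DAY = 7


def parse_log(text):
    """Return {host: {day: failed_count}}; malformed lines are skipped."""
    counts = defaultdict(dict)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        day, host, failed = int(m[1]), m[2], int(m[3])
        counts[host][day] = counts[host].get(day, 0) + failed
    return counts


def baseline(counts, days=BASELINE_DAYS, sd_floor=1.0):
    """Per-host (mean, stdev) of daily failures over the baseline window.

    Days with no line count as zero. The stdev is floored so that a perfectly
    flat baseline does not make every deviation look infinitely abnormal.
    """
    stats = {}
    for host, per_day in counts.items():
        series = [per_day.get(d, 0) for d in days]
        mean = statistics.fmean(series)
        sd = max(statistics.pstdev(series), sd_floor)
        stats[host] = (mean, sd)
    return stats


def triage(text, hunt_day=HUNT_DAY, z_threshold=3.0):
    """Score the hunt day against each host's baseline.

    Returns [(host, observed, z, priority)] for hosts at or above the z
    threshold, sorted so the highest-priority (crown jewel) findings come
    first. priority = z * criticality weight.
    """
    counts = parse_log(text)
    stats = baseline(counts)
    findings = []
    for host, (mean, sd) in stats.items():
        observed = counts[host].get(hunt_day, 0)
        z = (observed - mean) / sd
        if z < z_threshold:
            continue  # within normal variation: leave it in the haystack
        weight = CROWN_JEWELS.get(host, DEFAULT_WEIGHT)
        findings.append((host, observed, round(z, 2), round(z * weight, 2)))
    findings.sort(key=lambda f: f[3], reverse=True)
    return findings


if __name__ == "__main__":
    for host, observed, z, priority in triage(SAMPLE_LOG):
        print(f"{host:12} failed={observed:3} z={z:6.2f} priority={priority:7.2f}")
```

On the constructed data, dc01 goes from two failed logons a day to twenty and is ranked first because of its weight; ws-042 is also flagged but lands well below it; fileserver's day 7 is inside its own normal range and is not reported at all. In a real hunt the baseline window would be longer and the weights would come from an asset inventory rather than a literal in the script.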