This blog is part of our series that focuses on the people behind Corporate Social Responsibility (CSR) at Cisco. Each blog highlights a different Cisco employee whose work makes a positive impact on people, communities, or the planet.
Cisco understands that the risks inherent in digital transformation must be constantly managed. As the war continues in Ukraine, Cisco is applying its core competency in security and privacy to the situation. Cisco Talos Intelligence Group is one of the largest commercial threat intelligence teams globally, comprised of world-class researchers, analysts, and engineers. The Cisco Talos team uses the latest technology, an employee base that wants to go above and beyond to protect people’s information, and our partner ecosystem to respond to cyberattacks threatening lives and livelihoods in that region.
Want to meet one of the employees leading these efforts at Cisco? JJ Cummings has worked actively in the security and intelligence community for over two decades. His expertise ranges from counterterrorism to threat intelligence and incident response. JJ always had a keen interest in working with computers and data, and he knew he wanted a career where he could help other people.
Today, JJ leads a group within the Cisco Talos Threat Intelligence & Interdiction team tasked with nation-state, critical infrastructure, law enforcement, and intelligence-based concerns. I sat down with him to learn more about what his team is doing to help people in Ukraine.
Can you tell us more about the Cisco Talos Threat Intelligence & Interdiction team?
JJ: We work with partners globally to share information back and forth for intelligence purposes.
In this context, the definition of ‘intelligence’ is an understanding of our adversaries. We try to understand what we believe they’re going to do next, whether they’re involved in an active campaign, or whether we’ve identified the beginning stages of what we think will become a more extensive campaign.
This is where the interdiction piece comes in. We want to stop them as quickly as we can. We work with various nation-state entities, from top-level government and military to intelligence and law enforcement organizations. We also work directly with key Cisco customers who have the resources and ability to participate in these efforts. Depending on the nature of the threat, if we want to affect a large-scale interdiction, we want to talk to as many people as we can to help stop the threat actor.
While we’re making this electronic response, we also like to involve law enforcement and others to make a bigger impression. Ideally, once we’ve gotten to this stage, we have identified players who might be involved. When we work with law enforcement, we pass that information over to them. Ideally, we’re stopping the threat electronically, and the law enforcement agencies can go down a legal path that may involve seizing assets, creating indictments, and making arrests.
I lead one of the teams within Threat Intelligence & Interdiction. We are tasked explicitly with nation-state security and intelligence matters, which means we are heavily involved in the ongoing Russia Ukraine war.
Cybersecurity is an invisible force behind protecting lives and livelihoods in various ways. Can you explain what this type of impact looks like in Ukraine?
JJ: We are actively defending critical infrastructure and key resource organizations in Ukraine, like Service Provider customers. They are getting these tools for free; they’re getting our time for free because it’s the right thing to do. For example, we can stop disruptive and destructive attacks which could result in power outages by identifying early adversary behavior and stopping it.
Maybe we are keeping the power on in hospitals where patients are being treated for critical care, whether from the battlefield or a standard medical emergency. Keeping the power on assists with other urgent needs, like people staying in touch with the rest of the world to get their message out so we can understand what is happening. There is a lot involved in critical infrastructure, and if something goes down, it has the risk and potential for loss of life and significant degradation of life. It is something to be concerned about, and it is something we take very seriously, which is why we’re working so aggressively to help defend this infrastructure alongside Ukrainians.
Cisco Talos has taken the extraordinary step of directly operating security products 24/7 for critical customers in Ukraine. Can you tell me more about how we are supporting our partners there?
JJ: This is an unprecedented time for us. Products like Cisco Secure Endpoint, are always operating, what’s extraordinary is that we at Talos are the ones operating them in this case, alongside customer security teams. We are currently deploying threat hunters within critical networks inside Ukraine. These threat hunters are using the corpus of Talos intelligence to identify the first indications of threats and block attackers broadly to protect the critical systems and infrastructure in Ukraine. Some adversaries like to do certain things using specific tools or targeting a given industry, and we look for those patterns globally.
For customers who fall under critical infrastructure and key resources for Ukraine, we are actively hunting in their Secure Endpoint consoles. We have different groups of individuals separated into various teams. Each has access to a set of different customer consoles and is actively hunting and monitoring those consoles.
We’ve got nine teams actively hunting through these console telemetries, some of which certainly also include Cisco Umbrella, a security software. We’ve got several customers set up with Umbrella, and they’re all set up with Secure Endpoint. We’re making sure that policies are optimized, so we’re working with our deployment experts. My team does not consist of product experts; we’re just good at knowing what the bad guys do and how they do it. We’ve got disciplines from across Cisco Talos and Cisco that are helping us.
Over 660 Cisco employees from a variety of backgrounds and skillsets are helping your team as well. Do you mind sharing more about what contributions they made in Ukraine?
JJ: We established several different efforts at the onset of this war. One is open-source intelligence (OSINT). When Cisco employees browse the web, watch the news, and talk to people in various chats, they may come across something they believe is of interest to us. They can gather that information and provide a link to a tweet, telegram channel, or news article in our OSINT room for Cisco employees. What’s great is that any employee can get involved.
People are posting information, we are recording all the information they post, and it is being reviewed by other analysts on the back end to distill out the really important bits of information. We want to understand what type of contextual enrichment it might provide when it comes to our knowledge about the cyber or kinetic battlefront at this time.
We also have spun off different rooms that are more focused on specialization. We have key adversaries that are believed to be or confirmed to be from specific regions. So, we have people taking everything happening in those languages and providing updates across the board. I have seen people with intelligence backgrounds in this big channel, people with accounting backgrounds, and even astrophysicists. What’s remarkable is seeing everybody pull together. It’s an amazing and humbling thing to see.
Want to know more about Cisco’s intelligence efforts? Learn more about Cisco Talos.