Experience and expertise determine how effective cybersecurity measures are. Ana Mikhailov is a seasoned professional with over 18 years in threat intelligence and network security, currently Director of Business Development at RST Cloud. Her background in securing networks, threat intelligence and managing complex security challenges has helped safeguard numerous organizations against evolving cyber threats.

This interview offers a deep dive into Ana’s methodologies and firsthand experiences, shedding light on her role in shaping cybersecurity practice. Join us as we explore her journey and insights, with knowledge directly from a leader in the field.
Q1: Given your experience in Cyber Threat Intelligence gap assessments, could you describe a complex threat landscape you once faced and the innovative strategies you employed to mitigate gaps effectively?
Ans: Every organization now faces a complex threat landscape, including sophisticated cyber threats from multiple advanced persistent threat (APT) groups, phishing campaigns, zero-day exploits, ransomware, data exfiltration attempts, and more.
The methods of attackers are constantly evolving, with tactics, techniques, and procedures (TTPs) shifting towards more covert behavior. Tracking trends to prioritize and protect effectively is crucial. Attackers are increasingly targeting small businesses and new industries; practically no one with a digital presence is beyond their interest, whether it’s a bank, industry giant, small farm, or individual entrepreneur.
To effectively counter these threats, it’s important to have broad visibility of the threat landscape by aggregating and analyzing threat data from multiple sources, including open-source intelligence (OSINT), dark web monitoring, and various threat intelligence feeds. Clearly defining Priority Intelligence Requirements (PIRs) enables organizations to prioritize and act upon the most relevant threats, providing focus to the management of threat intelligence.
Organizations should not limit themselves to threats typical for their country or industry but should also understand who is targeting their “neighbors” and how. Attackers can easily pivot to new types of targets, treating their operations like a business where they seek to diversify.
Improving detection rates and raising awareness about attacks are crucial, both for analysts and users. Often, threat analyst teams are isolated, feedback from consumers is poor, and processes lack maturity. Defining measurable and understandable KPIs that cover all stages of the Cyber Threat Intelligence (CTI) lifecycle is important.
Q2: Over your career, you have witnessed the evolution of network security technologies. How do you foresee the integration of AI and machine learning influencing the future of network security frameworks, particularly in areas like NGFW and IPS?
Ans: The integration of AI (Artificial Intelligence) and machine learning is poised, in my opinion, to impact network security frameworks, including Next-Generation Firewalls (NGFW) and Intrusion Prevention Systems (IPS), in several key areas:
Through the evolution of threat detection, behavioral analysis, and anomaly detection mechanisms. Modern NGFW/IPS solutions can leverage AI-driven threat intelligence from both external and internal sources to better analyze network and user traffic patterns. This helps to efficiently detect and respond to threats. By leveraging historical data and trend analysis, AI can predict potential future threats and proactively adjust security measures.
In terms of Firewall Management, traditional rule-based security systems can be complex and hard to manage. AI can optimize rule sets by analyzing network traffic and suggesting rule modifications or efficiently adjusting security policies based on network context, such as peak traffic hours.
As well as for Zero-Day detection, AI/ML models can identify previously unknown threats (and threats for zero-day vulnerabilities) by analyzing behavior patterns and deviations from normal network behavior, thereby performing virtual patching more effectively.
In general, NGFWs and IPS could become more efficient and accurate, resulting in more resilient networks against evolving cyber threats.
Q3: Reflecting on your role in incident response and forensics, can you share a particularly challenging incident you managed? What were the key lessons learned, and how did it influence your approach to future cybersecurity challenges?
Ans: Once, there was an incident at a large oil refinery company related to NotPetya. Systems were shut down en masse, and the paths of lateral movement and the specific malware were not initially clear, while the impact quickly grew and spread. It took about 6-8 hours to fully investigate the cause and vector of the attack. We had to disconnect the facility from the intranet network to stop the spread and contain the incident within one site.
The investigation showed that it was NotPetya. Network and host signatures were prepared to block the spread, and the infected machines were restored from backup. The incident was contained.
I would highlight these crucial aspects of the incident response and forensics process: visibility across infrastructure and well-collected context for Indicators of Compromise (IoCs). Achieving comprehensive visibility across all parts of an organization’s infrastructure is indeed a challenge. It involves monitoring not only all network activity but also host-level events and activities from all internal systems. Having good visibility allows security teams to identify the attack vector, detect the initial compromise, track the lateral movement of attackers within the network, and identify the systems they accessed.
It is also important to have quick access to the context behind detected IoCs. Without context, it’s challenging to assess the severity and impact quickly. Linking incidents to specific threat actors helps track their presence in the infrastructure. Efficient investigation leads to faster response and containment.
Q4: Leading the Network Security Group must have presented unique leadership challenges, especially in such a dynamic field. Can you discuss a situation where you had to align diverse team views towards a common security goal?
Ans: I would mention that there is always some competition in terms of vendor commitment. Despite the overall relative standardization of network security solutions, there are fundamental differences in approaches and views on their architecture among different vendors. Depending on where an expert began their development, slightly different attitudes and perspectives towards the technical aspects of implementing network security are formed, resulting in varying perspectives on priorities and approaches to achieving security objectives.
This often fosters healthy competition within the team, which can be directed towards finding the most effective solution to the problem. However, to achieve this, it is necessary to facilitate collaborative discussions where team members can share their ideas, challenge assumptions, and explore alternative approaches.
Articulating clear security objectives and communicating the rationale behind them to the team, encouraging constructive debate, and allowing for the leverage of the collective intelligence of the team are crucial. And of course, Continuous Learning is key.
Q5: You have led numerous secure network design and implementation projects. Could you walk us through your approach to designing a secure network for a client with high compliance demands, such as those needing GDPR or PCI DSS adherence?
Ans: When designing a secure network for a client with high compliance demands, such as those needing GDPR or PCI DSS compliance, here are some key steps to consider:
Understand the scope of the network and identify systems that need to be protected, and analyze data flows. Implement network segmentation to isolate sensitive data (e.g., cardholder data) from other parts of the network. Proper segmentation reduces the attack surface and simplifies compliance efforts. Consider an adequate approach to micro-segmentation; you should not route internal traffic of high-load systems through a firewall only for the sake of linear separation of segments. This raises both the project cost bar and the business continuity risks. Policies should always be built as adequately as possible, taking into account real risks. Consider incorporating Software-Defined Networking (SDN) principles. SDN allows centralized control of network behavior through programmable software, enhancing flexibility and security.
Restrict access based on job roles and least privilege principles. Implement access controls to limit who can access sensitive data. Use firewalls to protect network boundaries and segment internal networks. Encrypt data during transmission if necessary.
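As an added illustration of the segmentation point above (this is editorial example code, not the interviewee's or RST Cloud's), the script below classifies observed flows against a segment map: east-west traffic inside one segment is left alone, while any flow entering the cardholder data environment (CDE) must match an explicit allow rule. All segment ranges, allow rules and flows are constructed sample data, and the `CDE_ALLOW` rule shape is an assumption for the example.

```python
"""Segmentation policy check for a PCI-style network (added example).

Classifies each flow as intra-segment (no firewall hop needed),
cross-segment into the CDE (must match an explicit allow rule),
cross-segment elsewhere, or unknown (address outside every segment).
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed segment map: name -> network. The CDE is the PCI scope.
SEGMENTS = {
    "cde": ipaddress.ip_network("10.10.0.0/24"),      # cardholder data environment
    "app": ipaddress.ip_network("10.20.0.0/24"),      # high-load application tier
    "corp": ipaddress.ip_network("10.30.0.0/16"),     # office users
    "dmz": ipaddress.ip_network("192.168.1.0/24"),    # internet-facing services
}

# Constructed firewall allow rules for flows entering the CDE:
# (source segment, destination segment, destination TCP port)
CDE_ALLOW = {
    ("app", "cde", 5432),   # app tier may reach the card database
    ("dmz", "cde", 443),    # tokenization API from the DMZ
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


def segment_of(ip: str) -> Optional[str]:
    """Return the segment name containing ip, or None if it is outside all segments."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None


def classify(flow: Flow) -> str:
    """Return one of: 'intra', 'cde-allowed', 'cde-denied', 'cross', 'unknown'."""
    s, d = segment_of(flow.src), segment_of(flow.dst)
    if s is None or d is None:
        return "unknown"
    if s == d:
        # Same segment: east-west traffic, not routed through the firewall
        return "intra"
    if d == "cde":
        return "cde-allowed" if (s, d, flow.dport) in CDE_ALLOW else "cde-denied"
    return "cross"


def audit(flows: List[Flow]) -> Dict[str, List[Flow]]:
    """Group flows by verdict; the 'cde-denied' entries are the findings."""
    report: Dict[str, List[Flow]] = {}
    for f in flows:
        report.setdefault(classify(f), []).append(f)
    return report


# Constructed sample flows, one per verdict class.
SAMPLE_FLOWS = [
    Flow("10.20.0.5", "10.20.0.9", 8080),   # app tier east-west
    Flow("10.20.0.5", "10.10.0.3", 5432),   # app -> card DB, allowed
    Flow("10.30.4.7", "10.10.0.3", 3389),   # office -> CDE RDP, not allowed
    Flow("10.30.4.7", "10.20.0.5", 443),    # office -> app tier
    Flow("8.8.8.8", "10.10.0.3", 443),      # source outside the segment map
]

if __name__ == "__main__":
    for verdict, flows in audit(SAMPLE_FLOWS).items():
        for f in flows:
            print(f"{verdict:12} {f.src} -> {f.dst}:{f.dport}")
```

The point of the `intra` branch is the one made in the answer: traffic that never leaves a segment is not forced through the firewall for the sake of symmetry, while every flow into the PCI scope is checked against an explicit allow list and anything unmatched becomes a finding.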

Q6: With your background in conducting security audits using tools like Tufin and Algosec, what advancements do you believe are most critical for the next generation of security audit tools? How should they adapt to the changing security landscape?
Ans: The next generation of security audit tools must adapt to the evolving security landscape by addressing the expanding attack surface due to the proliferation of Internet of Things (IoT) and Operational Technology (OT) devices, as well as wider integration with cloud environments.
Consider the business context when assessing risks. Next-gen audit tools should leverage advanced threat intelligence feeds to provide real-time insights into emerging threats and vulnerabilities. By integrating with threat intelligence platforms, these tools can proactively identify potential risks and prioritize remediation efforts accordingly.
Understand the impact of vulnerabilities on critical assets and prioritize remediation efforts accordingly. Take into account the real risks of the found vulnerabilities and prioritize them in the context of real-world usage (in-the-wild). This is where threat intelligence comes into play and should be considered as a source of knowledge.
Q7: As a solution architect, you have managed integration projects across various security solutions. Could you describe a project where the integration of disparate technologies (like SIEM, anti-APT, and EDR) presented significant challenges, and how you overcame them?
Ans: One of the most challenging integration projects I managed involved unifying disparate security technologies within a heterogeneous environment. This was particularly challenging due to the organization’s diverse information systems and protection tools of various vendors and versions.
Each system used different formats for logging events and alerts. To address this, we developed custom parsers within the SIEM to handle these diverse log formats. We worked closely with vendors to understand their logging mechanisms and implemented standardized schemas for security events. This ensured that the SIEM could correlate data from all sources effectively.
Additionally, managing and filtering the massive volume of information without losing quality was crucial. We implemented efficient data processing and filtering mechanisms to ensure that critical alerts were not overlooked. This involved optimizing data flows and fine-tuning our SIEM’s data processing capabilities to handle large volumes of data in real-time.
When working with EDR solutions, one of the challenges we encountered related to user interaction. It was essential to create user-friendly processes. Installation processes in a heterogeneous environment were often unpredictable, which posed significant inconveniences. We addressed these issues by meticulous planning, close collaboration with vendors, and a strong focus on user training and support. This project significantly enhanced the organization’s threat detection and response capabilities, ensuring a more secure and resilient security infrastructure.
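The log-normalization problem described in that answer, as an added editorial example rather than code from the project or from any vendor: three constructed log lines in different formats (a syslog-style firewall line, a CEF-style EDR alert, and a JSON sandbox verdict) are handled by per-source parsers that emit one common event schema, and the normalized events are then correlated by source IP within a time window. The formats, field names and product names below are invented for the example; none is real product output.

```python
"""Normalize heterogeneous security logs into one schema and correlate (added example)."""
import json
import re
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Constructed sample lines, one per source. The formats are invented.
SAMPLE_LOGS = [
    "fw <2024-05-01T10:00:05Z> DENY src=10.30.4.7 dst=10.10.0.3 dport=445 proto=tcp",
    "CEF:0|ExampleEDR|Agent|1.0|200|Suspicious LSASS access|8|src=10.30.4.7 shost=WS-017 rt=2024-05-01T10:00:40Z",
    '{"source":"sandbox","ts":"2024-05-01T10:02:10Z","verdict":"malicious","client":"10.30.4.7","file":"invoice.pdf.exe"}',
    "fw <2024-05-01T11:30:00Z> ALLOW src=10.20.0.5 dst=10.10.0.3 dport=5432 proto=tcp",
]


def parse_ts(s: str) -> datetime:
    """All sources here use UTC ISO-8601 with a Z suffix."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_fw(line: str) -> Optional[Dict]:
    m = re.match(r"fw <(\S+)> (\w+) src=(\S+) dst=(\S+) dport=(\d+)", line)
    if not m:
        return None
    ts, action, src, dst, _dport = m.groups()
    return {"ts": parse_ts(ts), "source": "firewall", "src_ip": src, "dst_ip": dst,
            "host": None, "event": f"fw_{action.lower()}",
            "severity": 3 if action == "DENY" else 1}


def parse_cef(line: str) -> Optional[Dict]:
    # CEF header is pipe-separated; the trailing extension is key=value pairs.
    parts = line.split("|", 7)
    if len(parts) < 8 or not parts[0].startswith("CEF:"):
        return None
    _vendor, _product, _version, _sig_id, name, sev = parts[1:7]
    ext = dict(re.findall(r"(\w+)=(\S+)", parts[7]))
    return {"ts": parse_ts(ext["rt"]), "source": "edr", "src_ip": ext.get("src"),
            "dst_ip": None, "host": ext.get("shost"), "event": name, "severity": int(sev)}


def parse_sandbox(line: str) -> Optional[Dict]:
    try:
        d = json.loads(line)
    except ValueError:
        return None
    if d.get("source") != "sandbox":
        return None
    return {"ts": parse_ts(d["ts"]), "source": "sandbox", "src_ip": d.get("client"),
            "dst_ip": None, "host": None, "event": f"sandbox_{d['verdict']}",
            "severity": 9 if d["verdict"] == "malicious" else 1}


PARSERS = [parse_fw, parse_cef, parse_sandbox]


def normalize(lines: List[str]) -> List[Dict]:
    """Run each line through the parsers until one accepts it; drop unparsed lines."""
    events = []
    for line in lines:
        for parser in PARSERS:
            ev = parser(line)
            if ev:
                events.append(ev)
                break
    return sorted(events, key=lambda e: e["ts"])


def correlate(events: List[Dict], window: timedelta = timedelta(minutes=5),
              min_sources: int = 2) -> List[Dict]:
    """Flag a source IP reported by at least min_sources distinct tools within window."""
    by_ip: Dict[str, List[Dict]] = {}
    for e in events:
        if e["src_ip"]:
            by_ip.setdefault(e["src_ip"], []).append(e)
    findings = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            cluster = [x for x in evs[i:] if x["ts"] - first["ts"] <= window]
            sources = {x["source"] for x in cluster}
            if len(sources) >= min_sources:
                findings.append({"src_ip": ip, "sources": sorted(sources),
                                 "max_severity": max(x["severity"] for x in cluster),
                                 "events": cluster})
                break
    return findings


if __name__ == "__main__":
    for f in correlate(normalize(SAMPLE_LOGS)):
        print(f["src_ip"], f["sources"], "max severity", f["max_severity"])
```

The schema is deliberately small (timestamp, source, source IP, destination IP, host, event name, severity); once every parser emits it, the correlation step no longer cares which product produced the event, which is the property a SIEM needs before cross-source rules can work. The volume point in the answer is served by the same structure: lines no parser accepts are dropped at ingest, and only IPs with multi-source corroboration surface as findings.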
Q8: Considering your involvement in technical marketing and public relations, what strategies have you found most effective in conveying complex cybersecurity concepts to a non-technical audience?
Ans: In my experience with technical marketing and public relations, effectively conveying complex cybersecurity concepts to a non-technical audience involves a few key strategies. Cyber awareness is crucial. Simplifying complex ideas with clear, engaging examples helps make these concepts accessible. If you understand data flows deeply, you can explain them in simple terms, even to children.
Real-life examples that resonate with the audience are very effective. For instance, comparing strong passwords to locking the front door makes digital security relatable. Focusing on relevant pain points, like the financial and reputational damage of data breaches, also drives the message home.
Storytelling is another powerful tool. Sharing narratives about companies facing cyberattacks captures attention and illustrates the importance of cybersecurity in a memorable way. By making cybersecurity concepts relatable and relevant, we can educate and inspire people to protect their digital lives.
Q9: In your view, what are the most pressing current threats in cyber threat intelligence, and how should companies adapt their strategies to address these evolving threats?
Ans: In my view, one of the most pressing current threats in cyber threat intelligence is the speed and ease with which modern frameworks for hackers are being developed. These advancements enable even less technically trained individuals to create working exploits, malware, C2 servers, and other malicious attack elements. This increased accessibility to sophisticated tools leads to a rise in the number of attackers.
The development of AI technologies, in addition to the risk of developing specialized AI networks (like wormGPT), carries the risk of effective deepfakes. We are already seeing an increase in Business Email Compromise (BEC) attacks, where even video calls can be falsified and are difficult to counter, despite the fact that the attack itself does not require a high technical level from the attacker.
Supply chain attacks are also rapidly spreading. When a package is maintained by enthusiasts on a voluntary basis, it can be great for the community, but it can introduce vulnerabilities into a large number of software applications worldwide. Supply chain attacks can have widespread impact due to the prevalence of popular packages; good examples are the XZ Utils backdoor, NPM, the MOVEit supply chain attack, and others.
To counter these evolving threats, cyber defenders must actively stay ahead in this race. It’s crucial to stay up-to-date with the latest technology and thoroughly explore available tools. Adopting new protection technologies and continuously expanding and improving threat intelligence knowledge is essential. Additionally, actively sharing knowledge within the cybersecurity community strengthens our collective defense. Only by working together and maintaining a proactive position can we effectively combat these growing threats.
Q10: Looking back at your 18+ years in the industry, what do you consider your most significant achievement in IT security? How has this shaped your perspective on your work and the industry at large?
Ans: Looking back at my 18+ years in the IT security industry, I consider my most significant achievement to be the realization and implementation of security strategies that are directly informed by an awareness of real cyber threats. This realization fundamentally shaped my approach to forming information security architecture, developing network policies, and creating comprehensive security strategies.
One key insight I gained was understanding the importance of threat intelligence. While intelligence in various forms has always existed, its formal development into a structured and sophisticated technical area is relatively recent. This has become the cornerstone of modern information security. The ability to utilize a vast, constantly growing body of unstructured knowledge about current real-world threats in an accessible and understandable format is a game-changer.
Thanks to the collaborative efforts of the information security community and emerging IT technologies, we now have the tools and methodologies to leverage threat intelligence effectively. This impacts all levels of security operations, from high-level strategic planning to incident response and network threat filtering and more.
This achievement has significantly shaped my perspective on the industry. It has underscored the importance of continuously evolving our understanding of threats and integrating this knowledge into practical, actionable security measures. It has also highlighted the need for ongoing collaboration and information sharing within the cybersecurity community to stay ahead of emerging threats.