Cyber Threat Intelligence Podcast

Season 1 - Episode 22 (Pedro Kertzman & Valerii Soloninka)


Curiosity can rewrite a career—and change how an investigation ends. We sit down with Valerii Soloninka, a Russian-speaking cybersecurity professional now protecting government entities in the UAE, to trace a path from hands-on engineering to enterprise SOC work and into the high-impact world of operational and tactical cyber threat intelligence. Along the way, we unpack how fundamentals like networking, DNS, and OS internals still power great CTI, even as LLMs speed up drafting and research.

Valerii takes us inside Russia’s cybersecurity market—large, regulated, and comparatively closed—where public reporting is scarce and partnerships carry the weight of intelligence sharing. That perspective meets a striking case from the Middle East: identifying Lazarus Group activity tied to Russian-language lures, a reminder that geopolitics and targeting rarely align neatly. Allies still spy, strategic programs demand data, and defenders must follow evidence over assumptions. We break down how to translate adversary tactics into detections, drive incident response with attribution-aware guidance, and help vulnerability teams prioritize what matters.

Thinking about moving from SOC to CTI? Valerii’s playbook emphasizes relentless curiosity, a bias for action, and the technical backbone to make sense of infrastructure, indicators, and behavior at speed. We also talk candidly about the Gulf market—its boom years, current hiring realities, and why safety, services, and zero income tax continue to draw talent. For learners at every stage, you’ll hear practical recommendations on podcasts, YouTube channels, Reddit communities, and books that build lasting baselines.

Join us for a candid, story-driven look at building a meaningful CTI career, spotting threats where others aren’t looking, and becoming the teammate IR and SOC leaders seek out when stakes are high. If this conversation helps you think differently, subscribe, share the show with a colleague, and leave a quick review to help others find it. What topic should we dig into next?


Thanks for tuning in! If you found this episode valuable, don’t forget to subscribe, share, and leave a review. Got thoughts or questions? Connect with us on our LinkedIn Group: Cyber Threat Intelligence Podcast—we’d love to hear from you. If you know anyone with CTI expertise who would like to be interviewed on the show, just let us know. Until next time, stay sharp and stay secure!

Valerii Soloninka:

Activity of North Korean group Lazarus in the Middle East.

Rachael Tyrell:

Hello and welcome to episode 22, Season 1 of your Cyber Threat Intelligence podcast. Whether you're a seasoned CTI expert, a cybersecurity professional, or simply curious about the digital battlefield, our expert guests and hosts will break down complex topics into actionable insights. On this episode of season one, our host Pedro Kertzman will chat with Valerii Soloninka, who is an experienced Russian-speaking cybersecurity professional with more than five years of experience in SOC operations, incident response, and security engineering. Valerii is tracking threat actors to understand their tactics and turning that knowledge into practical defenses. He is currently based in the United Arab Emirates, where he works on protecting government entities from cyber threats. Over to you, Pedro.

Pedro Kertzman:

Valerii, thank you so much for coming to the show. I'm really happy to have you here.

Valerii Soloninka:

Yeah, thank you, Pedro, so much. Thank you for having me here today. I'm glad to be with you and glad to talk about intelligence and cybersecurity in general, and to share my journey and my experience with your listeners. And yeah, I think it's going to be nice.

Pedro Kertzman:

That's awesome. Usually I start by asking the guests about their journey into CTI. Would you mind walking us through that, please?

Valerii Soloninka:

Yeah, sure. That's basically why I'm here today. So my journey started in high school. That was the first time I was thinking about where to go, what to do with my life. I was about 17 years old, and I was going through the different universities in my city. By the way, I'm from Russia, from Moscow. I thought about where to go and what to do, and I found one university that had this type of classes about computer security. I think at the time it was called computer security, and I just thought it sounded cool. Cybersecurity, computer security, security in general sounds pretty cool. It's all about viruses, that's cool stuff. They basically promised us that we were going to do a lot of cool stuff: writing viruses, different programs, hacking computers. So it was really cool. That's basically why I chose this direction. This is where it all started. So I joined the university. The classes started, but I was a little bit disappointed because the study program itself was a bit outdated. The topics were completely different from what we were promised in the beginning. And then going forward, I just realized that computer security, the direction that I chose, was kind of hard for me to handle because it had a strong focus on cryptography and the math itself. It wasn't my strongest side, I would say. So that's why in the middle of studying (the whole period of university study in Russia usually takes five and a half years), in the middle of my journey, I decided to slightly change the direction I was going for. Instead of continuing my study in computer security, I went for something called information security. It was more generic, without that focus on the math.
Yeah, it was more about how to secure information, not about cryptography itself. So this is a quick introduction to my computer security, I mean my university, experience. Then after I finished the university, or basically even before I finished the university: usually we start looking for a job to get initial experience in the third year or fourth year, it depends. At the time my girlfriend, who is now my wife, decided to start looking for a job as well. So that was part of my motivation, I would say, because if my girlfriend started looking for a job, I had to as well, because I needed to go to the cinema and to restaurants with her. That was part of my motivation. I got my first job as a junior cybersecurity engineer almost one year before finishing the university. So again, some initial working experience. It was a small company, a contractor. My main responsibilities were to go on site to the client location and deploy different kinds of software and hardware. If we talk about software, it was mostly antivirus software, different ones. If we talk about hardware, it was mostly network hardware, like switches and routers. Before starting my job, I was able to finish the Cisco CCNA courses. I guess for a lot of people and your listeners, it probably was the first step to get into IT or cybersecurity. Finishing these courses gave me good experience with networking. Actually, I think in four months I was probably able to get more knowledge, not about IT in general but mostly about networking and cybersecurity, than in the last three years studying at university. So it was very effective, I would say.

Pedro Kertzman:

Yeah, hands-on is always better. But that's awesome. Thanks for walking us through your journey into IT and security. And why did you decide to pivot to CTI after that? How did that story play out for you?

Valerii Soloninka:

Yeah, so after working one year, I think it was one year and three months, as an engineer, going on site and deploying software and hardware as I told, I thought that something related to operations, like cybersecurity operations, would be more interesting for me. That's how I pivoted into a SOC role in a security operations center. It was the biggest bank in Russia. I gained plenty of experience. I think that was one of the most important steps in my career, because when you work in such a big organization, you are working in an enterprise. Working in an enterprise gives you an idea about how big companies operate, how they interact with other companies and inside the organization as well. And I think the logical step after you work in a SOC role is to pivot into different domains in cybersecurity, I would say. Get a specialized domain, exactly. It could be incident response or digital forensics or cybersecurity engineering or threat hunting, for example, or threat intelligence. So I thought it would be nice to be more preventive than reactive, and to get more information and knowledge about the threat actors in the wild. Because at the time when I joined the SOC, I started reading different reports by different cybersecurity vendors, and I thought it was really cool. I wanted to be that guy who makes this impact, who writes those cool reports. The reality is different, but at the time I thought it would be really cool to write those reports and make such a big impact for other people who read those reports. That's how I thought that I needed to go to CTI.

Pedro Kertzman:

That's awesome. And so you mentioned your first experiences at home in Russia. Any particular thoughts? Because I think especially for people on the West side of the map, they sometimes are not super aware of the Russian, let's say, legitimate cybersecurity market, the industry. People often hear stories about threat actors and stuff, but there's a big market, right? It's a really big industry in Russia. Any thoughts around that?

Valerii Soloninka:

Yeah, exactly. Actually, I think the Russian cybersecurity market is something similar to the Chinese security market, because they are kind of isolated from the West. Big Western vendors obviously won't work there. I mean some of them do, but not in cybersecurity, I mean in cybersecurity consulting, I would say. So they still supply software; they used to supply software before the war emerged between Russia and Ukraine in 2022. They used to supply different kinds of software. I had a chance to work with some EDR vendors and consultancy companies. And the market itself is very huge because it was driven, and is still being driven, by the authorities: there are laws that make it basically mandatory to have cybersecurity in your organization. There are certain ways and loopholes to avoid it, like everywhere else, I guess. But yeah, it's still a big market, and it's driven mostly by the government. It's very similar to China because, as I mentioned, it's very closed, but there are very talented people who still work there. And from a CTI standpoint, it's quite interesting because, for example, if you work in a Russian organization and you need to gain knowledge about threat actors that may attack you, or that you may become a target for, it's not that easy compared to working in a Western organization, because there are very, very few Russian organizations that actually publish their reports and knowledge about threat actors or attacks in public, compared to the Western market. Because if we draw a threat landscape, for example, for Russia, it's probably going to be the West, right? But for the West, we all know the four big players in the threat actor nexuses: Iran, Russia, China, and North Korea.
There are plenty, plenty of different public reports that you can read, and at least you can get an idea about the threats that may attack you or that you may become a target for. But in Russia, it's a bit different, I guess. In Russia, you have to rely on partnerships between organizations and rely on the vendors that work for the Russian market itself. I guess that's the biggest difference and the big challenge for organizations and players who currently work in the Russian market.

Pedro Kertzman:

No, that's awesome. And I think it's interesting the way you put it, because a lot of people might think that attacks in general might always be flowing from the East to the West. But you mentioned that cybersecurity is even mandatory for Russian companies, because like anybody else in the world, somebody can get infected with something or be attacked from other parts of the world targeting Russian companies, so they also have to have a reasonable security apparatus, right?

Valerii Soloninka:

Yeah, there was one interesting case. I think one Western player, a big vendor, published a report on North Korean threat actors. It sounds weird because Russia and North Korea are kind of allies, but still one of the vendors published it. They found, I think, a sample on VirusTotal that was basically a Word document infected with an embedded manual written in the Russian language. They were able to identify the targeted organization, and they attributed this attack back to North Korean threat actors. So it means that you are still kind of allies, but in the same way you still need to gather intelligence about your ally to understand what they want to do, or to collect some information that might be required to develop, for example, your strategic rocket program. And I think somehow it might be related. I mean, the fact that Russian companies don't publish that much information about the attacks or threat actors they know, it's something related to caution, maybe, and to the point that the Russian market itself is quite closed, so you cannot just throw everything in and start selling new stuff to the Russian government or Russian companies.

Pedro Kertzman:

Yeah, no, absolutely. And from Moscow to Abu Dhabi, how did that happen? How did the move happen, from a career standpoint and a life standpoint as well?

Valerii Soloninka:

Yeah, first of all, it's quite hot here in summer. But it was totally unexpected for me. When I started my career, I thought maybe someday I would want to move abroad, to work in the West or apparently in the Middle East, but it never was my goal to do that. But I think almost eight months after I finished my university, I just had a LinkedIn profile at the time. LinkedIn was quite useful at the time, not as it is now. I had just my LinkedIn profile with some basic information, and one day, I think it was August, I got a message like, we have an opportunity for you in Abu Dhabi in the UAE. I thought, Abu Dhabi? What is Abu Dhabi? I know only about Dubai, but what is Abu Dhabi? But I got to know that Abu Dhabi is actually the capital of the UAE, so I was surprised. First of all, I thought it was a scam or some sort of prank, but I thought, why not give it a go? Just give it a try. And apparently it took four months, I think it was five months. The hiring process took some time, but after five months I took my flight. I mean, I got my tickets and I landed in December. So it was August, and in December I landed in Dubai. Yeah.

Pedro Kertzman:

That's awesome. And how is the cybersecurity market in the UAE overall?

Valerii Soloninka:

So I'm going to talk about the UAE, I think, and the Middle East in general, because more or less, if you take the Middle East countries, I mean the biggest Middle East countries like Saudi Arabia, Qatar, and the UAE, the market is more or less similar in all those countries. The amount of opportunities might be different in each country, but more or less the market itself is similar, in terms of the culture, for example, in terms of salary, and in terms of taxes. In the UAE, income tax is zero percent. I think it's the same in Saudi and Qatar as well. I'm not really sure about that, but I think it's zero as well. I think the market was the strongest back in 2016. I think between 2016 and maybe 2021-22, the market was in the best shape it's ever been. Nowadays the market is quite tough, just because of the recession in the whole world after COVID, after the over-hiring, so it also impacts the Middle East the same way. There is a big discrepancy, I would say, from company to company. It depends on the organization that you're supposed to join. For example, is it a semi-government company, is it a government company, or is it a multinational company? It depends. But yeah, market-wise, a lot of people want to move to the UAE, they want to work here, and not only to the UAE, of course, but to the Middle East in general, because they feel that it might be a safe harbor for them. Zero taxes, good weather most of the year, very good services as well. Okay, not to compare, but just a very comfortable life, I would say. And it's quite safe in all those countries: Qatar, the UAE, Saudi, Kuwait, Oman. In all those countries you can easily walk out at 1 a.m. in the night in the middle of the street and nothing will happen to you ever.

Pedro Kertzman:

On that journey, just maybe going back a little bit, from a SOC analyst to a more specialized CTI expert: any lessons learned for people who are potentially making a similar move from SOC to a more dedicated CTI position?

Valerii Soloninka:

So, yeah, I think so. If you want to make a move from SOC to CTI, the biggest ability you must have for that is curiosity. It's not only for CTI, to be honest, but for CTI I think it's one of the main things you need to have to be successful. You need curiosity to be successful in cybersecurity in general, and to be successful in general, but in CTI I think it's especially important. Because if you don't know something, or if you encounter something that is unknown to you, or you don't know how to solve a problem, please Google it. Try to find the solution. Use ChatGPT, but I follow a routine: if I don't know or don't understand something, first of all I try to Google it and find the answer myself if I can, then of course I usually use some kind of LLM just to help me out and understand the problem. And while soft skills are important, it's also important not to forget about the technical skills. It's well known that CTI is also about the reports, but to be successful in CTI, with the LLMs, an LLM can basically write reports for you if you provide correct data. The LLM can basically write an ideal report like a native speaker. It actually helps me a lot when I don't know how to put certain things on paper. But don't forget about your technical skills, because programming languages, parts of incident response, how exactly certain things happen, like how memory works in computers, for example, or how the network works, how DNS works, HTTP, HTTPS, all this stuff is very important to better understand cybersecurity and CTI.
Because luckily or unluckily, I don't know, cybersecurity is one of the domains, I think, where you need to be an expert in certain niches, but at the same time you have to understand a lot of things. Even if you work in CTI, it would be nice if you understand how a computer works and, I don't know, DevOps, for example, or programming languages. So you need to know everything, but you need to be an expert in some niches that you want to be an expert in.

Pedro Kertzman:

100%. And you were mentioning the various CTI domains or areas of expertise as well. Is there any one that is your favorite within the whole CTI umbrella?

Valerii Soloninka:

So yeah, CTI itself is quite huge, so you can specialize in different aspects of CTI. As we know, there are usually three types of CTI products that you deliver on three different levels: operational, tactical, and strategic. What I can say is that I don't like strategic. I don't think that is my strongest area. I think I can make the biggest impact on the tactical and operational levels. I really enjoy working with good IR people, incident response teams, helping them out and figuring out what is the best way to help them during the incident response: to guide them, to direct them, to look for any signs of attribution or deep dive into certain indicators of compromise, to investigate the infrastructure or the details that they share with you, because it helps you to attribute to a certain threat actor. So it is always like a puzzle. They share different findings with you, and based on those findings, you're supposed to find the threat actor that might be behind this attack. So this is one of the aspects. And the other one is talking to the SOC teams, talking to vulnerability management teams, for example, to understand the ways I can help them to solve their problems. Because CTI is generally an industry and a domain that's supposed to help other teams, so you cannot have CTI if you cannot help other teams, because CTI itself is not an independent function; it's usually a function that's supposed to help other functions to act more effectively, to do things in a more efficient way.

Pedro Kertzman:

Any particular interesting stories from your favorite interactions with either one of those teams that you mentioned you really like to work with?

Valerii Soloninka:

Yeah, I think there is one case that I can mention. Usually my favorite thing, when you work in CTI, is experiencing something that you don't expect to see at all. For example, in one of the cases we noticed activity of the North Korean group Lazarus in the Middle East, which nobody actually expected during the incident response. It was basically part of one of the campaigns. It was very exciting. And it actually was my first time, I think, working with an IR team on an APT intrusion. It was very exciting. My first time was with North Korean threat actors. It was even more exciting.

Pedro Kertzman:

That's awesome. And any particular learning sources that you like? YouTube channels, podcasts, blogs, books, conferences, reports, feeds, you name it. Any favorite learning sources for CTI?

Valerii Soloninka:

Yeah, the problem, I mean it's not a problem, it's also an opportunity, is that nowadays we have too many learning sources: podcasts, books, courses, report feeds, etc. So I think you don't actually need to spread yourself too much. If you choose your speciality, just try to focus on it, but don't forget about other things as well. I actually prefer listening to your podcast, and I have a few other podcasts as well that I listen to, usually when I drive my car to the office, or when I cook, for example, or when I go for a walk. It's really nice just to listen to podcasts, because you may receive and understand different angles on the problems that you thought about or have ideas about, and it helps you to see it from different angles and maybe come up with a different solution for the same problem. It's quite nice. I enjoy watching YouTube when I eat, for example. There are a couple of YouTubers that I prefer to watch. And I think people sort of underestimate Reddit as one of the sources of knowledge, because there are plenty, plenty of subreddits that actually can teach you a lot of different things. One of the biggest ones is of course the cybersecurity subreddit. And there are a couple of others; for example, if you're taking the OSCP or planning to take the OSCP, there's also a dedicated subreddit for the OSCP where people share their thoughts, etc. So it's quite cool. I think Reddit is one of the very good sources of knowledge, and of course I cannot not mention books. I think if there is a certain topic that you want to dive into, books are one of the best sources of knowledge for this particular topic. There are plenty of books for different kinds of topics, right? For CTI, for incident response, even for detection engineering, malware analysis.
Some of them could be outdated, but still they may have this basic knowledge, this baseline that you need to establish before you actually go deep into this topic. So I guess these are my favorite types of sources of knowledge that I use daily.

Pedro Kertzman:

And any closing thoughts for the listeners that you would like to share?

Valerii Soloninka:

Yeah, I mostly want to share a few thoughts and give some suggestions for people who are just starting their cybersecurity career, or who want to pivot from IT or from different domains to other domains in cybersecurity. I think it's very important to write and blog about your progress. I think plenty of us... I started my small blog recently, and plenty of other people probably have a registered domain that has, I don't know, just been staying inactive for the last five years, but it's still there. So just start blogging about what you do, how you do different kinds of things, where you're heading, what your favorite things are. I think that's quite important because it's usually part of your portfolio. If you blog about something, it's really nice, and it would be really nice to attach it to your portfolio. The second thing is networking. I don't know how to network with other people; it's not my best side. It just happened this way that I know a lot of good people in the industry from my region, so I just got lucky in some way. But I think networking is a very important aspect, because if you're looking for a job and you have a big network of people who trust you and who know you, they usually can give you a good idea about open positions, because the best positions in the industry are not advertised on LinkedIn. They are usually shared among the people who are in a network. If someone knows someone who is a good fit for the position, they will probably prefer this person instead of hiring someone from somewhere they don't know. And don't forget about the fundamentals. If you work in any kind of industry in cybersecurity, you need to know how operating systems work, for example, and how the network works.
That's just a couple of things that I suggest people actually learn about, and follow that advice.

Pedro Kertzman:

That's awesome. Valerii, thank you so much for your insights on the podcast. I'm so happy to hear that you also listen to the podcast, so it's super nice to have you here, especially because of it. And I hope you're also around. Thank you so much.

Valerii Soloninka:

Yeah, thank you, Pedro, so much for your time. And yeah, just do what you do. You're doing a great job for other people in the industry. Thank you so much.

Pedro Kertzman:

Thank you. I really appreciate it. Take care.

Rachael Tyrell:

And that's a wrap. Thanks for tuning in. If you found this episode valuable, don't forget to subscribe, share, and leave a review. Got thoughts or questions? Connect with us on our LinkedIn group, Cyber Threat Intelligence Podcast. We'd love to hear from you. If you know anyone with CTI expertise who would like to be interviewed on the show, just let us know. Until next time, stay sharp and stay secure.