Mandiant Perspectives from the Munich Cyber Security Conference 2023
Mandiant
Written by: Jamie Collier
Cyber capabilities are an increasingly important tool of statecraft, with today’s operations increasingly reflecting the strategic and geopolitical ambitions of government sponsors. This makes it essential to connect network defenders and policymakers.
The Munich Cyber Security Conference (MCSC), therefore, provides a welcome exchange to discuss nascent challenges facing the cyber security community. Both Mandiant Intelligence VP Sandra Joyce and Google Cloud CISO Phil Venables spoke at this year’s event.
This blog post outlines key takeaways from MCSC 2023 and how Mandiant, now a part of Google Cloud, is playing a leading role in addressing burgeoning cyber policy issues.
Blurring of Lines
Cyber operations stemming from Russia’s invasion were an inevitable focus at MCSC 23. This was for good reason: Mandiant observed more destructive cyberattacks in Ukraine during the first four months of 2022 than in the previous eight years.
One of the main challenges since the invasion began has been defending against such a wide spectrum of Russian campaigns. Even more significant than the variety of cyber operations, however, has been the way they have fused together.
This is reflected in Google’s and Mandiant’s jointly published Fog of War report, which explores how the Ukraine conflict has transformed the cyber threat landscape. The report outlines several ways in which the lines are blurring in cyber conflict. For example:
- Mandiant assesses with moderate confidence that threat actors operating the hacktivist Telegram channels of XakNet Team, Infoccentr, and CyberArmyofRussia are coordinating their operations with GRU-sponsored FROZENLAKE/APT28.
- The cyber criminal ecosystem has been disrupted, with some groups declaring political allegiances, others splitting on geopolitical lines, and prominent operators shutting down. The taboo against attacking Russia has also softened.
- Russian information operations have regularly been deployed in tandem with destructive cyber operations in Ukraine.
Network defenders are now facing multifaceted threats in the face of increased coordination across cyber espionage, destructive operations, information operations, hacktivism, and cybercrime.
We must address these challenges by doubling down on our own collaboration within the security community. We are doing this at Google already. As the Fog of War report highlights, while Google’s Threat Analysis Group (TAG) is actively protecting Google users impacted by the conflict, Mandiant is delivering incident response services in Ukraine, and Google Trust and Safety teams are taking decisive action to demonetize and block outlets of Russian information operations.
Check out Phil's blog post for more on what business leaders can learn from our Fog of War report.
Responsible Players
The importance of responsible players was a common theme during MCSC 23. Throughout the conference, several government speakers called on industry to play an active role in responding to today's challenges. Google and Mandiant remain committed to being responsible players.
For instance, Google Cloud services operate a shared-fate model for risk management in conjunction with our customers. We believe that it's our responsibility to be active partners as our customers deploy securely on our platform, not delineators of where our responsibility ends. We're committed to building security into all of our platforms and products by default in an effort to address the root causes of cyber insecurity globally.
Mandiant has long had deep insight into adversary activity that will be further complemented by Google’s own insights. Responsibility for us means building a collective view of the threat landscape across Google, but doing so in a way that protects privacy and sensitive data. As Google Cloud CEO Thomas Kurian outlined when Google completed the acquisition of Mandiant, our joint vision is to democratize security operations with access to the best threat intelligence. Google Cloud and Mandiant, therefore, intend to play an active role in equipping the security community with useful insight into the threats that really matter.
The Role of Regulation
Within Europe, cyber security and regulation are often discussed in tandem. This year’s MCSC was no exception, given the dynamic regulatory environment within Europe. The Network and Information Security Directive 2.0 (NIS2) is now adopted in the EU, while the Cyber Resilience Act (CRA) has recently been published.
Google Cloud is committed to ensuring that our platform and security tools support the highest standard of compliance. We’ve spent more than a decade developing mature processes for risk governance, incident reporting, and vulnerability management to support our compliance journey.
NIS2 means a comprehensive incident response plan and clear reporting are now more important than ever. Mandiant intends to play an active role in remediating incidents and equipping organizations with a clear understanding of their vulnerabilities and the roadmap to building secure networks through our incident response, advisory, and intelligence services.
Meanwhile, the CRA's focus on bolstering supply chain security makes it increasingly important to use threat intelligence to focus on the supply chain threats that really matter. The Russian-backed SolarWinds supply chain compromise has instigated a wide conversation around supply chain security among security leaders in recent years. However, there is a broader context that also requires urgent attention.
For instance, our intelligence reporting shows almost 40% of software supply chain compromises in the same year as the SolarWinds compromise involved developer tools and open source libraries. Since then, China has been highly active in conducting software supply chain attacks while Mandiant has observed a sharp uptick in financially motivated supply chain compromise incidents.
All of this highlights the important role of threat intelligence in responding to supply chain threats and the CRA. Supply chain threat intelligence can be utilized by regulators themselves to identify prominent threats and design well-informed policy. Network defenders can also leverage supply chain threat intelligence to build a clear protection plan that focuses on key threats.
Google and Mandiant welcome the opportunity to work with European cyber security regulation to think through these issues. There also remain clear opportunities to build on the baseline provided by regulation through a more proactive approach. Ultimately, Mandiant conducts a significant number of incident response engagements every week with organizations that are technically compliant, yet remain highly vulnerable to today’s threats.
Embracing the Challenges Ahead
MCSC 2023 outlined a variety of challenges across the cyber policy and network defense community. However, we should always remember that the security community possesses the agency and capability to tackle these head on. By scaling our security functions through a combination of threat intelligence and automation, we can remove toil and focus on the threats that matter most. This vision underpins a variety of initiatives across Google’s security teams.
Building a deeper understanding of the threat landscape across Google through a responsible, careful, and considered approach will be devastating for today’s cyber adversaries. When network defenders are up against well-resourced, government-backed attackers, the situation can easily feel hopeless. However, threat intelligence can empower security functions. Better visibility into threats leads to faster and deeper actionable insight. This allows defenders to quickly react to nascent threats and thereby impose greater costs on threat actors.
Rather than a lofty ambition, building a resilient and proactive security posture should be embraced as eminently achievable.