When Dave Liebenberg started his first day at Talos, he had never even opened Terminal on a Mac before — let alone written a Snort rule or infiltrated a dark web forum.
He jokes that he was a trendsetter at Talos, becoming the first of many to break into security without having any prior cybersecurity experience. (For example, his teammate, Azim Khodjibaev, would be hired a few years after him after spending most of his career working on real-world military intelligence.)
Liebenberg originally went to college to study Chinese culture and language, and international relations. After spending several years in China teaching English and analyzing traditional Chinese security issues at think tanks back in the US, he decided to make the jump to information security when he was offered an opportunity to work on Talos’ threat intelligence and interdiction organization as a translator.
Seven years later, he is overseeing an entire team of threat intelligence analysts and hunters monitoring some of the largest threat actors in the world. And he’s since learned what a Terminal is and how to write Python code.
“At first, it was here’s a problem — go try to solve it and ask us if you have questions,” Liebenberg said. “It took a lot of self-study, a lot of mentorship and training, but I was able to pick up coding, and was able to develop my threat intelligence skills so that I could analyze different types of threats and conduct technical analysis.”
As Talos’ Head of Strategic Analysis, Liebenberg and his team have developed their own method of threat hunting and analysis and specialize in looking at the bigger picture of the threat landscape. For example, they compiled Talos’ first-ever Year in Review report in 2022, recapping major threat actor trends and malware families from the past year.
That intelligence eventually makes its way into white papers, Talos blog posts, newsletters, and bulletins for government and sector partners.
“We like to do long-term threat actor tracking, trend analysis and comprehensive threat analysis,” he said. “We’re taking a holistic approach and asking, ‘How can we arrange, analyze and compare our data so we can say something in general about the threat landscape?’”
His fluency in the Chinese language and culture still helps, though, as China-backed APTs continue to be some of the most active on the threat landscape. Liebenberg uses his background to provide translation and add political or cultural context to usually complicated international matters that play into cyber attacks.
While the day-to-day activities of these actors haven’t changed much over the past few years, Liebenberg said it’s vastly different from a decade ago when U.S.-China relations were in a far more positive place than they are today.
“The way things are right now is incredibly tense,” he said. “But like most threat activity that’s originating from a country, it’s an incredibly complex ecosystem. You have cyber criminal actors, actors who are directly aligned with the state, and there are all sorts of intermingling. It’s difficult to identify the prototypical type of attack coming from China. In terms of APT activity, it’s a lot of espionage-focused, more theft-focused, maybe a little less brash than you might think.”
It wasn’t always his plan to study China, though. Liebenberg thought he’d attend college and take French as a language requirement, having studied it in high school. He tried to test out of the class and, as he now fondly remembers, failed the entrance exam outright; his college advisor suggested he take Chinese instead.
Liebenberg has built out a team of writers and researchers who also have unconventional cybersecurity backgrounds, many of them coming from outside the industry or bringing in several years of government experience. He himself has worked on U.S.-China relations at the Council on Foreign Relations and the Center for Naval Analyses.
The team digs through telemetry, partner shares, honeypots, and dark web forum posts, always consulting with Talos’ diverse collection of subject matter experts and keeping abreast of current events. Their threat hunting also assists in actor tracking and blocking malicious infrastructure, payloads, and tools in Cisco Security’s product suite. They also work very closely with Talos’ incident response team and publish a quarterly report on IR trends. Oftentimes, this leads to the “traditional” Talos detection content like Snort rules, ClamAV signatures and blocks on IPs and URLs.
“We’re this niche group of people who have backgrounds in analysis who maybe weren’t strictly cyber analysis, but now we’re taking a multi-disciplinary approach,” he said. His first two hires as a manager, Kendall McKay and Caitlin Huey, were key to the team’s growth and broadening portfolio.
This can certainly become a grind — as much of the cybersecurity field can be — so Liebenberg makes sure to carve out time with his wife Kathleen and dog Garth to unwind. He also loves reading and watching movies, though despite his interest in real-world politics and international relations, Liebenberg jokes that he almost never reads non-fiction books.
Back at work, Liebenberg says he most looks forward to dealing with active, ongoing security incidents and trying to solve a problem in real time.
“When I’m able to help a customer who is dealing with an active, serious issue, and we do something that’ll have a huge impact — that real-world effect is what makes me most proud,” he said.