From the World Cup in Qatar to robotics manufacturing in east Asia, this incident responder combines experience from multiple arenas

Yuri “Jerzy” Kramarz helped secure everything from the businesses supporting the upcoming World Cup in Qatar to the Black Hat security conference and critical national infrastructure.

He’s no stranger to cybersecurity on the big stage, but he still enjoys working with companies and organizations of all sizes in all parts of the world.

“What really excites me is making companies more secure,” he said in a recent interview. “That comes down to a couple things, but it’s really about putting a few solutions together at first and then hearing the customer’s feedback and building from there.”

Yuri is a senior incident response consultant with Cisco Talos Incident Response (CTIR) currently based in Qatar. He walks customers through various exercises, incident response plan creation, recovery in the event of a cyber attack and much more under the suite of offerings CTIR has. Since moving from the UK to Qatar, he is mainly focused on preparing various local entities in Qatar for the World Cup slated to begin in November. Qatar estimates more than 1.7 million people will visit the country for the international soccer tournament, averaging 500,000 per day at various stadiums and event venues. For reference, the World Bank estimates that 2.9 million people currently live in Qatar.

This means the businesses and networks in the country will face more traffic than ever and will no doubt draw the attention of bad actors looking to make a statement or make money off ransomware attacks.

“You have completely different angles in preparing different customers for defense during major global events depending on their role, technology and function,” Kramarz said.

In every major event, there were different devices, systems and networks interconnected to provide visitors and fans with various hospitality facilities that could be targeted in a cyber attack. Any country participating in the event needs to make sure they understand the risks associated with it and consider various adversary activities that might play out to secure these facilities.

Kramarz has worked in several different geographic areas in his roughly 12-year security career, including Asia, the Middle East, Europe and the U.S. He has experience leading red team engagements (simulating attacks against targets to find potential security weaknesses) in traditional IT and ICS/OT environments, vulnerability research and blue team defense. The incident response field has been the perfect place for him to put all these skills to use.

He joined Portcullis Security in 2011 as a security consultant and eventually moved throughout Cisco after it acquired Portcullis in 2015. As a red teamer, he had to develop exploits and think about the potential paper trail those exploits would leave behind — after all, it was his job to show where current security structures had failed.

“Every time I would try to design a payload, I’d have to forensically understand what fingerprints are left on the system,” he said. “So effectively I had to do incident response for a decade before I joined CTIR.”

That breadth of experience also helps because CTIR is platform-agnostic. He often must access and leverage other companies’ technology and software, such as during the Black Hat conference earlier this year when he was part of a Cisco team that set up and defended the on-site network in Las Vegas.

“We had to check all the different technology stacks to make sure we could stop adversaries before they became a problem,” he said. “From there, we moved to use those technologies to detect what’s happening in real-time … and then we used [Cisco] SecureX to unify some of the response capability. By default, you pretty much must learn about every piece of technology that’s out there to provide an effective incident response as we can’t wait days or weeks to deploy something during an emergency.”

Yuri is used to working in different time zones at different hours of the day, too. His favorite incident response to an engagement call came around midnight one night when he was on call — a large conglomerate was under attack and the adversaries deployed ransomware. He was part of the CTIR team who immediately responded to identify and eradicate the ransomware attack. CTIR eventually successfully brought systems back online.

“And from there, we built a great relationship with the customer that’s been ongoing since then,” he said.

Yuri enjoys golfing in his free time.

Although incident response can lead to these kinds of late nights, Yuri said he’s thankful that Cisco Talos offers him the flexibility to work different hours and take time off when he needs it. Golf is his current outlet for relaxation, and it gives him something mutual to talk to people about regardless of what country they’re in. While not out on the green he likes to contribute to several open-source projects.

Since coming into the incident response field, he’s had to flex his interpersonal skills more than ever because CTIR places such an emphasis on making IR a team sport.

“The way I try to carry myself is to be happy and to look at my reflection every morning and say, ‘I’m doing the best I can for my customer,’” Kramarz said. “If I put my signature on a report, I want to make sure I’m proud of it.”

Once the World Cup wraps up, Yuri said he will carry on focusing on securing critical infrastructure and operational technology. It’s a unique challenge, he said, because a lot of the technology can be more than 20 or 30 years old, and each customer is going to need a unique solution to their problems.

“One time during an incident in a different country, we had to look at physical manuals in binders from a decade before to figure out how the affected device actually worked and how someone could hack it, as only several of the devices had ever even been produced,” he said. “We know how to acquire evidence on the standard operating systems out there such as Unix or Windows, and we have the tools of the trade to help us with that. We often don’t get that in ICS/OT environment, so innovation is a key in this field.”

If your organization would like to work with Yuri or one of his fellow CTIR team members, you can reach out to them here. Talos Incident Response offers a range of proactive services for security teams, including hands-on tabletop exercises, a state-of-the-art cyber range for training and much more.