Forward-looking features on the issues and trends that Talos feels are affecting the current cybersecurity landscape.
Insights into the clustering and reuse of phone numbers in scam emails
Talos has recently started to collect intelligence on phone numbers within emails as an additional indicator of compromise (IOC). In this blog, we discuss new insights into in-the-wild phone number reuse in scam emails.
Do not get high(jacked) off your own supply (chain)
In the span of just a few weeks, we have observed a dizzying array of major supply chain attacks. If we are all building on such a shaky foundation, what can we do to keep safe?
New in Snort3: Enhanced rule grouping for greater flexibility and control
Today, Cisco Talos is introducing new capabilities for Snort3 users within Cisco Secure Firewall to give you greater flexibility in how you manage, organize, and prioritize detection rules.
Spy vs. spy: How GenAI is powering defenders and attackers
Generative AI is rapidly transforming cybersecurity for both defenders and attackers. This blog highlights current uses, emerging threats, and the evolving landscape as capabilities advance.
Think passwordless is too complicated? Let's clear that up
We’ve relied on passwords for years to protect our online accounts, but they’ve also become one of the easiest ways attackers get in. Cisco Duo helps clear up some of the biggest passwordless myths.
Reducing abuse of Microsoft 365 Exchange Online’s Direct Send
Cisco Talos has observed increased activity by malicious actors leveraging Direct Send as part of phishing campaigns. Here's how to strengthen your defenses.
Using LLMs as a reverse engineering sidekick
LLMs may serve as powerful assistants to malware analysts to streamline workflows, enhance efficiency, and provide actionable insights during malware analysis.
Cybercriminal abuse of large language models
Cybercriminals are increasingly gravitating towards uncensored LLMs, cybercriminal-designed LLMs, and jailbreaking legitimate LLMs.
State-of-the-art phishing: MFA bypass
Threat actors are bypassing MFA with adversary-in-the-middle attacks via reverse proxies. Phishing-as-a-Service tools like Evilproxy make these threats harder to detect.
The evolution and abuse of proxy networks
Proxy and anonymization networks have been dominating the headlines. This piece discusses their origins and evolution on the threat landscape, with a specific focus on state-sponsored abuse.
Malicious QR Codes: How big of a problem is it, really?
QR codes are disproportionately effective at bypassing most anti-spam filters. Talos discovered two effective methods for defanging malicious QR codes, a necessary step to make them safe for consumption.
How LLMs could help defenders write better and faster detection
Can LLM tools actually help defenders in the cybersecurity industry write more effective detection content?
A refresher on Talos’ open-source tools and the importance of the open-source community
Open-source software that is free to download, deploy and modify is a vital component in the fight for cyber security. Freely available software not only helps defend systems that would otherwise be unprotected, but it also allows people to learn and develop vital cybersecurity s
Impact of data breaches is fueling scam campaigns
Data breaches have become one of the most crucial threats to organizations across the globe, and they’ve only become more prevalent and serious over time.
Hidden between the tags: Insights into spammers’ evasion techniques in HTML Smuggling
Talos is releasing a new list of CyberChef recipes that enable faster and easier reversal of encoded JavaScript code contained in the observed HTML attachments.
Inside the ransomware playbook: Analyzing attack chains and mapping common TTPs
Based on a comprehensive review of more than a dozen prominent ransomware groups, we identified several commonalities in TTPs, along with several notable differences and outliers.
Snowflake isn’t an outlier, it’s the canary in the coal mine
By Nick Biasini, with contributions from Kendall McKay and Guilherme Venere. Headlines continue to roll in about the many implications and follow-on attacks originating from leaked and/or stolen credentials for the Snowflake cloud data platform. Adversaries obtained stolen login
How are attackers trying to bypass MFA?
Exploring trends in how attackers are trying to manipulate and bypass MFA, as well as when and how attackers will try their "push-spray" MFA attacks.
Adversaries are leveraging remote access tools now more than ever — here’s how to stop them
While there are many legitimate uses for these tools, adversaries are also finding ways to use them for command and control in their campaigns.
Threat actors leverage document publishing sites for ongoing credential and session token theft
Talos IR has responded to several recent incidents in which threat actors used legitimate digital document publishing sites such as Publuu and Marq to host phishing documents as part of ongoing credential and session harvesting attacks.
The 3 most common post-compromise tactics on network infrastructure
We discuss three of the most common post-compromise tactics that Talos has observed in our threat telemetry and Cisco Talos Incident Response (Talos IR) engagements. These include modifying the device’s firmware, uploading customized/weaponized firmware, and bypassing security measures.
Stop running security in passive mode
As we begin a new year, we wanted to address one of the biggest issues we consistently see in our investigations: passive security. Incident response engagements are an important part of our work and the intelligence-gathering process and their associated reports can be a treas
How CVSS 4.0 changes (or doesn’t) the way we see vulnerability severity
While distilling risk down to a simple numerical score is helpful for many in the security space, it is also an imperfect system that can often leave out important context.
How are user credentials stolen and used by threat actors?
You’ve probably heard the phrase, “Attackers don’t hack anyone these days. They log on.” In this blog, we describe the various tools and techniques bad actors are using to steal credentials so they can 'log on' with valid account details, and outline our recommendations for defense.
7 common mistakes companies make when creating an incident response plan and how to avoid them
Avoiding some of these common mistakes ensures your organization’s plan will be updated faster and is more thorough, so you are ready to act when, not if, an incident happens.
The rise of AI-powered criminals: Identifying threats and opportunities
A major area of impact of AI tools in cybercrime is the reduced need for human involvement in certain aspects of cybercriminal organizations.
Code leaks are causing an influx of new ransomware actors
Since 2021, Cisco Talos has seen an increasing number of ransomware variants emerge, leading to more frequent attacks and new challenges for cybersecurity professionals, particularly regarding actor attribution.
What might authentication attacks look like in a phishing-resistant future?
Even if the internet at large adopts passkeys, attackers can still find a way in.
Implementing an ISO-compliant threat intelligence program
The guidance within ISO 27001 identifies which security controls are appropriate, while ISO 27002 describes the controls in detail and how they can be implemented.
The growth of commercial spyware-based intelligence providers without legal or ethical supervision
Commercial spyware has become so notorious that international governments are taking notice and action against it, as evidenced by the Biden administration’s recent Executive Order on commercial spyware.
".Zip" top-level domains draw potential for information leaks
As a result of user applications increasingly treating actual ".zip" filenames as URLs, these filenames may trigger unintended DNS queries or web requests, thereby revealing possibly sensitive or internal company data contained in a file's name to any actor monitoring the associated DNS server
Adversaries increasingly using vendor and contractor accounts to infiltrate networks
The software supply chain has become a key security focus for many organizations, but the risks associated with supply chain attacks are often misunderstood.
How threat actors are using AI and other modern tools to enhance their phishing attempts
Tools like ChatGPT aren't making social engineering attacks any more effective, but they do make it faster for actors to write up phishing emails.
How an incident response retainer can drive proactive security
Whether it be threat hunting, an active defense posture, or simply improving the security instrumentation, alerts and logs an organization keeps, every organization, no matter its size, should be prepared for when a cybersecurity incident or breach occurs.
Beyond the basics: Implementing an active defense
An active defense posture, where defenders actively use threat intelligence and their own telemetry to uncover potential compromises, is the next stage on the cybersecurity maturity roadmap. Instead of waiting for detections to trigger, defenders can take the initiative and hunt threat actors.
State Sponsored Attacks in 2023 and Beyond
As 2023 begins, I wanted to look ahead at the future of state-sponsored aggression and how we can expect it to change and evolve over the next year and beyond.
The Company You Keep – Preparing for supply chain attacks with Talos IR
Organizations must proactively limit supply chain risks through careful selection of the company they keep while preparing to respond to an incident that will invariably originate from the supply chain.
The benefits of taking an intent-based approach to detecting Business Email Compromise
There are many ways to approach this growing threat, but here's why Talos feels intent-based protection is the best.
Developer account body snatchers pose risks to the software supply chain
Cisco Talos examined several frequently used code repositories. We looked specifically at the security afforded to developer accounts, and how difficult it would be for an attacker to take over a developer account.
Insider Threats: Your employees are being used against you
Over the past six months to a year, we have seen an increasing number of incident response engagements involving malicious insiders and unwitting assets being compromised via social engineering.
Our current world, health care apps and your personal data
In the wake of the U.S. Supreme Court’s ruling in Dobbs v. Jackson Women’s Health Organization that reversed previous interpretations of the 14th amendment on privacy from Roe v. Wade, users of sensitive health apps need to be mindful of the kinds of data these apps keep, sell and share.
Small-time cybercrime is about to explode — We aren’t ready
The cybersecurity industry tends to focus on extremely large-scale or sophisticated, state-sponsored attacks. Rightfully so, as it can be the most interesting, technically speaking. When most people think of cybercrime they think of large-scale breaches because that’s what domin
Ukraine war spotlights agriculture sector's vulnerability to cyber attack
The war in Ukraine has caused massive problems for global food supplies, underscoring the high impact of disruptive events to agriculture entities and related organizations. * The challenges to the Ukrainian agriculture sector imposed by the war--and global ripple effects--have
On the Radar: Is 2022 the year encryption is doomed?
Senior managers responsible for information security should take stock of the encryption algorithms in use within their systems and plan their move to quantum-secure algorithms.
On the Radar: Securing Web 3.0, the Metaverse and beyond
Internet technology evolves rapidly, and the World Wide Web (WWW or Web) is currently experiencing a transition into what many are calling "Web 3.0". Web 3.0 is a nebulous term. If you spend enough time Googling it, you'll find many interpretations regarding what We