Feature Story

Cisco Talos: On the front lines of an ever-changing cyberthreat landscape

Talos leader Vanja Svajcer shares what a “day in the life” of a Cisco threat researcher is like.

A great cybersecurity portfolio demands relentless innovation, with products and solutions that meet the challenges of a constantly evolving threat landscape. But it also requires deep research, with up-to-the-minute insights derived from a vast breadth of data on current and emerging threats.

Cisco Talos is one of the largest and most trusted security research organizations in the world. It uses advanced machine learning algorithms to plumb reams of data from Cisco’s networks, customers, and partners around the world. And it employs some of the most sophisticated and experienced analysts and researchers of any such team.

To find out more about Talos’ talent, innovations, and impact in the global security community, we spoke with Vanja Svajcer, a Talos threat research leader based in Zagreb, Croatia.

Q. Can you tell us about your role and describe what a “day in the life” of a Cisco threat researcher is like?

A. The role of a threat researcher in a world-class cyberthreat intelligence organization such as Cisco Talos is challenging but exciting and rewarding.

My mission, together with all my colleagues from Talos, is to protect users of Cisco products from all existing and emerging security threats. I start my day with an overview of threats and threat actor activities that have been caught in our widespread network of sensors and the rules we use for tracking.

Attackers typically execute their attacks using multiple stages in an attack chain. This provides us with an opportunity to protect our users by breaking this chain at any stage before the final malicious payload is delivered.

For successful protection and discovery of new threats, we need to look at all the available data on all levels and platforms, starting from the network traffic, such as DNS requests, HTTP(S) traffic, and email messages all the way to the suspicious command lines executing on endpoints. These may indicate that the attackers are attempting to execute the final attack payload.

Most of the systems for hunting are built by Cisco teams, such as the Cisco Secure Endpoint Telemetry Platform, but we also use community threat intelligence sources such as VirusTotal.

Most of the newly discovered threats and attacks will already be detected by our products, and no intervention will be required. However, it’s impossible to achieve 100 percent protection against all emerging threats. It’s these new threats that are the focus of my personal research and that of my team within Talos.

Q. How do you respond to those emerging threats?

A. When we find an unknown threat, or an existing threat actor significantly changes its tactics, techniques, and procedures to evade detection, we analyze the threat and the threat actor to understand their objectives and to create new rules to protect our customers, such as Snort rules that are deployed into Cisco Secure Firewall, or behavioral detections that can identify suspected malicious behavior in our Cisco Secure Endpoint products.

At the same time, we dive into the details of the threat and document its functionality. We publish our findings to the global threat research community and the public in blog posts, conference papers, and lists of so-called indicators of compromise (IoCs). IoCs allow everyone in the community to find those threats and develop detection for their own organizations. A successful fight against sophisticated threat actors requires coordination of the global threat research community, even if we sometimes compete with different products.
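The two ideas in the answers above, breaking the attack chain at any stage (DNS, HTTP(S), email, endpoint command lines) and sharing IoCs so others can build their own detection, fit together in a small sweep. The following Python is an added illustration written for this page, not Talos tooling or anything Cisco ships: the IoC values (an example.net domain, an RFC 5737 test address, a placeholder SHA-256) and the log lines are constructed, the key=value log format is assumed, and the PowerShell command-line pattern is the author's own approximation of a "behavioral" indicator.

```python
"""Added example: sweep three telemetry layers for IoCs and report the
earliest attack-chain stage at which the intrusion could have been blocked.
All indicator values and log lines below are constructed for illustration."""
import re
from dataclasses import dataclass

# Constructed IoC set (hypothetical: example.net domain, RFC 5737 test IP,
# and a placeholder SHA-256; none of these come from a real Talos report).
IOCS = {
    "domain": {"update-check.example.net"},
    "ip": {"203.0.113.45"},
    "sha256": {"9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"},
}

# Behavioural indicator (author's own pattern): PowerShell launched with an
# encoded command, a common loader stage before the final payload runs.
SUSPICIOUS_CMDLINE = re.compile(
    r"powershell(\.exe)?\b.*-(e|enc|encodedcommand)\b", re.IGNORECASE)

# Order in which the telemetry sources see a multi-stage intrusion.
STAGE_ORDER = ["dns", "http", "endpoint"]

# Assumed log format: space-separated key=value pairs, values may be quoted.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_kv(line):
    """Parse 'k=v k2="quoted value"' into a dict, stripping quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


@dataclass(frozen=True)
class Hit:
    stage: str           # which telemetry layer fired
    indicator_type: str  # domain / ip / sha256 / cmdline
    indicator: str       # the matched value
    line: str            # the raw log line, for the analyst


def sweep(dns_logs, http_logs, endpoint_logs):
    """Match each telemetry layer against the IoC set; return all hits."""
    hits = []
    for line in dns_logs:
        query = parse_kv(line).get("query", "").lower().rstrip(".")
        if query in IOCS["domain"]:
            hits.append(Hit("dns", "domain", query, line))
    for line in http_logs:
        fields = parse_kv(line)
        if fields.get("dst") in IOCS["ip"]:
            hits.append(Hit("http", "ip", fields["dst"], line))
        digest = fields.get("sha256", "").lower()
        if digest in IOCS["sha256"]:
            hits.append(Hit("http", "sha256", digest, line))
    for line in endpoint_logs:
        cmd = parse_kv(line).get("cmd", "")
        if SUSPICIOUS_CMDLINE.search(cmd):
            hits.append(Hit("endpoint", "cmdline", cmd, line))
    return hits


def earliest_stage(hits):
    """First stage in chain order with a detection, or None if nothing fired."""
    seen = {h.stage for h in hits}
    return next((s for s in STAGE_ORDER if s in seen), None)


# Constructed sample telemetry for one workstation (not real data).
DNS_LOGS = [
    "2024-05-01T10:00:01Z client=10.0.0.12 query=www.example.com type=A",
    "2024-05-01T10:00:02Z client=10.0.0.12 query=update-check.example.net. type=A",
]
HTTP_LOGS = [
    "2024-05-01T10:00:03Z src=10.0.0.12 dst=203.0.113.45 "
    "url=http://update-check.example.net/s.ps1 "
    "sha256=9F86D081884C7D659A2FEAA0C55AD015A3BF4F1B2B0B822CD15D6C15B0F00A08 status=200",
]
ENDPOINT_LOGS = [
    '2024-05-01T10:00:05Z host=ws12 user=alice '
    'cmd="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -nop -w hidden -enc SQBFAFgA"',
    '2024-05-01T10:00:06Z host=ws12 user=alice cmd="notepad.exe report.txt"',
]

if __name__ == "__main__":
    found = sweep(DNS_LOGS, HTTP_LOGS, ENDPOINT_LOGS)
    for h in found:
        print(f"[{h.stage}] {h.indicator_type}: {h.indicator}")
    print("chain could be broken at stage:", earliest_stage(found))
```

Each layer is matched independently, so a partial IoC list still gives coverage: if the domain was unknown at the time, the hash or the encoded PowerShell launch still fires. The stage ordering makes the point in the answer explicit, the earlier the hit, the less of the chain ran.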

Q. How does your work with Talos directly impact customers?

A. A direct impact on our customers can be seen in the level of protection provided by Cisco Secure products, which is second to none. From endpoints, across the network, and out to cloud platforms, our threat intelligence data is shipped together with Cisco security products and constantly updated.

We create the detection rules that identify malicious behavior on the network, block suspicious inbound and outbound traffic based on the latest IP, URL, and domain information, as well as stop malware files from downloading and infecting your environment.

The Talos Vulnerability Research team conducts research to find security vulnerabilities in the most popular open and closed software and hardware products. When we discover a new vulnerability, we work with the product vendor on patching the vulnerability and responsibly disclosing information about it to the public.

At the end of the day, we feel very happy knowing that our work is directly responsible for stopping thousands of new threats, while allowing our customers to continue with their day-to-day operations without a security breach.

Q. What if a security breach does occur? How can you help then?

A. During a security incident, the Talos Incident Response team is ready to assist, whether you use Cisco or third-party products. We combine the latest methodologies with world-class expertise to successfully resolve incidents when they happen. The Talos Incident Response team works closely with other teams within Talos to provide threat intelligence and contextual information to affected organizations. That allows them to quickly assess the impact of the breach and take the right steps to restore their operations.

Q. And how does Talos benefit the wider security community?

A. Talos is committed to maintaining some of the most popular open-source security engines such as ClamAV and Snort. Both of those engines have a large user community that also contributes to their development. This is the beauty of open-source software.

In addition, we regularly use our website talosintelligence.com to provide free information to the wider community.

Q. How has threat research evolved in recent years?

A. Most of the work is automated these days, so researchers can focus on the most important and relevant threats that require human analysis. And the tools have significantly improved. We have internally developed tools that help us with analysis, especially in the areas of big-data correlation, contextual awareness, and machine learning.

There are also tools that are available to all researchers free of charge. Probably the best example of this is Ghidra, a software reverse-engineering platform open sourced by the U.S. National Security Agency. It has given thousands of individual researchers access to a top-quality analysis platform free of charge.

Q. How is Cisco’s approach to threat research and intelligence continuing to evolve?

A. We are constantly reevaluating our toolset, processes, and organization so we can continue to keep the efficacy of our products on the highest possible level and keep all Cisco Secure customers protected and happy.

This includes adding more contextual data to our threat intelligence, spotting trends and staying on top of new threats, like supply chain vulnerabilities. We also look forward to new strategies around dealing with encrypted traffic and threat actor evolutions, like ransomware actors who encrypt and extract for extortion purposes.

We constantly investigate new ways of making our work more effective. It may sound like a cliché, but I have never worked with a more talented group of people and never had more confidence in a leadership team.

Q. There are plenty of new threats and challenges on the horizon, especially as hackers continue to grow more sophisticated. What is your best-case scenario for security in the next few years?

A. We often hear about the increased sophistication of threats and the lack of qualified experts working in cybersecurity. But it's also good to ask why the attacks keep getting more complex.

The answer is that we are getting much better at defending against those attacks: from more security-aware software developers and security features in operating systems to increasingly effective protection platforms, processes, and, yes, better-equipped experts.

Unfortunately, the threats will not go away, and we will have to constantly address new attacks as they emerge. But my hope is that in the future we will only be concerned with the most advanced attackers, because our defenses will be too difficult for the commodity and cybercrime threat groups that are operating today.