Cisco Talos is one of the largest and most effective threat intelligence organizations in the world, and its Talos Year in Review speaks volumes about the current trends and future threats defenders can expect to see in the coming year.
To learn more about this year’s report, and what organizations can do to counter what’s coming, we spoke with David Liebenberg, head of Strategic Analysis for Cisco Talos.
Thank you, Dave! Maybe we could start with a quick overview of Cisco Talos, and your role there.
Thanks, Kevin. As part of Talos, I contribute to Cisco's threat intelligence work. Talos's work includes protecting customers from threats, discovering vulnerabilities, and going out and interdicting adversaries. Within Talos, I run a group called Strategic Analysis. We analyze the most impactful adversaries and trends in the threat landscape. And we produce a number of internal and external intelligence products, including the Year in Review.
What are the goals of the Talos Year in Review?
Cybersecurity is a very fast-moving field. So, taking the time to conduct retrospective analysis helps put those changes in context and can also help anticipate future developments. My team reviews the vast treasure trove of telemetry and expertise we have here at Cisco to tell a comprehensive story of the major adversaries we dealt with in 2023, and the key themes and trends that will define the coming year as well.
Once again, ransomware emerged as a major threat this year. What are some key trends in ransomware?
Yeah, so ransomware is truly an evergreen threat, as this report illustrates. In terms of adversaries, LockBit remains the most active group, which was the same as last year. And they are up there with ALPHV, Clop, and BianLian. Those are the four main groups that we saw. One interesting trend: Clop showed how well-resourced they are. They exploited several zero-day vulnerabilities in a variety of different platforms. That's something we typically associate with an APT (advanced persistent threat).
Extortion emerged as a bigger threat in 2023. Could you explain that trend?
Yes, a lot of well-established ransomware groups, Babuk, BianLian, and Clop to name a few, are moving into these pure extortion plays. So, they're not actually encrypting anything; they're just stealing data and threatening to leak it. In Q2 2023, this type of pure extortion event comprised nearly a third of everything we saw in incident response and surpassed even ransomware for that quarter. Also, these big ransomware groups have had their builders and their payloads leaked, which has allowed less sophisticated adversaries to take that, modify it, and then create and deploy their own ransomware payloads.
Which initial access vectors were exploited most in 2023?
It can sometimes be difficult to pinpoint with 100 percent accuracy what the initial access actually was. But according to our incident-response data, the top three initial access vectors included the exploitation of vulnerabilities in public-facing applications; the use of compromised credentials or valid accounts; and phishing.
To what extent are older infrastructures being targeted and exploited?
We found in this report that threat actors are consistently exploiting older software vulnerabilities in common applications. And some of the most popular vulnerabilities we saw targeted were more than 10 years old. It basically underscores that organizations must implement a healthy and effective patching program.
They like to exploit low-hanging fruit, don’t they?
Yes, adversaries are only going to innovate as much as they need to. So, you're going to continue to see older vulnerabilities and older infrastructure targeted and used as a pivot point to get into the network. Obviously, a modernized network is the best response. But again, even older equipment, if you patch it correctly, you’ll have a better chance.
What responsibility do individual workers or company cultures have?
Individual workers and company culture can definitely contribute to a healthier cybersecurity ecosystem. For individuals, it means complying with company security policies, avoiding password reuse and simplistic passwords, taking proper precautions when working remotely, and remaining very vigilant against social-engineering attacks. For company culture, it means conducting frequent training and testing. And it’s very important that people who are in charge of internal security and security operations are able to effectively influence company policy.
What are some key measures that those security experts should recommend?
Well, for example, they should institute things like multifactor authentication and network segmentation. Segmentation is essential. You want to block off your high-value assets as much as possible. And you want to really make sure that access and credential management and all those pieces are secure. Also, an incident response plan is essential — so that you can effectively respond to an incident without coming up with a plan on the spot.
Gen AI is playing an increasing role in things like social engineering attacks. And it's also enabling new defenses. What is the state of the AI arms race?
It's a burgeoning development that we're definitely continuing to monitor. It's adding new complexities and dimensions to those classic security issues that we already respond to. You mentioned social engineering. That's absolutely top of mind for me when I'm thinking of AI, because it can enable threat actors to craft really sophisticated, compelling and targeted lures. On the other hand, as you mentioned, there are applications for AI in cybersecurity as well. At Talos, we've researched machine-learning models that can help detect business email compromise. And we've used machine learning to help detect online disinformation. So, there are big opportunities for the defenders as well.
Any additional predictions for 2024?
Ransomware continuing is a safe bet. So, I'll start with that. And commodity loaders, they’re not going anywhere. That’s a type of tool that can be bought on the dark web or open markets. They were on the rise in 2023, and that should continue.
One of the most popular commodity loaders that we've seen is Qakbot, which was actually disrupted this year. And typically, when this happens, a new variant will step in. With Qakbot’s disruption, we could see new commodity loaders emerge. And then for advanced persistent threats, we’re going to continue to see Ukraine being targeted by Russia-affiliated actors and China-affiliated actors improving their skills and targeting entities related to critical infrastructure and critical services in areas of strategic importance.
Given all that, are you optimistic about 2024?
Actually, I am. There are bright points in 2023 that gave me optimism. The intensity and increase in skills in advanced actors is being completely matched by the innovation and collaborative spirit of defenders. There’s just so much collaboration happening across the industry. Things like the Cyber Threat Alliance where we connect Talos and Cisco with other cybersecurity companies to tackle threats together. And we have the Network Resilience Coalition. We’ve discovered new threat actors and helped defend a bunch of different organizations from attacks, including in Ukraine. We’ve achieved a ton of success, stopping bad guys wherever we can.