Cisco Talos: advanced intelligence for global cyberthreats

Kendall McKay of Cisco Talos shares her thoughts on pinpoint detection, cutting-edge countermeasures, and what cybercriminals may be up to next.

Now celebrating its 10th anniversary, Cisco Talos is among the world’s preeminent threat intelligence detection and response groups. And given the relentless sophistication of today’s cyberthreats, it’s needed more than ever.

Combining cutting-edge technology with an elite team of analysts, Talos gives organizations a detailed picture of threats as they emerge, built right into Cisco products — along with incident response to take fast action when needed.

Fresh off this year’s Black Hat conference in Las Vegas, we spoke with Kendall McKay, Cisco Talos senior intelligence analyst, for her thoughts on today’s top security challenges — and how organizations can meet them.

Thank you, Kendall! What were some key takeaways from Black Hat this year?

It’s incredible to have so many security experts and practitioners in the same place at once. This year, Black Hat was especially memorable because Talos celebrated its 10-year anniversary. Not many people probably know this, but the Talos brand was actually launched at Black Hat in August 2014. It was exciting to be at the conference this year with that backdrop, as we celebrated Talos’ history while also rolling out some new research and findings. 

Can you tell us about some of the most impactful trends Talos published in its quarterly Incident Response report ahead of the show?

Identity is a top concern — last quarter 60 percent of engagements could be tracked back to the use of compromised credentials as the initial access into a customer's environment. Actors are increasingly relying on social engineering attacks to establish trust with their victim and trick them into becoming an unwitting participant in their malicious operations. This includes tactics like business email compromise (BEC), multifactor authentication (MFA) fatigue, and phishing, to name a few. For any security team looking to prevent and detect identity-based attacks, the first step is knowing their current identity infrastructure. This means understanding the lifecycle of any given identity in the corporate environment to help anticipate and detect malicious behavior when it occurs. 

How has the threat landscape evolved over the past few years, particularly when it comes to ransomware?

We have seen a huge influx of novice actors into this space over the last couple years. This is due in large part to leaked source code and builders — essentially the building blocks of ransomware — becoming available online. Now, in many cases, less sophisticated actors are able to use these resources to enter the playing field when they wouldn’t have been able to otherwise. With that, though, comes new challenges, as security experts respond to an increasing number of ransomware variants emerging at a fast pace.

With the increasing frequency of high-profile breaches, what do you see as the most critical areas of focus for organizations looking to protect themselves?

The use of valid accounts is very common. This means that threat actors are obtaining legitimate credentials, logging into valid user accounts, and launching their attacks from there. Cybercriminals can buy stolen credentials on the dark web, and they can also compromise valid accounts by launching brute-force or password-spraying attacks against accounts with weak passwords. This is why it’s essential for organizations to have a strong password management policy in place. Secondly, organizations need to patch. Threat actors still target known vulnerabilities, as much as 10 years old, so applying security updates to systems and applications is critical to preventing adversaries from gaining access to outdated software.

What advice would you give to security teams looking to prevent or detect identity-based attacks, and organizations looking to implement some best practices among their employees?

Multifactor authentication (MFA) is key. We see so many organizations fall victim to attacks that could have been prevented if MFA had been enabled throughout their organization. This is especially true for VPNs and other network devices that can provide a gateway into an organization’s environment. Additionally, it’s important to make sure employees are educated on the most common — and preventable — social engineering attacks. These include things like MFA fatigue, which is when an actor will flood a user’s mobile device with push notifications in hopes of getting them to approve an authentication attempt. Vishing is another technique we see, which is when an actor will impersonate a trusted individual — like an HR or IT representative — to trick the victim into divulging sensitive information over the phone. These types of attacks have a much better chance of being prevented if users are educated about what to look for.
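Editor's note: the two answers above describe password spraying against valid accounts and MFA push fatigue as attacker techniques. The following is an added example from the editor, not code from Cisco Talos or from the interview, showing the simplest detections a security team could run over identity-provider sign-in logs for both patterns. The log layout (timestamp, event kind, user, source IP, outcome), the sample rows, and the thresholds (five distinct accounts or five push prompts within ten minutes) are assumptions for illustration; real telemetry and tuning will differ.

```python
"""Toy detections for password spraying and MFA push fatigue.

Added editorial example, not Talos code. The log format, the sample
rows and the thresholds below are assumptions, not vendor defaults.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in log (assumed generic IdP export:
# timestamp, event kind, user, source IP, outcome). Not real telemetry.
SAMPLE_LOG = [
    # One source IP tries one password against many accounts: a spray.
    ("2024-08-12T09:00:01", "login", "alice", "203.0.113.7", "fail"),
    ("2024-08-12T09:00:09", "login", "bob", "203.0.113.7", "fail"),
    ("2024-08-12T09:00:17", "login", "carol", "203.0.113.7", "fail"),
    ("2024-08-12T09:00:26", "login", "dave", "203.0.113.7", "fail"),
    ("2024-08-12T09:00:33", "login", "erin", "203.0.113.7", "fail"),
    ("2024-08-12T09:00:41", "login", "frank", "203.0.113.7", "fail"),
    ("2024-08-12T09:00:50", "login", "dave", "203.0.113.7", "success"),
    # A user mistyping their own password a few times: not a spray.
    ("2024-08-12T09:02:00", "login", "bob", "198.51.100.5", "fail"),
    ("2024-08-12T09:02:30", "login", "bob", "198.51.100.5", "fail"),
    ("2024-08-12T09:03:00", "login", "bob", "198.51.100.5", "success"),
    # The sprayed password worked for dave; the actor hammers push prompts.
    ("2024-08-12T09:01:00", "mfa_push", "dave", "203.0.113.7", "denied"),
    ("2024-08-12T09:01:40", "mfa_push", "dave", "203.0.113.7", "timeout"),
    ("2024-08-12T09:02:20", "mfa_push", "dave", "203.0.113.7", "denied"),
    ("2024-08-12T09:03:00", "mfa_push", "dave", "203.0.113.7", "timeout"),
    ("2024-08-12T09:03:45", "mfa_push", "dave", "203.0.113.7", "timeout"),
    ("2024-08-12T09:04:30", "mfa_push", "dave", "203.0.113.7", "approved"),
    # bob's single legitimate prompt.
    ("2024-08-12T09:03:05", "mfa_push", "bob", "198.51.100.5", "approved"),
]


def parse_log(rows):
    """Turn raw tuples into dicts with real datetimes, sorted by time."""
    events = [
        {"ts": datetime.fromisoformat(ts), "kind": kind, "user": user,
         "src": src, "outcome": outcome}
        for ts, kind, user, src, outcome in rows
    ]
    return sorted(events, key=lambda e: e["ts"])


def detect_password_spray(events, window=timedelta(minutes=10), min_users=5):
    """Flag source IPs whose login failures hit >= min_users distinct
    accounts inside any window-length span. Returns {src_ip: sorted users}.
    Per-account lockout never fires on a spray, which is why the pivot is
    the source, not the user."""
    by_src = defaultdict(list)
    for e in events:
        if e["kind"] == "login" and e["outcome"] == "fail":
            by_src[e["src"]].append(e)
    alerts = {}
    for src, fails in by_src.items():       # fails are already time-ordered
        for i, start in enumerate(fails):
            users = {f["user"] for f in fails[i:]
                     if f["ts"] - start["ts"] <= window}
            if len(users) >= min_users:
                alerts[src] = sorted(users)
                break
    return alerts


def detect_mfa_fatigue(events, window=timedelta(minutes=10), min_prompts=5):
    """Flag users who received >= min_prompts push prompts inside a window,
    and record whether the burst ended in an approval (the actor's goal)."""
    by_user = defaultdict(list)
    for e in events:
        if e["kind"] == "mfa_push":
            by_user[e["user"]].append(e)
    alerts = {}
    for user, pushes in by_user.items():
        for i, start in enumerate(pushes):
            burst = [p for p in pushes[i:] if p["ts"] - start["ts"] <= window]
            if len(burst) >= min_prompts:
                alerts[user] = {
                    "prompts": len(burst),
                    "approved": any(p["outcome"] == "approved" for p in burst),
                    "sources": sorted({p["src"] for p in burst}),
                }
                break
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("password spray:", detect_password_spray(evs))
    print("mfa fatigue:", detect_mfa_fatigue(evs))
```

On the sample log the spray rule fires for 203.0.113.7 (six accounts in under a minute) but not for bob's three failures from his own address, and the fatigue rule fires for dave with an approval at the end of the burst, which is the case worth paging on: the attacker now holds a valid, MFA-satisfied session. In practice these two alerts should be correlated, since a fatigue burst from the same source that just sprayed successfully is far more telling than either signal alone.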

Talos is celebrating its 10-year anniversary — can you reflect on some of the most significant achievements or milestones the team has reached during this time? What makes Talos one of the most trusted threat intelligence research teams on the globe?

It’s impressive to look back on the last decade of work and consider the impact that Talos has had on the cybersecurity community. We’ve done some really amazing work, from reporting on notorious ransomware gangs and high-profile state-sponsored actors, to capturing broader changes in the landscape in products like our quarterly Talos Incident Response blog and annual Year in Review report. One of the most meaningful projects I had the privilege to work on was “Project Powerup,” an effort we led to develop — and implement — a technical solution to fortify Ukraine’s power grid in the face of Russian attacks. It’s stories like these that underscore Talos’ commitment to helping our customers, keeping people safe, and doing the right thing.   

Can you share a particularly challenging or memorable threat that you’ve encountered and how your team managed it?

Volt Typhoon is the first one that comes to mind. This is a sophisticated state-sponsored actor that is intent on compromising U.S. critical infrastructure. They are very hard to detect because of the types of techniques they use, which makes them even more concerning. The U.S. government and private sector have been very concerned about Volt Typhoon, especially this year, and at Talos, we’ve adopted an all-hands-on-deck approach to tracking, monitoring, and reporting on this actor. This includes having a dedicated team of analysts working the issue, expanding our engagement with customers and partners, and learning as much as we can about the actor so that we can improve Cisco’s defenses.

How do you think the cybersecurity landscape will change over the next 3-5 years, and how will Talos’ strategy evolve to reflect those shifts?

It’s hard to say exactly how it will change because it’s such a dynamic space. As new technologies emerge, threat actors’ tactics will change too. This is especially true in the social engineering space. For example, threat actors are already using AI to create more believable phishing emails, and cybercriminals were also quick to adopt the use of QR codes in their malicious operations as well. On the flip side, adversaries continue to use older, well-known tactics that continue to work for them, like exploiting known vulnerabilities and leveraging tools and utilities that are already present on the victim endpoint, which helps them hide amongst legitimate activity. Talos’ strategy stays pretty consistent through all of this — with our breadth of threat-actor knowledge, we’re able to think strategically about the landscape and position ourselves to respond quickly when new changes emerge.