Cisco Talos, the value of proactive cybersecurity

The ongoing health crisis has uncovered a wide range of issues that businesses at global level, of all types and sizes, have had to face in order to keep up their productivity. Just think of the various national lockdowns and the resulting boom in remote access to company networks, given the impossibility of going to the office. Today’s technology has made this easy, but it has raised many doubts and criticisms about how to preserve security in a scenario detached from fixed time and place, in the manner of a “liquid” business.

Nowadays one side effect of Covid-19 is a heightened sense of how exposed the information in companies’ possession is: it must be defended not only inside the company perimeter but also outside it, in multiple contexts. If we once talked about BYOD, referring to a worker’s opportunity to use a personal device for professional purposes as well, today that concept is back in force, requiring IT departments to pay special attention to security issues.

Being proactive and resilient

Cybersecurity threat analysis is a changing industry, with companies focusing primarily on threat mitigation at endpoints. But we need to go one step further: we have to address not just the device itself, but the ecosystem in which it is embedded. One of the most important teams in the world active in this field is Cisco Talos, a group of world-class researchers, analysts and engineers that is part of Cisco Systems. From a cybersecurity perspective, Cisco Talos is a unique entity. Working inside one of the biggest IT organizations on the global scene, Talos provides superior protection to customers through products and services.

The group is focused on seven key areas: Threat Intelligence & Interdiction, Detection Research, Engineering & Development, Vulnerability Research & Discovery, Communities, Global Outreach and Incident Response, each of which is renewed periodically to keep pace with changing threats. More than 350 researchers, analysts, engineers, linguists, developers, and other operators work around the clock, worldwide, for Cisco Talos, digging deep into threats, monitoring malicious actors, creating and distributing detection data, and adding deep and meaningful context to intelligence. Its advanced analytics infrastructure automatically analyzes samples and quickly generates detection content to mitigate threats as they occur. The volume of coverage created by Talos and the speed with which information is shared are made possible by the technology deployed.

New challenges in the Covid-era

In response to the growing number of attacks since the outbreak of the Coronavirus pandemic, Cisco Talos experts have identified three categories of attacks that exploit Covid-19, including those run by APT groups: malware and phishing campaigns using Covid-themed decoys; attacks against organizations that carry out research and work related to Covid; and fraud attempts that exploit misinformation.

Talos detects and blocks malicious domains, spam and phishing attacks in cooperation with national law enforcement agencies. It has also intensified its information-sharing activities with clients and partners through the AEGIS programme and collaboration with the Cyber Threat Alliance (CTA). In particular, the Awareness, Education, Guidance, and Intelligence Sharing programme was created specifically to interact with Cisco customers and partners to help solve custom detection challenges in specialized environments.

One element that sets Cisco Talos apart from the competition is the work it does not so much to respond to existing threats as to protect against new and emerging ones. Talos is constantly looking for new vulnerabilities that may be of interest to companies. When they are discovered, the team strengthens coverage of zero-day vulnerabilities by contacting the affected vendors, who need to develop and test patches. During this time, Talos engineers track and monitor the spread of the threat using global protections while waiting for vendor-specific protections. Talos places malicious websites, botnets and command-and-control servers on blacklists shared with customers and partners in order to make the Internet a safer place.

Talos’ investigations take place in several stages, first examining email-based campaigns and then pivoting to open-source intelligence sources for further samples. The most recent ones have brought to light a number of campaigns based on an Emotet malware strain, along with a number of other families using Covid-19-themed topics as bait. What struck Cisco Talos was the number of messages carrying Word documents and Excel spreadsheets related to the Coronavirus as the vehicle of infection. This underscores why such techniques are still in vogue after decades: they target the moment that organizations and individuals are living through. Lowering one’s guard just for a moment can be fatal.

Also on the subject of Emotet, for the fifth consecutive quarter Cisco Talos Incident Response (CTIR) observed the rise of commodity malware alongside a rush of ransomware launches in the corporate world. Cisco Talos Incident Response is a comprehensive suite of proactive and emergency services, with 24-hour emergency response capability and direct access to advanced defence solutions. According to CTIR surveys published in September, the main infections in the second half of 2020 were related to Ryuk, Maze, LockBit and Netwalker, all of them ransomware. Interestingly, 66% of all ransomware attacks involved the Cobalt Strike framework, a platform typically used by security teams to simulate attacks in so-called penetration tests. This suggests that criminals are increasingly relying on the same prevention tools used by security companies.

Companies must be safe

The work of Cisco Talos’ experts attempts to predict where malware will go instead of chasing it. It is no coincidence that in February 2020, before the global health crisis, the team presented new security solutions for heavy industry. The goal was to provide visibility across IoT and OT environments, protecting industrial processes, with a platform that collects and extracts data from the IoT edge so that companies can be more efficient and make informed decisions. The innovations are focused on Cisco Cyber Vision, a security software solution that automatically detects industrial assets through Cisco Industrial IoT (a.k.a. IIoT). Cyber Vision analyzes traffic from connected devices, creates segmentation policies in Cisco ISE and DNA Center to prevent intrusion into operating environments, and is enhanced by updates from the entire Threat Intelligence team. Fully integrated with enterprise networking, Cisco Edge Intelligence simplifies data extraction at the edge of the network and optimizes transmission to multi-cloud and on-premise destinations, helping companies become more competitive and better manage data across all critical aspects of its lifecycle.

Antonino Caffo has been involved in journalism, particularly technology, for fifteen years. He is interested in topics related to the world of IT security but also consumer electronics. Antonino writes for the most important Italian generalist and trade publications. You can see him, sometimes, on television explaining how technology works, which is not as trivial for everyone as it seems.