
The 3 most common post-compromise tactics on network infrastructure

7 March 2024 at 15:00

We’ve been discussing networking devices quite a lot recently and how Advanced Persistent Threat actors (APTs) are using highly sophisticated tactics to target aging infrastructure for espionage purposes. Some of these attacks are also likely prepositioning the APTs for future disruptive or destructive attacks. 

Talos has also observed several ransomware groups gaining initial access to networking devices to extort their victims. We wrote about these attacks in our 2023 Year in Review report. 

The mechanisms and methodology behind these two groups are drastically different, but no less concerning. This is partly because networking devices offer a great deal of access to an attacker. If you can compromise a router, you are highly likely to have a point of ingress into that network.  

These attacks are largely being carried out on aging network infrastructure; devices that have long since gone end-of-life, and/or have critical unpatched vulnerabilities sitting on them. Many of these older devices weren’t designed with security in mind. Traditionally, network infrastructure has sat outside of security’s ecosystem, and this makes monitoring network access attempts increasingly difficult. 

Adversaries, particularly APTs, are capitalizing on this scenario to conduct hidden post-compromise activities once they have gained initial access to the network. The goal here is to give themselves a greater foothold, conceal their activities, and hunt for data and intelligence that can assist them with their espionage and/or disruptive goals. 

Think of it like a burglar breaking into a house via the water pipes. They’re not using “traditional” methods such as breaking down doors or windows (the noisy smash-and-grab approach) — they’re using an unusual route, because no one ever thinks their house will be broken into via the water pipes. Their goal is to remain stealthy on the inside while they take their time to find the most valuable artefacts (credit to my colleague Martin Lee for that analogy). 

In this blog, we explore how we got here, and the different approaches of APTs vs ransomware actors. We also discuss three of the most common post-compromise tactics that Talos has observed in our threat telemetry and Cisco Talos Incident Response (Talos IR) engagements. These include modifying the device’s firmware, uploading customized/weaponized firmware, and bypassing security measures. 

How we got here

There is a rich history of threat actors targeting network infrastructure — the most notorious example being VPNFilter in 2018. The attack was staged, but potential disaster was averted when the attacker’s command and control (C2) infrastructure was seized by the FBI, preventing the attacker from issuing the final command to take over the devices. 

At the time, we spoke about how VPNFilter was the “wakeup call that alerted the cybersecurity community to a new kind of state-sponsored threat — a vast network of compromised devices across the globe that could stow away secrets, hide the origins of attacks and shut down networks.” 

The techniques used in VPNFilter give us plenty of clues as to possible current threat actor motivations. In the attack, the modular design of the malware allowed for many things to take place post-compromise – one module even allowed the malware to create a giant Tor network out of the 500,000 compromised devices.

A recent attack which may have been inspired by this was the KV Botnet (Lumen released a blog about this in December 2023). The botnet was used to compromise devices including small and home office (SOHO) routers and firewalls and then chain them together, “to form a covert data transfer network supporting various Chinese state-sponsored actors including Volt Typhoon.”  

The Beers with Talos team recently spoke about the KV Botnet and Volt Typhoon, a group widely reported by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), Microsoft and other organizations to be a PRC-based state actor. They have been known to conduct long-term espionage activities and strategic operations that are potentially positioning them for future destructive/disruptive attacks. Listen to the episode below:

In 2019, we saw another type of modular malware that was designed to target network infrastructure: “Cyclops Blink.” This was dubbed the “Son of VPNFilter” because of the similarities to that campaign.

The Cyclops Blink malware was designed to run on Linux systems, specifically for 32-bit PowerPC architecture. It could be used in a variety of ways, including reconnaissance and espionage activity. It leveraged modules to facilitate various activities such as establishment of C2, file upload/download and data extraction capabilities.  

In 2022, Talos wrote about how we had detected compromised MikroTik routers inside of Ukraine being leveraged to conduct brute force attacks on devices protected by multi-factor authentication. This continued the pattern we have seen since our investigation into VPNFilter involving actors using MikroTik routers. 

APTs and cyber criminals have different goals for attacking network infrastructure. APTs want to go in with stealth and hide for espionage purposes. Criminal groups use edge devices as a means to an end for ransomware purposes.

For more insights into the status of attacks on network infrastructure, here is Talos’ Matt Olney and Nick Biasini talking about what Talos has observed over the past 18 months: 

Post compromise tactics and techniques

Compromising the network for persistent access and intelligence capture is a multi-step process that requires a lot of work and expertise in the targeted technologies, which is why we typically only see the most sophisticated threat actors carry out these attacks.

Below are some techniques that Talos has observed post compromise on out-of-date networking equipment, in order to maintain persistent access. We initially discussed these in our threat advisory in April, as well as our 2023 Year in Review, but due to the sophisticated nature of these attacks and the continued exploitation, we wanted to dive deeper into some of these tactics: 

1) Modifying the firmware

Talos has observed APTs modifying network device firmware on older devices to add certain pieces of functionality, which will allow them to gain a greater foothold on the network. This could be adding implants or modifying the way the device captures information.  

An example of this is the recent exploitation of the Cisco IOS XE Software Web Management User Interface. One attack included the deployment of an implant we called “BadCandy,” which consisted of a configuration file (“cisco_service.conf”). The configuration file defined the new web server endpoint (URI path) used to interact with the implant. That endpoint received certain parameters that allowed the actor to execute arbitrary commands at the system or IOS level.

Another example is from September 2023, when CISA wrote about how BlackTech was observed modifying firmware to allow the installation of a modified bootloader which helps it to bypass certain security features (while creating a backdoor to the device). 

Detecting the modification of firmware is extremely difficult for defenders. Occasionally, there may be something in the logs to imply an upgrade and reboot, but turning off logging is usually one of the first steps attackers take once they are inside a network. 

This again highlights the need for organizations to sunset aging network infrastructure that isn’t secure by design, or, at the very least, to increase cybersecurity due diligence, such as configuration management, on older equipment. Performing configuration comparisons against a known-good baseline may help to highlight when firmware or configuration has been altered by an adversary.

2) Uploading customized/weaponized firmware

If threat actors cannot modify the existing firmware, or they need additional levels of access that they don’t currently have, adversaries can upload customized firmware, or old firmware that they know has working exploits against it (in effect, reverting to an older version of the firmware).

Once the weaponized firmware has been uploaded, they reboot the device, and then exploit the vulnerability that is now unpatched. This now provides the threat actor with a box that can be modified with additional functionality, to exfiltrate data, for example. 

Again, as with the modification of firmware tactic, it’s important to check your network environment for unauthorized changes. These types of devices need to be watched very closely, as threat actors will want to try and prevent system administrators from seeing the activity by turning off logging. If you’re looking at your logs and it looks like someone has actually turned off logging, that is a huge red flag that your network has been infiltrated and potentially compromised. 

3) Bypassing or removing security measures

Talos has also seen threat actors take measures to remove anything blocking their access to fulfil their goals. If for example they want to exfiltrate data, but there’s an access control list (ACL) that blocks the actor from being able to access the host, they may modify the ACL or remove it from the interface. Or they may install operating software that knows to not apply ACLs against certain actor IP addresses, regardless of the configuration. 

Other security measures that APTs will attempt to subvert include disabling remote logging, adding user accounts with escalated privileges, and reconfiguring SNMP community strings. SNMP is often overlooked, so we recommend having good, complex community strings and upgrading to SNMPv3 where possible. Ensure that your management of SNMP is only permitted to be done from the inside and not from the outside.  

The BadCandy campaign is a good example of how an actor can remove certain security measures. The adversary was able to create miniature servers (virtualized computers) inside of compromised systems which created a base of operations for them. This allowed the threat actors to intercept and redirect traffic, as well as add and disable user accounts. This meant that even if the organization were to reboot the device and erase the active memory, the adversary would still have persistent accounts – effectively a consistent back door.  
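The three tactics above share a common defender signal: the device configuration changes in ways an administrator did not make. The following is an added example (not code from Talos or from any Cisco product) that compares a saved, known-good configuration against the current one and flags the specific changes the sections above call out: logging switched off or remote logging removed, a new privileged account, an ACL removed from an interface, a v1/v2c SNMP community string appearing, and an unrecognised tunnel interface. Both configurations are constructed, IOS-style samples for a hypothetical device.

```python
"""
Flag suspicious configuration drift on a network device by comparing a
known-good saved configuration with the current running configuration.

Both configurations below are constructed, IOS-style samples for a
hypothetical device (RFC 5737 / private addresses, placeholder hashes);
nothing here is taken from a real incident.
"""
import re
from typing import Dict, List, Set, Tuple

# Constructed known-good baseline (hypothetical device).
BASELINE_CONFIG = """\
hostname edge-rtr-1
logging on
logging host 10.0.0.5
username netops privilege 15 secret 9 $9$PLACEHOLDERHASH
snmp-server group MONITOR v3 priv
ip access-list extended MGMT-IN
 permit tcp 10.0.0.0 0.0.0.255 any eq 22
 deny ip any any
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 ip access-group MGMT-IN in
!
"""

# Constructed current config exhibiting the drift a defender should catch.
CURRENT_CONFIG = """\
hostname edge-rtr-1
no logging on
username netops privilege 15 secret 9 $9$PLACEHOLDERHASH
username svc_backup privilege 15 secret 9 $9$OTHERPLACEHOLDER
snmp-server community public RW
snmp-server group MONITOR v3 priv
ip access-list extended MGMT-IN
 permit tcp 10.0.0.0 0.0.0.255 any eq 22
 deny ip any any
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
interface Tunnel99
 ip address 10.99.99.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.77
!
"""

Sections = Dict[str, Set[str]]


def parse_config(text: str) -> Sections:
    """Split an IOS-style config into {stanza: set(lines)}.

    Top-level lines live under the '' key; indented lines are attached to
    the preceding top-level line (an 'interface ...' or ACL stanza).
    """
    sections: Sections = {"": set()}
    stanza = ""
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue  # blank lines and '!' separators carry no configuration
        if raw.startswith(" "):
            sections.setdefault(stanza, set()).add(raw.strip())
        else:
            stanza = raw.rstrip()
            sections[""].add(stanza)
            sections.setdefault(stanza, set())
    return sections


def diff_configs(old: Sections, new: Sections) -> Tuple[List[Tuple[str, str]], List[Tuple[str, str]]]:
    """Return ([(stanza, line) added], [(stanza, line) removed])."""
    added, removed = [], []
    for stanza in sorted(set(old) | set(new)):
        before, after = old.get(stanza, set()), new.get(stanza, set())
        added += [(stanza, line) for line in sorted(after - before)]
        removed += [(stanza, line) for line in sorted(before - after)]
    return added, removed


# (category, applies to added lines?, line pattern, required stanza prefix)
RULES = [
    ("LOGGING_DISABLED", True, r"no logging", ""),
    ("REMOTE_LOGGING_REMOVED", False, r"logging host ", ""),
    ("NEW_PRIVILEGED_USER", True, r"username \S+ privilege 15", ""),
    ("SNMP_V1V2C_COMMUNITY", True, r"snmp-server community ", ""),
    ("NEW_TUNNEL_INTERFACE", True, r"interface Tunnel", ""),
    ("ACL_REMOVED_FROM_INTERFACE", False, r"ip access-group ", "interface "),
]


def assess_drift(baseline_text: str, current_text: str) -> List[Tuple[str, str, str]]:
    """Return (category, stanza, line) for every change that matches a rule."""
    added, removed = diff_configs(parse_config(baseline_text), parse_config(current_text))
    findings = []
    for category, on_added, pattern, stanza_prefix in RULES:
        for stanza, line in (added if on_added else removed):
            if stanza.startswith(stanza_prefix) and re.match(pattern, line):
                findings.append((category, stanza, line))
    return findings


if __name__ == "__main__":
    for category, stanza, line in assess_drift(BASELINE_CONFIG, CURRENT_CONFIG):
        where = f" [{stanza}]" if stanza else ""
        print(f"{category}{where}: {line}")
```

Run against the two samples it reports six findings, one per tactic the text describes; run against identical configs it reports nothing, which is the state a periodic baseline comparison should normally be in.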

Additional campaign objectives

In our original threat advisory, we also posted a non-exhaustive list of the types of activities Talos has observed threat actors take on network infrastructure devices. The point is that threat actors are taking the type of steps that someone who wants to understand (and control) your environment would take.

Examples we have observed include threat actors performing a “show config,” “show interface,” “show route,” “show arp table” and a “show CDP neighbor.” All these actions give the attackers a picture of a router’s perspective of the network, and an understanding of what foothold they have. Other campaign objectives include: 

  • Creation of hub-and-spoke VPNs designed to allow the siphoning of targeted traffic from network segments of interest through the VPN. 
  • The capture of network traffic for future retrieval, frequently limited to specific IPs or protocols. 
  • The use of infrastructure devices to deliver attacks or maintain C2 in various campaigns. 
Read more about campaign objectives 

Recommendations

The first thing to say when it comes to recommendations is that if you are using network infrastructure that is end of life, out of support, and now has vulnerabilities that cannot be patched, now really is the time to replace those devices.  

To combat the threat of aging network infrastructure as a target, Cisco became a founding member of the Network Resilience Coalition. Along with other vendors in this space and key governmental partners, the group is focussed on threat research and recommendations for defenders. The initial report from the Network Resilience Coalition was published at the end of January 2024 and contains a broad set of recommendations for both consumers of networking devices and product vendors. 

Earlier this month, Cisco’s Head of Trust Office Matt Fussa wrote about how organizations should view these recommendations, and the overall threat that end-of-life network infrastructure poses on a national security level.  

The report from the Network Resilience Coalition contains an in-depth set of recommendations for network infrastructure defense. Here is a brief summary:

Key recommendations from the report for network product vendors include: 

  • Align software development practices with the NIST Secure Software Development Framework (SSDF). 
  • Provide clear and concise details on product “end-of-life,” including specific date ranges and details on what support levels to expect for each. 
  • Separate critical security fixes for customers and do not bundle those patches with new product features or functionality changes.
  • Get involved in the OpenEoX effort in OASIS, a cross-industry effort to standardize how end-of-life information is communicated and provide it in a machine-readable format. 

Purchasers of network products should: 

  • Favor vendors that are aligned with the SSDF, provide you with clear end-of-life information, and provide you with separate critical security fixes. 
  • Increase cybersecurity diligence (vulnerability scanning, configuration management) on older products that are outside of their support period. 
  • Periodically ensure that product configuration is aligned with vendor recommendations, with increasing frequency as products age, and ensure implementation of timely updates and patches. 

As the report says, “These recommendations, if broadly implemented, would lead to a more secure and resilient global network infrastructure and help better protect the critical infrastructure that people rely on for their livelihood and well-being.”  

From a Talos perspective, we are keen to re-emphasize this point and help our customers transition from equipment that has become end-of-life. Using networking equipment that has been built with secure-by-design principles such as running secure boot, alongside having a robust configuration and patch management approach, is key to combatting these types of threats. Ensure that these devices are being watched very carefully for any configuration changes and patch them promptly whenever new vulnerabilities are discovered. 

Proactive threat hunting is also one of the ways that organizations can root out visibility gaps and hints of incursion. Look for things like VPN tunnels, or persistent connections that you don't recognise. This is the type of thing that will be left in an attack of this nature.  

And finally, post-compromise activity by definition means that the attacker had already gained some form of credentials to get them to the place where they could then launch the exploit and get deeper access to the device.

Our recommendations are to select complex passwords and community strings, use SNMPv3 or subsequent versions, utilize MFA where possible, and require encryption when configuring and monitoring devices. Finally, we recommend locking down and aggressively monitoring credential systems like TACACS+ and any jump hosts. 

Additional resources

State-sponsored campaigns target global network infrastructure (Talos blog)  

Network Resilience: Accelerating Efforts to Protect Critical Infrastructure (Cisco blog) 

Network Resilience Coalition: Full report 

Securing Network Infrastructure Devices (CISA) 

The VPN Filter catastrophe that wasn’t 

Cisco Trust Center: Network Resilience 

How are user credentials stolen and used by threat actors?

6 February 2024 at 08:30

You’ve no doubt heard the phrase, “Attackers don’t hack anyone these days. They log on.” 

By obtaining (or stealing) valid user account details, an attacker can gain access to a system, remain hidden, and then elevate their privileges to “log in” to more areas of the network.  

Unfortunately, the use of valid accounts is prevalent across the threat landscape. It was the second-most common MITRE ATT&CK technique that Talos observed in our threat telemetry in 2023. 26% of all Cisco Talos Incident Response engagements last year involved the use of valid accounts. 

In figures from Incident Response engagements from the fourth quarter of 2023, the top means of gaining initial access was a tie between the use of compromised credentials on valid accounts and exploiting public-facing web applications. 36% of malicious tooling was also focused on accessing and collecting credentials. You can read more about this in our Incident Response Quarterly Trends report.

The pervasiveness of these types of attacks is driven by a few key reasons: 

  1. Most companies think that cyber attacks will come from “the outside in.”   

Attacks that use valid accounts to log on take more of an “inside-out” approach. Once initial access is gained, the attacker is stealthily inside the network and stands a better chance of evading detection while trying to move laterally, especially if the network is unsegmented. Long story short — exploiting a vulnerability can certainly lead to initial access, but authorized credentials help the adversary navigate laterally under the radar.

  2. Stolen credentials are for sale on the dark web.

Effectively, some threat actors are in the market of stealing credentials simply to sell them to the highest bidder. Actors who purchase them may well use them for a larger targeted ransomware campaign and/or for espionage purposes. The higher the privileges attached to the account details (for example, those of people who work in finance or have access to networking devices), the higher the price.

  3. Attackers are following the trends of how we work today.

We’re accessing more systems remotely, we’re accessing company systems on our own devices, and cloud solutions are becoming increasingly commonplace. From a threat actor perspective, their mindset is shifting. “Why force my way into a system when I can just log in?” 

Speaking to those remote working trends, across the broader Cisco organization, we now see 1.5 billion multi-factor authentication requests every month (via Cisco Duo). For each authentication request, Duo evaluates whether it is a request from a trusted user or a bad request from an attacker.

The lack of MFA (or poorly installed MFA) is frequently the No. 1 security weakness in our Talos Incident Response Quarterly Trends report (as was the case in Q4 2023). According to Oort, whom Cisco acquired in 2023, 40% of enterprise customers have no MFA, or use weak MFA (for example, clear text SMS). This appears to be contributing to the challenge of bad actors using valid accounts as a key initial access tactic. 

So how are attackers effectively ‘logging on’ with valid account credentials? Here are some tactics that we frequently encounter within Talos threat telemetry and Incident Response engagements: 

Credentials stolen from password stores 

Stolen credentials from password stores took the No. 4 spot in the top 20 list of the most common MITRE ATT&CK techniques Talos saw in 2023. This is when users store passwords in various applications or web browsers. Adversaries search across common password storage locations to look for passwords that have been stored there. This technique has been used by threat actors for many years, but the rate at which it is still happening highlights why organizations and individuals should be using dedicated password managers and not the ones built into web browsers.

Credentials stolen from fake login portals via phishing campaigns 

Attackers will often try and replicate common login portals, such as Microsoft Office 365, and may send the user a phishing email asking them to log in due to some issue with their account. On the surface, the web page looks legitimate, but it’s a fake copy with malicious software behind it which is designed to capture user account details. 

Input capture 

Input capture was seventh on the top 20 MITRE ATT&CK list. This is a technique where threat actors deploy methods to capture login data as it is entered by the user. The most prevalent type of input capture is keylogging, where adversaries log user keystrokes to intercept credentials as the user types them. Keylogging usually occurs after a user has become the unwitting victim of credential theft via a phishing campaign or some other means of access.

Stealing or Forging Kerberos Tickets 

The stealing of Kerberos tickets was the ninth most common MITRE ATT&CK technique Talos observed in 2023. Kerberos is a network authentication protocol that authenticates service requests and grants a ticket for a secure connection. In the case of bad actors, they will try and steal these tickets (or forge them) to enable unauthorized access.  

Targeting dormant accounts 

According to Oort data from 2022, dormant accounts represent almost a quarter of the average company’s total accounts, and these accounts are regularly targeted (over 500 times per month on average). Attackers will look for accounts that are not used regularly but still have network access (for example, an employee or a temporary contractor who left the company, but their access was never removed).  

Infostealers 

Infostealers, or information-stealing malware, appear frequently in Talos IR engagements. Infostealers can be used to gain access to any kind of sensitive information including financial details and even intellectual property. Most commonly, we see infostealers being used to access and collect user credentials. 

Brute force attacks 

If an attacker has part of the login details, they may use brute force techniques to repeatedly guess the password. These are not necessarily entirely random guesses, as attackers may use knowledge gained from other attacks or leaks, such as the ones listed above. This highlights the need for organizations to limit the number of consecutive failed logon attempts.

Password spraying 

Password spraying is a specific kind of brute force attack, but instead of brute forcing a password on a single system, the actors use passwords from information leaks and try them on popular web services in the hope that users have reused their passwords. Spreading the attempts across many accounts greatly reduces the chance of detection and of triggering password lockouts.
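The two sections above describe the same underlying activity viewed from two angles: brute force piles failures onto one account, while spraying spreads them across many accounts from one source so that per-account lockout thresholds never trip. The following is an added example (not Talos code) of detection logic that applies a sliding time window to both views of the same authentication log, and also surfaces a success from a spraying source after its failures. The log format, usernames and addresses are all constructed for the demonstration.

```python
"""
Spot brute-force and password-spray patterns in authentication logs.

The log lines, usernames and addresses below are constructed for this
example; the line format is hypothetical and only needs to match LOG_RE.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

LOG_RE = re.compile(
    r"^(?P<ts>\S+) auth: (?P<result>FAILED|SUCCESS) login user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample log: a brute force against 'alice', a spray from
# 203.0.113.50 that finally succeeds against 'frank', and a benign user
# ('gina') who mistypes twice before logging in.
SAMPLE_LOG = """\
2024-02-06T08:30:00Z auth: FAILED login user=alice src=198.51.100.9
2024-02-06T08:30:20Z auth: FAILED login user=alice src=198.51.100.9
2024-02-06T08:30:41Z auth: FAILED login user=alice src=198.51.100.9
2024-02-06T08:31:02Z auth: FAILED login user=alice src=198.51.100.9
2024-02-06T08:31:25Z auth: FAILED login user=alice src=198.51.100.9
2024-02-06T08:31:47Z auth: FAILED login user=alice src=198.51.100.9
2024-02-06T08:40:00Z auth: FAILED login user=bob src=203.0.113.50
2024-02-06T08:40:03Z auth: FAILED login user=carol src=203.0.113.50
2024-02-06T08:40:06Z auth: FAILED login user=dave src=203.0.113.50
2024-02-06T08:40:09Z auth: FAILED login user=erin src=203.0.113.50
2024-02-06T08:40:12Z auth: FAILED login user=frank src=203.0.113.50
2024-02-06T08:40:15Z auth: SUCCESS login user=frank src=203.0.113.50
2024-02-06T09:05:00Z auth: FAILED login user=gina src=10.0.0.12
2024-02-06T09:05:30Z auth: FAILED login user=gina src=10.0.0.12
2024-02-06T09:05:45Z auth: SUCCESS login user=gina src=10.0.0.12
"""

Event = Tuple[datetime, str, str, str]  # (timestamp, result, user, src)


def parse_log(text: str) -> List[Event]:
    """Parse matching lines into time-ordered events; unknown lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["result"], m["user"], m["src"]))
    return sorted(events)


def max_in_window(times: List[datetime], window: timedelta) -> int:
    """Largest number of (sorted) timestamps that fall inside any one window."""
    best, start = 0, 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def max_users_in_window(events: List[Event], window: timedelta) -> int:
    """Largest number of distinct users one source hit inside any one window."""
    best = 0
    for i, (t0, _, _, _) in enumerate(events):
        users = {u for t, _, u, _ in events[i:] if t - t0 <= window}
        best = max(best, len(users))
    return best


def detect(text: str, window: timedelta = timedelta(minutes=10),
           fail_threshold: int = 5, spray_min_users: int = 5) -> Dict[str, list]:
    """Classify failures per account (brute force) and per source (spray)."""
    events = parse_log(text)
    fails_by_user: Dict[str, List[datetime]] = defaultdict(list)
    fails_by_src: Dict[str, List[Event]] = defaultdict(list)
    for ev in events:
        ts, result, user, src = ev
        if result == "FAILED":
            fails_by_user[user].append(ts)
            fails_by_src[src].append(ev)
    brute = sorted(u for u, ts in fails_by_user.items()
                   if max_in_window(ts, window) >= fail_threshold)
    spray = sorted(s for s, evs in fails_by_src.items()
                   if max_users_in_window(evs, window) >= spray_min_users)
    # A success from a spraying source after its failures is the likely compromise.
    compromised = sorted({(src, user) for ts, result, user, src in events
                          if result == "SUCCESS" and src in spray
                          and any(t < ts for t, _, _, _ in fails_by_src[src])})
    return {"brute_force": brute, "password_spray": spray,
            "success_after_spray": compromised}


if __name__ == "__main__":
    for kind, hits in detect(SAMPLE_LOG).items():
        print(f"{kind}: {hits}")
```

Note that a per-account lockout alone (the counter behind `fail_threshold`) never fires on the spraying source, because each account sees only one failure; the per-source view is what catches it.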

QR code phishing 

According to public reporting, there has been a recent rise in QR code phishing to gain user credentials. The Cisco Talos Incident Response team was recently called in to help with such an incident, in which credentials were stolen. A phishing email was sent to the company email of several employees, and the email contained a PDF with a malicious QR code. Some employees used their smartphone to scan the code, which paved the way for the attacker to gain their credentials and log in to the organisation’s system. The exact reason the attacker was able to obtain the credentials is unknown due to a lack of logs on the smartphone, but one possibility is that passwords were saved in an unpatched browser.

Going after the users 

Some of the above techniques can be addressed by defender tools and configurations within the organization’s network environment which allow for the detection of unauthorized access. But since there are many identity-type attacks that seek to manipulate or coerce the user themselves, we also need to talk about how users are being targeted today.  

I asked Talos’ Head of Outreach Nick Biasini about what his main recommendations were for the coming year. He spoke about the increased targeting of users and how adversaries are getting more relentless in their attempts to gain valid credential-based access to a system. 

He mentioned that whilst the malware used to gain these credentials won’t necessarily be very sophisticated, it is more about the intensity of the attacks. Here are his insights in full:

Phishing emails are one of the most common ways adversaries compromise victims (it was No. 3 in Talos’ list of initial access vectors for 2023 and has consistently been a top-ranked threat in Talos Incident Response findings for years). In the last year alone, 25% of the initial access vectors identified in Talos Incident Response engagements consisted of phishing. This observation is consistent with U.S. government findings, with the FBI noting that phishing was the top incident reported to its Internet Crime Complaint Center (IC3) in 2022.

Most people think of phishing/social engineering as clicking on a malicious link and triggering malware. But there are deeper aspects to these attacks that can involve the manipulation of users to do bidding on behalf of threat actors. These are known as insider attacks. 

Insider attacks 

We still see cases of the traditional malicious insiders i.e. employees who deliberately want to cause damage to their organization’s network, either for financial gain, or frustrations with the organization itself. But increasingly we are seeing another category of insider attacks – the “unwitting assets.”  

In the case of the unwitting asset, threat actors use social engineering to leverage the user to act on their behalf, typically through some form of manipulation. 

A common example is when an adversary concocts a story that implicates the user in some way, or there’s a problem that needs solving quickly. Adversaries, especially more sophisticated ones, will often ask for the target to get on a phone call to discuss the issue further.  

Once the attacker has someone on the phone, they unfortunately stand more of a chance of persuading the user to do the adversary’s bidding. This could include logging into devices and reconfiguring something or revealing important account details. 

Recommendations 

Identity related attacks are challenging to defend against. You’re dealing with the misuse of valid credentials. Finding the genuine source of them is especially difficult if users are being coerced to share their account details or conduct malicious activities. However, there are some practices we recommend that can help: 

  • Limit the amount of access a user has – no more than is required for them to perform their job.  
  • Limit the amount of consecutive failed login attempts to prevent possible brute force access. 
  • Ensure you are using MFA across your network. 
  • For IT administrators, ensure you are set up to inspect traffic laterally across the network, not just traffic going north/south. This will help catch attackers who are trying to move laterally.
  • Have a defense-in-depth approach, so that if a portion of your defense fails, other defenses can detect anomalies and intrusions. 
  • Conduct routine auditing and ensure dormant accounts are deleted from the network. This will help prevent attackers using dormant accounts to try to gain access undetected. It’s also common for accounts to be set up to test new systems, so ensure these test accounts are only temporary. Set up an automated procedure for test accounts to be disabled at the end of the project. 
  • Additionally, disable the accounts of those who have left your organization and ensure you remove their remote access (i.e., through the VPN).  
  • Have a checks and balances system in place for dealing with financial transactions so that no single person can initiate and complete a wire transfer without additional approval. This can help mitigate social engineering attacks against users who deal with payments. 
  • Addressing the abuse of valid credentials involves a comprehensive set of security measures. Consider a zero-trust architecture approach which validates every user connection to every device and every application. This will help prevent threat actors operating under the radar and across your network with stolen credentials. 

And finally, we recommend that organizations consider actively hunting for evidence of incursion. As well as finding possible breaches, you may also detect areas where your overall network security could be improved. You can read more about this in our blog “Beyond the basics: Implementing an active defense.”

Video series discussing the major threat actor trends from 2023

8 January 2024 at 10:30

In this video series, Talos’ Director of Threat Intelligence and Interdiction Matt Olney and Head of Outreach Nick Biasini share their insights on the most significant cybersecurity threats from the past year.

From attacks on network infrastructure to the latest APT activities, as well as an update on our Ukraine Task Force, these short videos provide some great insights into the current cybersecurity threat environment.

You can learn more in the 2023 Talos Year in Review.

The increased targeting of networking devices

Ransomware and extortion

The activities of Advanced Persistent Threat actors (APTs)

Ukraine Task Force update

Recommendations for defenders


Recommendations that defenders can use from Talos’ Year in Review Report

14 December 2023 at 12:21

The Talos Year in Review is available now and contains a wealth of insights about how the threat landscape has shifted in 2023. With new ransomware strains emerging from leaked source code, commodity loaders adding more reconnaissance measures to their belts, and geopolitical events influencing APT activity, there’s a lot to dissect.

From a defender’s point of view, what does that mean heading into 2024? Do you need to consistently shift tactics too, to stay one threat ahead? 

The thing is, we will never be “done” with cybersecurity. There will always be new threat actor groups. New strains. New tactics. And even if the defender community dismantles a botnet, like for example the takedown of Qakbot in August, it doesn’t mean the group behind it will cease to operate. We’ll never reach that scenario in the game of Battleship when you’ve found the final target and smugly mutter, “This is your last boat.”

There are two ways of looking at that. You can either say, “What’s the point?” or “We know we’ll probably get hit at some point. What can we do to ensure we eradicate the threat as quickly as possible?” So much of cybersecurity is about balancing and reducing risk: knowing what risks you can accept, and what risks you absolutely can’t.

That base visibility is key. As we at Talos commonly say, whoever knows the network best owns the network.

For example, Veradigm, a healthcare IT organization that the Cisco Talos Incident Response (Talos IR) team has been working alongside for many years to proactively assess and constantly improve their security posture, recently detected an intrusion and potential information-stealing attack. Luckily, their preparedness coupled with their Talos IR partnership enabled them to swiftly pinpoint the issues before bad actors could execute their plan.

The key to Veradigm’s successful response? Visibility across the network, having a clear plan, and being able to answer these four questions as quickly as possible:

  • How did they get in?
  • Are they still in?
  • What did they do?
  • How could they get in again?

Veradigm has also participated in multiple Talos IR tabletop exercises to stress test processes and adjust as needed to respond and succeed more quickly.

Aligned to that, experts from across Cisco recently sat down to discuss proactive threat hunting in general, and the benefits this type of activity can have to help organizations find vulnerabilities and weak points that hadn't been spotted before. Check out the discussion below:

One of the newer cross-regional trends we observed this year (and wrote about in the 2023 Year in Review) is an increase in the targeting of network devices, from both APTs and cybercriminals. The intent can differ between these disparate adversaries: the former is more driven by espionage and secondary target selection while the latter aims more for financial gain.

Both groups rely on exploiting recently disclosed vulnerabilities as well as weak/default credentials. This is one of the reasons why use of valid accounts was a top MITRE ATT&CK technique observed this year, and consistently a top weakness in Talos Incident Response engagements.

Patching isn't easy, and isn't necessarily without risk. It all comes back to that balance again.

We got a question on the Reddit AMA thread that we ran earlier this week, about the difficulties of patching network infrastructure. I thought my colleague Lexi DiScola's response was such a good one that I wanted to highlight it here.

The question was, "Eventually these [networking] devices may get patched, but not without a significant planned downtime, ranting from org leaders, and/or hesitation from the networking team (if there is one). Especially in larger orgs, where the number of devices may be in the hundreds or thousands. What have you observed to be the biggest barriers to patch management that you see regarding network devices?"

Here was Lexi's answer:

"One of the biggest barriers in securing these devices is that they are often not prioritized by security teams - whether that be for the reasons you listed, and/or because there is a lack of awareness around the significant level of access they can enable. As there is often limited monitoring of these devices, security teams may not even realize they are being leveraged as initial access vectors during large scale intrusions. This lack of awareness is further highlighted by the fact that many of these devices are vulnerable due to organizations using default passwords and configurations, vulnerabilities that are often quickly remediated in other network infrastructure. We recommend organizations improve monitoring and defensive measures for these devices, patch security flaws, remediate insecure default configurations, and improve employee awareness."

In terms of other recommendations based on the trends in the Year in Review Report? Well, if you thought you were about to read a blog about security recommendations without the mention of multi-factor authentication, I’m sorry to break it to you, because that’s about to happen. MFA really is one of the best things you can do to limit your threat surface.

In this episode of the Talos Takes podcast, we address the basics of implementing MFA in any environment, why any type of MFA is better than no MFA, the pitfalls of certain types of authentication, and whether going passwordless is the future. 

Read the full Year in Review below (no form filling necessary!):


Video: Talos 2023 Year in Review highlights

11 December 2023 at 10:48

In this video, experts from across Cisco Talos came together to discuss the 2023 Talos Year in Review. We chat about what’s new, what’s stayed the same, and how the geopolitical environment has affected the threat landscape.

This video was recorded live on social media:


We also discussed Project PowerUp, the story of how Cisco helped to keep the lights on in Ukraine. Read the full story here.

What is threat hunting?

28 November 2023 at 13:00

Many organizations are curious about the idea of threat hunting, but what does this really entail?  

What should you be hunting for? And what do you need to put in place to threat hunt properly? 

Four experienced security professionals from across Cisco recently sat down to discuss the basics of threat hunting, and how to go about “searching for the unknown.” In this video, we cover: 

  • The core principles of threat hunting. 
  • What are attackers looking for? And therefore, what should defenders be putting in place? 
  • Stories and experiences of threat hunting. 
  • How to approach failure.  

Talos Incident Response can help organizations review specific areas of their networks and systems for indicators of potential compromise. Threat hunting is hypothesis-driven and backed by the most current threat intelligence available from Talos. 

If you are interested in how Talos Incident Response can help you with your threat hunting goals, or even help you plan a compromise assessment, take a look at the various services our team can help you with. 
