A jam packed episode of guests means a slightly longer Talos Takes for your feed today! We welcome Amy Chang and Omar Santos from Cisco, Vitor Ventura from Talos, and Ryan Fetterman from Splunk. Together, we discuss how AI isn't rewriting the cybercrime playbook, but it is turbo charging some of the old tricks, particularly on the social engineering side. We also touch on threat actor-built LLMs and where things may be headed. We then talk about how defensive strategies can leverage AI, particularly in the SOC, to increase visibility and make determinations a lot quicker.

Resources mentioned in the episode:

Talos' 2024 Year in Review

Cisco's State of AI Security report

Defending at machine speed, by Splunk

Steven Leung from Cisco Duo joins Hazel to discuss the prevalence of identity-based attacks, why they're happening, and the various methods attackers are using to circumvent MFA (Multi-Factor Authentication), based on data in Talos' 2024 Year in Review.

Topics we touch on include phishing, push spray attacks, and Adversary-in-the Middle campaigns, and throughout the episode Steven provides best practice recommendations for implementing MFA at scale, without increasing user friction.

For more resources, check out the Duo blog, and Talos' 2024 Year in Review.

Azim Khodjibaev and Lexi DiScola join Hazel to discuss some of the most prolific ransomware groups (and why LockBit may end this year very differently to how they ended 2024). They also discuss the dominant techniques of ransomware actors, where low-profile tactics led to high-impact consequences.

For the full analysis, download Talos' 2024 Year in Review at https://blog.talosintelligence.com/2024yearinreview/

Talos researchers Martin Lee and Thorsten Rosendahl join Hazel for the first of our dedicated episodes on the top findings from Talos' 2024 Year in Review. We discuss the vulnerabilities that attackers most targeted, how this compares with CISA's list, and how to protect network devices. Given how email lures are evolving, we spend some time chatting about how the current world news cycle may play into adversary's campaign cycles. And finally we touch on how to spot signs that your own sysadmin tools may be being used against you.

For the full report, head to https://blog.talosintelligence.com/2024yearinreview/

Have you ever wondered what it takes to put on a major event like a World Cup or the Olympics, and all the cybersecurity and threat intelligence that needs to be done beforehand? Today’s episode is all about that. Hazel is joined by one of our global Cisco Talos Incident Response leaders, Yuri Kramarz, who has helped some of the biggest events around the world take place securely.

We chat about risk factors, focus areas such as endpoint protection, threat hunting and incident response, and what to do in the hours and minutes leading up to the event.

Check out the document we mention - a full blueprint on how to protect major events:

https://blog.talosintelligence.com/protecting-major-events-blueprint-october-2024-update/

In this episode Hazel chats with Omid Mirzaei, a security research lead in the email threat research team at Cisco Talos.

Omid and several Talos teammates recently released a blog on hidden text salting (or poisoning) within emails and how attackers are increasingly using this technique to evade detection, confuse email scanners, and essentially try and get phishing emails to land in people’s inboxes.

Hidden text salting is a simple yet effective technique for bypassing email parsers, confusing spam filters, and evading detection engines that rely on keywords. The idea is to include some characters into the HTML source of an email that are not visually recognizable.

For more, head to the Talos blog

It's an European takeover this week, as Hazel sits down with Talos EMEA threat researchers Martin Lee and Thorsten Rosendahl. They're heading to Cisco Live EMEA next week (February 9-14) to deliver a four hour session on how to establish a threat intelligence program. If you can't make it - here's a 15 minute version! Thorsten and Martin provide best practices for threat intelligence, the different flavors of it (tactical, operational, and strategic), and the significance of curiosity and learning from failures.

If you haven't already, check out Martin's introductory course to threat intelligence in collaboration with Cisco’s Networking Academy. This course is free for all, and is intended to give an overview of the domain for someone without prior knowledge which can be used as a starting point for further study or employment.

Joe Marshall and Craig Jackson join Hazel to discuss the biggest takeaways from Cisco Talos Incident Response's latest Quarterly Trends report. This time the spotlight is on web shells and targeted web applications – both have seen large increases. There’s a brand new ransomware actor on the scene – we’ll talk about the new Interlock ransomware and how we’ve seen this group show up this quarter. Plus, Talos IR observed threat actors using remote tooling in 100% of ransomware incidents this quarter – that’s a significant uptick. For the full report head to blog.talosintelligence.com/talos-ir-trends-q4-2024/