Cisco Talos

Company type: Public Company
Industry: Computer and Network Security
Headquarters: Fulton, Maryland
Parent: Cisco Systems, Inc.
Website: https://talosintelligence.com/

Cisco Talos, or Cisco Talos Intelligence Group, is a cybersecurity technology and information security company based in Fulton, Maryland. [1] It is a part of Cisco Systems Inc. Talos' threat intelligence powers Cisco Secure [2] products and services, including malware detection and prevention systems. Talos provides Cisco customers and internet users with customizable defensive technologies and techniques through several of its own open-source products, including the Snort intrusion prevention system and the ClamAV [3] anti-virus engine.


The company is known for its involvement in several high-profile cybersecurity investigations, including the VPNFilter wireless router malware attack [4] in 2018 and the widespread CCleaner supply chain attack [5] in 2017.

History

Sourcefire was founded in 2001 by Martin Roesch, the creator of the Snort intrusion prevention system. Sourcefire created an original commercial version of Snort known as the "Sourcefire 3D System," which eventually became the Firepower line of network security products. The company's headquarters were in Columbia, Maryland in the United States, with offices across the globe.

On July 23, 2013, Cisco Systems announced a definitive agreement to acquire Sourcefire for $2.7 billion. [6] After Cisco's acquisition of Sourcefire, the company combined the Sourcefire Vulnerability Research Team (Sourcefire VRT), Cisco's Threat Research, Analysis, and Communications (TRAC) team, and Security Applications (SecApps) to form Cisco Talos in August 2014. Today, Talos sits under the Cisco Secure umbrella and operates the Cisco Talos Incident Response (Talos IR) team. [7]  

In 2014, Cisco Talos helped co-found the Cyber Threat Alliance, a not-for-profit organization with the goal of improving cybersecurity "for the greater good" [8] by encouraging collaboration between cybersecurity organizations by sharing cyber threat intelligence [9] amongst members. As of 2022, the organization had more than 40 members, [10] including Fortinet, Checkpoint, Palo Alto Networks and Symantec.

In 2019, the Cisco Security Incident Response Services group announced a new partnership with Talos, [11] becoming Cisco Talos Incident Response (Talos IR). [12] Since the creation of Talos IR, the group has been named a leader by IDC in the 2021 MarketScape for Worldwide Incident Readiness Services [13] (doc #US46741420, November 2021). Talos IR was also added to the approved vendor list of Advanced Persistent Threat (APT) response service providers maintained by the Bundesamt für Sicherheit in der Informationstechnik (BSI) in May 2022.

Threat research

Talos regularly collects data on the latest cybersecurity threats, malware, and threat actors through several avenues. That information then powers Cisco Secure's products, including Cisco Secure Cloud [14] and Cisco Secure Endpoint. [15]

The FBI and the U.S. Cybersecurity and Infrastructure Security Agency have credited Talos with several major security research breakthroughs, including the VPNFilter malware that could take over home wireless routers, the BlackCat ransomware group, [16] the active exploitation of the PrintNightmare vulnerability [17] in Microsoft Windows, and the router malware that is a cousin of VPNFilter.

In 2017, Talos discovered malware known as Nyetya [18] (or "NotPetya") disguising itself as an update for the Ukrainian tax software [19] MeDoc. Nyetya was originally believed to be a ransomware attack targeting multinational corporations, but Talos was amongst the first threat research groups to discover that the attack was deliberately designed to destroy data and to target Ukraine.

In May 2018, Talos worked with the FBI in the U.S. to disclose the existence [20] of a widespread wireless router malware known as VPNFilter. At the time of their initial disclosure, Talos stated that as many as 500,000 networking devices, [21] mainly consumer-grade internet routers, were already infected with the malware across 54 countries. [22] VPNFilter essentially acted as a "kill switch" the threat actor could pull at any time to render the device useless. The FBI would go on to release a warning [23] telling users of the affected routers to factory reset their devices to protect against the malware. American law enforcement agencies would eventually go on to seize the botnet associated with VPNFilter and even backdoored some consumer routers. A variant of VPNFilter known as Cyclops Blink would arise again in 2022 [24] in Ukraine after Russia's invasion.

Later that year, Talos responded to a major cyber attack against the Winter Olympics in Pyeongchang, South Korea. In the attack, eventually dubbed "Olympic Destroyer," Talos found that the actors wanted to completely wipe the computers used on-site for the opening ceremony, rendering them unusable. The cyber attack disrupted the Olympics' official website the day before the opening ceremony, and attendees were unable to access the site or print their tickets to attend the Olympic events. The Wi-Fi in Pyeongchang Olympic Stadium also stopped working for several hours before returning to normal. Although many media outlets reported that the attack came from a Russian threat actor, Talos stated there was too much doubt surrounding this assertion to attribute the attack confidently. Talos has since gone on to work on Olympic cybersecurity at other Games.

Talos has been heavily involved in protecting Ukraine's networks during the 2022 Russo-Ukrainian War. The company announced in early March 2022 that it was directly operating security products 24/7 for critical customers in Ukraine. More than 500 employees at Cisco were assisting at the time in collecting open-source intelligence for Talos to act on. Talos researchers also created Ukraine-specific protections based on the intelligence they received. The company also wrote about numerous cyberattacks targeting Ukraine during Russia's invasion, including countless spam campaigns and wiper malware families.

Vulnerability Research

Cisco Talos has a Vulnerability Research team that identifies high-priority security vulnerabilities [25] in computer operating systems, software and hardware, including platforms such as ICS and IoT systems. This team works with vendors to disclose and patch more than 200 vulnerabilities a year.


References

  1. "Cisco Talos Intelligence Group | LinkedIn". www.linkedin.com. Retrieved 2024-01-10.
  2. "Cisco Secure Products and Solutions". Cisco. Retrieved 2022-08-10.
  3. "ClamAVNet". www.clamav.net. Retrieved 2022-08-10.
  4. Largent, William (23 May 2018). "New VPNFilter malware targets at least 500K networking devices worldwide". Retrieved 2022-08-10.
  5. Brumaghin, Edmund (18 September 2017). "CCleanup: A Vast Number of Machines at Risk". Retrieved 2022-08-10.
  6. "Cisco Agrees to Buy Sourcefire in $2.7 Billion Deal". Bloomberg.com. 2013-07-23. Retrieved 2022-08-10.
  7. "Cisco Talos Incident Response". Cisco Talos Intelligence Group, talosintelligence.com. Retrieved 2022-08-10.
  8. Holseberg, Kate. "Home". Cyber Threat Alliance. Retrieved 2022-08-10.
  9. "Cyber Threat Alliance". Cyber Threat Alliance. Retrieved 2022-08-10.
  10. Holseberg, Kate. "Membership". Cyber Threat Alliance. Retrieved 2022-08-10.
  11. Munshaw, Jon (5 November 2019). "Talos, Cisco Incident Response team up to offer more protection than ever". Retrieved 2022-08-10.
  12. "Cisco Talos Incident Response". Cisco Talos Intelligence Group, talosintelligence.com. Retrieved 2022-08-10.
  13. https://idcdocserv.com/US46741420e_Cisco (untitled document). idcdocserv.com. Retrieved 2022-08-10.
  14. "Cisco Security Cloud: Open, Integrated Platform". Cisco. Retrieved 2022-08-10.
  15. "Cisco Secure Endpoint (Formerly AMP for Endpoints)". Cisco. Retrieved 2022-08-10.
  16. "FBI: This ransomware written in the Rust programming language has hit at least 60 targets". ZDNet. Retrieved 2022-08-10.
  17. "Russian State-Sponsored Cyber Actors Access Network Misconfigured with Default MFA Protocols". CISA, www.cisa.gov. 15 March 2022. Retrieved 2022-08-10.
  18. Chiu, Alexander (27 June 2017). "New Ransomware Variant "Nyetya" Compromises Systems Worldwide". Retrieved 2022-08-10.
  19. Biasini, Nick (5 July 2017). "The MeDoc Connection". Retrieved 2022-08-10.
  20. "Justice Department Announces Actions to Disrupt Advanced Persistent Threat 28 Botnet of Infected Routers and Network Storage Devices". www.justice.gov. 2018-05-23. Retrieved 2022-08-10.
  21. Largent, William (23 May 2018). "New VPNFilter malware targets at least 500K networking devices worldwide". Retrieved 2022-08-10.
  22. "Talos finds new VPNFilter malware hitting 500K IoT devices, mostly in Ukraine". ZDNet. Retrieved 2022-08-10.
  23. Limer, Eric (2018-05-30). "Reboot Your Router, But Don't Stop There". Popular Mechanics. Retrieved 2022-08-10.
  24. Malhotra, Asheer (24 March 2022). "Threat Advisory: DoubleZero". Retrieved 2022-08-10.
  25. "Zero-Day Vulnerability & Disclosed Vulnerabilities Reports". Cisco Talos Intelligence Group, www.talosintelligence.com. Retrieved 2022-08-10.