Everything about the modern workplace is different now from the start of the COVID-19 pandemic. Many companies are embracing the remote work lifestyle, while others are stuck in a hybrid model or pushing employees to come back to the office. With that in mind, we felt like it was a good time to check in on the incident response process for companies who have to deal with working remotely and those who prefer to conduct business in person. Yuri Kramarz and Gergana Karadzhova-Dangela from Cisco Talos Incident Response join the show this week to discuss how they handle onsite incident response versus engagements that need to be done remotely. There are drawbacks and benefits of both models, so it's up to the individual customer and specific circumstances to determine how a responder can best approach the event in question.
The stereotypical "hacker" who looks to do good in the world probably involves a Guy Fawkes mask and black hoodie. But hacktivism has become much more than that, especially since Russia invaded Ukraine. On the heels of a newly released overview on hacktivism, Lexi DiScola from the Talos Threat Intelligence and Interdiction team joins Talos Takes this week to discuss these actors. While not just anyone is likely a target for hacktivists, Talos has seen groups become more brazen and start looking to make money off their operations.
Cisco Talos Incident Response observed data theft extortion more than any other type of cyber attack last quarter. So why has it become so popular? And what makes it different from ransomware? Jacob Finn from the Talos Threat Intelligence and Interdiction Team joins Jon this week to discuss the basics of data theft extortion. He just worked on an overview of this threat for Talos researchers and works closely with Talos IR on their quarterly trends reports. Jacob discusses why threat actors are choosing data theft extortion over ransomware and how this makes defense and detection more difficult. For more on this topic, read our one-page overview here.
Hazel Burton and Jon Munshaw use this week to look back on the top threats and cybersecurity trends so far in 2023 and the rest of the year. Hazel recently compiled Talos' Half-Year in Review, recapping the top stories that Talos has been following so far this year. She and Jon talk about what stood out from the report, what our researchers have been thinking about up to this point, and what we'll be discussing come December.
We're back with the audio version of our quarterly Cisco Talos Incident Response On Air stream. Join the Talos IR team as they recap the past quarter's top trends, including talking about malware they're seeing in the wild, tactics that attackers are using most often to break into networks, and much more. They discuss why healthcare continues to be a popular target for bad actors, and how adversaries are pivoting away from ransomware and instead opting for data theft and extortion. If you prefer a video version, watch it over on YouTube here.
When Martin Lee first told Jon about ISO 27001 and 27002, Jon had to immediately Google whatever this combination of letters and numbers meant. Turns out there are international standards for cybersecurity, just like they have for selling lightbulbs and installing electrical outlets — who knew? Martin recently wrote about these standards for the Talos blog, outlining a list of recommendations for any organization looking to build a threat intelligence program from the ground up. Jon interviewed him about what these standards are, exactly, what they mean for companies looking to implement these standards, and why they recently included threat intelligence.
Asheer Malhotra is back to talk to Jon Munshaw about spyware and mercenary groups. Asheer recently helped publish Talos research on Mercenary Groups and why they're so dangerous in particular. We briefly touched on this topic in a past episode on the Predator/Alien spyware tag team, but this time we're getting into the broader field of what Mercenary groups are, exactly, and what makes them so dangerous. Asheer talks about recent steps governments have taken to curb the sale of spyware and why the "average" user should care about this topic, even though they're unlikely to ever be a target.
We decided to have a web navigation extravaganza this week! Guilherme Venere and Jaeson Schultz from Talos Outreach have both long been researching the ways in which bad actors try to damage users' inherent trust in the internet. Most internet users interact with the web by typing in a URL or domain name into their web browser (i.e., google.com) expecting that will take them to the right place. But attackers have found various ways to mess with that series of handshakes that must take place. Guilherme and Jaeson talk to Jon about their past years of research into typosquatting domains, new TLDs that open up the door to data leaks, DNS manipulation and more.
Additional reading:
Aliza Johnson from Talos Threat Intelligence and Interdiction team joins Jon Munshaw this week for a Talos Takes episode on the MOVEit zero-day vulnerability (that's since been patched) making headlines recently. Talos published an advisory last week on everything we know so far about the exploitation of this vulnerability and the group behind it, Clop. Aliza discusses where things stand right now, what Clop is doing once they gain access via this vulnerability and what Talos recommends for mitigation strategies for potentially affected customers.
Cisco Talos Incident Response recently discovered an uptick in malicious actors compromising vendor and third-party accounts to sneak into targeted networks. Many enterprises have vendor and contractor accounts that need to access their network for a variety of things — IT support, cybersecurity, etc. — but these accounts are often monitored less than those belonging to full-time employees. Craig Jackson, who recently co-authored a blog post on this threat, joins Talos Takes this week to talk about vendor and contractor account (VCA) takeover and how they fit into the broader threat of supply chain attacks.