Imagine downloading a PDF Editor tool from the internet that works great...until nearly two months later, when it quietly steals your credentials. That’s the reality of “Tampered Chef,” a malvertising campaign that preyed on users searching for everyday software. In this episode, Nick Biasini explains how cybercriminals are investing in "malvertising", why enterprises are prime targets, and why there are additional challenges when it comes to defending against time-delayed attacks.
How do you build and defend a network where attacks are not just expected-they're part of the curriculum? In this episode, Hazel talks with Jessica Oppenheimer, Director of Security Operations at Cisco, about the ten years she's spent in the Black Hat Network Operations Center (NOC). Explore the technical challenges of segmenting and monitoring a network designed for experimentation, live hacking, and hands-on training, including how malicious and benign behaviors are distinguished in real ti...
Hazel is joined by threat intelligence researcher James Nutland to discuss Cisco Talos’ latest findings on the newly emerged Chaos ransomware group. Based on real-world incident response engagements, James breaks down Chaos’ fast, multi-threaded encryption, their use of social engineering and remote access tools like Quick Assist, and the group’s likely connections to former BlackSuit operators. James also shares what defenders should be watching for and how to stay ahead of evolving ransomwa...
Attackers are increasingly abusing the same remote access tools that IT teams rely on every day. In this episode, Hazel sits down with Talos security researcher Pierre Cadieux to unpack why these legitimate tools have become such an effective tactic for adversaries. Pierre explains how the flexibility, legitimacy, and built-in capabilities of remote access management tools make them ideal for attackers who want to stay under the radar. They discuss trends Talos Incident Response is seeing in ...
Hazel welcomes back Ryan Fetterman from the SURGe team to explore his new research on how large language models (LLMs) can assist those who work in security operations centers to identify malicious PowerShell scripts. From teaching LLMs through examples, to using retrieval-augmented generation and fine-tuning specialized models, Ryan walks us through three distinct approaches, with surprising performance gains. For the full research, head to https://www.splunk.com/en_us/blog/security/gui...
Chetan Raghuprasad joins Hazel to discuss his threat hunting research into fake AI tool installers, which criminals are using to distribute ransomware, RATS, stealers and other destructive malware. He discusses the attack chain of three different campaigns, including one which even tries to justify its ransom as "humanitarian aid." For the full research, read Chetan's blog at https://blog.talosintelligence.com/fake-ai-tool-installers/
Edmund Brumaghin joins Hazel to discuss how threat actors (including state sponsored attackers), are increasingly compartmentalizing their attacks i.e they're bringing in specialist skillsets from other groups to handle different aspects of the attack chain. Edmund discusses why this is happening, and the challenges this poses for defenders when it comes to attribution and reporting. He then discusses several solutions which seek to evolve traditional threat modelling, and help provide clarit...
In this episode, Hazel welcomes Talos researcher Ashley Shen to discuss the evolution of initial access brokers (IABs) and the importance of distinguishing between different types of IABs. We talk about the need for a new taxonomy to categorize IABs into three types: financially motivated (FIA), state-sponsored (SIA), and opportunistic (OIA) initial access groups. This taxonomy aims to improve threat modeling and defense strategies by providing a clearer understanding of the motivations and b...
A jam packed episode of guests means a slightly longer Talos Takes for your feed today! We welcome Amy Chang and Omar Santos from Cisco, Vitor Ventura from Talos, and Ryan Fetterman from Splunk. Together, we discuss how AI isn't rewriting the cybercrime playbook, but it is turbo charging some of the old tricks, particularly on the social engineering side. We also touch on threat actor-built LLMs and where things may be headed. We then talk about how defensive strategies can leverage AI, parti...
Steven Leung from Cisco Duo joins Hazel to discuss the prevalence of identity-based attacks, why they're happening, and the various methods attackers are using to circumvent MFA (Multi-Factor Authentication), based on data in Talos' 2024 Year in Review. Topics we touch on include phishing, push spray attacks, and Adversary-in-the Middle campaigns, and throughout the episode Steven provides best practice recommendations for implementing MFA at scale, without increasing user friction. For...
Azim Khodjibaev and Lexi DiScola join Hazel to discuss some of the most prolific ransomware groups (and why LockBit may end this year very differently to how they ended 2024). They also discuss the dominant techniques of ransomware actors, where low-profile tactics led to high-impact consequences. For the full analysis, download Talos' 2024 Year in Review at https://blog.talosintelligence.com/2024yearinreview/
Talos researchers Martin Lee and Thorsten Rosendahl join Hazel for the first of our dedicated episodes on the top findings from Talos' 2024 Year in Review. We discuss the vulnerabilities that attackers most targeted, how this compares with CISA's list, and how to protect network devices. Given how email lures are evolving, we spend some time chatting about how the current world news cycle may play into adversary's campaign cycles. And finally we touch on how to spot signs that your own sysadm...
Have you ever wondered what it takes to put on a major event like a World Cup or the Olympics, and all the cybersecurity and threat intelligence that needs to be done beforehand? Today’s episode is all about that. Hazel is joined by one of our global Cisco Talos Incident Response leaders, Yuri Kramarz, who has helped some of the biggest events around the world take place securely. We chat about risk factors, focus areas such as endpoint protection, threat hunting and incident response, and wh...
In this episode Hazel chats with Omid Mirzaei, a security research lead in the email threat research team at Cisco Talos. Omid and several Talos teammates recently released a blog on hidden text salting (or poisoning) within emails and how attackers are increasingly using this technique to evade detection, confuse email scanners, and essentially try and get phishing emails to land in people’s inboxes. Hidden text salting is a simple yet effective technique for bypassing email pars...
It's an European takeover this week, as Hazel sits down with Talos EMEA threat researchers Martin Lee and Thorsten Rosendahl. They're heading to Cisco Live EMEA next week (February 9-14) to deliver a four hour session on how to establish a threat intelligence program. If you can't make it - here's a 15 minute version! Thorsten and Martin provide best practices for threat intelligence, the different flavors of it (tactical, operational, and strategic), and the significance of curiosity and lea...
Joe Marshall and Craig Jackson join Hazel to discuss the biggest takeaways from Cisco Talos Incident Response's latest Quarterly Trends report. This time the spotlight is on web shells and targeted web applications – both have seen large increases. There’s a brand new ransomware actor on the scene – we’ll talk about the new Interlock ransomware and how we’ve seen this group show up this quarter. Plus, Talos IR observed threat actors using remote tooling in 100% of ransomware incidents this qu...
Hazel sits down with Vanja Svajcer from Talos' threat research team. Vanja is a prolific malware hunter and this time he's here to talk about vulnerable Windows drivers. We've been covering these drivers quite a bit on the Talos blog over the last year, and during our research we investigated classes of vulnerabilities typically exploited by threat actors as well as the payloads they typically deploy post-exploitation. The attacks in which attackers are deliberately installing known vulnerabl...
Ransomware is 35 years old this month, which isn't exactly something to celebrate. But in any case, do join Hazel and special guest Martin Lee to discuss what happened in the very first ransomware incident in December 1989 and why IT "wasn't ready". They then discuss how ransomware evolved to become the criminal entity it is today, which involves looking back on the likes of SamSam, Maze and the emergence of crypto currencies. Plus, learn why Martin says we shouldn't feel powerless in ...
Chetan Raghuprasad is our guest today as he breaks down the relatively new Interlock ransomware attack. Cisco Talos Incident Response recently observed this attacker conducting big-game hunting and double extortion attacks. Chetan talks about the initial access tactics, deployment of the ransomware encryptor, and how Interlock communicates with its victims using their “Worldwide Secrets Blog”. For the full analysis, head to https://blog.talosintelligence.com/emerging-interlock-ra...
What happens when two sets of threat researchers from Talos and Splunk's SURGe team meet? Aside from some highly controversial opinions and omissions about the best horror movie, the team discuss what security trends are FUD, and what's actually fearful/ most challenging at the moment. Also, what is the security industry not aware of enough, and also too aware of? Plus some thoughts on cybersecurity awareness training and how we can do better. This is a great conversation facilitated by SUR...