Talos Takes

232 episodes — Page 5 of 5

Talos Takes Ep. #32: How to keep your children safe while they attend school online

Jon doesn’t have any children. So he found someone who does — Beers with Talos’ own Craig Williams — to talk about remote learning. Children are back to school, and many of them are doing so online. Craig and Jon talk about DNS filters, parental controls, meeting passwords and more that are sure to help parents and teachers adjust to this new normal.

Aug 12, 2022 · 8 min

Talos Takes Ep. #46 (XL Edition): Snort 3 roundtable discussion

We’ve got another special XL episode this week, this time about Snort 3. This roundtable covers everything you could know about Snort 3’s life, going back as far as its inception in the early 2010s. We even went out of our way to get Marty Roesch, the creator of Snort. Marty, along with our other panelists, discusses the origins of Snort 3, what benefits you can gain by upgrading and what other features you can expect to see in the future.

Aug 12, 2022 · 53 min

Talos Takes Ep. #39: An update on SolarWinds as it relates to IoT and OT

We know we just talked about supply chain attacks and SolarWinds last week, but it’s still all anyone in security is talking about. Joe Marshall joins the show this time to approach the SolarWinds breach from an internet-of-things and operational security perspective. He recently co-wrote a blog for Cisco detailing how outsourcing OT over the past few years has made the SolarWinds compromise worse. Joe, a lifelong researcher and security practitioner in the OT and infrastructure space, discusses what we still don’t know about this attack, what you should do if you think you may be affected, and how we can learn from this going forward. For more on Talos’ coverage and defense against the SolarWinds campaign, check out our blog post here.

Aug 12, 2022 · 12 min

Talos Takes Ep. #54: Incident response is really just the friends we made along the way

Welcome to the unofficial incident response week at Talos! As part of the RSA Conference, we’ve released two new case studies detailing some malware cases Cisco Talos Incident Response helped resolve. Brad Garnett, this week’s guest, also released a new blog post where he wrote about why incident response is “the ultimate team sport.” Brad joins host Jon Munshaw this week to take a deeper dive into one of these engagements, in which an attacker tried to use Cobalt Strike to infect a target with ransomware (hint: this would have been really bad!) Brad talks about how the strong personal relationships CTIR built with the customer in question set everyone up for success.

Aug 12, 2022 · 8 min

Talos Takes Ep. #57: What's in it for both sides of the ransomware-as-a-service model?

How much is ransomware-as-a-service like a McDonald’s franchise? More similar than you’d think! The RaaS model has entered the mainstream over the past few months with groups such as DarkSide attacking the Colonial Pipeline. In these transactions, what’s in it for the original ransomware creator? And what do the operators themselves get out of it? Nick Biasini joins Jon Munshaw this week to talk about this business model, what it means for the rise in ransomware attacks, and how you can stay protected.

Aug 12, 2022 · 5 min

Talos Takes Ep. #56: The first security steps when returning to the office

We started out the COVID-19 pandemic by thinking we’d be away from the office for a month — maybe two. More than 12 months later, we’re still here, working from home (at least part-time). But some businesses are starting to reopen now and welcoming workers back into the office. After so much time working out of the office, what should security professionals do once they get back? In this week’s episode, Beers with Talos’ own Craig Williams joins the show to talk about triple-checking for patches, changing passwords and more. Plus, how should you handle the new hybrid worker?

Aug 12, 2022 · 10 min

Talos Takes Ep. #41: Why you should upgrade to Snort 3

For this week’s episode of Talos Takes, we’re switching back to Snort talk. For anyone who hasn’t been on security Twitter over the past month, you may not know that we released the Snort 3 GA last month — formally known as Snort 3.1.0. To celebrate, Nick Mavis joins the show again to discuss Snort 3’s new features and upgrades over 2.9.X. Nick, who regularly writes Snort rules for Cisco Talos and has been working hands-on with both versions of Snort for years, talks about how the rules improve with Snort 3, why detection and protection are better and everything else he loves about Snort 3. For more, check out the Snort 3 page on Snort.org.

Aug 12, 2022 · 6 min

Talos Takes Ep. #19: How to keep your online meetings safe

Everyone is meeting virtually now. Whether it be important business or the average happy hour with friends and family, there’s no shortage of invites to chat rooms, presentations and software you’ve never heard of before you started working from home. And, of course, this software comes with its own set of security concerns and vulnerabilities. So Matt Valites joins Jon Munshaw this week to talk about the basics of securing your next friendly meetup or presentation to the board.

Aug 12, 2022 · 5 min

Talos Takes Ep. #10: The basics of RATs

We’ve been covering several different generic types of malware over the past few weeks. Next up, we’ve got our overview of remote access trojans (or tools), also known as RATs. What goes into a RAT, and how is it different than other types of malware? What are some of their inherent capabilities? We’ve got the rundown here.

Aug 12, 2022 · 4 min

Talos Takes Ep. #7: How attackers are capitalizing on coronavirus fears

With the RSA conference just days away, notable vendors such as IBM and AT&T have withdrawn from the annual event over coronavirus concerns. The fast-spreading disease has captured headlines across the globe, and adversaries are trying to strike quickly. Continuing our look at attackers’ use of current events to spread malware, Nick Biasini and Earl Carter sit down to discuss malware campaigns that are hoping to scare victims into opening malicious emails and documents on coronavirus.

Aug 12, 2022 · 4 min

Talos Takes Ep. #3: The basics of malvertising

We’ve all seen the supposed stories online that promise to give you “The one secret to weight loss doctors WON’T tell you about.” Or “You won’t believe who Kim Kardashian is talking about now.” So how harmful are these malicious ads? Why do some of them deliver malware, and others don’t? In this episode of Talos Takes, Nick Biasini and Earl Carter dive into the basics of malvertising.

Aug 12, 2022 · 6 min

Talos Takes Ep. #31: Diving even deeper into Cobalt Strike

Snort researcher and rule-writer Nick Mavis takes time out of his busy schedule to join us again this week. Nick recently published a research paper on the bevy of detection he wrote for Cobalt Strike, a tool attackers are increasingly using. Nick talks about his process of working on the paper, why Cobalt Strike has become so popular and what he learned during the research process.

Aug 12, 2022 · 5 min

Talos Takes Ep. #105: We return once more to Transparent Tribe

Yes, this is the third time we’ve talked about Transparent Tribe on Talos Takes, you’re not going crazy. But they keep giving us reasons to bring them up! This time, Nick Biasini joins the show to discuss the latest evolution of this threat actor: The targeting of higher education institutions in India. Jon and Nick discuss why colleges are always a high-priority target and what this could mean for the evolution of the actor.

Aug 12, 2022 · 6 min

Talos Takes Ep. #94: Everything you need to know about the BlackCat ransomware group

BlackCat, BlackMatter, DarkSide, BlackByte…it’s too hard to keep up with all these ransomware group names these days. So we’re here to break down one of these groups, BlackCat, for you so you can figure out what makes them actually memorable. Aliza Berk from our Talos Threat Intelligence & Interdiction team joins Jon Munshaw this week to talk about BlackCat and their ransomware that’s recently become a major player on the malware landscape. Aliza recently compiled our latest Threat Assessment Report on this group and assisted in our research around the group. Jon and Aliza discuss how the use of the Rust programming language and using triple extortion tactics make this group a threat.

Aug 12, 2022 · 8 min

Talos Takes Ep. #90: Kenna Security 101

We’re kicking off a new series of episodes called “Kenna 101” highlighting Cisco’s newest partner, Kenna Security. Kenna is a risk management platform for vulnerabilities that allows users to view what vulnerabilities exist in their environment and helps them create a plan for patching and mitigation. We’re starting things off with the CTO of Kenna, Ed Bellis, to talk about the basics of Kenna and its risk scores.

Aug 12, 2022 · 9 min

Talos Takes Ep. #85: ICS as it relates to the current situation in Ukraine

As the Ukraine situation evolves, we figured it was an important time to check in with the specific threats government agencies across the globe have started to warn us about. Joe Marshall, Talos’ resident industrial control systems expert, joins this week’s episode of Talos Takes to talk about potential threats to Ukraine’s power grid should kinetic warfare break out in the area. We also touch on what potential threats America’s infrastructure faces if our government leaders were to oppose any Russian actions in the region. It’s admittedly a tangled web currently — but for the most current information on this, check out the Talos blog on the topic.

Aug 12, 2022 · 10 min

Talos Takes Ep. #71 (NCSAM Edition): 2021 in ransomware

We are far from the first (or last) people to say this, but 2021 is the year of ransomware. It’s by far the biggest story on the security landscape right now. And everything from oil pipelines, to grain co-ops, to hospitals and schools have been targeted by ransomware this year. Azim Khodjibaev joins the show for National Cybersecurity Awareness Month to wrap up everything we’ve seen on the ransomware landscape this year. Azim reflects on his interview with a LockBit operator, the research he’s done into “double extortion campaigns,” and discusses the lessons defenders can learn from the past 10 months.

Aug 12, 2022 · 6 min

Talos Takes Ep. #65: We're all excited to travel again, but so are attackers

As more people around the world start to get vaccinated against COVID-19, travel is becoming easier, especially during these summer months. But as much as you may be excited to travel, so are threat actors. Asheer Malhotra was part of a team that looked into a series of campaigns targeting users in Latin America, specifically using social engineering tactics centered around travel. Some of the lure documents, in this case, include fake travel itineraries, coupons for flights and hotel reservation confirmations. Asheer joins the show this week to discuss the throughline between all these attacks and their potential connections to the Aggah crimeware group.

Aug 12, 2022 · 7 min

Talos Takes Ep. #23: How Talos utilizes honeypots

Honeypots are an important part of threat research and detection. In this episode of Talos Takes, we talk to Christopher Evans, who is our resident honeypot expert at Talos. Chris talks about how he uses them every day, why they’re important to Talos’ overall mission and balancing the use of them with the potential for making attackers smarter.

Aug 12, 2022 · 10 min

Talos Takes Ep. #64: We go back to school

Students are starting to go back to school across the U.S. There are plenty of things to worry about with the “new normal” while the world still combats COVID-19, and while we can’t help students, teachers and admins with everything, we can at least provide a little security advice. Nick Biasini joins the show once again to discuss the best cybersecurity practices as schools spin back up. What should parents tell their kids about electronic devices they bring home? What will IT admins have learned over the past year and a half plus? And how should we deal with the new norm of hybrid learning?

Aug 12, 2022 · 8 min

Talos Takes Ep. #29: Election security roundtable excerpt

This week’s episode is actually an excerpt from our recently released roundtable on disinformation and American election security. This is a small part of our larger discussion on fake news, state-sponsored actors using fake social media accounts, and what can be done to combat the spread of disinformation. To see the whole thing, click here.

Aug 12, 2022 · 6 min

Talos Takes Ep. #21: What's really hiding inside the dark web

The dark web sounds scary — and it is. But what exactly does this dark web consist of? Despite what the name may suggest, it’s actually not people selling organs or stolen video games that happened to fall off the back of a truck. But what is actually on these forums? Azim Khodjibaev joins Jon Munshaw this week to discuss his experience with the dark web.

Aug 12, 2022 · 9 min

Talos Takes Ep. #20: What is an APT, exactly?

We use the term “APT” in cyber security a lot. But what does it mean, exactly? Does a group have to break a certain threshold to become an APT? Does the term refer to a specific malware family or a group of actors? On this week’s Talos Takes, Jon Munshaw talks to Azim from Talos’ Threat Intelligence team about this very topic.

Aug 12, 2022 · 6 min

Talos Takes Ep. #18: Where do cryptominers stand in 2020?

The value of cryptocurrencies is nowhere near where it was just two years ago. So does that mean cryptominers have gone away as a threat? Jon Munshaw and Nick Biasini sit down in this episode of Talos Takes to discuss where cryptominers stand in 2020. Why aren’t we reading about them as much? And why is being hit with one a sign of worse things to come?

Aug 12, 2022 · 6 min

Talos Takes Ep. #15: What is FUD and how adversaries leverage it

Threat researchers like to throw around the acronym “FUD” a lot. But what is FUD, exactly? Why should you look out for it? And why do attackers win when they sow FUD? Joe Marshall and Jon Munshaw walk you through fear, uncertainty and doubt and discuss why panic and misinformation play right into attackers’ hands.

Aug 12, 2022 · 7 min

Talos Takes Ep. #17: How MedusaLocker is different than other ransomware

We published our findings on a ransomware family known as MedusaLocker last week. On its surface, it’s just like any other ransomware family — steals your stuff, encrypts it, and asks for some money to get it back. But there are some secret tricks hidden beneath the surface, and Edmund Brumaghin is here to talk about them.

Aug 12, 2022 · 4 min

Talos Takes Ep. #11: Avoiding fake news during the times of COVID-19

Don’t attackers know we need a break right now? Alas, they’re doing everything they can to capitalize on the COVID-19 pandemic. This includes spreading fear, uncertainty and doubt with fake news, malicious advertisements and misleading information. In this Talos Takes episode, former journalist Jon Munshaw and researcher Nick Biasini discuss best practices for fact-checking, avoiding fake news and intaking the correct information during this trying time.

Aug 12, 2022 · 6 min

Talos Takes Ep. #9: The basics of information stealers

Yes, adversaries are always looking for new ways to make money. But what’s their No. 2 priority? Information. In this episode of Talos Takes, Nick Biasini and Earl Carter break down the basics of information-stealers and why they’re so important to keep out.

Aug 12, 2022 · 4 min

Talos Takes Ep. #4: What's the best way to manage your passwords?

Talos Takes is finally back with its own feed and a new episode. Nick Biasini and Earl Carter discuss the best password practices. Should you use a password manager? What are some best practices? And what does all of this have to do with Disney Plus?

Aug 12, 2022 · 5 min

Talos Takes Ep. #5: The evolution of ransomware

2019 was a huge year for ransomware. Cities across the U.S. had their government services attacked, and adversaries changed up their techniques in the hopes of making a larger profit and infecting more users. What other changes do we see coming to the ransomware space? Are adversaries’ motivations changing at all? And will defense techniques change along with them?

Aug 12, 2022 · 4 min

Talos Takes Ep. #2: How to keep your fancy new IoT toy secure

The holidays have come and gone, and so have the sales. Maybe you got a new drone, or a home AI assistant. So what should you do to make sure those new toys don’t turn against you? Nick Biasini and Earl Carter have some tips for you.

Aug 12, 2022 · 5 min

Talos Takes Ep. #1: How to avoid common holiday shopping scams

We first brought you this episode in the Beers with Talos feed back in December. We’re uploading this to the Talos Takes feed for posterity now, and let’s face it, these holiday shopping reminders can apply to any time you’re shopping online.

Aug 12, 2022 · 4 min