Cisco Talos

Cisco Talos, or Cisco Talos Intelligence Group, is a cybersecurity technology and information security company based in Fulton, Maryland.^[1] It is a part of Cisco Systems Inc. Talos' threat intelligence powers Cisco Secure^[2] products and services, including malware detection and prevention systems. Talos provides Cisco customers and internet users with customizable defensive technologies and techniques through several of their own open-source products, including the Snort intrusion prevention system and ClamAV^[3] anti-virus engine.

Cisco Talos

Company type	Public Company
Industry	Computer and Network Security
Headquarters	Fulton, Maryland
Parent	Cisco Systems, Inc.
Website	https://talosintelligence.com/

The company is known for its involvement in several high-profile cybersecurity investigations, including the VPNFilter wireless router malware attack^[4] in 2018 and the widespread CCleaner supply chain attack^[5] In 2017.

History

Sourcefire was founded in 2001 by Martin Roesch, the creator of the Snort intrusion prevention system. Sourcefire created an original commercial version of Snort known as the "Sourcefire 3D System," which eventually became the Firepower line of network security products. The company's headquarters were in Columbia, Maryland in the United States, with offices across the globe.

On July 23, 2013, Cisco Systems announced a definitive agreement to acquire Sourcefire for $2.7 billion.^[6] After Cisco's acquisition of Sourcefire, the company combined the Sourcefire Vulnerability Research Team (Sourcefire VRT), Cisco's Threat Research, Analysis, and Communications (TRAC) team, and Security Applications (SecApps) to form Cisco Talos in August 2014. Today, Talos sits under the Cisco Secure umbrella and operates the Cisco Talos Incident Response (Talos IR) team.^[7]  

In 2014, Cisco Talos helped co-found the Cyber Threat Alliance, a not-for-profit organization with the goal of improving cybersecurity "for the greater good"^[8] by encouraging collaboration between cybersecurity organizations by sharing cyber threat intelligence^[9] amongst members. As of 2022, the organization had more than 40 members,^[10] including Fortinet, Checkpoint, Palo Alto Networks and Symantec.

In 2019, Cisco Security Incident Response Services group announced a new partnership with Talos,^[11] becoming Cisco Talos Incident Response (Talos IR).^[12] Since the creation of Talos IR, the group was named as a leader by IDC in the 2021 MarketScape for Worldwide Incident Readiness Services^[13] (doc #US46741420, November 2021). Talos IR was also added to the approved vendor list on the Bundesamt für Sicherheit in der Informationstechnik (BSI) Advanced Persistent Threat (APT) response service providers list in May 2022.  

Threat research

Talos regularly collects data on the latest cybersecurity threats, malware, and threat actors through several avenues. That information then powers Cisco Secure's products, including Cisco Secure Cloud^[14] and Cisco Secure Endpoint.^[15]

The FBI and U.S. Cybersecurity and Infrastructure Security Agency has credited Talos with several major security research breakthroughs, including the VPNFilter malware that could take over home wireless routers, the BlackCat ransomware group,^[16] the active exploitation of the PrintNightmare vulnerability^[17] in Microsoft Windows and the router malware, a cousin of VPNFilter.

In 2017, Talos discovered a malware known as Nyetya^[18] (or "NotPetya") disguising itself as an update for the Ukrainian tax software^[19] MeDoc. Nyetya was originally believed to be a ransomware attack targeting multinational corporations. But Talos was amongst the first threat research groups to discover that the attack was deliberately designed to destroy data and target Ukraine.

In May 2018, Talos worked with the FBI in the U.S. to disclose the existence^[20] of a widespread wireless router malware known as VPNFilter. At the time of their initial disclosure, Talos stated that as many as 500,000 networking devices,^[21] mainly consumer-grade internet routers, were already infected with the malware across 54 countries.^[22] VPNFilter essentially acted as a "kill switch" the threat actor could pull at any time to render the device useless. The FBI would go on to release a warning^[23] telling users of the affected routers to factory reset their devices to protect against the malware. American law enforcement agencies would eventually go on to seize the botnet associated with VPNFilter and even backdoored some consumer routers. A variant of VPNFilter known as Cyclops Blink would arise again in 2022^[24] in Ukraine after Russia's invasion.

Later that year, Talos responded to a major cyber attack against the Winter Olympics in Pyeongchang, South Korea. Eventually dubbed "Olympic Destroyer," Talos found the actors wanted to completely wipe computers used on-site for the opening ceremony, rendering them unusable. The cyber attack disrupted the Olympics' official website the day before the opening ceremony, and attendees were unable to access the site or print their tickets to attend the Olympic events. The Wi-Fi in Pyeonchang Olympic Stadium also stopped working for several hours before returning to normal. Although many media outlets reported the attack came from a Russian threat actor, Talos stated there was too much doubt surrounding this assertion to attribute the attack confidently. Talos has since gone on to work on Olympic cybersecurity at other Games.  

Talos has been heavily involved in protecting Ukraine's network during the 2022 Russo-Ukrainian War. The company announced in early March 2022 that it was directly operating security products 24/7 for critical customers in Ukraine. More than 500 employees in Cisco were assisting at the time in collecting open-source intelligence for Talos to act on. Talos researchers also created Ukraine-specific protections based on the intelligence they received. The company also wrote about numerous cyberattacks targeting Ukraine during Russia's invasion, including countless spam campaigns and wiper malware families.

Vulnerability Research

Cisco Talos has a Vulnerability Research team that identifies high-priority security vulnerabilities^[25] In computer operating systems, software and hardware, including platforms like ICS and IoT systems. This team works with vendors to disclose and patch more than 200 vulnerabilities a year.  

References

1. "Cisco Talos Intelligence Group | LinkedIn". www.linkedin.com. Retrieved 2024-01-10.
2. "Cisco Secure Products and Solutions". Cisco. Retrieved 2022-08-10.
3. "ClamAVNet". www.clamav.net. Retrieved 2022-08-10.
4. Largent, William (23 May 2018). "New VPNFilter malware targets at least 500K networking devices worldwide". Retrieved 2022-08-10.
5. Brumaghin, Edmund (18 September 2017). "CCleanup: A Vast Number of Machines at Risk". Retrieved 2022-08-10.
6. "Cisco Agrees to Buy Sourcefire in $2.7 Billion Deal". Bloomberg.com. 2013-07-23. Retrieved 2022-08-10.
7. "Cisco Talos Incident Response || Cisco Talos Intelligence Group - Comprehensive Threat Intelligence". talosintelligence.com. Retrieved 2022-08-10.
8. Holseberg, Kate. "Home". Cyber Threat Alliance. Retrieved 2022-08-10.
9. "Cyber Threat Alliance". Cyber Threat Alliance. Retrieved 2022-08-10.
10. Holseberg, Kate. "Membership". Cyber Threat Alliance. Retrieved 2022-08-10.
11. Munshaw, Jon (5 November 2019). "Talos, Cisco Incident Response team up to offer more protection than ever". Retrieved 2022-08-10.
12. "Cisco Talos Incident Response || Cisco Talos Intelligence Group - Comprehensive Threat Intelligence". talosintelligence.com. Retrieved 2022-08-10.
13. idcdocserv.com https://idcdocserv.com/US46741420e_Cisco. Retrieved 2022-08-10. {{cite web}}: Missing or empty |title= (help)
14. "Cisco Security Cloud: Open, Integrated Platform". Cisco. Retrieved 2022-08-10.
15. "Cisco Secure Endpoint (Formerly AMP for Endpoints)". Cisco. Retrieved 2022-08-10.
16. "FBI: This ransomware written in the Rust programming language has hit at least 60 targets". ZDNet. Retrieved 2022-08-10.
17. "Russian State-Sponsored Cyber Actors Access Network Misconfigured with Default MFA Protocols | CISA". www.cisa.gov. 15 March 2022. Retrieved 2022-08-10.
18. Alexander Chiu (27 June 2017). "New Ransomware Variant "Nyetya" Compromises Systems Worldwide". Retrieved 2022-08-10.
19. Biasini, Nick (5 July 2017). "The MeDoc Connection". Retrieved 2022-08-10.
20. "Justice Department Announces Actions to Disrupt Advanced Persistent Threat 28 Botnet of Infected Routers and Network Storage Devices". www.justice.gov. 2018-05-23. Retrieved 2022-08-10.
21. Largent, William (23 May 2018). "New VPNFilter malware targets at least 500K networking devices worldwide". Retrieved 2022-08-10.
22. "Talos finds new VPNFilter malware hitting 500K IoT devices, mostly in Ukraine". ZDNet. Retrieved 2022-08-10.
23. Limer, Eric (2018-05-30). "Reboot Your Router, But Don't Stop There". Popular Mechanics. Retrieved 2022-08-10.
24. Malhotra, Asheer (24 March 2022). "Threat Advisory: DoubleZero". Retrieved 2022-08-10.
25. "Zero-Day Vulnerability & Disclosed Vulnerabilities Reports || Cisco Talos Intelligence Group - Comprehensive Threat Intelligence". www.talosintelligence.com. Retrieved 2022-08-10.