Cisco Talos

Cisco Talos Intelligence Group is a cybersecurity technology and information security company based in Fulton, MD that’s a part of Cisco Systems Inc. Talos’ threat intelligence powers Cisco Secure products and services, including malware detection and prevention systems. Talos provides Cisco customers and internet users with customizable defensive technologies and techniques through several of their own open-source products, including the Snort intrusion prevention system and ClamAV anti-virus engine.

The company is known for its involvement in several high-profile cybersecurity investigations, including the VPNFilter wireless router malware in 2018 and the widespread CCleaner supply chain attack in 2017.

History

Sourcefire was founded in 2001 by Martin Roesch, the creator of the Snort intrusion prevention system. Sourcefire created an original commercial version of Snort known as the “Sourcefire 3D System,” which eventually became the Firepower line of network security products. The company's headquarters was in Columbia, Maryland in the United States, with offices across the globe.

On July 23, 2013, Cisco Systems announced a definitive agreement to acquire Sourcefire for $2.7 billion. After Cisco’s acquisition of Sourcefire, the company combined the Sourcefire Vulnerability Research Team (Sourcefire VRT), Cisco’s Threat Research, Analysis, and Communications (TRAC) team and the Security Applications (SecApps) to form Cisco Talos in August 2014. Today, Talos sits under the Cisco Secure umbrella and operates the Cisco Talos Incident Response (Talos IR) team.  

In 2014, Cisco Talos helped co-found the Cyber Threat Alliance, a not-for-profit organization with the goal of improving cybersecurity "for the greater good" by encouraging collaboration between cybersecurity organizations by sharing cyber threat intelligence amongst members. As of 2022, the organization had more than 40 members, including Fortinet, Checkpoint, Palo Alto Networks and Symantec.

In 2019, Cisco Security Incident Response Services group announced a new partnership with Talos, becoming Cisco Talos Incident Response (Talos IR). Since the creation of Talos IR, the group was named as a leader by IDC in the 2021 MarketScape for Worldwide Incident Readiness Services (doc #US46741420, November 2021). Talos IR was also added to the approved vendor list on the Bundesamt für Sicherheit in der Informationstechnik (BSI) Advanced Persistent Threat (APT) response service providers list in May 2022.  

Threat research

Talos regularly collects data on the latest cybersecurity threats, malware and threat actors through several avenues. That information then powers Cisco Secure’s products, including Cisco Secure Cloud and Cisco Secure Endpoint.

The FBI and U.S. Cybersecurity and Infrastructure Security Agency has credited Talos with several major security research breakthroughs, including the VPNFilter malware that could take over home wireless routers, the BlackCat ransomware group, the active exploitation of the PrintNightmare vulnerability in Microsoft Windows and the router malware, a cousin of VPNFilter.

In 2017, Talos discovered a malware known as Nyetya (or “ NotPetya”) disguising itself as an update for the Ukrainian tax software MeDoc. Nyetya was originally believed to be a ransomware attack targeting multinational corporations. But Talos was among the first threat research groups to discover that the attack was deliberately designed to destroy data and target Ukraine.

In May 2018, Talos worked with the FBI in the U.S. to disclose the existence of a widespread wireless router malware known as VPNFilter. At the time of their initial disclosure, Talos stated that as many as 500,000 networking devices, mainly consumer-grade internet routers, were already infected with the malware across 54 countries. VPNFilter essentially acted as a “killswitch” the threat actor could pull at any time to render the device useless. The FBI would go on to release a warning telling users of the affected routers to factory reset their devices to protect against the malware. American law enforcement agencies would eventually go on to seize the botnet associated with VPNFilter and even backdoored some consumer routers. A variant of VPNFilter known as Cyclops Blink would arise again in 2022 in Ukraine after Russia’s invasion.

Later that year, Talos responded to a major cyber attack against the Winter Olympics in Pyeongchang, South Korea. Eventually dubbed “Olympic Destroyer,” Talos found the actors wanted to completely wipe computers used on-site for the opening ceremony, rendering them unusable. The cyber attack disrupted the Olympics' official website the day before the opening ceremony, and attendees were unable to access the site or print their tickets to attend the Olympic events. The Wi-Fi in Pyeonchang Olympic Stadium also stopped working for several hours before returning to normal. Although several media outlets reported the attack came from a Russian threat actor, Talos stated there was too much doubt surrounding this assertion to attribute the attack confidently. Talos has since gone on to work on Olympic cybersecurity at other Games.  

Talos has been heavily involved in protecting Ukraine’s network during the 2022 Russo-Ukrainian War. The company announced in early March 2022 that it was directly operating security products 24/7 for critical customers in Ukraine. More than 500 employees in Cisco were assisting at the time in collecting open-source intelligence for Talos to act on. Talos researchers also created Ukraine-specific protections based on the intelligence they received. The company also wrote about several different cyber attacks targeting Ukraine during Russia’s invasion, including several spam campaigns and wiper malware families.

Vulnerability Research

Cisco Talos has a Vulnerability Research team that identifies high-priority security vulnerabilities in computer operating systems, software and hardware, including platforms like ICS and IoT systems. This team works with vendors to disclose and patch more than 200 vulnerabilities a year.  

References

{{Reflist

Cisco Systems acquisitions