Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
(00:00):
Welcome everybody to the latest episode of Security in 45.
(00:03):
Today is Wednesday, February 21st.
Today's topic is Cisco Talos.
And Andres, I've been looking forward to this conversation
for many months.
The Talos organization is very intriguing.
In my simplistic mind, I kind of think of them
as like a bunch of like James Bond type people
all working together, doing all this cool stuff
(00:25):
that we just hear about.
You know, kind of the backbone for Cisco's security products
and is what definitely keeps so much of our industry secure
from businesses, the banks, governments, schools,
our home networks.
Yeah, yeah.
And very excited to be here, actually. I do have a few notes.
(00:46):
So we know, and from what we know is that
Talos is the largest commercial threat
intelligence team in the world.
So, guys, if I get any of this wrong, let me know.
What, one of the largest in the world?
One of the, oh, okay, okay.
(01:07):
Yeah, I didn't read that one.
And we know it is full of world class data scientists,
researchers, analysts, engineers, and you know,
it's a very, very close group for, you know,
what we've seen so far.
So main idea of Talos is just to keep us safe
(01:28):
from both existing and emerging threats.
So that is super exciting to hear about.
And the other thing to mention is, from Cisco's perspective,
you guys are the underlying security intelligence
behind the entire Cisco security ecosystem.
So this is gonna be really exciting.
(01:48):
You know, it's a, you know,
we talk about multiple security products here in the show
and just ready to hear more about it, Mike.
Yeah, for me, you know,
a security solution is only gonna be as good
as the intelligence source that it's learning from.
For sound security solutions,
(02:10):
we need accurate threat identification.
We need patches and details about these threats.
And we need them before the attack happens
on our own network.
Now today we are super fortunate and excited
to have two Talos engineers on the show with us here,
Joe Marshall and Martin Lee.
Thank you so much for taking the time
(02:30):
to be here with us today.
We are very excited to have you guys on this conversation.
Now let's kick it off and Joe,
we'll go straight to you here.
Maybe I think the audience would love to hear
a little introduction about yourself,
maybe your background and what you do at Talos.
(02:51):
Yeah, I do wanna make an early clarification
with what Martin and Andres said.
We're one of the largest,
but we're for sure the most handsome security researchers
in all of the world.
We have no peers.
We're devastatingly attractive people, all of us.
All right, so my background,
how did I get started?
(03:11):
All that fun stuff.
So I've been with Talos eight and a half years now.
I originally came from the DoD contractor
and power utility space.
And I was brought in to build
the first hardware reverse engineering team inside of Talos
(03:33):
for taking apart smart meters and other things
that you would see on the side of a house
or on a truck or on a train.
And I would do that for about three years
and then I would transition
into sort of the current team that I am now
where I get to take that threat research
and continue to do threat research
to talk to our communities and our constituents
(03:55):
and our customers about what it is that we do
inside of Talos every single day,
which is fight the bad guys.
And it's such a vast swath of things.
It's not just any one individual thing
that it's almost really tough to zero in.
For instance, prior to this call,
I was talking to a community of interest
for transportation security.
(04:18):
Two days ago or a day ago,
I should say I was talking to a medical sector.
So like there's so many different areas
and all of these are related
to like a Cisco account team usually.
And so we're there to assist them,
make them look smart and give our customers,
constituents, communities,
whomever it happens to be that we're speaking to,
just, I don't know, a better security vocabulary,
(04:40):
understand the threats and what we're doing
to punch those bad guys right in the face.
My background and how I got started,
it's really weird with cybersecurity.
I come from an operations background.
So I was an IT guy, I had my MCSE.
I was just doing sort of run of the mill,
sys admin stuff.
And when you do it for a really
security-conscious organization,
(05:01):
you really start to realize
you're really a cybersecurity practitioner,
even if it's not in your title.
So when I would separate from that
and I would go on to the more private sector stuff,
I was an all but native cybersecurity professional.
And then I just needed to get the title
to actually represent that,
which I think is basically saying
(05:21):
everyone's in cybersecurity,
no matter where you are, where you work,
personal or professional,
we're all in this together.
So yeah, that's about it for me.
I kick it over to Martin,
who's got a much more interesting background than I do.
Yes, yeah.
So I'm in cybersecurity by accident,
(05:43):
really through no great design.
I started out my career as a human viral geneticist.
And then I discovered the early internet.
So I thought this,
this is what I'm gonna do with my life.
So I dropped all ambitions of finding a cure for cancer
(06:04):
and stuff like that.
And then jumped into the world of IT,
rose during the dot-com boom, which was awesome,
crashed during the dot-com crash.
And then this job came up writing spam filters.
And this was even before spam was a thing.
And I thought, well, hang on,
this is just a pattern matching thing.
(06:25):
And I knew how to do that through my work
working on virus DNA of how to identify patterns
and measure homology.
And so I got that job, which is now 21 years ago,
actually, I believe it's 21 years ago,
this very week that I started.
And then looking at these very, very early cyber attacks,
(06:49):
and we started distinguishing between,
we were getting lots of sort of normal attacks,
and then we'd start getting some really, really rare
and very, very interesting ones going against
some of our customers, not all of the customers,
only a small subset.
And then we're trying to work out,
(07:09):
well, what's going on here?
Why are we getting all these attacks over here?
And we're getting these things
that are really, really different over there.
And trying to work out what was happening,
who were the bad guys, what it is that they're doing.
And then over the years, spending more time at that,
how do we work out what's happening
(07:31):
in the threat landscape?
What kind of attacks are we seeing?
Why are we seeing them?
How do we detect and block those?
And then most important, talking to customers
about what it is that you need to do
to protect yourself against these.
So I've been now with Cisco for 10 years.
(07:54):
I wrote a book.
So when I started out in threat intelligence,
I didn't even know what I was doing
was called cyber threat intelligence.
And I tried to find a textbook
that would tell me how to do it.
Never found what it was that I wanted.
So last year, basically, I sat down
(08:16):
and I wrote that textbook, the book that I wanted to find
when I started out in the domain.
And ultimately, that's what brought me where I am today.
So basically, it's about working out
what the bad guys are up to,
what are the differences,
how the threat landscape is changing,
and then making sure that people are aware of that
(08:37):
and know how to protect themselves.
Hey, Martin, you've been doing this 21 years, dude.
That's crazy.
What was Moses like?
Was he cool?
Oh, yeah, no, he was a great guy.
He was really interested in cyber attacks.
I don't know if you've heard
about the burning bush malware, but wow.
Oh, no, that's wild, man.
Thought to be a false flag and an insider job,
but yeah, awesome.
(08:59):
Actually, interestingly, he was the guy,
the first guy, the VPN tunnel
that he managed to do the parting of the waters VPN tunnel,
so you could just tunnel through contested waters.
Awesome guy.
I knew VPNs were an older technology.
I knew it.
Wow, fascinating backgrounds, Martin.
(09:22):
I bet you find a lot of similarities
between the genetics part and honestly,
threat hunting, putting pieces of the puzzle together.
I find the similarities a lot in public health
and the analogy that I use,
we're living in another industrial revolution.
(09:42):
We're living in the digital revolution
in the same way that the industrial revolution
changed everything through the 18th and 19th centuries
and led to all sorts of problems like cholera and disease
and all these things that we didn't have before.
The physicians at the time developed models
to actually try and map all of these problems
(10:05):
and understand what was happening,
even though they didn't know
that germ theory of disease didn't exist,
they didn't know what they were dealing with,
but they could analyze it and start piecing together
bits of the puzzle to understand what's happening
and how do we protect people.
And I really feel that we've got to use the same approach now
that in this digital revolution that we're living in,
(10:27):
suddenly there's all these advantages
from digital technologies, but there's problems as well,
such as cyber insecurity and attacks.
And really it's for ourselves
and other similar organizations
to start piecing those bits together,
understanding what's happening, trying to work out
where do we need to act in order to stop these problems
(10:48):
and what information can we give to people
and organizations to actually protect themselves
and make sure they don't come down
with a breach or an incursion.
But yeah, there's a lot of similarities.
Interesting.
And Joe, with the meter,
I mean, talk about the ultimate BYOD device.
Like, can Cisco ISE detect if you bring a meter on?
(11:14):
I don't know, actually.
My inclination is probably not
because they're in a really unique ecosystem
for what's called AMI, advanced metering infrastructure.
It's more cellular, to be honest.
So maybe if a product support specialist
could tell me otherwise,
I'd be kind of curious about that.
Yeah, well, the-
(11:35):
The question I have is how much do you pay on power
and electricity in your house
if you have a hacked one already?
No, no.
So first, I'm legally required to say
that I pay all my power bills on time
with the diligence required
as a law-abiding citizen of this country.
(11:55):
When I first started working for the power company,
my mom asked me, she's like,
I mean, you get free power now?
And I went, no, mom, I still have to pay my power bills.
I don't get anything for free.
If anything, I'm paying myself now
because I pay my power bills.
So yeah.
I wrote a whole chapter on ethics in this damn book.
I've had people criticize on Amazon reviews
(12:18):
that I wasted a chapter writing about ethics.
No, no, no, no, no.
Ethics is a key part of cybersecurity.
Yeah, yeah, we all pay for our electricity
and utility bills.
Yeah, we use our powers for good.
That's my story and I'm sticking to it.
We have great responsibility.
Now, yeah, this is already off to a great start.
(12:41):
And I'll raise some love in this episode.
Now, Joe, I'll kick this over to you.
Can you describe Talos to the audience,
maybe those who are not familiar
with what you guys generally do
and what the organization does?
Yeah, sure.
It's a lot.
We do a lot.
So I need to take you back to hallowed antiquity
if I really wanna get to the core nugget
(13:03):
of what it is we do.
So there was a company in the late 90s called Sourcefire
and they had written this TCP IP inspection tool
called Snort, invented by a guy named Marty Roesch.
And a company was sort of formed around that core nucleus
of this tool called Snort.
And they would go on to sell firewalls
and intrusion detection and prevention systems.
(13:26):
And they would form this core hacker collective
called the VRT, the vulnerability research team.
And both understanding adversary behaviors
and then how their tools and products can protect.
Cisco would acquire Sourcefire in 2014.
So the VRT, which was about a core 50 people,
(13:49):
migrated over and we rebranded as Talos.
I came in right after the acquisition
and I think I was like number 70 or 80
or something like that of like the people
that had been added.
And if you take sort of the two separate areas of Talos
as they exist now, we're about 50% of the people,
450 to 500 people globally.
(14:10):
We're on four different continents.
We speak well over 30 languages amongst all of us.
And we keep just about every security specialization
you can think of under the sun is something
somewhere that we do inside of Cisco Talos
from malware analysis, reverse engineering of hardware,
software vulnerabilities, threat intelligence
(14:32):
in a more pure sense. Like, we've got trained linguists,
or they speak that language natively, with English
as a second language, they speak their native languages,
and they surf the dark web looking for malicious activity
and for any kind of tips that we can get.
We've got a small platoon of just data scientists.
(14:52):
We ingest about six petabytes of threat telemetry a day.
So we have to think about how we are able to scrape
that data then automate it to our customers
to keep them protected.
You know, the old Cisco saying, you know,
see once, protect everywhere is kind of like our mantra
because if we see a malicious URL in email,
I need to know that our XDR solution is gonna catch that.
(15:14):
So on and so on.
So we work tightly with our engineering folks.
There's so much that I'm leaving out,
like just to deliver threat intelligence products
to our customers, like here's a report that we wrote.
And I wanna note that we're not fee for service.
So Martin and myself and the majority of my colleagues
are OPEX, we don't bill our time to anything.
They want us focused on stopping bad people.
(15:36):
So we're given the luxury of,
in runway and to Cisco's credit to be able to go,
let's just go find evil and stop it today,
or let's go find evil and then help make everyone smarter
and safer about knowing what's going on.
I have to say, it just me speaking about my past experiences
and this crazy career I've had,
(15:56):
it's been a privilege to really work here
because you get exposed to things at such a high strata
of importance that you're just sometimes you're flummoxed
at just the enormity of the impact that your organization has,
but the growth and the experiences you're gonna accrue
as a cybersecurity professional are very profound.
(16:19):
And yeah.
Yeah, truly a great cause, the organization as a whole.
I mean, just the concept of finding these threats,
stopping bad things that are occurring, amazing.
And like you said, yeah, the same: see it once,
(16:39):
stop it everywhere.
So as a general example, seeing malware somewhere
and then I guess pushing it out
so that everybody's protected from that point
is a large part of it.
Yeah, so like, I mean,
we're talking about six petabytes of data.
So we're talking URL dispositions,
reputation lookups, talking about emails.
(17:02):
We're talking about binaries, malware.
We're talking about what I call pre-perimeter.
So like DNS resolutions, A record resolutions,
like Umbrella, our product Umbrella.
It's kind of stem to stern and then all the way down
to our firewalls where we have IDS or IPS running.
So Snort, right?
(17:23):
And that permeates, we're applicable
because not every product uses every security intel feed
ingest to be able to say, and to give what I think
the most important thing that any security operations
center analyst, any director of a SOC wants,
which is context, we stopped the bad thing.
Here's why you should care about this bad thing.
(17:45):
If you care to know, right?
And that context, like tying it to the MITRE framework,
we stopped access, was it reconnaissance
or a lateral movement activity?
Here's something to help you better understand this threat
is really the core of what it is
because six petabytes is a lot of data.
Our data lake is massive
because we're a very big organization, Cisco and Talos.
(18:08):
But I'll give you a story.
I was at RSA, gosh, five years ago, I guess.
And our Cisco, I had the pleasure of working
at Cisco booths, anyone who's coming by
and talk about security, but across from us
was another vendor's booth.
And they had this marquee going around
the edge of their booth saying,
we see one trillion signals a day.
(18:29):
And I was like, A, that's a big number,
but B, also, what is a signal?
And like, how do you even get to that number, right?
Like, did you just pick a number out of a hat?
Like, what kind of marketing razzle dazzle
did you just sprinkle on that?
And the context that I really took away from that
was when I went back to think about how we talk about it,
numbers are just numbers.
(18:50):
It's what I get from, if it's one or one trillion,
if I can't contextually tell you why that matters,
then I'm not doing my job.
And we're not giving you a quality product.
So that's just kind of like what we think about a lot
inside of Talos, how we interface with our customers
and our communities and things like that.
I kind of rambled a little bit,
you see where I'm going?
(19:10):
Yep.
That was great.
That actually, I was thinking about Batman when you said,
just be the good guy and find the bad guys
and punch them in the face.
So I don't know if any of you guys are Marvel or DC Comics
fans just throwing out there.
Yeah, no, it's what we do, man.
(19:31):
I love it.
That's awesome.
Awesome.
So I do have the next question, and this was for you, Martin.
And it goes a lot with the book and everything
that you were just showing to us a few minutes ago.
But how does Talos, what's the process,
if you don't mind going over, how do we detect threats
(19:53):
and how do we identify those, if you don't mind going over that?
The key thing to think about is in this data lake,
with all the visibility that we have as part of Cisco
across the entire internet, it's really, really difficult
for the bad guys to do anything malicious that we
(20:13):
don't have a trace of somewhere.
We will have somewhere in our telemetry the trace
of the bad stuff that they're doing.
And really, our game, if you wish,
is to find what is actually happening in the threat
(20:33):
landscape at the moment that's really important.
So we've got loads and loads of bad stuff in our data,
traces of bad guys doing bad things.
And the question is more, it's not so much finding a needle
in a haystack, it's finding a needle in a pile of needles.
We've got all of these traces.
(20:55):
The vast, vast majority of these traces
are processed automatically.
There's no way that we can analyze the data manually.
But within all of that bad stuff that we find,
the trick really becomes identifying
what's different, what's new, what
is actually significant that we're seeing now
(21:16):
that's different from yesterday or different from last week.
And it's that triage of identifying, OK, this thing here
is different.
And that's the stuff that we'll then pass to an analyst
to go and take apart in great detail
to really understand what's happening.
And then from that, we can look at, OK,
(21:38):
what do we need to change in order to detect this better?
Do we just need a couple more signatures,
or do we need to augment or change our protection
in another way?
So yeah, largely it's about data analysis.
It's about treating large numbers of things
(22:00):
automatically and getting the machines to do the heavy work.
But then also identifying what's new, what's important,
what's special, taking the time to understand that
in detail.
And then moving that security posture forward.
Actually, one of the things that I hear sometimes
and where I sort of see organizations going wrong
(22:22):
is they have alerts on their firewall
when they come through to their SOC.
And then what they're trying to do
is resolve every single one of these alerts.
And their best analyst is the one
that closes the most tickets in a day.
And they'll be ever so proud to say, my best analyst,
he can close a ticket in 30 seconds.
Wow, what a guy, what a guy.
(22:43):
And it's like, do you know what?
Don't bother.
Don't bother.
Find the most important alert that you've had today.
Spend a week working out what really, really happened here,
what's really going on.
Learn from that and move your security posture forward
so you never ever get that alert again,
(23:04):
or you never have to worry about it.
It's really not a numbers game.
It's about identifying what's important
and then responding to that appropriately
and moving the security posture forward,
making the world a safer place,
most importantly, making our customers safer,
which is ultimately what we're about.
The prioritization was one of the questions I had,
(23:26):
and you just touched on that, because everyone listening here
has huge amounts of, you know...
Yeah, we're all just flooded with alerts,
with bad stuff, with bad stuff happening.
You know, we're up to our necks in bad stuff.
Pick one thing.
Prioritize.
(23:47):
Find that one thing that's actually the worst thing
or the most important thing or the most pressing thing.
Fix it.
And then you move forward a little bit,
and it's like you're inching yourself
out of that flood of threats,
and little by little, you can move yourself forward.
Ultimately, we've got to make life difficult for the bad guys.
(24:09):
You know, most of the bad stuff out there,
it isn't that difficult to detect
if you've got the right protections in place.
You know, make the easy stuff easy,
and then the difficult stuff, the stuff that's complex,
where we've got a sophisticated threat actor,
and make life difficult for them.
Make them have to work that little bit harder
(24:30):
in the hope that either they'll go
and attack your competitors rather than you
because they'll think that you're difficult,
whereas maybe your competition are an easier target.
And also make it noisy so that you've got a better chance
of actually noticing when something is going wrong,
when there is an incursion.
You know, making it difficult, making it noisy for the bad guys,
(24:54):
reducing their return on investment.
Make it a less profitable activity for them.
But I imagine the behavioral base, like you were saying,
what's different today than there was yesterday,
is that more difficult to detect
than something signature-based where it's like,
this is just a known bad hash and we're, you know...
(25:16):
If someone's using the same malicious tools
time and time and time again without any changing,
wonderful, we can just write a signature
and then we can consign those to history.
In the real world, it doesn't happen like that.
Our best case scenario is they're subtly changing
their tools every single time, so it's got a different hash value.
(25:39):
So we have to look for indicators within a file,
either in the static analysis or the dynamic analysis.
So something that... a test that we can ask it to distinguish
between is this legitimate or is this illegitimate software?
And ultimately, none of those tests can give you...
Well, we're very, very lucky if we find one that says,
(26:01):
yes, absolutely, 100%, this is definitely bad,
or yes, absolutely, 100%, this is definitely good,
which basically becomes a signature.
Mostly we're like, yeah, this is more likely to be bad than good,
or yeah, it kind of looks a bit good, but...
And then ultimately, you have to put all of those different tests
together and look in the context to then decide,
(26:22):
OK, this thing here, we've never seen it before,
but all of the tests we've been able to ask it
are saying, yeah, it really is looking pretty bad.
No single test can give you that response, but many can.
And then we can convict that and declare it bad.
Life becomes a little bit more difficult when the bad guys
(26:44):
are using what's called living-off-the-land binaries.
So using the tools, which are an integral part of your operating
system to do bad stuff.
And that really is where the sport is.
How do we detect when someone is using an entirely legitimate tool
maliciously every time?
(27:07):
There are fingerprints.
The analogy I use, at the scene of every crime,
there are big, sticky fingerprints.
It's the same in cybercrime as well.
Those fingerprints are there.
You just have to look for them.
You have to know what they look like, know where you might find it,
and know how you show them up.
But this is what we do.
(27:28):
And if you know how to do it, fingerprints are there every time.
Excellent.
Excellent.
Thank you, Martin.
I'm learning so much on this one.
I know.
Martin, I'm buying your book after this call.
I'm buying the book.
Yeah, absolutely.
Yeah, mate, go for it.
It's on Amazon.
Joe, I think it would be interesting to hear
if you could walk us through just kind of high level the process,
(27:53):
just so I can have it straight in my mind from discovering
what Martin just said, discovering a threat,
to getting something published for that threat on like a Cisco
firewall, for example.
How does Talos find a threat in the wild
and get us through the update patch?
And if you have an example of a real threat,
that'd be really cool, I think.
(28:13):
But I think that'd be interesting to hear.
Yeah, so this is both science and an art.
We actually, I think last year, maybe the year before,
we published The Art and Science of Detecting
Cobalt Strike, which is an attack framework that exists,
written by one of the most brilliant analysts
(28:35):
that I know, a guy named Nick Mavis, who really, really chewed
down to the bone the nuances of detecting beaconing
and detecting things that our adversaries are going
to utilize inside of a network.
And first and foremost, the thing
that has to happen for like a Snort signature,
or one of our IDS or IPS signatures to work is, well,
(28:56):
it has to traverse the network, right?
So it has to move non-encrypted across the network,
which a lot of stuff does.
Then the thing we're going to need is a proof of concept.
So what is this bad thing trying to do?
So like, is it an SMB-based exploit?
Is this a stack-based buffer overflow
that we can catch traversing the network?
(29:17):
Is this a weird URI that is a very, very specific thing
that we can key on?
And then we have to figure out how
we're going to craft the most optimal detection for it.
Snort's open source.
Anyone can learn Snort.
Anyone can write a signature if they want.
(29:38):
The levels of finesse and care and quality assurance
we put into our detection is unreal.
Because A, we're the experts in it.
We invented it.
But B, because it's such a popular framework
and such an easy, I think, ingest and use,
and there's great documentation for it,
we actually spent a lot of our time looking at community rules.
(30:00):
And maybe there's something there we can abstract.
And maybe there's something we can give them.
To say you can reverse engineer a Snort rule
and learn exactly what the exploit is,
it doesn't quite work that way.
But it's built upon a community that
shared knowledge over two and a half decades now, I guess,
or nearly three decades.
(30:20):
So once we have the proof of concept,
then we need to figure out that optimal way to detection.
And there's a lot of ways to write detection in Snort.
But we want to write the most efficient thing that
triggers on the most precise element of that exploit
that we're trying to catch going across the wire.
And the reason for it is real simple
that we're working in a finite state of resources,
(30:42):
say for a firewall or whatever is doing that detection.
And if it has the inspectors turned on
for a specific protocol, and it's
doing the process of parsing as a HTTP
or whatever is traversing across that firewall,
well, we need to be conscious of the resources
inside that machine.
So if you were to turn on, and I don't ever recommend
you do this, if you were to turn on every Snort
(31:04):
rule we've ever given you inside of our firewalls,
congratulations, you've just got a very hot paperweight
that you've just racked.
Because it's a fine example of shooting yourself in the foot,
but also demonstrating that turning all your inspectors
and then looking at every single packet in a gazillion ways
(31:24):
is just not efficient.
So what you really want to do here
is we want to just be the best we
can be while utilizing the most effective way.
And it really is an art.
It absolutely is an art.
I'll give you a specific example like you asked for.
I was at a conference and a really nasty vulnerability
dropped, and I was with one of the guys
(31:45):
that I had hired, a brilliant reverse engineer named Jared.
And we didn't have much to go on.
We knew that it was a thing.
We knew the researcher who had announced the vulnerability.
But what you typically see in this space
is people will announce the bad thing
and then give you no technical or forensic details around it.
And you're like, I can't do anything
(32:05):
with without forensic details, right?
Well, we found a presentation this guy gave,
and he didn't list the entire attack chain,
but he did list the hex string he used to exploit this device.
I found it on a Slido competitor from five years prior.
I took that string out, that hex string.
I gave it to my guy.
(32:26):
He was actually able to write a Python environment
and script it where that hex string would then
pass across the wire unencrypted.
And then we would get a Snort rule for that
if anyone attempted to exploit that.
It was a Siemens PLC, programmable logic controller.
We're actually able to catch that.
But to do that, find it, quasi-weaponize it
(32:47):
so we can detect it was just the ridiculous layers
of reverse engineering we had to do to be able to craft that
and to detect it.
Detection, mind you.
We were working completely separate.
And this is an example of what an analyst, they
might be given an absolute rotten potato of a proof
of concept and very little data to go off of.
(33:10):
And they'll have to figure out how to recreate that,
get that into an environment, and then test the heck out
of it.
If it's going to false positive a lot,
so it's going to trigger on legitimate traffic,
it just might not be a good signature.
And we're going to have to bin it.
We can't keep it, right?
So we have to think about how do we do all of these things
in the most sane way?
We don't err always on the side of detection
(33:32):
because we have to think about our customers, the customer
experience.
And are they getting the best possible product
for our detection every single time they enable a signature?
Yeah.
That was crazy.
A lot of detail on that one.
Yes.
Yeah.
(33:53):
Actually, hold on.
Hold on.
Hold on.
I have my notes here.
So that was crazy detail.
I just want to say that the process that goes behind it,
I think, doesn't get talked too much about.
And that was really good.
I appreciate the level of detail.
I know the people that come to our webinar
(34:16):
are highly technical.
And this is something that they will appreciate as well.
It's wild, the example, just finding that hex string.
And what you said is from like five years ago
on some PowerPoint slide, man.
Dude, we got so lucky that I found that.
Because I looked at it, and I'm like, this is Greek to me.
And the guy that I brought with me for this conference
(34:38):
looks at me and goes, I think I can do this.
And because we hire just some smart, smart hackers
inside of Talos, he had that thing literally
in a Python script simulating network traffic
and a signature written within an hour.
And I'm like, that was one of those hires
(34:59):
when I hired the guy.
I'm like, high five, Joe.
You did a good job.
Yes.
Yeah.
So I was like, yeah, this was awesome.
But we just got very lucky.
So a good example would be, let's
say, the manufacturer of this meter.
Who made this meter?
I don't remember.
I don't want to out anybody.
Landis+Gyr.
Landis+Gyr makes this meter.
(35:20):
Let's say a bad vulnerability, a zero day, something really
nasty drops.
They're not going to give you the complete forensic details,
but they will say, you should probably
go patch your device because this is bad.
That doesn't help us in Talos because we
need technical specificity to make sure our customers,
our communities, our open source communities, and our customers
(35:41):
are protected.
So there's sometimes you're just going to catch an L
and you're going to be like, without any details,
I can't do this.
We do have information sharing agreements all enshrined
legally in NDAs that lets us swap information with others
to make sure that we can get the technical details.
Sometimes you just strike out.
There's no guarantees you're going
(36:01):
to find that information.
And it can be pretty frustrating, unfortunately.
But that's basically how it kind of works.
Yeah.
Fascinating.
Yeah.
And I'm going to jump right into another question
that I have right here.
And this one's for you, Martin.
Incident response.
(36:22):
This is in the minds of all our customers and everybody
that is in the show.
And more likely into the reactive scenarios,
let's take, for example, a quick example about what
do we see in incident response, reactive services.
(36:44):
What do we do from the Talos perspective?
And if you don't mind talking a little bit about that,
that would be awesome.
The Talos incident response retainer
is basically where the customers buy a certain number
of our analysts' hours.
And you can save up these hours for a rainy day
(37:06):
when you have an incident, when you have an emergency.
The trick, really, and I'll bypass your question
a little bit, the best thing that can happen
is that you don't ever have an incident.
And what you can do is you can use these hours
for our proactive services, where
you can talk to our analysts who will help you or test
(37:31):
your systems to make sure that you're in a very, very good
position and you're less likely to experience an incident.
If you do experience an incident,
you've got those hours on hand that you
can use to talk with our analysts.
They can take charge of the incident
because for the customers experiencing the incident,
(37:53):
ideally, this should be a once in a career event.
You're having a breach, having something go wrong.
This is going to happen to you once in your career.
For our analysts, for our incident response analysts,
this is what we do every day of the year.
So our analysts know exactly what to do,
exactly how to respond, exactly where to find the bad guy,
(38:16):
exactly how to kick them out.
So for the reactive services, you
call on the help of our analysts.
They will come in.
They'll resolve the incident, find where the bad guy is,
kick them out, tell you what happened,
and then also harden the system so the bad guy can't come in.
(38:38):
We're used to working with any kind of environment.
I mean, it would be lovely if everyone bought only Cisco gear.
The reality is, no, people are buying from other vendors.
But that's absolutely fine.
We're used to working in these heterogeneous environments
where there's all sorts of tools, all sorts of systems,
(38:59):
for all sorts of different vendors.
We'll come in, resolve the situation,
identify what's happened, kick the bad guy out,
and remediate your systems, and then harden them
so the bad guy doesn't come back.
This is what our responsive services are all about.
But I think, I mean, to anyone on the call,
(39:19):
really the ones to look for are the proactive services.
You know, you want to minimize the number of emergencies
you have, and you can use the hours
that you're buying for the retainer
for those proactive services, which
is going to make those emergencies less likely.
That's awesome.
(39:40):
That's good.
I mean, we see customers call every day, Mike, right?
That they have questions about this.
This really helps understand what really is
that we're talking about.
That's so true about the proactive services, Martin.
You can prevent getting to the point of the emergency.
Like I said, that's great.
(40:02):
And I guess, Martin, would that be
some of the tabletop exercises and the telestill?
Yeah, absolutely.
Yeah, the tabletop, so working through what a bad guy's
likely to do and how you would respond to that.
We can also check your playbooks,
so the procedures that you have ready for a bad day.
(40:25):
You know, how are you going to detect if there's a breach?
You know, the bad guy's not necessarily going to tell you.
How are you going to detect if there's a breach or you
have an incursion?
What are you going to do when that happens?
How do you respond?
What other groups do you need to do to involve?
For our incident response analysts,
(40:45):
this is what they do.
They've seen it all.
So they can help the customers.
One, I mean, it might really help to say, actually,
do you know what?
These incident response procedures that you got here,
this is as good as it gets.
You know, you guys are doing really, really well.
Or working through it and say, OK, you know,
all of your coordination is built around email.
This is great.
What happens if the bad guy hits your email server?
(41:08):
And you can no longer send and receive email?
Do you have a backup?
What else are you going to do?
This is the kind of scenarios that we've come across.
We can use that knowledge of real world examples,
helping the customers, working it through,
improving their posture.
I think a very good way to think of it is like the fire service.
(41:29):
You know, if you've got a fire actually happening now
in your office, of course, here, you're going to call the fire
service.
They're going to rush around.
They're going to put the fire out.
What you really want to do is talk to your fire prevention
services before then and start talking about, you know,
do you have the fire extinguishers?
Where are the fire extinguishers?
Have you tested them?
(41:50):
You know, are they suitable fire extinguishers for all the stuff
that you're working with?
Do you have a fire alarm?
Do you practice?
Do you have rehearsals?
Do you have a smoke detector?
It's these questions that actually you
want to resolve early so that if there is an incident, one,
you're detecting it early.
You're also responding early, so you're
(42:12):
minimizing the consequences.
But then when you are bringing in that response,
it's not a major problem and everything's on fire
and nobody knows what to do.
It's like, OK, we've got a problem,
but we think we've contained it.
And we think that we're on top of this.
You know, so much in any form of engineering,
it's about thinking what can possibly go wrong?
(42:34):
How can I minimize the chances of this happening
and minimize the consequences if it does happen?
And really, this is what our incident response
services are all about.
Excellent.
And I know it's got to save so much more money investing
in some fire extinguishers, talking to the fire safety
teams, opposed to rebuilding your office,
(42:55):
paying for all the fire truck service.
So great point there, Martin.
Yeah, and rehearse.
Have those rehearsals so that when a bad day happens,
and it does happen, it will happen,
everyone knows what to do.
And it's just, yeah, yeah, yeah, we practiced it.
We practiced this last month.
We practiced this six months ago.
And it's just a simple something that you go through.
(43:19):
Everyone knows what to do.
Everyone knows how to respond.
And it just becomes, yeah, it's something
that somebody didn't want to happen,
but we dealt with it rather than, oh, my god,
this is an absolute disaster.
Everything's falling down.
We don't know what to do.
Great.
So let's see.
Andres, what do we got here?
I could talk with you guys all day.
(43:41):
This is awesome.
We got one more question for each of you.
Maybe we'll have time for the dad jokes one or two.
We'll see.
Joe, maybe quickly, for the audience listening in,
this is all very fascinating.
And we're talking about fingerprints
and being proactive versus reactive as possible.
(44:02):
What do you guys in Talos see as some of the most common ways
our customers are getting attacked?
Is there any low hanging fruit?
Someone in the audience listening,
like, I need to be a little more invested in my own security.
Any high level recommendations about what you guys see
would be a good place to start?
(44:22):
Yeah, tough question, actually, because the threat risk model
is different for personal versus corporate, right?
So if you're a professional, if you're a security practitioner
in that corporate environment, there's a number of ways.
Phishing is always going to be great,
primarily because it's cheap.
(44:44):
The adversaries can do it.
It's spend fractions of a penny, blast out emails.
Someone will open the email and click something they should not.
If it's dumb and it works, it is not dumb.
What I kind of see, there's a pivot there.
They're going more to QR code based attacks
and so those emails.
And we can detect the QR codes,
(45:05):
but there's evasion tactics around that as well,
because what if I access it on my mobile device?
How do I protect myself yet again?
So the threat vectors are always changing from a corporate way,
so like with phishing, but also like we have unpatched,
unmanaged devices on my perimeter.
And I've got a firewall.
I haven't patched in three years.
(45:26):
Will an adversary, a nation state,
can exploit that to gain a foothold
and then pivot either intercept traffic
or pivot deeper into your network and do damage, right?
And whether you're a nation state or what I call like, you know,
crimeware or commodity based,
like ransomware attacks or cartel,
like these things truly don't change
because they're going to throw the kitchen sink at you
(45:47):
to find a way to get in.
What might change is the level of noise they want to make
once they're inside of your network.
I would say those are two of the most common ways,
high level, what we see, and I could drill down into both,
but I'm not going to for the time.
I will say this, like if we want to talk about low hanging fruit
(46:08):
and sort of tacking onto what Martin was saying earlier
about our incident response stuff that we do is,
30% of all our emergency response cases,
like so something's on fire and we're coming to help you put out,
the victim did not have MFA solutions installed.
So having a multifactor authentication solution,
(46:28):
both personally and from a professional perspective
is absolutely invaluable.
Having a password manager, a password vault,
I'm like 1Password, LastPass, I don't care who you use,
is also an A plus way to protect yourself.
Don't reuse your passwords
because data breaches are multiplicative.
(46:50):
If I get breached here, I can read those credentials
perhaps somewhere else and create more damage for you
or attack your environment, your corporate environment.
So like those two things to me are low hanging fruit,
low investment dollars, high return on value
that I would highly recommend to help prevent and mitigate
some of those attacks, but of course there's no fantasy,
(47:12):
there's no silver bullet.
Yeah.
Read our Year in Review report.
This is where we talk about everything that we see,
we talk about the vulnerabilities,
we talk about the attack techniques.
Yeah, read our reports.
This is where we talk about this.
And the vulnerability reports, Mark,
those would be posted on the...
(47:33):
So yeah, on our blog, so blog.talosintelligence.com,
read the Year in Review report
and also the quarterly threat reports that we make.
This is exactly what we do and what we talk about.
Great.
That's awesome.
You heard it folks, that's a good place to spend some dollars
(47:56):
to have that high return on security.
So the MFA and then a simple password manager.
You said roughly 30%.
Great, thank you.
Yeah, and we'll make sure we update on the page.
Yeah, we're going to list all that for sure.
That's great.
That's great, that's great.
(48:17):
I think I do have the last question for you, Martin,
and this one's going to be super simple, I hope.
But where can we learn more about Talos Intelligence?
So www.talosintelligence.com is the simple answer.
On our blog, which you'll find a tab on the website,
(48:41):
or just go to blog.talosintelligence.com,
this is where we publish everything that we think
that you need to know.
So we've got our various reports.
We've got our newsletter, which is a very, very good place to start.
Some of the reports go into more detail than others.
Some stuff is sort of written for an audience of security researchers,
(49:05):
but very simply the Year in Review and the quarterly reports
and the newsletter are the places to start.
But everything that we think you need to know is published on our blog.
Excellent.
That's awesome.
Those last two questions, one kind of quick.
(49:27):
We're a little bit over, but do you guys want to run through the Dad Joke contest?
Hey, yeah, let's go through the Dad Jokes.
I'm happy, bro.
So happy to hear that, Martin.
Some of these are pretty good.
So what we'll do is I'll just start it at 90 seconds here.
You each are going to get asked four Valentine's Day specific Dad Jokes.
(49:48):
Just see if you can come up with the correct answer.
If you say skip, we can always come back to it.
Let's see, Andres, I think you're asking to Martin first.
Let's do it.
I'll start it.
When he gets about 10 seconds, I'll say 10.
All right.
Ready, set, go.
(50:10):
All right.
So I'll go first.
Go ahead.
I'm already eating your time.
So here's the one.
If the letters Q and T were dating, what would be their celebrity name?
OK, what I would do, I would have a good hard talk with T,
because everyone knows you've got to mind your P's and Q's.
(50:35):
No point for that one, Mike.
That was great.
Oh, love it.
Let's do the next one.
This one is we thought it was super fun.
How did the telephone propose to his girlfriend?
So initially, my thoughts are something to do with rotary dial action and finger
(50:55):
strength, but I think we probably don't want to go there.
So I would imagine it's more to do with could it be giving her a ring?
Oh.
That was good.
That's actually the answer.
It's killing it.
All right.
And the answer for the previous one was cutie.
(51:20):
All right, the next one.
What did the paper clip say to the magnet?
OK, this is another red flag for dating, because magnets are attracted to anything
ferrous.
They are never going to be faithful to you.
A magnet is not going to be a faithful partner.
And if you do get into that relationship, it's going to be very, very difficult to pull
(51:40):
it apart.
They're very clingy.
Never date a magnet.
That's actually the answer.
All right, the next one.
What did one cat say to the other cat on Valentine's Day?
I can't believe that you forgot again.
(52:01):
No, no, said you're perfect.
No, it would be definitely you've forgotten again.
These are awesome.
That was great.
I would get Martin extra points for coming up with the Ps and Qs and then the meow one.
Oh my gosh, that is great.
(52:21):
I'm trying not to turn red over here laughing.
All right, Joe, are you ready?
I suck at these.
Come at me, man.
Let's just get the bandaid off.
Shall we?
Here we go.
Time is starting now.
What did the dark closet say to the light bulb?
(52:43):
How much is this power bill going to cost me?
I don't know.
I've got nothing.
All right, we could skip that one.
Come back to it.
What is Cupid's favorite rock band?
Heart.
Good one.
That okay, that's not it.
But that would count.
That's amazing.
What did the puzzle say on Valentine's Day?
(53:04):
You complete me.
Got it.
Knock.
What's that?
Knock knock.
Oh, you're thankful.
This is a PG.
Who's there?
Olive.
I hate olives.
(53:27):
You got to say London food.
All of who all of who sorry.
And then could you complete the rest?
I love all of you.
I don't know.
I don't know.
Oh Joe, all of you all of who to.
Okay, there you go.
You got it.
So little help from a friend.
(53:47):
You got it.
Let's go quick.
It's back to the first one.
What did the dark closet say to the light bulb?
You still got 15 seconds.
And the honor and I'll come out of the closet.
Light me up.
I don't know.
I got you.
You light up my world.
Ding ding ding.
I was well guys.
Well, I was I was I.
(54:08):
Oh, I bring you shut down.
That was good.
You guys got more than I would have and when we were coming up
these questions, we were like we know these guys are going to
be smart.
You know, we knew you guys are going to do a great job.
So, well, that was fun.
I'm glad we got some got those in.
Andres, how about we summarize this and let's close it out.
(54:30):
Let's do it.
Let's do it.
I know we went a little bit over.
So we're going to slide through this quick section on
the summary.
So a few things that stuck in my mind and I'm thinking about,
you know, is understand what Talos is doing as an organization.
What do they do?
How they help our customers and how they help us also just,
(54:54):
you know, understanding how we detect threats.
A lot of information right now in the Talos blog.
I see, you know, there's a lot of information, indications of
compromise, any tool that you're using for threat hunting.
It's going to leverage that information as well.
We learn also discovery and publishing for new rules.
(55:17):
That was actually awesome doubt that, you know, I probably have
to go back and recheck some of that information.
And, you know, we're here to fight the good fight.
I know, you know, that's one of the things that Talos says a lot.
So that's my takeaway, I guess.
Right, for me, the proactive security and the reactive security
(55:39):
huge components. Martin, you were talking about investing and things
like it about days going to happen.
Let's try and fine-tune that as much as we can and prepare for
it.
Stop making the bad day worse.
Yes.
Yes.
And then that reactive portion of it to hate when that bad day
(55:59):
does happen.
We can step in and help incident response as an example as opposed
to this tabletop exercises for the proactive Joey covered that
low-hanging fruit, you know, we talked about the MFA and then
the simple password managers like cost-effective ways to
decrease the chances of us being attacked and then Martin, what
(56:21):
is the website again?
So blog.talosintelligence.com.
Okay, great.
And then I know you guys and Talos have the beers with Talos
podcast, which is super cool as well as Talos takes.
Andres and I are huge promoters of what you guys do for the
(56:41):
good in the world.
So thank you for having jobs that are so meaningful to the
point that you're truly out stopping bad guys and keeping us
all safe.
So and of course, thank you so much for your time on the show
Joe and Martin.
Andres, our next call is March 19th.
We're going to be talking about a brand-new Cisco security
(57:01):
solution called Secure Access.
That's a SASE solution, which is meshing security with connectivity.
I have thoroughly enjoyed today's show something.
I've been looking forward to a long time Martin Joe.
We hope I hope everybody else out there enjoy this show as much
as we have we will see everyone on the next show.
(57:22):
Have a fantastic day, Martin, Joe.
Thank you again.
Thank you.
Thank you.
It's right guys.
Take care.