Strings in the maze: Finding hidden strengths and gaps in your team

Welcome to this week’s edition of the Threat Source newsletter. 

“The truth about the world, he said, is that anything is possible… For existence has its own order and that no man’s mind can compass, that mind itself being but a fact among others.” ― Cormac McCarthy, “Blood Meridian”

Earlier this week, I spent a few days off to take a reading retreat with my wife. Diving into several books from various genres and sitting on several quiet acres in the Texas hill country was a wonderful way to refuel. While reading a completely different book, I was reminded of this quoted section from Cormac and it gave me pause.  

We, as security practitioners, often move forward with the knowledge and expertise we’ve acquired along the various paths that led us to this point. It’s easy to fall into the trap of assuming that, because we’ve shared similar experiences, we all possess the same skillsets — each of us following our own string in the maze. In the end, the gaps between what we assume about each other and the reality can be tremendous. How do we ensure these aren’t the very gaps adversaries exploit, and that our perceived strengths don’t become our weaknesses? 

It comes down to communication and community. Talking openly about our skillsets can feel unnecessary among seasoned practitioners—we often assume that everyone has followed a similar path through the maze of their careers. But in practice, conversations quickly reveal this isn’t the case. One of the best ways to build the soft skills that help your career grow is by meeting with your team and discussing the technical skills that got you here and how you apply them now, which skills still benefit your daily routine, and which have fallen by the wayside through obsolescence. If you can create a meeting focused on this topic — rotating among your direct team and involving the team or leader above — you’ll start to pinpoint the skillsets that have the greatest impact on your day-to-day work.

This process will help you identify the specific technical skills needed when hiring or training new team members. It also gives junior analysts a clear view of what senior analysts rely on in their expanded roles, helping to guide their own education. Furthermore, when everyone understands the technical and soft skills that leadership uses, it can help remove the distance between technical and people leaders — and can leave a “string” for those early in their careers to follow as they navigate their own path through the maze.

Know your environment. This is always my first answer whenever I’m asked what to do next or how to proceed. Knowing with extreme clarity both the skillsets on your team and the foundation they’re built upon will allow your team to thrive and grow. It also makes it easier to identify opportunities for cross-training and to provide targeted mentorship where it’s needed most. 

“War was always here. Before man was, war waited for him. The ultimate trade awaiting its ultimate practitioner.” ― Cormac McCarthy, “Blood Meridian”

The one big thing 

According to the Cisco Talos IR Trends Q3 2025 report, over 60% of our incident response cases involved attackers exploiting public-facing applications, mainly through the ToolShell attack chain against unpatched Microsoft SharePoint servers. This is a huge jump from under 10% last quarter. About 20% of cases were ransomware-related (down from 50%), but new ransomware variants and tactics, like using legitimate tools for persistence, were seen. Attackers also increased their use of compromised internal accounts for phishing, and public administration became the top targeted sector for the first time since we began these reports in 2021. 

Why do I care? 

Attackers are going after anyone with exposed or outdated systems, including local governments and public services. With attackers exploiting new vulnerabilities almost immediately (especially in widely used software like SharePoint), even small delays in patching or weak internal defenses can put your organization and its data at serious risk. 

So now what? 

Prioritize rapid patching of public-facing applications, especially after new vulnerabilities are disclosed, and implement strong network segmentation to limit attackers’ lateral movement. Additionally, enhancing multi-factor authentication, improving centralized logging, and educating your users can help detect and block attacks earlier. 

Top security headlines of the week 

Vulnerability in Dolby Decoder can allow zero-click attacks 
Tracked as CVE-2025-54957 (CVSS score of 7.0), the security defect can be triggered using malicious audio messages, leading to remote code execution. On Android, the vulnerability can be exploited remotely without user interaction. (SecurityWeek)

131 Chrome extensions caught hijacking WhatsApp Web for massive spam campaign 
Researchers have uncovered a coordinated campaign that leveraged 131 rebranded clones of a WhatsApp Web automation extension for Google Chrome to spam Brazilian users at scale. (The Hacker News)

Prosper data breach impacts 17.6 million accounts 
Hackers stole personal and financial details belonging to 17.6 million users of the Prosper lending platform, including Social Security numbers and government IDs. (SecurityWeek)

“PassiveNeuron” cyber spies target orgs with custom malware 
A threat campaign is targeting high-profile organizations in the government, industrial, and financial sectors across Asia, Africa, and Latin America, with two custom malware implants designed for cyber espionage. (Dark Reading)

Most prevalent malware files from Talos telemetry over the past week 

SHA256: d933ec4aaf7cfe2f459d64ea4af346e69177e150df1cd23aad1904f5fd41f44a
MD5: 1f7e01a3355b52cbc92c908a61abf643
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=d933ec4aaf7cfe2f459d64ea4af346e69177e150df1cd23aad1904f5fd41f44a
Example Filename: cleanup.bat
Detection Name: W32.D933EC4AAF-90.SBX.TG

SHA256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507
MD5: 2915b3f8b703eb744fc54c81f4a9c67f
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507
Example Filename: e74d9994a37b2b4c693a76a580c3e8fe_1_Exe.exe
Detection Name: Win.Worm.Coinminer::1201

SHA256: 41f14d86bcaf8e949160ee2731802523e0c76fea87adf00ee7fe9567c3cec610
MD5: 85bbddc502f7b10871621fd460243fbc
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=41f14d86bcaf8e949160ee2731802523e0c76fea87adf00ee7fe9567c3cec610
Example Filename: 85bbddc502f7b10871621fd460243fbc.exe
Detection Name: W32.41F14D86BC-100.SBX.TG

SHA256: 96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974
MD5: aac3165ece2959f39ff98334618d10d9
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974
Example Filename: 96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974.exe
Detection Name: W32.Injector:Gen.21ie.1201

SHA256: 629ff05b7396cd0278ac345008b1e9246a6511da973e3e7eb630c5890758c15a
MD5: 6692f8df8616472715273203b42e754d
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=629ff05b7396cd0278ac345008b1e9246a6511da973e3e7eb630c5890758c15a
Example Filename: EasyAsVPNgo.exe
Detection Name: W32.Proxy.27e2.1201
