In today’s world, cybersecurity incidents are not a matter of if, but when and how. From ransomware attacks to data breaches exposing sensitive information, organizations face a changing threat landscape. As a result of cybersecurity attacks, organizations can experience downtime, financial losses, reputational damage and regulatory penalties. That’s when it really helps to have a team like Cisco Talos Incident Response (Talos IR) by your side. But what exactly happens when you bring in a team of cybersecurity responders? How do we turn chaos into control, and what is the long-term value that Talos IR provides to the organizations we work with?

This blog post takes you behind the scenes of engaging an incident response (IR) firm like Talos IR. We will walk through what really happens during an IR engagement, from the moment you pick up a phone and call for help in the middle of a crisis to the long-term changes that make your organization stronger and more secure.

Why engage an IR team? 

Before diving into the process, let’s address the fundamental question: Why engage an IR firm? Cybersecurity incidents are complex, often requiring specialized skills, tools and experience that internal teams may lack. The Talos Year In Review Report highlights the rising frequency and sophistication of attacks; as a result, many security teams are struggling to address emergencies due to resource constraints or the complexity of response at scale. 

Engaging an IR firm like Talos IR brings several key advantages: 

• Speed and availability: We provide 24/7 global support, with response times often under a few hours for remote engagements and on-site support wherever needed. Engaging an IR firm is like calling in a S.W.A.T. team for a cybersecurity crisis. We bring the tools, tactics and experience to contain the threat and minimize damage while guiding the organization toward recovery and increasing future resilience. 
• Expertise: With numerous incident responders and threat intelligence analysts, all of whom have access to industry-leading Talos threat intelligence, the team has deep experience handling diverse threats, from ransomware to business email compromise (BEC). We handle it all, from “small” attacks on a single organization to a country-level threats. We don’t focus just on typical IT environments — we work with ICS/OT, cloud or mobile forensic, as well.  
• Vendor-agnostic approach: Talos IR works with customers’ existing infrastructure and tooling, whether you use Cisco products or not. We simply don’t like to wait for deployment of tools before getting our hands dirty in all the logs, consoles and forensic artifacts. At a time when you are already resource-constrained, the last thing we want to do is make you replace an existing security solution, such as endpoint detection and response (EDR), on the endpoints. 
• Comprehensive services: Beyond emergency response, Talos IR provides proactive services like Threat Hunting and IR Planning to strengthen your security posture before an incident happens or after to build up resilience.

Overview of the IR lifecycle 

The IR process typically follows a structured lifecycle, based on frameworks such as NIST SP 800-61 or the SANS Institute’s model. Talos IR aligns with these best practices, tailoring its approach to organization’s unique needs at the time of crisis and beyond. Handling incidents day in and day out has given Talos IR a deep well of experience, and we’ve built that knowledge into processes to support every organization we work with. The lifecycle of our IR typically includes: 

1. Preparation 
2. Identification 
3. Containment 
4. Eradication 
5. Recovery 
6. Lessons learned 

When you engage Talos IR, we apply this lifecycle with a blend of technical prowess, threat intelligence and collaborative teamwork. Let’s walk through each phase in detail.

Phase 1: Preparation (before the incident) 

Preparation is the foundation of effective IR. While many organizations only engage IR firms during a crisis, proactive engagement with Talos IR can significantly reduce the impact of future incidents. With a Talos IR retainer, you secure an agreement that ensures rapid response during an emergency and access to proactive services tailored to your organization’s risk profile and needs, offering: 

• Emergency response: Guaranteed access to a global team within a short time of experiencing of an incident. During major global cybersecurity events like Wannacry, Heartbleed or Log4J or others, an existing retainer can be the difference between receiving immediate help and waiting days to weeks.
• Proactive services: Access to proactive services for Threat Hunting, Tabletop Exercises or Purple Teaming
• Relationship building: Familiarity with your environment, reducing response time during a crisis

These services build trust and familiarity, ensuring Talos IR can hit the ground running during an emergency.

Phase 2: Identification (beginning of incident) 

When a cybersecurity incident occurs, the first step is identifying and confirming the threat, whether it’s a ransomware attack, phishing campaign, or data breach. This is often when organizations reach out to Talos IR. Talos IR’s emergency response team is available 24/7 and can be reached via phone or email, but phone is the fastest and most direct way to reach our dedicated IR team.  

Initial call

During the first call, Talos IR gathers critical information to help us move onto analysis as soon as possible: 

• Nature of the incident: What symptoms were observed (e.g., encrypted files, suspicious emails, new files on the webserver that were committed outside of the development lifecycle)? 
• Affected systems: Which servers, endpoints, or networks are impacted? 
• Business impact: Is the incident disrupting operations or exposing sensitive data? 
• Existing actions: What steps have been taken so far? 
• Visibility: What existing systems and tools can we access to handle the incident? Would complimentary Cisco tools help close a current gap, such as no EDR solution on a specific network? 

Triage, scoping and analysis 

Talos IR deploys a team led by an Incident Commander, who coordinates efforts and communicates with the stakeholders. The Incident Commander is supported by a skilled team of responders, threat analysts and project managers who keep everything moving and progress analysis 24/7. We typically start our work with in-depth triage of your environment which often involves: 

• Log analysis: Reviewing logs from security information and event management (SIEM) systems, EDR tools, or network devices to identify indicators of compromise (IOCs)
• Threat intelligence: Leveraging Talos global telemetry to match IOCs against known adversary tactics, techniques and procedures (TTPs)
• Digital forensics: Collecting and analyzing evidence, such as memory dumps or disk images, to understand the attack’s scope

What makes IR truly effective is having access to as much relevant data as possible from the very beginning. The earlier our team can review endpoint telemetry, network traffic, identity logs and other critical data points, the faster we can determine what happened, how far the threat spread and what needs to be done to contain the threat. We often use the triage process to understand and search for: 

• Initial access vector: Common vectors include phishing, exploited vulnerabilities (e.g., Microsoft Exchange Server flaws), or misconfigured VPN servers. You can read all about the trends we see each quarter here. 
• Adversary goals: Is the attacker after data theft, ransomware deployment, or persistent access? 
• Scope: How many systems, users, or networks are affected? 
• Persistence mechanisms: Are there backdoors, scheduled tasks, or web shells that allow re-entry? 
• Data exfiltration: Was sensitive data stolen? 

Talos IR provides an initial assessment, outlining the incident’s severity and recommended next steps, and keeps you updated daily. This phase sets the stage for containment, where speed is critical to limit damage. This analysis goes on for a number of days and typically uncovers additional information that adds to the picture during each 24-hour cycle.

Phase 3: Containment (stopping the attack) 

Containment focuses on preventing the threat from spreading further while preserving evidence for analysis. Talos IR employs a technology-agnostic approach, working with existing tools to implement short-term and long-term containment strategies while simultaneously looking to minimize business impact. 

Short-term containment 

Immediate actions to isolate the threat typically include: 

• Network segmentation: Isolating affected systems or subnets to prevent lateral movement
• Account lockdown and/or password changes: Disabling compromised accounts, changing compromised passwords, or enforcing multi-factor authentication (MFA). Talos IR frequently observes incidents where the lack of MFA enables ransomware or business email compromise (BEC) attacks. 
• Process termination: Isolating malicious processes, such as ransomware encryptors or command-and-control (C2) beacons, when identified. Reimaging devices is often a recommended step, but it depends on the extent of the breach.
• Firewall rules: Blocking malicious IPs or domains identified through Talos’ threat intelligence

Long-term security hardening 

While short-term countermeasures stop immediate damage, long-term security hardening ensures the attacker can’t regain access. By working together with an organization on emergency response, Talos IR gains a great understanding of what needs to be applied to build long term resistance. Some of these recommendations would be: 

• Patching vulnerabilities: Addressing exploited flaws, such as unpatched servers or vulnerable web applications
• Endpoint protection: Extending EDR deployments to monitor for residual threats on systems that were previously unprotected
• Strengthening resilience: Taking a long-term, strategic approach to uncover and address weaknesses in your organization’s security posture to better prepared for future threats
• Improving efficiency and consistency: Developing clear policies and procedures, while automating routine tasks such system hardening to reduce risk

Phase 4: Eradication (removing the threat) 

Once the threat is contained, Talos IR focuses on recommendations for completely removing all remnants of the adversary from the environment. Eradication is a delicate process that needs to balance business needs with recovery operations. Eradication typically involves: 

• Account remediation: Resetting passwords and revoking compromised credentials. This may sound familiar from the containment phase, but often it is necessary to do two or more credential purges during a major incident. 
• System rebuilds: In severe cases, rebuilding affected systems from clean backups to eliminate hidden threats.
• Reverting adversary changes: Some sophisticated adversaries will do things like change firewall rules, embed fileless malware in the registry, or create future scheduled tasks as “sleeper agents.” Detecting, documenting and reverting these changes can be the most difficult and important part of eradication. 

Before wrapping up this phase, Talos IR verifies eradication through: 

• Threat hunting: Scanning for residual IOCs or anomalous behavior
• Log reviews: Confirming no further malicious activity

This process minimizes the risk of the adversary returning, as seen in cases where adversaries used tools like Cobalt Strike to maintain persistence. A single overlooked persistence mechanism is enough to let the adversary back in at a later date, which is why a thorough forensic review by an experienced IR team is critical. 

Phase 5: Recovery (restoring operations) 

Recovery aims to restore systems and operations to normal while enhancing security to prevent recurrence. Talos IR collaborates with IT and business teams to ensure a smooth transition. If it is necessary to accept some risk in order to get business operations back online, the Talos IR Incident Commander will work with your organizational leadership to ensure that the risk is minimized and understood, and that compensating controls are applied.  

Key recovery recommendations often include: 

• Restoring from backups: Deploying clean backups to affected systems, ensuring they’re free of malware
• Application testing: Verifying critical applications (e.g., ERP systems) function correctly post-recovery
• User access: Gradually restoring user access with strengthened controls, such as MFA
• Alternative processes: Implementing manual or temporary workflows if systems remain offline
• Stakeholder communication: Coordinating with PR and legal teams to manage external messaging and regulatory notifications
• Employee training: Educating staff on phishing awareness or secure practices to prevent future incidents
• Logging improvements: Enhancing visibility to overcome the logging deficiencies
• Patch management: Establishing processes to prevent exploitation of known vulnerabilities

Phase 6: Lessons learned (building resilience) 

The final phase of IR involves analyzing the incident to extract lessons and improve future preparedness. Talos IR’s approach ensures that insights translate into actionable strategies. Talos IR delivers a comprehensive incident report, including: 

• Incident summary: A timeline of events, from initial detection to resolution 
• Findings: Details on the attacker’s TTPs, entry points and impact
• Recommendations: Specific actions to ensure long-term and short-term improvements

Ongoing partnership 

At Talos IR, we believe IR isn’t only a service we provide; it’s a relationship and the ultimate team sport. We’re not here just for the crisis; we’re here to support before, during and long after the incident is resolved. As many of our long-term retainer customers like Veradigm have observed, those multi-year relationships pay great dividends during incidents:  

“With the [Talos IR] retainer service we really appreciate established and met Service Level Agreements (SLAs). Plus, the knowledge of Cisco’s IR team on our unique environment, prior incidents, and their intelligence on the latest threats ensure we smoothly navigate, and balance preparation exercises and incidents based on our unique needs. Time to response in our SLA along with the unique knowledge, there isn’t a delay as one would expect. They are ready and we have ‘muscle memory’ from both tabletop scenarios and real-life situations. As a result of being in the highly regulated world of healthcare and with the constant need to consider patient safety, our circumstances can be tense from the start. They know how we need to react based on both exercises and incidents and can navigate smoothly in delicate situations/balances with our unique needs in mind,” Jeremy Maxwell, Veradigm CISO. 

This is one of many stories we observe during our engagements with different organizations. For Talos IR, once the immediate threat is handled, the real work begins. We help to strengthen your defenses through ongoing support, so your organization is better prepared for the future. We keep the defenders in the loop with up-to-date threat intelligence, and we run regular training and drills to make sure that various teams know exactly what to do if something happens again. 

It’s a partnership built on trust, experience and a shared goal: keeping your organization resilient in a constantly evolving threat landscape.

Cisco Talos Blog – ​Read More

A team of researchers at the Swiss Federal Institute of Technology in Zurich (ETH Zurich) has published a research paper demonstrating how a Spectre v2 attack can be used for a sandbox escape in a virtualized environment. With access to only a single isolated virtual machine, the researchers were able to steal valuable data normally accessible only to the server administrator. Servers based on AMD CPUs (including AMD’s newest – with Zen 5 architecture) or Intel’s Coffee Lake are susceptible to the attack.

The danger of Spectre attacks for virtual environments

We regularly write about CPU vulnerabilities that employ speculative execution, where standard hardware features are exploited to steal secrets. You can read our previous posts on this subject, which describe the general principles of these attacks in detail, here, here, and here.

Although this type of vulnerability was first discovered back in 2018, up until this paper researchers haven’t demonstrated a single realistic attack. All their efforts have culminated in the notion that, theoretically, a sophisticated and targeted Spectre-like attack is feasible. Furthermore, in most of these papers, the researchers restricted themselves to the most basic attack scenario: they’d take a computer, install malware on it, and then use the CPU hardware vulnerability to steal secrets. The drawback of this approach is that if an attacker successfully installs malware on a PC, they can steal data in numerous other, significantly simpler methods. Because of this, Spectre and similar attacks are unlikely to ever pose a threat to end-user devices. However, when it comes to cloud environments, one shouldn’t dismiss Spectre.

Imagine a provider that rents virtual servers to organizations or individuals. Each client is assigned their own virtual machine, which allows them to run any software they want. Other clients’ virtual systems can be running on the same server. Separating data-access privileges is crucial in this situation. You must prevent an attacker who has gained access to one virtual machine from reading the confidential data of an adjacent client, or compromising the provider’s infrastructure by gaining access to the host’s data. It is precisely in this scenario that Spectre attacks start appearing as a significantly more perilous threat.

VMScape: a practical look at a Spectre v2 attack

In previous research papers on the feasibility of the Spectre attack, researchers didn’t delve into a realistic attack scenario. For an academic paper, this is normal. A theoretical proof of concept for a data leak is typically enough to get CPU makers and software developers to beef up their defenses and develop countermeasures.

The authors of the new paper from ETH Zurich directly address this gap, pointing out that previously examined scenarios for attacks on virtualized environments – such as those in this paper, also by ETH Zurich – made an extremely broad assumption: that the attackers had already managed to install malware on the host. Just like with attacks on regular desktop computers, this doesn’t make much practical sense. If the server is already compromised, the damage is already done.

The new attack proposed in their paper – dubbed VMScape – uses the same branch target injection mechanism as the one found in all attacks since Spectre v2. We’ve talked about it several times before, but here’s a quick summary.

Branch target injection is a way to train a CPU’s branch prediction system, which speeds up programs by using speculative execution. This means the CPU tries to run the next set of commands before it even knows the results of the previous computations. If it guesses the right direction (branch) the software will take, the performance significantly increases. If it guesses wrong, the results are simply discarded.

Branch target injection is an attack during which an attacker can trick the CPU into accessing secret data and move it into the cache during speculative execution. The attacker then retrieves this data indirectly through a side channel.

The researchers discovered that the privilege separation between the host and guest operating systems during speculative execution is imperfect. This allows for a new version of the branch target injection attack, which they’ve named “Virtualization-based Spectre-BTI” or vBTI.

As a result, the researchers were able to read arbitrary data from the host’s memory while only having access to a virtual machine with default settings. The data reading speed was 32 bytes per second on an AMD Zen 4 CPU, with nearly 100% reliability. That’s fast enough to steal things like data encryption keys, which opens a direct path to stealing information from adjacent virtual machines.

Is VMScape a threat in the real world?

AMD CPUs with Zen architecture from the first through the latest fifth generation have proved vulnerable to this attack. This is because of the subtle differences in how these CPUs implement Spectre attack protections, as well as the unique way the authors’ vBTI primitives operate. For Intel CPUs, this attack is only possible on servers with older Coffee Lake CPUs from 2017. Newer Intel architectures have improved protections that make the current version of the VMScape attack impossible.

The researchers’ achievement was designing the first-ever Spectre v2 attack in a virtual environment that’s close to real-world conditions. It doesn’t rely on overly permissive assumptions or crutches like malicious hypervisor-level software. The VMScape attack is effective; it bypasses many standard security measures, including KASLR, and successfully steals a valuable secret: an encryption key.

Fortunately, immediately after designing the attack, the researchers also proposed a fix. The issue was assigned the vulnerability identifier CVE-2025-40300, and it was patched in the Linux kernel. This particular patch doesn’t significantly reduce computational performance, which is often a concern with software-based protections against Spectre attacks.

Methods for protecting confidential data in virtual environments have existed for a while. AMD has a technology named “Secure Encrypted Virtualization” and its subtype, SEV-SNP, while Intel has Trusted Domain Extensions (TDX). These technologies encrypt secrets, making it pointless to try to steal them directly. The researchers confirmed that SEV provides additional protection against the VMScape attack on AMD CPUs. In other words, a real-world VMScape attack against modern servers is unlikely. However, with each new study, Spectre attacks look more and more realistic.

Despite the academic nature of the research, attacks that exploit speculative execution in modern CPUs remain relevant. Operators of virtualized environments should continue to consider these vulnerabilities and potential attacks in their threat models.

Kaspersky official blog – ​Read More

Welcome to this week’s edition of the Threat Source newsletter. 

This is gonna be a tough read. I’m sorry. Believe it or not, it’s even tougher for me to write. I want to talk about what it costs to be in the cybersecurity profession. Not money or time, but potentially your health, both mentally and physically. I want to move the curtain aside and show you an inside look at what happens to people when the pressure is high and the desire to succeed is not only essential, but sometimes even life and death. 

So, story time. 

Seven years ago, Cisco Talos disclosed a novel and new threat campaign: VPN Filter. VPN Filter was a small office/home office (SOHO) device botnet that had many new things we’d never seen before in SOHO devices: infection persistence past device reboot, modularity, victimology, and perhaps most importantly, the (later) attribution to the Russian threat actor APT28 (aka Sandworm). The platform also featured a kill switch, a module designed to cover the tracks and or destroy a device infected with VPN Filter. This could be executed en masse, if they desired. This was a methodical, clever and well-structured campaign to attack unpatched and/or vulnerable devices all over the world for state cyber operations. As I look back at that time, it was (and still is) a marvel of tradecraft and offensive cyber operations. 

Put yourself in our position at Talos. We’ve just discovered a massive campaign by a notorious threat actor. We all know what this is, who this is, and what the consequences could be — and the threat actor had a massive head start on us. We absolutely couldn’t screw this up. If we tipped our hand via our research, the threat actor might get spooked and just burn the whole thing down with the kill switch. The stakes were very high. 

We spent months reversing and analyzing the malware, the victimology, infrastructure, and understanding the scale and scope of what VPN Filter did and potentially could do. The more we peeled things back, the more ominous the implications and the harder we worked. 

As the weeks turned into months, the hours we worked grew longer and longer, and the stress began to take its toll on all of us. The raw enormity of the tasks of analyzing and responding to VPN Filter and the stress of being stealthy begin to extract a price from us personally. Attitudes grew sour, relationships frayed, and some were rent asunder completely. For me, personally, it was a very dark time and would cost me dearly – I would exit people management into an individual contributor role that I still inhabit to this day. 

In the end, the threat actor forced us to into action. We had always theorized a “break glass” moment when the threat actor might hit the gas pedal and we would have to alert the world. One day we saw a massive spike in infections in Ukraine, and we disclosed to the world VPN Filter. We still had so many unanswered questions but had no choice when we saw the spike. In a way, it was a mercy. We had long since hit our limit and were just all collectively cooked and demoralized. I know I was, and it deeply affected my relationships and career, the reverberations of which I still feel to this day.  

I’m often asked by new or potential security practitioners, “Joe, what’s a cool hacker story?!” I have plenty of those, and VPN Filter is certainly one of them. But rarely does anyone want to hear the worst days of our lives. The tales of burnout and stress. Of the long hours and constant work. There is always a breach happening somewhere, your company is always under attack, there is always a story of a someone getting hacked and sometimes people are even hurt or killed. This cadence takes a toll – from events like VPN Filter, to being in a SOC – it’s all the same. No matter where you work, we are here to keep our customers, constituents, and communities safe from some real assholes out there. It is about fighting the good fight, and the fight never stops.  

So, what can we do about it? How can you avoid being me in the middle of VPN Filter? 

1. Learn and enforce boundaries. You must make space and time for you and firmly enforce that space and time. If that means disabling after hours comms, then do so, and do so guilt free. You must look after yourself. 
2. Peer support. Whether it’s a therapist, a colleague, or a Slack/Discord/Bsides where you can share and vent with others in the same boat as you, you must reduce the sense of isolation this career space can give you. Others are looking for the same thing and happy to listen and share. Celebrate your wins with people who are eager to reciprocate.  
3. Unplugged self-care. This is tough, and I’m not great at it. Exercise, paint, work in your garden and do something unrelated to your job. Put down the hell rectangle that is your phone and unplug from the news and social media. 
4. Mandatory decompression/vacation. After an incident, be it VPN Filter or a breach, leaders: look after your people. Recognize burnout and push your directs into some enforced downtime so they can recover. At a minimum, rotate them into a less stressful role so they can take a break. It’s your responsibility to care for those who work hard for you. 

Responding after the event is just as important as responding to the event itself. Every breach, VPN Filter-like event, or emergency is an opportunity to reflect on the cost to your health and evaluate what you can do to help yourself and others. This is a tough gig sometimes, but it’s a calling we love. Just take care of yourself and each other, ya hear?

The one big thing 

In Talos’ latest blog post, we break down why having a Cisco Talos Incident Response (IR) Retainer is a game-changer for any organization facing today’s nonstop cyber threats. With a Talos IR Retainer, you get direct access to our expert team, 24/7 emergency support, and tailored plans that keep everyone — from IT to leadership — on the same page. You’ll also benefit from continuous threat intelligence and real-world guidance to help your organization bounce back stronger after any incident. 

Why do I care? 

Our team helps you hunt threats before they escalate, assess your readiness and improve your security posture over time. If a cyber incident hits, having a trusted partner already in place means you’re prepared to act decisively, with clear roles, tested procedures and experts ready to back you up every step of the way. 

So now what? 

Think about securing a Talos IR Retainer to make sure you’ve got experts on speed dial and your defenses are always up to date. Reach out to us to schedule a tabletop exercise or to talk through how prepared your organization really is.

Top security headlines of the week 

New VoidProxy phishing service bypasses MFA on Microsoft and Google accounts 
An attack typically begins with a deceptive email sent from a compromised account of legitimate email service providers, like Constant Contact, Active Campaign or NotifyVisitors. (Hack Read) 

Shai-Hulud supply chain attack: Worm used to steal secrets, 180+ npm packages hit 
The self-spreading potential of the malicious code will likely keep the campaign alive for a few more days. To avoid being infected, users should be wary of any packages that have new versions on npm but not on GitHub, and pin dependencies. (SecurityWeek) 

Google nukes 224 Android malware apps behind massive ad fraud campaign 
The apps were downloaded over 38 million times and employed obfuscation and steganography to conceal the malicious behavior from Google and security tools. (Bleeping Computer) 

Former FinWise employee may have accessed nearly 700K customer records 
Nearly 700,000 FinWise Bank customers are being notified after a former employee may have accessed or taken personal data post-employment. The incident went undetected for over a year. (The Register)

Can’t get enough Talos? 

• Alex Ryan: From zero chill to quiet confidence 
  Discover how a Cisco Talos Incident Response expert transitioned from philosophy to the high-stakes, emotionally intense world of incident command, and the advice that she has for aspiring cybersecurity professionals. 
• Beers with Talos: How to ruin an APT’s day 
  The B-Team is joined by Sara McBroom from Talos’ nation-state threat intelligence and interdiction team. Sara shares her journey from a liberal arts major to tracking some of the world’s most advanced adversaries. 
• Tampered Chef: When malvertising serves up infostealers 
  Imagine downloading a PDF Editor tool from the internet that works great… until nearly two months later, when it quietly steals your credentials. Nick Biasini explains how cybercriminals are investing in “malvertising” and challenges in defense.

Upcoming events where you can find Talos 

• LABScon (Sept. 17 – 20) Scottsdale, AZ 
• VB2025 (Sept. 24 – 26) Berlin, Germany 
• Wild West Hackin’ Fest (Oct. 8 – 10) Deadwood, SD

Most prevalent malware files from Talos telemetry over the past week 

SHA256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  
MD5: 2915b3f8b703eb744fc54c81f4a9c67f 
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  
Typical Filename: executable.exe 
Claimed Product: N/A   
Example Filename:0a0dc0e95070a2b05b04c2f0a049dad8_1_Exe.exe  
Detection Name: Win.Worm.Coinminer::1201 

SHA256: 41f14d86bcaf8e949160ee2731802523e0c76fea87adf00ee7fe9567c3cec610  
MD5: 85bbddc502f7b10871621fd460243fbc  
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=41f14d86bcaf8e949160ee2731802523e0c76fea87adf00ee7fe9567c3cec610  
Typical Filename: nwx3hgsl.exe 
Claimed Product: Self-extracting archive 
Detection Name: W32.41F14D86BC-100.SBX.TG 

SHA256: c0ad494457dcd9e964378760fb6aca86a23622045bca851d8f3ab49ec33978fe  
MD5: bf9672ec85283fdf002d83662f0b08b7  
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=c0ad494457dcd9e964378760fb6aca86a23622045bca851d8f3ab49ec33978fe  
Typical Filename: werrx01USAHTML 
Claimed Product: N/A 
Detection Name: W32.C0AD494457-95.SBX.TG 

SHA256: 96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974  
MD5: aac3165ece2959f39ff98334618d10d9  
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974  
Typical Filename: ~3B6A.tmp 
Claimed Product: N/A 
Detection Name: W32.Injector:Gen.21ie.1201 

SHA256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91 
MD5: 7bdbd180c081fa63ca94f9c22c457376  
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91  
Typical Filename: img001.exe 
Claimed Product: 
Detection Name: Win.Dropper.Miner::95.sbx.tg

Cisco Talos Blog – ​Read More

Welcome to another episode of Humans of Talos, our ongoing video interview series that celebrates the people powering Cisco’s threat intelligence efforts. In each episode, we dive deep into the personal journeys, motivations and lessons learned from the team members who help keep the internet safe.

This time, we sit down with Alex Ryan, a seasoned Incident Commander from Cisco Talos Incident Response. Read (or watch) on to hear her candid reflections on the emotional intensity of incident response, the critical role of a supportive team in preventing burnout, and invaluable advice for aspiring cybersecurity professionals.

Amy Ciminnisi: Alex, you were recently on the Beers with Talos podcast, and during that, we learned that you have two liberal arts degrees, but you found yourself really loving how machines and systems worked, and then you work your way through the cybersecurity ranks. I’d love to know: What brought you to Talos?

Alex Ryan: During my career inside companies doing incident response, vulnerability management, and risk management, Talos Intelligence was often one of my sources. I often looked at intelligence from vendors who were using their own datasets to generate the finished intelligence, rather than those who just took whatever intelligence was already out there, re-mashed it, and enriched it a bit. I have a lot of respect for Talos from using them as a source for guiding how I would do incident response and prioritize my defenses and things like that. When the opportunity came up to join Cisco Talos Incident Response as an Incident Commander, it was that reputation (and having used their material for so long which showed that there was really good quality people and research being done) that put this job at the top of my list of choices.

AC: You have a very difficult job as an Incident Commander, acting as the point person in situations where people are possibly going through the worst days of their careers. What’s something about your day-to-day role that people might be surprised by or interested in?

AR: Incident response is a very high pressure situation to be in. You need to exude quiet confidence and build a trust relationships quickly with your customer. But on the back end, things can be chaotic: trying to get access to machines, trying to find the right machines. “Do we have the right IOCs?” “What is this thing? Let me reverse engineer it.” Trying to distill all of that activity into larger topics and give progress to the customer on it is critical.

It’s also high risk for the business being impacted. I think that there was a statistic at one point that about 70% of small to medium businesses that paid the ransom after being compromised went out of business within a year, because the ransom was such a financial hit that they just couldn’t absorb that kind of impact. So while the customer is trying to not freak out, I’m trying to exude quiet confidence while managing the forensics analysis activity. Trying to balance all of that is quite difficult, so incident response has a very high burnout rate.

After I came back from raising my children, it took me about two years to detox completely from incident response. I was really high strung, and I had no chill. Zero chill. I had to learn how to say no and how to prioritize my family over this hero complex that I was having at work. I would say I’m a much more well-rounded person now, and perhaps I’m better at my job because of that.

Want to see more? Watch the full interview, and don’t forget to subscribe to our YouTube channel for future episodes of Humans of Talos!

Cisco Talos Blog – ​Read More

In today’s hyper-connected world, cyber attacks are not a matter of if but when. Ransomware, phishing and data breaches dominate headlines. For any organization, the stakes are high and the impact can be wide. A cybersecurity breach can impact your organization’s ability to conduct normal business, damaging its reputation, reducing revenue, and disrupting operations. 

A Cisco Talos Incident Response (Talos IR) Retainer is a strategic investment that empowers your entire organization to stay resilient and ahead of tomorrow’s threats. Here’s how a Talos IR Retainer can strengthen your organization’s security and ensure peace of mind.

What is a Cisco Talos IR Retainer? 

A Talos IR Retainer offers a direct line to Cisco’s top cybersecurity specialists, ensuring both proactive protection and swift response to cyber threats. Backed by Cisco Talos global threat intelligence and hundreds of threat intelligence researchers, it equips organizations to prevent, respond to, and recover from cyber incidents efficiently. From tailored incident response plans to 24/7 emergency support, the retainer is a lifeline in a threat landscape that never sleeps.

We have just released a series of short videos that explain the full range of Talos IR services. Check out the playlist here, or start by watching the Emergency Response video below:

Benefits to the entire organization 

A Cisco Talos IR Retainer is not only designed to benefit your IT teams, but it’s a catalyst for building organization-wide resilience. Here is how Talos IR delivers value to clients’ stakeholders:  

1. Risk mitigation and cost savings 
   Talos IR enables customers to respond swiftly to cyber threats and supports them through recovery efforts, minimizing downtime, costs, and regulatory risks 
2. Reputation protection 
   A retainer equips leadership with strategic response plans and expert guidance, ensuring preparedness, demonstrating due diligence, and preserving stakeholder confidence during critical incidents. 
3. Organization-wide alignment 
   A cybersecurity retainer ensures that your legal, human resources, information technology, and leadership teams are aligned before a threat strikes. Defined responsibilities and structured playbooks, plans, and tabletop exercises eliminate ambiguity and drive faster, more efficient incident response and recovery. Talos IR is there to create and review existing policies and make sure you are prepared at various levels.

Bolstering organizational security 

A Talos IR Retainer transforms your organization’s security posture from reactive to proactive. Our job is to take you though the lifecycle of an incident and build up long-term resilience to cybersecurity attacks. We do this by delivering various engagements, such as: 

• Proactive Threat Hunting 
  Using the PEAK Framework (Prepare, Execute, Act with Knowledge), Talos IR specialists proactively hunt for threats before they escalate, leveraging real-time intelligence to stay ahead of adversaries. 
• Customized preparedness 
  Tailored IR plans, playbooks, and readiness assessments address your organization’s unique risks and evaluates the current state of its cybersecurity preparations.  
• Continuous improvement 
  Post-incident reports and ongoing collaboration identify gaps and recommend long-term strategies, ensuring that security evolves with the threat landscape. 
• Vendor-agnostic integration 
  Talos IR works with existing security tools, maximizing investments and enhancing detection and response capabilities in place. If needed, we can always deploy additional Cisco technology to help with an investigation. 
• Intelligence-driven defense 
  Access to Talos’ global threat intelligence, updated in real time, ensures your organization is armed with the latest insights on adversary tactics, techniques, and procedures (TTPs). 

What it means to have IR specialists on speed dial 

Having Talos IR specialists on call is like having an elite SWAT team for cybersecurity. Here is what Talos IR provides for your organization: 

• Rapid response, 24/7 
  With a retainer, Cisco Talos IR specialists mobilize within hours of an incident, isolating threats and minimizing damage. This speed is critical, as every minute counts when containing ransomware or a data breach. 
• Expert guidance 
  The Talos IR team brings unmatched expertise, analyzing adversary TTPs and providing actionable recommendations across many verticals and industries. 
• Tailored support 
  Specialists collaborate with your teams, aligning response efforts with your business priorities. Whether coordinating with legal or PR, they ensure a cohesive strategy. 
• Peace of mind 
  Knowing experts are a call away reduces stress for your executives and IT teams. Priority access means your organization is never left waiting during a crisis. 
• Post-Incident Review 
  Talos IR delivers comprehensive reports that detail root causes, remediation steps, and preventive measures, turning incidents into opportunities for increased cybersecurity and prevention of future incidents.

Real-world impact 

Our customers trust us to bring the expertise and knowledge they need to navigate their most challenging days with confidence.  Read about our work with Veradigm and how we made a difference during a Qakbot attack here. 

Take the next step 

A Cisco Talos IR Retainer is a shield against cyber chaos. It strengthens your cybersecurity and ensures rapid recovery with specialists just a call away. Here’s how to get started: 

• Secure a Retainer: Lock in priority access to proactive and emergency services. 
• Schedule a Tabletop Exercise: Test your preparedness with tailored scenarios to fit your environment. 
• Explore our website: Access quarterly trends and learn more about Talos and what we do to secure our clients. 

Cisco Talos Blog – ​Read More