Full Report
What happens under the hood of Cisco's security portfolio? Our reputation and detection services apply Talos' real-time intelligence to detect and block threats. Here's how.
Analysis Summary
# Tool/Technique: Snort (Cisco Talos Network Intrusion Prevention system)
## Overview
Snort is the open-source network intrusion detection and prevention system (IDS/IPS) maintained by Cisco Talos, and the best-known component of Talos' network protection. It performs deep packet inspection on network traffic and matches it against rules (signatures) to identify and block known threats.
## Technical Details
- Type: Tool (Intrusion Prevention System/Detection System)
- Platform: Network Traffic
- Capabilities: Deep packet inspection, rule/signature-based detection, machine learning integration (via SnortML) to catch exploitation attempts that no signature yet covers (zero-days).
- First Seen: (Not specified in the text; Snort is a mature tool, first released in 1998)
## MITRE ATT&CK Mapping
Snort is a defensive control, so it does not itself perform ATT&CK techniques; the tactics below are the adversary's, and the mapping lists techniques that Snort rules are commonly written to detect or block:
- **Defense Evasion**
- T1027 - Obfuscated Files or Information (rules matching packed, encoded or otherwise obfuscated payloads in transit)
- **Impact**
- T1486 - Data Encrypted for Impact (network-visible ransomware activity; the encryption itself happens on the endpoint)
- **Command and Control**
- T1071 - Application Layer Protocol (detection of C2 communication)
## Functionality
### Core Capabilities
- Deep packet inspection (DPI) on network traffic.
- Advanced signature-based detection to identify known threats.
### Advanced Features
- Integration with **SnortML** (machine learning component) to detect and block attempts to exploit zero-day vulnerabilities.
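To make the signature layer concrete, here is an added example (not Snort's code and not a Talos rule) that parses a small subset of Snort rule syntax (header, `content` with `nocase`/`offset`/`depth`, `pcre`, `msg`, `sid`) and runs it over constructed packet payloads. Rule SIDs, packets and the HTTP samples are all made up for illustration; port variables such as `$HTTP_PORTS` and hex `|..|` content are deliberately not supported.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample rules in a subset of Snort rule syntax (illustrative SIDs,
# not rules from the Talos ruleset).
SAMPLE_RULES = [
    r'alert tcp any any -> any 80 (msg:"HTTP URI directory traversal"; content:"GET "; depth:4; content:"../"; pcre:"/(\.\.\/){2,}/"; sid:1000001;)',
    r'alert tcp any any -> any 80 (msg:"Known bad User-Agent"; content:"User-Agent: BadBot"; nocase; sid:1000002;)',
    r'alert tcp any any -> any 445 (msg:"NTLMSSP over SMB"; content:"NTLMSSP"; sid:1000003;)',
]

@dataclass
class Rule:
    action: str
    proto: str
    dst_port: str            # numeric or "any"; variables like $HTTP_PORTS are not resolved here
    msg: str = ""
    sid: int = 0
    contents: List[dict] = field(default_factory=list)   # content matches, in rule order
    pcre: Optional[re.Pattern] = None

_HEADER = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$")
# Split options on ';' only when an even number of '"' follows (i.e. not inside a quoted value).
_OPT_SPLIT = re.compile(r';(?=(?:[^"]*"[^"]*")*[^"]*$)')

def parse_rule(text: str) -> Rule:
    m = _HEADER.match(text.strip())
    if not m:
        raise ValueError("unparseable rule header")
    action, proto, _src, _sport, _dst, dport, body = m.groups()
    rule = Rule(action=action, proto=proto, dst_port=dport)
    current = None   # the content option that modifiers (nocase/offset/depth) apply to
    for opt in (o.strip() for o in _OPT_SPLIT.split(body) if o.strip()):
        key, _, val = opt.partition(":")
        key, val = key.strip(), val.strip()
        if key == "msg":
            rule.msg = val.strip('"')
        elif key == "sid":
            rule.sid = int(val)
        elif key == "content":
            current = {"pat": val.strip('"').encode(), "nocase": False, "offset": 0, "depth": None}
            rule.contents.append(current)
        elif key == "nocase" and current is not None:
            current["nocase"] = True
        elif key in ("offset", "depth") and current is not None:
            current[key] = int(val)
        elif key == "pcre":
            spec = val.strip('"')                 # "/regex/flags"
            last = spec.rfind("/")
            regex, flags = spec[1:last], spec[last + 1:]
            rule.pcre = re.compile(regex.encode(), re.IGNORECASE if "i" in flags else 0)
    return rule

def _content_matches(payload: bytes, c: dict) -> bool:
    window = payload[c["offset"]:]
    if c["depth"] is not None:
        window = window[: c["depth"]]
    return (c["pat"].lower() in window.lower()) if c["nocase"] else (c["pat"] in window)

def rule_matches(rule: Rule, dst_port: int, payload: bytes) -> bool:
    if rule.dst_port != "any" and int(rule.dst_port) != dst_port:
        return False
    if not all(_content_matches(payload, c) for c in rule.contents):
        return False
    return rule.pcre is None or rule.pcre.search(payload) is not None

def inspect_packets(rules: List[Rule], packets) -> List[tuple]:
    """packets: iterable of (dst_port, payload bytes). Returns one (sid, msg) per rule hit."""
    return [(r.sid, r.msg) for dst_port, payload in packets for r in rules if rule_matches(r, dst_port, payload)]

# Constructed packets: a benign request, a traversal attempt with a bad UA, and one on a non-HTTP port.
SAMPLE_PACKETS = [
    (80, b"GET /index.html HTTP/1.1\r\nHost: www.example.test\r\nUser-Agent: Mozilla/5.0\r\n\r\n"),
    (80, b"GET /cgi-bin/../../../../etc/passwd HTTP/1.1\r\nHost: www.example.test\r\nUser-Agent: badbot\r\n\r\n"),
    (8080, b"GET /../../x HTTP/1.1\r\nUser-Agent: BADBOT\r\n\r\n"),
]

if __name__ == "__main__":
    rules = [parse_rule(r) for r in SAMPLE_RULES]
    for sid, msg in inspect_packets(rules, SAMPLE_PACKETS):
        print(f"[**] [1:{sid}:1] {msg}")
```

The third packet shows why port scoping matters: the traversal pattern is present, but the rule only applies to destination port 80, so a rule that should also cover alternate HTTP ports needs to say so. The `depth:4` on the first `content` anchors the match to the start of the payload, which is how a rule author keeps `GET ` from matching deep inside a body.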
## Indicators of Compromise
*Note: Snort consumes indicators (rule content, address lists) rather than producing them; its output is alerts and blocks.*
- File Hashes: N/A (Focuses on network flows)
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: Signatures matching known malicious IP addresses or traffic patterns associated with exploitation attempts.
- Behavioral Indicators: Anomalous network traffic patterns indicative of known exploits or attacks.
## Associated Threat Actors
- All threat actors attempting to exploit vulnerabilities or utilize known malware over the network.
## Detection Methods
- Signature-based detection (primary method).
- Machine learning analysis (via SnortML) for emerging threats/zero-days.
## Mitigation Strategies
- Ensuring Snort rulesets and signatures are kept up-to-date.
- Keeping SnortML components active and tuned for environment.
## Related Tools/Techniques
- Cisco Talos Malware Protection (File/Behavioral focus)
- ClamAV (Open-source antivirus comparison mentioned)
***
# Tool/Technique: Cisco Talos Web Filtering Service
## Overview
The core service for securing web traffic by assessing the reputation and categorization of domains, IP addresses, and URL indicators. It proactively blocks access to malicious or policy-violating websites.
## Technical Details
- Type: Detection Service / Security Functionality
- Platform: Web Traffic / URLs
- Capabilities: Domain/IP reputation checking, URL categorization, proactive traffic blocking based on policy or poor reputation.
- First Seen: (Not specified)
## MITRE ATT&CK Mapping
This service primarily counters techniques related to initial access and command and control via the web.
- **Initial Access**
- T1189 - Drive-by Compromise (Preventing navigation to infected sites)
- T1566 - Phishing (Blocking malicious links)
- **Command and Control**
- T1105 - Ingress Tool Transfer (Blocking download sites)
## Functionality
### Core Capabilities
- Assessing reputation and categorization for domains, IP addresses, and URL indicators.
- Blocking web traffic based on customer web use policy compliance.
### Advanced Features
- Proactive blocking based on real-time reputation intelligence.
## Indicators of Compromise
- Network Indicators: Domains or IP addresses flagged with poor reputation or malicious categorization.
## Associated Threat Actors
- Threat actors utilizing compromised websites, malicious drop sites, or phishing infrastructure delivered via HTTP/HTTPS.
## Detection Methods
- Reputation scoring and categorization lookup against Talos intelligence feeds.
## Mitigation Strategies
- Enabling and maintaining the Web Filtering Service across the network infrastructure.
- Defining and enforcing strict web use policies.
## Related Tools/Techniques
- Cisco Talos DNS Security service (Detecting malicious domains at the DNS layer).
***
# Tool/Technique: Cisco Talos DNS Security service
## Overview
This service augments web filtering by focusing specifically on the DNS layer. It identifies and blocks domains used by threat actors for command and control (C2), data exfiltration, and phishing attacks by analyzing DNS traffic patterns.
## Technical Details
- Type: Detection Service / Security Functionality
- Platform: DNS Traffic
- Capabilities: Detecting malicious domains used for C2, exfiltration, and phishing; utilizing machine learning to identify new malicious domains.
- First Seen: (Not specified)
## MITRE ATT&CK Mapping
This directly counters Command and Control and Exfiltration activity that relies on DNS resolution.
- **Command and Control**
- T1071.004 - Application Layer Protocol: DNS (Detecting C2 over DNS)
- T1568 - Dynamic Resolution (algorithmically generated domains, the kind of novel domain that DNS pattern analysis surfaces)
- **Exfiltration**
- T1048 - Exfiltration Over Alternative Protocol (Detecting DNS exfiltration attempts)
## Functionality
### Core Capabilities
- Defending specific attacks occurring at the DNS layer.
- Detecting known malicious domains used for C2, data exfiltration, and phishing.
### Advanced Features
- Machine learning algorithms analyze DNS traffic patterns to identify and add novel malicious domains to intelligence feeds.
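The two layers described for the Web Filtering Service (reputation and category lookup against a feed, then a policy decision) and for DNS Security (pattern analysis of the queries themselves) fit together in one pipeline. The following added example is not Talos code: the reputation feed, the customer policy, the thresholds and the resolver log are all constructed, and the hand-written entropy and length heuristics stand in for the machine-learning model the text describes.

```python
import hashlib
import math
from collections import Counter, defaultdict
from typing import Optional, Tuple

# Constructed reputation feed: registrable domain -> (category, risk score 0..100, higher is worse).
# A verdict covers the domain and every subdomain. Not Talos data.
REPUTATION_FEED = {
    "example.test": ("business", 5),
    "malware-drop.test": ("malware", 95),
    "c2-beacon.test": ("command-and-control", 90),
    "phish-login.test": ("phishing", 85),
    "casino-spin.test": ("gambling", 20),
}
BLOCK_SCORE = 70                                                                            # assumed cutoff
POLICY_BLOCKED_CATEGORIES = {"malware", "command-and-control", "phishing", "gambling"}   # assumed customer policy

def lookup_reputation(name: str) -> Optional[Tuple[str, int]]:
    """Walk from the full name up through its parents so a verdict on
    malware-drop.test also covers cdn.malware-drop.test."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        hit = REPUTATION_FEED.get(".".join(labels[i:]))
        if hit is not None:
            return hit
    return None

def policy_verdict(name: str) -> str:
    rep = lookup_reputation(name)
    if rep is None:
        return "allow"          # unknown: passes the feed check but is still subject to pattern analysis
    category, score = rep
    return "block" if category in POLICY_BLOCKED_CATEGORIES or score >= BLOCK_SCORE else "allow"

def shannon_entropy(s: str) -> float:
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def registered_domain(name: str) -> str:
    # Naive eTLD+1; production code consults the Public Suffix List.
    return ".".join(name.lower().rstrip(".").split(".")[-2:])

def query_looks_suspicious(name: str) -> bool:
    """Hand-written stand-in for the ML model: long, high-entropy subdomains are
    characteristic of DNS tunnelling payloads and DGA names. Thresholds are assumed."""
    labels = name.lower().rstrip(".").split(".")
    sub = ".".join(labels[:-2])
    ent = shannon_entropy(sub.replace(".", ""))
    longest = max((len(l) for l in labels), default=0)
    return (len(sub) >= 40 and ent >= 3.0) or longest > 50

def analyze_dns_log(queries, volume_threshold: int = 20) -> dict:
    """queries: iterable of (client_ip, qname) as a resolver would log them."""
    blocked, suspicious = [], []
    names_per_domain = defaultdict(set)
    for _client, qname in queries:
        if policy_verdict(qname) == "block":
            blocked.append(qname)          # feed/policy layer (web-filtering style)
            continue
        names_per_domain[registered_domain(qname)].add(qname)
        if query_looks_suspicious(qname):
            suspicious.append(qname)       # per-query pattern layer
    # Many distinct subdomains under one registrable domain is the volume signature of
    # tunnelling/exfiltration, whatever the individual labels look like.
    high_volume = sorted(d for d, names in names_per_domain.items() if len(names) >= volume_threshold)
    return {"blocked": blocked, "suspicious": suspicious, "high_volume_domains": high_volume}

# Constructed resolver log: normal traffic, two feed hits, and 25 tunnelling-style queries whose
# subdomains are hex digests standing in for encoded exfil data.
SAMPLE_DNS_LOG = [
    ("10.0.0.5", "www.example.test"),
    ("10.0.0.5", "cdn.malware-drop.test"),
    ("10.0.0.7", "login.phish-login.test"),
    ("10.0.0.9", "mail.corp.test"),
] + [
    ("10.0.0.12", f"{hashlib.sha256(str(i).encode()).hexdigest()[:48]}.t.exfil-tunnel.test")
    for i in range(25)
]

if __name__ == "__main__":
    for key, value in analyze_dns_log(SAMPLE_DNS_LOG).items():
        print(key, value if key == "high_volume_domains" else len(value))
```

The point of the constructed log is that `exfil-tunnel.test` is absent from the feed, so the reputation layer allows every query to it; only the per-query pattern and the per-domain volume signals catch it, which is the gap the DNS layer's pattern analysis fills. A domain that pattern analysis flags is exactly what would then be fed back into the reputation data.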
## Indicators of Compromise
- Network Indicators: Domains identified as malicious via pattern analysis or reputation lookup.
## Associated Threat Actors
- Threat actors employing DNS for C2 persistence or data staging/exfiltration.
## Detection Methods
- Pattern analysis of DNS queries against intelligence feeds.
- Machine learning analysis of DNS traffic behavior.
## Mitigation Strategies
- Enabling comprehensive DNS security monitoring and blocking based on Talos intelligence.
## Related Tools/Techniques
- Cisco Talos Web Filtering Service (Complements web security).
***
# Tool/Technique: Cisco Talos Email Filtering / Email Threat Prevention
## Overview
A suite of services that analyzes inbound email indicators (sender, URL, content, attachments) to classify messages as malicious, spam, or legitimate. Email Threat Prevention additionally uses AI to detect brand impersonation, which goes beyond what DMARC validation catches: DMARC only confirms that the From domain is aligned with a passing SPF or DKIM result, so mail from a lookalike domain the attacker controls passes it.
## Technical Details
- Type: Detection Service / Security Functionality
- Platform: Email (SMTP) Traffic
- Capabilities: Sender/IP reputation analysis, content and attachment scanning, URL inspection, behavioral analysis for BEC/Phishing detection.
- First Seen: (Not specified)
## MITRE ATT&CK Mapping
These tools focus heavily on combating initial access via communication channels and protecting against social engineering.
- **Initial Access**
- T1566.001 - Phishing: Spearphishing Attachment (Attachment scanning)
- T1566.002 - Phishing: Spearphishing Link (URL inspection)
- **Defense Evasion**
- T1656 - Impersonation (brand and executive impersonation caught by Email Threat Prevention)
## Functionality
### Core Capabilities (Email Filtering)
- Assessing sender domain/IP reputation and behavior.
- Evaluating email content, headers, and associated URLs/attachments.
### Advanced Features (Email Threat Prevention)
- AI analysis of email traffic patterns to identify instances of brand impersonation.
- Detecting Business Email Compromise (BEC) attempts that pass standard DMARC checks, for example mail sent from a lookalike domain that the attacker legitimately controls.
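The following added example (not Talos code) shows the kind of check that sits on top of DMARC. The DMARC verdict is read from an `Authentication-Results` header written by an upstream MTA (format assumed); the brand list, homoglyph table, edit-distance threshold and the three messages are constructed. The impersonation message passes DMARC because the attacker owns `examp1ebank.test`; it is caught only because the display name claims a protected brand, the domain folds to that brand after homoglyph normalization, and the Reply-To points elsewhere.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from typing import Dict, List, Set

# Brands the customer protects and the registrable domains allowed to send for them (constructed).
PROTECTED_BRANDS: Dict[str, Set[str]] = {
    "examplebank": {"examplebank.test"},
}

def levenshtein(a: str, b: str) -> int:
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def normalize(s: str) -> str:
    """Fold common substitutions so examp1ebank and exarnplebank compare equal to examplebank."""
    return s.lower().replace("rn", "m").translate(str.maketrans("01357", "olest"))

def registrable(domain: str) -> str:
    return ".".join(domain.lower().split(".")[-2:])   # naive eTLD+1; real code uses the Public Suffix List

def dmarc_result(msg) -> str:
    """DMARC verdict the receiving MTA recorded in Authentication-Results (header format assumed)."""
    m = re.search(r"dmarc=(\w+)", msg.get("Authentication-Results", ""))
    return m.group(1) if m else "none"

def impersonation_findings(msg) -> List[str]:
    findings = []
    display, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    reply_domain = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()
    from_reg = registrable(from_domain)
    sld = normalize(from_reg.split(".")[0])           # label left of the TLD, homoglyph-folded
    for brand, allowed in PROTECTED_BRANDS.items():
        if from_reg in allowed:
            continue                                   # genuine sender; DMARC alignment already covers it
        if brand in normalize(display):
            findings.append(f"display name claims {brand} but From domain is {from_domain}")
        if sld == brand:
            findings.append(f"homoglyph domain {from_domain} for {brand}")
        elif levenshtein(sld, brand) <= 2:             # threshold assumed
            findings.append(f"lookalike domain {from_domain} for {brand}")
    if reply_domain and registrable(reply_domain) != from_reg:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
    return findings

def classify(raw: str) -> str:
    msg = message_from_string(raw)
    if dmarc_result(msg) == "fail":
        return "reject: dmarc fail"                   # the standard control
    if impersonation_findings(msg):
        return "quarantine: impersonation"            # what DMARC alone cannot see
    return "deliver"

# Constructed messages. Headers start on the first line so the parser sees them as headers.
LEGIT = """From: "ExampleBank Alerts" <alerts@examplebank.test>
To: victim@corp.test
Authentication-Results: mx.corp.test; dmarc=pass header.from=examplebank.test
Subject: Your statement is ready

Statement attached.
"""
IMPERSONATION = """From: "ExampleBank Security" <security@examp1ebank.test>
Reply-To: collect@mailbox-free.test
To: victim@corp.test
Authentication-Results: mx.corp.test; dmarc=pass header.from=examp1ebank.test
Subject: Urgent: verify your account

Click here.
"""
LOOKALIKE = """From: Billing <billing@example-bank.test>
To: victim@corp.test
Authentication-Results: mx.corp.test; dmarc=pass header.from=example-bank.test
Subject: Invoice

See attached.
"""

if __name__ == "__main__":
    for name, raw in (("legit", LEGIT), ("impersonation", IMPERSONATION), ("lookalike", LOOKALIKE)):
        print(name, classify(raw), impersonation_findings(message_from_string(raw)))
```

The allowlist must contain every registrable domain the brand genuinely sends from, otherwise a real subsidiary domain trips the lookalike check; in practice that list is what the brand's own DMARC records tell you. Note the classifier only trusts `Authentication-Results` because it assumes the header was written by its own MTA and stripped from inbound mail, which is the standard precaution.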
## Indicators of Compromise
- Network Indicators: Malicious sender IPs, domains associated with phishing campaigns.
- Behavioral Indicators: Anomalous sender behavior, unusual reply-to addresses, specific wording patterns flagged by AI for impersonation.
## Associated Threat Actors
- Phishing groups, Business Email Compromise (BEC) actors, and spam distributors.
## Detection Methods
- Reputation checks.
- Signature and pattern analysis of files and content.
- AI/ML analysis of behavioral anomalies in email structure/headers.
## Mitigation Strategies
- Utilizing the combined Email Filtering and Threat Prevention layers.
- Ensuring DMARC (with SPF and DKIM) is correctly implemented and supplemented by AI analysis, since DMARC validates domain alignment, not whether the sender is pretending to be someone else.
## Related Tools/Techniques
- Standard DMARC validation (which Talos Email Threat Prevention augments).
***
# Tool/Technique: Cisco Talos Antivirus & Cisco Talos Malware Protection
## Overview
Two complementary technologies for malware detection. Antivirus handles signature and pattern detection for known malware (the same approach as ClamAV, the open-source engine Talos also maintains). Malware Protection checks the disposition of unknown files and looks for suspicious behavior on the endpoint to catch emerging threats.
## Technical Details
- Type: Detection Tool / Endpoint Security Agent
- Platform: Endpoint (Files/System Behavior)
- Capabilities: Signature matching for known malware; behavioral analysis for unknown or zero-day malware; file disposition assessment.
- First Seen: (Not specified)
## MITRE ATT&CK Mapping
These tools detect or block techniques used for execution, defense evasion and persistence:
- **Execution**
- T1059 - Command and Scripting Interpreter (Detecting execution attempts)
- T1204 - User Execution (Detecting the final stage of a malicious file execution)
- **Defense Evasion**
- T1027 - Obfuscated Files or Information (signatures for known packers and obfuscators; behavioral analysis covers the variants signatures miss)
- **Persistence**
- T1547 - Boot or Logon Autostart Execution (Detecting suspicious registry/file modifications)
## Functionality
### Core Capabilities (Antivirus)
- Signature and pattern detection to identify previously cataloged malware files.
### Advanced Features (Malware Protection)
- Checking the disposition of unknown files against intelligence systems.
- Monitoring and detecting suspicious on-machine behavior associated with malware activity.
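An added example of how the two layers combine on a single file (not Cisco's code): an exact-hash disposition lookup first, then a behavioral score over process, file and registry events when the hash is unknown, or when it is known-clean but the behavior says otherwise. The disposition store, the "binaries" (short byte strings), the event records, the scoring weights and the threshold are all constructed for illustration.

```python
import hashlib
from collections import defaultdict
from typing import List, Tuple

# Constructed disposition store keyed by SHA-256; the "files" are stand-in byte strings, not real binaries.
SAMPLE_KNOWN_BAD = b"MZ\x90\x00 constructed known dropper"
SAMPLE_KNOWN_GOOD = b"MZ\x90\x00 constructed signed installer"
SAMPLE_UNKNOWN = b"MZ\x90\x00 constructed never-seen-before payload"
DISPOSITIONS = {
    hashlib.sha256(SAMPLE_KNOWN_BAD).hexdigest(): "malicious",
    hashlib.sha256(SAMPLE_KNOWN_GOOD).hexdigest(): "clean",
}

def disposition(data: bytes) -> str:
    """Signature layer: exact-hash lookup. Anything not in the store is 'unknown'."""
    return DISPOSITIONS.get(hashlib.sha256(data).hexdigest(), "unknown")

AUTOSTART_KEYS = ("\\microsoft\\windows\\currentversion\\run", "\\microsoft\\windows\\currentversion\\runonce")
OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}
INTERPRETERS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
ORDINARY_EXTENSIONS = {"tmp", "bak", "txt", "docx", "xlsx", "pdf", "log"}

def behavior_score(events: List[dict]) -> Tuple[int, List[str]]:
    """Behavioral layer over endpoint events. Weights are assumed for illustration."""
    score, reasons = 0, []
    renames = defaultdict(int)
    for ev in events:
        kind = ev["type"]
        if kind == "registry_set" and any(k in ev["key"].lower() for k in AUTOSTART_KEYS):
            score += 40
            reasons.append(f"autostart entry written: {ev['key']} (T1547.001)")
        elif kind == "process_create" and ev["parent"].lower() in OFFICE_APPS and ev["image"].lower() in INTERPRETERS:
            score += 40
            reasons.append(f"{ev['parent']} spawned {ev['image']} (T1204.002 -> T1059)")
        elif kind == "file_rename":
            renames[ev["new_ext"].lower()] += 1
    for ext, n in renames.items():
        if n >= 20 and ext not in ORDINARY_EXTENSIONS:   # mass rename to an odd extension
            score += 60
            reasons.append(f"{n} files renamed to .{ext} (T1486)")
    return score, reasons

def verdict(data: bytes, events: List[dict], threshold: int = 60) -> Tuple[str, List[str]]:
    d = disposition(data)
    if d == "malicious":
        return "malicious", ["known malicious hash"]
    score, reasons = behavior_score(events)
    if score >= threshold:
        return "malicious", reasons            # behavior overrides an unknown or even a clean hash
    if d == "clean":
        return "clean", ["known clean hash"]
    return ("suspicious" if score else "clean"), reasons

# Constructed event streams as an endpoint agent might record them.
SAMPLE_DROPPER_EVENTS = [
    {"type": "process_create", "parent": "WINWORD.EXE", "image": "powershell.exe", "cmdline": "powershell -nop -w hidden"},
    {"type": "file_write", "path": "C:\\Users\\alice\\AppData\\Local\\Temp\\svchost.exe"},
    {"type": "registry_set", "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svc",
     "value": "C:\\Users\\alice\\AppData\\Local\\Temp\\svchost.exe"},
]
SAMPLE_RANSOM_EVENTS = [{"type": "file_rename", "path": f"C:\\Shares\\docs\\{i}.docx", "new_ext": "locked"} for i in range(25)]
SAMPLE_BENIGN_EVENTS = [{"type": "file_write", "path": "C:\\Users\\alice\\AppData\\Local\\Temp\\setup.log"}]

if __name__ == "__main__":
    print(verdict(SAMPLE_KNOWN_BAD, []))
    print(verdict(SAMPLE_UNKNOWN, SAMPLE_DROPPER_EVENTS))
    print(verdict(SAMPLE_KNOWN_GOOD, SAMPLE_RANSOM_EVENTS))
```

The last call is the one worth remembering: a known-clean hash does not exempt a process from behavioral monitoring, because a signed but abused binary encrypting a share is still ransomware from the victim's point of view.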
## Indicators of Compromise
- File Hashes: MD5, SHA1, SHA256 for known malware binaries.
- File Names: Common names associated with dropped malware payloads.
- Behavioral Indicators: Suspicious process creation, unusual file writes, attempts to modify critical system areas.
## Associated Threat Actors
- All threat actors deploying payloads, ransomware, trojans, or backdoors.
## Detection Methods
- Signature matching (Antivirus).
- Behavioral monitoring and heuristic analysis (Malware Protection).
## Mitigation Strategies
- Maintaining active endpoint protection services.
- Utilizing advanced malware protection capabilities for unknown files.
## Related Tools/Techniques
- ClamAV (Mentioned as an open-source parallel).
***
# Tool/Technique: Orbital Queries and Scripts
## Overview
A platform provided by Talos that allows administrators to proactively hunt for threats. It enables the collection of information from networked devices using user-defined or Talos-provided queries to identify insecure configurations, policy violations, or compromise indicators.
## Technical Details
- Type: Tool / Endpoint Query/Hunting Platform
- Platform: Networked Devices (Endpoints)
- Capabilities: Information collection across devices, running custom or pre-defined security queries.
- First Seen: (Not specified)
## MITRE ATT&CK Mapping
Orbital is a defender-side tool: its queries collect the same kinds of account, process and system state that an adversary's Discovery techniques enumerate, and they are used to hunt for artifacts of techniques such as:
- **Discovery**
- T1087 - Account Discovery
- T1018 - Remote System Discovery
- **Defense Evasion**
- T1036 - Masquerading (Hunting for unauthorized processes/files)
## Functionality
### Core Capabilities
- Collecting current state information from networked devices.
- Running proactive security hunting scripts/queries.
### Advanced Features
- Empowering administrators to hunt for specific security conditions (insecurity, policy violations, compromise).
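Orbital runs osquery on the endpoint, so a hunt is a SQL query against tables such as `processes` and `registry`. The added example below is not Orbital or Talos code: it loads constructed rows into an in-memory SQLite database using a column subset of osquery's schema, then runs three hypothetical hunting queries (masquerading, Office spawning something from Temp, Run-key persistence) of the kind an administrator would push to a fleet.

```python
import sqlite3
from typing import Dict, List

# Column subset of osquery's `processes` and `registry` tables; the rows are constructed, not a real host.
SCHEMA = """
CREATE TABLE processes (pid INTEGER, name TEXT, path TEXT, cmdline TEXT, parent INTEGER);
CREATE TABLE registry  (key TEXT, path TEXT, name TEXT, type TEXT, data TEXT);
"""
PROCESS_ROWS = [
    (4,    "System",       "", "", 0),
    (600,  "services.exe", "C:\\Windows\\System32\\services.exe", "services.exe", 4),
    (812,  "svchost.exe",  "C:\\Windows\\System32\\svchost.exe", "svchost.exe -k netsvcs", 600),
    (1200, "explorer.exe", "C:\\Windows\\explorer.exe", "explorer.exe", 600),
    (3001, "WINWORD.EXE",  "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "WINWORD.EXE /n invoice.docm", 1200),
    (2210, "svchost.exe",  "C:\\Users\\alice\\AppData\\Local\\Temp\\svchost.exe", "svchost.exe", 3001),
    (4100, "updater.exe",  "C:\\Users\\alice\\AppData\\Roaming\\upd\\updater.exe", "updater.exe /silent", 1200),
]
RUN_KEY = "HKEY_USERS\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"
REGISTRY_ROWS = [
    (RUN_KEY, RUN_KEY + "\\OneDrive", "OneDrive", "REG_SZ",
     "C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"),
    (RUN_KEY, RUN_KEY + "\\Updater", "Updater", "REG_SZ",
     "C:\\Users\\alice\\AppData\\Roaming\\upd\\updater.exe /silent"),
]

# Hypothetical hunting queries in osquery's SQL dialect. SQLite LIKE treats '\' literally unless an
# ESCAPE clause is given, so Windows paths are matched as-is (raw strings keep the backslashes).
HUNTS: Dict[str, str] = {
    # T1036: a process named like a core Windows binary but not running from System32.
    "system_binary_name_outside_system32": r"""
        SELECT pid, name, path FROM processes
        WHERE lower(name) IN ('svchost.exe', 'lsass.exe', 'csrss.exe', 'services.exe')
          AND path != '' AND lower(path) NOT LIKE 'c:\windows\system32\%'""",
    # T1204/T1059: Office spawning an interpreter, or anything launched from the user's Temp directory.
    "office_spawned_suspicious_child": r"""
        SELECT c.pid, c.name, p.name AS parent_name
        FROM processes c JOIN processes p ON c.parent = p.pid
        WHERE lower(p.name) IN ('winword.exe', 'excel.exe', 'outlook.exe', 'powerpnt.exe')
          AND (lower(c.name) IN ('cmd.exe', 'powershell.exe', 'wscript.exe', 'mshta.exe')
               OR lower(c.path) LIKE '%\appdata\local\temp\%')""",
    # T1547.001: Run-key autostarts pointing into user-writable locations, with a baseline allowlist.
    "run_key_into_user_writable_dir": r"""
        SELECT name, data FROM registry
        WHERE lower(key) LIKE '%\microsoft\windows\currentversion\run'
          AND (lower(data) LIKE '%\appdata\%' OR lower(data) LIKE '%\temp\%' OR lower(data) LIKE '%\users\public\%')
          AND lower(data) NOT LIKE '%\microsoft\onedrive\onedrive.exe%'""",
}

def build_inventory() -> sqlite3.Connection:
    """Stand-in for the state Orbital collects from one endpoint."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO processes VALUES (?,?,?,?,?)", PROCESS_ROWS)
    conn.executemany("INSERT INTO registry VALUES (?,?,?,?,?)", REGISTRY_ROWS)
    return conn

def run_hunts(conn: sqlite3.Connection, hunts: Dict[str, str] = HUNTS) -> Dict[str, List[tuple]]:
    return {name: [tuple(row) for row in conn.execute(sql)] for name, sql in hunts.items()}

if __name__ == "__main__":
    for hunt, rows in run_hunts(build_inventory()).items():
        print(hunt, rows)
```

The OneDrive row is there on purpose: a naive "Run key into AppData" hunt flags it on every workstation, so the query carries a baseline allowlist, which is the tuning step that turns a noisy query into one worth scheduling across the fleet. The fake `svchost.exe` in Temp is caught twice, once by name and once by lineage, which is the redundancy you want when one signal is easy to evade.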
## Indicators of Compromise
- Detection relies on IOCs discovered by the executed queries (e.g., specific registry keys, unauthorized processes running).
## Associated Threat Actors
- Detection methodology useful against *any* actor whose presence leaves artifacts on endpoints.
## Detection Methods
- Active querying and auditing of system state information requested by the administrator.
## Mitigation Strategies
- Regularly executing proactive Orbital queries to check baseline configuration and threat artifacts.
## Related Tools/Techniques
- Incident Response (Talos IR is mentioned to provide expert emergency response).