Talos Takes
Every two weeks, host Amy Ciminnisi brings on a new guest from Talos or the broader Cisco Security world to break down a complicated security topic. We cover everything from breaking news to attacker trends and emerging threats.
Cybersecurity’s double-header: 2025 insights from Talos and Splunk
In this episode of Talos Takes, Amy is joined by William Largent (Cisco Talos) and Lou Stella (Splunk) for a "double-header" discussion. With the recent release of the Cisco Talos 2025 Year in Review and the Splunk Top 50 Cybersecurity Threats report, we’re breaking down the most critical trends that shaped the security landscape last year — all based on Cisco telemetry, Talos' original research, and Talos Incident Response engagements.
From the professionalization of ransomware-as-a-service to the persistent challenge of decade-old vulnerabilities, this episode moves beyond the headlines to provide a practical roadmap for defenders. You’ll get tips on how to prioritize your defenses and reduce your attack surface for the year ahead.
Talos 2025 Year in Review: https://blog.talosintelligence.com/2025yearinreview/
Splunk Top 50 Cybersecurity Threats: https://www.splunk.com/en_us/campaigns/top-50-security-threats.html
Welcome to The Talos Takes podcast, where we discuss Talos' latest research and security news. This podcast is for everyone from the C-suite to the frontlines.
Amy Ciminnisi: Hello everyone, and welcome to the show. I'm your host, Amy Ciminnisi, and today we're bringing together insights from two of the industry's most influential annual reports. First, we've got the Cisco Talos 2025 Year in Review, which pulls from our own incident response data and global security telemetry. We have detailed analysis to show you exactly how attackers are breaking into networks, what that means for your defenses, and how to prepare. Next up we have the Splunk Top 50 Cybersecurity Threats report. It acts as a real-world field guide. It breaks down the most common attack tactics and gives strategies to get ahead of the next wave of threats. Both of these reports were just released on Monday. I've put links to them in the show notes, but today we will be diving into the biggest takeaways from both. We're exploring what defenders need to know as they plan their security strategies for the year ahead. Joining me today are two fantastic guests. We have William Largent from Cisco Talos and Lou Stella from Splunk. They're going to help me break down the findings, highlight some common themes, and discuss how you can use these reports as a practical roadmap. All right, let's dive right in. Talos observed that nearly a third of MFA spray attacks targeted identity and access management apps, or IAM, and Splunk, in their report, identifies valid account usage as the number one initial access technique. Bill, with identity now the primary battleground, what measures should defenders be taking and prioritizing to protect their accounts and their authentication mechanisms?
William Largent: I mean, obviously we live in a world where two-factor is a demand, and not just two-factor, but rolled out properly. You know, we occasionally see them where it's in clear text still, or it's rolled out in such a way that two-factor fatigue is very real. There's not a single person listening to this, including you two, that is not tired of saying yes, yes, yes. Like, it's just a fact of life. Yeah. Beyond that, I would say, people get tired of me saying know your network and do the small things, but in this instance, ensure that when people leave, we live in this chaotic environment where people come and go in these job roles, make sure that those accounts are dead and make sure the default accounts are deadened. Right. Make sure that you have some type of tooling in place that is checking for those passwords that are in leaks that could be reused in your environment, ensure that your passwords are not reused from anything else. Right. So your core password should just be that one. Right. And really, you should just not know it. Well, let's be clear. Like that's one of those things. But those are like the simple things, because, and Lou's going to share with you exactly the facts, but like all these initial access brokers and groups, their entire business model is stealing identities and selling the access that they gain from those. Right. Like this. It's an entire business model, and it's very profitable. So. Yeah. Lou.
Lou Stella: Yeah. You know, you actually said something that really hit with me: knowing your network. And six years ago, you know, we all left our offices and the world changed. And simultaneously, overnight, I think every single impossible traveler detection broke everywhere, because no one had accounted for the way their VPN configurations were configured for split tunnels and remote access workers. And it's so incredibly important to know where your applications are, but also where folks are accessing them from. You can't do a good job detecting threats if you don't understand what normal is.
William Largent:Yeah, that baseline is everything. If you don't have that, I don't know how you'd find the anomalous behaviors. Right. Like that's.
Lou Stella: Exactly.
Amy Ciminnisi: Yeah. You probably wouldn't. Yeah. So the Talos report talks about how vulnerabilities like React2Shell have been weaponized within hours or days, but 32% of the top 100 targeted vulnerabilities that we tracked are over a decade old at this point, and they're still actively being targeted. I guess I'm wondering what these statistics tell us about the vulnerability life cycle and how organizations should improve their patching strategies?
William Largent: I love that report. It stuns me every single year. The number of old vulnerabilities that still hang around, made worse now, which we see with React2Shell, which is brand new. Right. But we saw that explode and take up a year's worth of exploitation in a three-month cycle. Right? Like, it's insane. But what's really interesting about that is that's just showing, like, the leverage and use of AI tooling by adversaries, whether it's nation-state or cyber, they're going to do the things that are easy work, that repetitive work, just like when we started scripting and using NetSaint and, you know, all of these things to help us with our tooling. Metasploit. Right. Like, all of these tools are just tools that smart people can leverage to do smart things, and dumb people do dumb things with them. Right? Like that's how it works. We see that with React2Shell, but we also see those ten-year-old vulnerabilities are going to be leveraged in a bunch of new ways. You know, like I show in a slide deck that probably a lot of people that have seen me are tired of. But I showed that, like in a couple of minutes, I can take an exploit, pull it in, change the language that it's in, then repack it with a packer. And now I've got a completely different exploit. And if the protections that are in place are written for the exploit and not the vulnerability, bypassed. I mean, it's eight years old. It doesn't matter, right? And again, if you don't know your network, you can't know what is and isn't patched. It sounds crazy, but like, hey, let's make sure that we know another thing. And Lou kind of touched on it a little bit, when the world changed for all of us. Right. The other thing that happened, tons of mergers and acquisitions and stuff. Right. And those networks, complete mystery, right? Like. And the people who set them up, long gone. Right.
So here we are trying to still combat that element as well, as well as learning and keeping our environment safe. And then when something does come alive, the timelines have shrunk dramatically.
Lou Stella: You know, I think when we look at, like, vulnerability age and stuff, it's important to think about application vulnerabilities versus vulnerabilities in software libraries that then everyone uses in different ways, and maybe vulnerable ways, maybe not vulnerable ways. If you have so much organizational inertia that you can't patch a seven-year-old file sharing appliance that's sitting in a closet somewhere, that's a really big issue, but very different than you're all in on agentic coding and your agent of choice has decided that you're going to build an application with a 2-year-old library that there are plenty of newer versions of. But if you don't know, and you don't have the tooling that looks at your dependencies in your applications and tells you, hey, this library is out of date, and here's all the CVEs. If you're not running those scans, you're not going to know until it's too late.
William Largent: And to our folks that are defenders out there in the world, it's very difficult to know sometimes when there's those library vulns, right? Especially like you think about Unix or Linux or something, where maybe someone finds that maybe it might be a seven-year-old vulnerability, but it wasn't in these particular packages because this version of Python didn't leverage this library. But now this one does. All of these things happen kind of so quietly and in the background. And then we're excluding the idea of nation-state actors putting things into this GitHub or that library, you know, like all of these different things, we see it happen all the time. And those are like edge cases to what we're talking about. But having this old piece of hardware that only three people know how it's working and what it's doing, that's knowing your environment. You got to move off of that. You just do.
Amy Ciminnisi: Yeah. So, Bill, going back to what you just said, I mean, to me, it sounds like it might be a stupid question, but I know there are no stupid questions. So then how do you find those vulnerabilities in that seven-year-old library that you were referencing? Like, what is the mechanism for that?
William Largent: One thing I'd say is having regular testing inside your environment. Have experts; if you don't have those experts in-house, and it's very expensive to have these kinds of people on staff, right, so in a lot of places, have an expert come and do that. Someone like the Talos AI team, right. Like where you have a purple teaming, where they use some red teaming and blue teaming and see both sides of the equation. Test your physical security as well as the network security. Right. Like all of these things matter, but there's also some detections that you can run in your environment so that it pulls it, say, into your SIEM, into your Splunk instance. And it shows like platform and stuff like that. Right. So you can see what platform things are on. But beyond that, I think having smart people do the smart people thing is always the best choice. And it's one of those things where it sounds really expensive upfront, but I think it's an easy sell to take to someone to say, hey, we really need to do this because the average cost of ransoms is only going up, right? Like, it's as simple as that. And then self-assessment again: if you can self-assess and you look in Active Directory and you see there's, you know, Windows 10, Windows 7 machines or, you know, Xbox is like, and that sounds funny until you watch, look at the dark web and see all the leaks and you're like, the bad guys are mapping everyone's network. And here's these Windows 7 hosts, and here's these 2008 Server R2. Right. Like it's 2026.
Amy Ciminnisi: Yeah. So we're going to be shifting over to the Splunk report. So the report shows that cloud misconfiguration and insecure APIs are very frequently the entry points for attackers. This often results in silent breaches that are very hard to detect through shadow IT and permissive IAM roles. What are some of the most effective ways for defenders to better their visibility, reduce those blind spots, and reduce risk in these often really opaque, difficult-to-see-through environments?
Lou Stella: It's tricky because there's not like a magic bullet or an easy button for this. Unfortunately, when you're trying to reduce the surface area for this, you first need to understand what your surface area even is. And there's tools out there. Or, you know, you just hire people to actually do the work to figure out what are all the applications you're using. Where are your AWS accounts? Where are the root keys for those AWS accounts? Do you have all of the out-of-the-box configuration set up to set you up for success, or are things maybe a little more lax? We've spent years in this shared responsibility model with the cloud providers. It's something people still need to be reminded about, that, you know, AWS gives you a lot of the control over whether or not you're secure. And all of the hyperscalers, it's the same situation. Everywhere, you need to understand the toggles when you're setting things up and which dials to turn. But at the end of the day, it's still your responsibility. And so it's not the beautiful, sexy, fun security work, but it's the hard work that keeps things safe. At the end of the day, you gotta put in the work.
Amy Ciminnisi: Yes, 100%. And one of the things that both reports highlight is attackers using legitimate tools like PowerShell, RDP and native drivers to remain invisible. So how does this shift complicate finding these threat actors? Can you both talk a little bit about, you know, advanced threat hunting, behavioral analytics, things like that? How can they help surface these tactics?
Lou Stella: Sure. And this is, unfortunately, another one of those things where you really have to actually put in some work. You know, if you just run a search in your Splunk instance or in your SIEM of choice for all the instances of PowerShell running a base64-encoded command, there's probably going to be a lot. And unfortunately, it's not all necessarily malicious. Things are baked into line-of-business applications, scripts that get passed around from sysadmin to sysadmin that do one thing or another, that are always, you know, sometimes very legitimate uses for that. But, you know, maybe Tom from accounting isn't really a PowerShell user. And so when Tom from accounting starts running encoded PowerShell commands, that should set off some flags. And so, you know, assets and identities, understanding the devices that you have in your network and the people and the accounts that work in your organization, and what they all do, is like such a fundamental, foundational part of setting yourself up for success. And, hey, you know, if nothing else, having a CMDB, or a database essentially of all of the devices you have, if nothing else, it can save you a lot of hours on an IR engagement when the IR folks don't have to build it from scratch and know where the things are.
Amy Ciminnisi: Yeah. Yeah, 100%. We talk about that a lot with Talos Incident Response. You know, either having a retainer with them or with whatever IR provider you choose. Having that relationship saves so much time when it comes to an incident that occurred either in your environment specifically or in the world. You know, when the next big thing happens in the world, for example, Log4j back in 2021, you are the first priority when these things happen. And you know, they already have a lot of familiarity with your environment. So yeah, 100%.
William Largent: Yeah. I'm going to tack on real quick to both of those things. So, Lou brought up some great points. I was going to say, it's interesting how we've seen the dynamic move, like even in the threat actor world. Like, so a few years ago, we saw MagicRAT that had all this, like, cool tooling that they built and all that stuff. And then as it went on, they actually removed all of this really cool tooling that had all of these features, because they create anomalous behaviors within the environment. You have to install them and all this stuff. And so their tools got much dumber, quite literally. They're just leveraging Windows and Linux tools now instead to do lesser versions of the tooling that they had, because they can live longer and quieter. And Lou had a great point about identity, right? Like clearly the finance guy shouldn't be kicking off PowerShell things in a new Docker. And like all of these things, it sounds silly, but it happens every day. The other thing that it highlights, and I know people are going to get tired of me banging the drum, but this highlights why segmentation and micro-segmentation are so important, right? Yeah. Even if it does start taking off, he still shouldn't have access to this version of the databases within this DMZ. And this payroll and not this executive branch network. Right. Like all of these things matter. And then having a tool like Splunk in your arsenal is really important, because you have like the living-off-the-land binaries. And that's very true. But say you have commands that, like, this user is leveraging, say, HTTP access to go out and pull down a file. That's kind of an unusual behavior, even though there may be legitimate scripts for those things. Right. But if you have a baseline, it's going to show you an anomalous behavior like that.
Like if we're leveraging, you know, one of these tools in a kind of an unusual way, if you see IMP command run, go and grab a binary like an executable from somewhere in Morocco. Like that's not really what it's built for. It's not really what it does. Right. Like those things matter. And so having your junior analysts up to date on what living-off-the-land binaries are and track the LOLBins project and make sure that you have those things set up to be dashboards within Splunk. Right. So that you can pull up a dashboard and say, hey, what does my LOLBin activity look like today? Well, everything's normal, except this one now has three times as much traffic as normal on Tuesdays at this time. And it's the dashboard. I mean, the dashboard doesn't lie. It shows you. Right. And so those kinds of things where we see upticks, could it be benign? Absolutely. Is it going to be? I mean, I don't think so. Not when you see those dramatic leaps. And so those things, again, that's knowing your network. And then leveraging what you have to do those things. Don't set it and forget it. That's the last thing I'm gonna say about this, is that one of the things that I always love from the Year in Review, and we see it again and it's just mind-boggling, is, what is it, it's still more than 20% of the engagements had no logging or very little logging in place. So they had these devices and they just set it and forget it.
Amy Ciminnisi: Makes my heart hurt. Yeah. Yes. So speaking of Year in Review, let's get into the ransomware section a little bit. Yet again, I'm sure people are not surprised manufacturing is the most impacted in 2025. We have Qilin, Akira and Play being very dominant groups, and Splunk, in their report, noted the rise of ransomware-as-a-service. Can we talk a little bit more about these patterns and what we might expect to see in 2026?
Lou Stella: One of the things that I think is undersold is how professionally some of these organizations operate. Generally, more and more we're talking about financially motivated actors like this. And the ransomware-as-a-service ecosystem. There's a lot of money at play, like an incredible amount of money. And so they're financially motivated to run things in a somewhat professional manner, according to their idea of professional. But, you know, these are organizations that are using the same Kanban boards and issue tracking software that software engineers are using to track their engagements. And we're seeing referral networks. And, you know, this is an entire industry that has a level of maturity to it that I think is not commonly understood, especially with the idea that financially motivated crime is just a couple of people in a third world country trying to skim pennies off the top because it goes so far there. It's just not like that.
William Largent: I've been saying this for years with Intel, but when you think of it, you don't think of, you know, some dude in his grandmother's basement playing World of Warcraft and pounding out some code, Red Mountain Dew, and then hacking us. That's not. That's not what this is. It's not someone in a third world country doing this to skim pennies, right? It's the yakuza. It's the drug mafias. It's the cartels. It's the same base. It's organized crime. Because this is billions with a B, and a lot of billions you lose, right? Like, we have screenshots that we've taken from Tei that cracked me up, in their Confluence pages. Right. Like, so they have Confluence tickets open for the ransomware service. Right. And then we also see the other things that are kind of white hat side mirrored on the black hat side, where they have third-party vendors that do this and that. Right. Like, so you talked about Akira and Qilin and all those; those people are leveraging Shawna to do a lot of their packing because they're very good at it, and it's faster and cheaper to pay them to do that than to do it in-house. And sometimes they recruit and steal people just like the white hat side of things. But there's all these things, right? Like third-party service providers for the landing pages or this or that. And they've gotten very good at siloing up what can be to make profit margins. Right. And it is big business. It is not little things. And so the sophistication absolutely is no surprise.
Amy Ciminnisi: So why is manufacturing consistently the most impacted sector? We talk about this in more detail in the Year in Review. But can you give a little bit of a tease as to, you know, what makes it so attractive for ransomware actors?
William Largent: Well, I mean, I think first and foremost is that there's like a return on investment for production. Right? Like, not unlike when hospitals are ransomed and there's human lives at stake. And so the leverage, the wish to pay, goes dramatically up. Right. Like, you know, like, oh, I can't do my B2B for two days. That's one thing. I can't... the machines aren't going to work anymore, these people will all die. You know, and I think much the same way we see with manufacturing and stuff, that it's like there is an incentive, like every minute, an hour is a massive cost in infrastructure, and when they lose that minute, they don't just lose that minute, they lose the exponential minute because of that. And then beyond that, we see a lot of strange tooling and IoT devices, some of which, you know, are a bit older and being leveraged, and then there's a lot of times where the networks aren't as normally visible and aren't as kind of standard as kind of the more Windows, Linux, Unix environment where you have a lot of admins that know a lot about those things, and they can catch things that are anomalous really quickly. In a lot of that world, the traffic is very unique in and of itself, right. The way that some of those IoT devices handle their RF season stuff is very different. And so having expertise in seeing that stuff is also a challenge. So I think some of all of that is wrapped together.
Amy Ciminnisi: For organizations who are in these high-risk sectors, how should they be preparing, other than the things that we've talked about in this episode so far? And, you know, obviously having playbooks in order. Other than that, what should they be doing?
Lou Stella: There's an untold number of things that can go wrong when you have an incident, and it's a matter of when, not if. For some definition of incident, you know, you gotta have your ducks in a row in advance. You gotta know, who are you calling? Who are the systems experts for each area of your organization? How are you communicating this? We could spend an hour talking about crisis comms. You really got to figure that out in advance. Because when you're under pressure and whether your manufacturing line has ground to a halt or all of the ventilators just went offline, or even if it's just, you know, no one can get in the doors to the office because they were on the network and now everyone's locked out. You got to figure out the plan in advance so that you don't make the wrong choices under pressure, in the heat of the moment.
William Largent: I get asked the question often about, you know, like, what do I defend? What do I do? You've scared me. Now what do I do going forward? You know, all those things. So the things I say always to people is, remember, there's always the 80/20 rule. First, make sure that you're above the 80% of the noise of your networks, of your competitors or whatever, right? Be in the top 20% of the noise, because the attackers are going to go to the easiest path. They're like water flowing to the easiest path. Right? They definitely are, when we're all lazy. But also we just want our work to be accomplished. And if there's a faster path, we're going to take that. And number two, one of the things I think is really important, as you look at the Splunk report, you look at the Talos Year in Review, there's a bunch of stuff that mirrors in both of them, and it's mirrored and it's exponential year over year. If you keep looking back, look at the Year in Review for the past 2 or 3 years in a row. Look at the Splunk report for 2 or 3 years in a row and understand: got to know my environment, got to patch things and get them up to date. Got to kill dead accounts. Got to kill system accounts that are default, all of those things. So all of these like little building blocks. You do those things so that now your smart people, your analysts, junior and senior, are looking at their Splunk dashboard and they're like, okay, this anomalous behavior happened and this and this, right? They have the time and the inclination to know their network and know the environment. Now they know this is anomalous behavior. So now when they do see lateral movement leveraging a LOLBin, but it's at a weird time of day or a weird account or it's downloading a binary or it's trying to move a large file size or copy an entire Docker or whatever. Right. Like any of those things that we see, escalated privileges. Again, you're going to see that.
But if you're not used to that, you're not going to see it as well. But if you do have good hygiene, good segmentation, you're going to see those things. You're going to be above the board. These aren't like theoretical things. Like, we're looking at the Splunk reports and the Talos reports. And these are things that happen to people. Right. Like this is happening all over the world. And so leverage that information to do the needful.
Amy Ciminnisi: Bill, you are reading my mind. We have a blog coming out at the beginning of April. It is from Yuri Kramarz over in Talos Incident Response. It'll be on our Talos blog and it's discussing: Okay, great. Now that we have these reports, what do we actually do with them in practice? Like, you're not just going to read them and then throw them away. You're going to take a look. You're going to see what those recurring patterns are year after year. And, you know, he gives some ideas for how to prioritize, you know, what your organization needs. And then one of the things that I was also thinking about was like, don't just plan... practice. Like, get a tabletop exercise going, get your Backdoors and Breaches, you know, together, like, get your security team together as much as you can and actually run through a realistic scenario of, like, what a similar organization in your industry either has gone through or may have gone through. Again, you can use these Year in Review reports, and the Top 50 report, to actually create those.
William Largent: Can I pick back one thing before you wrap up? I have to talk. First of all, if any time you're out there and you can hear Yuri talk or read what Yuri has to say, do it. He knows what he's about. Like, for real. The second thing, I want to throw this out to all the practitioners out there, right? Like the operational people, SOC managers, analysts, all of those things, these two reports are absolutely fantastic for you to take up the ladder to decision makers who may or may not be, like, pulling the budgets, right? And they're like, hey, blah, blah, and you're like, look, man, the cost of one ransomware event eclipses this by miles. This is the real world. This is how it looks. This is what's happening out there. This isn't a theoretical. This isn't a, you know, marketing or, you know, anything like that. This is applicable, actual, real-world intelligence.
Amy Ciminnisi: I think that's absolutely brilliant. And like, yeah, take these. I mean, put the fear of the board in your leadership and like, okay, your board cares about whether or not you are impacted by a huge event like this. Like, you can put the fear of cybercrime in them. But we've been talking for a while. We've given a lot of recommendations. But as we wrap up, what is one piece of advice that you would give defenders that they might not think of at first, but that actually really makes a difference in the defense posture of an organization?
William Largent: I would think that everyone out there in an operational environment should weaponize intellectual curiosity. So what I mean by that is make sure that your team has the time to do things that interest them. You know as well as I do, Amy, that at Talos it doesn't matter where you came from. Intellectual curiosity is number one. If you don't have that, you will never make it. Right. And so we can teach the intellectually curious person this language or that coding or any of the things. Finding anomalous behavior takes an intellectual curiosity. And the only way to really protect yourself is to find those anomalous behaviors. And I think the way to do that is to ensure that you have intellectual curiosity on your team, and you're giving those team members education and resources and time away. And I know that we're all overworked and understaffed, but try to find a way to make sure that those junior analysts bite into something that really interests them. Right? Like, hey, do you want to take this class in this kind of shell, or do you want to try to break this environment just to see if you can do it? And all of these things are outside of their scope, so that they will be more excited to be working and be challenged into finding those things. Because when you do pivoting and threat hunting, the intellectual curiosity is going to be the piece that gets and finds the behaviors.
Lou Stella: Before you know your environment, you have to know thyself. I don't mean like Delphic wisdom, which was actually volcanic gases. I mean, you need to understand the business you work for. What are the actually important things that you need to protect? And do you know where your data centers are? Where's your domain controller? Do you have a domain controller? Identify what your crown jewels are. Figure out what's important. What's the way that you as a security department or a SOC analyst or a manager in a SOC, how can you tie what you're protecting to the actual goals of the business that you're working for?
Amy Ciminnisi: Wow. Okay. So my brain is now fully mush, having listened to all of this. This was incredible. Thank you so much, William and Lou. And thank you, everyone, for tuning into this episode of Talos Takes. I will put the two reports in the show notes. We will have a fresh new episode for you in two weeks. We are going to be diving into the Year in Review on a deeper level over the next two episodes, so please take a listen. In the meantime, have a fantastic week and stay safe out there.