Cisco Talos Threat Research Summit at Cisco Live – Orlando 2018



During this year’s Cisco Live – Orlando, among the many topics discussed was security. With data breaches happening on what seems like a daily basis and a constant threat to our data, there has never been a more pressing time to look at cybersecurity.

In a world of IoT, where more and more wireless-capable devices are popping up on our networks, keeping those networks secure and protected has never been of such paramount importance.

For the first time ever, Cisco Talos held a Threat Summit, with the idea that it would be a conference from defenders, for defenders.

Among the audience were network engineers, security experts, CIOs and CTOs who had come with a thirst to learn more about the threat landscape and how to defend their enterprise networks against it.


Matt Watchinski, Vice President at Cisco Talos, said that the number one priority for the company was to invest in its people. Matt explained that he spent a lot of time building a diverse, tight-knit culture inside the Talos organisation – “It’s how we train our people to look at threats, how they look at the world and how they interpret that back into practical things that our customers can use to defend their networks.”

Lurene Grenier, Researcher at Immunity Inc, said: “The breaches that they know about are not the breaches they need to be concerned about as business people. The breaches they need to be concerned about are the ones they don’t know about, that are prolonged attacks from nation states supporting companies in that space.”


VPNFilter is a giant-sized IoT botnet. More than 500,000 devices around the world are said to be infected with this malware. Most of them are consumer internet routers from a range of different vendors, and some consumer NAS (network attached storage) devices are known to have been hit as well.

IoT refers to all those internet-connected devices in our lives that are small enough, and cheap enough, and everyday enough, that we forget they’re really just tiny computers in much the same way that our laptops and mobile phones are computers.

As a result, IoT devices often receive little or no attention to cybersecurity while they’re being designed, when they’re shipped, or after they’re installed.

A ‘botnet’ is a robot network, also known as a ‘zombie network’. That’s where attackers implant malware on thousands, or even hundreds of thousands, of computers in such a way that they can secretly send programmatic commands to each of them – one by one, or all at the same time.

How Bots work

Typically, each bot in the botnet regularly calls ‘home’, using some sort of network request, to one or more servers operated by the hackers. On calling ‘home’, each zombie computer fetches instructions on what to do next, instructions that often include commands such as “here is a new software module to install and add to your menagerie.”

In other words, zombie networks are not only able to mount large-scale simultaneous attacks all across the globe, they can also adapt and update themselves to include whatever malware capabilities the attackers feel like adding later on. In some cases – and VPNFilter is one – the zombie includes a special command to deliberately kill itself, and sometimes the device it’s running on.

The VPNFilter malware also includes an auto-update component, allowing its functionality to be updated at will; one of the add-on malware modules found so far is a so-called packet sniffer.

Sniffers tap into the network software inside the operating system so that they can monitor network packets, looking for data of interest in any network traffic that isn’t encrypted.

VPNFilter looks out for various data patterns, including web requests associated with known vulnerabilities, login requests that indicate password-protected web pages where the password is blank, and unencrypted web traffic that might contain usernames and passwords.
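As an added example (not code from the post or from Talos), here is a small Python audit that flags the kind of plaintext credential exposure the sniffer described above would harvest: HTTP Basic auth headers and form logins sent over unencrypted HTTP, and whether the password is blank. The sample requests, hostnames and field names are constructed for illustration.

```python
import base64
from urllib.parse import parse_qs

# Constructed sample requests, as a sniffer on an unencrypted link would see them.
SAMPLE_REQUESTS = [
    "GET /admin HTTP/1.1\r\nHost: router.local\r\nAuthorization: Basic YWRtaW46\r\n\r\n",
    "POST /login HTTP/1.1\r\nHost: nas.local\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\nuser=backup&password=Winter2018",
    "GET /index.html HTTP/1.1\r\nHost: intranet.local\r\n\r\n",
]

PASSWORD_FIELDS = ("password", "passwd", "pwd", "pass")
USER_FIELDS = ("user", "username", "login", "email")


def parse_request(raw):
    """Split a raw HTTP request into (request line, lower-cased header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def find_exposed_credentials(raw):
    """Return (kind, username, password_is_blank) findings for one plaintext HTTP request."""
    findings = []
    _, headers, body = parse_request(raw)
    auth = headers.get("authorization", "")
    if auth.lower().startswith("basic "):
        # Basic auth is only base64, not encryption: the credentials are readable on the wire.
        try:
            decoded = base64.b64decode(auth[6:]).decode()
        except ValueError:
            decoded = ""
        user, _, pwd = decoded.partition(":")
        findings.append(("basic-auth", user, pwd == ""))
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        form = parse_qs(body, keep_blank_values=True)
        pw_keys = [k for k in form if k.lower() in PASSWORD_FIELDS]
        if pw_keys:
            user_keys = [k for k in form if k.lower() in USER_FIELDS]
            user = form[user_keys[0]][0] if user_keys else ""
            findings.append(("form-login", user, form[pw_keys[0]][0] == ""))
    return findings


def audit(requests):
    """Run the check over a batch of captured requests; anything returned should be moved to HTTPS."""
    return [f for r in requests for f in find_exposed_credentials(r)]
```

Any finding here is traffic that a VPNFilter-style sniffer could harvest; a blank-password finding is the blank-password login the post mentions.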


Craig Williams, Director of Outreach at Cisco Talos, went on to talk about VPNFilter.

He explained that, in terms of its effects, VPNFilter was really the worst-case scenario the team’s intelligence had uncovered so far. He said: “We’d been looking at this for months. It appeared to be a really advanced hacker, a really well funded hacker, which a lot of people thought was state sponsored, which we think…was accurate. After all the disclosures, after advising the public who we thought were behind it, no attack ever took place.”

Lurene also went on to say: “When I talk to companies about nation state hackers, they say there’s nothing they can do about it and that they won’t be held responsible anyway because it’s an impossible task. I want the people who saw the presentation to be able to go back to their ‘higher uppers’ and make an argument for defending their network from nation state hackers!”

The Top Takeaways


Craig Williams and Lurene Grenier gave some final words on how they hoped the summit would empower network security professionals and what they would take away with them.

• Don’t neglect the security basics.

Some of our best practices are really the basics. The very first thing is to patch what you can and turn on automatic patching, and that means everything from your router to your web browsers to your main operating system.

• Build the right team.

Build a team that understands your network top to bottom. You have to empower them to handle these threats, and then you’ll have the clout within your organisation to be able to say, when we tell everyone this is serious and they need to jump… they’ll jump!

• Security community collaboration is key!

Craig Williams finished with: “I’d like to bring in even more speakers from the defence community because no matter how big you are, or how smart your people are, there’s always going to be someone else who has a good idea and if you don’t bring those people together, you’re never going to share those ideas and use them.”
