Cisco Systems, Inc. (CSCO) Earnings Call Transcript & Summary
December 20, 2023
Earnings Call Speaker Segments
Unknown Attendee
Hello, everyone, and welcome to What Threats Kept Us Up in 2023, a year-end review and a look ahead webinar. I'm Mark [indiscernible], your WebEx producer today. In a moment, I'll turn the session over to Gio Tan, but first, I have a few housekeeping notes to cover. Please note, your microphone has been automatically muted. So feel free to ask your questions in the Q&A panel throughout the session. And to view the Q&A panel, click the 3 dots on the lower right corner of your WebEx window. At the end of the session, a survey will automatically pop up in your browser. Please click continue to complete the survey. We really appreciate your feedback. With that, we are ready, so let's get started. Gio, in a few seconds, it's all yours.
Gio Tan
Okay. Hi, everyone. Thank you so much for coming to today's webinar. Today's webinar is What Threats Kept Us Up in 2023. So you might have seen the latest report on the Talos year-end review. So we will leverage findings from there. And you can also expect to hear from the Talos team as well as the XDR team. So this webinar has been prerecorded ahead of time to ensure a good audio and webinar experience for all. So -- yes, with that, [ Mark ], would you be able to play the recording?
Briana Farro
Hi, everyone. My name is Briana Farro. I'm a Director of Product Management for our Cisco XDR solution here at Cisco. And with me, I have Bill Largent. Bill, why don't you introduce yourself?
William Largent
Hello, everyone. Bill Largent. I'm a Threat Researcher here with Talos. That means I'm a nerd. That's why I'm here today. Sorry that it's not Amy, you guys would have benefited greatly from hearing her. She's my boss, so I got to say nice stuff. But she's amazing, so I'm going to try to step in and fill in her gargantuan shoes here. So I'm excited.
Briana Farro
Thanks, Bill. And I have no worries at all. I'm super excited that we have Bill here to chat with us today. We're going to get overloaded on amazing information, which is super exciting. So Bill, I know that we have been talking -- or recently, excuse me, Talos released our year-end review for 2023, which is chock-full of interesting information on what we saw happening from even a telemetry and an attack perspective, what sort of threat actors we saw, what sort of techniques we saw being most prevalent and relevant. And we're going to dig into those today. But it's interesting, when I look at these types of year-end reviews that our amazing Talos team produces, I just have such an appreciation for what was in the past, what lies behind us, really influencing what lies ahead. And I'm curious, like, how do you think about that as well?
William Largent
I do the same. And it's always fun. I like to go back and check my notes and see what I was right or wrong about, which is pretty fun. I definitely don't think 5 years ago that I would consider the 2023 top -- a bunch of the top attacks came from CVEs with 2012 in the title. Like that's a weird deal that we saw so much of that kind of backwards-facing stuff. So I definitely wouldn't have hit those in Vegas. But otherwise, I'd love to do the same kind of look at it in a backwards and forwards way. It's very fun.
Briana Farro
Yes. And that's a great call out. We should be starting a pool on our predictions for what we're going to see in another couple of years. I like that plan and encourage everybody at home to do the same. If you can share with us on your thinking and what you're predicting, we can start to see where we land with that. So let's talk about some of these. Actually, Bill brought up the old vulnerabilities. That's potentially a great place to start. I know that we saw exploitation of older vulnerabilities, specifically the top 10 exploited were over 5 to 10 years old, so to your point, something like [ '20 -- 2012 ]. And when we see that happening, I knew that partially that's related to some of the other topics you might talk about today, network device type attacks, the ability to leverage certain types of techniques or certain built-in and living-off-the-land style tools. I mean, what are we seeing? What types of old vulnerabilities are being exploited? And is it because they're not touched by this point in time? Is it because those devices aren't typically patched? Like, what are we seeing there?
William Largent
Yes, it's a little mix of both. So a couple of them that I thought were kind of crazy were like the remote code execution for Outlook. But they're like for older versions of Outlook. So I'm kind of interested to wrap my mind around that. But I did notice that in a lot of those sequences, it was the most known vector, but there were also vectors for it in terms of like Foxit Pro and SQL. And so I think probably what we're seeing is those elements at play. Yes, I thought some of those takeaways were really interesting. I was kind of fascinated by the fact that in the IR engagement space in the report, and I'm going to go off the top of my head here, so someone keep me honest here. But I think the verified accounts that were leveraged were like 23% of the -- 21%, 23% of the engagements that had that. And I thought that was a really interesting statistic because it speaks, like you said, threat actors are trying to find easier avenues or better ways because we are getting better as a global community about security things. And so I do think we see like that step back to older exploits and vulnerabilities that are there. And we see things like trying to find and harvest verified accounts so they don't have to go and try to leverage yet another living-off-the-land binary or something to do a privilege escalation, right? And so I think those things are really interesting in the way that that has turned. Yes.
Briana Farro
Yes, that's true. And you know what, Bill, I know we intended for this to just be conversational, but I can't help myself now that you brought it up, right? This is what Bill was just referencing, personally got the 23%, right? But to that point, about older vulnerabilities, even in things like Outlook, [indiscernible] embedded software, we are still seeing the top initial access vector for multiple types of attacks is phishing. And so if we think through that, while the attachment that we're as an attacker that maybe somebody is attempting to have opened or downloaded, or the link that they're trying to have somebody click on, may not be taking advantage of all of those vulnerabilities. It could be. It could totally be taking advantage of an older vulnerability in Outlook even in an embedded product or solution. And we still see that 19% of phishing attacks -- 19% of our access vectors are phishing. I mean, that's mind-blowing to me, Bill. But at the same time, it's the reason that as a vendor and as a threat intelligence org, we still talk to people about phishing, right? Because it's still legitimately a big concern.
William Largent
Yes. It's funny because I do this hunt like 75% of the time and then like 25% of the time, I'm deemed worthy of being let out of the cage to talk to normal humans about this stuff. And so it's kind of fun. But like one of the things that's interesting in the cyclical nature of all these things is phishing. And it kind of has a resurgence. And I think there's a lot of reasons for that. And we talk a lot about it, but part of it is everyone's busy all the time. And so even a really smart, and we've seen instances of this, very good security researchers will occasionally get popped by clicking a link because trust or verify and all those things are very difficult. The other thing, and this is one of those things that probably will excite some people on the call because someone is waiting to ask a question about AI or machine learning or any of these things. One of the things that I see a lot in phishing, and one of the reasons why it's definitely on my 2024 predictions for us to talk about this next year, is an increase in phishing because of the LLMs, right, the learning models, and so it's like ChatGPT or Bard or any of those things. You can leverage those now to create a very sophisticated e-mail, not just good language skills, but you can even -- I don't know if you play with it at all, but I played with it quite a bit. And you can get in there and change the linguistics not only for the language, but like regionality within that language. And so you can really hit on people, check out what -- like check out what things they post on social media about the nonprofits they support or causes that they care about and then target them based on that and spoof an e-mail and, man, I mean, like that's a very, very enticing target. And so I think that -- so if anyone asked me what do I think about AI or machine learning, I think all that is not very relevant except in this particular gap, right, like where LLMs are really terrifying. Yes.
Briana Farro
Yes. That's a great call out. To your point, that we're removing that language barrier for a lot of common threat groups that would be trying to attack potentially in an English-speaking mode. And that used to be one of the greatest ways to identify an e-mail, right? I mean, when I taught kids even about cybersecurity, I'm like, is this how you spell this word, right? No, you see a lower case when it should be upper case, little things like that. But if AI is taking that away and large language learning models will make that natural language much easier, these will be very sophisticated. And actually, I'm with you, I would bet not only that we see phishing still on the top initial attack vector in 2024, but that we potentially see it go up percentage points because of things like that.
William Largent
Yes, for sure. Yes. Like I said, I've been testing it and it's very interesting. I've done it with some -- a couple of different Asian languages, in different versions of Spanish because you have like Portuguese Spanish and regular Spanish and then like Latin American has different flavors. And so I've tested with friends that are researchers in doing that and find that it's really -- you can write really compelling e-mails. And I'm not speaking -- I speak very little of any of these languages, right, like...
Briana Farro
Yes. That's interesting. Very, very interesting. So when we talk about phishing, we talk about the use of these vulnerabilities. We talk a little bit about one of the key -- or I will talk a little bit about, rather than pivot this, one of the key points that was in the list as well. There was a call out about data extortion being on the rise. And I thought that that was really interesting because in the Talos year-end review report, it's related to ransomware. And now we've essentially seen ransomware pivot to more of a data extortion model. And Bill, I'm not sure that all of our attendees today, and even myself, really clearly understand what we mean when we're talking about data extortion versus encrypting my data and potentially exfiltrating it previously or the previous method. So I'd love for you to help us understand that a little bit better. Like, what is data extortion in this context? And why should I be concerned about it?
William Largent
Yes, sure. So what we're seeing a lot of, and I know you and I have talked about this in the past before, but like in the past kind of maybe [indiscernible] and that kind of like the Venn diagram now is like really crossing over and that's really interesting and challenging for us in terms of defending and all of us, I mean, at large. But one of the things we see with data extortion and stuff. In the past, we saw a rise in ransomware. And then we globally got really good at emergency backups and having off-site backups and good strategies in place for recovery and all of those things. And so we saw that rise of ransomware when we had that rise in cryptocurrency and kind of giving them an avenue where there weren't banks involved and all that stuff like that. And then we kind of saw that dip down and miners kind of tip up because you could make your money off of miners and before anyone says, "Yes, I know it doesn't make that much." But I've talked about this before, but if you -- a decent rig is going to get you like $0.25 of Monero a day or whatever, which sounds like not that much, except that if you can run a 2,000-host botnet, I think that's like $183,000, right? So that's -- it's pretty compelling. But as we saw some victimology in terms of stealing data and then encrypting -- and we saw that kind of rise again. And so what happened is the threat actors are getting in and they're selling PII and it can be anything. A lot of people think only about the single keys of the kingdom, like or a particular source code or whatever. But it can be customer data, information, it could be genome sequencing, and it can be anything that you think of within whatever network. And so we see -- like you saw in the report, tons of health care, education is often hit in that same way. And so we see a lot of these vectors going towards things that have juicy PII, that personal information in there.
And so what the attackers have found is that the encrypting piece of the pie is really not relevant. It's because getting paid off of that scaring you versus that data leak, that's really getting paid. And so what they do is they steal the data like we talked about, and they'll post a little leak on the dark web somewhere. And it's kind of terrifying when you see them clock is really big in this and stuff like that. And they'll post a leak say like, here's a gig of what we have of 700 gigs of this data or 500 gigs of this data, which is terrifying and you hope that someone had noticed 500 or 700 gigs, even a building, right? Like it's kind of a -- this is a [indiscernible] but yes, it's that process has driven a lot of people to drive, because you can see not only is it the core to public opinion in terms of losing that kind of value because people say, "Oh, you leak and you get popular, whatever. " But it's also losing the actual -- you think of 700 gigs of data off of your file shares and what all could be on there. And it's very compelling in terms of you can understand why it works, right. Yes.
Briana Farro
Yes, absolutely. And I think that's really important information that you just mentioned. There's like 3 different things that you had in my mind going on when you relate there: one is -- you mentioned -- you had a strategy previously for how you would recover data, how you would back up data. With Cisco XDR actually, we're looking at this ransomware recovery capability and strategy where we help integrate with data backup systems and solutions providers, but partly because of what you just mentioned, in a lot of countries now, there is not only a frowned-upon situation for paying a ransom. But in certain situations, it's gone past frowned upon and passively liable to potentially criminally liable, where governments are saying, "CEO, if you pay this ransom, you're going to jail because we don't want people to pay these ransoms." And when I think about that in my business continuity plan, I can't just say, "Oh well, my backup is okay," or I can't just say it's all good because it's not encrypted and I won't be paying a ransom for that. Now I have to think about maybe they didn't bother encrypting it, I can restore it all day long, but they're leaking it, and how do I go about that. So I go from not just this ransomware recovery, which I still want to maintain because the second we let, as defenders, the second we let our foot off the brake on a certain method of detection and protection, it circles back again like [indiscernible] vulnerability, right? So I don't let my foot off that. I want to keep that as part of my business continuity and resiliency plan, but now I have to think about how data protection factors in. And that's another key vector of telemetry and data and information and response and recovery and eradication steps that we think through from an XDR perspective as well, regardless of where that data protection is residing.
We know that it's hard for customers and organizations many times to even implement a data categorization plan and strategy, but we want to be able to leverage information like that. So that, like you said, I can understand if large amounts of data are leaving my environment, potentially stop that from happening if so. And the key to putting that together is if an attacker is smart, maybe that 500 to 700 gigs goes unnoticed because they're using different channels, they're dealing at difficult times, right? But I need to be able to put all that information together to understand that the 100 gigs that moved yesterday and looked like they were going to my business partner were not.
William Largent
Yes, for sure. Yes. And that's -- and like you said, and that's a good call out is we aren't seeing what we saw a few years ago, especially like with the SamSam or those things where they hit in like really smash and grab and so they pull the data. And what we're seeing instead, like you said, is leveraging dual-use tools, which I'm sure we'll get into more as we go through today. But built-in Windows tooling and then spoofed addresses and landing pages and stuff regionally. So that it very much looks like, "Hey, this is 100 gig" -- a few hundred megs that was just going to this file server, like it's very trickle. And so yes, it's a greater sophistication from the attacker side for sure.
Briana Farro
Yeah, 100%. So let's actually take that as an opportunity to pivot to some of the networking attacks that you're seeing, right? I think there's a couple of ways that I'm going to take you down this path here. Before we get full on to the network telemetry that we've seen, there was a call out about ransomware and specifically actors around ransomware, how we see those Ransomware as a Service type models maybe being even more prolific, and more prolific in the sense of the fact that because they were so well put together and supported, whether it's their code or an advanced ransomware gang's code being leaked, we see like start-ups, ransomware startups, coming and taking that code and redoing it, right? But one of the things I really found interesting in that is not just that we're starting to see ransomware continue, but that we're seeing -- when we see ourselves or -- sorry, what we're looking for is law enforcement of the infrastructure of the architecture for ransomware being taken down. We're not necessarily seeing that causing a problem like dismantling their infrastructure does not mean the cyber criminal case. So why is that? Because I think that's important, again, when people are thinking about, I don't have to worry about this adversary or their techniques anymore. It sounds like we do.
William Largent
Yes. So we saw that like across a couple of different actors where pieces were taken down. Hive, I think, was one of the actors, where they took down a bunch of their stuff. And so their folks, not unlike what you see on the white hat side as like a startup folds or something, but their talent will leak off and be pulled and recruited into other groups, right? And so -- and so those members have kind of jumped right away. And we saw -- to that statement, we saw other threat groups essentially recruit or steal talent to fill their gaps. So there -- I mean, these are big sophisticated orgs and not just like some dudes in the grandmother's basement playing World of Warcraft and [ Town in the Code Red ], right, like that. We see those guys at DefCon and they smell really bad. But like -- but they're stealing talent in much the same way that the white hat side of things do to fill the gaps where you don't have. So if we -- we don't really know how to tune the [indiscernible] loader that leaked to better -- I'm like, oh, well, this guy really knows how and we pull them across, and we're going to do that now. And so we see a lot of that kind of mirror white hat strategies, right? And that's -- again, that speaks to the kind of the sophistication that we're seeing on the black hat side of things.
Briana Farro
Okay. Understood. And are there any thoughts that you have -- I know you mentioned that mining, for example, may sound not very lucrative, but when you're able to get a bunch of automation kind of put in place to do it for you, you can yield a pretty penny. I guess in our kind of sense terms, we would call it passive income.
William Largent
Yes, yes.
Briana Farro
I don't want to enable the normalization of this type of behavior, but basically, it's passive income while they do something else. But from ransomware in general, what makes it so lucrative that we see it perpetuating and continuing? I mean, it has to be one of the most persistent types of overall attacks for a long time now in cybersecurity.
William Largent
Yes. So I think it's varied a few different ways. So I think where they make money, where miners and ransomware make money, split a little like you pointed out a little bit. But like you can take really a person whose skill set isn't even like, say, Metasploit-capable, which is not a great -- huge lot, but I mean, everyone on here has kids who play a bunch of games, and they probably have way more than that skills right away. So they can take something like Dark Utilities. We had a blog post about that one, which is really interesting, or the AvosLocker ransomware gang, which is essentially almost like an MLM. But instead of tights or makeup or something they're selling, they're selling ransomware kits, right? And so you can kind of easily go about it. But like with miners, you kind of get that low and slow. The thing I always point out when I talk to people about them, because the different thing about it is when you're running a miner, when do you know you have ransomware, generally, the end user? It's generally not until something pops up and says, "Hey, you've got -- you're going to be encrypted." But if it never pops up, and they install a miner instead, the only thing you'll notice is the fan running a little more often, the computer is a little slower. If it's running Windows, you wouldn't even notice, right? Like who would ever notice, right? And so those things matter. I think the reason we see so much proliferation with ransomware is really more than anything that's chasing the dollars. It's super profitable. And part of it lies, like you said, in terms of how they're getting paid. And sometimes, it lies in the fact that to kind of keep face and to not lose public opinion and stuff, they're paying quietly. Like so we see all the reports of what has been paid out over time via the triple-letter agencies, whether it's [ My Hiber ] or FBI or whoever is making -- whoever makes these statements, but those are all the known or quantifiable payments.
We know there's a lot of money that's paid quietly, right? And sometimes, it can really like change the outcome of what things feel like to the public. And so I think that is the biggest factor.
Briana Farro
That's super fair. That's a great call out, Bill. Okay. So I promise that's going to bring us around to the networking stuff. And this is where it comes in, right? We think about how dismantling of ransomware attackers' architecture that they're using on the back end to grab you, to orchestrate their attack probably is the best term, doesn't necessarily pin them down. Now a lot of ransomware. I asked why it's so lucrative. Some people are doing it for money, other ransomware attacks are not for money. They may be around the geopolitical landscape that we see right now. They may be that nation-state style attack that you talked about. And I know a lot of where we saw, in the last year, networking attacks was also related to that geopolitical landscape. So we'll ask you a couple of questions on that. I mean, first off, is the increase in the attacks on networking style devices more en masse? Do you believe in this last year, primarily, that's politically or geopolitically driven in nature? Or is it financial gain from what we're seeing?
William Largent
No. I mean, I think that's predominantly a nation state activity. And I think more than anything is because it's a more difficult way, if you would term it, in terms of finding a lucrative behavior to it. You could, and we could all theorize about all the ways that you could, and kind of gets interesting and stuff like that. But really, a lot of that is more disruption and then truly the overarching spying, like in an actual sense. And so that is very much a nation state activity, yes, for sure.
Briana Farro
Okay. And I raised that because for attendees, depending on what your business is, who you do business with, what type of data you have, what type of data you may not. I don't think you would ever hear from Bill or I as practitioners and cyber stewards to, again, take your foot off the pedal of whatever you might drive or that someone might drive for you in not thinking that you can be attacked. But the context of how or why you might be attacked as an organization is always important. So I think that that may take -- impact on some of our organizations may look at this, right? At the same time, Bill, when we think about these networking devices, so we're seeing a lot of post-compromise capabilities that it introduced, is my understanding. I know that it's really relevant, these networking devices, I think you mentioned it earlier, they might be older devices. They might be devices that are not subject to upgrading often. If we think of not just devices that help support power grids and support different types of infrastructure from a nation or a national level for organizations and countries, but also even things like medical devices where they are intended to have 20-, 30-year life usages and taking them out could mean canceling surgeries in a day for an organization to replace them. Those types of devices don't have the same monitoring consistently, they may be older, running on older infrastructure. They may also be restricted in their access. But as we get more and more smart devices, that is changing as well. When we think through that, like, what do the networking attacks on these types of devices allow an attacker to do?
William Largent
Yes. So there's a bunch of different steps. One of the more interesting aspects of those kind of things is that it gets you an ingress into like a lot of things that fall behind those -- in terms of architecturally speaking, right? Like so you're getting, instead of owning like, say, an edge device that has 100 devices or whatever behind it or whatever, you're getting something that's much bigger, especially if you're talking about like a smaller carrier or someone like that where you're owning a routing device that kind of isn't just the typical kind of midsize or SOHOs that you see exploited a lot in these things. And that kind of gets into the ability to change and mask things. The other thing I thought was really interesting is the way that a couple of the Chinese APT groups were leveraging them into an anonymizer network. So kind of standing up a -- basically like a Tor copycat by leveraging these bigger. And so now you're talking about pipeline issues. And then like you said before, you're talking about like the geopolitical ramifications but also things like data privacy because if you take over routes and can control traffic where user data privacy laws are very strict, you can get into some really scary legal territory as well, right? And so I think a lot of those things come into play there, for sure. And again, that's one of those sophistication levels that's really interesting. It's not exactly new, but it's exploding currently, right? Like we talked about it with VPNFilter, and you and I have talked about VPNFilter in the past, and that was like a really cool write-up that we did -- but that was -- and that was hundreds of thousands of devices, but they had a large reach, but not as large as like these core routing and switching devices that are kind of falling in line with this.
Briana Farro
Yes, that's a great call out. I mean, if I can get in on even a slightly more edge networking system and then work my way backwards through to things that would be more internal. And then I do things like change ACLs so that block traffic going in certain ways or in route at certain ways. And if I'm crafty enough, I can avoid proxies, I can avoid network analysis, internal and external IDSs, IPSs, maybe I'm routing it to my own proxy that I find a place to install internally through, and then I'm evading a lot of that. And that's really important to understand. I know again, when we look at it from the types of telemetry that are important, we work at Cisco, Bill, right? We think that [indiscernible] is golden. And we're starting to see that other people think that too. It's not that the network has been abandoned for years in ways that people identify attacks in their environment or that attacks occur. But as it starts to really get to the hardware of these devices, we're seeing that from a detection perspective, we need to be able to incorporate those things as well. We need to be able to have logging information from those. And those are key critical telemetry sources for the visibility and detection that is needed.
William Largent
Yes. Absolutely agreed. Yes.
Briana Farro
Amazing. Okay. So there's something that I wanted to talk about since we mentioned nation states. I wanted to talk about this really just at a high level. I happen to think it's a super cool thing that if our attendees haven't heard about today, after we talk about it briefly, I definitely encourage you to go and Google it. But I wanted to talk about it more from a technical level. I know that we recently announced an engagement in something called Project PowerUp. And my understanding is this is something where our Talos Ukrainian task force and overall Talos team was hearing some challenges as the geopolitical events that are going on from [indiscernible] Ukrainian energy [indiscernible] came to cover ways to do it with cover with [indiscernible]
William Largent
Yes, yes. So it's really interesting that one of the drivers of that [indiscernible] as super, super [indiscernible]. But yes, so essentially what happened [indiscernible] a lot of that [indiscernible] field and space of admin [indiscernible] a bunch of guys. But what we found, or what they had struggles with, there were some struggles around GPS and getting knocked down, the Russian attacks on those things and keeping their power grid big. Based on all of these is something as simple as atomic clocks, right? And so Joe took it back to Matt Watchinski, our VP who runs Talos here, and he's a great dude, and said, hey, is there some way we can make it an atomic clock and figure this out for them so that there's not this point of failure, right, because keeping the lights on. And I don't know if you all know, but it's pretty cold there. I would think given some heat as well as lights would be in my playbook, but I'm also from Texas, so I would probably die instantly anyway. But -- but yes, so essentially, what happened is they worked with the Cisco [ Emergency ] team and found a hardware workaround and provided essentially some devices for them to get in. They did some testing and stuff here. And then there's -- the blog post is really cool. It talks about how the devices got over there because it's not just -- you can't just drop it in the middle of the war zone. And like this, like a lot of their infrastructure, I don't know if you know this, but working with it, we have tons of us that don't tell us that volunteer all the time to do these things, but they'll have -- they'll send pictures of like whole networks on the back of trucks. And it's like wired in for a while and then it moves because it's the nature of war. And so getting them over there was a really unique thing. But yes, essentially, we provide these devices that kind of make complex things simple solutions, which is the greatest way.
And yes, and so the ability for them to get the power grid up and keep it up is phenomenal, and I couldn't be more proud of that, right? Yes.
Briana Farro
I agree. And for those on our call, just to be clear, that's not in the Talos year-end review, but it is very much related to attacks and the type of attacks on things like network devices or devices that are related to infrastructure. And that's why I read it and again, I encourage you to go take a look, regardless of your political feelings on everything. Anybody, I think, from a humanitarian perspective can agree that it's -- when war occurs and these types of conflicts occur, you have civilians that are in theory, not related to the conflict in any way other than their own opinions and having them not have light and not have heat, as Bill just mentioned, is terrifying and not cool. So it was really -- I mean, again, read the article like Bill said, we'll run it for you, but I remember thinking of it out like I feel like I'm talking about a CMOS battery, but [indiscernible] to think about how this noncomplex in the sense of the technical aspect the ability to deliver a solution for this is something Talos thought through. I think to your point, the supply chain delivery issue was probably more complicated than the actual technical device itself. So the fact that we were able to continue to contribute to that just at overall humanitarian level. And that's awesome. Thanks for...
William Largent
Yes. I'll take it back to the team, too. It was just -- yes, it's amazing. Plus it's a really fun read, like I don't know, is really interesting to me, yes.
Briana Farro
It is. I agree. For people on the line, it's a very fun read. Okay. Maybe before we head over to a few questions from our audience, I have 1 more question around this networking space. And again, it's all kind of connected in what we saw this year. So we saw networking attacks, we saw networking attacks that were related to geopolitical situations. We know that geopolitical situations also increase ransomware. And we saw that we had a lot of very persistent actors, right? We have a lot of persistence in that situation by these threat actors and these criminals. But one of the things I thought was really interesting is there was a call out as well in the report around changes to commodity loaders. So we were seeing that because of some -- the way that living in the life type -- living off the land, excuse me, tools and commodity loaders and things of that nature have been used in the past can typically be tied to operating systems. And specifically, Microsoft did a lot of different changes like disabling of macros and things that have caused these commodity loaders to adapt. And one of the call outs is that they were adapting to be tailored to support ransomware more. So I'm really curious like is that helping the maintenance of the persistence of ransomware? Is that helping the delivery of ransomware? What are we seeing with that?
William Largent
Yes. So I think there's a little bit of all the above. But I think one of the things that's really interesting, and we've seen it. And again, this is one of those things where they're kind of adopting some of the nation state type activities, is in the past, we saw a lot of smash and grab. We saw a lot of things where they're just trying to profit quickly and move on to the next hit. And we still see all that, right? And especially from the lower side copycat gangs that are pulling copies of ID is it's -- I don't know if you've seen, but it's like forked several times now, which is crazy that we have these commodity loaders and you're like, which fork it is like it's legitimate, which is crazy. But like one of the things that we see a lot with that stuff now is the copycatting of the nation state activity of achieving persistence and then laying quiet within an environment. Moving laterally, like you said, using living off the land binaries, which for those of you who don't know, it's basically like using the built-in Windows tools, right? So you leverage -- missed [indiscernible] or one of those things. And to do it, you can leverage it to move laterally -- move files laterally, do privilege escalation, go download more malicious binaries, right? Like so...
Briana Farro
And Bill, sorry to interrupt you, but just before you finish that thought -- it's things that are not only common in the operating system or the infrastructure, but things that because they're used to do normal operations are -- can't like be blocked, right?
William Largent
Yes, I mean, these are things that are used thousands and thousands and thousands of times a day by systems, both with the automation and via administration tools and stuff like that. And so figuring out the anomalous behaviors in those and filtering them versus the benign and been in turn, turning that into actionable things for your junior analysts and senior analysts to follow up with is very challenging. That's why we saw -- like we saw MagicRAT, Korean actor -- North Korean actor, they actually pulled some of their port forwarding capability out of their malware systems because it was being flagged by AI machine learning and behaviors, heuristics, right? And so they made it a little less capable and then just moved over to Windows built-in tools for the same thing. And this is the same reason kind of hiding in plain sight, so to speak, right? But yes, to that end, all these -- even the cyber criminals now are living a little longer, achieving that persistence so they can survive reboots within the environment, get an anchor hold and then eventually find that DII and seal it and then run your ransom. And so there -- the cons are a little longer, so to speak, right? Like so we still have that short smash and grab snowshoe style spam, but the spear phishing is bigger, right? Like we still have the smash and grab, but the long run ransomware is bigger, right? And so I think the profit margins are enough that they're allowing them the risk of living longer in an environment where, yes, you might lose a couple of weeks of work that you did in this environment, but you know, the big payouts in the -- and pay make it worth it.
Briana Farro
Interesting. Thanks, Bill. All right. I think before we close out with any final thoughts, we'll pivot to see if you have any questions. [indiscernible], do we have questions from our audience? And by the way, if you have questions, feel free to drop them in Q&A even right now. Happy to take on.
Unknown Attendee
Yes. Yes, and that was a great discussion, Briana and Bill. I feel like I learned a lot, and I already -- I work at [indiscernible] with you all so I'm like, this is really interesting. So I appreciate that. So there was 1 question. There was a couple of questions that came in online. One is a question about ransomware, which I think we talked about a little bit. But the question is, has the Talos team studied the blast radius of a black swan-type event ransomware/cyber event measured in time to recover or the overall financial impact when the client is down and struggling to recover from a cyber event?
William Largent
Well, I mean I can take a little bit of that one and Briana may know as well. So that's a question that I could get a much better, more robust answer from someone like Pierre or someone who's the boots on the ground [indiscernible] who I believe is that in the APJC right now for a conference, but one of the IR folks who is doing a lot of boots on the ground. But yes, because we do it every day, right? That team does that -- the boots on the ground for those types of events all the time. And so being prepared for different levels of those events that they do see and what they may see going forward as part of their role on a day-to-day basis. The TII guys from my team as well would know a lot of that as well. But to answer the question, do we do that? Yes, and those folks would be a better answer and we can probably get one off-line -- to you as well. But to answer your question, yes, we focus on that a lot. Yes.
Briana Farro
Yes. And I think it's best to look at some of the reports that come out without any allegiance to any of those some examples in the industry, like there's a Verizon data breach report every year, and that data breach report is not just around data breaches and data exfiltration, but it can talk about what caused that. And if there was a need to recover that data in a non-ideal way, like paying a ransom or understanding how long somebody was down, which is where that financial impact comes in. And so I would encourage folks that are interested in that data to go look at some of those industry reports. Many of those are not required to have a subscription or some sort of licensing to access. And when you think about it, if you're thinking about it from your own organization, depending on your organization size, it's not always feasible to have these 16 layers of business impact analysis and business continuity plans and recovery and all of those things. But -- not just because I'm on the product side, because I used to be on the customer side, I would say that [indiscernible] 2023 and beyond, we're looking to where I was going to put my budget in year, and I had minimal budget for information technology because it wasn't my primary business. I would very much look at how I use services backed by -- maybe my solution of choice. We'd love for you to look at a solution service that's supported by something like Cisco XDR, but whatever works for you. So a service that helps me with the things that I need from an operational day-to-day security operations for even my incident response like the IR that it was looking at, so that I can focus the rest of my spend on things like running through an example of that scenario. Those are actually not super expensive engagements all of the time. And with that, you get a practice of what that [indiscernible] have a template for your understanding of what your continuity plans are.
So you start to understand things that go back [indiscernible] that many of us may have had the opportunity to take. Like when I took my CISSP, that's actually part of where I learned a lot of those things. Even though I had already been working on the customer side, working on them, but the concept of saying that, for example, your payroll system is one of the most important systems that you need to get online critically because if you expect people to continue working for you. Recovering your data is important, but those people need to get paid, they're not going to sit around and wait for that. And in some countries, you could have liability if you're not paying people in the time frame that you're expected. So things like that were actually eye-opening for me. So this is all to come around and say, but sometimes your best way to understand what your financial impact would be, would be to do even like a tabletop exercise where you walk through what would be impacted, how long would it be impacted for? Do you have recovery? Is it a SaaS-based solution? So are you relying on somebody else for recovery? And again, where you might be a smaller organization relying on those types of services where recovery is intended to be built in or at least you can look for a service that has that helps you with some of those resiliency options which could reduce financial impact.
William Largent
Yes. The other thing that people often forget in terms of that because they think of all the technical side of things, one of the most complicated aspects of that and one of the things that I find really interesting is the actual knowing who is going to do the communication, who's going to be in that circle of communication right that's going for back? And then what we've also found over time is that the threat actors are analyzing the language that you use because they can tell when legal has been engaged because the language changes, right? And so those things and knowing those things in advance are really important. So again, even if you're a smaller shop, like you said, those things are easily found in the tabletop exercise where you can really identify gaps in your problems. And the other thing that I'm going to piggyback a little bit on Briana is that things have changed a bit in that in, let's say, 2018, right, per way, pre-COVID or anything like that. A lot of these smaller businesses wouldn't have ever fallen under the scope of something that a nation state would be interested in, right? Now completely different ball game. If they can leverage you and you're a small company without the resources necessary to be the ingress point into a state and government official agency, a big corporation that you are a secondary or tertiary partner with or anything like that, they're going to leverage you to be the ingress point into their environment. And we see that a lot, right?
Briana Farro
Yes. That's a great call out, Bill. And it goes back to what I was saying before, where as an organization, we want you to think about these things, even if you're a smaller company because you may not think about the fact that you could be the attacker, but they could be looking at you, as Bill just said, to really be an entry point into a larger scale of events, especially, I would say, Bill, and correct me if I'm wrong, but especially if we're talking about somebody from a threat actor perspective that's looking at espionage -- or supply chain, right...
William Largent
Right. The supply chain, right. Yes, and I'll actually piggyback that because there was a question from William on there about do we see attacks focused on specific sectors -- and we see attackers attacking everywhere. It's a little of both, honestly, William. And so sometimes that's a motivation. Right? Like so there are some motivations where attacking specific areas are important, not just sociopolitical like we've talked about. But also some of those vectors are much more profitable, right? So the reason you're seeing health care hit is because just think of health care in general in terms of not just hospitals, but in research and all that stuff. And think about what an hour being down is to health care or research or hospitals or you take 1 hour of your MRI machines being down, 1 hour of this or that like these people die, right? And so it's very compelling, right? And same with education because people think about education as just the classroom, but it's also genome research and it's research into Alzheimer's and cancer. And all of these things that are happening constantly, right, and it's jet propulsion and we could steal that. We see that in terms of focused attack. Now the other side of the thing, everywhere across the vector, the other side of the attackers are the ones that are like water flowing downstream finding the path of least resistance. And so if you fall in the group of path of least resistance, that's going to be the other vector. And so it's just different types of attackers there. But we'll see a little of both, William, to answer the question.
Briana Farro
Yes. Thanks, Bill. And honestly, not to keep piggybacking back and forth, but obviously, you can see Bill and I have common thoughts about this. When you bring up like medical organizations, again, not being political with thoughts in any way, but one of the things we saw with the COVID pandemic is even without cyber-influence when they had to limit what resources were available to patients, people die. They still don't have full counts on how many people died necessarily because it was COVID or because of a nonrelated COVID situation because they couldn't get medical care because they weren't allowing nonurgent situations or at least what they thought was nonurgent is. So to Bill's point, if I'm a medical organization, I am concerned about my MRI machine being up for my primary goal, which is to give people great health care and best outcomes on their health. But honestly, I'm also concerned about the fact that I am a business, even though I'm not for profit, and that helps bring in my money to support my primary goal of delivering great health care -- yes, if my machine is down for an hour, there's a cascading effect of that, not only did I not reach my primary goal, but I have to reschedule all of those appointments, which pushes everybody else back, right, and it's nonrecoverable to a degree. So it's a great call out, Bill. Okay. I know we're coming up on time, but I think we have 1 more question here [ Rob ] that we wanted to talk about.
Unknown Attendee
Yes. There's 1 question that just came in. What is the network resilience coalition? [indiscernible] what does that mean for [indiscernible] customers?
William Largent
Sure. So I can talk a little about that one. So we started that as this go and it came from, yes, kind of like how we were founders of Cyber [indiscernible] alliance to like, so we kind of keep doing these things. And so one of the things, again, I'm kind of proud of our strategy here, learn from different mistakes and things that are happening globally in the world. So this is an answer to the network stuff that we spoke extensively about today, right? Like we kind of harped on it, but it's very important. So what this is, is a coalition of a bunch of the different huge vendors, right? Like so it's us and what people deem our competitors. But in the security space, we all work together, a lot of the time, I mean like it's just how the only way it works, right? And so essentially, what it's doing and what we hope that you guys, especially on this call are kind of people that will really benefit from this is helping to get actionable content right away for these types of events because it's not one of those if it's a win, right? And we all know that. And so delivering actionable information so that people can make changes and respond right away is critical because as we've talked about here, minutes, hours, these things make a huge momentous difference, especially in something like the routing world where one of these things could really run with it. And that's kind of my takeaway is that I love the kind of drive towards actionable deliverables. I'm a former stock guy, so I don't care about all the noise. I want actionable content, right? And so that's really what I care about.
Briana Farro
That's awesome. Thank you so much, Bill. So before I pass it back over to Emma, I just wanted to call out one other thing. And I'm just going to bring this slide up while we kind of talk through it. One of the really cool things in the year-end report, was actually not just about the attackers being very persistent and consistently persistent and not just the advanced attackers being persistent. But it's without defenders taking a standstill, the defenders saying, I have to be able to react quickly and have actionable, especially differential data in front of them, right? I need to bring all this together and I need to focus on this. And again, that's near and dear to our heart. Not trying to promote the product, but that's why Cisco's broad extended detection and response to bear so that we can help people do that. But I love to hear that our defenders are thinking red, acting blue as much as possible and that they're really looking at how can I consistently be hopefully in step with the same thoughts that my attackers are having at me, and I love that we can contribute to that. So I brought up -- first of all, thanks to Talos for calling that out. It's good to see that when you feel like you're always behind because your attackers are always ahead that we're not necessarily seeing that, that we're seeing defenders holding their ground and trying their best to keep up and being successful. And on the screen for all of our attendees, they brought this up just so you can see, believe it or not, we didn't talk about everything in the year. So we encourage you to go and take a look at it. You can just Google it. It's also available on a lot of our blogs and a lot of our spaces and the links that I dropped into the Q&A where you can get subscribed to consistent newsletters that are coming out from Talos and blog details. But please take a look at the year-end review. It's got a lot of helpful threat intelligence that can help you be more actionable.
And with that, I think -- sorry, 1 more quick question. Speaking on financial impact analysis, are there standardized formulas and estimates that bring in such factors as customer PII exposure, business continuity, disaster recovery, IT impact on a company to determine the proper level of cyber insurance coverage? Or are companies relying on insurers to provide that analysis? What a great [ chokehold ] question. Probably more detailed than we can get into on this call, but I will say to the party who asked it and for all of you. Yes, there are standard formulas. There is usually some level of -- I don't want to say the formula or access to it, but guidance that you can receive from a cyber insurance provider directly on that. And I would even say, again, having been on the other side of the fence to many of you, depending on the guidance you're given, you want to ask questions about that, too. Like if you're being suggested to have certain types of tool sets or potentially specific tool sets -- why is that the case? Instead, what is it the cyber insurer is asking of you in order to achieve a certain price point or a certain level of coverage or even coverage at all. But yes, they will have like actuaries that go through those statistics. And just as an awareness, it's actually something in the Cisco tool set that we use. We use the information coming from cyber insurance companies that's obviously not -- it's not your information if you've been attacked, but we use the data points to understand how certain MITRE ATT&CK Enterprise framework tactics, techniques and procedures, those TTPs, influence risk and the things that you should prioritize looking at. So that can be part of how you factor in your business continuity. So the short answer is yes, cyber insurers can provide a piece of that.
I would expect that there are likely consultants that are doing something like this as a service for you as well so that you can prepare for an understanding of what level of coverage you may need, especially if some of that coverage doesn't always cover things that you do like ransomware attacks.
William Largent
Yes. Yes, for sure. Yes. And then you pointed out like also you have to be a little wary of when they're asking for specific things. And sometimes it's simply checking a box in terms of your compliances and stuff like that. So I understand when those regulatory things are in place, but also the one thing I always harp on in these moments is that sometimes even the different companies or different cyber groups aren't as global as your actual corporate region. So there are times when that's -- for me, a factor where I would really take a step back and have and talk with -- find someone who has a bit more expertise on that because your data privacy and how that is handled in terms of insurance is vastly different in America than it is in some of the other locales. And so often that Americentric or Eurocentric stance changes this paradigm a lot. And so that's an important factor as well.
Briana Farro
That's a great call out, Bill. There's more and more legal representation that is -- that has expertise on the cyberspace we've seen so that's another option. Okay. With that, we appreciate all the time that you've taken with us depending on if and what you celebrate any to have a happy holiday, Happy New Year. We're really excited to continue in these conversations. And Bill and I, I hope I get to have a session with you moving forward. And Emma, I'll pass it back to you.
Unknown Attendee
All right. Thank you, Briana and Bill for a fantastic conversation today, and thank you to all of our attendees for joining us. With that, we'll close things out, and we hope to see you at a future Cisco Webinar.