Intel Node
Five defender priorities from the Talos Year in Review
With attackers moving faster than ever, it’s easy to feel overwhelmed. This blog breaks down five practical priorities from the Cisco Talos 2025 Year in Review to help defenders focus and prioritize amid all the noise.
A familiar theme in security right now is that the barrier to entry for attackers is at an all-time low. AI tools can spin up websites within minutes that direct captured data to disposable external data stores and send alerts for new captures — all without writing code. One such case was recently detailed in the latest Cisco Talos Incident Response Quarterly Trends report. Proof-of-concept code for exploiting new vulnerabilities used to take attackers months to create. Now it takes hours. All of this is very concerning for defenders.
Yesterday, my colleague told me about a recent conference Q&A he hosted, where he was asked to provide some hope to those in the room who have faced an overwhelming amount of change in recent months. His answer was to focus on the here and now. Focus on what you can control, and what you have influence over. We can’t change what may or may not happen in six months’ time, but we can prioritize what’s important now. The other key thing for defenders to bear in mind is that even when attackers move fast, they still don’t behave like your normal users.
At the end of the day, you’re still looking for anomalous behavior, whether that behavior is machine- or human-generated. As we come to the end of our Year in Review content release (if you haven’t seen it yet, we published videos, podcasts, and topic-specific blog posts), we’d like to end by summarizing the key priorities for defenders. Here are five of them that are worth considering when it comes to spotting malicious, unusual behavior in your environment.

1. Identity is the main battlefield

The Year in Review highlights how frequently attackers rely on valid accounts and credential abuse throughout the attack chain. We see this across multiple areas:

- MFA spray attacks targeting IAM platforms directly
- Device compromise attacks increasing 178% year over year
- Attackers registering their own devices as trusted multi-factor authentication (MFA) methods
- Ransomware attack chains largely relying on valid accounts, credentialed tools, or both

Network infrastructure is a key part of this. VPNs, Active Directory Controllers (ADCs), and firewalls are being exploited to steal session tokens, bypass MFA, and impersonate users. However, once attackers successfully authenticate, where they go from there tends not to fall in line with normal user behavior. They start to access new systems outside of their role, move laterally using tools like PsExec, execute commands at unusual times, and overall operate at a scale that normal users don’t. Therefore, having a baseline understanding of normal user behavior is more important than ever.
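The baseline idea above, turned into a small detection routine as an added example (this is not Talos code, and the logon events, host names and the `LATERAL_TOOLS` watchlist are constructed for illustration): a known-good window gives each user a set of hosts and active hours, and a review window is then scored for the four deviations the text names, new hosts, unusual hours, lateral-movement tooling, and scale.

```python
from collections import defaultdict

# Constructed sample logon events: (user, host, hour_of_day, process).
# BASELINE_EVENTS is a known-good window; REVIEW_EVENTS is the window under review.
BASELINE_EVENTS = [
    ("alice", "FIN-WS01", 9, "explorer.exe"), ("alice", "FIN-WS01", 14, "excel.exe"),
    ("alice", "FIN-FS01", 10, "explorer.exe"), ("alice", "FIN-WS01", 16, "outlook.exe"),
    ("bob", "ENG-WS07", 9, "code.exe"), ("bob", "ENG-SRV03", 11, "ssh.exe"),
]
REVIEW_EVENTS = [
    ("alice", "FIN-WS01", 10, "outlook.exe"),   # normal for alice
    ("alice", "HR-DB01", 2, "psexec.exe"),      # new host, off-hours, lateral-movement tool
    ("alice", "ENG-SRV03", 3, "psexec.exe"),
    ("alice", "ENG-SRV04", 3, "psexec.exe"),
    ("alice", "ENG-SRV05", 3, "psexec.exe"),
    ("bob", "ENG-WS07", 10, "code.exe"),        # normal for bob
]
LATERAL_TOOLS = {"psexec.exe", "wmic.exe", "winrs.exe"}  # assumed watchlist; adjust to your environment

def hour_distance(a, b):
    """Circular distance between two hours of day, so 23:00 and 01:00 are 2 apart."""
    return min((a - b) % 24, (b - a) % 24)

def build_baseline(events):
    """Per user: the hosts touched, the hours active, and how many distinct hosts that was."""
    hosts, hours = defaultdict(set), defaultdict(set)
    for user, host, hour, _ in events:
        hosts[user].add(host)
        hours[user].add(hour)
    return {u: {"hosts": hosts[u], "hours": hours[u], "host_count": len(hosts[u])} for u in hosts}

def score_events(events, baseline, hour_slack=2, scale_factor=2):
    """Return {user: [reasons]}; an empty list means the window matched the user's baseline."""
    findings = defaultdict(list)
    seen_hosts = defaultdict(set)
    for user, host, hour, proc in events:
        base = baseline.get(user)
        if base is None:
            findings[user].append("no baseline for this user")
            continue
        seen_hosts[user].add(host)
        if host not in base["hosts"]:
            findings[user].append(f"new host {host}")
        if all(hour_distance(hour, h) > hour_slack for h in base["hours"]):
            findings[user].append(f"unusual hour {hour:02d}:00 on {host}")
        if proc.lower() in LATERAL_TOOLS:
            findings[user].append(f"lateral-movement tool {proc} on {host}")
    for user, hosts in seen_hosts.items():  # scale: far more hosts than the user normally touches
        if len(hosts) > scale_factor * baseline[user]["host_count"]:
            findings[user].append(f"scale: {len(hosts)} distinct hosts vs baseline {baseline[user]['host_count']}")
    return {u: findings[u] for u in {e[0] for e in events}}
```

Running `score_events(REVIEW_EVENTS, build_baseline(BASELINE_EVENTS))` returns an empty list for bob and thirteen reasons for alice, whose off-hours PsExec activity on four hosts she never touched in the baseline window is exactly the pattern the text describes.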