Skip to content
.ca
sign in
4 mininfo

Intelligence Center

The Cisco Talos Year in Review highlights a shifting threat landscape where attackers leverage AI and rapid exploit development to target identity infrastructure and exposed vulnerabilities. Defenders are urged to prioritize identity protection, remediate internet-facing vulnerabilities, address legacy system risks, secure trust-brokering platforms, and focus on behavioral anomaly detection to identify post-compromise activity.

Conf:highAnalyzed:2026-04-28reports

Authors: Hazel Burton

Behavioral DetectionTalosVulnerability ManagementIdentity Security

Source:Cisco Talos

What Happened

Cyber attackers are using new tools like AI to launch attacks faster than ever, often targeting user identities and passwords. They frequently exploit older, outdated systems and internet-facing applications to break into networks. Because attackers do not behave like normal employees once inside, it is crucial to monitor for unusual activity. Organizations should focus on securing their login systems, updating exposed software, and learning what normal network behavior looks like to spot intruders.

Key Takeaways

  • Identity infrastructure is a primary target, with device compromise attacks increasing 178% year over year and attackers frequently registering rogue MFA devices.
  • Attackers are rapidly weaponizing new vulnerabilities (e.g., React2Shell, ToolShell) while continuing to exploit legacy flaws like Log4Shell.
  • Nearly 40% of the top 100 most targeted vulnerabilities impact End-of-Life (EOL) systems or deeply embedded components.
  • Systems that broker trust, such as Application Delivery Controllers (ADCs) and network management platforms, are increasingly targeted for maximum operational leverage.
  • Defenders must focus on detecting anomalous behavioral patterns, as attackers inevitably deviate from normal user activity post-compromise.

Affected Systems

  • IAM platforms
  • VPNs
  • Active Directory Controllers
  • Firewalls
  • Application Delivery Controllers (ADCs)
  • PHP frameworks
  • ColdFusion
  • Network management platforms

Vulnerabilities (CVEs)

  • Log4Shell
  • React2Shell
  • ToolShell

Attack Chain

Attackers gain initial access by exploiting public-facing vulnerabilities (such as Log4Shell or React2Shell) or by abusing valid accounts via MFA spray attacks. Once authenticated, they may register rogue devices to bypass future MFA prompts. Post-compromise, adversaries move laterally using tools like PsExec, access systems outside their normal roles, and execute commands at unusual times, generating detectable behavioral anomalies.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No

No specific detection rules are provided in the article, as it focuses on strategic defense priorities and behavioral baselining.

Detection Engineering Assessment

EDR Visibility: Medium — EDR can detect post-compromise lateral movement (e.g., PsExec) and unusual command execution, but lacks visibility into initial identity-based attacks on IAM platforms. Network Visibility: Medium — Network monitoring can identify exploitation attempts against public-facing applications and anomalous traffic directed at management planes. Detection Difficulty: Moderate — Detecting these threats relies heavily on establishing accurate baselines for normal user behavior to identify anomalies, which is more complex than static signature matching.

Required Log Sources

  • IAM logs
  • MFA logs
  • Active Directory logs
  • VPN logs
  • EDR telemetry

Hunting Hypotheses

HypothesisTelemetryATT&CK StageFP Risk
Attackers are registering rogue devices to compromised accounts to bypass MFA.IAM/MFA logsPersistenceMedium
Compromised accounts are using PsExec to move laterally to systems outside their normal scope or at unusual times.EDR/Windows Event LogsLateral MovementLow

Control Gaps

  • Lack of visibility into embedded components and legacy systems
  • Insufficient monitoring of management-plane and control-plane systems

Key Behavioral Indicators

  • Unusual authentication flows
  • Abnormal system access patterns
  • Anomalous device registration events
  • Commands executed at unusual times

False Positive Assessment

  • Low

Recommendations

Immediate Mitigation

  • Treat identity infrastructure as Tier 1 critical assets.
  • Secure MFA device registration workflows with strict verification procedures and limited administrative approval rights.
  • Remediate vulnerabilities based on internet exposure and access impact rather than just CVSS scores.

Infrastructure Hardening

  • Harden authentication systems with rate limiting, anomaly detection, and strong conditional access policies.
  • Improve visibility into software dependencies and embedded components.
  • Establish clear strategies for isolating or retiring legacy and EOL systems.
  • Apply enhanced monitoring, access controls, and strong segmentation to management-plane systems.

User Protection

  • Build baseline detections around normal user behavior to spot anomalies post-authentication.

Security Awareness

  • Ensure teams are equipped to investigate patterns of behavior rather than just isolated alerts.
  • Reduce alert fatigue by prioritizing a smaller number of high-confidence, meaningful detections.

MITRE ATT&CK Mapping

  • T1078 - Valid Accounts
  • T1190 - Exploit Public-Facing Application
  • T1098.005 - Account Manipulation: Device Registration
  • T1021.002 - Remote Services: SMB/Windows Admin Shares
  • T1556 - Modify Authentication Process

Related