This report represents an unprecedented effort within Cisco to tell a comprehensive story of our work in the past year, relying on a wide variety of data and expertise.

As a large security organization with global reach, the data we use as the basis for our research presents us with both a gift and a curse. The gift lies in the diversity of inputs: endpoint detections, incident response engagements, network traffic, email corpora, data from our sandboxes and honeypots, and much, much more from customers all over the world. The curse is that, with the multitude of telemetry we have access to and the urgency of some of the work we do, it can be difficult to take a step back and look at the bigger picture, like trying to make sense of a Monet with your nose up against the frame.

This is what inspired us to create the Cisco Talos Year in Review. We wanted to get insight from dozens of subject matter experts all throughout Cisco, including our reverse engineers, detection specialists, data scientists, linguists, managed hunt providers, incident responders, and threat intelligence analysts. To this diverse group, we posed a few key questions:

  1. What were the major security events Cisco responded to in 2022 and what is their current status and impact?
  2. What are the major trends in the threat landscape and what do we think may change?
  3. What are the top threats we observed in 2022 and what is their current state?

This report tells a story based on responses to these questions from our experts and their year-long data. Over the upcoming weeks, we will be highlighting different aspects of this story, including our efforts in Ukraine, the disastrous Log4j vulnerabilities, adversaries’ use of offensive frameworks and software native to the victim’s machine, shifts in the ransomware landscape, the ever-present threat of commodity loaders/trojans, as well as an overview of some of the advanced persistent threats (APTs) we are most concerned with. Throughout the story, one key theme is clear: adversaries are adapting to shifts in the geopolitical landscape, actions from law enforcement, and the efforts of defenders. Defenders will need to track and address these shifts in behavior in order to maintain resilience.

We expect this data-driven story will shed some insight into Cisco’s and the security community’s most notable successes and remaining challenges. In addition, as these Year in Review reports continue in the future, we aim to provide data and narratives that help explain how the threat landscape changes from one year to the next. We hope you find this report as elucidating to read as it was to research and write, and that it arms the security community with the information and context needed to continue fighting the good fight.