Cisco Talos Publishes 2025 “Year in Review” to Guide Incident Responders on Emerging Threat Trends
What Happened — Cisco Talos released its 2025 Year in Review, a data‑driven analysis of the previous year’s threat landscape derived from endpoint detections, network traffic, email logs, and hands‑on incident‑response engagements. The report highlights shifting attacker tactics—especially the rise of MFA‑spray attacks and the continued dominance of ransomware groups like Qilin.
Why It Matters for TPRM —
- Provides concrete, real‑world TTPs that third‑party vendors may be exposed to, enabling risk‑based prioritization.
- Highlights systemic weaknesses (e.g., MFA misconfigurations) that can affect any downstream service provider.
- Supplies actionable intelligence that can be fed into vendor security assessments, tabletop exercises, and continuous monitoring programs.
Who Is Affected — Enterprises across all sectors that rely on third‑party SaaS, cloud, and managed services; particularly organizations with extensive Active Directory or IAM integrations.
Recommended Actions —
- Incorporate the Year in Review findings into your vendor risk assessment templates.
- Validate that critical vendors enforce MFA correctly and have robust push‑fatigue mitigation.
- Use the documented TTPs to design tabletop scenarios that test vendor incident‑response capabilities.
Technical Notes — The report is based on aggregated telemetry and IR casework, not on a single CVE. Key observations include:
- Identity‑based attacks accounted for ~60 % of Talos IR cases in 2024, with AD involvement in 44 %.
- MFA‑spray attacks doubled in 2025, exploiting weak MFA enrollment and policy misconfigurations.
- Zero‑day exploits were not the primary driver; credential theft and misuse of legitimate accounts prevailed.
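To turn the MFA‑spray observation into something a continuous‑monitoring program can run, the following is an added detection example (not code from the Talos report or from any IdP vendor). It parses constructed push‑MFA log lines in an assumed `key=value` format and flags users who received a burst of unanswered pushes, and in particular a burst followed by an approval, which is the pattern a push‑fatigue attack produces; the log format, field names and thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in an ASSUMED IdP log format (not any real product's format):
# <ISO timestamp> user=<name> src=<ip> factor=push result=<approved|denied|timeout>
SAMPLE_LOG = """\
2025-03-04T02:11:05Z user=alice src=203.0.113.9 factor=push result=timeout
2025-03-04T02:11:40Z user=alice src=203.0.113.9 factor=push result=denied
2025-03-04T02:12:10Z user=alice src=203.0.113.9 factor=push result=timeout
2025-03-04T02:12:55Z user=alice src=203.0.113.9 factor=push result=timeout
2025-03-04T02:13:30Z user=alice src=203.0.113.9 factor=push result=approved
2025-03-04T09:00:00Z user=bob src=198.51.100.7 factor=push result=approved
2025-03-04T09:05:00Z user=bob src=198.51.100.7 factor=push result=denied
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) factor=push result=(?P<result>\S+)$"
)

def parse(log_text):
    """Parse lines into (timestamp, user, src, result); skip non-push or malformed lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m["user"], m["src"], m["result"]))
    return sorted(events)

def detect_push_fatigue(log_text, window=timedelta(minutes=10), min_unanswered=3):
    """Return {user: verdict}. 'burst' = at least min_unanswered denied/timeout pushes
    inside the sliding window; 'burst_then_approved' = an approval arrived while such a
    burst was live, i.e. the signature of a successful push-fatigue (MFA-spray) attempt."""
    per_user = defaultdict(list)
    for ts, user, src, result in parse(log_text):
        per_user[user].append((ts, result))
    verdicts = {}
    for user, evts in per_user.items():
        unanswered = []  # timestamps of denied/timeout pushes still inside the window
        for ts, result in evts:
            unanswered = [t for t in unanswered if ts - t <= window]
            if result in ("denied", "timeout"):
                unanswered.append(ts)
                if len(unanswered) >= min_unanswered:
                    verdicts[user] = "burst"
            elif result == "approved" and len(unanswered) >= min_unanswered:
                verdicts[user] = "burst_then_approved"
    return verdicts
```

A `burst` verdict is worth an alert on its own; `burst_then_approved` should trigger session revocation and an IR ticket, since the account is likely compromised.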