Cisco’s Cyber Threat Trends Report offers a comprehensive and overview of the evolving cyber security landscape, leveraging its vast global reach through the analysis of DNS traffic. With visibility into over 715 billion DNS requests daily, Cisco provides a unique perspective into malicious activity across the internet. The report draws on eight months of DNS-layer data from August 2023 to March 2024 collected via Cisco Umbrella, and presents a detailed analysis of trends across various categories of threats.
The findings reveal that information stealers were the most frequently detected threat type throughout the reporting period. These are tools and malware designed to exfiltrate data such as documents, video and audio from compromised systems. Their activity was not constant but followed a wave-like pattern, with periods of intense detection followed by relative quiet. Cisco suggests that this lull may reflect operational pauses, during which attackers analyse and monetise stolen data before launching new campaigns.
In contrast, Trojan activity showed a notable decline over the same time span. Trojans, often used to gain an initial foothold in a network, started off strong but decreased significantly in later months. However, this did not signal an overall drop in cyber threats. Instead, ransomware activity surged dramatically in January 2024 and remained high into March. Cisco theorises that this shift reflects a tactical relationship between Trojans and ransomware. Frequently, threat actors deploy a Trojan first to establish access and later use that access to deliver ransomware payloads, encrypting data and extorting victims for payment.
The report also observed fluctuating activity in other threat categories, including remote access Trojans (RATs), advanced persistent threats (APTs), botnets, droppers and backdoors. Each showed distinct patterns of DNS behaviour and seasonal variation. RATs and APTs, in particular, represented more targeted and stealthy attack strategies that are harder to detect through traditional security tools but still leave traces at the DNS layer.
A central theme in the report is the critical role of DNS in modern cyber attacks. Almost all malware needs to make a DNS request to reach a command-and-control server, download payloads or exfiltrate data. By monitoring DNS queries, defenders can identify suspicious behaviours early, often before the actual attack fully unfolds. Cisco Umbrella, for example, blocks more than one million malicious domains every hour by detecting these behaviours in real time. DNS-layer protection can therefore act as a crucial frontline defense, stopping threats before they reach internal systems.
In addition to DNS protection, Cisco emphasises the importance of a layered security approach. This involves combining DNS-level filtering with endpoint security technologies such as antivirus, endpoint detection and response tools. A defense-in-depth strategy is essential because even if one control fails, others can catch the threat before it causes damage. Cisco compares this to having multiple bouncers at a club. If one misses an intruder, another can intervene. Their broader security stack, including Cisco Secure Access, integrates services such as secure web gateway (SWG), cloud access security broker (CASB), zero trust network access (ZTNA), remote browser isolation, data loss prevention (DLP) and malware detection to cover a range of attack vectors and user environments.
Cisco Talos, the company’s threat intelligence team, contributed further insight into the threat landscape. Their research highlighted identity-based attacks as the most common vector for breaches. Phishing, credential theft and misuse of legitimate accounts were involved in 60% of incident response cases, underscoring the need for strong identity protection such as multi-factor authentication (MFA) and Zero Trust architectures.
The report warns that threats are highly dynamic, often appearing in waves. For instance, when Trojan activity recedes, ransomware may rise. This ebb and flow suggests attackers regroup and shift tactics rapidly, sometimes even repurposing existing access or tools for new campaigns. This kind of fluidity requires defenders to remain agile, adapting their strategies based on threat intelligence and real-time visibility into network behaviour.
Organisations that deploy DNS-layer security in conjunction with endpoint and identity-based defenses are better positioned to detect and prevent threats. DNS filtering catches malicious domains before connections are made; endpoint tools stop payload execution and lateral movement; and identity safeguards limit attackers’ ability to exploit user accounts.
Cisco’s report aligns with broader industry trends. Other analysts, such as those from Deloitte and Gartner, have identified ransomware, social engineering and increasingly sophisticated threat actors as top challenges. Gartner, in particular, recommends a layered, AI-augmented defense model, echoing Cisco’s approach to integrating DNS intelligence with other security technologies.
The report delivers a clear message: defenders must combine deep visibility with multi-layered defenses to keep pace with rapidly evolving threats. DNS-layer protection offers a unique early-warning capability but it is most effective when part of a broader strategy that includes endpoint protection, cloud security, identity management and robust incident response. As attackers continue to shift tactics from data theft to ransomware to stealthy persistence, defenders must stay informed, proactive and flexible in their security architecture. The digital threat landscape is constantly changing and only by integrating intelligence, technology and strategy can organisations stay one step ahead.
To read the full report visit www.instrumentation.co.za/ex/cisco_cyberthreat_trends.pdf
© Technews Publishing (Pty) Ltd | All Rights Reserved
printer friendly version