Craig Williams


Talos Outreach

Craig Williams has always had a passion for learning how things operate – and how to circumvent security measures. His deep interest in security technology led to a career at Cisco, which began with research into vulnerabilities, threats, and network detection techniques. His research over the past decade has included running the Cisco malware lab and trying to outwit the very security products he has helped Cisco to design.

New areas of network protection, including the utilization of new evasion techniques and threats, have emerged directly from Mr. Williams’ work. Today, as a Director of the Talos Outreach team, Mr. Williams is focused on building next-generation security products covering web and email security, threat defense systems, and security management systems. Through his work and involvement with Cisco Talos – Outreach, he looks to give back to the Internet and security community by helping to bring attention to the breadth and depth of Cisco’s threat research.

Mr. Williams is also working to extend Cisco’s threat defense technologies to a wider range of networking products, broadening the controls and countermeasures that are utilized by existing technologies, and extending coverage across more protocols. His expertise includes designing IPS/IDS signatures, penetration testing, reverse engineering, vulnerability research, botnets, and attack obfuscation.

As Director of the Talos – Outreach team, Craig helps to guide some of the most experienced and knowledgeable threat researchers and analysts at Cisco – and in the industry. Their collaborative research and analysis work is intended not only to continually enhance the quality and efficacy of Cisco’s security products, but also to provide actionable intelligence that helps all Internet users defend against both known and emerging network threats.

Previous roles

Before joining the Cisco Talos – Outreach team, Mr. Williams was Technical Leader for Signature Engineering at Cisco Security Research and Operations (SRO) at Cisco Security Intelligence Operations (SIO), a role he held for two years. He examined trends for research projects, and provided guidance regarding vulnerability research, inspection enhancements, and areas for future development. From 2008 to 2011, he was a founding member of Cisco’s Applied Security Research team, where he focused on botnets and botnet mitigation.

More about Craig Williams

Among Mr. Williams’ significant contributions to Cisco is an issued patent, “enhanced server to client session inspection,” which involves obfuscated traffic inspection.

He is also the proud recipient of a Google “Bug Bounty,” which he earned by figuring out how to download paid digital content for free from the Google Play Store – and swiftly alerting Google to the problem. (A very tired but elated Mr. Williams made the discovery around 3 a.m., just hours after bringing home his newborn daughter from the hospital.) He earned a subsequent Google bug bounty for discovering an issue around whois information for Google Apps customers. This is documented here.

Mr. Williams holds a Bachelor’s degree in Computer Science from The University of Texas at Austin.

Cisco Talos – Outreach

Through research projects, publications, presentations, and other front-facing activities, the expert threat researchers and analysts on the Cisco Talos – Outreach team help Cisco customers, the security community, industry, and the public understand the value of Cisco CSI and the early-warning intelligence, threat, and vulnerability analysis its researchers provide.

Additionally, the Cisco Talos – Outreach team works with media outlets to provide timely, in-depth insight and analysis on major web security incidents. Cisco Talos – Outreach team members are also regular contributors to Cisco Security Reports and the Cisco Security Blog.


August 2, 2017


The Real IoT Opportunity for Enterprises? A Chance to Address Security Risks Head On

2 min read

IoT and IoT-related threats are very real. A massive compromise of IoT devices can severely disrupt not only organizations, but also the Internet itself. Fortunately, we are still in the early days of the IoT, which means there’s still time for defenders to do their part to help secure it.

January 20, 2016


The Value of Collaboration in Weakening Attackers

2 min read

Today’s attackers deploy complex and clever threats that are difficult to combat with just one method of defense. In some cases, defenders must go beyond tools for detecting attacks and devise a different approach for obstructing our adversaries’ ability to operate. As detailed in the Cisco 2016 Annual Security Report...

July 29, 2015


Midyear Security Report: Exploit Kits and Ransomware Get Creative

3 min read

The modern online adversary is out to make money, not simply hack networks for the fun of it. In the Cisco 2015 Midyear Security Report, there’s yet more evidence that criminals are using tools with ever-increasing sophistication to steal valuable personal or financial data and sell it, coerce users into paying ransoms for their own […]

July 8, 2014


Threat Spotlight: “A String of Paerls”, Part 2, Deep Dive

1 min read

This post has been coauthored by Joel Esler, Craig Williams, Richard Harman, Jaeson Schultz, and Douglas Goddard. In part one of our two-part blog series on the “String of Paerls” threat, we showed an attack involving a spearphish message containing an attached malicious Word doc. We also described our methodology in grouping similar samples based on Indicators of Compromise: static and […]

June 30, 2014


Threat Spotlight: A String of ‘Paerls’, Part One

5 min read

This post was co-authored by Jaeson Schultz, Joel Esler, and Richard Harman. Update 7-8-14: Part 2 can be found here. This is part one in a two-part series due to the sheer amount of data we found on this threat and threat actor. This particular attack was a combined spearphishing and exploit attempt. As we’ve seen in the past, this […]

January 9, 2014


Fake German Bill Spam Campaign Spreads Malware

2 min read

Update 2014-01-10: This malicious campaign has expanded to include emails that masquerade as bills from NTTCable and from VolksbankU. Update 2014-01-21: We’ve updated the chart to include the Vodafon emails and latest URL activity. English language has emerged as the language of choice for international commerce. Since people throughout the world are used to receiving English […]

December 4, 2013


The Internet of Everything, Including Malware

3 min read

We are witnessing the growth of the Internet of Everything (IoE), the network of embedded physical objects accessed through the Internet, and it’s connecting new devices to the Internet which may not traditionally have been there before. Unfortunately, some of these devices may be deployed with a security posture that may need improvement. Naturally when we saw […]

November 4, 2013


Massive Increase in Reconnaissance Activity – Precursor to Attack?

2 min read

Update 2013-11-12: Watch our YouTube discussion. Update 2013-11-05: Upon further examination of the traffic we can confirm that a large percentage is destined for TCP port 445. This is indicative of someone looking for nodes running SMB/DCERPC. With that in mind it is extremely likely someone is looking for vulnerable Windows machines or it is quite possible that […]

July 19, 2013


Zeus Botnet Impersonating Trusteer Rapport Update

1 min read

Starting Friday, July 19, 2013 at 14:45 GMT, Cisco TRAC spotted a new spam campaign likely propagated by the Zeus botnet. The initial burst of spam was very short in duration and it’s possible this was intended to help hide the campaign, since it appears to be targeted towards users of a Trusteer product called […]
