Archiv für das Monat: Juli, 2019

By Talos Group
Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between July 5 and July 12. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.
As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.
Read More at Talosintelligence.com

ReferenceTRU071219 – This is a JSON file that includes the IOCs referenced in this post, as well as all hashes associated with the cluster. The list is limited to 25 hashes in this blog post. As always, please remember that all IOCs contained in this document are indicators, and that one single IOC does not indicate maliciousness. See the Read More link above for more details.

Source:: Cisco Security Notice

By Ben Greenbaum One of the best tools in your SOC’s arsenal is something you might already have access to and didn’t even have to pay for. If you already deploy Cisco Umbrella, AMP for Endpoints, Firepower devices, next-generation intrusion prevention system (NGIPS), Email Security, or Threat Grid, then you can immediately access Cisco Threat Response for FREE. As in no charge. Zero extra dollars. No strings attached.
With Cisco Threat Response, customers receive a powerful solution that can streamline and simplify detection, investigation, and remediation of threats. In addition, Threat Response offers a very easy, powerful tool in the new browser plugin (for Chromeand Firefox). By adding the plugin, security professionals now have instant access to threat intelligence and response capabilities directly from their browser. To prove the simplicity of this, let’s use a straightforward example.
For information on configuring the plugin, watch the tutorial here.
For the threat, we will use the Karkoff malware, used in the DNSpionage campaign. For background on the malware, let’s see what Talos has to say about it.

Ah, it seems that Talos has a full spotlight of Karkoff. Towards the bottom of the blog, Talos gives a full report on Indicators of Compromise for Karkoff.

Traditionally, you’d have to manually copy and paste each file, IP address, etc. from the blog, editing them to remove the defanging “safety brackets”, searching for each one in turn, in each of your telemetry sources – a laborious, manual activity. Cisco Threat Response simplifies this entire process by bringing all of these capabilities to one central source. So, let’s open the Cisco Threat Response browser plugin.

Immediately, Cisco Threat Response identifies 16 observables from this threat intelligence blog. 1 clean. 9 malicious. 6 unknown.

By clicking the malicious and unknown observables, we can tailor our investigation. We will not worry at all about snort.org, because we know Snorty is never up to anything bad!

As an example of how quickly we can take response actions, even before pivoting into Threat Response to do a more complete investigation, let’s look at kuternull.com. It is listed as “unknown.” By clicking the dropdown menu next to it, and pivoting out to other trusted intelligence sources like the Talos database or Threat Grid, we could quickly gather more information to determine a course of action.

For the purposes of simply showing the ease of the plugin, let’s assume we investigated this domain and there is no legitimate business need for our organization to be contacting it. In order to prevent potential malware activity, we will proactively block it now as a first level stopgap while we continue our investigation. Threat Response directly integrates with Umbrella, so we can immediately block the domain across our entire network with one click within the plugin.

Within a few seconds, Threat Response will flash a green banner confirming the blocking of the domain with Umbrella.

Now, after blocking a few domains quickly, our network is certainly better protected from Karkoff, but there is more investigation to be done. A quick click of the “Investigate” button will launch Cisco Threat Response’s cloud-based dashboard.

Cisco Threat Response will automatically load the list of the observables and provide insights with relation graphs, file hashes, and others.
Previously, Security Operations Centers (SOCs) would hear about trending threats and wonder, “Is my network affected by this threat?” To answer that question, it would require a series of manual processes that required investigating observables hundreds of times across the network, and then, writing sufficient policy to defend against these threats. To make life even more difficult, these solutions were often from different vendors and require manual processes to implement across different parts of the next work.
With Cisco Threat Response, within minutes, your SOC can:
Identify a trending threat from your SIEM, Talos, other threat intel sources, or virtually any third party product that has a web based interface
Identify a list of observables with one click
Quickly block domains across the network
Launch Cisco Threat Response for further investigation
It is important to note that Cisco Threat Response is a FREE add-on to existing Cisco Security solutions. In the example above, the user has Threat Response integrated with their AMP For Endpoints, Cisco Threat Grid, and Umbrella solutions. In addition, every user of Threat Response automatically gets access to the Talos Intelligence and AMP File Reputation databases for use in Threat Response. While Cisco Threat Response provides significant value when integrated with only one product, it becomes even more useful with each additional Cisco Security solution integration. It offers unparalleled central-management for detection, investigation, and remediation – and the browser plugins bring all those capabilities into any type of web content. Whether it is a blog entry like in this example, any other intelligence source, or the browser-based management console of any Cisco or third-party security or networking product.
For more information on Cisco Threat Response, visit our webpageor create an account in the U.S.or EMEARto get started right away. You can also download plugins for Chromeand Firefoxto make investigations easier today.

BONUS: Make sure to catch our upcoming #CiscoChat LIVE, featuring Cisco Threat Response, on Tuesday, July 16 at 10am PT/1pm ET.
To participate in this #CiscoChat LIVE:
Head over to com,YouTube, Facebook, or Twitterto watch the #CiscoChat as it happens. Moderator Jolene Tam will start the broadcast at 10am PT/1pm ET.
Post your questions in the comments section on whichever channel you’re watching on. Or, if you’re watching on Cisco.com, tweet out the questions you want answered live, making sure to include the #CiscoChat hashtag. We will be answering questions live, so feel free to post away during the chat.

Source:: Cisco Security Notice

By TK Keanini I have seen the future of the firewall and it is not a firewall!
Firewalls have been with us since the late 1980s and they have become synonymous with access control. It is time to redefine that relationship because while access control will remain a need from now into the distant future, the way to deliver access control must change given the evolution of networking and new methods of computing. We need to focus on how to deliver a consistent outcome regardless of what is appropriate for these environments.
All around us, consumers want to get as close to “paying for the outcome” versus paying for everything that is required to lead to that outcome. Some of you might remember the days when you wanted to run computer services for your company and it began with you having to rent real estate, HVAC, all the things that led up to finally operating computers and the applications offering those services. A very strong analogy here is ride sharing (like Uber or Lyft) whereby the consumer would like the outcome of “transportation” without the need for a car, insurance payments, covered parking, or the skill to drive. Hold on to this thought because the analogy carries through my entire explanation.
When you look at a ride sharing service, not only is the person paying for the direct outcome but depending on your location, different options are presented. For example, if I’m in a city center, I might be presented with not only different classes of automobiles, but I might also be offered electric scooters, bicycles, or maybe even pedicabs for shorter distances. Again, the outcome is getting from point A to point B, but depending on the environment, some transports might be more appropriate. When you look at the outcome of access control, how that is implemented in the traditional data center is drastically different in public cloud; it is different for mobile computing versus orchestrated containerized workloads. My point being, the policy of who should be able to communicate with whom and what applications can be used requires a similar decision as ride sharing and should be abstracted away from the local device that carries out that task. And this my friends, is why the future of firewalls is not a firewall, but Cisco Defense Orchestrator!
Just like with Cisco’s larger intent-based networking, Cisco Defense Orchestrator (CDO) allows you to state your intention via a policy that spans your hybrid multi-cloud environment. You assert your access policies and Cisco Defense Orchestrator will handle the rest.
This pattern of being able to articulate your intent and having machines reconcile with the dynamic changes in the world is happening across the entire information technology field. We see this happening in container-based computing with the increasing popularity of Kubernetes. As demand ebbs and flows, Kubernetes handles the orchestration to ensure the service levels you intend to deliver are reconciled with the scaling of the services architecture. This same pattern is seen with intent-based networking in that a business can state a policy of connectivity and the Cisco DNA architecture carries this out ensuring that latency, bandwidth, and quality of service are all being met. In all cases, this pattern has made it simpler for the humans to focus on the outcome as machines take on the more complicated and adaptive computing tasks.
Cisco Defense Orchestrator follows the same design pattern whereby an access policy is asserted and depending on the network topology and computing environment, enforcement-point specific configurations are implemented. Where once there was a tight coupling between the firewall being synonymous with the access policy, Cisco Defense Orchestrator separates the access policy from the configuration details of enforcement-points. You can model and explicitly state the access policy of the business such that it can then be applied to the legacy firewalls, next-generation firewalls, host-based firewalls, software defined networking, or any other form of enforcement-point that may come up in the future! Inherently this decoupling also makes policy more testable, more scalable, and simpler to manage.
Cisco Defense Orchestrator has taken the firewall, a word that we would typically view as a noun or a thing and made it an action verb or an outcome. When I realized this, my mind was blown! Just like ride sharing, abstracting away the outcome of transportation from the forms of transportation was not only genius, but also a highly durable and forward-thinking methodology. Access control and the policies that embody what the business requires have been abstracted away from the device forms that will best carry out that access control! You no longer have to worry about topology, legacy firewalls, next-gen firewalls, application firewalls, software defined networking, public cloud workloads, or the many things that we don’t even know today that will appear tomorrow. Instead, we can now focus on the outcome which is the “intended state of access.” #mindblown

Want to learn more? Watch a quick explainer video or visit our Cisco Defense Orchestrator homepage.
Like what you see? Try our free 30-day trial of Cisco Defense Orchestrator to simplify security policy management across your Cisco ASA, FTD, or Meraki MX platforms.

Source:: Cisco Security Notice