Our World in Transition and Our Future Demands

By John N. Stewart October is Cybersecurity Awareness Month and for me, it’s a time to reflect on where we’ve been and how far we’ve come, study the trends and challenges we face today, and look ahead to the next generation of opportunities facing not only the security community, but society at large.
In my more than 30 years in the security industry, it’s been interesting to see how technology has evolved and changed the world. Security started off as a ‘systems‘ conversation. Now, technology touches everyone’s lives, and as a result, cybersecurity affects us all – individuals, businesses, cities, countries, our global community.
From Use to Reliance
During our lifetimes, we’ve shifted from using technology to, in very subtle ways, becoming reliant on it. Whether we realize it or not, these subtleties have made us dependent on technology. The notion of ‘always on‘ access to data is highly disruptive to us when we don’t have it. Take maps for example: using a printed map is foreign to us today, and when the maps on our devices don’t work, we’re lost, literally.
When technology is unavailable, in many respects we feel ‘out of the loop‘ and behind in knowing what’s going on. There’s a lagging indicator that says, ‘Now that we have access to current information, we always expect this level of connectivity – we depend on it.‘ That reliance makes securing the data and the systems that deliver it to us that much more vital.
A Confluence of Change – All in Three Years
Since 2017, three major transitions have occurred that illustrate how complicated cybersecurity has become for us all globally. These transitions have caused security professionals to feel the pressure and scrutiny from a number of organizations that have upped their games. They’re having to catch up to a confluence of changes, all occurring at the same time:
1. Technology
Prior to 2017, IT predominantly built and ran an organization’s technology infrastructure, spending on security and hoping it works, relying on best-of-breed products, and managing it all reactively.
We all needed cybersecurity, but how could we net the best results – the greatest level of efficacy – from the solutions we purchased? Exactly how much value are we getting when spending on a solution? Is it all integrated as a best strategy or are we simply buying technology from the leading brand name or best advertised?
Today, leading IT teams build, buy and run security, use a ‘best-of-integrated‘ architecture approach and emphasize visibility, controls, measures and proactive approaches to security that drive efficacy and value.
2. Laws, Regulations, and Customer Requirements
This transition shows the increasing influence that laws, regulations and customer requirements have on a technology or service provider to its clients, and in turn, to their customers, citizens, colleagues, families and friends.
The formalization of laws and regulations – from the EU-NIS Directive to GDPR to the Australian Government Protective Security Policy Framework to the California Consumer Privacy Act, to name a few – have driven greater scrutiny and reform. It’s accelerated substantially in a short period of time, from ‘do-it-yourself‘ disharmonious regulations and rule, to a set of country, inter-country and international use standards.
Now corporate and government leaders across the international community are being held accountable. This transition from varying self-rule and self-regulation to accountability, breach reporting and disclosure highlights the implications of mishandling data and privacy through significant fines and executive firings.
In many respects, it’s been a long time coming. What’s interesting is that now that it’s here, it’s caught many off-guard – and it’s by no means slowing down.
3. Internal Oversight
When I started in InfoSec, security was mainly an engineering or computer science discipline. The security team was often avoided so that they couldn’t suppress innovation because of security concerns. The business was self-governing with inconsistent levels of oversight.
Today, internal reporting to and oversight by executive leadership, the CEO, the board of directors and shareholders are becoming standard practice to ensure proper governance. In part, it is a response to the regulatory landscape and the need for higher levels of accountability and oversight from within. It’s also based on the criticality of technology moving from something we use to something we rely on to deliver a service.
All three of these transitions came to the fore in a very short period of time to know how to effectively react, govern and solve for it. By the way, we’re all going through this and determining our own strategies to face the challenges, net the value they deliver, and understand how to be safe and secure in and around it all.
Our Future Demands
Today, there are about 4 billion internet users globally – all told about 10X of what it was in 2000. We’re in a world where everything is being connected and generating data. This will have significant impact on the next few years in particular and even more substantially into the future.
By next year, there will be about 200 billion devices ‘on air,‘ which includes cars, telemetry in cities, sensors and a multitude of other connected devices. Two-hundred billion is almost an ephemeral number, but it’s not to be underestimated because the number of vendors creating IoT-connected technology is growing probably 3-4X every year than the prior year. That’s a trend that I don’t see slowing down any time soon.
By 2021, cybercrime is estimated to be a $6 trillion industry – a very profitable industry, though I don’t recommend it as a career choice. It does illustrate the depth and breadth of the challenge – that it’s an international and global issue that we all have to work together to solve because it’s something that we all face.
Raising the Bar for a More Secure Future
Governments and businesses globally are raising the bar to meet the challenge around product assurance, cloud assurance, IoT, lawful intercept, data protection, privacy and the like. Some 30-odd countries are writing or revising their cybersecurity strategies and each can have profound implications on how data is shared and how systems are built.
So, during Cybersecurity Awareness Month, consider what you can do to make the world more safe and secure, and take action. What can you do as individuals? How are you protecting yourself online and helping your business, colleagues, friends and family to do the same? Each individual act, when taken together, can move us all to a more secure future.
We’re not looking for headlines that show ‘good‘ or ‘bad.‘ We need trend lines that show that what we’re doing collectively is moving us all towards lower risk. As long as the trend line is going in the right direction, we’re doing what we need to do – and we must all do our part.
For governments, companies and individuals alike, Cisco’s Cybersecurity Awareness Month site offers events, activities and educational content, and ways to get involved. The Cisco Trust Center also offers resources to help you with security, data protection and privacy. Both feature links to security reports, videos, threat intelligence, thought leadership and more that will keep you informed.

Source:: Cisco Security Notice

Threats in encrypted traffic

By Ben Nahorney There was a time when the web was open. Quite literally—communications taking place on the early web were not masked in any significant fashion. This meant that it was fairly trivial for a bad actor to intercept and read the data being transmitted between networked devices.
This was especially troublesome when it came to sensitive data, such as password authentication or credit card transactions. To address the risks of transmitting such data over the web, traffic encryption was invented, ushering in an era of protected communication.
Today more than half of all websites use HTTPS. In fact, according to data obtained from Cisco Cognitive Intelligence, the cloud-based machine learning engine behind Stealthwatch—Cisco’s network traffic analysis solution—82 percent of HTTP/HTTPS traffic is now encrypted.
The adoption of encrypted traffic has been a boon for security and privacy. By leveraging it, users can trust that sensitive transactions and communications are more secure. The downside to this increase in encrypted traffic is that it’s harder to separate the good from the bad. As adoption of encrypted traffic has grown, masking what’s being sent back and forth, it’s become easier for bad actors to hide their malicious activity in such traffic.
A brief history of encrypted traffic
The concerns around security and privacy in web traffic originally led Netscape to introduce the Secure Sockets Layer (SSL) protocol in 1995. After a few releases, the Internet Engineering Task Force (EITF) took over the protocol, which released future updates under then name “Transport Layer Security” (TLS). While the term SSL is often used informally to refer to both today, the SSL protocol has been depreciated and replaced by TLS.
TLS protocol works directly with existing protocols and encrypts the traffic. This is where protocols like HTTPS come from— the hypertext transfer protocol (HTTP) is transmitted over SSL/TLS. While HTTPS is by far the most common protocol secured by TLS, other popular protocols, such as SFTP and SMTPS can take advantage of the protocol. Even lower-level protocols like TCP and UDP can use TLS.
Threat actors follow suit
Attackers go to great pains to get their threats onto systems and networks. The last thing they want after successfully penetrating an organization is to have their traffic picked up by network-monitoring tools. Many threats are now encrypting their traffic to prevent this from happening.
Where standard network monitoring tools might be able to quickly identify and block unencrypted traffic in the past, TLS provides a mask for the communication threats utilize to operate. In fact, according to data taken from Cognitive Intelligence, 63 percent of all threat incidents discovered by Stealthwatch were discovered in encrypted traffic.
In terms of malicious functionality, there are a number of ways that threats use encryption. From command-and-control (C2) communications, to backdoors, to exfiltrating data, attackers consistently use encryption to hide their malicious traffic.
Botnets
By definition, a botnet is a group of Internet-connected, compromised systems. Generally, the systems in a botnet are connected in a client-server or a peer-to-peer configuration. Either way, the malicious actors usually leverage a C2 system to facilitate the passing of instructions to the compromised systems.
Common botnets such as Sality, Necurs, and Gamarue/Andromeda have all leveraged encryption in their C2 communications to remain hidden. The malicious activity carried out by botnets include downloading additional malicious payloads, spread to other systems, perform distributed-denial-of-service (DDoS) attacks, send spam, and other malicious activities.
Botnets mask C2 traffic with encryption.
RATs
The core purpose of a RAT is to allow an attacker to monitor and control a system remotely. Once a RAT manages to implant itself into a system, it needs to phone home for further instructions. RATs require regular or semi-regular connections to the internet, and often use a C2 infrastructure to perform their malicious activities.
RATs often attempt take administrative control of a computer and/or steal information from it, ranging from passwords, to screenshots, to browser histories. It then sends the stolen data back to the attacker.
Most of today’s RATs use encryption in order to mask what is being sent back and forth. Some examples include Orcus RAT, RevengeRat, and some variants of Gh0st RAT.
RATs use encryption when controlling a computer.
Cryptomining
Cryptocurrency miners establish a TCP connection between the computer it’s running on and a server. In this connection, the computer is regularly receiving work from the server, processing it, then sending it back to the server. Maintaining these connections is critical for cryptomining. Without it the computer would not be able to verify its work.
Given the length of these connections, their importance, and the chance that they can be identified, malicious cryptomining operations often ensure these connections are encrypted.
It’s worth noting that encryption here can apply to any type of cryptomining, both deliberate and malicious in nature. As we covered in our previous Threat of the Month entry on malicious cryptomining, the real difference between these two types of mining is consent.
Miners transfer work back and forth to a server.
Banking trojans
In order for a banking trojan to operate, it has to monitor web traffic on a compromised computer. To do that, some banking trojans siphon web traffic through a malicious proxy or exfiltrate data to a C2 server.
To keep this traffic from being discovered, some banking trojans have taken to encrypting this traffic. For instance, the banking trojan IcedID uses SSL/TLS to send stolen data. Another banking trojan called Vawtrak masks its POST data traffic by using a special encoding scheme that makes it harder to decrypt and identify.
Banking trojans encrypt the data they’re exfiltrating.

Ransomware
The best-known use of encryption in ransomware is obviously when it takes personal files hostage by encrypting them. However, ransomware threats often use encryption in their network communication as well. In particular, some ransomware families encrypt the distribution of decryption keys.
How to spot malicious encrypted traffic
One way to catch malicious encrypted traffic is through a technique called traffic fingerprinting. To leverage this technique, monitor the encrypted packets traveling across your network and look for patterns that match known malicious activity. For instance, the connection to a well-known C2 server can have a distinct pattern, or fingerprint. The same applies to cryptomining traffic or well-known banking trojans.
However, this doesn’t catch all malicious encrypted traffic, since bad actors can simply insert random or dummy packets into their traffic to mask the expected fingerprint. To identify malicious traffic in these cases, other detection techniques are required to identify the traffic, such as machine learning algorithms that can identify more complicated malicious connections. Threats may still manage to evade some machine learning detection methods, so implementing a layered approach, covering a wide variety of techniques, is recommended.
In addition, consider the following:
Stealthwatch includes Encrypted Traffic Analytics. This technology collects network traffic and uses machine learning and behavioral modeling to detect a wide range of malicious encrypted traffic, without any decryption.
The DNS protection technologies included in Cisco Umbrella can prevent connections to malicious domains, stopping threats before they’re even able to establish an encrypted connection.
An effective endpoint protection solution, such as AMP for Endpoints, can also go a long way towards stopping a threat before it starts.
Enjoyed reading this Threat of the Month? Subscribe to the Threat of the Month blog series and get alerted when new blogs are published.

Source:: Cisco Security Notice

Open Document format creates twist in maldoc landscape

By Talos Group By Warren Mercer and Paul Rascagneres.
Introduction
Cisco Talos recently observed attackers changing the file formats they use in an attempt to thwart common antivirus engines. This can happen across other file formats, but today, we are showing a change of approach for an actor who has deemed antivirus engines perhaps “too good” at detecting macro-based infection vectors. We’ve noticed that the OpenDocument (ODT) file format for some Office applications can be used to bypass these detections. ODT is a ZIP archive with XML-based files used by Microsoft Office, as well as the comparable Apache OpenOffice and LibreOffice software.
There have recently been multiple malware campaigns using this file type that are able to avoid antivirus detection, due to the fact that these engines view ODT files as standard archives and don’t apply the same rules it normally would for an Office document. We also identified several sandboxes that fail to analyze ODT documents, as it is considered an archive, and the sandbox won’t open the document as a Microsoft Office file. Because of this, an attacker can use ODT files to deliver malware that would normally get blocked by traditional antivirus software.
We only found a few samples where this file format was used. The majority of these campaigns using malicious documents still rely on the Microsoft Office file format, but these cases show that the ODT file format could be used in the future at a more successful rate. In this blog post, we’ll walk through three cases of OpenDocument usage. The two first cases targets Microsoft Office, while the third one targets only OpenOffice and LibreOffice users. We do not know at this time if these samples were used simply for testing or a more malicious context.
at Talosintelligence.com

Source:: Cisco Security Notice

Threat Roundup for September 20 to September 27

By Talos Group
Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between Sep. 20 to Sep 27. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.
As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.
Read More
Reference:
TRU272019 – This is a JSON file that includes the IOCs referenced in this post, as well as all hashes associated with the cluster. The list is limited to 25 hashes in this blog post. As always, please remember that all IOCs contained in this document are indicators, and that one single IOC does not indicate maliciousness. See the Read More link above for more details.

Source:: Cisco Security Notice

How to post a successful Mantis Request

Source:: Innovaphone

How to post a successful Mantis Request

Source:: Innovaphone

Cisco Security Supporting NATO’s Largest Cybersecurity Conference

By James McNab NIAS is NATO’s largest cyber security conference and provides an opportunity for NATO and government leaders, defence and cybersecurity specialists to discuss needs and priorities and effective cyber security solutions.
NATO’s mission is to protect the freedom of its members. It has innovated and adapted itself to ensure its policies, capabilities and structures meet current and future threats, including the collective defence of its members. In 2016, Allies reaffirmed NATO’s defensive mandate and also recognised cyberspace as a domain of operations in which NATO must defend itself as effectively as it does in the air, on land and at sea. Cybersecurity is also a critical component of its operations, enabling intelligence to be safeguarded and operational communications to be secure and confidential.
The demands on NATO associated with its cybersecurity mandate are significant as indeed are those for all organisations in keeping their workforces protected anywhere. They are up against active adversaries who are well-funded and endlessly patient. Nonetheless, effective cybersecurity should clear the path for any organisation to achieve its goals and not get in the way. It should be simple, yet powerful. Flexible, yet rock-solid. Invisible to users, yet easily managed behind the scenes.
At the heart of Cisco’s platform approach to cybersecurity is a simple idea that is consistent with the approach to air, land and sea defences: security solutions should be designed to act as a team. They should learn from each other. They should listen and respond as a coordinated unit. When that happens, security becomes more systematic and effective.
As the biggest security company in the world, Cisco has the breadth and depth of knowledge to solve platform-level challenges that span the data centre, network, cloud, internet, email, endpoints, and everywhere in between. As a global leader in networking that collaborates with customers to solve complex IT challenges, we’re uniquely positioned to embed security into any organisation’s network and architecture at scale.
Cisco Security will again have a prominent presence as Gold sponsor at NIAS, NATO’s largest cyber conference that takes place October 15-17 in Mons, Belgium, for engaging discussions on the critical role cyber security plays in securing the NATO Alliance. Under the banner Security Above Everything, Cisco’s presence includes Edna Conway, Cisco’s Chief Security Officer, Global Value Chain, as the keynote speaker talking about “The Trolls Under the Bridge: Who & What Lurks in Your Supply Chain?” and Martin Lee from Talos, Cisco Threat Intelligence, as host of a technical workshop focused on “Understanding Software Supply Chain Attacks”.
At the Cisco booth featuring the threat wall, delegates will be able to watch live demos and learn about security solutions that enable private and public organisations to prevent, detect and respond to cyber attacks. Visitors can book meetings with Cisco security experts through the event website.

Source:: Cisco Security Notice

Divergent: “Fileless” NodeJS Malware Burrows Deep Within the Host

By Talos Group Executive summary
Cisco Talos recently discovered a new malware loader being used to deliver and infect systems with a previously undocumented malware payload called “Divergent.” We first dove into this malware after we saw compelling data from Cisco Advanced Malware Protection’s (AMP) Exploit Prevention.
This threat uses NodeJS — a program that executes JavaScript outside of a web browser — as well as the legitimate open-source utility WinDivert to facilitate some of the functionality in the Divergent malware. The use of NodeJS is not something commonly seen across malware families.
The observed malware campaigns associated with Divergent feature the use of persistence techniques most commonly associated with “fileless” malware, leaving behind few artifacts for researchers to look at. This malware can be leveraged by an attacker to target corporate networks and appears to be primarily designed to conduct click fraud. It also features several characteristics that have been observed in other click-fraud malware, such as Kovter.
Read More >>

Source:: Cisco Security Notice

DevSecOps: Blending Critical Operations and Cultures to Increase Data Security

By Steve Martino Two major shifts are affecting organizational cybersecurity posture: digital product and service offerings are increasingly powered by mobile, cloud and data analytics; while developers of those products and services are migrating to Development Operations (DevOps) processes for greater agility and scale. Because both of these trends have security implications, CISOs are innovating approaches to build security in and shift it to a shared responsibility between the development and IT teams.
A new practice of DevSecOps—bridging DevOps workflows with Information Security (InfoSec) Operations—blends constructs familiar to both groups. Here are a few tips on how to start a DevSecOps initiative:
Establish the foundation. Using clearly defined guiding principles to drive security throughout the development process helps establish mutual trust among the Engineering, Operations and Security teams. This is also how expectations for mutual accountability and high security standards get defined. The org manifesto offers a great starting place. Their guidelines can be readily modified to fit a company’s unique requirements.
Prove it out first. It’s best to prove ideas manually before automating them. At Cisco, we ran an Agile security hack-a-thon with participants from the Information Security and application teams to first configure the most important security requirements – what we call the guardrails. Start by defining what your guardrails should be in the context of what platform you’ll use. For example, our first target environment was built on Amazon Web Services (AWS), so we defined 10 guardrails for our AWS accounts that fit our specific requirements. Then, conduct a hack-a-thon as you would for other Agile development efforts. Post-test readouts help the entire team be knowledgeable and support users in DevOps fashion.
Automate Your Guardrails. Provide an easy way for your teams to apply the guardrails, such as at the time of new account provisioning. Also develop simple scripting to retrofit those with existing accounts. This likely will require coordination among multiple teams – InfoSec, IT, Supply Chain, Procurement and possibly others. We achieved the security automation via our own tool we call the Continuous Security Buddy (CSB), which is built on several AWS services.
Continuously Validate. As new resources are on-boarded or other changes occur, keep guardrails up-to-date with constant security validation and real-time monitoring of security logs. Consider creating security “health reports” based on specific scoring or grading criteria to send to department tenants on a regular basis. That will empower tenants to address any critical security findings in a timely manner, and enable a cycle of teams always integrating and deploying code while getting ongoing security assurance.

Learnings and Results
At Cisco, our DevSecOps adoption and the subsequent security improvements actually exceeded our expectations. Within several weeks, our minimal viable tool ran in 72% of accounts hosting Cisco’s Cloud offers; 97% of these accounts, on average, received a health score of A or B in their daily report, indicating a healthy security posture relative to the established guardrails.
The whole effort taught us meaningful lessons about moving to a new model: the need for hands-on learning; setting realistic expectations for launch then growth; detailing the full range of compliance needs; building genuine, trusting partnerships with all key internal stakeholder groups; and taking necessary but reasonable risks. A mutually respectful and cooperative culture is perhaps the most essential ingredient. Complement your InfoSec team with other appropriately skilled resources to ensure successfully delivery of your DevSecOps principles and guardrails. The collective skills and knowledge will cross-pollinate. Bringing teams together guided by a common goal is always a recipe for success.
Also see, CISO Insights: Another side to Cyber Culture

Source:: Cisco Security Notice

The Criticality of the Network in Securing IoT and Critical Infrastructure

By Simon Finn Security is the key to the success of any digital project, whether you are connecting critical infrastructure, industrial Internet of Things (IoT), or delivering data and telemetry to reduce costs and increase revenue. We have long advocated the need for a holistic approach to IoT security, and with it, shared the vital role the network plays in embedding security. To further demonstrate the network’s role, let’s explore how it can help us tackle a series of IoT-related security challenges.
The challenge of securing communications
The first challenge is simply one of securing network communications. By default, any connected device can access anything on the network. This becomes a real problem when viewed with the realization that devices are unable to protect themselves; many devices were not designed with security built in – for example, think of your thermostat or refrigerator. Even if security is a design consideration and a devices initial state is secure, vulnerabilities will be discovered over time. Vendor support lifecycles and patching practices can vary, and it often leaves devices exposed for an extended periods. The logical conclusion to this is that we need to protect the device, and we need to protect other assets from the device.
Many organizations have undertaken extensive work to do broad grained, or macro-segmentation, which is immensely valuable from a security perspective. Yet, how do we isolate and protect devices within these segmented parts of the network, applying the principle of least access? How do we stop lateral movement of malware and reconnaissance activities within these segments themselves?
However, the IoT does represent a problem of scale. Organizations are struggling with the operational scale that is required to manage the explosion of connected devices. Operational overhead such as on-boarding devices and applying the required policy will be significantly exacerbated by the problem of sheer numbers and types of devices.
How the network can help
To deal with problems associated with lateral movement movement of threats and the need to isolate devices, we need to apply network policy as close as possible to the device. This method is commonly referred to as micro-segmentation, and Cisco taken this capability from theory to practice for years now.

To address the issues relating to scale, there are a couple of capabilities that help address these problems. Firstly, we are software defining the network, including its policy controls and segmentation. What this permits us to do is to provision controls centrally, in a fast, scalable and reliable manner. The network can also leverage what it can see, such as device profiling, location and identity, to help inform that policy. This contextual information, gathered by the network, can be also shared with other services and collected from other services. I’ll share more on the value of this in subsequent blog posts.
Secondly, we have been working on defining standards in collaboration with the Internet Engineering Task Force (IETF). For example, RFC 8520: Manufacturer Usage Description (MUD) allows manufacturers to define the policy, saving administrators many hours attempting to discern the appropriate policy to apply to new devices. The standard allows for automation of the entire process.
The network is well placed to act as a gatekeeper for devices, ensuring authentication and enforcing on-boarding workflows. Standards are currently in development, such as Bootstrapping of Remote Secure Key Infrastructure (BRSKI), that will help extend these capabilities by automating the provisioning of strong identity on devices. The network acting as the gatekeeper and orchestrator of on-boarding flows also enables protection of devices whilst in a potentially vulnerable state when first plugged in.
As you can see, the network plays a significant role protecting devices and data. Look for more to come in follow on blogs, as we explore how the network’s capabilities are extended to address other issues associated with securing the IoT.

Source:: Cisco Security Notice