The commoditization of mobile espionage software

By Talos Group Mobile stalkerware has all sorts of wide-ranging consequences. The creators of these types of apps can track user’s locations, see their social media usage and more. And they certainly open the door for abuse by governments hoping to spy on their citizens, parents looking to track their children or controlling spouses hoping to track every move their partners make. This class of software exists to surreptitiously get and provide this personal information, sometimes in real time.
Cisco Talos recently spotted a wave of vendors hawking this software, designed to spy on unsuspecting users. We observed apps across the globe — including activities in countries that have some of the worst human rights records — with vendors offering language- and country-specific services. In all, there were 87 vendors we discovered as part of our research, which we believes poses a serious threat to at-risk individuals. The stalkerware space is completely unregulated, and these apps are allowed to exist on many app stores for extended periods of time, with their creators even offering easy to follow tutorials online as to how to trick users into downloading these apps. This is an easily accessible, yet volatile, market.

Source:: Cisco Security Notice

Remote Access Trojans

By Ben Nahorney You’re working for a high-profile technology company, close to releasing a market-changing product to the public. It’s a highly contested space, with many competitors, both domestic and international. There’s also a lot of buzz in the media and online speculation on the scope and impact your new product will have. And it goes without question that customers are keen to know more about the upcoming game-changer.
Your goal is to keep the secrets under wraps until the public announcement. Unfortunately, your surprise is about to be spoiled. It happens sometimes, as much as we work to prevent it—from accidental embargo slips to insider leaks. But in this case, it’s arguably the worst-case scenario: Your company has been breached and information about the product was stolen.
It’s unfortunate, but such breaches are not an uncommon occurrence—it’s something security professionals are far too familiar with. They occur across sectors, yet the way the data is stolen often includes familiar patterns. There are plenty of possible suspects, and untangling their motives is difficult. But in this cybersecurity game of “Clue,” we’re less concerned if it were Mrs. Peacock or Professor Plum. We want to know what the weapon was and how to prevent future murders.
There are a variety of useful weapons in an attacker’s arsenal. Downloaders, administration tools, and infostealers all often play a part in such an attack. But the go-to tool in many scenarios like this today are remote access trojans, often referred to as a “RATs.”
The anatomy of a RAT
A RAT is a swiss army knife of sorts. Distributed through familiar vectors, such as malicious downloads and email attachments, many RATs include all the weapons mention above, and more, making it easier for an attacker to leverage each component when carrying out an attack. In short, a RAT consolidates a number of tools into one package.
There is a lot of variation from RAT to RAT. Some are generalist tools, meant to be used across a variety of attack scenarios. Others are highly tailored to a specific attack. Some RATs use predetermined proxies to help mask an attacker’s ultimate location. Other RATs may leverage command-and-control (C2) infrastructure to do the same.

While the functionality and infrastructure used by a given RAT will differ, what follows are common features found within many RATs. To illustrate an attack, let’s take it back to our tech company breach, showing how an attacker can leverage a RAT to gain access to, and steal, sensitive files on your upcoming product.
Gather system information
The attacker managed to breach the defenses in your company using a phishing email that included a link to the RAT. However, that doesn’t mean that they will immediately know where they are on the network. They’ll naturally want to learn more about the computer they compromised. Is it an administrative assistant’s desktop, a laptop belonging to finance, or a web server? Performing reconnaissance on the system helps the attacker learn how deep into an organization they have penetrated, if they need to move laterally, or if they’re reached their intended target. Some reconnaissance tools even allow an attacker to scan other systems, gathering information about them.
Steal usernames and passwords
The attacker got onto one machine, but it wasn’t the intended target. They’d compromised a computer belonging to someone in the engineering group, but the materials they were after resided on a shared server. To move laterally, they may want to try searching for login credentials on the system they’ve already compromised. Many RATs include the ability to scrape saved and cached passwords, and once the usernames and passwords are in hand, the attacker can attempt to log into the shared server.
Log keystrokes
The attacker scanned the compromised computer looking for the login credentials, but no luck. Good news? Yes, but it’s only a minor setback. Many RATs include information-stealing components like keyloggers, meaning all the attacker has to do is enable it, and wait for the user of the compromised system to log into the shared server. When they enter login credentials, the attacker can capture them, and later attempt to log into the server themselves.
Download further malware
The attacker was able to obtain login credentials; however, their attempt to log in failed. (Perhaps your company uses multi-factor authentication?) To get to that shared engineering server, the attacker is going to have to call in reinforcements. They’ve identified a vulnerability on the shared server, and they need an attack toolkit to exploit it and gain access. Given how networks vary widely, many RATS include the ability to download further tools to assist them in gaining further access. In this case, the RAT operates like a downloader, pulling down an attack toolkit that allows the attacker to progress.
Accessing and uploading files
The attacker managed to gain access to the shared server, traversed its directory structure, and located documents that outline your new product’s features. The next step is to exfiltrate those files. Most RATs contain the ability to upload files to a predetermined location. This is often done with help of a proxy or through a C2 infrastructure, thus covering the attacker’s tracks as they steal the documents in question.
Recording audio, video, and taking screenshots
There may be times that an attacker isn’t satisfied with simply stealing design docs. Perhaps they obtained a slide deck, but it lacks context in certain slides. In order to learn more, they might want to return their attention to the initially compromised computer and have the RAT to record audio and/or video. The RAT might overhear the engineer speaking to a coworker or capture a video of a presentation meeting that discusses the product. RATs can often take screenshots as well, capturing critical documents on display.
Other uses
This is just one scenario where a RAT could be used end-to-end in an attack. RATs can be used in other situations as well. For instance, what if an attacker is hoping to exfiltrate financial data? A RAT can be leveraged to scrape banking details from a compromised computer or collect credit card numbers using a keylogger.
What’s important to highlight is that most RATs provide command line access to the systems that have been compromised. If adequate administrative rights are gained on these computers, an attacker can use a RAT to do just about anything that he or she desires.
Notable RATs
RATs have been around for a long time, and many prominent RATs have come and gone. Some recent RATs that have been prevalent on the threat landscape include Orcus RAT and RevengeRAT, which have been used by a variety of threat actors. Another commonly seen RAT is ExileRAT, which has been used in attacks with possible espionage-related motives, and shares a C2 infrastructure with the LuckyCat family of threats.
Not all RATs are built from the ground up either. Some are semi-legitimate tools, repurposed or reconfigured for malicious use. Two such examples include Imminent RAT and Remcos.
There are a number of attack groups monitored by Talos Intelligence that use RATs in their malicious campaigns. The SWEED threat actor often used Agent Tesla, the Panda threat actor has been seen dropping Gh0st RAT, and the Tortoiseshell group, who was recently caught scamming veterans, uses a RAT called IvizTech.
To catch a RAT
So the attacker managed to get into your network and obtain your product plans this time. How do you prevent them from doing it next time?
Fortunately, there isn’t anything particularly special about the way a RAT gets onto a system. They’re distributed in much the same way as other types of malware: they’re sent by email, dropped by droppers, set up as the payloads for exploit kits, along with other common attack vectors. Consider the following:
A good endpoint protection application is very useful in protecting against RATs. AMP for Endpoints blocks malware at point of entry, then detects, contains, and remediates advanced threats.
Monitoring network traffic for unauthorized activity is also important. Cisco Stealthwatch is the most comprehensive visibility and network traffic security analytics solution that uses enterprise telemetry from the existing network infrastructure.
Many RATs encrypt their traffic, as we discussed in last month’s Threat of the Month blog, so be sure you can monitor such traffic as well. Encrypted Traffic Analytics provides insight into threats in encrypted traffic, without the need for decryption, using network analytics and machine learning.
Being able to connect to C2 domains is vital for many RATs to function. Blocking known malicious domains can go a long way in stopping a RAT in its tracks. Cisco Umbrella uses DNS to stop threats over all ports and protocols—even direct-to-IP connections—preventing connections to attacker’s servers.
Multi-factor authentication products can prevent an attacker from logging into a system if they manage to obtain login credentials. Verify users‘ identities with applications such as Cisco Duo.
A good email security solution, as well as a strong network perimeter, will help to ensure that RATs are blocked outright. Cisco Email Security is your best defense against such attacks via email, while Cisco’s Next-Generation Firewall can stop attacks at the network boundaries.
A web security appliance with data loss prevention (DLP) features will also assist in cases where a RAT gets in and is attempting to steal sensitive information through the network. The Cisco and Digital Guardian DLP solution is a high-performance, comprehensive security solution for data in motion.
Enjoyed reading this Threat of the Month? Subscribe to the Threat of the Month blog series and get alerted when new blogs are published.

Source:: Cisco Security Notice

Cisco Named a Leader in the 2019 Forrester Zero Trust Wave

By Dr. Gee Rittenhouse “Cisco has adopted a zero-trust strategy and is well-positioned as a prominent zero-trust player.”
– The Forrester Wave: Zero Trust eXtended Ecosystem Platform Providers, Q4 2019
In today’s modern work environment, where access happens everywhere, security is increasingly complex. With users, devices and clouds moving outside the traditional network, the perimeter has greatly expanded and created
gaps in visibility – making organizations more susceptible to an attack. To reduce organizations‘ vulnerabilities, Cisco has been working to build the most comprehensive and integrated security platform that covers customers whether they are working at headquarters, at a branch office or on-the-go.
A key pillar of that platform is zero-trust. With this model, we move from allow all users, devices and workloads by default to one where organizations do not trust anything inside or outside their network perimeter. Access is only granted to authorized users, devices and workloads after establishing trust and preventing threats—all without a decline in the user experience.
Cisco has been investing in and building the most expansive zero-trust framework in the industry for securing access across the workforce, the workplace and the workload. It is what customers require in this evolving work environment, and the market is taking note. With that, I am proud to share that Cisco has been named a leader in The Forrester Wave: Zero Trust eXtended Ecosystem Platform Providers, Q4 2019 report.

“[Cisco] spent significant time and expense to realign much of its security portfolio to enable or enhance zero trust for its customers.”
– The Forrester Wave: Zero Trust eXtended Ecosystem Platform Providers, Q4 2019

We believe this recognition is validation of Cisco’s multi-year zero-trust vision and strategy. We have long led this market with SD-access and segmentation technologies in our network infrastructure. With the acquisition of Duo last year, we were able to add an additional layer of security with its authentication and adaptive policy technology and extend trusted access to multi-and hybrid-cloud environments. Then with the addition of Tetration, we have been able to ensure that our customers‘ cloud applications remain secure.

These products have come together to create the most comprehensive framework for securing access across three key fronts:
Workforce – Using multi-factor authentication (MFA) and contextual user access policies, Duo allows organizations to verify an employee’s identity to ensure they are who they say they are and add more checks on the trustworthiness of devices through security health inspections.
Workplace – With SD-Access, we are protecting the workplace by securing all connections into and across the network by using segmentation, so that users and devices are only getting access to what they need access to do their job and function.
Workload – Workloads are dynamic, moving across private, hybrid cloud and multi-public cloud environments. With Tetration, you can automate enforcement of highly specific segmentation policy for applications in your multi-cloud environments.
With Cisco Zero Trust, you can ensure secure, trusted access wherever it happens. Start your zero-trust journey today by signing up for a free Duo trial; demoing Tetration and learning more about SD-Access.
Download The Forrester Wave: Zero Trust eXtended Ecosystem Platform Providers, Q4 2019 report.

Source:: Cisco Security Notice

Privacy is a Shared Responsibility

By Harvey Jang Privacy is an evolving topic with diverse perspectives on how best to balance the rights and interests of consumers and companies. As allegations of data mishandling fill headlines, privacy is now front and center on everyone’s minds. While data has been the lifeblood of innovation and economic growth, there has also been excessive data collection, lax security, and undisclosed sharing. Public opinion and new laws are starting to curtail some of this bad behavior – creating both compliance challenges and business/brand opportunities.
Respecting privacy is a balancing act between the companies collecting data and the consumers providing it. To earn and preserve (or in some cases regain) trust, companies must be transparent, fair, and accountable.
“Meaningful transparency” is a bit elusive, but certainly requires more than just a “legally compliant”, lengthy privacy notice. Transparency requires being open and honest about what data is collected, why it’s needed, how it’s used, the benefits to consumers and businesses, data sharing/sale, and how data protected throughout its lifecycle.
In turn, transparency drives fairness — the market (consumers, regulators, and plaintiffs‘ lawyers) will judge if a company’s practices are appropriate. It has become increasingly apparent that consumers do care about privacy and are taking action to protect it (e.g., switching vendors, calling for legislative action, lodging complaints with regulators, initiating legal action, etc.) — making privacy both a compliance obligation and a business imperative.
Accountability is about having the governance and controls in place to operationalize and demonstrate that the promises made about data processing activities are followed. Essentially, it’s making sure companies say what they do and do what they say (and no more).
At Cisco, we have both the legally required, comprehensive privacy statement published at and Privacy Data Sheets with accompanying infographics providing more detail around the data in play when using specific products and services. These documents offer a plain language, visual representation of who, what, where, when, why, and how we protect privacy throughout the data lifecycle. These public documents are designed to eliminate surprise and give users comfort that their data is safe when using Cisco products and services.
While companies must respect and protect privacy, consumers also have an important role to play. There is no “one size fits all”. When it comes to sharing personal information, there’s a wide range in comfort level. Without being too paranoid, people must recognize the more they publish online, the more fodder is available for bad actors to exploit. Before we post things publicly, we need to think about both the intended use and how that same data may be misused (inadvertently or nefariously).
Here are some tips on keeping your family safe online. Download.

Source:: Cisco Security Notice

Threat Roundup for October 18 to October 25

By Talos Group
Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between Oct 18 and Oct 25. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.
As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center,, or
Read More
TRU10252019 – This is a JSON file that includes the IOCs referenced in this post, as well as all hashes associated with the cluster. The list is limited to 25 hashes in this blog post. As always, please remember that all IOCs contained in this document are indicators, and that one single IOC does not indicate maliciousness. See the Read More link above for more details.

Source:: Cisco Security Notice

How to post a successful Mantis Request

Source:: Innovaphone

Hit the Simple Button to Solve Complex Security Problems

By Rajat Gulati The Changing Face of Cyber Security
Cyber Security is quite like an onion; it brings tears to your eyes! And we at Cisco have made it our mission to wipe those tears and put a smile back on your face.
But the onion analogy does not end there. Good Cyber Defense is architected in layers, much like the anatomy of the tear-jerking bulbous root. As the network expands beyond the traditional perimeter, so does the need to provide defense in depth. We all see the trend: The boundaries of the network are blurring, even as it is being called upon to process even larger amounts of data. To monitor the pulse of your network, you have to dig deeper to find answers to the questions such as “Who attacked us?” or “What was compromised, and when?”. Your security teams might break into a sweat dealing with this reality without help, as the attack surface continues to expand.
Gone are the days when a bouncer at the entrance of your bar (or your friend’s bar) could keep troublemakers out. Today, bad actors can seep in through other points of entry, or disguise (encrypt) themselves and walk right through the front door. They sometimes even enter in plain sight, especially if they are not on the most-wanted list (yet). How then do you protect against such elements from seeping through the cracks?
What you need, if you stay with the bar analogy just a little longer, is a ‘stealthy‘ manager monitoring the behavior of all entities on your premises, so that you can get alerted when something looks amiss. This trusted aid should be armed to receive inputs from multiple sources: all points of entry, as well as from folks working the floor itself.
Jump back now to the real world of IT infrastructure (unless you actually own a bar, you should still read on), and what you need is a method to monitor all your traffic, both inbound/ outbound and lateral, using a single analytical tool. By bringing together these critical sources of telemetry, you get a unified view of your perimeter and internal threats, not by manual or point-by-point correlation, but by automated and programmatic means. In this manner, you get complete end-to-end visibility into your network, with the ability to detect threats and indicators of compromise. Now, what if this capability was available without need for authoring lengthy configurations or complex rules, while requiring minimal care and feeding? All of this may to sound like a fantasy novel, but often times facts are stranger than fiction.
Welcome to Cisco Security Analytics and Logging
Cisco Security Analytics and Logging was born in the cloud, with simplicity and ease of use as a core design tenet. It has a self-evident name, and an equally simple goal in mind: aggregation of your disparate sources of telemetry into a single data store. Automated means of analysis (statistical, M/L and behavioral modelling) can then be performed on this combined data set, treating it as a single logical input. Since every aggregation effort must have a start point, Security Analytics and Logging’s kick-off candidates are the most voluminous telemetry producers in networks today:
Firewall logs, which keep track of every connection made, and well as any incidents encountered (IPS/IDS or File/ Malware), mostly at the perimeter.
Internal traffic telemetry produced by connections between network elements such as endpoints, switches, wireless access points, routers, etc. on your premises.
To bring together perimeter and internal telemetry, Security Analytics and Logging integrates two avant-garde SaaS products in Cisco’s security portfolio:
Cisco Defense Orchestrator, a cloud-delivered, SaaS-based solution that cuts complexity for consistent management of policies across Cisco security products.

Stealthwatch Cloud, a cloud-delivered, SaaS-based solution that provides end-to-end visibility, behavioral analysis, and threat detection across your private network, public cloud, and hybrid environments.

Now, you might wonder “Why stop there”? We hear you, and you are right; we are NOT stopping here. Rather, this is just the start. Security Analytics and Logging is being built out as an aggregator of data, to provide intelligence derived from desperate points in the network, treating them as a pool for analysis. The discerning mind will differentiate this as being different from the outcomes of say a SOAR, which correlates processed data, rather than crunching raw data. In this manner, the output of Cisco Security Analytics and Logging’s analyzed outcomes become a source of input for other Incident Response (IR) tools.
Tell me why we need this:
Bringing machine-scale analysis to human-scale understanding
This is how I would explain it to my Grandmother: Information is Power. The more information I can gather, the better equipped I am to arrive at the correct conviction of a threat. While I can gather convictions from numerous trusted inspectors, I can also gather my own raw data straight from the source and build my own point of view. The disadvantage of relying on others‘ convictions alone is that each of them may have a limited view of the world; perimeter only, endpoint only, content only, etc. What if I gathered all the information for myself, treating these various sources as sensors, and made my own conviction in addition? Am I better or worse off?
My smart grandmother would say, “Well, that depends on your ability to process all that information intelligently”. And she would be right; You need a best of breed analysis engine to do your intelligent tasks. It is for this reason that Security Analytics and Logging is powered by Stealthwatch Cloud’s advanced entity behavioral modeling and threat detection engine. We use a combination of behavioral modeling, multilayered machine learning, and global threat intelligence to automatically detect threats. For those amongst you who are already familiar with the magic of Stealthwatch Cloud, I know you must be eager to end the conversation with my grandmother, order Security Analytics and Logging, and head to your friend’s bar. Stay a little longer, and I promise that you will be on your way.
Visibility, Visibility, Visibility
It all starts with visibility. You cannot protect what you cannot see. Often times, you don’t even realize what it is that you should be monitoring. Therefore, when it comes to visibility, there are some more advanced questions that need to be addressed. These questions may come up in a conversation with your security budget office. We shall speak to some of those now:
Question 1 – Tell me what ‘accretive‘ outcomes I achieve by sending firewall logs to Security Analytics and Logging for Analysis?
That is a great question. First of all, behavioral threat detections are based on baselining of network behavior based on established patterns. This is widely considered a more dynamic way of detecting threats than static rules or content-based inspection methods. It may come as no surprise to anyone that notwithstanding the most robust IPS/DPI inspection policies and rules, suspicious behaviors continue to be detected inside networks. The key word to understand here is ‘accretive‘; it is by no means suggested that Cisco Security Analytics and Logging attempts to be or will ever replace other sensors such as firewalls. It does however certainly enhance the efficacy of the said sensors, by allowing correlation of anomalous behavior within your network, with the traffic that is associated with it. Such analysis may point to a potential data exfiltration or a compromised insider. As stated before, Security Analytics and Logging enables you to additionally monitor traffic generated between your internal network elements (endpoint to access points, between switches and routers, etc.). Your firewall may not be in the path of this traffic, so may not be able to provide the depth of visibility needed for making high-fidelity convictions.
Question 2 – Apart from Security alerts based on correlation of my firewall logs and Network traffic, does Cisco Security Analytics and Logging provide any other outcomes?
It certainly does. One of the primary use cases of storing NGFW logs is providing a historical and live view of said logs. NetSec operators love (?) sitting in front of these views and scrolling to troubleshoot based on connections that have occurred at a particular time with a particular IP address. With filters on search, Security Analytics and Logging fulfills this use case, providing real-time visibility of what is happening at your firewalls. What is more, this view is rendered within the CDO (Cisco Defense Orchestrator) user interface. Furthermore, since CDO is the curator of firewall tenants analyzed by Security Analytics and Logging, it is simpler to view logs in the portal that is used to manage those very devices.
Question 3 – If I am an existing Stealthwatch Cloud customer using my private network monitoring, what accretive value can I derive from Security Analytics and Logging?
Let’s break this down. A firewall connection log has visibility beyond what just network elements can provide. An example for this could be blocked connections, which will immediately show up in the event viewer in CDO. Filtering by all ‘blocks‘, the operator can plainly see the policies that was responsible for the block. This is just one example of numerous workflows /sources that contribute to enhanced visibility that results from Security Analytics and Logging.
Better efficacy with smarter security
With our new offering, get ready to leverage effective policy management with CDO powered by Stealthwatch Cloud’s advanced behavioral analytics, for total network visibility and faster breach detection. You can now make better security policy management decisions with greater visibility and threat detection capabilities across the firewall and network. As the biggest security company in the world, Cisco has committed itself to solving platform-level challenges that span all the points in your network.
The good news is that Cisco Security Analytics and Logging, is just starting up. The intent is to foster a new security paradigm, one that reduces risk and makes compliance easier; one that fuses your business and security architecture, that frees your workforce to focus their valuable time and energy on business objectives. This will empower them to think less about threats, and more about opportunities.
Time now to enjoy that drink. Cheers.
Click here to learn more about Cisco Security Analytics and Logging for more details on how we are raising the bar on network security.

Source:: Cisco Security Notice

How much security do you really need?

By Wendy Nather Does money make you feel secure? Probably not if you’re a CISO. According to our new report, “The Security Bottom Line,” no matter how large your budget is, you’re not likely to feel that you have everything you need to effectively protect your environment from cyberattacks. But you can still put other capabilities and practices in place to shore up your defenses.
As part of the report, we surveyed security professionals about their budgeting and planning efforts. It was telling to find that:
Ninety-four percent of respondents said they know they have further to go to implement effective security.
Eighty-four percent said they were able to afford some, but not all, of the minimum amount of security they needed to defend their infrastructure.

Security Success Factors
If it’s not all about the money, what other factors come into play? Through a double-blind survey of IT decision makers, the report examines various sized organizations‘ security prowess through the lens of:
Budget – How much are organizations spending on security?
Expertise – Do they have the appropriate staff and skills to comprehensively protect their most critical assets?
Capability – What other conditions can get in the way of strong security? (For example, architecture, regulations, etc.)
Influence – Can IT and security buyers influence vendors and partners to help safeguard their infrastructure?
All of these are critical aspects that contribute to a security program – it’s not just about funding. We can’t throw money at a problem without having the right foundation to make it work.
Security Maturity Pyramid

Source: Cisco 2019 Security Bottom Line Survey
Our new report explores fundamental steps organizations can and should be taking to strengthen their security – regardless of how much they have to spend. For example, conducting a cyber risk assessment, or increasing security staff training.
Do you have the right resources and strategies in place to proactively defend your environment? We invite you to explore “The Security Bottom Line” to determine where your organization stands amid your peers, and learn how you can take security to the next level.
Download report
Find out how Cisco Security can help

Source:: Cisco Security Notice

5 Key Takeaways from 2019 Stealthwatch Customer Research

By Bryan Doerr At Cisco, our customers drive what we do in security. Stealthwatch provides customers around the clock visibility, and a system that keeps up with changes in their IT environments. In a survey that was sent to over 10,000 Stealthwatch customers, we were able to identify what sorts of security challenges are top of mind. Next, we examined how we could address these issues in the most helpful way. Stealthwatch provides users a comprehensive look into their security network. It reaches every port, host and every single individual threat that poses a security breach. Here is a breakdown of the most important takeaways from our research:
1. Lack of visibility was the top challenge that led our customers to Stealthwatch
Lack of visibility, insider threats, and the inability to conduct in-depth network analysis were the top three challenges for our customers and lack of visibility led the group. Those reasons haven’t changed much over the 17 years Stealthwatch has been in the market! Stealthwatch provides visibility across the enterprise network, from on-premises to cloud deployment. Further, it applies behavioral modeling and machine learning to generate alerts like data hoarding and data exfiltration, both of which are key indicators of insider threats. Stealthwatch is also able to store network telemetry long-term so that a security team can easily investigate incidents that have occurred in the past. As a result, Stealthwatch helps customers face these challenges head on. 74% of Stealthwatch customers agreed that Stealthwatch is a must have component of their network security. This number means we are doing our job!
2. Customers want a solution that integrates into their network and security stack
Our customers love the synergy between Cisco technologies. In fact, 67% believe that this is the #1 reason to choose Stealthwatch. Integration with Cisco products ensures that customers maximize their investment and ensure optimal operation of their network. Comprehensive visibility, ability to analyze encrypted traffic without decryption, and scalability were some other reasons why customers chose Stealthwatch. Stealthwatch consumes various types of telemetry from the network, endpoint, cloud and data center, and uses advanced analytics infused with Cisco Talos threat intelligence to find hidden threats. The survey identified Encrypted Traffic Analytics and integration with Identity Services Engine (ISE) as Stealthwatch’s most important features. The new Visibility Assessment app, which provides visibility into the overall network health, was also highly rated. In addition to summarizing traffic and conditions on the network, this app allows generation of a PDF security status report for senior management who typically don’t use the Stealthwatch dashboard.
3. Multi cloud and hybrid cloud are becoming increasingly common, bringing new security challenges
More than 95% of Stealthwatch on-premises respondents have deployed or are planning to deploy one or more cloud platforms spanning across Amazon Web Services (AWS), Google Cloud Platform (GCP), and Microsoft Azure. Our SaaS (software-as-a-service) offer, Stealthwatch Cloud, can monitor all these environments by consuming native cloud telemetry such as VPC (Virtual Private Cloud) flow logs and NSG (Network Security Group) flow logs. In addition to disruption in service, cloud-related breaches can result in huge bills due to its pay-as-you-go pricing model. Customers understand that they need to secure their cloud network. Stealthwatch Cloud allows them to use a single security tool to do so. Customers identified unauthorized access, data loss, insider threats and misconfigurations as common cloud security challenges. Stealthwatch Cloud detects all these incidents.
4. Forensic analysis to determine the source and impact of the threat is one of the key use cases
Because Stealthwatch casts such a wide net on an organization’s network, it can address a number of different use cases. Interestingly, the top one mentioned by customers was the ability to investigate sources of threats through network audit trails. Stealthwatch can store network telemetry for long periods, allowing for forensic analysis related to past and current events. The intuitive flow search capability and included contextual information related to threat detections are presented within the user interface (UI), which helps accelerate incident response.
Other ways in which Stealthwatch helps our customers is the visibility it provides across users, devices and applications connecting to the network – who are they and what they are doing. Using this visibility, Stealthwatch can detect advanced threats quickly before they turn into a high-impact breach. Customers also love the fact that they can extend their existing network investments to improve security by seamlessly integrating Stealthwatch into their environment. Additionally, many customers use Stealthwatch to simplify their segmentation strategy. With the visibility it provides, Stealthwatch can help define effective security policies and trigger events when policies are violated using custom security events. Allowing customers to check assumptions related to normal network traffic is a key segmentation benefit offered by Stealthwatch.
5. Stealthwatch discovers a broad spectrum of security threats for our customers.
Lastly, customers provided feedback on the kind of things Stealthwatch has discovered in their environments:
Threats in encrypted traffic like malware/spyware (C&C) connections
Cryptomining activity
WannaCry campaigns
Configuration changes
Legacy devices that were thought to be disconnected from the network
Suspicious behavior
Security policy violations

The Stealthwatch team is committed to improving based on feedback from our customers. We thank all of our survey respondents.
You can find the detailed customer research and testimonials from this year as well as past surveys here.
To learn more about Stealthwatch, go to: or sign up for our free visibility assessment.

Source:: Cisco Security Notice

Gustuff return, new features for victims

By Talos Group The Gustuff banking trojan is back with new features, months after initially appearing targeting financial institutions in Australia. Cisco Talos first reported on Gustuff in April. Soon after, the actors behind Gustuff started by changing the distribution hosts and later disabled its command and control (C2) infrastructure. The actor retained control of their malware since there is a secondary admin channel based on SMS.
The latest version of Gustuff no longer contains hardcoded package names, which dramatically lowers the static footprint when compared to previous versions. On the capability side, the addition of a “poor man scripting engine” based on JavaScript provides the operator with the ability to execute scripts while using its own internal commands backed by the power of JavaScript language. This is something that is very innovative in the Android malware space.
The first version of Gustuff that we analyzed was clearly based on Marcher, another banking trojan that’s been active for several years. Now, Gustuff has lost some similarities from Marcher, displaying changes in its methodology after infection.
Today, Gustuff still relies primarily on malicious SMS messages to infect users, mainly targeting users in Australia. Although Gustuff has evolved, the best defense remains token-based two-factor authentication, such as Cisco Duo, combined with security awareness and the use of only official app stores.

Source:: Cisco Security Notice