Buyers Beware: Scamming Is Rife, Especially In a Time of Crisis

By Dean De Beer For years, scammers have been using a combination of Blackhat SEO techniques, phishing sites and newsworthy events to either trick individuals into giving up personal information including credit card numbers or to install malware or both. Preying on an individual’s fears has always been a go to tactic for scammers.
Recently a friend texted me and asked if I could take a look at a website his wife used to try and buy some 3M N95 face masks from. He was concerned that the site did not appear to be legitimate. “Sure”, I said, “What is the domain?” He sent it over. mygoodmask[.]com. Having spent the last decade looking at malware, spammers and scammers, I responded immediately, “Yes, it’s very bad. Tell her to cancel her credit card as soon as possible.”
I figured I’d take a closer look at the domain to confirm if I was right. Dropping the domain into Cisco Threat Response – our platform that accelerates investigations by automating and aggregating threat intelligence and data across your security infrastructure. Threat Response didn’t return anything useful aside from the IP Addresses it resolved to. Since the platform is configured for my test organization at the office, it’s not going to show me any hosts that may have visited that domain, but it is still a great source of intelligence. It showed that Cisco was aware of the domain, but there was no additional information – not surprising for newly created and used domains. There is more than one way to determine if a domain is suspicious.

Enriching the two IP addresses, 50[.]97.189.190 and 66[.]147.244.168, returned everything I needed to decide that the original site was malicious. Nearly two hundred domains resolving to those two addresses, none of which looked like ones I’d like to end up on.

At this point I was curious about the website itself and wanted to take a closer look. I submitted the domain to Threat Grid, Cisco’s malware analysis tool. It immediately redirected to greatmasks[.]com which resolved to 37[.]72.184.5. Using Glovebox, a capability in Threat Grid that allows full interaction with the virtual machine, I attempted to buy some masks from the website. I used an expired card number to purchase my masks. They are using PayPal to collect payments and validate card numbers.

The results produced from the analysis highlighted further details on the website, indicating a high level of suspicious activity.

Drilling down on the IP address that the new domain resolved to, we found another related domain, safetysmask[.]com. At this point it would be easy to create a new Casebook and add these observables to the investigation.

For me, one of the most telling signs of an unknown domain is the lookup frequency and activity mapped to the domain creation date and DNS changes. A scammer may register domains and park them until they’re ready to use them. At that point they’ll set up a website and point that domain to an IP.

Looking at the timeline and domain lookup activity in Cisco Umbrella, our DNS-layer SaaS solution, it’s clear that this website has been up for less than a month which is unusual, especially in context of this investigation.

Using a combination of our platform capability and our DNS-layer security, I was able to validate that this domain, IP Addresses, and related domains were malicious. With investigations of this nature, the domain or IP might not always have a known disposition at a certain point in time but often, by following the breadcrumb trail of related information, it’s easy to make a determination and judgement about the original domain. Another path to determining the disposition of these domains is to drill down into the observables in Umbrella.

Cisco Security products not only integrate via Threat Response, there are multiple direct integrations between products as well. These integrations are used to share threat intelligence produced by individual products and to share capabilities across products through API integrations, data visualization and cross product capabilities such as Casebook’s browser plugin.
Umbrella, our cloud-delivered DNS- layer of protection, integrates with Threat Grid, our malware analysis tool, and this allows Umbrella to show information produced through dynamic analysis, mapping domains and IP addresses to samples seen in Threat Grid’s global database, providing another method of determining disposition.
By the end of my digging, I had found hundreds of scams related to sports events, fashion accessories, flu season and more. All easily searchable within your organization via Threat Response and just as easily blocked via Umbrella.

What began as just a way to help a friend one evening, became a quick but comprehensive investigation into how bad actors are trying to capitalize on a global health crisis. Hopefully this was helpful in showing how easy it can be to validate the disposition of a domain using related observables, and in doing so, build out a collection of new content to be leveraged in your environment for detection and prevention. Writing this up took longer than the investigation itself.
Note to readers:
If you’re using Threat Response and Umbrella, you’ll be able to reproduce this investigation using the original domain and the domains and IP found in Threat Grid’s analysis of the website.
Dean used the following in his investigation:
Cisco Threat Response:
Cisco Umbrella:
Cisco Threat Grid:

The post Buyers Beware: Scamming Is Rife, Especially In a Time of Crisis appeared first on Cisco Blogs.

Source:: Cisco Security Notice

Trickbot: A primer

By Talos Group In recent years, the modular banking trojan known as Trickbot has evolved to become one of the most advanced trojans in the threat landscape. It has gone through a diverse set of changes since it was first discovered in 2016, including adding features that focus on Windows 10 and modules that target point of sale (POS) systems. Not only does it function as a standalone trojan, Trickbot is also commonly used as a dropper for other malware such as the Ryuk ransomware. The wide range of functionality allows this malware to adapt to different environments and maximize effectiveness in a compromised network.
The post Trickbot: A primer appeared first on Cisco Blogs.

Source:: Cisco Security Notice

Zero chance of tackling zero trust without a platform approach

By Ben Munroe Zero trust has gone mainstream. Everyone’s either promoting the concept, offering solutions to address the challenge, or just wanting to understand what it’s all about. And that’s the trouble: it means different things to different people, especially the word “trust,” which is a loaded term in security.
Just as we don’t trust hackers and cybercriminals, we do want to trust our employees, contractors, and business partners, don’t we? How do we succeed in business, after all, without trusting our users and guests to seamlessly access our data and resources?
That’s actually where zero trust comes in. We permit users to access the resources they need to get their jobs done. We try to stay out of our users‘ way when we can. And we don’t do so blindly. We put safeguards in place to make sure users don’t leverage their access for wrongdoing, and that outsiders don’t usurp that access to carry out attacks.
As discussed on a recent security podcast, while zero trust is not new, it is now moving from the realm of hype to a pragmatic, accepted standard. In fact, Cisco was recently named a leader in the 2019 Forrester Zero Trust Wave.
Don’t let just anyone into your home…
Think of it this way. We choose to let certain visitors into our homes, but we don’t let just anybody in. We make sure we know them first, or that they can prove they’re from the plumbing company we called, for example.
We have security cameras so we can watch what people are doing when they approach our home and door. We have locks on our doors, and fences and gates around our yards, so we can decide who gets in and out. And when people do come in, we often confine them to certain areas of the house.
In a nutshell, that’s what zero trust is for our computing environments. It’s a comprehensive approach to securing access across your networks, applications, and infrastructure – including access from users, computers, phones, IoT devices, cloud applications, and more.

Amidst today’s complex computing environment, security teams are losing visibility into and control over who and what is accessing their networks and data. According to our 2020 CISO Benchmark Report, 52 percent of respondents find mobile devices very or extremely challenging to defend. And, 52 percent also said that it is very or extremely challenging to secure data stored in the public cloud.
Traditional security solutions were based on the concept of a finite network perimeter. But with the evolution of today’s workplace, the perimeter has changed due to the introduction of technologies like cloud, mobile, and the internet of things (IoT). We can no longer base security on the location from which an access request originates – because today’s users and devices are everywhere.
Cisco Zero Trust
By verifying the validity of every access request, no matter which user, location, and device it comes from, zero trust ensures that only the right users and devices get access, and that attackers cannot move laterally across the network. However, not all zero trust models are created equal.
Cisco Zero Trust protects your workforce, workloads, and workplace.Some zero trust solutions focus on just one component of your ecosystem, while Cisco Zero Trust offers comprehensive security across your workforce, workloads, and workplace, and dynamically adjusts to address new levels of risk. Cisco also extends zero trust across our security portfolio, and to third-party technologies, to enhance visibility and policy enforcement across your entire infrastructure.
In other words, your home security measures can protect your house and yard, but can they also secure the people, appliances, and other objects in and around your home?

Cisco Zero Trust video
Main components of Cisco Zero Trust
Zero trust is a framework and way of doing security, versus a single product or solution. That’s why vendors who want to sell you a single product to solve your zero trust challenges should be looked at with suspicion. Zero trust takes the precise coordination of people, processes, and technology to do it right. The key pillars of Cisco’s zero trust strategy include the following:
Secure your workforce
Duo Security secures your workforce, ensuring that only the right users and devices can access applications. It helps protect your users and their devices against stolen credentials, phishing, and other identity-based attacks. And, it verifies users‘ identities and establishes device trust before granting access to applications – from any location.
According to Vivian Ho, Software Engineer at Lyft, “My team’s main objective is to design and build tools and services that help keep Lyft’s infrastructure and data safe, and we believe Duo is a trusted partner in this journey…we see Duo serving as a core technology building block to enable our zero trust security philosophy.”
Protect your workload
Cisco Tetration protects your workloads, securing all connections within your applications across data centers and multi-cloud environments. It contains breaches and minimizes lateral movement through application micro-segmentation.
“Tetration gives me 20/20 vision in the data center,” said Eugene Pretorius, CIO of Infrastructure and Security at First National Bank. “It’s the only tool in the world that can show what is happening across the network, application, and server planes all on one screen.”
Defend your workplace
Cisco SD-Access segments your workplace, securing user and device connections across your network, including for IoT devices like cameras, manufacturing equipment, heart pumps, and more.
“With Cisco SD-Access, we can automate and apply segmentation and security policies to our network devices up to 10 times faster than before,” said Frank Weiler, who heads up the networking department for the City of Luxembourg.

Cisco SecureX – A platform approach to zero trust
The above technologies work together, and with other Cisco and third-party technologies, through our platform approach to security – SecureX. Today’s security professionals can no longer get by with siloed technologies. With SecureX, the whole is greater than the sum of its parts as multiple security technologies are integrated to share information and work together as a team. Ninety-five percent of customers say SecureX is valuable for helping them take action and remediate threats.
Cisco SecureX is the industry’s broadest, most integrated security platform.Much like the security sensors on the windows in your home can trigger an alarm, which alerts your home security provider, who can call the police – SecureX seamlessly unifies visibility, enables automation, and strengthens security across network, endpoint, cloud, and applications. It’s all about greater simplicity and better security.
At the heart of our platform approach is the belief that security solutions should learn from one another and respond as a coordinated unit. And, that security should be built in versus bolted on, making it more holistic and effective. With this kind of strategy, implementing zero trust becomes less of a manual, onerous process, and more of an invisible, yet powerful means of protecting your environment – reducing the attack surface and accelerating incident response.
Get started with zero trust
Protect your network like you protect your home. Go to and for further details.
The post Zero chance of tackling zero trust without a platform approach appeared first on Cisco Blogs.

Source:: Cisco Security Notice

Stealing passwords with credential dumping

By Ben Nahorney What’s the quickest way to access a computer? Logging in. As obvious as this may sound, it’s worth reflecting on this. Because while logging in is so second nature that you probably don’t give it much consideration, it’s also one of the most common techniques for taking over a computer.
From a malicious standpoint, stealing and using legitimate credentials to gain access is more likely to go undetected as an attacker attempts to move through a network. Dropping a trojan or exploiting a vulnerability can certainly gain you initial access, but authorized credentials help you navigate laterally under the radar.
It’s no wonder that login credentials are a primary target of bad actors. According to Verizon’s 2019 Data Breach Investigations Report, using stolen credentials was the second-most common activity conducted by attackers during a breach.
So how do bad actors go about stealing credentials? Some techniques are well known, others not as much.
The usual suspects
Phishing emails are by far the most popular method to steal credentials. As we’ve discussed in the past, the scams take many forms, from notifications that there’s a document online that you should view, to notifications of upgrades to your account.
Keyloggers—another common tool for stealing credentials—sit in the background and log keystrokes on a compromised computer. An attacker can load up a keylogger, then wait for it to record credentials as they are input into the computer.
While these are popular methods for stealing credentials, they aren’t the only options. When an attacker gains access to a system, it turns out there’s a veritable gold mine of credentials that they can attempt to access. This is where a technique called credential dumping comes in. While end users may not be aware of it, credential dumping is actually a wildly popular technique whereby an attacker scours a compromised computer for credentials in order to move laterally and/or carry out further attacks. Users may be familiar with headlines touting phishing or keylogging attacks, but credential dumping often receives less wide-spread attention; however, this only underscores the importance of understanding the attack method.
Credential dumping
There are a variety of places within operating systems where credentials are stored for use in everyday operation. If an attacker can gain access to a particular system, they can attempt to locate, copy, and “dump” the credentials.
Credential dumping is possible mainly because software and operating systems have worked to reduce the number of times a user is required to enter their password. Oftentimes, operating systems store passwords in memory, databases, or files. The idea is that the operating system will ask for a password, but then use the cached password for successive logins in the short term, saving the user from having to enter it again.
Tools of the trade
Problems arise when an attacker gains low-level access to a computer. If the attacker can execute code, he or she can extract credentials from memory with various credential dumping tools. There are several tools an attacker can wield to steal credentials in these cases. Tools like gsecdump, creddump, and PWDumpX can be used in a variety of ways to steal credentials.
However, the most popular credential dumping tool by far is Mimikatz. Developed in 2007 by Benjamin Delpy, it began as a tool to highlight a flaw in Microsoft Windows Local Security Authority Subsystem Service (LSASS). LSASS stores credentials so that users don’t have to log in repeatedly each time they want to access system resources. While the flaw in question was eventually fixed, Mimikatz evolved to become an important tool for penetration testers and other security professionals to check for credential dumping weaknesses within systems. Unfortunately, it has become a popular tool for malicious actors as well.

Where to steal
An attacker can pull credentials from different areas on a system. With access to a regular endpoint computer, an attacker can look for credentials in the following locations.
WDigestThis is a legacy protocol used to authenticate users in Windows. When enabled, LSASS keeps a plain-text copy of logged in user’s password in memory. While the service is disabled by default nowadays, it still exists in the latest versions of Windows, and attackers often enable it in order to steal credentials.
Security Accounts Manager (SAM)This is a database file that’s existed in Windows since the XP days. SAM is used to authenticate users, both local and remote, allowing access when the provide credentials match what SAM has on file. If this file is stolen by attackers, it can potentially be decrypted, and usernames and passwords stored within can be extracted.
LSA SecretsThe Local Security Authority (LSA) manages authentication and the logging in of users on a Windows system, as well as the local security policy for a computer. Sensitive data used by this subsystem is stored in a protected storage area called “LSA secrets.”
KerberosThe Kerberos protocol was specifically designed for strong, secure authentication. It does so through a ticketing system, granting various permissions to users and services. Attacks against Kerberos generally involve forging or injecting stolen Kerberos tickets to gain access.
If an attacker manages to get onto a domain controller—the network server responsible for managing authentication on the domain—then there are additional areas where credentials are stored.
NTDSThis is where Active Directory stores information about members of a domain in order to verify users and credentials.
Group Policy Preference filesThis Windows tool lets administrators roll up domain policies to include embedded credentials, making administration easier. These policies are generally stored in a share called SYSVOL, which any domain user can view, and potentially decrypt.
DCSyncInstead of a location, DCSync is a technique where an attacker takes advantage of the way domain controllers handle available API calls. In short, the attacker mimics the behavior of another domain controller through API calls and gets the controller to send over credential hashes that can be used in further attacks.
Using the credentials
Once an attacker has gathered credentials, how do they use them? It’s pretty straightforward when it comes to user names and passwords that have been stolen through phishing, keylogging, or stolen and successfully decrypted.
However, not all credentials can easily be decrypted. You may think that that’s the end of line in these cases. Unfortunately, that’s not the case. There’s a whole group of attack techniques centered around using these credentials as-is.
For instance, consider that many user names and passwords are encrypted (a.k.a. “hashed”) on the authenticating server. When you log into one of these services, they generally decrypt the password on the server and compare them. Another way to compare is to encrypt the password that arrives, then compare it to the encrypted password on file. Either way, if there’s a match, access is granted.
If an attacker manages to steal user credentials, but can’t decrypted them, they can attempt to pass them to the authentication server. If the server simply compares the two hashed passwords, and if they match, access is granted. This technique is often called “passing the hash.”
There are a number of similar authentication attacks. For instance, an attacker could also dump Kerberos tickets from a compromised system, then use them to attempt to log in in a similar fashion. As a variation of the overall theme, this attack is called “pass the ticket.”
There are plenty of variations out there. An attacker can “overpass the hash,” by which they pass a hash to an NT LAN Manager in the hopes that it will pass them back a Kerberos ticket, which they can then use to log into network resources. There are also techniques that can grant them “golden” and “silver” Kerberos tickets, which as the names suggest, offer elevated privileges and access throughout a network administered by Kerberos.
What to do
Fortunately, there are many ways to defend against credential dumping.
Monitor access to services like LSASS and databases like SAM.
Keep an eye out for command-line arguments used in credential dumping attacks.
On domain controllers, monitor logs for unscheduled activity.
Look out for unexpected connections from IP addresses not assigned to known domain controllers.
The security capabilities found in AMP for Endpoints can continuously analyze and monitor file and process activity. AMP can automatically generate alerts at the first sign of malicious behavior, such as when an attacker attempts to spawn an unauthorized LSASS process, quickly stopping attacks in their tracks before they can cause any further damage.
Of course, if an attacker does manage to steal credentials, using multi-factor authentication (MFA) can prevent the attacker from actually using them to gain access to other systems. Cisco Duo protects your systems by using a second source of validation to verify user identity before granting access.
Even better, combine the powers of AMP and Duo to reduce the attack surface by allowing AMP to notify Duo when an endpoint has potentially been compromised, allowing Duo to automatically block that endpoint from accessing critical apps that Duo is protecting.
A zero-trust strategy can also go a long way to limit or prevent an attacker from moving laterally through a network. Cisco Identity Services Engine simplifies the delivery of consistent, highly secure access control across all network connections. With far-reaching, intelligent sensor and profiling capabilities, ISE can reach deep into the network to deliver superior visibility into who and what are accessing resources, preventing unwanted access as a result.
Enjoyed reading this Threat of the Month? Subscribe to the Threat of the Month blog series and get alerted when new blogs are published.
The post Stealing passwords with credential dumping appeared first on Cisco Blogs.

Source:: Cisco Security Notice

COVID-19 relief package provides another platform for bad actors

By Talos Group The ongoing COVID-19 pandemic continues to yield new subject matter that bad actors can turn into fodder for enticing victims into clicking on malicious links and attachments. On March 27, the CARES Act was signed into law by the President, enacting a wide range of stimulus packages designed to aid Americans and businesses during the crisis. One such measure will authorize a supplemental stimulus check to American citizens.
Along with the general increase in coronavirus and COVID-19-themed attacks, this stimulus package will also be leveraged as a lure to deliver additional attacks to harm the unsuspecting victim into divulging personal information or be subject to financially based exploitation.
Talos has already detected an increase in suspicious stimulus-based domains being registered and we anticipate they will be leveraged to launch malicious campaigns against users.

The post COVID-19 relief package provides another platform for bad actors appeared first on Cisco Blogs.

Source:: Cisco Security Notice

Threat Roundup for March 20 to March 27

By Talos Group
Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between Mar 20 and Mar 27. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.
As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center,, or
Read More
20200327-tru.json – This is a JSON file that includes the IOCs referenced in this post, as well as all hashes associated with the cluster. The list is limited to 25 hashes in this blog post. As always, please remember that all IOCs contained in this document are indicators, and that one single IOC does not indicate maliciousness. See the Read More link above for more details.
The post Threat Roundup for March 20 to March 27 appeared first on Cisco Blogs.

Source:: Cisco Security Notice

Threat Update: COVID-19

By Talos Group The COVID-19 pandemic is changing everyday life for workers across the globe. Cisco Talos continues to see attackers take advantage of the coronavirus situation to lure unsuspecting users into various pitfalls such as phishing, fraud, and disinformation campaigns. Talos has not yet observed any new techniques during this event. Rather, we have seen malicious actors shift the subject matter of their attacks to focus on COVID themes. We continue to monitor the situation and are sharing intel with the security community, customers, law enforcement, and governments.
Protecting your organization from threats that leverage COVID themes relies on the same strong security infrastructure foundation that your organization hopefully already has. However, security organizations must ensure existing protections and capabilities function in a newly remote environment, that users are aware of the threats and how to identify them and that organizations have implemented security best practices for remote work.
The post Threat Update: COVID-19 appeared first on Cisco Blogs.

Source:: Cisco Security Notice

Understanding the Shared Responsibility Model: Securing Public Cloud Just Got Easier

By Radhika Mitra Public cloud is still a hotly debated topic amongst organizations, and take a guess as to why? Security. However, that hasn’t kept businesses from investing heavily in public cloud strategies. By the end of 2020, Forbes has forecasted “67% of enterprise IT infrastructure and software will be cloud-based.” If you’re trying to increase your network scale, realize greater network value or transform to a more dynamic infrastructure, you’re either already in the midst of your journey or at least part of the way there. And with services and assets shared between your on-premises networks and the cloud, it can be a little fuzzy on how or what to secure. The public cloud Shared Responsibility model was designed to combat exactly that—and make clear delineation on who is responsible for securing what.
There are two key areas of the Shared Responsibility model:

“Security of the Cloud” – The cloud vendor is accountable to protect and ensure availability of the infrastructure and the services that make up the cloud. Cloud infrastructure is composed of the hardware, software, networking, and facilities that run the respective vendor’s cloud services.

“Security in the Cloud” — You are responsible for your cloud-based assets and management. Ultimately you design your own unique security strategy and manage your risks for any and all cloud services, asset and data you add in a public cloud. For example, any compute instances you run, you are responsible for the management of the guest operating system (including updates and security patches), any application software or utilities you install on the instances, and the configuration of the cloud-based firewall on each instance. You are responsible for managing your data (including encryption options), classifying your assets, and using IAM tools to apply the appropriate permissions.
With all the different security offerings available in each of the public cloud providers marketplaces, it becomes overwhelming and confusing trying to identify the right tools to help you fulfill your end of the shared responsibility model. To alleviate the confusion and to help you maintain a consistent posture both on premises and in the cloud, a good rule of thumb is to partner with a security partner that supports a broad range of cloud providers. Likewise, leveraging the same tools you use to secure your premises-based networks in clouds ensures a faster deployment, alleviates misconfigurations and ensures stronger security for all your cloud-based investments.

At Cisco, we do the heavy lifting for you. We offer a comprehensive suite of security solutions for public cloud environments and maintain strong technology partners with the leading public cloud providers (AWS, Google Cloud, Azure). This allows you to integrate security seamless into your cloud environments, deliver a consistent experience for your users and maintain visibility and control over all your cloud data and assets. The depth and breadth of our solutions ensures your business can safely transition to the cloud while aligning security to the speed of your digital business:
Cloud security: Cisco Umbrella integrates multiple security services in the cloud including DNS-layer security, firewall, secure web gateway, cloud access security broker, and more to secure internet access. Since DNS is built into the foundation of the internet, security at the DNS-layer can be simple to deploy and highly effective for securing the public cloud. Cisco Umbrella provides DNS-based security that blocks requests to malware, phishing, and botnets before a connection is even established.
Secure On-prem to Public Cloud: Cisco Next Generation Firewall can bring advanced capabilities of your firewall into your cloud environment, acting as a gateway and also extending your data center security policies into cloud and remaining compliant. What’s more, you can create a consistent security posture that extends from your on-premises environment to your cloud infrastructure, making the migration to public cloud seamless and painless.
Cloud Workload Security & Microsegmentation: One of the most vulnerable assets are your applications(read more on app security) and securing application workloads using microsegmentation with Cisco Tetration in your cloud can unleash the potential of your developers and security operation reaching harmonious freedom.
Advanced Threat Detection: What about network flow? Get advanced threat detection in your cloud network with Stealthwatch Cloud.
Secure Access to your Cloud: Also, ensure you have secure access using Duo multi-factor authentication to your cloud-based services.
Cisco Services is a true partner in your journey to a shared responsibility model by helping you deploy and manage your security solutions in the cloud. With Cisco you are not alone, you have the power of a trusted partner to bring along with you on your digital transformation journey to ensure a consistent security posture for your hybrid network.
The post Understanding the Shared Responsibility Model: Securing Public Cloud Just Got Easier appeared first on Cisco Blogs.

Source:: Cisco Security Notice

Threat Roundup for March 13 to March 20

By Talos Group
Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between Mar 13 and Mar 20. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.
As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center,, or
Read More
20200320-tru.json – This is a JSON file that includes the IOCs referenced in this post, as well as all hashes associated with the cluster. The list is limited to 25 hashes in this blog post. As always, please remember that all IOCs contained in this document are indicators, and that one single IOC does not indicate maliciousness. See the Read More link above for more details.
The post Threat Roundup for March 13 to March 20 appeared first on Cisco Blogs.

Source:: Cisco Security Notice

Cisco Wins Global Excellence for Cybersecurity Education and Awareness

By Anthony Grieco People are the key to any effective cybersecurity strategy. If your people don’t understand relevant cyber risks or don’t know how to take the proper action when they occur, the rest of your strategy simply doesn’t matter. At Cisco, we practice a pervasive security culture. Our combination of workforce training and educational initiatives instills a company-wide commitment and collective sense of responsibility and ownership to protect ourselves and our customers.
How do you get a global network of employees and contractors to take personal responsibility for cybersecurity, data protection, and privacy? We knew we had to develop a campaign that would garner attention in a fun and creative way to keep people engaged and alert. In response, we developed Keep Cisco Safe, an innovative internal risk mitigation awareness and education program. It combined out-of-the-box creative thinking, gamification, digital signage, a personalized rewards system including achievement badges and top-down executive sponsorship to change worker’s behaviors.
A key facet of the campaign included cyber “monsters,” each representing threat characters. With a focus on data protection, privacy, secure product development, and threats such as adware, malware and phishing, the monsters gave Cisco employees an eye-catching opportunity to identify, learn and act. To learn more, I highly encourage you to read the complete case study.

Now with over 97,000 actively engaged, we’ve found that Cisco employees and contractors have increased their cybersecurity knowledge and vigilance. This is clear by the spike of incidents being reported to our Data Protection and Privacy Response team. It’s not that we have experienced more incidents, it is the fact that more people are reporting them through proper channels.
To call the Keep Cisco Safe campaign “monstrously” successful would be an understatement. I am honored to share the campaign has been named a winner in Info Security Product Guide’s 2020 Global Excellence Awards!
Info Security Products Guide – the industry’s leading information security research and advisory guide – recognizes cybersecurity IT vendors with advanced, ground-breaking marketing programs, solutions, and services that are raising the bar for the security industry.
Like any effective education and training initiative, our Keep Cisco Safe program continues to evolve and grow. We are honored to be recognized as an industry leader by the Info Security Products Guide. Behind this distinguished success is our relentless effort to drive pervasive security, trust, data protection, and privacy into everything we do at Cisco. This recognition from Info Security PG’s Global Excellence Award further validates our commitment to security and trust within our enterprise and for our customers.
For more on Cisco’s strategy to protect itself and its customers, visit our Trust Center.

The post Cisco Wins Global Excellence for Cybersecurity Education and Awareness appeared first on Cisco Blogs.

Source:: Cisco Security Notice