Das Oberberg-Online Team bedankt sich bei allen Kunden und Freunden des Hauses für die gute Zusammenarbeit und das Vertrauen im vergangenen Jahr. Wir wünschen segensreiche Weihnachtstage im Kreise lieber Menschen und ein gesundes und sicheres Jahr 2020.
By Jeff Reed Complexity is one of the top challenges our customers face today. CISOs not only want to enable their teams to detect and respond to threats faster, they want to simplify workflows and streamline operations at the same time. In our annual CISO surveys, we’ve been seeing a trend toward vendor consolidation, which tells us CISOs are looking for ways to make their solutions simpler.
Vendors typically work in siloes to solve these kinds of challenges. But at Cisco, we believe we can achieve more through collaboration. That’s why we’ve been working in partnership with IBM Security to provide joint customers an in-depth, end-to-end defense strategy while simplifying their vendor relationships.
The average organization juggles 45 different security vendors. Leveraging the breadth of Cisco and IBM’s security portfolios allows our customers to drastically reduce that number of vendors while still using best-in-class products. The reduction in vendor surface creates more than just technical efficiencies. By consolidating vendor relationships, customers can maximize their buying power through vehicles like Enterprise Agreements, as well as simplify contract management and support cases.
Leveraging Cisco and IBM strengths
At Cisco, we believe we have excellent technologies to help customers prevent threats to their businesses, and with products like Cisco Threat Response, we even speed up various elements of the technical response. With IBM, we have focused our initial integrations on QRadar and Resilient product lines to help customers further prioritize threats and better assist with their response both at a technical and business level.
Let’s say you had an insider attack. The Cisco/IBM integrated solutions enable faster investigations of suspicious behaviors that could compromise credentials or systems. For example:
Cisco Stealthwatch looks for behavioral indicators of compromise in activity traversing the network, including encrypted traffic without the need to decrypt the data. IBM QRadar builds on that detection, as well as other Cisco solutions like Firepower Threat Defense, to correlate events from network traffic and logs to help security teams quickly prioritize threats.
Cisco Identity Services Engine helps you associate malicious activity with specific user credentials, and you can quarantine the user and lock down network access right from QRadar.
Responding to the attack is not just about gathering the information. You also need to understand how the business responds to the threat — is this something that needs public release of information, do you need to involve law enforcement, will this result in employee termination, and so on. To help operationalize incident response, you can use investigation results from all the integrated solutions to create a report in Resilient.
Innovative solutions to address customer needs
Many of the Cisco/IBM collaborative solutions are unique for the industry, and they’re based on lessons Cisco and IBM have learned from our extensive customer bases and our threat intelligence teams, Cisco Talos and IBM X-Force.
To make breach response more efficient, earlier this year we integrated Cisco Advanced Malware Protection (AMP) for Endpoints with QRadar and IBM Resilient SOAR. These integrations enable security teams to do things like:
Receive AMP for Endpoints telemetry directly in QRadar for a consolidated view of events across endpoints and ability to search, analyze, and correlate them.
Pull AMP for Endpoints data into Resilient to investigate events, automatically bring the results into an incident, and get more details on detected threats, then quarantine detected malicious files.
Since threats evolve quickly, defenses can’t rely on one mechanism alone. We work together in various other ways to help you detect unknown threats like ransomware or speed up response time. For instance:
Resilient customers can submit suspicious malware samples to Cisco Threat Grid to get detonated, with the hashes sent back to Resilient. This can stop malware or ransomware before it ever reaches the end user.
IBM Resilient users can query Cisco Umbrella for a list of blocked domains, save them to a data table, and delete or add new ones — preventing end users from accessing risky internet connections.
We’re listening to your feedback
Because we’re invested in the results that this collaboration can produce for our customers, we’re continuously expanding and improving our integrated solutions based on your feedback. The latest examples are enhancements made to the Firepower Threat Defense and QRadar SIEM integration, which accelerate threat investigation and remediation by correlating events across network, applications, and users.
Our customers wanted to dig deeper than the top-level summaries previously available. We listened — and the new, enhanced Firepower app that we’re releasing provides a higher level of detail in the integrated dashboard.
With Firepower Threat Defense and QRadar, you can answer questions like:
Which hosts in my network are potentially compromised?
Which hosts are known to be compromised?
What malware is most often observed in my network?
Which hosts have sent the most malware?
This is just one of the new enhancements and expansions we’ve been making as part of our alliance, and more are on the roadmap. By reducing complexities, increasing visibility, and improving threat defenses, our collaboration is improving outcomes in areas that are top of mind for our customers.
Learn more
Cisco and IBM are continuously engaged in discussions about new possibilities, and we expect our combined forces to produce many new solutions. To see how you can benefit from this partnership, learn more about Cisco’s and IBM’s integrated technology, threat intelligence, and services.
The post Cisco and IBM: Solving Customer Challenges through the Power of Partnerships appeared first on Cisco Blogs.
Source:: Cisco Security Notice
By Talos Group
This post authored by JJ Cummings and Dave Liebenberg
This year, we have been flooded with reports of targeted ransomware attacks. Whether it’s a city, hospital, large- or medium-sized enterprise — they are all being targeted. These attacks can result in significant damage, cost, and have many different initial infection vectors. Recently, Talos Incident Response has been engaged with a couple of these attacks, which involved the use of targeted ransomware. The concept of targeted ransomware attacks is simple: Get access to a corporate network, gain access to many systems, encrypt the data on a large chunk of them, ask for a large lump sum payment to regain access to those systems, and profit.
The first widespread targeted ransomware attacks involved the SamSam ransomware, which Cisco Talos researchers first discovered in early 2016 and were incredibly profitable, despite ending in indictments from the U.S. government.
In 2019, there have been multiple players in this space, the most prolific of which has been the Ryuk campaigns that start with Emotet and Trickbot. Other targeted ransomware attacks have involved other types of ransomware and varied attack methodology. Included in this list is ransomware like LockerGoga, MegaCortex, Maze, RobbinHood, and Crysis, among others. More recently, attackers have taken the extra step of exfiltrating data and holding it hostage, which they claim they will release to the public unless payment is received, a form of doxxing.
Read More >>
The post Incident Response Lessons From Recent Maze Ransomware Attacks appeared first on Cisco Blogs.
Source:: Cisco Security Notice
By Talos Group
Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between Dec 6 and Dec 13. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.
As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.
Read More
Reference:
TRU12132019 – This is a JSON file that includes the IOCs referenced in this post, as well as all hashes associated with the cluster. The list is limited to 25 hashes in this blog post. As always, please remember that all IOCs contained in this document are indicators, and that one single IOC does not indicate maliciousness. See the Read More link above for more details.
The post Threat Roundup for December 6 to December 13 appeared first on Cisco Blogs.
Source:: Cisco Security Notice
By Hazel Burton Today we launch our 2019 Threats of the Year report; a look back at the major tools and tactics that cybercriminals have exploited over the past year.
Based on original research conducted for our ‘Threat of the Month‘ blog series, we look into the impact of directed attacks against specific organizations, and how we can defend ourselves against these types of attack.
We also look at non-direct attacks – the attacks that are more of a numbers game for cybercriminals. In this case they are looking to hit as many victims as possible, without regard for the organizations or individuals that they affect.
Finally, we look at the cybercriminal ‘toolkit‘. From remote access trojans, to hiding threats in encrypted traffic, we’ve seen various innovations in how cybercriminals have evaded detection this year.
As we look towards the end of the year (and decade), we also sought perspectives from Cisco Security experts looking back at 2019. When asked what one particular threat stood out this year, and to offer a New Year’s resolution for 2020 that all organizations could consider adopting, here’s what they said:
Martin Lee, Talos (Cisco Threat Intelligence)
This year will be remembered as the year when we saw that DNS data, as well as TLS certificates, could be ‘fake news‘.
Although sporadic malicious activity had previously compromised DNS data, the discovery of the Sea Turtle campaign showed that DNS information could be compromised wholesale by attackers taking over top-level registries.
Consequently, legitimate domain-validated TLS certificates were granted to the attackers – since they controlled the domain’s DNS entries, meaning that the impersonation checking within TLS connections was subverted also. Attackers could thus divert a user from accessing a legitimate system to connect them to a malicious server while presenting a valid TLS certificate to authenticate the connection.
New Year’s resolution for 2020
Enable multi-factor authentication on every system that can support it. Passwords have never been a 100 percent effective or a secure mechanism for authenticating users. You can add two-factor authentication (2-FA) to all your system accounts so that even if someone steals or cracks your password, they can’t impersonate you to gain access to valuable data.
Andrea Kaiser, Cisco Umbrella (Protecting the DNS layer)
Malspam, or malicious unwanted email is still the predominant method used to cast a wide net and get up close and personal with the most vulnerable part of a network: users.
In 2019 we saw the Emotet botnet continue to spread malicious payloads and grow its victim base, expanding its malware-as-a-service tactic. Trickbot, Qakbot, IcedID, and Gootkit all spread through malicious document attachments as some of the payloads pushed by the Emotet botnet in 2019.
Emotet added the ability to hijack email threads by injecting responses into old or ongoing conversations from users‘ email. The new response can include links or malicious attachments to download Emotet.
This is all possible due to Emotet’s ability to steal email content and mail account credentials. The initial access and further propagation of the botnet relies on the distribution of malspam. This past year showed that we need to be vigilant in looking for targeted social engineering attacks in our inboxes.
New Year’s resolution for 2020
Social engineering is a threat that can affect you regardless of it being used as a tactic of malware. It can be used in any social setting to gain sensitive information. Often times, all one needs to start the process is a tiny bit of information about a person – such as the year you graduated or the city in which you were born. That one seed of information can lead to a path to compromise your personal data. My recommendation for your New Year’s resolution is to limit the online availability of your personal information. Take a look out our Consumer Data Privacy report to learn more.
Patrick Garrity, Cisco Duo (Access/Multi-Factor Authentication Security)
For those of us in access security (endpoint and MFA), we’re concerned about exploits targeting device operating system and browser software.
This year, two major examples affected the Google Chrome browser, including a zero-day vulnerability impacting all major operating systems, including Windows, Apple’s MacOS and Linux.
The vulnerability was a ‘use-after-free‘ type, which is a memory corruption flaw that allows a threat actor to exploit modified data in the memory of a machine and escalate privileges on that machine. This means if a user opens a PDF in a compromised Chrome browser, an attacker can hijack the browser to gain access to their machine.
While Google quickly released a patch to protect against this vulnerability, it’s an important example to highlight the importance of gaining visibility into your users‘ endpoints running out-of-date software and browsers.
New Year’s Resolution for 2020
Make sure your devices are up to date by regularly obtaining visibility into the security status of your users‘ devices. Then notify users of their out-of-date software and enforce policies that require software updates before allowing access to applications. Or, block access from any device that doesn’t meet your organization’s policies or requirements.
To find out more about these and other threats of 2019, download the Cisco 2019 Threats of the Year report.
Sign up here to receive our Threat of the Month blog series.
We will be holding a Cisco Live chat on this threat report on 17th December at 9am PST. Tune in on Cisco.com or via any of our social channels – Twitter, Facebook, Youtube and our Security Community.
We encourage you to use this retrospective report in any security-focused board meetings or business planning sessions you might be holding over the next few months to guide you on planning the security tools and processes needed for 2020. You can also use it as a resource to help explain how your current security posture would perform with any such attacks, and identify any gaps.
The post A Look Back at the Major Cyber Threats of 2019 appeared first on Cisco Blogs.
Source:: Cisco Security Notice
By Talos Group Introduction
Cisco Talos‘ Systems Security Research Team investigates software, operating system, IOT and ICS vulnerabilities in order to discover them before malicious threat actors do. We provide this information to the affected vendors so that they can create patches and protect their customers as soon as possible. We strive to improve the security of our customers with detection content, which protects them while the vendor is creating, testing, and delivering the patch. These patches ultimately remove the vulnerability in question, which increases security not only for our customers but for everyone. After these patches become available, the Talos detection content becomes public, as well. Talos regularly releases executive blogs (Vulnerability Spotlights) and in-depth analyses of vulnerabilities discovered by us. You can find all of the release information via the Talos Vulnerability Information page here.
Read the rest of the details on the Talos Blog
The post Talos Vulnerability Discovery Year in Review – 2019 appeared first on Cisco Blogs.
Source:: Cisco Security Notice
