Archiv für die Kategorie: Cisco Security Notice

By Talos Group The COVID-19 pandemic is changing everyday life for workers across the globe. Cisco Talos continues to see attackers take advantage of the coronavirus situation to lure unsuspecting users into various pitfalls such as phishing, fraud, and disinformation campaigns. Talos has not yet observed any new techniques during this event. Rather, we have seen malicious actors shift the subject matter of their attacks to focus on COVID themes. We continue to monitor the situation and are sharing intel with the security community, customers, law enforcement, and governments.
Protecting your organization from threats that leverage COVID themes relies on the same strong security infrastructure foundation that your organization hopefully already has. However, security organizations must ensure existing protections and capabilities function in a newly remote environment, that users are aware of the threats and how to identify them and that organizations have implemented security best practices for remote work.
Read More >>
The post Threat Update: COVID-19 appeared first on Cisco Blogs.

Source:: Cisco Security Notice

By Talos Group
Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between Mar 13 and Mar 20. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.
As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.
Read More
Reference:
20200320-tru.json – This is a JSON file that includes the IOCs referenced in this post, as well as all hashes associated with the cluster. The list is limited to 25 hashes in this blog post. As always, please remember that all IOCs contained in this document are indicators, and that one single IOC does not indicate maliciousness. See the Read More link above for more details.
The post Threat Roundup for March 13 to March 20 appeared first on Cisco Blogs.

Source:: Cisco Security Notice

By Sunil Amin We’ve reached an interesting turning point for encrypted traffic.
Gartner predicted that 80% of web traffic would be encrypted by 2019. Sure enough, this prediction came true. Last year, the team at Let’s Encrypt, an organization that helps enable encryption for websites, cited that 80% of web traffic they’ve seen is now encrypted. We have reached the point where the average volume of encrypted traffic on the internet has now surpassed the average volume of unencrypted traffic.
This is largely good news, as moving forward, encrypting internet traffic is now the new norm online and will continue to grow. This is good for data privacy and should let us sleep a bit easier knowing that as out information traverses the internet, it’ll be encrypted.
However, much like the adoption rate of encrypted traffic, encrypted threats are also on the rise. This year, Gartner has predicted that more than 70% of malware campaigns will use some type of encryption to conceal malware delivery, command-and-control activity, or data exfiltration. Complicating matters, it’s also predicted that 60% of organizations will fail to decrypt HTTPS efficiently, thereby missing critical encrypted threats.
Traditional threat inspection methods that rely on bulk decryption, analysis, and re-encryption are not always practical or feasible, for both performance and resource reasons. These methods also compromise privacy and data integrity. Unfortunately, many organizations do not have a way to detect malicious activity in encrypted traffic without the use of decryption. With the growing amount of encrypted traffic and the number of threats hiding within it, how should organizations ensure the encrypted traffic coming into their network is safe, without compromising the integrity of that data?
A better approach to analyzing encrypted traffic
Stealthwatch Cloud is a Software-as-a-Service (SaaS) solution that is easy to try, easy to buy, and simple to operate and maintain. Stealthwatch Cloud analyzes network behavior to detect advanced threats, even those hiding in encrypted traffic. Cisco’s proprietary Encrypted Traffic Analytics (ETA) technology uses attributes like Initial Data Packet (IDP) to detect malware in encrypted traffic, without decrypting the data.
Recently, Stealthwatch Cloud has added further integrations with Cognitive Intelligence, our amazing cloud-based machine learning and AI R&D team as well as its Confirmed Threat Service.
These integrations allow Stealthwatch Cloud to ingest ETA telemetry from supported Cisco networking devices and provide additional, enhanced fidelity of encrypted (as well as non-encrypted) traffic. From there, ETA will alert users of potential threats that might be hiding in encrypted traffic. These alerts include cryptomining, unpublished TOR, botnets, Ramnit, Sality, malicious file download, phishing and typosquatting and more.
In a performance study by Miercom, Cisco Encrypted Traffic Analytics showed as much as 36% faster rates of detection, finding 100% of threats in three hours. Furthermore, the study found that Cisco ETA detected 100% of malicious flows within three hours
How it Works
Cognitive Intelligence’s Confirmed Threat Service provides Stealthwatch Cloud with a list of high-confidence Indicators of Compromise (IOCs in the form of IPs and domains), a full description of the related global threat, and a write-up of recommended remediation steps. These IOCs are generated as a result of processing billions of connections from across the globe using a pipeline of analytical techniques which include the collection of Initial Data Packets. In essence, the Confirmed Threat Service is the outcome of multi-layered machine learning and encrypted traffic analytics that can convict known as well as unknown global threat campaigns. Cisco ETA can match field data extracted from the IDP against known IOCs which allows Stealthwatch Cloud to then correlate local customer telemetry to the global Confirmed Threat Service.

New alerts created via this threat intelligence will show up as “Confirmed Threat Watchlist Hit” alerts. These alerts can include named malware type families and also provide details on what they do (exfiltration, exploit, content distribution, botnets, ransomware, etc). Some of the threat intelligence provided by the Confirmed Threat Service is created in collaboration with Cisco Talos. Talos will seed intelligence (initial set of seed IOCs), title and description of a threat. Cognitive Intelligence will then expand this seed set of IOCs with new occurrences using information gathered from IDPs and machine learning – which in turn yields new IPs and domains that are also related to the given threat and appear in real customer telemetry.

Meeting Compliance Needs

In addition to being able to effectively monitor encrypted traffic coming into their network, organizations also have to consider how they use encryption on their own data. When using encryption for data privacy and protection, an organization should be able to answer major questions:
How much of the digital business uses strong encryption?
What is the quality of that encryption?
This information is critical to prevent threat actors from getting into the encrypted stream in the first place. Today, the only way to ensure that encrypted traffic is policy compliant is to perform periodic audits to look for any TLS violations. However, this method isn’t perfect due to the sheer number of devices and the amount of traffic flowing through most businesses.
Cisco Encrypted Traffic Analytics provides continuous monitoring without the cost and time overhead of decryption-based monitoring. Using the collected enhanced telemetry, Stealthwatch provides the ability to view and search on parameters such as encryption key exchange, encryption algorithm, key length, TLS/SSL version, etc. to help ensure cryptographic compliance.
Together, Cisco ETA and Stealthwatch Cloud can also identify encryption quality instantly from every network conversation, providing organizations with the visibility to ensure enterprise compliance with cryptographic protocols. These tools deliver the knowledge of what is being encrypted and what is not being encrypted on your network so you can confidently claim that your digital business is protected and compliant. This cryptographic assessment is displayed in Stealthwatch Cloud and can be exported via APIs to third-party tools for monitoring and auditing of encryption compliance.
Conclusion
With encryption becoming the new norm, it’s become increasingly important for organizations to be able to gain visibility into all traffic across the enterprise, without compromising data integrity. Cisco’s intuitive network can help detect hidden security threats, even those lurking in encrypted traffic. The powerful combination of Cisco ETA and Cognitive Intelligence help make Stealthwatch Cloud a premier encrypted traffic analytics powerhouse.
To learn more about Cisco Stealthwatch Cloud and Encrypted Traffic Analytics, read the At a Glance and the white paper.
Get started with a free 60-day trial of Cisco Stealthwatch Cloud today!

The post SaaS-delivered Encrypted Traffic Analytics with Cisco Stealthwatch Cloud appeared first on Cisco Blogs.

Source:: Cisco Security Notice

By Hazel Burton Welcome to the first ever episode of Security Stories! Security Stories is a brand new podcast from the Cisco Security team in which we discuss the past, present and future of cybersecurity.

The podcast is mainly interview based, and we have some absolutely amazing people lined up to share their security stories over the coming episodes (we’ll have a new one for you every two weeks). From how they lead their teams, to how various experiences have shaped them, our guests don’t hold anything back! So if you want to get the inside track on what it takes to be a security leader today, you’ve come to the right place.

Episode 1: From the battle to the boardroom: Mick Jenkins OBE

Mick Jenkins, CISO for Brunel University London

Our guest interview today is Mick Jenkins, OBE. Mick spent many years in the military in counterterrorism and bomb disposal, he is a published author of several spy novels which touch on his military experiences, and he’s also the CISO of Brunel University London. He faced some tough challenges when he first took on that role, but with strong leadership and a very talented team, he came up with some very innovative and impactful solutions which he talks openly about during our chat.

As you’ll soon learn from the interview, Mick is an incredibly interesting person. We initially talked about his mountaineering adventures and how he got lost in Snowdonia as a teenager, and how this shaped his perceptions of risk and leadership.

On leadership:

“It’s all about providing a vision and a narrative that people can buy into. Whether I was in the military or now as a CISO, I watch leaders, and a common thread amongst the best ones is a real sense of positivity, energy, and a can do attitude: ‘This is going to happen.” But they also have an open sense of honesty, reality and empathy. For example one of the best leaders I ever saw was always honest with his team and would say “You know what guys? This is going to be painful. We’re going to have to hold on to the handle for a bit. But we will come through it, we will succeed, and we will win.” Success for me all comes down to the leadership and the teamwork. And that’s true no matter what industry you’re in.”

On building partnerships:

“I was clear that I couldn’t do it by myself. We needed two or three strategic partners or, as I call them, my critical friends. They’re the ones who sit over my shoulder and tap me from time to time and say, “Well, that can’t actually be done Mick. We need to do it this way”. I think that blend of critical friendship, strategic partnership and building a strong internal team helped me with my vision. Leaders always need to be challenged. I was always encouraged to challenge the boss, to never be afraid to do so, and to offer an option that was different to theirs. That was certainly ingrained into us as military officers and it’s something that I’ve always been careful to make sure the team can feel they can do with me. So it’s an up and down cascade of ideas because I’m high level. I’m strategic. My team are subject matter experts and they’ve been brilliant at engaging me in the conversation so that we get to our goal together.”

About the podcast
Why the title ‘Security Stories‘? Good question! There’s a story behind that…

We’re going to go back to when I was 21 (a long, long time ago…) and, fresh faced out of University, my first job as a graduate was to help establish a new campaign called ‘If we can, you can‘. It was all about encouraging more people who had an idea of a business, to be inspired to take this forward, and become an entrepreneur.

The philosophy behind ‘If we can, you can‘ is that by sharing the stories of existing entrepreneurs, you would feel part of the community. They will take a lot away from learning how others overcame challenges, what mistakes are commonly made, and how it really feels to grow a business from the ground up.

So, I got in my car and drove all around the North East of England (where I still live), with my video camera, and I sat down with hundreds of entrepreneurs. They talked to me about that ‘defining moment‘ that inspired them to bite the bullet, how they balanced risk, how they scaled and grew their idea, how they hired their first employee…and much much more.

The stories were often raw, often emotional, and always honest and open. They shared their stories with me because being an entrepreneur is no walk in the park. There are as many tough times as there are amazing times. So they wanted to share their experiences with me because those stories and insights might help someone who is going through the exact same challenges.

I started working in the Security industry about 10 years ago, and what has struck me most is how tough an industry this can be. We have one of the highest rates of burnout and fatigue, and people’s jobs are constantly on the line. However, it’s also one of the most fun and interesting industries to be part of, where innovations and new ideas can make a huge amount of difference to the world we live in.

Therefore the principle of ‘If we can, you can‘ very much applies to this podcast. If other security leaders can do it, so can you. And Security Stories is about sharing exactly how they’re doing it…

What’s in each episode?

As well as interviews, we have some regular features as well. ‘Threat of the month‘ is where we discuss a growing cyber threat and what organizations can do about it. In the first episode, we talk about Industrial IoT and this discussion is led by my co-host and Cisco security intelligence expert, Ben Nahorney.

And we also have a little bit of cybersecurity trivia for you in our ‘On this day‘ feature. This is where we talk about significant events in cybersecurity history which will guarantee that you will win any pub quiz out there, as long as it’s very niche.

And the 16th March just so happens to be a very significant date in security history, but you’ll have to listen to the podcast to find out what we’re talking about!

You can listen on Apple Podcasts, Google Podcasts, Spotify and Stitcher. Or you can listen right now!

After you’ve listened to the first episode (and hopefully you enjoyed it!) please do subscribe. We are releasing new episodes every two weeks, and our next guest will be Wendy Nather, Head of Advisory CISOs at Cisco Duo.

Just to give you a preview of that interview, I asked her what is the one thing she wishes could change in Security. Her response starts with ‘I’m going to come up something really radical, are you holding onto your seat?”

Thanks for listening, we’ll see you next time on the Security Stories podcast.

The post Launching today: Security Stories podcast appeared first on Cisco Blogs.

Source:: Cisco Security Notice

By Sana Yousuf Your network is increasingly targeted by cybercriminals. One of the most clever and damaging way they strike is through command and control attacks – a technique often executed over DNS. A command-and-control (also referred to as C&C or C2) server is an endpoint compromised and controlled by an attacker. Devices on your network can be commandeered by a cybercriminal to become a command center or a bonet (a term coined by a combination of the words “robot” and “network”) with the intention of obtaining full network control. Establishing C&C communications via a Trojan horse is an important step for them to move laterally inside your network, infecting machines with the intent to exfiltrate data.
Going After the Command-and-Control Servers
What does your new investigation workflow look like? Today we take a closer look at how a C&C server attack can gain a foothold into your network, and how Cisco can identify, detect and block this type of threat using an integrated approach to security.
Imagine a security analyst whose enterprise has invested in network traffic analysis. Let’s call him Sam. He works for large financial services organization with over 10,000 employees and more than 80,000 user accounts. It’s 6:00 PM on a Friday evening and Sam is getting ready to catch the latest Zombie apocalypse movie with his buddies. A notification pops up on his Cisco Umbrella console telling him that Umbrella has blocked malware from communicating with a C&C channel.
Sam investigates this threat using the Cisco Security
Sam is tired. He spends copious amounts of time running down rabbit holes every time his SIEM registers an alert as suspicious. He is ready for a faster, more effective way to block threats and protect his environment. He is excited to see if Cisco Umbrella, a secure internet gateway, will make his life easier. Cisco Umbrella offers both real-time threat Intelligence, as well as the capabilities to mitigate attacks across an organization in a split second. It acts as the first line of defense against internet-borne threats like C&C communications attempting to exfiltrate data. Sam knows a DNS block on the Umbrella can simply be a symptom of persistent malware on your endpoints. He investigates further.
Sam identifies the malicious domain that is the epicenter of a C&C activity using Umbrella. Umbrella automatically proxies, decrypts, and inspects all subsequent requests with AMP for Endpoint to make a determination about the threat. Sam can also choose to block newly seen domains outright on the console. Now, while Sam knows that not all newly seen domains are bad, he knows this could be part of an emerging malware campaign or associated with another threat. In this case, Sam sees that Umbrella is working and has successfully blocked the threat.
Figure1: Identify the C&C Domain in UmbrellaBut Sam is curious. He wants to know more. Sam decides to analyze the malicious code and try to identify samples in Threat Grid, Cisco’s dynamic file analysis solution that referenced this domain. Umbrella Investigate shows him samples in Threat Grid that referenced this domain. He drills down deeper.
Figure 2: Sightings in Threat Grid that referenced this domainUsing the Threat Grid console, Sam quickly realizes the file is malicious. He sees two internal targets that can be potentially compromised with this attack. If successful, this infected server could connect to another server, ready to receive commands and do the botnet owner’s bidding by compromising systems and exfiltrating your data.
Figure 3: The Aha! moment: The Malicious VerdictSam is close to the Aha moment! He drills down to understand the behavioral indicators in Threat Grid. He gets every scrap of detail about this threat artifact. And sure enough, there’s our C&C connection. Victory!
Figure 4: Discovery: There’s our C&C connection.But Sam wants more. Threat Grid also shows him the internal target that might need further analysis. It analyzes the files and suspicious behavior across his environment to deliver context-rich malware analytics and threat intelligence. Now that he is armed with insights into what the file is doing, he is ready to explore how this threat has impacted the network. Sam kick starts a threat investigation for observed internal targets in Cisco Threat Response using the Browser Plugin. The Plugin enables Sam to research any observable (e.g. Domain, IP-address, File-Hash, URL, etc.), on any HTML-based webpage, in Chrome. Interested in what Sam is doing? See how you can configure the plugin, here.
Sam now knows which systems inside our network have seen the malicious file. This information is provided by AMP for Endpoint, our cloud-delivered endpoint protection, detection and response solution, that helps you simplify this investigations with a broader context from endpoint, web, email, and network data.
Figure 5: The Pivot to Threat Response
Figure 6: Getting the Full Picture – the Relations Graph in Threat ResponseUpon investigation, Sam confirms that the malware is already correctly identified and blocked. With Cisco Threat Response, Sam can now achieve faster detections, simpler investigations, and immediate responses.
Figure 7: Malware Identified and BlockedFor all the Sam’s of the world, this analysis can be at your fingertips too. With Threat Grid, you can easily construct a query using the Orbital Advanced Search feature, a new advanced capability in Cisco AMP for Endpoints based on the behavior observed when the sample executed. This feature accelerates your hunt for threats and enables you to shrink the lifecycle of an incident– mitigating any or further damaging cost of the breach to your business.
Figure 8: Orbital Advanced Search Query in Threat GridThis Orbital query enables you to gain deeper visibility so you may discern whether this is an isolated incident in your network, or there are other devices that may have seen this in your network. Additionally, Threat Grid can shine a light on other techniques like code injection that attackers might be using based on key behavioral indicators of malware. Security teams can save time by quickly prioritizing attacks with the biggest potential impact. In our investigation, we have discovered important details about this attack, as well as the malicious, forged documents that the attackers are using.
Figure 9: Orbital Query, Figure 10: Potential Code Injection DetectedCisco Advanced Malware Protection (AMP) for Endpoints Prevents Fileless Attacks
AMP for Endpoints‘ Exploit Prevention engine prevents all variants of fileless malware without needing any prior knowledge of the attacks. There are thousands of threats attempting to embed malicious code that can take over your workflows. Sam makes sure that the Exploit Prevention engine is enabled in AMP to catch any such activity.
Sounds too good to be true. No way?
Figure 11: File is quarantinedAMP’s Exploit Prevention Engine remaps the runtime environment and its components (such as libraries and DLL entry and exit points) and places a decoy or a facade of these resources in their original locations. It then only let’s legitimate applications know their newly randomized address spaces. The end result is that legitimate processes continue to run seamlessly without experiencing any performance penalty, but anything else that attempts to execute in-memory can’t find its target, and therefore, cannot execute. Exploit Prevention’s remapping of the runtime environment effectively protects you against all variants of in-memory attacks, whether they are pre-existing or undiscovered zero-days deterministically. With that done, Sam is on his way to the movies.
Cisco’s Security Platform
Can you imagine flying an Airbus A380 without an air traffic controller? Cisco’s vision for a security platform is built from a simple idea that security solutions should act as a team, learning from each other, listening and responding as a coordinated unit. Our platform, Cisco SecureX,connects the breadth of Cisco’s integrated security portfolio and your entire security infrastructure for a consistent experience that unifies visibility, enables automation, and strengthens your security across your network, endpoints, cloud, and applications.
Try AMP for Endpoint
You could test out AMP for Endpoints and decide whether it’s right for you in under an hour. Don’t let C&C servers sit dormant in your environment and turn your computers become someone else’s malicious botnet!

Stop fileless malware attacks dead in their tracks
by test driving a free trial of AMP for Endpoint today.

The post How to Defend Against Command-and-Control attacks: Don’t let your network turn into a Zombie appeared first on Cisco Blogs.

Source:: Cisco Security Notice