Cisco Blogs


Cisco Blog > Security

Endpoint Visibility to Combat Advanced Attacks – I Want That

Protecting data, maintaining compliance, and enabling the business is a balancing act. Put too many controls in place and you inhibit workflow. Rely exclusively on traditional security tools and you lack the visibility to detect and respond to advanced attacks quickly.

The industrialization of hacking has created an effective and efficient criminal economy. Attackers are fast and the malware they write and resell is smart, able to evade traditional defenses and quick to do damage. If attackers get through – and they will since there is no such thing as 100% breach prevention – IT security professionals need to be able to detect potential malicious activity as it happens, analyze it, and take action. And, increasingly, network-centric detection is not enough.

An explosion of new, untethered devices means that endpoints extend everywhere and so does the workplace you need to protect. Windows and Mac desktops and laptops, tablets and smartphones, and even smart watches make it possible to connect back to the corporate network anytime from anywhere. Attackers are taking advantage of this proliferation of endpoints and using gaps in security to drive their attacks home. Endpoint visibility is becoming a must-have.

To combat these more frequent and destructive attacks, you need to see beyond traditional indicators of a breach, like a signature or a hash or an IP address, to identify behavior-based activities that may point to malicious activities. This visibility must be on workstations so that you can track executables and processes across your environment and cut detection time down to minutes or seconds. You also need to maintain that visibility on devices connected to a protected network or roaming on public or personal in-home wi-fi.

Cisco Advanced Malware Protection (AMP) for Endpoints gives you the visibility and control you need to protect data, maintain compliance, and enable the business – everywhere workers may be. For example, the Prevalence capability in Cisco AMP displays files that have been executed across the organization ordered from lowest to highest number of instances. Files with low prevalence likely indicate a malicious executable you need to investigate. And because AMP is cloud-based you can continue to track devices and deliver the same level of protection whether devices are on or off the network.

Customers across a broad range of industries are using Cisco AMP for Endpoints to increase protection against today’s elusive attacks. Listen to Tim McGuffin, Information Security Officer at Sam Houston State University, describe how his team used Cisco AMP for Endpoints to detect and respond to a malware attack disguised as bad user behavior, and how they maintain a secure infrastructure while ensuring academic freedom and research.

Tags: , ,

Research Spotlight: Project FTR

image00

image02_a

 

 

 

 

 

 

Intro

Historically, networks have always been at risk for new, undiscovered threats. The risk of state sponsored hackers or criminal organizations utilizing 0-day was a constant, and the best defense was simply to keep adding on technologies to maximize the odds of detecting the new threat – like adding more locks to the door if you will. Here at Cisco Talos we’re constantly pushing the envelope. Recently after some thinking juice we started brainstorming ways to better address the constant threat of attacker utilizing unknown 0-day. Today, we’re happy to inform our customer base about our new inspection technology code name project Faster Than Realtime, or FTR. Project FTR is the next generation of detection technology, that which will truly revolutionize the industry.

Project FTR

To mitigate the ever-growing threat of new and unknown attacks we simply decided to add a few options to our existing inspection infrastructure. Snort’s new Quantum Pre-Detection (QPD) leverages Predictive Attack Detection (PAD) by putting packets into an Ethereally-Buffered Capture (EBC) file.  Snort then reads the .ebc via PAD so that QPD can tell you that you are under attack before you’re even under attack.

Read More »

Tags: , , , , , , ,

Threat Spotlight: Dyre/Dyreza: An Analysis to Discover the DGA

This post was authored by Alex Chiu & Angel Villegas.

Overview

Banking and sensitive financial information is a highly coveted target for attackers because of the high value and obvious financial implications.  In the past year, a large amount of attention has been centered on Point of Sale (PoS) malware due to its major role in the compromise of several retailers.  While PoS malware is a major concern, attackers have also realized that targeting individual end users is an effective method of harvesting other types of financial data.  As a result, banking malware has become a prevalent category of malware that poses a major threat to users and organizations of all sizes.  One of the more well known examples of banking malware is Zeus.

Table of Contents

Overview
Technical Analysis
Domain Generation Algorithm
Other Thoughts
Conclusion
Appendix

Banking malware typically operates by redirecting users to malicious phishing sites where victim’s input their banking credentials thinking they are logging into their bank’s website.  Banking malware can also operate more stealthily by hooking into a browser’s functionality, capturing the victim’s credentials as they are typed in, and exfiltrating them.  Once an attacker has a victim’s banking credentials, attackers can then sell it or use it to perform illicit transactions (such as transferring funds to another account on behalf of the victim). Read More »

Tags: , , , , ,

Announcing the First Cisco IOS Software and IOS XE Software Security Advisory Bundled Publication

Today, we released the first ever Cisco IOS Software and IOS XE Software Security Advisory Bundled Publication. As a reminder, Cisco discloses IOS vulnerabilities on a predictable schedule (on the fourth Wednesday of March and September each calendar year). In direct response to your feedback, we have also included a Cisco Security Advisory addressing vulnerabilities in Cisco IOS XE Software in this publication. We hope this timeline and additional “bundling” continues to allow your organization to plan and ensure resources are available to analyze, test, and remediate vulnerabilities in your environments.

Today’s edition of the Cisco IOS Software Security Advisory Bundled Publication includes seven advisories that affect the following technologies:
Read More »

Tags: , , , ,

Threat Spotlight: The Imperiosus Curse –A Tool of the Dark Arts

Authors: William Largent, Jaeson Schultz, Craig Williams. Special thanks to Richard Harman for his contributions to this post.

As consumers, we are constantly bombarded by advertising, especially on the World Wide Web. There is a lot of money to be made either pushing Internet traffic, or displaying ads to consumers. Total annual Internet advertising revenue from 2013 was over US $117bn, and will approach US $200bn by the year 2018. The online advertising industry field is already awash with many players, each clamoring for a piece of the Internet advertising pie. In fact, so many ad impressions are bought and sold daily, that it’s nearly impossible to keep track of who is buying and selling what. 

On one side of the online advertising spectrum are publishers. These are domains that receive Internet traffic and make money by displaying advertisements. On the other side of the spectrum we find advertisers who wish to sell products. And in the middle are ad-networks/ad-exchanges: marketplaces where publishers and advertisers can come together to wheel-and-deal on ad impressions. The astonishingly large number of online advertising industry middlemen between buyers and sellers creates terrific opportunities for bad actors to hide. The result is malware delivered through the online advertising ecosystem, A.K.A. “malvertising”.

How “bad guys” view the online ad industry.

How do malicious ads actually make it to end users? In our attempt to answer that question, Talos has uncovered a piece of Internet malvertising infrastructure that is both highly robust, and highly anonymized. It has been an Internet fixture for almost a sesquidecade, with redirection domains operating since early 2001. This infrastructure was designed specifically to focus Internet traffic towards advertising endpoints, unfortunately with little regard paid to legitimacy of the final destination. 
Read More »

Tags: , ,