Cisco Blogs

Holiday Shopping Threat Avoidance

The holidays are upon us and the shopping season is kicking into high gear. This year, an estimated 270 million consumers will shop online and, for the first time, more than half of them will use mobile devices to check off their holiday shopping lists.

With consumers searching for holiday discounts through display ads, social media and email, the Cisco Talos Security Intelligence and Research Group predicts that both malvertising and email spam will be significant vectors for cyber crime this season — especially for mobile shoppers. This is worrisome for the simple reason that most mobile devices do not possess the ability to block many of these threats, leaving them more exposed as attackers seek profit during the busiest time for online commerce.

Through their research, Talos found that Android users are particularly vulnerable. Of all the Apple and Android OS blocks observed on Cisco’s Cloud Web Security (CWS) platform, the Talos team found that nearly 95% were Android-related. At the heart of the problem, many users are running significantly older versions of the Android OS, which lack the security updates for today’s most persistent threats. This holiday season, we advise mobile shoppers to exercise additional caution.

Keep reading for more on our findings and recommendations.

How OpenDNS Predicts Attacks When Hacker Infrastructure Is Cheap and Plenty

On Thursday OpenDNS announced two new data science models that detect clues to an attack and then find the attacker’s entire infrastructure. The first model, titled Spike Rank (SPRank), detects spikes in network traffic using mathematical concepts often found in sound wave analysis, the same methods music services like Shazam and Pandora use to analyze song patterns. The spikes SPRank finds, which indicate an attack or the use of an exploit kit, then serve as fingerprints or clues for further detective work, often starting from a single IP address or domain currently exhibiting suspicious behavior.


A visual example of network traffic spikes or “sound waves” that SPRank can detect.

Introducing the Cisco Technology Verification Service

Building Trust and Transparency One Step at a Time

Like all successful companies, we listen to our customers and strive to exceed their expectations. Our customers expect us to be trustworthy, transparent and accountable. As a company, there are many ways we are doing just that.

We started this journey more than 10 years ago when, based on customer feedback, we centralized our approach to driving security and trust—not only into our products, but into the very fabric of how we do business. And, we’ve continued to build on these efforts to earn your trust one step at a time. The momentum we’re gaining this year is clear.

In April 2015, we launched the Cisco Trust and Transparency Center, which includes our Transparency Report on Government Requests for Customer Data, articulates our Trust Principles, and provides information about our Trustworthy Systems and processes.

An introduction to the new Cisco Network Visibility Flow Protocol (nvzFlow)

As recently announced, Cisco AnyConnect 4.2 extends visibility to the endpoint with the Network Visibility Module (NVM). Users are one of the most vulnerable parts of any security strategy, with 78% of organizations saying in a recent survey that a malicious or negligent employee had been the cause of a breach. However, until now, IT administrators have been blind to user behavior on their devices. NVM allows you to monitor and analyze this rich data to help you defend against potential security threats like data exfiltration and shadow IT, as well as address network operations challenges like application capacity planning and troubleshooting.

AnyConnect NVM supports the Cisco Network Visibility Flow protocol, or nvzFlow for short (pronounced: en-vizzy-flow). The protocol is designed to provide greater network visibility of endpoints in a lightweight manner by extending standard IPFIX with a small set of high-value endpoint context data. Leading IPFIX vendors have begun implementing the new protocol to provide customers with an unprecedented level of visibility.

How (not) to Sample Network Traffic

This post has been authored by Karel Bartos and Martin Rehak

The volume of network traffic has been steadily increasing in recent years. At the same time, the delivery of critical services from cloud data centers has increased not only the volume of traffic, but also the complexity of transactions.

High volumes of network traffic allow attackers to hide their presence in the background effectively. Moreover, attackers can shift or deceive the internal models of detection systems by creating large bursts of non-malicious network activity. Such activity typically draws the attention of statistical detection methods and is reported as an anomalous incident, while the important, yet much smaller, malicious activity remains unrecognized. To counter this, we need to deploy more sophisticated detection models and algorithms that can detect such small and hidden attacks. The growing volume of transaction logs also brings computational problems for such algorithms, as they may easily become too expensive to run on the full traffic log.

Sampling reduces the amount of input network data that is passed on to the detection system, allowing a detection system of arbitrary complexity to operate on network links regardless of their size. However, using sampled data for CTA would be problematic, as it negatively impacts efficacy. CTA algorithms are based on statistical traffic analysis and adaptive pattern recognition, and the distortion of traffic features introduced by sampling can significantly increase the error rate of these underlying methods by breaking their assumptions about the traffic characteristics. The loss of information introduced by sampling also negatively impacts any forensic investigation.
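As an added illustration (not code from the post or from CTA), the constructed flow log below shows how deterministic 1-in-N sampling drops a small beaconing pattern entirely while the large benign burst survives; the host names, the traffic mix and the toy beacon rule are all assumptions made for the example.

```python
from collections import defaultdict

def build_flows():
    """Constructed, time-ordered flow log of (src, dst, bytes) records.
    One benign host floods a CDN (a large burst that draws statistical
    attention), while a compromised host beacons to a single destination
    only 12 times, spread thinly through the log. Host names are invented."""
    flows = []
    for t in range(6000):
        if t % 500 == 250:                       # sparse periodic beacon
            flows.append(("victim", "c2.invalid", 300))
        flows.append(("burst-host", f"cdn-{t % 20}.invalid", 1500))
        if t % 30 == 0:                          # ordinary desktop traffic
            flows.append((f"desk-{t // 30}", "intranet.invalid", 800))
    return flows

def sample_1_in_n(flows, n):
    """Deterministic 1-in-N sampling: keep every Nth record, as many
    exporters do. Everything between two kept records is discarded."""
    return flows[n - 1::n]

def per_host_features(flows):
    """Statistical features a detector would build from the log:
    flow count and number of distinct destinations per source host."""
    counts, dests = defaultdict(int), defaultdict(set)
    for src, dst, _ in flows:
        counts[src] += 1
        dests[src].add(dst)
    return {h: (counts[h], len(dests[h])) for h in counts}

def beaconing_hosts(features, min_flows=8):
    """Toy beacon rule (an assumption, not CTA's logic): a host with
    repeated flows that all go to one destination."""
    return sorted(h for h, (n, d) in features.items() if n >= min_flows and d == 1)

def compare(n=100):
    """Run the same rule on the full log and on a 1-in-N sample."""
    flows = build_flows()
    full = per_host_features(flows)
    sampled = per_host_features(sample_1_in_n(flows, n))
    sampled_total = sum(c for c, _ in sampled.values())
    return {
        "full_flags": beaconing_hosts(full),
        "sampled_flags": beaconing_hosts(sampled),
        "victim_flows_full": full.get("victim", (0, 0))[0],
        "victim_flows_sampled": sampled.get("victim", (0, 0))[0],
        "burst_share_sampled": sampled["burst-host"][0] / sampled_total,
    }

if __name__ == "__main__":
    print(compare())
```

On the full log the victim is the only flagged host; in the 1-in-100 sample the beacon has no surviving records, so the rule cannot fire, while the burst host still dominates the sampled statistics.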