Cisco Blogs


Cisco Blog > Security

Ensuring Security and Trust Stewardship and Accountability

In our increasingly interconnected world, the Internet of Everything is making trust a critical element of how people use network-connected devices to work, play, live, and learn. The relentless rise in information security breaches underscores the deep need for enterprises and governments alike to trust that their systems, data, business partners, customers, and citizens are safe.

Consequently, I see an evolution taking place regarding accountability in cybersecurity moving up to the boardroom level, an issue I discussed earlier this year in Fortune. In a recent Information Systems Audit and Control Association (ISACA) report, 55 percent of corporate directors revealed that they have to personally understand and manage cyber as a risk area. The National Association of Corporate Directors recently published a document on corporate directors’ ownership and management of risk in cyber for public companies. In March of this year, an SEC commissioner said that the SEC plans to create a requirement for corporate directors regarding managing cybersecurity as a risk.

Read More »

Tags: , , , , ,

The Value of Endpoint and Network Protection Together

As I’ve discussed in past blog posts, advanced malware and sophisticated attacks are relentless as they compromise environments using new and stealthy techniques. Modern malware is dynamic and exists in an interconnected ecosystem that is constantly in motion. It will use an array of attack vectors, take endless form factors, and launch attacks over time.

In contrast, most security tools today are stuck in time – a point in time to be exact. They scan files once at the point of entry to determine if they are malicious, letting the supposedly “good” files in, and kicking the known “bad” files out. If the malicious file isn’t caught at point of entry, or if it evolves and becomes malicious AFTER entering the environment, point-in-time detection technologies give us little recourse after an infection occurs.

Read More »

Tags: , , , ,

Threat Spotlight: Group 72, Opening the ZxShell

This post was authored by Andrea Allievi, Douglas Goddard, Shaun Hurley, and Alain Zidouemba.

Recently, there was a blog post on the takedown of a botnet used by threat actor group known as Group 72 and their involvement in Operation SMN.  This group is sophisticated, well funded, and exclusively targets high profile organizations with high value intellectual property in the manufacturing, industrial, aerospace, defense, and media sector. The primary attack vectors are watering-hole, spear phishing, and other web-based attacks.

Frequently, a remote administration tool (RAT) is used to maintain persistence within a victim’s organization. These tools are used to further compromise the organization by attacking other hosts inside the targets network.

ZxShell (aka Sensocode) is a Remote Administration Tool (RAT) used by Group 72 to conduct cyber-espionage operations. Once the RAT is installed on the host it will be used to administer the client, exfiltrate data, or leverage the client as a pivot to attack an organization’s internal infrastructure.  Here is a short list of the types of tools included with ZxShell:

  • Keylogger (used to capture passwords and other interesting data)
  • Command line shell for remote administration
  • Remote desktop
  • Various network attack tools used to fingerprint and compromise other hosts on the network
  • Local user account creation tools

For a complete list of tools please see the MainConnectionIo section.

The following paper is a technical analysis on the functionality of ZxShell. The analysts involved were able to identify command and control (C2) servers, dropper and installation methods, means of persistence, and identify the attack tools that are core to the RAT’s purpose. In addition, the researchers used their analysis to provide detection coverage for Snort, Fireamp, and ClamAV.

Read More »

Tags: , , , , , , ,

File Security With the Click of a Button

Securing our digital lives used to be simpler. Up until a few years ago, we primarily used email as a means for transferring or exchanging files between two parties. A handful of companies emerged to provide email encryption for those who needed it. Most other people did not worry about it.

Today, file exchange has gone beyond email. Users regularly transfer important and sensitive business and personal information using a variety of applications. It takes only a few button clicks to transfer files using Dropbox or Box. People regularly exchange files via instant messengers like Skype, Whatsapp, or Gtalk. Employees log into cloud service providers such as Salesforce and click on icons to send out invoices, proposals, quotations, and the like. Security online is no longer simple and there are many more threats to worry about.

Read More »

Tags: , , , , ,

Can the Elephant Dance to a Security Tune?

HadoopThere is a great debate in the security world right now: have SIEM and logging products run their course? Will Hadoop ride to the rescue? Can machines “learn” about security and reliably spot threats that no other approach can find?

Gartner calls this phenomenon Big Data Security Analytics, and they make a strong point to define BDSA solutions as a three-layer pyramid. At the bottom is the “data lake,” which is what most people equate with Hadoop. The next layer is context—the addition of relevant business, location, and other non-traditional security information to increase the precision of the next layer: applications and analytics (such as Machine Learning). It is this top layer where the real value of BDSA is realized in terms of finding new threats and remediating them before they do damage.

Read More »

Tags: , , , , ,