Remember 2007, when the underground economy began to flourish, using simple protocols and static subnet ranges to control its infrastructure? That was the same year Cisco published the first Annual Security Report (ASR). Nine years later, the drumbeat of cyberthreats grows louder, but the actors and threats are familiar, just as John reminded us when this year’s report was released.
TLS (Transport Layer Security) is a cryptographic protocol that provides privacy for applications. TLS is usually layered beneath common application protocols such as HTTP for web browsing or SMTP for email. HTTPS is HTTP carried over TLS; it is the most popular way of securing communication between a web server and client and is supported by the bulk of major web servers.
As TLS has become more popular and easier to use, we have seen the adoption of this technology by malware to secure its own communication. It is fairly straightforward for malware to plug into existing TLS libraries, and in some cases include an entire implementation in its own source code. This ease of use is troubling because it allows malware to easily evade detection and blend into benign traffic patterns typically observed on a network. In short, malware authors know how to use encryption, and they use it in TLS and in custom applications across many different ports and protocols.
In this blog post, we highlight some of the trends we are seeing with respect to the volume of malware traffic taking advantage of TLS, and on which ports this traffic appears. We compare and contrast malware’s usage of TLS with that of benign network traffic. Finally, we conclude by giving next steps to detect malware even in the face of encryption.
The Domain Name Service (DNS) provides the IP addresses of intended domain names in response to queries from requesting end hosts. Because many threat actors today are leveraging DNS to compromise end hosts, monitoring DNS is often a critical step in identifying and containing malware infections and investigating attacks. Yet our research found that few organizations actually monitor DNS for security purposes, or at all, which makes DNS a security “blind spot.”
We explore this issue in more detail.
Defending a network against threats of growing complexity requires a mix of technology and policies that are as sophisticated as the campaigns created by attackers. A necessary component of an effective defense is tackling the low-hanging fruit, that is, basic tasks such as patching vulnerabilities and updating old software.
However, as we relate in the Cisco 2016 Annual Security Report, too many organizations are relying on seriously outdated network components and operating systems, thus providing even more opportunity for adversaries to infiltrate or attack their network.
Today’s attackers deploy complex and clever threats that are difficult to combat with just one method of defense. In some cases, defenders must go beyond tools for detecting attacks and devise a different approach for obstructing our adversaries’ ability to operate.
As detailed in the Cisco 2016 Annual Security Report, recent collaborative efforts between Cisco, Limestone Networks, and Level 3 Threat Research Labs have weakened the impact of two threats: the distribution of the Angler exploit kit, and the rapid growth of one of the Internet’s largest DDoS weapons built out by SSHPsychos.