Cisco Blogs


Cisco Blog > Security

A New Model to Protect the Endpoint, Part 2: Attack Chain Weaving

In my last post, I talked about the need for a paradigm shift from point-in-time detection technologies to a new model that combines a continuous approach with a big data architecture. This new model lets Cisco deliver a range of other innovations that enhance the entire advanced malware protection process across the full attack continuum—before, during, and after an attack.

One of these innovations, unique to Cisco AMP for Endpoints, is Attack Chain Weaving which introduces a new level of intelligence not possible with point-in-time detection technologies.

We all know that attackers are making it their job to understand traditional point-in-time detection technologies and innovate around their limitations to penetrate endpoints and networks. However, as these attacks unfold, they leave in their wake massive volumes of data. Attack Chain Weaving allows defenders to use this data to their advantage. A big data architecture handles the ever-expanding volume of data that is essential to effective malware detection and analytics, and a continuous approach uses that data to provide context and, most importantly, prioritization of events when and where you need it.

Read More »

Tags: , , ,

Before, During and After: How to Think About Complex Threats

I’m often asked how to deal with the security threat landscape within the context of running a business. The security threat landscape can seem like a highly complex challenge, yet as I’ve looked at it through my work with Cisco and the broader industry, it can actually be boiled down into three simple phases: before, during and after attack.

It sounds simple in theory, but in practice the conversation often focuses predominantly on the “before” phase; that is, minimizing a hacker’s chances of success. While this is clearly the most important phase, it’s also crucial to have a clear threat containment strategy for “during” an attack, and a visibility and forensics plan for “after” it as well. It seems complex, but it can be surprisingly simple. Take a look at a recent video blog I did on the topic.

Tags: , , , ,

Is Your Team Prepared for a Cyber Attack? Get Ready with CyberRange Training

The fire alarm went off in my building again, but fortunately, it was only a drill. By now, we are all used to the periodic fire drills for emergency preparedness in our workplaces. But have you ever wondered if there is a similar exercise possible for a cyber attack? The same logic applies. Your team will be better prepared to handle a disaster if they are trained for it.

Seeing is believing: Today I am excited to share this video from our Cisco Korea team that showcases Cisco CyberRange.

Read More »

Tags: , , , ,

Threat Spotlight: A String of ‘Paerls’, Part One

June 30, 2014 at 7:00 am PST

This post was co-authored by Jaeson SchultzJoel Esler, and Richard Harman

Update 7-8-14: Part 2 can be found hereVRT / TRAC

This is part one in a two-part series due to the sheer amount of data we found on this threat and threat actor. This particular attack was a combined spearphishing and exploit attempt. As we’ve seen in the past, this can be a very effective combination.

In this specific example the attackers targeted a feature within Microsoft Word — Visual Basic Scripting for Applications. While basic, the Office Macro attack vector is obviously still working quite effectively.  When the victim opens the Word document, an On-Open macro fires, which results in downloading an executable and launching it on the victim’s machine. This threat actor has particularly lavish tastes.  This threat actor seem to target high-profile, money-rich industries such as banking, oil, television, and jewelry.

Discovering the threat

The VRT has hundreds of feeds of raw threat intelligence, ranging from suspicious URLs, files, hashes, etc.  We take that intelligence data and apply  selection logic to it to identify samples that are worthy of review.  Using various methods from machine learning to dynamic sandbox analysis, we gather details about the samples -- producing indicator of  compromise (IOC), and alerts made up of multiple IOCs.

During our analysis we took the last 45 days’ worth of samples, and clustered them together based on a matching set of alert criteria.  This process reduced over a million detailed sample reports to just over 15 thousand sample clusters that exhibit similar behavior.  Using this pattern of similar behavior, we were capable of identifying families of malware.  This led us to discover a Microsoft Word document that downloaded and executed a secondary sample, which began beaconing to a command and control server.

The Malicious Word documents & Associated Phishing campaign

The attacks we uncovered are an extremely targeted spear phish in the form of an invoice, purchase order, or receipt, written specifically for the recipient.  For instance, the following is an example message we observed that purportedly came from “Maesrk”, the shipping company.

image03

Read More »

Tags: , , , , , , , , , ,

A Holistic Approach to Secure Enterprise Mobility

Cisco_FOM_Podcast_Gordon 6.18.14“It’s not secure enough… so we are not going to allow it to happen.”

Does this phrase seem all too familiar?

Today, IT and business leaders are faced with the challenge of securing any user from any location on any device with access to any information. At times, it can be a daunting road to travel on the path towards true enterprise mobility security. This is especially true as the combination of sophisticated threats and new mobile capabilities and applications are continuing to shape the role and evolution of security controls and policies.

As the mobile endpoint becomes the new perimeter, how can organizations evolve their mobility security policies to mitigate risk? Is protecting information at the data or device level the way to keep employees and assets secure when users conduct business on untrusted networks?

Recently, I had a chance to participate in a new Future of Mobility podcast with Dimension Data’s Stefaan Hinderyckx, to discuss the biggest challenges our customers are seeing as they deploy enterprise mobility security solutions.

Many CSOs that Stefaan speaks with are seeing the clear and present danger of opening their networks, devices and applications to a new mobile world. Yet, many are not shying away from the benefits that enterprise mobility offers. They say:

“Mobility is inevitable. It’s happening and we need to embrace it and deliver it for the business.”

With this in mind, how can IT and business leaders address key challenges and embrace a holistic approach to secure enterprise mobility?

Complexity: There Are No Boundaries Anymore

One of the biggest challenges our customers are seeing is the increase in complexity as they work to meet business needs through mobility, all while keeping users and assets secure.

Simply put, there are no boundaries anymore. There is no place you can put a firewall to make things secure on the inside and insecure on the outside.

A major reason for this complexity is the result of approaching security in a siloed manner. It can be complex to try to secure the device, data on the device, the user and the network in a disparate way!

IT and business leaders need to work together to make the whole environment secure. It is no longer enough to find point solutions to data-centric or device-centric controls, the only way to be confident in your approach is to build a holistic strategy.

Read More »

Tags: , , , , , ,