Cisco Blogs

Cisco Blog > Security

Hello World! A Message from OpenDNS

This post is officially my first after coming over as part of the Cisco acquisition of OpenDNS. Since 2012, I’ve served as the CTO and am proud to be part of an incredible research team, OpenDNS Labs.  Like the Talos Research Group we are focused on detecting and preventing threats that help protect our customers globally. We are uniquely positioned to do this through statistical models and classification techniques that are fueled by our satellite view of the Internet’s infrastructure with more than 80 Billion active DNS queries per day.

Today I’d like to share some of our research that we recently published around combining classification models together to better predict, and therefore prevent phishing and targeted attacks. In this post we discuss how we can combine two of our classifiers; NLP Rank and Traffic Spikes to predict malicious domains. Additionally we highlight the value of data visualizations with OpenGraphiti.

While the blog only highlighted some of our capabilities with OpenGraphiti, I recorded a short video of the tool in action below. This video demonstrates how we not only can ingest the data but also digest it visually — enabling incident response teams to pivot through the attackers infrastructure in a way that is difficult in a textual format. The visualization shows the relationships between the top-level host with all the associated fake sites that are associated and identified with NLP Rank. Note: There is no audio.

We at OpenDNS are extremely excited about being part of Cisco and look forward to sharing more of our incredible technology, research, and data moving forward.

Tags: , , ,

When Does Software Start Becoming Malware?

This post was authored by Earl Carter, Alex Chiu, Joel Esler, Geoff Serrao, and Brandon Stultz.

Defining what is malware relies on determining when undesirable behavior crosses the line from benign to clearly unwanted. The lack of a single standard regarding what is and what is not acceptable behavior has established a murky gray area and vendors have taken advantage of this to push the limits of acceptable behavior. The “Infinity Popup Toolkit” is a prime example of software that falls into this gray area by bypassing browser pop-up blocking, but otherwise exhibits no other unwanted behavior. After analyzing the toolkit, Talos determined that software exhibiting this type of unwanted behavior should be considered malware and this post will provide our reasoning.


Without a clear standard defining what is and is not acceptable behavior, identifying malware is problematic. In many situations, users are confronted with software that exhibits undesirable behavior such as the Java installer including a default option to install the toolbar. Even though many users objected to the inclusion of the toolbar, Oracle only recently discontinued including it in Java downloads after Microsoft changed their definition of malware which then classified the toolbar as malware.

There is more to unwanted software than just browser toolbars or widgets. Suppose a piece of software exhibits the following characteristics. Would this be considered malware?

  • The user was not given a choice whether or not to execute this piece of software.
  • The software was designed to specifically bypass browser security and privacy controls using clickjacking techniques.
  • The software avoids detection by encrypting portions of its payload.
  • Extensive fingerprinting (browser, plugins, operating system, and device type) takes place and sent to a third party without user consent.

Read More »

Tags: , , , , , ,

SYNful Knock: Detecting and Mitigating Cisco IOS Software Attacks

Historically, threat actors have targeted network devices to create disruption through a denial of service (DoS) situation. While this remains the most common type of attack on network devices, we continue to see advances that focus on further compromising the victim’s infrastructure.

Recently, the Cisco Product Security Incident Response Team (PSIRT) has alerted customers around the evolution of attacks against Cisco IOS Software platforms.

Today, Mandiant/FireEye published an article describing an example of this type of attack. This involved a router “implant” that they dubbed SYNful Knock, reported to have been found in 14 routers across four different countries.

The Cisco PSIRT worked with Mandiant and confirmed that the attack did not leverage any product vulnerabilities and that it was shown to require valid administrative credentials or physical access to the victim’s device.

SYNful Knock is a type of persistent malware that allows an attacker to gain control of an affected device and compromise its integrity with a modified Cisco IOS software image. It was described by Mandiant as having different modules enabled via the HTTP protocol and triggered by crafted TCP packets sent to the device.

Note: Cisco Talos has published the Snort Rule SID:36054 to help detect attacks leveraging the SYNful Knock malware.

Given their role in a customer’s infrastructure, networking devices are a valuable target for threat actors and should be protected as such. We recommend that customers of all networking vendors include methods for preventing and detecting compromise in their operational procedures. The following figure outlines the process of protecting and monitoring Cisco networking devices.


ios compromise

We thank Mandiant/FireEye for their focus on protecting our shared customers, and for adding their voice to calls for greater focus on network security.

Tags: , , , , , ,

Anomaly vs Vulnerability Detection Using Cisco IPS

The Cisco IPS network based intrusion prevention system (NIPS) uses signatures to detect network-based attacks. Signatures can be created in a variety of engines based on the type of network traffic being inspected. Cisco signatures have very flexible configurations. In this blog post, I will discuss the trade-offs between two basic approaches for signature configuration: anomaly detection and vulnerability detection.

With Cisco IPS, anomaly detection is a broad approach of detecting malicious network activity. Signatures written to detect broad categories of anomalous activity will catch many different attack vectors, but at a cost. The parameters of a signature designed to detect an anomaly will often put a strain on the system running Cisco IPS in the form of memory or CPU usage, limiting the number of signatures that may be enabled. They also carry a high false positive risk due to their broad approach.

Vulnerability based signatures are targeted and require less overhead. These signatures normally target one or more attack vectors associated with a specific CVE. Their engine parameters typically use less memory and impact the CPU performance less on the IPS device, permitting more signatures to be active. They also allow the user to finely tune the configuration based on the types of vulnerable systems in a user’s network. False positive risk is low if the active signature set is tuned for a user’s network environment. Read More »

Tags: , ,

Cognitive Threat Analytics – Transparency in Advanced Threat Research

Cisco Cognitive Threat Analytics is a security analytics product that discovers breaches in Cisco customer’s networks by means of advanced statistical analysis, machine learning and global correlation in Cisco security cloud. Attached to Cloud Web Security (CWS) and Web Security Appliances (WSA), it is also capable of integrating the non-Cisco data sources in order to help the broadest possible set of clients.

Our team discovers tens of thousands of ongoing malware infections (aka breaches) per day. These findings are delivered in a customer-specific report or directly into customer’s SIEM system. The customers can easily identify and re-mediate breaches, get to the root cause and apply policy changes that minimize the risk of further infections in the future. Read More »

Tags: , ,