Cisco Blogs


Why Aging Infrastructure Is a Growing Problem

Defending a network against threats of growing complexity requires a mix of technology and policies that are as sophisticated as the campaigns created by attackers. A necessary component to an effective defense includes tackling the low-hanging fruit—that is, basic tasks such as patching vulnerabilities and updating old software.

However, as we relate in the Cisco 2016 Annual Security Report, too many organizations are relying on seriously outdated network components and operating systems—thus providing even more opportunity for adversaries to infiltrate or attack their network.


The Value of Collaboration in Weakening Attackers

Today’s attackers deploy complex and clever threats that are difficult to combat with just one method of defense. In some cases, defenders must go beyond tools for detecting attacks and devise a different approach for obstructing our adversaries’ ability to operate.

As detailed in the Cisco 2016 Annual Security Report, recent collaborative efforts between Cisco, Limestone Networks, and Level 3 Threat Research Labs have weakened the impact of two threats: the distribution of the Angler exploit kit, and the rapid growth of one of the Internet’s largest DDoS weapons built out by SSHPsychos.


Forewarned Is Forearmed: Announcing the 2016 Cisco Annual Security Report

Our just-released 2016 Cisco Annual Security Report (ASR) presents a challenging cybersecurity landscape: cyber defense teams are fighting to keep up with rapid global digitization while trying to integrate dozens of vendor solutions, speed up detection, and educate their organizations from top to bottom. Meanwhile attackers grow more bold, flexible, and resilient by the day, setting up professional infrastructures that look a lot like what we’d find in legitimate businesses. On the global front, we see fluctuations in cyber Internet governance across regions, which inhibits collaboration and the ability to respond to attacks.

Security threats, attacks, and challenges are not new—Cisco released our first ASR in 2007. While the major trends remain essentially constant, the cumulative intelligence in the reports demonstrates how quickly attackers—with the luxury of working outside the law—innovate to exploit new security gaps.

This year’s ASR reveals that attackers increasingly use legitimate online resources to launch their malicious campaigns. Though the news might speak to zero-day attacks, hackers also continue to deploy age-old malware to take advantage of weak spots such as unpatched servers. Aging infrastructure opens up green-field attack surfaces while uneven or inconsistent security practices remain a challenge.

Other key insights from the 2016 ASR include a growing encryption trend (particularly HTTPS) for web traffic, which often provides a false sense of security to users—and for companies, potentially cloaks suspicious activity. We are also seeing more use of compromised WordPress servers to support ransomware, bank fraud, and phishing attacks. Alarmingly, between February and October 2015, the number of compromised WordPress installations used by cybercriminals grew by more than 221%.

The picture we see is disturbing:

Given this backdrop, the ability to recognize and respond to security threats in near real time is no less than a business imperative. We simply cannot continue to create technical debt, leaving systems unpatched, critical services exposed, and application services open to attack. These are what we can control, and yet the data shows we aren’t succeeding. This means fortifying the weakest links, such as older networking software, taking a proactive approach to patches and upgrades, and taking control of critical infrastructure. It also means working toward a cohesive security landscape, where companies, industries, and governments communicate and collaborate to thwart cyber criminals, taking an integrated approach to threat defense that operates in near real time on our behalf. What are we waiting for?

Here’s my take on what we can all do now:

  • Senior leaders across organizations of all types must acknowledge, embrace, and own security as their strategy, not a CISO’s, and not just in IT.
  • Vendors that embed IT in their offerings must produce solutions that customers can trust and are designed with security in mind. We have to slow the vulnerability being introduced.
  • Adding “yet another vendor” cannot continue to be our answer. This just adds to the complexity of the security challenge and leaves companies more vulnerable to attacks. For cost, return on investment, efficacy, and to remain nimble, security efforts must be business led, architecturally delivered, and provably integrated and effective.

Increased attention, measurable results, added resilience, and focusing on what we can control are all possible now – so let’s capitalize on the moment before it’s too late.

The 2016 Cisco Annual Security Report analyzes the most compelling trends and issues in cybersecurity from Cisco security experts, providing insight on advancements made by both the security industry and the criminals hoping to breach defenses. Geopolitical trends, perceptions of cybersecurity risk and trustworthiness, and the tenets of an integrated threat defense are also discussed.


Additional Links

Cisco Annual Security Report 2016

ASR Conversation with Cisco CEO Chuck Robbins and Chief Security & Trust Officer John N. Stewart

Cisco Trust and Transparency Center


Research Spotlight: Needles in a Haystack

This post was authored by Mariano Graziano.

Malware sandboxes are automated dynamic analysis systems that execute programs in a controlled environment. Within the large volumes of samples submitted daily to these services, some submissions appear to be different from others and show interesting characteristics. At USENIX Security 2015 I presented a paper in which we proposed a method to automatically discover malware developments from samples submitted to online dynamic analysis systems. The research was conducted by dissecting the Anubis sandbox dataset which consisted of over 30M samples collected in six years. The methodology we proposed was effective and we were able to detect many interesting cases in which the malware authors directly interacted with the sandbox during the development phase of the threats.

Another interesting result that came from the research concerns the samples attributed to Advanced Persistent Threat (APT) campaigns. Surprisingly, some of the malware samples used in these sophisticated attacks had been submitted to the Anubis sandbox months — sometimes even years — before the attack had been attributed to the proper APT campaign by a security vendor. To be perfectly clear, we are not saying that it took security vendors months or years to detect a threat. Most times, we are able to detect the threats in no more than a few hours. It is just that the malware samples were mislabeled and not properly associated with APT campaigns. In general, the same goes for non-APT malware campaigns. In this blog post, we tried to see if the same applied to the Cisco dataset. Specifically, we chose ten APT campaigns — some of which were already covered in the USENIX paper. We decided to inspect two different datasets: our incoming sample feeds / malware zoo, and the telemetry associated with our Advanced Malware Protection (AMP) solutions. Talos receives samples from over 100 external feeds ranging from anti-malware companies to research centers, while the AMP dataset contains telemetry from the Cisco AMP user-base.

The remaining part of this post is organized as follows. First, we show the APT campaigns we investigated. Second, we summarize the results of the analysis of the Talos dataset. Third, we show the results from the AMP dataset. Finally, we summarize our findings.


Microsoft Patch Tuesday – January 2016

The first Patch Tuesday of 2016 has arrived. Today, Microsoft has released their monthly set of security bulletins designed to address security vulnerabilities within their products. This month’s release is relatively light with nine bulletins addressing 25 vulnerabilities. Six bulletins are rated critical and address vulnerabilities in Edge, Internet Explorer, JScript/VBScript, Office, Silverlight, and Windows. The remaining three bulletins are rated important and address vulnerabilities in Exchange and several parts of Windows.

Bulletins Rated Critical

Microsoft bulletins MS16-001 through MS16-006 are rated as critical in this month’s release.

MS16-001 and MS16-002 are this month’s Internet Explorer and Edge security bulletins, respectively. In total, four vulnerabilities were addressed and, unlike in previous bulletins, there are no vulnerabilities that IE and Edge have in common.

  • MS16-001 is the IE bulletin for IE versions 7 through 11. Two vulnerabilities are addressed with those being CVE-2016-0002, a use-after-free flaw, and CVE-2016-0005, a privilege escalation flaw. Note that CVE-2016-0002 is a VBScript engine vulnerability that is addressed in this bulletin for systems with IE 8 through 11 installed. Those who use IE7 and earlier or who do not have IE installed will need to install MS16-003 to patch this vulnerability.
  • MS16-002 is the Edge bulletin addressing two vulnerabilities as well. Both CVE-2016-0003 and CVE-2016-0024 are memory corruption vulnerabilities that could result in remote code execution if exploited.

One special note regarding this month’s IE advisory: In August 2014, Microsoft announced the end-of-life for Internet Explorer versions older than IE 11 that would take effect today. As a result, this month’s bulletin will be the final one for affected versions. After today, “only the most recent version of Internet Explorer available for a supported operating system will receive technical support and security updates.” As such, there are exceptions to the end-of-life announcement with those being Windows Vista SP2 (IE9), Windows Server 2008 SP2 (IE9), and Windows Server 2012 (IE 10). For more information on the IE end-of-life, please refer to Microsoft’s documentation here:

