Cisco Blogs



Threat-Focused NG-Firewall – Who Cares? Part 1

Part 1: Rude Awakening

Let us begin with some context in the form of a story.

I live in a very bad part of town and I am always worried that my car is going to get stolen or broken into. So, I just invested over a thousand bucks in this awesome vehicle alarm and security system. You know, one of those ultra-advanced systems that connects to an app on your smartphone, includes an ignition kill switch, vehicle tracker, cameras, motion detection, as well as all of the typical features you would expect. If someone enters the vehicle without my key fob, it calls my phone, and even takes pictures of the inside of the vehicle. I now feel so much better about parking my car outside. The company that sold me the alarm made me feel like my car was ‘un-steal-able’ and even if it was, I would have pictures of who did it and would be able to find it easily. Perfect. I feel protected. I can sleep at night.

The other morning, I went outside and strangely, it was gone…the shock sensor and its cut-wires lying on the ground where the car once sat. I think I stood there for a solid minute with my mouth open before I thought to do anything. I checked my phone – no call. I looked at the app – no pictures or interior motion detected. All appeared normal. Darn! (actually other words, but keeping it clean here) How could this happen? That alarm company assured me this was impossible. Heck, they are the most popular system on the market – everyone loves these guys. They have all of the ‘best’ and innovative features and no one makes vehicle security easier than these guys. And, I bought the top-of-the-line model, with all of the bells and whistles, just short of the biometric entry system. Wow! How could this have happened?

I called the police to file a report and see if the tracker could be used to find my stolen car. “Sure, we will look for it.” The tracker required a connection, which didn’t exist. The app was useless unless something triggered it, and the company that sold it to me, of course, wasn’t much help. “Looks like someone really wanted your car,” they said. Long story short, the vehicle was found 26 days later on a burned-out flatbed in Mexico. What hadn’t been taken off of it was torched; no trace whatsoever.

Security Isn’t Easy

The moral of the story is two-fold. One, there is no such thing as easy security, at any price. As soon as you think you have achieved it, the unthinkable will certainly happen. Two, no amount of prevention or detection will ever overcome human motivation and ingenuity. Today’s attackers have the technology innovations of the entire industry at their fingertips when they attack us, so their ingenuity is boundless. Billions of dollars are made each year by attackers stealing our data. What better motivation than money? Considering that much of what we are up against today is nation-state sponsored, everything becomes that much more complicated.


Malware stealing gigabytes of your data as seen by Cognitive Threat Analytics

This post is authored by Gayan de Silva and Martin Pospisil.

Overview

Recently, about 50 users across 20 companies were alerted by Cisco Cognitive Threat Analytics (CTA) to malware that exfiltrates gigabytes of data from their computers. An example of such a CTA detection:

[Figure: CTA Exfiltration Incident]

In addition to the usual malware command and control activities, the incident features an upload of 2.3 gigabytes of data to a highly suspicious destination. CTA has classified this incident as malware with high severity and confidence.

This particular malware uses a custom protocol over TCP port 443, the port assigned to HTTPS. Generally, fewer than 10% of organizations do any inspection of HTTPS traffic. On top of that relatively low probability of interception, the malware authors also use a custom protocol that is not based on HTTPS at all, so a TLS-aware inspection device would not decode it. A comparison of the stream content of the custom protocol with the stream content of an HTTPS connection is shown below.
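The two observations above (a large upload, and traffic on TCP/443 that is not actually TLS) can be checked from flow metadata without decrypting anything. The following is an added example, not CTA's own logic and not code from the post: it takes constructed flow records (a sample of internal source, destination, bytes uploaded and the first payload bytes the client sent) and flags flows on port 443 whose first bytes do not look like a TLS record header, raising the severity when the same flow also uploaded more than a configurable threshold. The `Flow` fields, the 1 GiB default threshold and the sample addresses are all assumptions for the example.

```python
"""Flag TCP/443 flows that carry a non-TLS protocol and/or upload large volumes.

Added example (not CTA's detection logic). Input is a summary per flow as a
network sensor might export it; the records below are constructed.
"""
from dataclasses import dataclass
from typing import List

GIB = 1024 ** 3


@dataclass
class Flow:
    src: str
    dst: str
    dst_port: int
    bytes_out: int          # bytes sent from the internal host to the destination
    first_payload: bytes    # first bytes the client sent on the connection


def looks_like_tls(first_payload: bytes) -> bool:
    """Return True if the client's first bytes form a plausible TLS record header.

    A TLS record starts with a one-byte content type (0x16 = handshake, which is
    what a ClientHello is), a two-byte protocol version whose major byte is 0x03
    (SSL 3.0 through TLS 1.3 all put 0x03 there on the wire) and a two-byte length.
    Anything else on port 443 is a custom or non-standard protocol.
    """
    if len(first_payload) < 5:
        return False
    content_type, major, minor = first_payload[0], first_payload[1], first_payload[2]
    return content_type == 0x16 and major == 0x03 and minor <= 0x04


def assess_flow(flow: Flow, upload_threshold: int = 1 * GIB) -> dict:
    """Score one flow: each independent indicator adds a reason; two reasons = high."""
    reasons = []
    if flow.dst_port == 443 and not looks_like_tls(flow.first_payload):
        reasons.append("non-TLS payload on TCP/443")
    if flow.bytes_out >= upload_threshold:
        reasons.append(f"large upload ({flow.bytes_out / GIB:.1f} GiB)")
    severity = {0: "none", 1: "medium", 2: "high"}[len(reasons)]
    return {"src": flow.src, "dst": flow.dst, "severity": severity, "reasons": reasons}


# Constructed sample flows (documentation-range addresses, not real traffic):
SAMPLE_FLOWS = [
    # ordinary HTTPS: a TLS 1.2 ClientHello record header and a small upload
    Flow("10.0.0.5", "203.0.113.10", 443, 48 * 1024,
         bytes.fromhex("160303012c0100012803")),
    # custom protocol on 443 plus a 2.3 GiB upload, like the incident in the post
    Flow("10.0.0.7", "198.51.100.23", 443, int(2.3 * GIB),
         b"\x01\x00\x00\x10HELOEXFIL"),
    # a large but legitimate-looking upload over real TLS (e.g. cloud backup)
    Flow("10.0.0.9", "203.0.113.44", 443, int(1.5 * GIB),
         bytes.fromhex("1603010200010001fc0303")),
]


def triage(flows: List[Flow]) -> List[dict]:
    """Return only the flows that raised at least one reason, in input order."""
    return [r for r in (assess_flow(f) for f in flows) if r["severity"] != "none"]


if __name__ == "__main__":
    for finding in triage(SAMPLE_FLOWS):
        print(finding)
```

The point of keeping the two indicators separate is that each one alone is noisy: large uploads over genuine TLS are routine (backups, sync clients), and non-TLS on 443 is occasionally a misconfigured service. The combination, a multi-gigabyte upload over a protocol that only pretends to be HTTPS, is what makes the incident stand out, which is why it is scored high while the other two flows are either ignored or left at medium for an analyst to review.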


Introducing the Cisco PSIRT openVuln API

In October, we announced details about Cisco PSIRT’s new and improved security vulnerability disclosure format. Our Chief Security and Trust Officer, John Stewart, also revealed that Cisco will launch an application programming interface (API) that empowers customers to customize Cisco vulnerability information and publications. Today, we have officially launched the Cisco PSIRT openVuln API and it is available for immediate use.

The Cisco PSIRT openVuln API is a RESTful API that allows customers to obtain Cisco security vulnerability information in different machine-consumable formats. It supports industry-wide security standards such as the Common Vulnerability Reporting Framework (CVRF), Open Vulnerability and Assessment Language (OVAL), Common Vulnerabilities and Exposures (CVE) identifiers, and the Common Vulnerability Scoring System (CVSS).

[Figure: openVuln supported standards]

This API allows technical staff and programmers to build tools that help them do their job more effectively. In this case, it enables them to easily keep up with security vulnerability information specific to their network. That frees up more time for them to manage their network and deploy new capabilities in their infrastructure.


New Cisco Rapid Threat Containment Solution Detects and Automatically Contains Threats

Integration of Cisco FireSIGHT Management Center and Identity Services Engine (ISE) Now Available

As explained in our 2015 Cisco Midyear Security Report, attackers are using innovative tactics like exploit kits, ransomware, and advanced malware to evade detection. Organizations are using as many as 40 to 60+ disparate security solutions that typically don’t – and can’t – work together. These point solutions have limited impact against well-funded cybercriminals and typically generate vast numbers of alerts, many of which may not be relevant. On average, large organizations have to sift through nearly 17,000 alerts each week to find the 19 percent that are considered reliable, and security professionals only have time to investigate 4 percent of warnings.

It’s no wonder that, based on various reports, the current industry average for time to detection is 200 days. That’s far too long. The longer the threat goes undetected, the greater potential for damage. By the time a breach is discovered the damage has been done.

The new Cisco Rapid Threat Containment solution with Cisco FireSIGHT Management Center and Cisco ISE lets you get to the heart of what matters – providing deep network detection and automatic containment of critical threats so you can mitigate your security risk quickly and efficiently without overburdening your security team.


Threat Spotlight: Cryptowall 4 – The Evolution Continues

This post is authored by Andrea Allievi and Holger Unterbrink with contributions from Warren Mercer.

Executive Summary

Over the past year, Talos has devoted a significant amount of time to better understanding how ransomware operates, its relation to other malware, and its economic impact. This research has proven valuable for Talos and has led to the development of better detection methods within the products we support, along with the disruption of adversarial operations. CryptoWall is one ransomware variant that has shown gradual evolution over the past year with CryptoWall 2 and CryptoWall 3. Despite global efforts to detect and disrupt the distribution of CryptoWall, adversaries have continued to innovate and evolve their craft, leading to the release of CryptoWall 4. In order to ensure we have the most effective detection possible, Talos reverse engineered CryptoWall 4 to better understand its execution, behavior and deltas from previous versions, and to share our research and findings with the community.

For readers who may not be familiar, ransomware is malicious software that is designed to hold users’ files (such as photos, documents, and music) for ransom by encrypting their contents and demanding that the user pay a fee to decrypt them. Typically, users are exposed to ransomware via email phishing campaigns and exploit kits. The core functionality of CryptoWall 4 remains the same: it continues to encrypt users’ files and then presents a message demanding that the user pay a ransom. However, Talos observed several new developments in CryptoWall 4 compared with previous versions. For example, several of the encryption algorithms used for holding users’ files for ransom have changed. Also, CryptoWall 4 includes a new technique to disable and delete all automatic Windows backup mechanisms, making it almost impossible to recover encrypted files without an external backup. Finally, CryptoWall 4 has been observed using undocumented API calls, not previously used, to find the local language settings of the compromised host. These are just a few of the new findings Talos observed in the new iteration of CryptoWall that are detailed further in this post.

For our technically savvy users, we encourage you to continue reading. As always, we strongly encourage users and organizations to follow recommended security practices and to employ multiple layers of detection in order to reduce the risk of compromise. Our in-depth analysis of the latest CryptoWall version gives us a better opportunity to protect our users by allowing us to identify better detection methods. Finally, as a note regarding recent statements by the FBI informing users that they should just pay the ransom if they have no alternative, Talos strongly encourages users to not pay the ransom as doing so directly funds this malicious activity.
