Cisco Blogs



Threat Spotlight: Group 72

This post is co-authored by Joel Esler, Martin Lee and Craig Williams

Everyone has certain characteristics that can be recognised. This may be a way of walking, an accent, a turn of phrase or a style of dressing. If you know what characteristics to look for, you can easily spot a friend or acquaintance in a crowd. Exactly the same is true for threat actors.

Each threat actor group may have certain characteristics that they display during their attack campaigns. These may be the types of malware that they use, a pattern in the naming conventions of their command and control servers, their choice of victims etc. Collecting attack data allows an observer to spot the characteristics that define each group and identify specific threat actors from the crowd of malicious activity on the internet.

The Talos security and intelligence research group collects attack data from our various telemetry systems to analyse, identify and monitor threat actors through their different tactics, techniques, and procedures. Rather than give names to the different identified groups, we assign numbers to the threat actors. We frequently blog about significant attack campaigns that we discover; behind the scenes, we integrate our intelligence data directly into our products. As part of our research we keep track of certain threat actor groups and their activities. In conjunction with a number of other security companies, we are taking action to highlight and disrupt the activities of the threat actors identified by us as Group 72.


Gartner’s perspective on Cisco TrustSec

I am very pleased to be able to share some Gartner research on TrustSec.

While we’re continuing to make progress through broader product support, validation from auditors and implementation by other vendors, we believe that this research and Gartner’s perspective will provide you with a useful and informative viewpoint.

To read Gartner’s perspective on TrustSec please go to Cisco TrustSec Deployed Across Enterprise Campus Branch and Data Center Networks. We’d love to hear your feedback so please leave any comments below.

Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

Source: Gartner Research, G00245544, Phil Schacter, 12 February 2013, refreshed 1 October 2014


Evolution of the Nuclear Exploit Kit

This post is co-authored by Alex Chiu, Martin Lee, Emmanuel Tacheau, and Angel Villegas.

Exploit kits remain an efficient mechanism for cyber criminals to distribute malware. Such kits include exploits for multiple vulnerabilities within a single malicious webpage. Criminals can check operating systems, web browsers and browser plugins for anything that is not fully patched and launch an exploit specific to the out-of-date software. Using this technique, criminals can maximise their chances of infecting visitors while limiting their exposure to only those who are vulnerable, presumably in order to remain inconspicuous.


Security and the Internet of Everything

The theme of this year’s Cyber Security Awareness Month is “Our Shared Responsibility.” At Cisco, security is everyone’s responsibility – from our trustworthy development processes, to innovation enabling our customers and partners to address threats on end points, networks, and in the cloud. That is why Cisco is setting the industry standard for meeting the security needs demanded by the Internet of Everything (IoE).

Over the next six years, the number of devices connected to the Internet is going to reach 50 billion, creating some pretty unique opportunities and dilemmas as companies and industries are connecting people and devices to one another in ways we’ve never seen before, changing the way we work and live.

As the number of connected devices in the “Internet of Things” increases exponentially, organizations must keep security top of mind, because the number and type of attack vectors increase alongside the quantity of data IoE creates. This shift is creating a daunting challenge for companies and for those responsible for defending the infrastructure.

I recently did a video blog on the IoE from the security perspective. Take a look and let me know what you think in the comments.


To Succeed with Big Data, Enterprises Must Drop an IT-Centric Mindset; Securing IoT Networks Requires New Thinking

October 7, 2014 at 2:54 pm PST

To help organizations that aspire to apply the power of big data enterprise-wide, Cisco provides a powerful, efficient, and secure infrastructure and a wide array of analytics solutions. In our previous blogs, others have highlighted the benefits of Cisco’s ability to provide scalability, to process both real-time and historical data with predictable, high performance, and to deliver the comprehensive management automation enterprises will need to keep pace with big data in the IoE era. Today, I’d like to begin a conversation about how enterprises can secure their increasingly distributed networks – and the data that is being transported across them – as we operate in an environment comprised of 50 billion connected devices (in just five years from now).

One of the key drivers of Big Data is the Internet of Things (IoT), in which every connected ‘thing’ will be capable of producing data. IoT has become a popular topic of discussion amongst security company executives, analysts, and other industry pundits. As they discuss the technical details, it quickly becomes evident that many of the most experienced security professionals still approach IoT with an IT-centric mindset. Of course, they are partially correct. Securing an escalating volume of data requires rethinking our approach to security. Not only do security devices need to be faster, they need to navigate issues very specific to data centers and complex data flows. They need to be inserted as close to the traffic flow as possible, such as being positioned inline in the East/West traffic flowing across the data center. They need to be able to track and secure asymmetric traffic, often across multiple locations. They need to be able to blend corporate policy with public standards. Finally, they need to move seamlessly across physical, virtual, and cloud environments in order to ensure consistent policy enforcement. Gone are the days when we can simply hairpin traffic out of the data center to be inspected elsewhere. Speed and agility do not allow for that sort of bottleneck.

However, IoT is not only about the billions of new connected objects and inspecting the data they are producing. While the dramatic increase in the number and types of connected objects certainly expands the attack surface and dramatically increases the diversity of threats, they are only part of the IoT security challenge. Another new challenge is the convergence of the organization’s existing IT network with the operational technology (OT) network (e.g., manufacturing floors, energy grids, transportation systems, and other industrial control systems). These new environments, usually omitted from traditional IT thinking, expand the depth of security challenges and make threat remediation remarkably more complex.

Big Data is not just being generated by web-enabled toothbrushes or smart appliances. For Big Data to be useful, the data that is collected needs to be actionable. Converging data needs to be able to turn water supplies on or off, ramp up manufacturing floors, redirect traffic, or manage the flow of electricity during peak usage. As a result, while IT and OT were once separate networks, they are now simply different environments within a single extended network – but by no means are they the same! The architectures, operational needs, platforms, and protocols are vastly different for each of them, and drive radically different security requirements. As a result, security architectures, solutions, and policies that have proven effective for years in the IT world often don’t apply in OT environments, so attempting to enforce identical security policies across the extended network is doomed to failure.

Protecting data confidentiality, especially at high volume, is IT’s primary concern, so when faced with a threat, a common immediate response is to quarantine or shut down the affected system. But OT runs critical, 24×7 processes, including critical infrastructures, so data availability is its primary concern. Shutting down these processes can cost an organization millions of dollars and can actually put the public at risk, so the cost of remediation may be greater than simply dealing with the aftermath of an infection. In addition, because OT is a human-based operation in what can often be dangerous working conditions, its focus is also on the safety of the operation and of its employees. Because of these main differences, IT and OT teams have traditionally approached security in completely different ways. While IT uses a variety of cybersecurity controls to defend the network against attack and to protect data confidentiality, OT views security more in terms of secure physical access, as well as operational and personnel safety.

Securing IoT networks that need to participate in and respond to the demands of Big Data must go beyond today’s thinking. Rather than focusing on individual security devices, solutions need to be networked so they can collaborate to process increasing volumes of data into comprehensive, actionable security intelligence. By combining numerous systems, including cyber and physical security solutions, IoT-enabled security driven by Big Data can protect the entire interconnected environment from outside threats, monitor and secure critical data and infrastructure inside specific domains, and even improve employee safety. As a best practice, IT should maintain centralized management over the entire security solution, including the use of open standards in order to see and coordinate with public standards, but IT also needs to develop a high level of sensitivity to and understanding of the specific needs of OT. This will allow it to enforce differentiated security policies that meet the specific needs of the different parts of the network, and to provide localized control over critical OT systems while dealing with the operational demands of Big Data.

At the end of the day, IT and OT need to work together for the common good of the entire IoT implementation – locally and globally – thereby driving truly pervasive, customized security across the extended network.

Cisco can help organizations deliver the security they need to succeed in the IoT and IoE eras. To hear more about Cisco’s big data story, join us for a webcast at 9 AM Pacific time on October 21st entitled ‘Unlock Your Competitive Edge with Cisco Big Data and Analytics Solutions.’ #UnlockBigData

As the pace of big data adoption increases, speeding delivery of new big data and analytics solutions will become increasingly important. To find out how Cisco is helping our customers do just that, watch for Mike Flannagan’s upcoming blog “Aligning Solutions to Meet Our Customers’ Data Challenges” this Thursday. #UnlockBigData
