Cisco Blogs

Cisco Blog > Security

Threat Spotlight: A String of ‘Paerls’, Part One

This post was co-authored by Jaeson SchultzJoel Esler, and Richard Harman

Update 7-8-14: Part 2 can be found hereVRT / TRAC

This is part one in a two-part series due to the sheer amount of data we found on this threat and threat actor. This particular attack was a combined spearphishing and exploit attempt. As we’ve seen in the past, this can be a very effective combination.

In this specific example the attackers targeted a feature within Microsoft Word — Visual Basic Scripting for Applications. While basic, the Office Macro attack vector is obviously still working quite effectively.  When the victim opens the Word document, an On-Open macro fires, which results in downloading an executable and launching it on the victim’s machine. This threat actor has particularly lavish tastes.  This threat actor seem to target high-profile, money-rich industries such as banking, oil, television, and jewelry.

Discovering the threat

The VRT has hundreds of feeds of raw threat intelligence, ranging from suspicious URLs, files, hashes, etc.  We take that intelligence data and apply  selection logic to it to identify samples that are worthy of review.  Using various methods from machine learning to dynamic sandbox analysis, we gather details about the samples – producing indicator of  compromise (IOC), and alerts made up of multiple IOCs.

During our analysis we took the last 45 days’ worth of samples, and clustered them together based on a matching set of alert criteria.  This process reduced over a million detailed sample reports to just over 15 thousand sample clusters that exhibit similar behavior.  Using this pattern of similar behavior, we were capable of identifying families of malware.  This led us to discover a Microsoft Word document that downloaded and executed a secondary sample, which began beaconing to a command and control server.

The Malicious Word documents & Associated Phishing campaign

The attacks we uncovered are an extremely targeted spear phish in the form of an invoice, purchase order, or receipt, written specifically for the recipient.  For instance, the following is an example message we observed that purportedly came from “Maesrk”, the shipping company.


Read More »

Tags: , , , , , , , , , ,

A Holistic Approach to Secure Enterprise Mobility

Cisco_FOM_Podcast_Gordon 6.18.14“It’s not secure enough… so we are not going to allow it to happen.”

Does this phrase seem all too familiar?

Today, IT and business leaders are faced with the challenge of securing any user from any location on any device with access to any information. At times, it can be a daunting road to travel on the path towards true enterprise mobility security. This is especially true as the combination of sophisticated threats and new mobile capabilities and applications are continuing to shape the role and evolution of security controls and policies.

As the mobile endpoint becomes the new perimeter, how can organizations evolve their mobility security policies to mitigate risk? Is protecting information at the data or device level the way to keep employees and assets secure when users conduct business on untrusted networks?

Recently, I had a chance to participate in a new Future of Mobility podcast with Dimension Data’s Stefaan Hinderyckx, to discuss the biggest challenges our customers are seeing as they deploy enterprise mobility security solutions.

Many CSOs that Stefaan speaks with are seeing the clear and present danger of opening their networks, devices and applications to a new mobile world. Yet, many are not shying away from the benefits that enterprise mobility offers. They say:

“Mobility is inevitable. It’s happening and we need to embrace it and deliver it for the business.”

With this in mind, how can IT and business leaders address key challenges and embrace a holistic approach to secure enterprise mobility?

Complexity: There Are No Boundaries Anymore

One of the biggest challenges our customers are seeing is the increase in complexity as they work to meet business needs through mobility, all while keeping users and assets secure.

Simply put, there are no boundaries anymore. There is no place you can put a firewall to make things secure on the inside and insecure on the outside.

A major reason for this complexity is the result of approaching security in a siloed manner. It can be complex to try to secure the device, data on the device, the user and the network in a disparate way!

IT and business leaders need to work together to make the whole environment secure. It is no longer enough to find point solutions to data-centric or device-centric controls, the only way to be confident in your approach is to build a holistic strategy.

Read More »

Tags: , , , , , ,

New blueprint for data center security

RATS in the Data Center, a recent blog post by Cisco’s Tom Hogue, highlighted the current threat landscape for data centers. Tom was referring to Remote Access Toolkits, not the disease-carrying vermin that likely started the plagues that ravaged Europe in the Middle Ages. However, the destructive effect of modern-day RATS can be devastating.. They provide a novice hacker the tools to craft a successful attack, lowering the skill and proficiency needed while increasing the volume and likelihood of attacks. And RATS attacks will likely target the data center because that is where the most valuable information is stored – whether it’s credit card numbers, social security and other personally identifiable information (PII), financial records, intellectual property, or trade secrets.

Many organizations secure the perimeter of their network. But once network access is granted, there are minimal controls in place for authorized users. They are completely trusted on the network. The underlying problem in today’s threat environment is these users may not be in control of their device due to malware infection. Or they may not be who they say they are due to stolen credentials/passwords. A new model is needed to continually protect the critical assets of the business and to minimize complexity while supporting new data center services and business models.

Cisco developed the Secure Data Center for the Enterprise Solution portfolio of validated design guides to create a comprehensive and modular approach to securing data centers. The newest Cisco Validated Design (CVD) to be added to this portfolio is Threat Management with NextGen IPS – First Look Design Guide.  This new CVD builds on the capabilities introduced in the Single Site Clustering with TrustSec CVD by integrating the FirePOWER NextGen IPS to provide a true threat management system. The FirePOWER appliance provides threat protection capabilities beyond what a traditional IPS offers, resulting in a comprehensive solution for today’s malicious environment using highly capable threat management workflows. These workflows provide a different approach: the point of view of a cyber-attacker.

A First Look from a Different Viewpoint

That’s what makes this CVD intriguing—and, we hope, very useful. By looking at the “Attack Chain” where the capabilities to execute a successful attack are developed, this information can arm cyber-defenders with the tools and knowledge to effectively protect their networks and the business-critical information contained in their data centers.


Attack Chain

Attack Chain


The Threat Management with NextGen IPS First Look Design Guide also introduces a new security model, the attack continuum, which identifies each of the critical processes integral to a complete security system. This model addresses the cyber threat problem by looking at the actions to take before, during, and after an attack, across a broad range of attack vectors such as endpoints, mobile devices, data center assets, virtual machines, and in the cloud. Where most security solutions tend to address threat protection at a single point in time, it is important to look at it as a continuous cycle with key actions to take at each point in time.

Attack Continuum

Before an Attack: Organizations need complete visibility of their environment, including but not limited to the systems, services, users, endpoints, operating systems, applications, and network behavior models. From this visibility, ongoing monitoring and actionable alerts must be in place so informed decisions may be made in a timely manner.

During an Attack: Awareness is critical to identify the attack at the earliest possible point in time, ideally before the critical systems are compromised and valuable data is accessed. A security system should aggregate and correlate data using historical patterns and global attack intelligence to provide context to distinguish between active attacks, exfiltration, and reconnaissance using continual analysis and decision making.

After an Attack: Retrospective security is a big data challenge. With an infrastructure that can continuously gather and analyze data to create security intelligence, security teams can, through automation, identify indicators of compromise, detect malware that is sophisticated enough to alter its behavior to avoid detection, and then remediate it.

The attack continuum model provides a view of how to address threats, and helps build a framework of capabilities so organizations can start implementing robust security controls to protect their data centers. This new Cisco Validated Design, Threat Management with NextGen IPS, provides fresh tools and technologies needed to develop a comprehensive response to today’s threats affecting not only the data center, but also the entire enterprise.

Cisco Web Security and the Health Insurance Portability and Accountability Act (HIPAA)

Spurred by the Health Insurance Portability and Accountability Act (HIPAA), which outlined a set of standards and guidelines for the protection and transmission of individual health information, as well as the subsequent amendment to address standards for the security of electronic protected health information, customers often ask me the following questions:

  • Is your product HIPAA certified?
  • Is your product HIPAA compliant?
  • Will your product meet HIPAA standards?
  • If I implement your products, will I be HIPAA compliant?

While this blog post is in no way to be construed as legal advice, I wanted to provide an overview pertinent to answering the above questions.

The Reality

In short, the answer to the above questions is NO! Here is why. There are no products on the market that are HIPAA certified or HIPAA compliant! I know this sounds challenging and some vendors have claimed that implementing their products will make the customer HIPAA compliant, but that is not the case.

HIPAA cannot be addressed with a single product or set of products. HIPAA is a series of policies and procedures that “covered entities” must implement to safeguard information. Products manufactured by Cisco and other technology companies can be used to implement those defined policies and procedures but the simple inclusion of a technology in the network does not automatically make an entity compliant. Products have to be configured to adhere to the standards set forth by HIPAA.

For a better grasp on the implications of HIPAA, let’s take a look at some of the details outlined in the Act.

Covered Entities

First, let’s examine a 2“covered entity” as defined by HIPAA.

HIPAA standards apply only to:

  • Health care providers who transmit any health information electronically in connection with certain transactions
  • Health plans
  • Health care clearinghouses

What is a Health Care Provider?

Any person or organization who furnishes, bills, or is paid for health care in the normal course of business

Protected Information

1The statute requires the privacy standards to cover individually identifiable health information. The Privacy Rule covers all individually identifiable information except for: (1) Education records covered by the Family and Educational Rights and Privacy Act (FERPA); (2) records described in 20 U.S.C. 1232g(a)(4)(B)(iv); and (3) employment records. (see the Privacy Rule at 65 FR 82496. See also 67 FR 53191 through 53193).

3The Privacy Rule protects all “individually identifiable health information” held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. The Privacy Rule calls this information “protected health information” (PHI).

“Individually identifiable health information” is information, including demographic data, that relates to:

  • the individual’s past, present or future physical or mental health or condition,
  • the provision of health care to the individual, or
  • the past, present, or future payment for the provision of health care to the individual,

and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual. Individually identifiable health information includes many common identifiers (e.g., name, address, birth date, Social Security Number).

The Privacy Rule excludes from protected health information employment records that a covered entity maintains in its capacity as an employer and education and certain other records subject to, or defined in, the Family Educational Rights and Privacy Act, 20 U.S.C. §1232g.

Technical Safeguards

HIPAA defines security controls around the storage, access, control, and transmission electronically of the above noted protected information.

1Technical Safeguards (§ 164.312)

We proposed five technical security services requirements with supporting implementation features: access control, audit controls, authorization control, data authentication, and entity authentication. We also proposed specific technical security mechanisms for data transmitted over a communications network, communications/network controls with supporting implementation features; integrity controls; message authentication; access controls; encryption; alarm; audit trails; entity authentication; and event reporting.

In this final rule, we consolidate these provisions into § 164.312. That section now includes standards regarding access controls, audit controls, integrity (previously titled data authentication), person or entity authentication, and transmission security.

4Technical Safeguards Summary

  • Access Control—A covered entity must implement technical policies and procedures that allow only authorized persons to access electronic protected health information (e-PHI).
  • Audit Controls—A covered entity must implement hardware, software, and/or procedural mechanisms to record and examine access and other activity in information systems that contain or use e-PHI.
  • Integrity Controls—A covered entity must implement policies and procedures to ensure that e-PHI is not improperly altered or destroyed. Electronic measures must be put in place to confirm that e-PHI has not been improperly altered or destroyed.
  • Transmission Security—A covered entity must implement technical security measures that guard against unauthorized access to e-PHI that is being transmitted over an electronic network.

Cisco believes that today’s dynamic threat landscape, new business models, and complex regulatory requirements require a new threat-centric approach to security. This new security model reduces complexity, while providing superior visibility, continuous control, and advanced threat protection across the extended network and the entire attack continuum. This makes it easier for customers to act more quickly before, during, and after an attack, which is particular important to risk management and reduction.

In regards to Cisco Web Security products and transmission security conformance, Cisco Web Security products provide the necessary encryption services along with audit, entity authentication, and event reporting to help address the technical safeguards.

Cisco Web Security products do not determine that the receiving website is of the appropriate type or has implemented the appropriate controls for handling HIPAA protected data but ensures that the information was transmitted securely upon request by the transmitter (think data loss prevention, not covered in this paper). It is the responsibility of the customers’ security and administrative staffs to determine which sites are deemed acceptable for receiving or transmitting this data. Cisco Web Security products can provide transmission security, transmission entity authentication, event reporting, and integrity of the transmission via the HTTPS protocol.


The Department of Health and Human Services HIPAA Act of 1996 amended in 2003 has many complex provisions and should be reviewed on a regular basis by any covered entity’s security and administrative staffs for conformance. The intent of the Act is the protection of private health information via both administrative and technical safeguards. Cisco provides a range of security products that can be used by customers to meet many of the requirements outlined in the HIPAA standards but only if properly configured, maintained, and monitored. As stated earlier, deployment of a single product or set of products will not, in and of themselves, ensure HIPAA compliance.


  2. 45 CFR §§ 160.102, 164.500

Tags: , , , ,

A New Model to Protect the Endpoint, Part 1: Continuous vs. Point-in-Time Security

The fundamental security problem that many defenders face is securing their environment in a world of continuous change. IT environments change. Threats change. But today’s threat detection technology doesn’t change. It’s stuck in time, point-in-time to be exact.

Sure, detection technologies have evolved. The latest improvements include: executing files in a sandbox for detection and analysis, the use of virtual emulation layers to obfuscate malware from users and operating systems, reputation-based application whitelisting to baseline acceptable applications from malicious ones, and, more recently, attack chain simulation and analysis detection. But predictably, attackers fundamentally understand the static nature of these security technologies and are innovating around the limitations associated with them to penetrate network and endpoint defenses.

These point-in-time detection technologies will never be 100 percent effective and are unable to identify the unfolding follow-on activities of the attacker which require continuous scrutiny. The disconnect stems from the fact that malware is dynamic and three dimensional. It doesn’t just exist in a two-dimensional point-in-time ‘X-Y’ plot waiting to be detected, where X is time and Y is the detection mechanism. Malware exists as an interconnected ecosystem that is constantly in motion. To be even remotely effective, malware defenses have to be multi-dimensional and just as dynamic, taking into account the relationship dimension as well.

Read More »

Tags: , , , ,