Cisco Blogs

Cisco Blog > Security

Before, During and After: How to Think About Complex Threats

I’m often asked how to deal with the security threat landscape within the context of running a business. The security threat landscape can seem like a highly complex challenge, yet as I’ve looked at it through my work with Cisco and the broader industry, it can actually be boiled down into three simple phases: before, during and after attack.

It sounds simple in theory, but in practice the conversation often focuses predominantly on the “before” phase; that is, minimizing a hacker’s chances of success. While this is clearly the most important phase, it’s also crucial to have a clear threat containment strategy for “during” an attack, and a visibility and forensics plan for “after” it as well. It seems complex, but it can be surprisingly simple. Take a look at a recent video blog I did on the topic.

Tags: , , , ,

Is Your Team Prepared for a Cyber Attack? Get Ready with CyberRange Training

The fire alarm went off in my building again, but fortunately, it was only a drill. By now, we are all used to the periodic fire drills for emergency preparedness in our workplaces. But have you ever wondered if there is a similar exercise possible for a cyber attack? The same logic applies. Your team will be better prepared to handle a disaster if they are trained for it.

Seeing is believing: Today I am excited to share this video from our Cisco Korea team that showcases Cisco CyberRange.

Read More »

Tags: , , , ,

Threat Spotlight: A String of ‘Paerls’, Part One

This post was co-authored by Jaeson SchultzJoel Esler, and Richard Harman

Update 7-8-14: Part 2 can be found hereVRT / TRAC

This is part one in a two-part series due to the sheer amount of data we found on this threat and threat actor. This particular attack was a combined spearphishing and exploit attempt. As we’ve seen in the past, this can be a very effective combination.

In this specific example the attackers targeted a feature within Microsoft Word — Visual Basic Scripting for Applications. While basic, the Office Macro attack vector is obviously still working quite effectively.  When the victim opens the Word document, an On-Open macro fires, which results in downloading an executable and launching it on the victim’s machine. This threat actor has particularly lavish tastes.  This threat actor seem to target high-profile, money-rich industries such as banking, oil, television, and jewelry.

Discovering the threat

The VRT has hundreds of feeds of raw threat intelligence, ranging from suspicious URLs, files, hashes, etc.  We take that intelligence data and apply  selection logic to it to identify samples that are worthy of review.  Using various methods from machine learning to dynamic sandbox analysis, we gather details about the samples – producing indicator of  compromise (IOC), and alerts made up of multiple IOCs.

During our analysis we took the last 45 days’ worth of samples, and clustered them together based on a matching set of alert criteria.  This process reduced over a million detailed sample reports to just over 15 thousand sample clusters that exhibit similar behavior.  Using this pattern of similar behavior, we were capable of identifying families of malware.  This led us to discover a Microsoft Word document that downloaded and executed a secondary sample, which began beaconing to a command and control server.

The Malicious Word documents & Associated Phishing campaign

The attacks we uncovered are an extremely targeted spear phish in the form of an invoice, purchase order, or receipt, written specifically for the recipient.  For instance, the following is an example message we observed that purportedly came from “Maesrk”, the shipping company.


Read More »

Tags: , , , , , , , , , ,

A Holistic Approach to Secure Enterprise Mobility

Cisco_FOM_Podcast_Gordon 6.18.14“It’s not secure enough… so we are not going to allow it to happen.”

Does this phrase seem all too familiar?

Today, IT and business leaders are faced with the challenge of securing any user from any location on any device with access to any information. At times, it can be a daunting road to travel on the path towards true enterprise mobility security. This is especially true as the combination of sophisticated threats and new mobile capabilities and applications are continuing to shape the role and evolution of security controls and policies.

As the mobile endpoint becomes the new perimeter, how can organizations evolve their mobility security policies to mitigate risk? Is protecting information at the data or device level the way to keep employees and assets secure when users conduct business on untrusted networks?

Recently, I had a chance to participate in a new Future of Mobility podcast with Dimension Data’s Stefaan Hinderyckx, to discuss the biggest challenges our customers are seeing as they deploy enterprise mobility security solutions.

Many CSOs that Stefaan speaks with are seeing the clear and present danger of opening their networks, devices and applications to a new mobile world. Yet, many are not shying away from the benefits that enterprise mobility offers. They say:

“Mobility is inevitable. It’s happening and we need to embrace it and deliver it for the business.”

With this in mind, how can IT and business leaders address key challenges and embrace a holistic approach to secure enterprise mobility?

Complexity: There Are No Boundaries Anymore

One of the biggest challenges our customers are seeing is the increase in complexity as they work to meet business needs through mobility, all while keeping users and assets secure.

Simply put, there are no boundaries anymore. There is no place you can put a firewall to make things secure on the inside and insecure on the outside.

A major reason for this complexity is the result of approaching security in a siloed manner. It can be complex to try to secure the device, data on the device, the user and the network in a disparate way!

IT and business leaders need to work together to make the whole environment secure. It is no longer enough to find point solutions to data-centric or device-centric controls, the only way to be confident in your approach is to build a holistic strategy.

Read More »

Tags: , , , , , ,

New blueprint for data center security

RATS in the Data Center, a recent blog post by Cisco’s Tom Hogue, highlighted the current threat landscape for data centers. Tom was referring to Remote Access Toolkits, not the disease-carrying vermin that likely started the plagues that ravaged Europe in the Middle Ages. However, the destructive effect of modern-day RATS can be devastating.. They provide a novice hacker the tools to craft a successful attack, lowering the skill and proficiency needed while increasing the volume and likelihood of attacks. And RATS attacks will likely target the data center because that is where the most valuable information is stored – whether it’s credit card numbers, social security and other personally identifiable information (PII), financial records, intellectual property, or trade secrets.

Many organizations secure the perimeter of their network. But once network access is granted, there are minimal controls in place for authorized users. They are completely trusted on the network. The underlying problem in today’s threat environment is these users may not be in control of their device due to malware infection. Or they may not be who they say they are due to stolen credentials/passwords. A new model is needed to continually protect the critical assets of the business and to minimize complexity while supporting new data center services and business models.

Cisco developed the Secure Data Center for the Enterprise Solution portfolio of validated design guides to create a comprehensive and modular approach to securing data centers. The newest Cisco Validated Design (CVD) to be added to this portfolio is Threat Management with NextGen IPS – First Look Design Guide.  This new CVD builds on the capabilities introduced in the Single Site Clustering with TrustSec CVD by integrating the FirePOWER NextGen IPS to provide a true threat management system. The FirePOWER appliance provides threat protection capabilities beyond what a traditional IPS offers, resulting in a comprehensive solution for today’s malicious environment using highly capable threat management workflows. These workflows provide a different approach: the point of view of a cyber-attacker.

A First Look from a Different Viewpoint

That’s what makes this CVD intriguing—and, we hope, very useful. By looking at the “Attack Chain” where the capabilities to execute a successful attack are developed, this information can arm cyber-defenders with the tools and knowledge to effectively protect their networks and the business-critical information contained in their data centers.


Attack Chain

Attack Chain


The Threat Management with NextGen IPS First Look Design Guide also introduces a new security model, the attack continuum, which identifies each of the critical processes integral to a complete security system. This model addresses the cyber threat problem by looking at the actions to take before, during, and after an attack, across a broad range of attack vectors such as endpoints, mobile devices, data center assets, virtual machines, and in the cloud. Where most security solutions tend to address threat protection at a single point in time, it is important to look at it as a continuous cycle with key actions to take at each point in time.

Attack Continuum

Before an Attack: Organizations need complete visibility of their environment, including but not limited to the systems, services, users, endpoints, operating systems, applications, and network behavior models. From this visibility, ongoing monitoring and actionable alerts must be in place so informed decisions may be made in a timely manner.

During an Attack: Awareness is critical to identify the attack at the earliest possible point in time, ideally before the critical systems are compromised and valuable data is accessed. A security system should aggregate and correlate data using historical patterns and global attack intelligence to provide context to distinguish between active attacks, exfiltration, and reconnaissance using continual analysis and decision making.

After an Attack: Retrospective security is a big data challenge. With an infrastructure that can continuously gather and analyze data to create security intelligence, security teams can, through automation, identify indicators of compromise, detect malware that is sophisticated enough to alter its behavior to avoid detection, and then remediate it.

The attack continuum model provides a view of how to address threats, and helps build a framework of capabilities so organizations can start implementing robust security controls to protect their data centers. This new Cisco Validated Design, Threat Management with NextGen IPS, provides fresh tools and technologies needed to develop a comprehensive response to today’s threats affecting not only the data center, but also the entire enterprise.