This post was also authored by Andrew Tsonchev and Steven Poulson.
Update 2014-05-26: Thank you to Fox-IT for providing the Fiesta logo image. We updated the caption to accurately reflect image attribution.
Cisco’s Cloud Web Security (CWS) service provides TRAC researchers with a constant fire hose of malicious insight and now that we are collaborating with Sourcefire’s Vulnerability Research Team (VRT) we have additional capabilities to quickly isolate and prioritize specific web exploit activity for further analysis. Thus when we were recently alerted to an aggressive Fiesta exploit pack (EP) campaign targeting our customers, we quickly compared notes and found that in addition to the typical Java exploits, this EP was also using a Microsoft Silverlight exploit. In the Cisco 2014 Annual Security Report (ASR) we discuss how 2013 was a banner year for Java exploits, and while updating Java should remain a top priority, Silverlight is certainly worth patching as threat actors continue to search for new application exploits to leverage in drive-by attacks.
Image provided courtesy of Fox-IT
Over the past 30 days this specific Fiesta campaign was blocked across more than 300 different companies. The attacker(s) used numerous dynamic DNS (DDNS) domains – that resolved to six different IP addresses – as exploit landing pages. The chart below depicts the distribution of hosts used in this attack across the most blocked DDNS base domains.
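The pivot behind that chart, as an added example (not code from the original post): group the blocked dynamic-DNS hostnames by their DDNS base domain and by the IP address they resolved to. Many throwaway hostnames collapsing onto a handful of IPs is what ties them into one campaign. The hostnames, IPs, block counts and DDNS provider suffixes below are constructed for illustration and are not the real Fiesta indicators.

```python
# Added example, not from the original post: cluster exploit-kit landing-page
# hostnames by DDNS base domain and by resolved IP.
from collections import defaultdict

# Constructed sample data (hostname, resolved_ip, block_count). These are
# invented values, not the actual Fiesta campaign indicators.
BLOCKED_HOSTS = [
    ("cdn-upd1.ddns-one.example", "198.51.100.10", 41),
    ("files-sync.ddns-one.example", "198.51.100.10", 17),
    ("img-srv.ddns-two.example", "198.51.100.10", 9),
    ("media9.ddns-two.example", "203.0.113.7", 23),
    ("stat-node.ddns-two.example", "203.0.113.7", 5),
    ("update-chk.ddns-one.example", "203.0.113.7", 12),
    ("api-front.ddns-three.example", "192.0.2.44", 8),
]

# Assumed (hypothetical) dynamic-DNS provider suffixes. In practice this list
# would come from a DDNS provider feed or the public suffix list.
DDNS_SUFFIXES = ("ddns-one.example", "ddns-two.example", "ddns-three.example")


def base_domain(hostname):
    """Return the DDNS base domain a hostname belongs to, or None if it is not
    under a known DDNS provider suffix."""
    host = hostname.lower().rstrip(".")
    for suffix in DDNS_SUFFIXES:
        if host == suffix or host.endswith("." + suffix):
            return suffix
    return None


def blocks_by_base_domain(records):
    """Sum block counts per DDNS base domain (the view the post's chart takes)."""
    totals = defaultdict(int)
    for host, _ip, count in records:
        base = base_domain(host)
        if base is not None:
            totals[base] += count
    return dict(totals)


def hosts_by_ip(records):
    """Group distinct hostnames by the IP they resolved to. A few IPs serving
    many DDNS names is the pivot that links the names into one campaign."""
    groups = defaultdict(set)
    for host, ip, _count in records:
        groups[ip].add(host.lower().rstrip("."))
    return {ip: sorted(hosts) for ip, hosts in groups.items()}


if __name__ == "__main__":
    for base, total in sorted(blocks_by_base_domain(BLOCKED_HOSTS).items(),
                              key=lambda kv: -kv[1]):
        print(f"{base:<24} {total:>4} blocks")
    for ip, hosts in hosts_by_ip(BLOCKED_HOSTS).items():
        print(f"{ip:<16} -> {len(hosts)} hostnames: {', '.join(hosts)}")
```

Blocking on the resolved IP rather than on each hostname is what lets a defender keep up when the attacker rotates DDNS names faster than blocklists update.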
Are you a security or IT professional who has just finished resolving the security issues that came with BYOD (bring-your-own-device)? Watch out: BYOD was a precursor, a warm-up exercise, for the tsunami now hitting your shores.
The SANS Institute just completed a survey, predominantly of security and IT professionals, on their views of securing the Internet of Things (IoT).
78% of respondents were either unsure whether they have the basic visibility and management capabilities they will need to secure the Things on their networks, or know that they lack them.
It seems that, like BYOD, IoT adoption is driven with minimal IT consultation and with security as an afterthought: 46% of respondents have no policy to drive the visibility and management of IoT devices.
The top security controls used today for securing IoT were authentication/authorization (68%), system monitoring (65%), and segmentation (49%). Those map directly to what Cisco Secure Access solutions offer: visibility, a platform that supplies critical context, and unified secure access control. More importantly, this will also help the 74% that rely on manual processes for discovery and inventory of connected devices (from previous SANS research).
Two thirds (67%) are using SIEM (security information and event management) to monitor and collect data to secure IoT. Cisco ISE (Identity Services Engine) integrates with SIEM to bring together a network-wide view of security events supplemented with relevant identity and device context. This gives security analysts the context they need to quickly assess the significance of security events. More details on the ISE and SIEM integration may be found in this new white paper: Cisco ISE Plus SIEM and Threat Defense: Strengthen Security with Context
The research rightly points out that, of the many categories of Things, the newest category of single-purpose devices, typically connected wirelessly and running embedded software, will be the most problematic for security. Because of this difficulty, most of the SANS community (61%) would like the Thing manufacturers to take more responsibility for providing security. While this is a reasonable request, the question is whether they have the expertise to do it when their focus is on the exciting new IoT market opportunities. Weigh in and tell us your outlook on securing this next wave of Things connecting to your network!
The number and variety of threats that can infiltrate corporate networks and disable critical infrastructure are sobering. Take a look at our findings and analysis in the new Cisco 2014 Annual Security Report, and you’ll see that malicious actors are innovating just as fast as security professionals do. As threats proliferate, so do the solutions for responding. It’s a confusing, fragmented market. That’s why Cisco believes it’s time for a new security model: a model that’s threat-centric, providing better visibility across the entire attack continuum and across all attack vectors, so that your organization stands a better chance of stopping attacks, or minimizing the damage they cause.
As we explain in the Cisco 2014 Annual Security Report, today’s advanced attacks are too complex and sophisticated to be addressed by traditional technologies that analyze once, at a single point in time, rather than continuously. At the same time, the data protection needs of organizations have become incredibly multifaceted. Mobile users and reliance on the cloud have complicated the ways business networks need to be protected. There is no “silver bullet” that solves every security problem.
Our recommendation for meeting today’s security challenge is to move away from point-in-time solutions, to an any time, all the time, continuous approach:
Before an attack: You can’t protect what you can’t see. Know what’s on your network—devices, operating systems, services, applications, users, and more. With this knowledge you can set up access controls, enforce security policies, and restrict applications and overall access to critical assets. This will help reduce the attack surface. But keep in mind that there will still be gaps attackers can exploit to achieve their objectives.
During an attack: Deploy solutions that can address a broad range of attack vectors by operating everywhere a threat can turn up—networks, endpoints, mobile devices, and virtual environments, for example.
After an attack: As much as we want to stop all attacks, it’s a given that on some occasions, intruders will succeed. Prepare for this eventuality with capabilities to determine the scope of the damage, contain the event, remediate, and bring business operations back to normal as quickly as possible.
The before/during/after approach to security avoids the problems associated with fragmented security solutions, such as lack of visibility and inconsistent enforcement. The Cisco 2014 Annual Security Report details today’s top security concerns and the value of this strategy.
Thanks to extensive detection telemetry and analytics, we have a clear view into the attackers and malicious actors that are infiltrating Internet infrastructure and using trusted applications as a foothold for gaining access to networks. As explained in the Cisco 2014 Annual Security Report, online criminals continue to develop more sophisticated methods for breaching security protections—all of which require extra vigilance and a holistic view of threats and how they’re managed.
Perhaps the trend of most concern is malicious actors’ ability to gain access to web hosting servers, nameservers, and data centers, and use their processing power and bandwidth to launch far larger exploits and attacks. This is sobering, because it means that the very foundations of the Internet are now at risk of exploitation. The 2013 DarkLeech attack demonstrates how the compromise of hosting servers can help attackers gather the resources they need for a much larger campaign: in this case, servers were compromised worldwide, allowing the perpetrators to take control of 20,000 legitimate websites.
The broad reach of this malicious behavior and resulting compromises can be seen in the results of Cisco’s examination of Domain Name Service (DNS) lookups originating from inside corporate networks, as detailed in the Cisco 2014 Annual Security Report.
Cisco threat intelligence experts found that 100 percent of the business networks analyzed had traffic going to websites that host malware, while 92 percent showed traffic to webpages without content, which typically host malicious activity. Ninety-six percent of the networks reviewed showed traffic to hijacked servers. The pervasiveness of malicious traffic indicates that organizations need to monitor network traffic closely (and continuously) for possible indicators of compromise.
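The simplest form of the continuous monitoring the report calls for is matching internal DNS query logs against a list of known-bad domains, as in this added example (not code from the report or from Cisco). The log lines are constructed in a BIND-style query-log layout, and the client addresses, domains and blocklist entries are invented for illustration.

```python
# Added example, not from the report: find internal clients that looked up
# blocklisted domains in a DNS query log and summarise them per client.
import re
from collections import defaultdict

# Constructed BIND-style query-log lines; clients and domains are invented.
SAMPLE_LOG = """\
26-May-2014 09:12:01.123 client 10.0.4.21#51234: query: www.intranet.example IN A + (10.0.0.53)
26-May-2014 09:12:05.456 client 10.0.4.21#51240: query: cdn-upd1.ddns-one.example IN A + (10.0.0.53)
26-May-2014 09:12:06.789 client 10.0.7.9#40011: query: mail.intranet.example IN MX + (10.0.0.53)
26-May-2014 09:13:44.000 client 10.0.7.9#40020: query: MEDIA9.ddns-two.example. IN A + (10.0.0.53)
26-May-2014 09:15:10.222 client 10.0.4.21#51302: query: files-sync.ddns-one.example IN A + (10.0.0.53)
"""

# Constructed blocklist. A real one would come from a threat-intelligence feed.
BLOCKLIST = {
    "cdn-upd1.ddns-one.example",
    "media9.ddns-two.example",
    "files-sync.ddns-one.example",
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<client>[\d.]+)#\d+: "
    r"query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def parse_line(line):
    """Parse one query-log line into a dict, or return None if it does not match.
    The query name is normalised (lowercase, no trailing dot) so matching is exact."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": m.group("ts"),
        "client": m.group("client"),
        "qname": m.group("qname").lower().rstrip("."),
        "qtype": m.group("qtype"),
    }


def matches_blocklist(qname, blocklist):
    """Return the blocklist entry qname matches: the name itself or any parent
    domain, so a blocklisted base domain also catches its subdomains."""
    labels = qname.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None


def find_hits(log_text, blocklist):
    """Return the parsed records whose query name hits the blocklist."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        matched = matches_blocklist(rec["qname"], blocklist)
        if matched is not None:
            rec["matched"] = matched
            hits.append(rec)
    return hits


def clients_summary(hits):
    """Map each internal client to the sorted set of bad domains it resolved."""
    by_client = defaultdict(set)
    for h in hits:
        by_client[h["client"]].add(h["qname"])
    return {client: sorted(names) for client, names in by_client.items()}


if __name__ == "__main__":
    for client, names in clients_summary(find_hits(SAMPLE_LOG, BLOCKLIST)).items():
        print(f"{client}: {len(names)} blocklisted lookups: {', '.join(names)}")
```

A lookup is only an indicator, not proof of infection: a browser that loaded a compromised page will resolve the landing-page name whether or not the exploit succeeded, so each flagged client still needs a look at proxy logs and the endpoint.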
Some of the most tenacious players in the network compromise game are launching targeted attacks, which are proving very difficult for organizations to oust from their networks. These attacks are persistent and disruptive, threatening the security of intellectual property, customer data, and other sensitive information. As a guide to understanding targeted attacks, the Cisco 2014 Annual Security Report offers insights on the “attack chain”—that is, the events that lead to and through the stages of such attacks, as seen in the graphic below:
The bottom line is that IT security professionals need to think like attackers and understand the methods and approaches they use to execute their missions.
The Cisco 2014 Annual Security Report has many more findings on security threats, gleaned from Cisco research and observations—including updates on mitigating Java exploits, threats observed in mobile device use, and the status of threats and vulnerabilities reported by Cisco. You’ll find it a valuable resource as you prepare for the security challenges of the year ahead.
I must admit that I recorded the accompanying video blog post before I had a chance to read the 2014 Cisco Annual Security Report (CASR), but this time slip on my part sets up a now-more-than-ever situation for what I’m about to tell you. The CASR projects a global shortage of 500,000 to 1,000,000 IT security professionals, relative to what public and private sector organizations will need to cope with the security challenges of the foreseeable future. Yikes!
How will societies around the world bridge this gap? Technical schools and universities can train new people, but it will take time for them to respond to demand, let alone do the actual training. Public and private organizations can also recruit existing security professionals, but this can quickly turn into a bidding war for talent. I can also project increased demand for outsourced security services, but many of the same supply and demand dynamics apply here as with recruiting from the pool of established experts.