Cisco Blogs

Cisco Blog > Threat Research

Research Spotlight: Detecting Algorithmically Generated Domains

This post was authored by Mahdi Namazifar and Yuxi Pan

Once a piece of malware has been successfully installed on a vulnerable system one of the first orders of business is for the malware to reach out to the remote command-and-control (C&C) servers in order to receive further instructions, updates and/or to exfiltrate valuable user data. If the rendezvous points with the C&C servers are hardcoded in the malware the communication can be effectively cut off by blacklisting, which limits the malware’s further operation and the extent of their damage.

To avoid such static detection mechanisms recent attackers have been taking advantage of various Domain Generation Algorithms (DGA) in choosing and updating the domain names of their C&C servers. DGA embedded in the malware generate a large amount of pseudo-random domain names within a given period, most of which are nonexistent. With the same random seed, e.g. time of the day or most popular tweets of the day, the attackers can generate exactly the same list of domain names remotely, among which they will only register a few. The malware will contact some or all of the domains generated by the DGA, giving its opportunity to be able to connect to the C&C server. The sheer amount of nonexistent domains produced by the DGA on a daily basis presents a great burden for security specialists if blacklisting is still to be pursued.

Read More »

Tags: ,

Espionage in the Internet Age

If you had asked me a few years ago, I might have predicted that the rise of large scale hacking and network-based Advanced Persistent Threats (APTs) would spell the end of old-school espionage (poison-tipped umbrellas, office break-ins, dangles and the like). Those of us who fancy ourselves logical, savvy cyber security specialists can be forgiven for thinking such analog antics wouldn’t persist in a digital world.

And yet, human espionage remains a nagging issue. A Russian spy ring was disrupted in New York in January. New stories about employees stealing trade secrets from their employers regularly make headlines, such as this one in May. More than one article alleges that Vienna and Lausanne (home to recent Iranian nuclear negotiations) are swarming with spies from Tehran. And these are just the stories that get reported.

There is no question that spycraft is changing with the times. Recent, damaging breaches of US government employee information—amply documented elsewhere—provide some interesting hints as to how: Read More »

Tags: , , , ,

Securing the IoE with OpenAppID

We introduced OpenAppID in early 2014 with the goal of empowering customers and the open source community to control application usage in their network environments. Since then, we have increased our coverage from 1,000 OpenAppID detectors to more than 2,600, and have received valuable feedback from the community on ways to improve the product.

The case of having an open, application-focused detection language and processing module for Snort has attracted the attention of the Internet of Everything (IoE) world. There are countless devices out there using the Internet on their own, varying from a remote IP based camera to an industrial based sensor in which may include some security features on them.

With the combination of OpenAppID and Snort we are giving the capability to the open source community to create their own application-based protocols and classifications, which can be used to Read More »

Tags: , , , , , ,

The Need To Solve for Time

Ponemon Institute called 2014 the year of the “Mega Breaches,” which will be remembered for its series of mega security breaches and attacks. These “Mega Breaches” are perfect examples of what is commonly known as Advanced Persistent Threats (APTs). The Ponemon Institute survey asked, among many questions, “When was the breach discovered?” Surprisingly, the results revealed that ONLY 2% of the respondents in the survey discovered their breach within one week of after the incident and a staggering 90% were six months or longer, if at all.

Tom Houge 1

Read More »

Tags: , , , ,

Continuous Analysis Yields Continuous Leadership Against Advanced Threats

Organizations today have no shortage of challenges when it comes to cyber security and their growing IT infrastructure. Not only is the frequency and sophistication of malware attacks on the rise, but with the proliferation of mobility, BYOD, IoT, and cloud services; the number of entry points an attacker has into the network grows exponentially with them.

Given this landscape we know the most effective way to address these threats is with security offering continuous analysis and retrospective protection that extends across all attack vectors in the extended network. With AMP Everywhere, security is just as pervasive as today’s advanced threats, and thanks to continuous analysis and retrospective protection, our customers gain reduced time to detection.

For the second year in a row, we have third-party validation from NSS Labs that we provide the most effective security available in the market today. Cisco Advanced Malware Protection (AMP) was tested along with seven other vendors and achieved a 99.2% security effectiveness score – the highest of all vendors tested in the 2015 NSS Labs Security Value Map (SVM) for Breach Detection Systems. What I find most interesting and rather disappointing in these results is that Cisco is the only vendor in the test to successfully handle all evasion attempts.

nss-bds-svm Read More »

Tags: , , , , , , ,