Cisco Blogs


Cisco Blog > Threat Research

Tax Time: Let the Phishing Begin

This post was authored by Earl Carter and Craig Williams.

With the April 15th US tax deadline only about 2 months away, a new wave of tax related phishing is underway. In this latest spear-phishing campaign, attackers are attempting to gain access to your system so that they can steal your banking and other online credentials. An interesting twist to this latest campaign is that they seem to be specifically targeting high level security professionals and CTOs in technical companies.

On Tuesday, Talos noticed the beginning of a phishing campaign in our telemetry data. The subject of the emails all revolve around payment confirmation or Federal taxes. Some of the common subjects include:

Payment Confirmation
Federal tax payment received
Federal TAX payment
Payment Service

Read More »

Tags: , , , , , ,

Cisco PSIRT – Notice about public exploitation of the Cisco ASA Clientless SSL VPN Portal Customization Integrity Vulnerability

Cisco PSIRT is aware of public exploitation of the Cisco ASA Clientless SSL VPN Portal Customization Integrity Vulnerability identified by Cisco bug ID CSCup36829 (registered customers only) and CVE ID CVE-2014-3393. This vulnerability was disclosed on the 8th of October 2014 in the Cisco Security Advisory: Multiple Vulnerabilities in Cisco ASA Software.

All customers that have customizations applied to their Clientless SSL VPN portal and regardless of the Cisco ASA Software release in use should review the security advisory and this blog post for additional remediation actions.

NOTE: The Cisco Security Advisory: Multiple Vulnerabilities in Cisco ASA Software should be used as the Single Source of Truth (SSoT) for all details of this vulnerability and for any revisions of information going forward. Read More »

Tags: , , , ,

Equation Coverage

Cisco Talos is aware of the public discourse surrounding the malware family dubbed “The Equation Family”. As of February 17th the following rules (33543 – 33546 MALWARE-CNC Win.Trojan.Equation) were released to detect the Equation Family traffic. These rules may be found in the Cisco FireSIGHT Management Console (Defense Center), or in the Subscriber Ruleset on Snort.org. Talos security researchers have also added the associated IPs, Domains, URLs, and hashes to all Cisco security devices to provide immediate protection across the network. Talos will continue to monitor public information as well as continue to independently research to provide coverage to this malware family.

coveragetable
Advanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware used by these threat actors.

CWS or WSA web scanning prevents access to malicious websites and detects malware used in these attacks.

The Network Security protection of IPS and NGFW have up-to-date signatures to detect malicious network activity by threat actors.

While email has not been observed as an attack vector, ESA is capable of blocking the malware used in this campaign.

Tags: , , , , , ,

New Must-Know Security Research for Midsize Organizations

Midsize organizations are among the earliest adopters of new technologies. In general, they conduct much of their business over the Internet and are quick to embrace new apps, online payment systems, cloud, and Bring Your Own Device (BYOD) technologies. Fast adoption of innovations helps them to compete against larger organizations by meeting customer demands more cost effectively. But these business enablers are also creating security vulnerabilities that adversaries are exploiting for financial gain.

Adversaries aren’t just targeting prized assets like customer and employee data, invoices, and intellectual property. Cybercriminals also recognize that smaller companies are a vector into the networks of larger corporations. A 2013 study conducted by PricewaterhouseCoopers on behalf of the UK Government Department for Business, Innovation and Skills found that 87 percent of small businesses had been compromised, up 10 percent from the previous year. Many small and midsize companies are now mandated by partners to improve their threat defense. Regardless of size, organizations have legal and fiduciary responsibilities to protect valuable data, intellectual property, and trade secrets.

Read More »

Tags: , , , , ,

Moving from Indicators of Compromise to Actionable Content – Fast

Advanced threats are continuously evolving and so must our ability to detect, understand, and stop them. Indicators of Compromise are vital to this process. At Cisco, our approach to developing Indicators of Compromise and interpreting them is continuously evolving to empower you with the best intelligence to thwart stealthy attacks.

Not only the Indicators themselves, but the process for producing them needs to be dynamic and able to adapt to changing conditions. Cisco AMP Threat Grid tackles this challenge by automating the entire process, including the analyst’s approach to making a determination.

Creating an Indicator of Compromise is a multi-step process driven by analyst experience and knowledge. We start by asking: What actions, entities or artifacts, transient or persistent, can we detect and leverage throughout the analysis process? This question always leads to many more. Is the Indicator specific to a type of attack observed before, for example an eXtreme Rat variant? Or is it using an infection and persistence vector such as DLL Search Order Hijacking? Or is it more of a ‘behavior’? The creation of a CurrentControlSet Registry key would be an example of what we consider a generic Behavioral Indicator; it’s a means of maintaining persistence on a host but it’s not necessarily malicious. Indicators produced through Static Analysis also provide valuable insights. An Object Stream in a PDF that contains JavaScript is not uncommon. But an Object Stream with a reference to another Object that contains JavaScript and that JavaScript contains Indicators for obfuscated shell code is likely malicious.

Thinking about Indicator creation in this way leads to additional questions and steps that involve frequency analysis, clustering, tagging, variable scoring models, and the application of historical analyses and enriched content to the generation of Indicators.

Why are we expending so much effort on Indicators? It’s simple; Indicators are the first step in applying context to the analysis we produce. We see hundreds of thousands of submissions a day pass through the AMP Threat Grid analysis engine. This generates a huge wealth of data including PCAPs, Disk, Memory and Network Artifacts, entities such as registry entries, file paths, network activity, process information, and more. All of this is searchable and extractable via our UI or API. There is no context though. Generating context through the application of knowledge allows for the creation of intelligence that is actionable and specific to the organization that requested it.

AMP Threat Grid solves various use cases and the challenges they pose. As an example, let’s consider Security Operations Centers or SOCs. They typically follow a tiered model when it comes to staffing – junior or Tier 1 analysts through to Tier 3 or 4 specialists. With the volume of commodity malware today it is simply not scalable to expect the specialists on your team to deal with daily infections of banking Trojans or DDoS bots or Bitcoin miners. A process should be defined for each so that they can be treated as expeditiously as a password reset request. Detect, remediate, and move on. How do you operationalize the Tier 1 analyst to be able to effectively respond to an infection of this sort? Context.

AMP TG - BI

Since we began creating Indicators for our data, we’ve always tried to consider the various user types and their areas of expertise. We cannot expect everyone to look at thousands of lines of output and know, for example, that the CurrentControlSet key that was created was not simply operating system noise but a means of persisting on the host. Each of our Indicators includes a detailed description of the activity, why it might be used by a malware author, and the analysis entities that triggered the Indicator. By providing detailed and educational descriptions as well as the actionable content we’re not simply ensuring the analysts have the data to quickly respond. We are also providing an educational platform where analysts constantly gain knowledge and insight into malware and the various techniques leveraged, all the while reducing the total time of an incident. This has the added benefit of freeing up the technical specialists to focus on the attacks and events that are truly critical to the security of an enterprise.

Context allows us to better address threat content enrichment, threat intelligence creation, automation, and integration to improve response, security operations, and help drive enterprises in implementing an intelligence-driven security model.

Next time we’ll take a look at the role of AMP Threat Grid as part of an integrated workflow for response.

 

 

 

Tags: , , ,