In the past several months Cisco Cognitive Threat Analytics (CTA) researchers have observed a number of blog sites using either fake content or content stolen from other sites to drive traffic to click on ad-loaded web sites. We have observed traffic volume up to 10,000 requests per hour, targeting hundreds of sites. The estimated lifetime of this campaign is at least 9 months. With a single click worth anywhere from $0.01 and $1, these scams can yield substantial returns for their owners.
Fake blogs are not new, but these actors are operating with a slightly different MO. Effort has been made to evade web reputation based blocks and hide from the eyes of investigators. First, we observe a large number of similar sites with word-based and topic-based generated domain names. These sites look like benign travel-related blogs full of content at first sight. Secondly, most of the intermediate infrastructure will redirect a random request away towards Google, making the investigation more difficult.
The general traffic pattern was observed as follows:
- Large numbers of requests arrive from infected clients to the fake blog sites. To look less suspicious, the requests look like search queries – for example: cruiserly.net/search/q/greyhounds.
- There is a series of redirects via intermediate sites, which are already associated with click-frauds – for example: findreek.com.
- These redirects bring the clients towards another set of fake sites, with travel related names (e.g. tourxperia.com), this time these sites have no content.
- Finally, clients are sent to browse arbitrary web sites to generate clicks and/or revenue.
Details of the analysis follow: Read More »
Tags: AMP, Cognitive Threat Analytics, PPC scam, Threat Research
Organizations today have no shortage of challenges when it comes to cyber security and their growing IT infrastructure. Not only is the frequency and sophistication of malware attacks on the rise, but with the proliferation of mobility, BYOD, IoT, and cloud services; the number of entry points an attacker has into the network grows exponentially with them.
Given this landscape we know the most effective way to address these threats is with security offering continuous analysis and retrospective protection that extends across all attack vectors in the extended network. With AMP Everywhere, security is just as pervasive as today’s advanced threats, and thanks to continuous analysis and retrospective protection, our customers gain reduced time to detection.
For the second year in a row, we have third-party validation from NSS Labs that we provide the most effective security available in the market today. Cisco Advanced Malware Protection (AMP) was tested along with seven other vendors and achieved a 99.2% security effectiveness score – the highest of all vendors tested in the 2015 NSS Labs Security Value Map (SVM) for Breach Detection Systems. What I find most interesting and rather disappointing in these results is that Cisco is the only vendor in the test to successfully handle all evasion attempts.
Read More »
Tags: Advanced Malware Protection, AMP, breach detection test, malware, nss labs, Product Analysis Report, Security Value Map, SVM
I recently had the opportunity to sit down with Roland Cloutier, Global Chief Security Officer at ADP and former CISO at EMC, to discuss how they integrate and leverage threat intelligence into their security operations centers as well as their greater security technology infrastructure. It’s pretty rare for the CISO of a F500 company to discuss what technologies they use in such an open way, but it was really a testament to the trust they have for the solutions they have chosen. To hear Roland discuss it himself, watch the video at the end of this post or read the case study.
ADP had created a much more proactive, and dare I say “predictive” security program than most. They are consuming threat intelligence from numerous sources including AMP Threat Grid to create what Roland dubbed ‘intelligence-led decision making.’ How is this different from today? Most security organizations, whether it’s analysts in the Security Operations Center (SOC) or the <<other group>> tend to be in a very reactive mode. They see an alert pop up on screen and start to scramble. It’s tough to get ahead of the game when the technology you’ve invested in is merely a reactive one. Roland and his team have spent the time to develop and execute on a strategy that has flipped this model and puts them in a very proactive situation. So how have they done this? A few key elements: Read More »
Tags: AMP, security, Threat Grid
We recently announced the release of AsyncOS 9.5 for Cisco Email Security that included the integration of AMP Threat Grid. Now if Threat Grid could talk it would sound a lot like Ron Burgundy and say “I’m not sure if you know this, but I’m kind of a big deal.” Email is consistently one of the top two threat vectors for malware because so many people out there still open an attachment that looks harmless from someone they don’t know. We all want to think we won a cruise, but that’s not how it works. It’s how malware establishes a foothold on your system. AMP Threat Grid is there to make sure this doesn’t happen.
Cisco acquired Threat Grid to not only bolster its suite of advanced threat solutions, but to also integrate the technology into its advanced malware protection (AMP) products. AMP Threat Grid goes far beyond traditional sandboxing, providing a host of analytical engines to evaluate potential malware. From static and dynamic analysis to various post-processing techniques, AMP Threat Grid evaluates malware to provide the most comprehensive report for even the most junior security analysts. This video provides a more comprehensive overview. Those familiar with Cisco’s Email Security know we already had a sandbox built in and may ask ‘Why change?’ and that’s exactly the question you want to ask. There are really three key reasons: Read More »
Tags: AMP, email security, security, ThreatGRID
Today’s threat landscape is completely different than last year; and next years will be, not surprisingly, even worse. The Industrialization of Hacking has spawned a new era of professional, entrepreneurial, and resourceful cyber criminals. In recent year’s dynamic malware analysis (aka sandboxing) has become the shiny new technology that we all want, no, need to have. At one time anti-virus held this position as well, and the same will eventually be said of sandbox technology used to fight advanced malware.
You may have purchased a sandbox a few years ago but it’s likely that your malware analysis needs have gone beyond the traditional sandboxing technologies that simply extract suspicious samples, analyze in a local virtual machine, and quarantine. You need a more robust malware analysis tool that fits into your infrastructure and can continuously detect even the most advanced threats that are environmentally aware and can evade detection.
Tripwire recently partnered with Cisco and integrated the AMP Threat Grid dynamic malware analysis solutions into Tripwire Enterprise. But why choose this dynamic malware analysis tool? After careful evaluation there were a few key reasons to integrate this tool versus others:
It’s not just dynamic malware analysis
AMP Threat Grid provides both static and dynamic malware analysis, and a full subscription provides an API that is used to seamlessly deliver context rich threat intelligence into existing security technologies.
Not everyone out there is a security expert
Heck, very few are. AMP Threat Grid was designed to empower junior security analysts by providing a Threat Score so they can easily determine how malicious a sample is. The behavioral indicators are written in plain English so they can understand what the file is doing, and why its behavior is malicious, suspicious, or benign.
Lack of instrumentation
AMP Threat Grid was designed without any instrumentation inside the virtual machine. Most experts agree that around 40% of today’s malware is environment aware, checking to see if it is running in a sandbox or the age of the operating system before detonating.
There are 3 ways that most people deploy a malware analysis tool:
- A stand-alone solution designed to feed itself samples for analysis without dependency on other security products. This has the most flexibility in deployment but adds significant hardware costs and complexity to management and analysis, especially for distributed enterprises.
- A distributed feeding sensor approach, such as firewalls, IPS, or UTMs with built-in sandboxing capabilities. These solutions are usually cost effective and easy to deploy but are less effective in detecting a broad range of suspicious files including web files. They can also introduce bandwidth limitations that can hamper network performance and privacy concerns when a cloud-based solution is the only option.
- Built into secure content gateways, such as web or email gateways. This approach is also cost effective but focuses on web and email channels only and also introduces performance limitations and privacy concerns.
Since Tripwire is already monitoring and collecting the data on your mission critical systems, these approaches don’t seem to work. But there’s a fourth way that actually takes the best of what these approaches offer and raises the bar to help you fight well-funded attackers that get better at what they do every day: Cisco AMP Threat Grid. Through AMP Threat Grid, Cisco offers advanced malware analysis and intelligence that delivers integration directly with Tripwire Enterprise providing you with a better ROI and more visibility into what is happening in your environment. Tripwire has integrated AMP Threat Grid into their Tripwire Enterprise, providing both static and dynamic analysis so you can better understand the malware targeting your organization, as well as the ability to automate the consumption of threat intelligence into your existing security infrastructure.
How does the Integration actually work?
AMP Threat Grid’s content driven security analytics dynamically and statically analyzes all submitted files, executing the sample in a safe environment, examining the behavior of the samples, and correlating the results with hundreds of millions of other analyzed malware artifacts. In less than 10 minutes AMP Threat Grid reports back and Tripwire Enterprise tags the file with the result. This enables Tripwire Enterprise customers to prioritize actions for changes on systems with threats identified by AMP Threat Grid and initiate workflow actions for quick remediation.
Not only does AMP Threat Grid analyze a broad range of objects, but those interested in an AMP Threat Grid subscription will also be provided with deep analytics capabilities wrapped with robust context. With over 350 behavioral indicators and a malware knowledge base sourced from around the globe, AMP Threat Grid provides more accurate, context rich analytics into malware than ever before. Tripwire customers can register for their free demo here.
Tags: AMP, Sandboxing, security, ThreatGRID