Cisco Blogs


Cisco Blog > Security

Tracking Malicious Activity with Passive DNS Query Monitoring

Ask anyone in the information security field they will tell you:

Security is not fair. There is essentially an unlimited supply of attackers that can test your defenses with impunity until they eventually succeed.

As a member of the Cisco Computer Security Incident Response Team (CSIRT) I’ve seen this asymmetry up close, so I can tell you that good security is really hard. Besides the normal security practices like deploying firewalls, IDS sensors, antivirus (AV), and Web Security Appliances, CSIRT is increasingly looking to the network as a data source. We have been collecting NetFlow for years but we have always wanted additional context for the flow data. While it is true that the Internet is built on TCP/IP, Internet services—both good and bad—are found by name using the Domain Name System (DNS). For years infosec has been network-address-centric and the attackers have adapted. Today it is very common to see malware command and control (C&C) use domain generation algorithms (DGAs), Peer-to-Peer (P2P), or even fast-flux DNS to evade IP address-based detection and blocking. It has become absolutely clear that to keep up with the latest attacks and attackers you must have a view into the DNS activity on your network.

CSIRT has been struggling with limited DNS information for a while now, so I am pleased to say we finally have comprehensive visibility into the DNS activity on our network. Before I dive into how we tackled this problem I should back up and explain a bit more about DNS…

Read More »

Tags: , , , , ,

Sniffing Out Social Media Disinformation

The raw, edgy nature of social media is part of its charm, and its value. As Cisco’s global threat analyst, I often look at my Twitter feed in the morning before I check mainstream media sites because it provides quick, frequently expert, irreverent analysis on breaking news. In fact, my own concerns about press freedom and objectivity stemming from concentration of mass media ownership arguably strengthens the case for a lively, unregulated social media space. It can serve as a fact checker and whistle blower on traditional news sources. In societies where news outlets may be closely monitored or controlled by the state, social media may provide the only online outlet for uncensored public opinion.

Unfortunately, social media is frequently inaccurate or misleading, with the potential for real-world damage. It isn’t hard to imagine a scenario in which a terrorist coordinates on-the-ground attacks with misleading tweets with the intent to clog roads or phone lines, or send people into the path of danger. Several recent incidents underscore the ease with which social media rumors can compound the impact of real events.

Read More »

Tags: , , ,

Managing Communications During Customer-Impacting Incidents

No matter how you prepare, you never know how or when it will begin. The phone rings and sixty seconds later a sense of dread emerges. It grows slowly, peaking just as you hang up the phone. Sitting back in your chair, you take a deep breath and turn your mind to all the customers, executives, and journalists who will soon know what you know.

You and I both have a sense of the work involved in managing customer-impacting data exposures, privacy breaches, or malicious attacks. These are high pressure, high profile incidents that demand the very best response team—a team that includes technical and non-technical expertise.

Working as I do with Cisco security and incident response teams, I sit alongside some great people who understand the value of having a professional communicator at the table. With a technical response underway, the communicator can do what they do best—summarize the topic, identify impacted audiences, assess their needs, and craft the required messaging. Regardless of their department—public relations, employee communications, customer communications, or marketing—these people will be critical to sustaining customer relationships and protecting your organization’s reputation.

Read More »

Tags: , , ,

SPAN Packet Duplication: Problem and Solution

In the spirit of National Cyber Security Awareness Month (NCSAM) I offer up a recent tale of intrigue and mystery from an ongoing Cisco Security Research project…

Prologue

One of Cisco Security Research and Operation’s ongoing projects is to oversee a massive infrastructure of several high-volume Internet POPs that send large amounts of network traffic into one of our research labs. We are collecting NetFlow and packet dumps from a geographically distributed sensor network. These pcap files each contain several million packets, but due to a configuration error in the packet capture process, there was some amount of packet duplication. This short blog article will talk about why the duplication happened, how we prevented it from reoccurring, and a unique solution that was employed to remove the duplicate packets from all of the affected pcap files. Read More »

Tags: , ,

NCSAM: Diversity, Consistency, and Security Intelligence

The security community at Cisco is very diverse. It extends beyond the typical researcher or analyst roles to include customer-facing engineers and marketing, public relations, and legal teams. The community is comprised of individuals with greatly varied backgrounds, skill sets, and charters and contains a wealth of knowledge on just about any topic. This diversity allows Cisco Security Intelligence Operations to understand and react appropriately to today’s threats as well as those that we may face in the future.

If we think about security intelligence—which I define as raw information enhanced through correlation, processing or perspective—having an established variety of inputs is key. Our people are certainly one of those inputs.

The trick, however, is utilizing that diversity in such a way that you can create consistent and predictable outputs that can be easily absorbed and acted on.

Read More »

Tags: , , ,