Every once in a while you need to take a step back, and think about the future. Where’s a good place to look for high risk, high opportunity ideas in the future of computer security? New Security Paradigms Workshop (NSPW) is a crystal ball view into the future of cybersecurity. NSPW is an invitation only workshop dedicated to in-depth discussions of radical forward thinking in security research. Here are highlights from a handful of presentations that pursue areas that might be evocative or inspirational to the broader Cisco security community.
Milware: Identification and Implications of State Authored Malicious Software is a research effort that starts by seeking to establish a technical basis for distinguishing between mal- and milware. The authors evaluated and reverse engineered sample malicious software to establish an initial set of criteria that consistently distinguishes the samples identified as state authored from those identified as non-state authored. These are:
Specificity of (constraints on) propagation method
Manner of movement in target network (e.g. lateral, higher value targets)
Specificity and severity of exploits (e.g. higher CVSS scores), and
This attack isn’t caused by a problem or vulnerability with a Cisco product. It results from an attacker stealing administrative credentials or getting physical access to a networking device, allowing them to load a modified version of operating system software.
Just as technology advances, so too do the nature and sophistication of attacks. Although Mandiant’s research focuses on a specific piece of malware, we believe that it is an example of an evolution of attacks. Attackers are no longer focusing just on disruption, but on compromising credentials to launch an undetected and persistent attack.
For many years we’ve known that networking devices and their credentials are high-value targets for attackers, and there has always been a need to protect them accordingly. This was something we reinforced last month in this security bulletin: Evolution in Attacks Against Cisco IOS Software Platforms.
We know this is an important topic for our customers, so we have created an on-demand webcast outlining how to detect and remediate this type of attack:
The webcast also continues the conversation about good operating procedures, like network hardening and monitoring, that can help prevent this type of attack. The resources it describes can also be found on our Event Response Page.
If you have any additional questions about SYNful Knock, including how we can help implement some of these recommendations, please speak with your Cisco account manager.
If you are experiencing immediate technical challenges and require support, the Cisco Technical Assistance Center (TAC) is here to help.
And if you’re a member of the press with questions, please contact my PR friends at firstname.lastname@example.org.
Historically, threat actors have targeted network devices to create disruption through a denial of service (DoS) situation. While this remains the most common type of attack on network devices, we continue to see advances that focus on further compromising the victim’s infrastructure.
Today, Mandiant/FireEye published an article describing an example of this type of attack. This involved a router “implant” that they dubbed SYNful Knock, reported to have been found in 14 routers across four different countries.
The Cisco PSIRT worked with Mandiant and confirmed that the attack did not leverage any product vulnerabilities and that it was shown to require valid administrative credentials or physical access to the victim’s device.
SYNful Knock is a type of persistent malware that allows an attacker to gain control of an affected device and compromise its integrity with a modified Cisco IOS software image. It was described by Mandiant as having different modules enabled via the HTTP protocol and triggered by crafted TCP packets sent to the device.
Note: Cisco Talos has published the Snort Rule SID:36054 to help detect attacks leveraging the SYNful Knock malware.
Given their role in a customer’s infrastructure, networking devices are a valuable target for threat actors and should be protected as such. We recommend that customers of all networking vendors include methods for preventing and detecting compromise in their operational procedures. The following figure outlines the process of protecting and monitoring Cisco networking devices.
Cyber-Security: it has always been important for video entertainment companies. But times have changed: now it’s mission critical. Top of mind again these last few days, the events of the last 6 months have proven this point. If cyber-protection is not bullet-proof, any video entertainment company is living on borrowed time… and that bill is going to come due with potentially disastrous consequences.
There is a second change going on: security at video entertainment companies used to focus on protecting content in the distribution chain – DRM, CAS and the like. But there are many more ways to lose content – many more places in the “connected” production chain where content can be stolen. For instance, as has happened in the last few months, if an attacker can gain access to
The demand for CyberSecurity professionals began to overtake the supply of talent 4-5 years ago. The estimated world-wide shortage is one million skilled security professionals. The sophistication and growing number of cyber attacks have outpaced the industry’s ability to respond in a timely manner.
With the Internet of Everything and cloud computing, CyberSecurity must be foundational as a strategy for enterprises.