Remember 2007, when the underground economy began to flourish, using simple protocols and static subnet ranges to control its infrastructure? That was the same year Cisco published the first Annual Security Report (ASR). Nine years later, the drumbeat of cyberthreats grows louder, but the actors and threats are familiar, just as John reminded us when this year’s report was released.
We are happy to announce the final schedule for IRespondCon, a conference that is specifically designed for incident responders. IRespondCon is held annually at OpenDNS HQ and offers a day of free training, presentations, and networking with some of the top information security engineers, instructors, and fellow responders. They’ll be showing how to use freely available, open source tools to better defend networks and improve the effectiveness of DFIR efforts.
The agenda (subject to minor changes) is as follows:
Lenny Zeltser, SANS Institute: How to Run Malware Analysis Apps as Docker Containers.
Thibault Reuille, OpenDNS Labs: Using OpenGraphiti, the open source 3D visualization tool and framework.
Jason Craig, Dropbox: An introduction to Sysmon and how it can be used for proactive hunting and IR in Windows environments.
Rob Fry, Netflix: Using FIDO, the orchestration layer that automates the incident response process by evaluating, assessing and responding to malware and other detected threats.
Dean Sysman, Cymmetria: Using nested virtualization with KVM, showing how to create a nested virtualization array and its unique benefits for multiple security problems.
Rick Wesson, Support Intelligence: Performing static malware analysis using GPUs.
Joel Esler, Cisco: An update on Cisco Security open source projects and how they can help responders.
Kurt Hurtado, Elastic: Using Elasticsearch and Logstash for incident responders.
For more information and to register, visit https://irespondcon.eventbrite.com; for a look at last year’s IRespondCon I, check out our blog wrap-up at https://labs.opendns.com/2014/09/23/s4-irespond-con-wrap/.
Note: Seating is limited, so register as soon as you know you can make it!
On April 13th, 2015, Cisco PSIRT was made aware of multiple instances of customer disruption in a specific region caused by a denial of service attack against Cisco devices. We responded quickly to support speedy restoration for our customers.
Our ongoing investigation has shown that the storage of some Cisco devices was erased, removing both the Cisco IOS and device configuration from the non-volatile RAM. Once rebooted, these devices became non-operational, affecting connectivity to the global Internet.
Cisco PSIRT, together with other internal Cisco teams, responded to support affected customers, to review configuration backups of affected devices, and to analyze all available log files and NetFlow information.
At this time, we have seen a common element across all inspected devices: a combination of weak credentials and a lack of device hardening. There has been no evidence of a Cisco bug or vulnerability being exploited. Should this situation change and we discover the use of a vulnerability, Cisco will disclose it in accordance with our Security Vulnerability Policy.
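The advisory above names weak credentials and missing hardening as the common factor, but it does not publish any configuration. The fragment below is an added illustration, not part of Cisco's notice and not taken from any affected device: it contrasts the kind of IOS management configuration that leaves a device open to credential attacks with a hardened equivalent. The management subnet (10.0.0.0/24), the syslog host (10.0.0.50), the domain name and the placeholder secrets are assumptions chosen for the example; substitute your own.

```ios
! --- Weak (illustrative, constructed for this example) ---
! Reversible plaintext credentials, Telnet, no lockout, no source restriction.
enable password cisco
line vty 0 4
 password cisco
 login
 transport input telnet

! --- Hardened (illustrative, constructed for this example) ---
! Credentials: one-way hashed secrets, per-user accounts, no shared line password.
enable secret <STRONG-ENABLE-SECRET>
username netops privilege 15 secret <STRONG-USER-SECRET>
service password-encryption

! Management transport: SSHv2 only; RSA key is required before SSH will start.
ip domain-name example.net
crypto key generate rsa modulus 2048
ip ssh version 2
no ip http server
no ip http secure-server

! Brute-force resistance: quiet period after repeated failures, and log failures.
login block-for 120 attempts 3 within 60
login on-failure log
login on-success log

! Restrict who may reach the management plane at all.
ip access-list standard MGMT-HOSTS
 permit 10.0.0.0 0.0.0.255
 deny   any log

line vty 0 4
 access-class MGMT-HOSTS in
 transport input ssh
 exec-timeout 10 0
 login local

! Evidence for responders: off-box logs and a record of every config change.
logging host 10.0.0.50
logging trap informational
archive
 log config
  logging enable
  notify syslog
```

The `archive` block and remote syslog are there for the investigators, not the attacker: the advisory relied on configuration backups, logs and NetFlow to reconstruct what happened, and a device whose only copy of its logs and configuration sat in the erased NVRAM leaves little to work with.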
Though 2014 has come and gone, one trend that dominated its headlines has unfortunately continued to do the same this year. So, what happens to an organization’s cybersecurity readiness plan when there aren’t enough security professionals to protect the network? What are the tested security strategies that can help organizations prepare, manage, respond to and recover from incidents in a quick and effective manner?
During our next #CiscoChat, we’ll seek to answer these questions and invite you to share your thoughts and solutions with us. #CiscoChat is a program where industry experts answer your questions and participate in an open discussion on a particular topic. Everyone is welcome to join simply by searching the hashtag #CiscoChat on Twitter and including it in your tweets to be seen by others participating.
To address today’s evolving threat landscape, there’s been a shift from traditional event-driven security to intelligence-led security. Threat intelligence plays an integral role in this shift.
When you hear the term “threat intelligence,” it’s easy to have preconceived notions of what it means. Gartner defines threat intelligence as “evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject’s response to that menace or hazard.” I like that Gartner’s definition does not include intent. Why? Intent implies that the “menace” is trying to target you, but we know that too often this isn’t the case. Pretty much any piece of malware out there will damage unintended targets. One example is Stuxnet. It targeted Iranian nuclear enrichment facilities. Unfortunately, it escaped the purportedly air-gapped system and has been seen in at least 10 other countries. In more practical terms, threat intelligence must be: