On April 13th, 2015, Cisco PSIRT was made aware of multiple instances of customer disruption in a specific region caused by a denial of service attack against Cisco devices. We responded quickly to support speedy restoration for our customers.
Our ongoing investigation has shown that the storage of some Cisco devices was erased, removing both the Cisco IOS and device configuration from the non-volatile RAM. Once rebooted, these devices became non-operational, affecting connectivity to the global Internet.
Cisco PSIRT, together with other internal Cisco teams, responded to support affected customers, to review configuration backups of affected devices, and to analyze all available log files and NetFlow information.
At this time, we have seen a common element across all inspected devices: a combination of weak credentials and a lack of device hardening. There has been no evidence of a Cisco bug or vulnerability being exploited. Should this situation change and we discover the use of a vulnerability, Cisco will disclose it in accordance with our Security Vulnerability Policy.
Though 2014 has come and gone, one trend that dominated its headlines has unfortunately continued to do the same this year. So, what happens to an organization’s cybersecurity readiness plan when there aren’t enough security professionals to protect the network? What are the tested security strategies that can help organizations prepare, manage, respond to and recover from incidents in a quick and effective manner?
During our next #CiscoChat, we’ll seek to answer these questions and invite you to share your thoughts and solutions with us. #CiscoChat is a program where industry experts answer your questions and participate in an open discussion on a particular topic. Everyone is welcome to join simply by searching the hashtag #CiscoChat on Twitter and including it in your tweets to be seen by others participating.
To address today’s evolving threat landscape, there’s been a shift from traditional event-driven security to intelligence-led security. Threat intelligence plays an integral role in this shift.
When you hear the term “Threat Intelligence,” it’s easy to have preconceived notions of what it means. Gartner defines threat intelligence as “evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject’s response to that menace or hazard.” I like that Gartner’s definition does not include intent. Why? Intent implies that the “menace” is trying to target you, but we know that too often this isn’t the case. Pretty much any piece of malware out there will damage unintended targets. One example is Stuxnet. It targeted Iranian nuclear enrichment facilities. Unfortunately it escaped the purported air-gapped system and has been seen in at least 10 other countries. In more practical terms threat intelligence must be:
In security, there’s a gap between perception and reality. According to the Cisco 2015 Annual Security Report, 90 percent of companies are confident about their security policies, processes, and procedures – yet 54 percent have had to manage public scrutiny following a security breach. Not only are there direct costs to a security breach – there are also intangible expenses, including a negative impact to brand reputation and the erosion of customer trust.
As John Chambers articulated recently at the World Economic Forum in Davos, “There are two types of companies: those who have been hacked, and those who don’t yet know they have been hacked.” 2015 is going to be another year where organizations around the world can expect to be under attack or will discover that they have been infiltrated.
There is a widening gap between resources and needs, as security practitioners lack both the funding and the manpower to adequately protect assets and infrastructure. Because of this, CISOs are increasingly looking to external experts for security guidance.
This is why we are unveiling our Security Incident Response Services. Our new Incident Response Service is designed to advise organizations on how to reduce time to detection, containment and remediation. Our experts identify the source of infection, where it entered the environment, and what data was compromised. By going to the source – patient zero – and identifying malware movement throughout the environment, organizations can minimize the cost and overall impact of any breach, as well as identify methods to reduce future risk. The service leverages threat intelligence from the Cisco Talos Security Intelligence and Research Group, Cisco security technologies including AMP Threat Grid and the expertise of the Cisco Security Solutions (CSS) team. The Incident Response Service supports businesses in two areas:
Cyber Attack Response
Every event is unique, and our Security Incident Response methodology provides speed while allowing the flexibility to continuously adjust to the dynamic threat landscape. Whether it’s an insider threat, a distributed denial of service, advanced malware at the endpoints or a customer data breach, the team guides an organization through identification, isolation and remediation using analysis and data mining, forensic image analysis, dynamic instrumentation of infected systems, malware reverse engineering, and exploit analysis and re-implementation.
Cyber Security Readiness
As businesses fall victim to increasingly targeted cyber-attacks and data breaches, they need external expertise to assess and promote security best practices, as well as to protect corporate data and prepare for the inevitable data breach incident. An important prerequisite for a successful incident response capability is a strong Incident Response plan: when an incident occurs, everyone knows how to respond, how to escalate, and what to do, quickly and effectively. Cisco Incident Response offerings span infrastructure breach preparedness assessments, security operations readiness assessments, breach communications assessments, and training, among other activities.
Our team of experts has been actively working with customers on cyber attack response. A recent engagement was initiated when a company had identified consumer credit card data exfiltration. Working hand-in-hand with the customer, federal law enforcement and Cisco Talos, the Incident Response Services team discovered a new malware family targeting point of sale (PoS) systems. The team identified the malware’s patient zero and its lateral movement mechanism. This ultimately led to the team’s discovery of a new family of malware, “PoSeidon,” which is detailed in this blog post. Using best-of-breed technology, our incident response expertise, and working closely with Talos, the Cisco Incident Response Service team compressed the process of identifying, isolating and remediating for this customer by developing detection and countermeasures.
For more information on the Security Incident Response Services team, please see our overview video and our Cisco Security Launch Page.
Dan O’Malley talks about Cisco Systems offerings that are resonating in the Energy Industry and elsewhere. Cisco helps customers pre-plan for storms and to respond to disasters with sophisticated collaboration and device connectivity enabling technologies.
Many new technologies enable worker safety and visibility using two-way radios, smart devices, and mobile broadband, “connecting people and devices and work crews together smartly over the internet”. In the video, Dan talks about the challenges customers face and how Cisco is helping them get ‘positive business outcomes’.
Yes – I know what you mean – what does that really mean? Well, mother nature doesn’t always cooperate, so getting outages dealt with as quickly as possible is one positive outcome. Keeping in touch with workers, especially those in dangerous areas, and warning them if safety issues occur is another. And maybe even having ‘wearable’ biometric devices attached to workers to see how they’re doing physically, and monitoring their vitals in real time by operations centers. That’s another.
Just keeping track of field workers is a challenge – and making best use of a constrained ‘expert pool’ might be another. Some newer ‘millennial’ devices are, of course, part of the architectural approach, but so are traditional two-way radios and other devices – so that everyone can communicate and collaborate to get the job done. And it’s getting the job done that really gives good business outcomes – ask any customer!
So, in the words of Dan:
It’s about smartly connecting people, and devices and work-crews together smartly over the internet. That’s what we do.
…and providing the best business outcomes possible.