Securing the Critical Internet Infrastructure is an ongoing challenge for operators and requires collaboration across administrative boundaries. A lot of attention has been given in recent years to securing the Domain Name System through a technology called DNSSEC. However, in the last couple of years, the attention has shifted to the security of the Internet routing system and the best practices adopted by network operators around the globe in this area. The main questions these efforts are trying to answer are: is your network authorised to use resources such as IP addresses? Do my packets travel through the advertised path, or are they diverted on their way? These problem statements may sound too technical for the audience, but in reality they can quickly be converted into real business impact. Unauthorised claiming of network resources has been proven to cause downtime not only for one web server but for complete networks. In particular, imagine a phishing attack where the IP address, the domain name and the TLS certificate are all legitimate, but you are just interacting with the wrong network. The hijack of IP addresses is normally due to bad operational practices (basically misconfigurations that leak to the global Internet), but it is also suspected of playing a role in spam and other sensitive areas of security.
The global inter-domain routing infrastructure depends on
Tags: critical internet infrastructure, infrastructure, security, Service Provider
Security intelligence, threat intelligence, cyber threat intelligence, or “intel” for short, is a popular topic these days in the Infosec world. It seems everyone has a feed of “bad” IP addresses and hostnames they want to sell you, or share. This is an encouraging trend in that it indicates the security industry is attempting to work together to defend against known and upcoming threats. Many services like Team Cymru, ShadowServer, ThreatExpert, Clean MX, and Malware Domain List offer lists of known command and control servers, dangerous URIs, or lists of hosts in your ASN that have been checking in with known malicious hosts. This is essentially outsourced or assisted incident detection. You can leverage these feeds to let you know what problems you already have on your network, and to prepare for future incidents. This can be very helpful, especially for organizations with no computer security incident response team (CSIRT) or an under-resourced security or IT operations group.
There are also commercial feeds which range anywhere from basic notifications to full-blown managed security solutions. Government agencies and industry-specific organizations also provide feeds targeted towards specific actors and threats. Many security information and event management systems (SIEMs) offer built-in feed subscriptions available only on their platform. The field of threat intelligence services is an ever-growing one, offering options from open source and free, to commercial and classified. Full disclosure: Cisco is also in the threat intelligence business.
However, the intent of this article is not to convince you that one feed is better than another, or to help you select the right feed for your organization. There are too many factors to consider, and the primary intention of this post is to make you ask yourself, “I have a threat intelligence feed, now what?”
Tags: cisco sio, CSIRT, csirt-playbook, cybersecurity, incident response, infosec, operational security, security, security intel
In October, we were delighted to announce the completion of our acquisition of Sourcefire. With Sourcefire on board, Cisco provides one of the industry’s most comprehensive advanced threat protection portfolios, as well as a broad set of enforcement and remediation options that are integrated, pervasive, continuous, and open.
Within three weeks of the acquisition closing, we completed the first deployment into a highly secure data center and we are quite impressed with the results, to say the least! Within the first hour, we began seeing some interesting things from our network. The implementation was already giving us insights into our data center that we never had before!
Tags: data center, data correlation, network visibility, security, Sourcefire, threat protection
Proxy auto-config or PAC files are commonly used by IT departments to update browser settings so that internet traffic passes through the corporate web gateway. The ability to redirect web traffic to malicious proxy servers is particularly attractive for malicious actors since it gives them a method of intercepting and modifying traffic to and from websites from which they can gain financially.
Malicious PAC files have been described since 2005, but this obfuscated example contains a timely festive message. The Portuguese phrase for “Happy Christmas”, “Feliz Natal”, is used to encode the IP address of the malicious proxy, 188.8.131.52.
Tags: banking malware, security, TRAC
Last month I attended a summit of subject matter experts on securing the Internet of Things (IoT). At first, I thought I had the wrong room, because it seemed that everybody other than me was an architect or engineer working for a device manufacturer, and as a result the conversation was dominated by placing security controls into the devices themselves. In contrast, I tend to approach the issue from the perspective of protecting the core of the network. But just when I was beginning to think I had wasted an hour-long drive and was going to be bored out of my skull all day, a few of us started debating the issue and the conversation began to evolve. Before long, we had found common ground in the fact that security controls are all about trust relationships – ‘I trust you, therefore I will allow you to do that’.
Now trust is a funny thing, because by its very nature it can be neither one-sided nor one-dimensional. Instead, it must be built into every aspect of the transaction; a sort of “digital handshake” to ensure all is well before doing business. In other words, each of our preconceived perspectives was correct, yet we were all being stubborn and short-sighted!
Tags: Cisco, cyber security, Internet of Everything, internet of things, IoE, IoT, network security, security