Cisco Blogs

Cisco Blog > Security

An introduction to the new Cisco Network Visibility Flow Protocol (nvzFlow)

As recently announced, Cisco AnyConnect 4.2 extends visibility to the endpoint with the Network Visibility Module (NVM).  Users are one of the most vulnerable parts of any security strategy, with 78% of organizations saying in a recent survey that a malicious or negligent employee had been the cause of a breach.  However, until now, IT Administrators had been blind to user behavior on their devices.  NVM allows you to monitor and analyze this rich data to help you defend against potential security threats like data exfiltration and shadow IT, as well as address network operations challenges like application capacity planning and troubleshooting.

AnyConnect NVM supports the Cisco Network Visibility Flow protocol or nvzFlow for short
(pronounced: en-vizzy-flow).  The protocol is designed to provide greater network visibility of endpoints in a lightweight manner by extending standard IPFIX with a small set of high-value endpoint context data.  Leading IPFIX vendors have begun implementing the new protocol to provide customers with an unprecedented level of visibility.

Read More »

Tags: , , , , , , , , , , , ,

Calling all Incident Responders

We are happy to announce the final schedule for IRespondCon, a conference that is specifically designed for incident responders. IRespondCon is held annually at OpenDNS HQ and offers a day of free training, presentations, and networking with some of the top information security engineers, instructors, and fellow responders. They’ll be showing how to use freely available, open source tools to better defend networks and improve the effectiveness of DFIR efforts.

The agenda (subject to minor changes) is as follows:

Lenny Zeltser, SANS Institute: How to Run Malware Analysis Apps as Docker Containers.

Thibault Reuille, OpenDNS Labs: Using OpenGraphiti, the Open Source 3D Visualization Tool and framework.

Jason Craig, DropBox: An introduction to Sysmon and how it can be used for proactive hunting and IR in Windows environments.

Rob Fry, Netflix: Using FIDO the orchestration layer that automates the incident response process by evaluating, assessing and responding to malware and other detected threats.

Dean Sysman, Cymmetria: Using Nested virtualization with KVM. Showing how to create a nested virtualization array and it’s unique benefits for multiple security problems.

Rick Wesson, Support Intelligence: Performing static malware analysis using GPU’s.

Joel Esler Cisco: An update on Cisco Security Open Source projects and how they can help responders.

Kurt Hurtado, Elastic Search: Using Elastic Search and Logstash for Incident Responders.

For more information and to register visit and for information on IRespondCon I check out our blog wrap-up from last year here at

Note: Seating is limited so register as soon as you know you can make it !

Tags: ,

New Must-Know Security Research for Midsize Organizations

Midsize organizations are among the earliest adopters of new technologies. In general, they conduct much of their business over the Internet and are quick to embrace new apps, online payment systems, cloud, and Bring Your Own Device (BYOD) technologies. Fast adoption of innovations helps them to compete against larger organizations by meeting customer demands more cost effectively. But these business enablers are also creating security vulnerabilities that adversaries are exploiting for financial gain.

Adversaries aren’t just targeting prized assets like customer and employee data, invoices, and intellectual property. Cybercriminals also recognize that smaller companies are a vector into the networks of larger corporations. A 2013 study conducted by PricewaterhouseCoopers on behalf of the UK Government Department for Business, Innovation and Skills found that 87 percent of small businesses had been compromised, up 10 percent from the previous year. Many small and midsize companies are now mandated by partners to improve their threat defense. Regardless of size, organizations have legal and fiduciary responsibilities to protect valuable data, intellectual property, and trade secrets.

Read More »

Tags: , , , , ,

Threat Spotlight: A String of ‘Paerls’, Part One

This post was co-authored by Jaeson SchultzJoel Esler, and Richard Harman

Update 7-8-14: Part 2 can be found hereVRT / TRAC

This is part one in a two-part series due to the sheer amount of data we found on this threat and threat actor. This particular attack was a combined spearphishing and exploit attempt. As we’ve seen in the past, this can be a very effective combination.

In this specific example the attackers targeted a feature within Microsoft Word — Visual Basic Scripting for Applications. While basic, the Office Macro attack vector is obviously still working quite effectively.  When the victim opens the Word document, an On-Open macro fires, which results in downloading an executable and launching it on the victim’s machine. This threat actor has particularly lavish tastes.  This threat actor seem to target high-profile, money-rich industries such as banking, oil, television, and jewelry.

Discovering the threat

The VRT has hundreds of feeds of raw threat intelligence, ranging from suspicious URLs, files, hashes, etc.  We take that intelligence data and apply  selection logic to it to identify samples that are worthy of review.  Using various methods from machine learning to dynamic sandbox analysis, we gather details about the samples – producing indicator of  compromise (IOC), and alerts made up of multiple IOCs.

During our analysis we took the last 45 days’ worth of samples, and clustered them together based on a matching set of alert criteria.  This process reduced over a million detailed sample reports to just over 15 thousand sample clusters that exhibit similar behavior.  Using this pattern of similar behavior, we were capable of identifying families of malware.  This led us to discover a Microsoft Word document that downloaded and executed a secondary sample, which began beaconing to a command and control server.

The Malicious Word documents & Associated Phishing campaign

The attacks we uncovered are an extremely targeted spear phish in the form of an invoice, purchase order, or receipt, written specifically for the recipient.  For instance, the following is an example message we observed that purportedly came from “Maesrk”, the shipping company.


Read More »

Tags: , , , , , , , , , ,

Massive Increase in Reconnaissance Activity – Precursor to Attack?

Update 2013-11-12Watch our youtube discussion

Update 2013-11-05: Upon further examination of the traffic we can confirm that a large percentage is destined for TCP port 445. This is indicative of someone looking for nodes running SMB/DCERPC. With that in mind it is extremely likely someone is looking for vulnerable windows machines or it is quite possible that the “soon to be” attackers are looking for boxes compromised by a specific malware variant.

On 2013-11-02 at 01:00 UTC Cisco saw a massive spike in TCP source port zero traffic for three hours. This was the largest spike of reconnaissance activity we’ve seen this year. TCP source port zero is a reserved port according to the RFC and it should not be used. Customers who see port zero activity on their network should consider the traffic suspicious and investigate the source.


This graph displays the magnitude of the number of sensors logging this activity. Normally we see a magnitude of less than 20, this increased five fold on 2013-11-02. There was also an associated massive increase in the volume of traffic observed by signature 24199-0.

Read More »

Tags: , , ,