On April 10, 2013, a collective of politically motivated hacktivists announced a round of planned attacks called #OPUSA. These attacks, slated to begin May 7, 2013, are to be launched against U.S.-based targets. #OPUSA is a follow-up to #OPISRAEL, which were a series of attacks carried out on April 7 against Israeli-based targets. Our goal here is to summarize and inform readers of resources, recommendations, network mitigations, and best practices that are available to prevent, mitigate, respond to, or dilute the effectiveness of these attacks. This blog was a collaborative effort between myself, Kevin Timm, Joseph Karpenko, Panos Kampanakis, and the Cisco TRAC team.
If the attackers follow the same patterns as previously witnessed during the #OPISRAEL attacks, then targets can expect a mixture of attacks. Major components of previous attacks consisted of denial of service attacks and web application exploits, ranging from advanced ad-hoc attempts to simple website defacements. In the past, attackers used such tools as LOIC, HOIC, and Slowloris.
Publicly announced attacks of this nature can have highly volatile credibility. In some cases, the announcements exist only for the purpose of gaining notoriety. In other cases, they are enhanced by increased publicity. Given the lack of specific details about participation or capabilities, the exact severity of the attack can’t be known until it (possibly) happens. Read More »
Tags: advisories, ASA, botnet, botnets, Cisco Security, Cloud Computing, cloud security, data center security, DDoS, exploits, firewall, incident response, IPS, IPS signatures, malware, mitigations, security, targeted attacks, TRAC, vulnerability
This week, Juniper Networks announced a new cloud-based threat intelligence service focused on fingerprinting attackers’ individual devices. We’d like to officially welcome Juniper to the cloud-based security intelligence market—a space where Cisco has a proven track record of leadership through Security Intelligence Operations (SIO). Imitation is indeed the sincerest form of flattery, but in Juniper’s case, they entered the market years late and with limited visibility.
Let’s take a closer look at Juniper’s latest offering.
To start, here is what we know for certain: cyber threats take advantage of multiple attack vectors, striking quickly or lurking for days, months and even years inside your network. Not only this, but the Cisco 2013 Annual Security Report showcases how the web is an equal opportunity infector, with cyber threats crossing national, geographic and organizational boundaries as quickly and easily as users can click on a link. Security solutions must understand the attacks and infrastructure they are launched from, with tracking individual hackers doing far less for your defenses than blocking malicious activity being actively distributed over the network.
The Problem of Visibility
When a detective walks onto a crime scene, they don’t just focus on one thing. The only way to understand an event is to look at the entire scene: interview witnesses, check the neighborhood and look into the history of everyone involved; in other words, context—or the “who, what, where and how” information using every available piece of data.
Just as a skilled investigator builds a holistic picture, security solutions are only as reliable as the intelligence they receive, with Juniper’s being limited by the number of “honeypots” across their customer base. In network security, focusing on a single piece of information, a single attack vector, or one delivery mechanism misses the global visibility and context needed to stop advanced attacks. Cisco SIO powers our security solutions, receiving over 100 terabytes of network intelligence across 1.6 million deployed web, email, firewall and IPS devices. We correlate this data from physical, virtual and cloud-based solutions with a world-class threat research team, augmenting all of this with an ecosystem of third-party contributors. Fingerprinting is one small tool you should deploy in your arsenal, even though it has limited utility and perhaps even limited accuracy.
Read More »
Tags: 2013 annual security report, attackers, attacks, cloud-based threat intelligence, cyber, cyber threats, malware, security intelligence, security intelligence operations, sio, targeted attacks, threat intelligence
The past few weeks have had many on heightened alert from the initial threats to the ongoing attacks surrounding U.S.-based financial institutions; to say folks have been busy would be quite the understatement.
These events spawned a collaborative effort throughout the Cisco Security Intelligence Operations (Cisco SIO) organization, as depicted in the diagram below.
* Note: As Cisco products have not been found to be vulnerable to these attacks the Cisco PSIRT (Product Security Incident Response Team) provides feedback and peer-review, hence the reason that no Cisco Security Advisory (SA) is present for this activity.
Read More »
Tags: Attack, Cisco Security, DDoS, dns, DNS Server, intellishield, IPS, security, Security Intelligence Operations (SIO), targeted attacks
The list of account compromises over the past week is almost too long to list, and the numbers of verified or estimated compromised accounts has reached ridiculous numbers. With the media spotlight on these current companies’ compromises, we’ll likely get more details on the security weaknesses, outright failures, and more from the narcissistic vulnerability pimps taking credit for exposing those security problems.
Aside from the obvious of changing passwords, what can you and your organization do?
I won’t prognosticate on the list of best practices that may have been violated in these compromises, but they will be reported following the long, detailed, and expensive investigations in coming weeks and months, because most of them will be well-known but for one reason or another not practiced. The media reporting and the company’s public statements will cover those, and they will likely be worth a review for any significant points. We can let them tell the story, again.
Instead let’s focus on some things that people may not know or understand that can actually improve your security around these incidents. We highlighted a couple of these practices in the 2011 Annual Security Report, and more recently in the Emerging Threats Briefing at Cisco Live 2012.
First, let’s help our customers, users, and organizations. Given the opportunity, many people will take the simplest and easiest way. In the case of passwords, that means they will use their birthday, username, “password”, “123456”, and so on. We’ll see these lists of bad passwords in coming weeks too. It’s human nature, and too much work to try and remember all those passwords, right? Which leads to the second point of people that use the same password on multiple accounts (more on this shortly). As security practitioners, professionals,…we too often are setting up our users and organizations to fail. We have to do better, and here’s how. Every security control must have technical controls that enforce and monitor that security control, or we have no idea if it is effective. In the case of passwords, that means creating policies, security controls, and technical controls that require a user to create a strong password and change it regularly. If we let a user create a password of “123456”, they have done as should be expected, and we have failed. Even with the best account credentials, the accounts have to be monitored for suspicious activity with technical controls to alert security teams and users when, for example, a password is changed. For a good reference list see: FY 2011 Chief Information Officer Federal Information Security Management Act Reporting Metrics. Note the account activity items on the list: Locked out accounts, failed logins, dormant accounts, password aging…
Read More »
Tags: event monitoring, incident response, password manager, passwords, situational awareness, targeted attacks
The axiom “Quality, not quantity” has been adopted by everyone from stock pickers to those trying to successfully navigate the online dating scene. Now cybercriminals are also putting this philosophy to practice.
The fundamental shift away from mass spam attacks to more targeted threats with potentially bigger payoffs is top of mind to me. This trend is detailed in a new report by Cisco’s Security Intelligence Operation (SIO).
Specifically on the issue of spam, Cisco’s research reveals that mass spam volumes dropped from 300 billion daily spam messages to 40 billion between June 2010 and June 2011. Although 40 billion is still a huge number, signifying that spam is still an issue, the trend that’s most alarming is the threefold increase in spearphishing and the fourfold increase in personalized scams and malicious attacks such as malware.
Read More »
Tags: advanced persistent threats, APT, cybercrime, security, security top of mind, spam, targeted attacks