Cisco Blogs


Cisco Blog > Security

AMP Threat Grid integrates with Tripwire Enterprise

Today’s threat landscape is completely different than last year; and next years will be, not surprisingly, even worse. The Industrialization of Hacking has spawned a new era of professional, entrepreneurial, and resourceful cyber criminals. In recent year’s dynamic malware analysis (aka sandboxing) has become the shiny new technology that we all want, no, need to have. At one time anti-virus held this position as well, and the same will eventually be said of sandbox technology used to fight advanced malware.

You may have purchased a sandbox a few years ago but it’s likely that your malware analysis needs have gone beyond the traditional sandboxing technologies that simply extract suspicious samples, analyze in a local virtual machine, and quarantine. You need a more robust malware analysis tool that fits into your infrastructure and can continuously detect even the most advanced threats that are environmentally aware and can evade detection.

Tripwire recently partnered with Cisco and integrated the AMP Threat Grid dynamic malware analysis solutions into Tripwire Enterprise. But why choose this dynamic malware analysis tool? After careful evaluation there were a few key reasons to integrate this tool versus others:

  1. It’s not just dynamic malware analysis

    AMP Threat Grid provides both static and dynamic malware analysis, and a full subscription provides an API that is used to seamlessly deliver context rich threat intelligence into existing security technologies.

  2. Not everyone out there is a security expert

    Heck, very few are. AMP Threat Grid was designed to empower junior security analysts by providing a Threat Score so they can easily determine how malicious a sample is. The behavioral indicators are written in plain English so they can understand what the file is doing, and why its behavior is malicious, suspicious, or benign.

    Tripwire Sandboxing 1

  3. Lack of instrumentation

    AMP Threat Grid was designed without any instrumentation inside the virtual machine. Most experts agree that around 40% of today’s malware is environment aware, checking to see if it is running in a sandbox or the age of the operating system before detonating.

There are 3 ways that most people deploy a malware analysis tool:

  1. A stand-alone solution designed to feed itself samples for analysis without dependency on other security products. This has the most flexibility in deployment but adds significant hardware costs and complexity to management and analysis, especially for distributed enterprises.
  2. A distributed feeding sensor approach, such as firewalls, IPS, or UTMs with built-in sandboxing capabilities. These solutions are usually cost effective and easy to deploy but are less effective in detecting a broad range of suspicious files including web files. They can also introduce bandwidth limitations that can hamper network performance and privacy concerns when a cloud-based solution is the only option.
  3. Built into secure content gateways, such as web or email gateways. This approach is also cost effective but focuses on web and email channels only and also introduces performance limitations and privacy concerns.

Since Tripwire is already monitoring and collecting the data on your mission critical systems, these approaches don’t seem to work. But there’s a fourth way that actually takes the best of what these approaches offer and raises the bar to help you fight well-funded attackers that get better at what they do every day: Cisco AMP Threat Grid. Through AMP Threat Grid, Cisco offers advanced malware analysis and intelligence that delivers integration directly with Tripwire Enterprise providing you with a better ROI and more visibility into what is happening in your environment. Tripwire has integrated AMP Threat Grid into their Tripwire Enterprise, providing both static and dynamic analysis so you can better understand the malware targeting your organization, as well as the ability to automate the consumption of threat intelligence into your existing security infrastructure.

How does the Integration actually work?

AMP Threat Grid’s content driven security analytics dynamically and statically analyzes all submitted files, executing the sample in a safe environment, examining the behavior of the samples, and correlating the results with hundreds of millions of other analyzed malware artifacts. In less than 10 minutes AMP Threat Grid reports back and Tripwire Enterprise tags the file with the result. This enables Tripwire Enterprise customers to prioritize actions for changes on systems with threats identified by AMP Threat Grid and initiate workflow actions for quick remediation.

Tripwire Sandboxing 2

Not only does AMP Threat Grid analyze a broad range of objects, but those interested in an AMP Threat Grid subscription will also be provided with deep analytics capabilities wrapped with robust context. With over 350 behavioral indicators and a malware knowledge base sourced from around the globe, AMP Threat Grid provides more accurate, context rich analytics into malware than ever before. Tripwire customers can register for their free demo here.

Tags: , , ,

Attackers Slipping Past Corporate Defenses with Macros and Cloud Hosting

Macro malware is a good example of malware writers and distributors using old tricks that most users have forgotten to spread malware. Unlike earlier macro malware, these macros don’t infect other documents but download password stealing trojans and install them on targets. Macro malware typically arrives via email with an attachment that contains a macro-based phishing attack in the form of an MS Office document (usually Word or Excel). The malicious code is written using the older Visual Basic for Applications (VBA) scripting language.

What makes the current versions of macro malware particularly dangerous is that the code is often heavily obfuscated, making detection difficult. Furthermore, once the document is opened and macros are enabled, the malware installs and begins to monitor Internet Explorer, Chrome, and Firefox browser activities with the capability of grabbing screenshots and logging keystrokes. The attacker’s ultimate goal is stealing these login credentials that give access to corporate and financial data.

Distribution of malware by email using malicious Word and Excel files containing macros is on the rise. Popular malware used by cyber criminals including Dridex, Vawtrack, Betabot, and Rovnix have been distributed using this tactic. Based on data analyzed by Cisco Managed Threat Defense Team, email attacks where macros are the method of infection are up 50% from February and have more than doubled since October of last year.

email-attacks-per-month-clustered

Email Attacks per Month

Keep reading to learn more about Email Attacks Using Malicious Macros

Tags: , , , , ,

Cisco Live!: Threat-Centric Security from Networks to Data Centers to Clouds

Security has emerged as a leading pain point for CIOs, executives, and even in the boardroom due to changing business models and growing attack surfaces, a threat landscape that is more dynamic by the day and the increasing complexity of IT environments.

With these challenges as a backdrop, attendees of our 25th annual Cisco Live! event last week in San Francisco absorbed over 170 hours of security-focused material, including hands-on labs, seminars, technical breakouts, panel discussions, and keynotes. This overwhelming amount of time and effort is a testament to Cisco’s commitment to protecting our customers against the latest threats across the full attack continuum—before, during, and after an attack.

In case you could not attend or make a session, particular highlights from the week included Chris Young and Bryan Palma’s keynote (must create Cisco Live account to view) examining the security challenges brought about by the Internet of Everything. Chief architect Martin Roesch also led a session exploring threat-centric security, examining the modern threat landscape, and how threat-centric security increases the effectiveness of threat prevention.

From a product perspective, momentum continued as we announced major updates and new products during Cisco Live! to help our customers address their security needs across the attack continuum with protection from the network to the data center to the endpoint to the cloud.

Read More »

Tags: , , , , , , , ,

Threading the Needle on Privacy and Malware Protection

We have been clear that we have a distinct approach to Advanced Malware Protection (AMP), specifically the unique way in which we leverage the compute and storage capabilities of the public cloud. Doing so enables us to do a great number of things to help customers more effectively fight malware, particularly when compared to traditional, point-in-time anti-malware systems of the past 20 years.

Read More »

Tags: , , , , , ,

Executing on our Vision: Cisco’s Comprehensive Advanced Malware Protection

The increased scrutiny on security is being driven by the evolving trends of expanding networks, mobility, cloud computing and a threat landscape that is more dynamic than ever. A combination of these factors has led to an increase in attack access points and a re-definition of the traditional network perimeter.

Due to these concerns, we have been strong proponents of threat-centric security that lets defenders address the full attack continuum and all attack vectors to respond at any time — before, during, and after attacks.

Read More »

Tags: , , , , , , , , ,