
Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between March 24 and March 31. As with previous round-ups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavior characteristics, indicators of compromise, and how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Detection and coverage for the following threats is subject to updates pending additional threat or vulnerability analysis. For the most current information, please refer to your FireSIGHT Management Center, Snort.org, or ClamAV.net.

Authors

Talos Group

Talos Security Intelligence & Research Group


The Olympic Games represent the pinnacle of athleticism and excellence on the world stage like no other event. The scale of the preparation and production that goes into them is absolutely massive. That’s why providing connectivity and security to the 2016 Olympic Games in Rio was both a challenge and a great honor for Cisco.

Let’s put some context on the significance of connecting Rio 2016.  Connectivity was required in 37 competition venues and more than 100 support venues. Rio 2016 needed support for 25,000 media members and 123 broadcast organizations all the while delivering 170,000 hours of video content for 5 billion TV viewers.  The configuration for this alone would break world records.  Yet Cisco was asked to do all this and more, securely.  Cisco is the only company that has the training, resources, and the talent necessary to meet the network demands of the Olympic Games, and we delivered.

For DNS requests within the network, Cisco Umbrella provided the first line of defense against threats.  We used Umbrella to protect an average of 22 million DNS requests and block 23,000 suspicious sites daily on the Rio 2016 network.  Umbrella protected hosts from a range of spam, ransomware, and even exploit kits.  The Angler exploit kit was blocked from being downloaded 135 times from 12 different requested domains.  This can occur by hosting a malicious ad on a legitimate website.  Unbeknownst to the user, Angler can take advantage of vulnerabilities on the host computer and inject malware such as ransomware.  To learn how Umbrella can protect users on and off the network,  please visit here.

Cisco’s security offerings paired seamlessly together to provide an end-to-end solution that is simple, open, and automated.  Instead of traditional VLAN segmentation, we were able to segment the network using our TrustSec technology, which took a fraction of the time typical segmentation would for a network of that size.  This was for a network that handled over 2 PB of data.  Over the course of the Rio Games, our intrusion prevention system mitigated close to 7 million security events.

The result was an amazing experience for everyone in Rio. “Cisco provided us with the connectivity and security that allowed Rio 2016 to connect with the world,” said Marcelo Souza, Technology Systems General Manager of the Rio 2016 Organizing Committee for the Olympic Games.

It is a credit to the talent of our people and the strength of our portfolio that we were able to securely connect the Rio 2016 network.  I invite you to learn more about Cisco’s security at Rio 2016 by reading the case study here.

Authors

Thomas Licisyn

Product Marketing Manager

Security Marketing Group


This post authored by Nick Biasini with contributions from Edmund Brumaghin and Alex Chiu

The last time Talos discussed Sundown it was an exploit kit in transition. Several of the large exploit kits had left the landscape and a couple of strong contenders remain. Sundown was one of the kits still active and poised to make a move, but lacked a lot of the sophistication of the other large kits and had lots of easy identifiers throughout its infection chain. Most of these identifiers have been stripped, new exploits added, and Talos was able to uncover an interesting campaign focused around the bulk purchase of expiring domains through auctions commonly held within the domain resellers market.


Authors

Talos Group

Talos Security Intelligence & Research Group


‘…It takes a big village…’ so to speak when it comes to bringing enterprise-class big data & analytics solutions to the market. It is for this reason that our Cisco UCS team partners with several key ISVs in the big data segment be they Hadoop vendors, analytics providers, MySQL platforms, etc.

SAS Software is one of our strategic ISV relationships. Just recently at Cisco Live Berlin we introduced our first ‘Edge to Enterprise Big Data’ solution with them. Next week in Orlando, FL at their SAS Global Forum 2017 event our joint momentum continues as we will again take the stage with them.

If you are there, please try to attend the Monday morning (8:30 – 10:00), April 3rd General Session: “Technology Connection. Analytics in Action. Innovation at Work”.  Here Cisco UCS CTO Raghu Nambiar will join, along with others, Oliver Schabenberger, SAS Executive Vice President and Chief Technology Officer. Hear from Schabenberger on how innovation in analytics affects programmers, business users and executives today.

Authors

Rex Backman

Senior Marketing Manager, Big Data Solutions

Data Center and Cloud

You can draw right on Cisco Spark Board. And on the wall…

Things were a bit quieter at Enterprise Connect today as the event came to a close with a few morning sessions and the final summary panel concluding at noon.

Panels

Bots, AI and IoT: Will They Transform Customer Care? Sheila McGee-Smith brought together the panel to discuss some of the latest forces in the evolution of customer care. Tod Famous represented Cisco on the panel. And he gets credit for my favorite quote of the session: “Bots get smarter over time. That’s a nice way of saying they start out kind of stupid.”

The panelists talked about their current use of bots and AI within customer care solutions, as well as predictions and use case examples. Cisco technical assistance uses Cisco Spark’s “care assistant,” which automatically connects people to subject matter experts, making it ideal for internal support and help desks. The assistant (I’m pretty sure he called it Kara? Or Care-a?!) uses keywords in the query to connect the customer with the proper Cisco Spark with the right support agent or team. If it’s a common question, Kara can use an FAQ library to answer the user directly.

Natural language processing becomes a natural input system for artificial intelligence and voice transactions. I must have been regretting missing breakfast at that point because my notes read “Think Alexa ordering your pizza.”

Sheila closed by asking panelists whether bots will eventually replace humans in contact centers. As with many conversations tied to automation, there’s a consistent rumble about displacing people. But the panelists generally agreed that bots and AI will augment, rather than replace, people. Agents will be more effective with AI making the information they need more readily available.

I think Tod’s answer makes a lot of sense: “There will be more agents in 10 years, but they’ll be doing very different things.” As long as my pizza order is correct and on time, I’m good.

Lego = connecting. Get it?

IoT & UC: Connecting Things to People in Your Enterprise: Cisco’s John Elliott joined the conversation moderated by Michelle Burbick and Dave Michels. A good amount of the conversation focused on customer care. One perspective: When it’s about making a decision, is it thing-to-thing data or does it involve people evaluating information?

As for Cisco, John explained his current focus as putting together the right assets to help our own customers. And looking to APIs as a way to “really personalize” IoT. He detailed a use case example in which a city electric grid fails during a storm. Based on the data, the AI system identifies which people the system should notify, then creates a Cisco Spark room with those people to resolve the issue.

Like many things, it starts with the business case. There’s a need for vertical and line-of-business IoT solutions that impact ROI. While some organizations will want to create very customized solutions, “not everyone wants bespoke,” John explains. “Some want a repeatable solution that leverages capabilities Cisco has in cloud and unified communications.”

Are we there yet? No. As an industry, we have to go faster to provide IoT solutions that people can take advantage of quickly. And for that, standardizing APIs and making them simple is really key.

Quote of the Day
It’s time for IT to act as ambassadors for their users.
More Yoda less Darth Vader. “Productive you are.”
–Tim Banting, analyst (via Twitter)

Final Session: Town Hall

For the last session of the day – and the entire Enterprise Connect 2017 experience, it was time to give the analysts and consultants the whole stage. With so many sessions, speakers, and exhibitors during the week, there was a lot of informational territory to cover. Here are my six favorite topics/quotes from the session, in no particular order. (Apologies to the speakers for any paraphrasing — I type fast, but I’m only human.)

On disruption: Disruption is taking place both within the UCaaS industry and it’s coming from outside [the traditional space]. –Elka Popova

On the future: If you really want to know about the future, start thinking about your user groups and workflows. –Marty Parker

On humans: People and processes are harder to change than technology.  –Melissa Swartz

On contact center tech: The space has been disconnected. The industry is selling customer engagement, but customers are buying cost reduction. –Dave Michels

On infrastructure: We live in a world that’s more dynamic and distributed. Your IT has to reflect that. –Zeus Kerravala

@ciscokima Has Left the Building

Thanks to all who read my posts, followed me on Twitter, and generally contributed to the Enterprise Connect experience this week. It was great to talk 1:1 with people to hear perspectives on technology, vendors, and even obscure music. I appreciate that people take the time to share their ideas with me at these events.

It didn’t get the crown for today’s Quote of the Day, but I like the final statement from (the ever-quotable) Dave Michels: “We’re in the early innings of this game. It’s going to be a long game. And it’s going to change the industry.”

Yeah, the bits and bytes and shiny new this and that of hardware and software are great, but as many of the panelists and speakers repeated this week – it’s about the experience, it’s about the people, it’s about what technology allows us to do that makes the difference.

That’s as close to greeting card sentiment as I ever get. And with that, I’m over and out from Orlando! (Besides, this place is being overrun by giant chocolate bunnies. I’m kinda scared.)

 

Learn more about all things Cisco Spark and Cisco Collaboration on Cisco.com.

Authors

Kim Austin

No Longer with Cisco


On March 29, Cisco became aware of several customer outages involving different releases and models of Cisco ASA and Cisco Firepower Threat Defense (FTD) appliances. Cisco has published a Field Notice urging Cisco customers who are running specific releases of software to reboot their devices to prevent a device from hanging and no longer passing traffic.

The issue is documented in Cisco Bug ID CSCvd78303.

Cisco ASA and Cisco FTD devices are affected by a functional software defect that will cause the device to stop passing traffic after 213 days of uptime. The affected software versions are listed in the Field Notice.

The issue is due to a software regression bug introduced when addressing Cisco bug ID CSCva03607. The current issue impact is limited to device operability and it is not a vulnerability, nor is there continued exposure to the vulnerability that was already addressed. This issue cannot be triggered by a threat actor.

Workarounds Are Available

Updated software versions that address this issue will be published in the coming weeks. Cisco is proactively notifying customers of available workarounds that mitigate this issue.

To mitigate the risk and impact of a device that stops passing traffic, Cisco urges customers to proactively reboot their Cisco ASA or FTD devices that are running affected versions. Those rebooted devices should have fixes available before they are at risk of the issue again.

To display the device uptime, use the show version | grep up command, as shown below:

You can also use the show asp drop command over a console connection to detect the reason for packets being dropped. In this case the show asp drop command will indicate the drop reason as “punt rate limit exceeded”, as shown below:

If you have deployed Cisco ASAs in failover mode, you can first perform the reboot on the standby unit, and then reboot the primary, in order to minimize downtime.

Similarly, you can refer to the “Perform Zero-Downtime Upgrades for Failover Pairs” section of the following document when ultimately upgrading the firewall:
http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/111867-asa-failover-upgrade.html#zerotime
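
The uptime check above, applied across a fleet: the following is an added example, not code from Cisco or from the original post. It parses uptime lines saved from show version | grep up on each device and sorts the devices by how many days remain before the 213-day mark. The line format, the device names, the 30-day warning margin and the "failover cluster" line it skips are assumptions, and the sample captures are constructed.

```python
import re

HANG_AFTER_DAYS = 213    # uptime at which the defect stops traffic (from the post)
WARN_MARGIN_DAYS = 30    # assumed planning margin; pick one that fits your change window

# Assumed line shape: "<name> up <n> <unit> [<n> <unit> ...]"
LINE_RE = re.compile(r"^(?P<name>.+?)\s+up\s+(?P<rest>\d.*)$")
PART_RE = re.compile(r"(\d+)\s+(year|day|hour|min|sec)")
UNIT_DAYS = {"year": 365, "day": 1, "hour": 1 / 24, "min": 1 / 1440, "sec": 1 / 86400}


def uptime_days(line):
    """Return (name, uptime in days) for one uptime line, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    parts = PART_RE.findall(m.group("rest"))
    if not parts:
        return None
    return m.group("name"), sum(int(n) * UNIT_DAYS[u] for n, u in parts)


def classify(days):
    """Bucket an uptime. Whether the release is affected must come from the Field Notice."""
    if days >= HANG_AFTER_DAYS:
        return "past-threshold"
    if days >= HANG_AFTER_DAYS - WARN_MARGIN_DAYS:
        return "reboot-soon"
    return "ok"


def report(captures):
    """captures: {device: saved command output}. Returns rows sorted by days remaining."""
    rows = []
    for device, text in captures.items():
        for line in text.splitlines():
            parsed = uptime_days(line)
            # Assumption: a "failover cluster up ..." line is pair uptime, not unit uptime.
            if parsed is None or parsed[0] == "failover cluster":
                continue
            days = parsed[1]
            rows.append((device, round(HANG_AFTER_DAYS - days, 2), classify(days)))
    return sorted(rows, key=lambda r: r[1])


# Constructed sample captures; hostnames and values are illustrative only.
SAMPLE = {
    "fw-edge-01": "fw-edge-01 up 200 days 4 hours",
    "fw-dc-02": "fw-dc-02 up 41 days 2 hours\nfailover cluster up 1 year 12 days",
    "fw-lab-03": "fw-lab-03 up 212 days 23 hours",
}

if __name__ == "__main__":
    for device, days_left, status in report(SAMPLE):
        print(f"{device:12} {days_left:8.2f} days left  {status}")
```

For a failover pair, schedule the standby unit first and the primary second, as described above.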

Cisco Support

Cisco is always transparent and committed to supporting customers when there is potential for an urgent issue in one of our products. We work hard to avoid issues with our technology, but in the event that something arises, we ensure that our customers have the information they need to keep their network running smoothly. If you require further assistance, or if you have any further questions regarding this issue, please contact the Cisco Technical Assistance Center (TAC) at any of the methods listed on the Cisco Support page:
http://cisco.com/go/tac

Authors

Omar Santos

Distinguished Engineer

Cisco Product Security Incident Response Team (PSIRT) Security Research and Operations


A year ago, I introduced our Enterprise NFV solution. This year at CiscoLive Berlin (#CLEUR), we announced solutions that extend virtualization beyond the branch, across the entire enterprise network and to the cloud.

Every day, we see how digital transformation is changing the way we work, live, play and learn. Fueled by trends such as mobility, IoT, cloud and analytics, going digital is more important than ever.

In order to accelerate your digital transformation, you need a network that can respond fast to your growing needs.

Cisco’s Digital Network Architecture (DNA) enables your network to become open, software driven, and service centric by providing virtualization capabilities that are open, software driven and service centric. DNA allows you to rapidly deliver services that enable IT to innovate faster, reduce costs and complexity, lower risk and meet compliance.

Virtualization is one of the key pillars of Cisco DNA.

With DNA Virtualization you can…

  • Save time – Deploy virtual network services in minutes, instead of weeks.
  • Have more choices – Expand your network securely to any platform – branch, campus, data center, carrier-neutral facility, or the cloud.
  • Lower your costs – Reduce CapEx by moving to virtual services and consolidate hardware. Lower OpEx with automated central orchestration.
  • Increase performance – Connect all types of users to the applications they need through the most optimal path

Branch Virtualization with Enterprise NFV

Branch Virtualization with Enterprise NFV makes it simple and easy to design, provision and manage network services in the branch. Now with a new branch platform optimized for Enterprise NFV, ENCS delivers complete virtualized services. It provides service agility and density needed for the branch with limited IT resources.

Colocation Center Virtualization with Secure Agile Exchange

Cisco Secure Agile Exchange (SAE) solution enables enterprises to quickly and securely interconnect users to applications by virtualizing the DMZ and extending it to colocation centers. It allows users (employees, customers and partners) to reach the desired application whether the application resides in the data center, the public or SaaS cloud while ensuring the best application experience.

Public Cloud Virtualization with CSR 1000V

Public Cloud Virtualization with CSR 1000V extends your enterprise network to the public cloud by preserving existing policies and gaining visibility. With CSR 1000V at both Amazon Web Services and Microsoft Azure, Cisco has the large public cloud provider partners to help IT manage services and applications in the public cloud as one entity.

https://youtu.be/YGOPnJy6w5g 

Cisco is Unique –

  • Simple – manage your virtualized and distributed networks as one
  • Everywhere in the network, branch to the cloud
  • Comprehensive – network services you can trust

So to summarize – here are the benefits you should expect from DNA virtualization –

  1. Simplifies day to day operations by increasing uptime and reducing time network Administrators spend troubleshooting
  2. Helps IT quickly roll out new services and new locations. IT can support the business in a timely manner, by deploying new applications, services or supporting business initiatives.
  3. Provides consistent network policies through the entire network and to the cloud. IT has the freedom to choose the network services, where it is deployed and where they deploy it on.

Check out the demo I have done on stage with Scott Harrell, SVP Product Management Enterprise Networking –

https://youtu.be/kWL8nusZb_Q


Authors

Liad Ofek

Director of Product Management

Enterprise Networking Group


Our market economy, which produces goods and services and jobs for billions around the world, is built on the foundation of a strong commercial law system – a foundation that promises “a deal is a deal”, that rights and obligations can be enforced through courts offering equal justice under law. For companies like mine, access to that system is easy – we have the resources to hire the lawyers we need, and to pay them. For many others, including those who feel the system is only for the powerful, and who voted for change last year, the promise of equal justice under law is illusory; unaffordability means that instead of being able to enforce their rights, their stronger contractual partner gets the benefit, while they get the short end of the stick.

The federally-created Legal Services Corporation plays a vital role in securing access to justice for those who can’t otherwise afford the costs that are unfortunately built into our current system. The LSC provides seed funding for local legal services organizations around the country that offer services themselves, and creates a multiplier effect by facilitating pro bono efforts by lawyers in law firms and companies. For this reason, I’m proud to have co-signed a letter with over 170 of my general counsel peers urging Congress to retain funding for the LSC this year, which is threatened in an age of tight and shifting budgetary priorities.

Last year, dozens of Cisco lawyers donated their time and sweat to working on pro bono cases. We were honored this February to receive the American Bar Association’s Corporate Counsel Committee Pro Bono Award because of the scope of the efforts of so many great people on our legal team. Our efforts, in many cities around the country, were only possible because of the structure and logistics provided by LSC-funded organizations, which allow our individual engagement to scale.

Two weeks ago, I and four other members of our team spent a morning volunteering at the Law Foundation of Silicon Valley, offering pro bono assistance in landlord-tenant cases; we were supported by Cisco, which also makes a donation to charitable organizations where Cisco employees volunteer. My client that morning was a woman who works her heart out to support her family; her take-home pay is only $1600 per month, in a job she has held for over two years. Her landlord is unfairly seeking to evict her, which would effectively force her and her family to leave the area, since she has no money to obtain a new place to live in expensive Silicon Valley. I was proud to make sure she was able to navigate the system. The integrity of our country and its legal system depends on making sure all people can have a day in court. For that reason, I hope you too will ask your Congressional representatives to support funding for the Legal Services Corporation.

 

 

Authors

Mark Chandler

Retired | Executive Vice President

Chief Legal and Compliance Officer


In addition to having the coolest name for a generation in decades, millennials are a huge target market for our partners and their customers. Our ISV partners like Turnstyle are helping customers tap into that market by building Wi-Fi marketing platforms and programs. Recently, they figured out how to bring the younger generation into a chain of convenience stores in Canada. Free Wi-Fi and candy bars.

Turnstyle says…

Mondelēz International teamed up with convenience store industry powerhouse, Couche-Tard (Mac’s), to run a 90-day Wi-Fi marketing pilot program. Their goal was to drive penetration with millennials and find unique and relevant ways to reach them with high impulse products in the moments leading up to a purchase. They wanted to learn how to effectively grab their attention and then keep them engaged and coming back.

Our cloud-based Wi-Fi marketing platform, powered by Cisco Meraki access points, allowed the two retail giants to successfully map, analyze, and market to customers, generating a considerable increase in revenue and customer loyalty. We were able to help Mac’s & Mondelēz uncover invaluable information about their customers and deliver highly contextual offers and rewards to drive increased traffic and purchases.

Over 3,244 customers opted in to the program over a 31-day period, with a 14% increase in customers redeeming coupons. Altogether, customers returned to their local Mac’s 25% more frequently than they had before the campaign.

Thanks, Turnstyle!

If you’ve been to a partner ecosystem event, you may have bumped into Turnstyle. They’re taking full advantage of our partner ecosystem and working with traditional resellers to rack up a list of satisfied customers with great sales results.

For more information on Turnstyle, visit: www.getturnstyle.com

Meet other Cisco partners helping customers around the world.

Authors

Julie Colwell

Marketing Manager

Global Partner Marketing