Cisco Blogs


Research Spotlight: Needles in a Haystack

This post was authored by Mariano Graziano.

Malware sandboxes are automated dynamic analysis systems that execute programs in a controlled environment. Within the large volumes of samples submitted daily to these services, some submissions stand out from the rest and show interesting characteristics. At USENIX Security 2015 I presented a paper in which we proposed a method to automatically discover malware developments among the samples submitted to online dynamic analysis systems. The research was conducted by dissecting the Anubis sandbox dataset, which consisted of over 30M samples collected over six years. The methodology we proposed was effective, and we were able to detect many interesting cases in which the malware authors directly interacted with the sandbox during the development phase of their threats.

Another interesting result that came from the research concerns the samples attributed to Advanced Persistent Threat (APT) campaigns. Surprisingly, some of the malware samples used in these sophisticated attacks had been submitted to the Anubis sandbox months, sometimes even years, before the attack had been attributed to the proper APT campaign by a security vendor. To be perfectly clear, we are not saying that it took security vendors months or years to detect a threat. Most times, we are able to detect the threats in no more than a few hours. It is just that the malware samples were mislabeled and not properly associated with APT campaigns. In general, the same goes for non-APT malware campaigns. In this blog post, we tried to see if the same applied to the Cisco dataset. Specifically, we chose ten APT campaigns, some of which were already covered in the USENIX paper. We decided to inspect two different datasets: our incoming sample feeds / malware zoo, and the telemetry associated with our Advanced Malware Protection (AMP) solutions. Talos receives samples from over 100 external feeds ranging from anti-malware companies to research centers, while the AMP dataset contains telemetry from the Cisco AMP user base.

The remaining part of this post is organized as follows. First, we show the APT campaigns we investigated. Second, we summarize the results of the analysis of the Talos dataset. Third, we show the results from the AMP dataset. Finally, we summarize our findings.


Microsoft Patch Tuesday – January 2016

The first Patch Tuesday of 2016 has arrived. Today, Microsoft has released their monthly set of security bulletins designed to address security vulnerabilities within their products. This month’s release is relatively light with nine bulletins addressing 25 vulnerabilities. Six bulletins are rated critical and address vulnerabilities in Edge, Internet Explorer, JScript/VBScript, Office, Silverlight, and Windows. The remaining three bulletins are rated important and address vulnerabilities in Exchange and several parts of Windows.

Bulletins Rated Critical

Microsoft bulletins MS16-001 through MS16-006 are rated as critical in this month’s release.

MS16-001 and MS16-002 are this month’s Internet Explorer and Edge security bulletins, respectively. In total, four vulnerabilities are addressed and, unlike in previous bulletins, there are no vulnerabilities that IE and Edge have in common.

  • MS16-001 is the IE bulletin for IE versions 7 through 11. Two vulnerabilities are addressed: CVE-2016-0002, a use-after-free flaw, and CVE-2016-0005, a privilege escalation flaw. Note that CVE-2016-0002 is a VBScript engine vulnerability that this bulletin addresses on systems with IE 8 through 11 installed. Those who use IE 7 or earlier, or who do not have IE installed, will need to install MS16-003 to patch this vulnerability.
  • MS16-002 is the Edge bulletin and addresses two vulnerabilities as well. Both CVE-2016-0003 and CVE-2016-0024 are memory corruption vulnerabilities that could result in remote code execution if exploited.

One special note regarding this month’s IE bulletin: in August 2014, Microsoft announced the end of life for Internet Explorer versions older than IE 11, taking effect today. As a result, this month’s bulletin is the final one for the affected versions. After today, “only the most recent version of Internet Explorer available for a supported operating system will receive technical support and security updates.” There are exceptions to the end-of-life announcement: Windows Vista SP2 (IE9), Windows Server 2008 SP2 (IE9), and Windows Server 2012 (IE10). For more information on the IE end of life, please refer to Microsoft’s documentation.



Rigging compromise – RIG Exploit Kit

This post was authored by Nick Biasini, with contributions by Joel Esler.

Exploit kits are one of the biggest threats affecting users both inside and outside the enterprise: they indiscriminately compromise a victim who merely visits a web site and deliver a malicious payload. One of the challenges with exploit kits is that at any given time there are numerous kits active on the Internet. RIG is one of these exploit kits and is always around, delivering malicious payloads to unsuspecting users. RIG first appeared in our telemetry in November 2013; back then we referred to it as Goon, and today it is known as RIG.

We started focusing on RIG and found some interesting data similar to what we found while analyzing Angler. This post will discuss RIG, findings in the data, and what actions were taken as a result.

The Exploit Kit Overview

RIG compromises users like any exploit kit. It starts with a user being redirected to a landing page, via malicious iframes or malvertising, which looks similar to the following:

It begins with an initial link to a javascript:
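The hidden-iframe redirect described above, as an added example that is not part of the original post: a small Python check that parses a page and flags iframes pointing to another host that are also concealed, either by tiny dimensions or by an inline style. The sample HTML and every hostname in it are constructed for illustration; the thresholds (2px, `display:none`, `visibility:hidden`) are the author's assumptions, not values taken from the RIG kit.

```python
"""Flag hidden or off-site iframes of the kind exploit-kit redirectors inject.

Added example; not code from the original post. The sample page below is
constructed for illustration and its hostnames are placeholders.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: one legitimate player iframe plus two injected ones.
SAMPLE_HTML = """
<html><body>
<h1>Welcome</h1>
<iframe src="https://www.example.com/player" width="640" height="360"></iframe>
<iframe src="http://redirector.example.net/landing.php?id=3" width="1" height="1"
        style="visibility:hidden"></iframe>
<iframe src="//ads.example.org/serve" style="display: none"></iframe>
</body></html>
"""


class IframeCollector(HTMLParser):
    """Collects the attributes of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            # attrs is a list of (name, value); value is None for bare attributes
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _pixels(value):
    """Parse a width/height attribute such as '1' or '1px'; None if not numeric."""
    try:
        return int(value.strip().lower().rstrip("px"))
    except (AttributeError, ValueError):
        return None


def is_tiny(attrs):
    """True when either dimension is 2px or less (assumed threshold for a hidden frame)."""
    w, h = _pixels(attrs.get("width")), _pixels(attrs.get("height"))
    return (w is not None and w <= 2) or (h is not None and h <= 2)


def is_hidden(attrs):
    """True when the inline style removes the frame from view."""
    style = attrs.get("style", "").replace(" ", "").lower()
    return "display:none" in style or "visibility:hidden" in style


def find_suspicious_iframes(html, page_host):
    """Return [(src, [reasons])] for iframes that point off-site and are concealed."""
    collector = IframeCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.iframes:
        src = attrs.get("src", "")
        host = urlparse(src).hostname  # also handles scheme-relative '//host/...'
        if not host or host.lower() == page_host.lower():
            continue  # same-origin frames are out of scope for this check
        reasons = []
        if is_tiny(attrs):
            reasons.append("tiny dimensions")
        if is_hidden(attrs):
            reasons.append("hidden by style")
        if reasons:
            findings.append((src, reasons))
    return findings


if __name__ == "__main__":
    for src, reasons in find_suspicious_iframes(SAMPLE_HTML, "www.example.com"):
        print(f"suspicious iframe {src}: {', '.join(reasons)}")
```

Run against a captured page, the check is a triage aid rather than a verdict: legitimate ad and analytics frames are also small and off-site, so the flagged `src` values still need to be compared against known-bad hosts or fetched in a sandbox.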




Protecting the Video Headend and Data Center Infrastructure

George Tupy’s recent blog described how the growth of cloud and over-the-top (OTT) video presents a massive market opportunity for service providers to deliver video content anytime, anywhere, and on any screen. He also discussed how open IP networks and cloud-based delivery methods introduce new security vulnerabilities. To add fuel to the fire, content and customer data are often stored together inside the video headend and data centers, making them more easily accessed by attackers. Attackers can disrupt operations by launching denial-of-service (DoS) attacks, target your authorized users to gain access to your corporate network, steal or modify video content directly on your video headend, or even siphon out valuable customer and billing data. Theft of credit card numbers or customer identity information hurts your customers and damages your reputation in the industry.

Now the good news: Cisco has the security solutions to protect your video content and broadcast infrastructure so you can focus on developing premium content and services for your subscribers.

Imagine your video infrastructure protected by the leader in data center security. Envision multilayered solutions working together to ensure your content, services, and business are protected from advanced cyber threats – across the attack continuum – before, during and after an attack.

Cisco solutions address advanced threats

Before an attack, our Next-Generation Firewalls use granular access control and identity checks. This strengthens your network perimeter and locks down your video headend and data centers before an attack happens.

During an attack, when an attacker tries to compromise your business through the network, web, or email, our integrated Next-Generation Intrusion Prevention System (NGIPS), Distributed Denial of Service (DDoS) protection, and Web and Email Security solutions engage threats as they happen.

After an attack, if malware does manage to get in, Advanced Malware Protection (AMP), Network Behavioral Analysis, and sandboxing solutions have you covered. These solutions continuously scan traffic and files to find threats before they become active. If malware does become active, we can isolate the threat and remediate the infection to bring you back online quickly.

Cisco brings a wealth of robust security solutions to provide comprehensive protection across your headend infrastructure and corporate IT systems. Security Services are also available to help you design, implement, and manage your security each step of the way and ensure you have the best protection across your business.

For more detailed product information, see Cisco’s Secure Data Center Solution. For a compelling deployment story, read how Cisco’s security solution was deployed to help fortify BT against growing cyber threats. You can also learn how Sky has chosen to implement Cisco’s comprehensive VideoGuard Everywhere software security solution for its next-generation home entertainment system.


Security Insights with British Telecom

The explosive growth of video, mobility, Internet-of-Things, and cloud services has brought about enormous business opportunities. Service Providers are adopting open and programmable network architectures that increase business agility and lower costs. However, adversaries are increasingly exploiting the growing attack surface presented by these new services and expanded network connections.

British Telecom, the largest service provider in the UK, has recently announced a partnership with Cisco to deliver threat-centric security solutions based on our joint expertise and leadership. By partnering with Cisco, BT will strengthen its network and advanced threat protection capabilities and automate its threat intelligence to detect, analyze and remediate attacks, while offering the same security capabilities to its customers through BT Assure Cyber, BT’s managed security portfolio.

I recently had the opportunity to sit down with Les Anderson, VP of BT Cyber, and ask him how BT manages security to protect their networks and their customers and to get his take on our new partnership.

Sam Rastogi – Cisco Security: What changes in the threat landscape are you observing?
Les Anderson: Over the last 13 months, BT has experienced a 1,000% increase in threats. We’ve seen our networks targeted in ways that we haven’t seen before. There is unprecedented speed in the innovation, resiliency and evasiveness of cyber attacks.

CS: How do you counter these threats?
LA: Partnership with Cisco for threat-centric security and consolidating where it makes sense for our business and our customers.

CS: What security technologies are top of mind for you?
LA: We need threat-centric technologies that are able to stop threats. We look to solutions, such as ASA with FirePOWER Services, Advanced Malware Protection (AMP), and Next-Generation IPS (NGIPS) – all, working together. They amount to a differentiated capability in the market – to see and stop more threats for us and our customers.

CS: How do you view security as a growth engine for organizations?
LA: BT doesn’t compromise when it comes to prioritizing our own cybersecurity; security can be a growth engine for businesses like BT to take full advantage of today’s opportunities to be more productive, make organizations more efficient and customers happier by keeping systems — both ours and our customers’ — secure. By relying on threat-centric security, we’re thus able to focus on our core business goals, making security a differentiator. Investing in security in turn inspires further trust in doing business with us and with our customers.

CS: Why did you choose to partner with Cisco? And why now?
LA: Cisco has made smart security acquisitions and technology innovations that provide a significant differentiation in the market. I’m seeing that Cisco has the ability to deploy security products into SDN and virtualized environments to unlock additional value that is critical to security. Lastly, our joint portfolio has allowed us to sell the largest cyber strategic security capability globally to a nation state. This is all possible with the strong partnership we have in place together.

Watch this video to learn how BT is taking advantage of security solutions from Cisco to protect its own environment and its customers:
