Today’s attackers deploy complex and clever threats that are difficult to combat with just one method of defense. In some cases, defenders must go beyond tools for detecting attacks and devise a different approach for obstructing our adversaries’ ability to operate.

As detailed in the Cisco 2016 Annual Security Report, recent collaborative efforts between Cisco, Limestone Networks, and Level 3 Threat Research Labs have weakened the impact of two threats: the distribution of the Angler exploit kit, and the rapid growth of one of the Internet’s largest DDoS weapons built out by SSHPsychos.

In the case of the Angler exploit kit—which has been a major factor in the explosion of ransomware activity and has been linked to several malvertising campaigns—Cisco, Limestone, and Level 3 were able to gain a deeper insight into the threat. Through our collaborative efforts, we were able to gain visibility into Angler’s infrastructure, identify the servers associated with serving Angler, and develop better detections to catch Angler proxy server redirections.

Delivering this kind of result could not have been accomplished without the assistance and cooperation of Limestone Networks and Level 3, each of which brought a unique strength to the table. The insights of all three organizations contributed to the end result: a global decrease in Angler activity, a disruption in Angler’s revenue stream, and, most importantly, documentation on how the Angler exploit kit works and how best to detect it from every aspect.

A similar coordinated effort helped disrupt the operation of the DDoS botnet run by SSHPsychos. This weapon, composed of countless machines across the Internet, had the capability and scale to launch global DDoS attacks that would not have been possible to address on a device-by-device basis, meaning that it could not be easily mitigated via traditional threat defenses. SSHPsychos was operational in two countries (the United States and China) and had immense scale. Allowing the botnet to continue operating unchecked could have resulted in large portions of the Internet becoming unstable. As a result, disrupting this threat actor’s operations required a combined effort.

As Cisco security researchers observed the activity of SSHPsychos, Cisco worked with Level 3 Threat Research Labs to analyze traffic at the level of the netblocks (ranges of IP addresses) that SSHPsychos was operating out of. Once our research determined that no legitimate traffic was originating from these netblocks, Level 3, Cisco, and other collaborators took action to block these IP addresses from the Internet at both a device and backbone level.

Industry collaborations with companies that can help Talos take action against our adversaries will become more frequent, since they are one of the most effective ways of disrupting our adversaries’ ability to operate on the Internet.

At Cisco, we’re doing our part by developing creative approaches to threat defense, such as Project Aspis, a collaboration between Cisco Talos and hosting providers designed to help the providers maintain safer environments, while helping Cisco protect its customers from threats. And the Cisco security programs help connect security industry professionals with members of the Talos Group to share ideas for improving security and gather feedback on security products and services.

We’re of the firm belief that the security industry, and organizations such as top-level domain providers and ISPs, should engage in and help to promote similar collaborations and also look for innovative ways to combat threats. One thing is certain: We can’t afford to sit on the sidelines while criminals become increasingly adept and build large botnets.

Please download the Cisco 2016 Annual Security Report to read more on industry collaboration and other important security topics as we move into 2016.


Craig Williams


Talos Outreach