Cisco Blogs


Cisco AMP for Endpoints Adds New Features

The threat landscape is ever-changing. Attackers continue to innovate and refine their tactics, and malware is more sophisticated than ever. New threats surface every day, the Angler exploit kit and the SSHPsychos DDoS campaign among the recent ones. According to the 2016 Cisco Annual Security Report, ransomware is exploding, Adobe Flash vulnerabilities remain popular with cybercriminals, and malicious browser extensions continue to be a main source of data leakage for businesses.

But of all the threats out there today, malware still reigns supreme. In the 2016 Cisco Annual Security Report, IT decision-makers were asked to identify the top external challenges that they faced from an IT security perspective, and malware topped the list at 68%. And the target for that malware: your endpoints. Servers, laptops, desktop workstations, PCs, Macs, Linux systems, and mobile devices are all targets. In fact, 50% of respondents in the 2016 Cisco Annual Security Report study said that mobility represents one of the highest risks within their security infrastructure for a security breach. Cybercriminals want data, control of your system, or both. You need to protect your endpoints.

This is why Cisco AMP for Endpoints continues to evolve. Cisco AMP for Endpoints is now better than ever, with new features and capabilities that boost performance, improve usability, and enable IT security teams to better defend against today’s most advanced attacks.



Pushing Security from Edge to Endpoint

On November 3rd, Cisco announced that we are extending our Security Everywhere strategy with new solutions and services aimed at helping our customers gain greater visibility, context, and control from the cloud to the network to the endpoint. Providing organizations more visibility means being able to see all their systems, not just Windows but Mac, mobile, virtual machines, and now Linux!

AMP for Endpoints now has a dedicated Linux connector. Attacks against datacenters are on the rise. Given that these systems contain highly sensitive customer and corporate data, and more often than not custom applications that are central to the day to day business, organizations need to have deep visibility into these attack vectors in order to prevent, detect, scope, contain, and remediate targeted attacks faster and more efficiently. At the moment, the Linux connector will be available for RHEL 6.5 and 6.6 as well as CentOS 6.4, 6.5 and 6.6. It is available to all current AMP customers with existing accounts, and will also be available to ELA v4 customers.

Edge to Endpoint Malware Analysis

A critical component of this launch is the extension of our advanced malware analysis and threat intelligence solution, AMP Threat Grid.

We have integrated AMP Threat Grid into our ASA with FirePOWER Services models, FirePOWER NGIPS appliances and the AMP for Networks solution. These are three huge integrations that can now tap into the power of the Threat Grid malware analysis engine. Why is this so big? Well, we acquired ThreatGRID in the summer of 2014. By January 2015 we had it integrated into our AMP for Endpoints products. We reached another critical milestone in the summer of 2015 by adding the AMP Threat Grid sandboxing capability to Cisco’s Email and Web Security solutions. Now, just a few months later, we are realizing the vision of providing full edge-to-endpoint sandboxing on a single platform – AMP Threat Grid. This is immensely powerful for anyone using the solution.



Angler for Beginners in 34 Seconds

Post authored by Martin Rehak, Veronica Valeros, Martin Grill and Ivan Nikolaev.

In order to complement the comprehensive information about the Angler exploit kit from our Talos colleagues [Talos Intel: Angler Exposed], let’s have a very brief look at what an Angler and CryptoWall infection looks like from the network perspective. We will present one of the recent Angler incidents discovered by Cognitive Threat Analytics (CTA).

Cognitive Threat Analytics works after the fact. It sifts through the logs produced by the client's web proxy for evidence of malware that may have slipped through the perimeter defences, as in this case. CTA was able to observe the attack in its entirety (including the phases where the perimeter defence successfully blocked several stages of the attacker's plan) and notify the security team immediately for follow-up and investigation.

So, how does an incident start for the analyst?

We can see that the incident has been categorised as an Exploit Kit infection. The system asserts 95% confidence that this incident is a true positive, and classifies it at level 8 (out of 10) on the risk scale.



Down the Rabbit Hole: Botnet Analysis for Non-Reverse Engineers

This post is authored by Earl Carter & Holger Unterbrink.

Talos is often tasked with mapping the backend network for a specific piece of malware. One approach is to first reverse engineer the sample and determine exactly how it operates. But what if there is no time or resources to take the sample apart? This post is going to show how to examine a botnet from the Fareit family, starting with just an IP address. Then, using sandbox communities like Cisco ThreatGRID and open source products like Gephi and VirusTotal, we will track down and visualize the botnet.

Talos recently discovered some activity from the Fareit trojan. This family of malware has a significant history associated with malware distribution. It is mainly an information stealer and malware downloader which installs other malware on infected machines. In this campaign, it mainly tries to steal credentials stored by Firefox and other applications. It is possible that this botnet is sold as a pay-per-infection botnet in the underground markets. Pay-per-infection is an underground business model in which criminals pay other criminals to distribute their malware. The analysis below was mainly done in July 2015. Let's take a walk on the wild side….

AMP's behaviour-based detection found, in one of our customer networks, suspicious executables that downloaded files using the following URLs.

We began analysing the infrastructure by focusing on these two IP addresses and checking what other files they had been distributing. Initial analysis showed that VirusTotal knew of 25 and 38 files, respectively, distributed from the two addresses. Almost all of the files in VirusTotal had different hashes but similar or identical filenames. The following list is a sample of the files found in VirusTotal.

1197cb2789ef6e29abf83938b8519fd0c56c5f0195fa4cbc7459aa573d9e521b (cclub02.exe)
58f49493aa5d3624dc225ba0a031772805af708b38abd5a620edf79d0d3f7da0 (cclub02.exe)
d1b98b7b0061fbbdfc9c2a5a5f3f3bbb0ad3d03125c5a8ab676df031a9900399 (cclub02.exe)
c054e80e02c923c4314628b5f9e3cb2cad1aa9323cbcd79d34205ad1e3cad6c3 (cclub12.exe)
bd30242996a3689c36008a63d007b982d9de693766d40e43fe13f69d76e61b63 (cclub12.exe)
c609ef45f7ff918cbac24755a3a3becc65d1c06e487acd801b76a1f46e654765 (tarhun1.exe)
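The pivot the post describes (start from distribution hosts, collect the files VirusTotal has seen them serve, notice that the same filename keeps appearing under new hashes, and hand the result to Gephi for visualisation) can be done with a few lines of Python. The block below is an added example and is not Talos tooling; the six hashes and filenames are the ones listed above, while the two host labels `host-A` and `host-B` and the host-to-file assignment are placeholders, because the post does not print the IP addresses. The Gephi step is an edge list in the Source/Target/Type layout its spreadsheet importer accepts.

```python
"""Infrastructure pivot for a file-distribution botnet.

Added example, not Talos's own tooling: given VirusTotal-style records of
(distribution host, SHA-256, filename), build the host -> file -> filename
graph, flag filenames served under several different hashes, find the
filenames that tie the hosts together, and emit a CSV edge list that Gephi
can load through its spreadsheet importer.
"""
from collections import defaultdict
import csv
import io

# Constructed input. The six hashes and filenames are the ones quoted in the
# post; the host labels and which host served which file are placeholders,
# because the post does not print the two IP addresses.
RECORDS = [
    ("host-A", "1197cb2789ef6e29abf83938b8519fd0c56c5f0195fa4cbc7459aa573d9e521b", "cclub02.exe"),
    ("host-A", "58f49493aa5d3624dc225ba0a031772805af708b38abd5a620edf79d0d3f7da0", "cclub02.exe"),
    ("host-A", "d1b98b7b0061fbbdfc9c2a5a5f3f3bbb0ad3d03125c5a8ab676df031a9900399", "cclub02.exe"),
    ("host-A", "c054e80e02c923c4314628b5f9e3cb2cad1aa9323cbcd79d34205ad1e3cad6c3", "cclub12.exe"),
    ("host-B", "bd30242996a3689c36008a63d007b982d9de693766d40e43fe13f69d76e61b63", "cclub12.exe"),
    ("host-B", "c609ef45f7ff918cbac24755a3a3becc65d1c06e487acd801b76a1f46e654765", "tarhun1.exe"),
]


def build_graph(records):
    """Return (nodes, edges). nodes maps id -> kind ('host', 'file' or
    'filename'); edges is a set of directed pairs host->sha256 and
    sha256->filename."""
    nodes, edges = {}, set()
    for host, sha256, fname in records:
        nodes[host] = "host"
        nodes[sha256] = "file"
        nodes[fname] = "filename"
        edges.add((host, sha256))
        edges.add((sha256, fname))
    return nodes, edges


def hashes_per_filename(records):
    """Distinct SHA-256 values seen under each filename, sorted."""
    seen = defaultdict(set)
    for _, sha256, fname in records:
        seen[fname].add(sha256)
    return {fname: sorted(hashes) for fname, hashes in seen.items()}


def repacked_filenames(records, min_hashes=2):
    """Filenames served under at least `min_hashes` different hashes:
    same name, changing content, which is what the post observed."""
    return sorted(fname for fname, hashes in hashes_per_filename(records).items()
                  if len(hashes) >= min_hashes)


def linking_filenames(records):
    """Filenames seen on more than one host. When hashes never repeat,
    this is the attribute that ties separate hosts into one infrastructure."""
    hosts = defaultdict(set)
    for host, _, fname in records:
        hosts[fname].add(host)
    return sorted(fname for fname, hs in hosts.items() if len(hs) > 1)


def gephi_edges_csv(edges):
    """Edge list with the Source, Target and Type columns that Gephi's
    spreadsheet importer recognises."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["Source", "Target", "Type"])
    for src, dst in sorted(edges):
        writer.writerow([src, dst, "Directed"])
    return buf.getvalue()


if __name__ == "__main__":
    nodes, edges = build_graph(RECORDS)
    print(f"{len(nodes)} nodes, {len(edges)} edges")
    print("filenames seen under several hashes:", repacked_filenames(RECORDS))
    print("filenames shared between hosts:", linking_filenames(RECORDS))
    with open("fareit_edges.csv", "w") as fh:
        fh.write(gephi_edges_csv(edges))
```

Import `fareit_edges.csv` in Gephi's Data Laboratory as an edges table and the host, file and filename nodes appear as a tripartite graph; a filename node with edges back to files on both hosts is the visual form of the pivot that `linking_filenames` computes. With real VirusTotal output, replace `RECORDS` with the (host, sha256, filename) triples pulled from each address's "downloaded files" listing.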



Continuous Analysis Yields Continuous Leadership Against Advanced Threats

Organizations today have no shortage of challenges when it comes to cyber security and their growing IT infrastructure. Not only are the frequency and sophistication of malware attacks on the rise, but with the proliferation of mobility, BYOD, IoT, and cloud services, the number of entry points an attacker has into the network grows with them.

Given this landscape, we know the most effective way to address these threats is security that offers continuous analysis and retrospective protection across all attack vectors in the extended network. With AMP Everywhere, security is just as pervasive as today's advanced threats, and thanks to continuous analysis and retrospective protection, our customers see a reduced time to detection.

For the second year in a row, we have third-party validation from NSS Labs that we provide the most effective security available in the market today. Cisco Advanced Malware Protection (AMP) was tested along with seven other vendors and achieved a 99.2% security effectiveness score, the highest of all vendors tested in the 2015 NSS Labs Security Value Map (SVM) for Breach Detection Systems. What I find most interesting, and rather disappointing, about these results is that Cisco was the only vendor in the test to handle all evasion attempts successfully.

