Cisco Blogs


Cisco Blog > Threat Research

Equation Coverage

Cisco Talos is aware of the public discourse surrounding the malware family dubbed “The Equation Family”. As of February 17th the following rules (33543 – 33546 MALWARE-CNC Win.Trojan.Equation) were released to detect the Equation Family traffic. These rules may be found in the Cisco FireSIGHT Management Console (Defense Center), or in the Subscriber Ruleset on Snort.org. Talos security researchers have also added the associated IPs, Domains, URLs, and hashes to all Cisco security devices to provide immediate protection across the network. Talos will continue to monitor public information as well as continue to independently research to provide coverage to this malware family.

coveragetable
Advanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware used by these threat actors.

CWS or WSA web scanning prevents access to malicious websites and detects malware used in these attacks.

The Network Security protection of IPS and NGFW have up-to-date signatures to detect malicious network activity by threat actors.

While email has not been observed as an attack vector, ESA is capable of blocking the malware used in this campaign.

Tags: , , , , , ,

Cisco ASA with FirePOWER Services – How to get infected

On October 7, 2013 Cisco completed the acquisition of Sourcefire. At that time, I recognized this via Twitter and checked out the products on their website. I was excited to see the FirePOWER in action together with a Cisco ASA.

I had a good possibility to join the “ASA with FirePower Services” Workshop in Munich directly at Cisco. A big part of this Training was a Hands-on Lab, where the FirePOWER “Virus” infected me. I was thrilled, about the Cisco ASA with FirePOWER Services and the FireSIGHT Management Center.

This intelligent cyber security solution covers gaps in traditional security solutions. The threat-focused next-generation firewall provides next-generation security capabilities:

Application Visibility and Control (AVC)

Over 3000 Application-Layer and Riskbased controls, that works closely with the IPS to optimize the security.

Next-Generation IPS (NGIPS)

Visibility to detect multivector threats to streamline and automate defense response, Superior threat prevention and mitigation for both known and unknown threats

URL Filtering, and Advanced Malware Protection (AMP)

The comprehensive malware-defeating solution can enable malware detection and blocking, continuous analysis, and retrospective alerting.

Cisco ASA1 Read More »

Tags: , , , , , , , , , , , ,

Reintroducing Snort 3.0

Snort 3.0

A little more than a year ago when Sourcefire became a part of Cisco, we reaffirmed our commitment to open source innovation and pledged to continue support for Snort and other open source projects. Our announcement of the OpenAppID initiative earlier this year was one of several ways we have delivered on this promise.

Today we are announcing the alpha release of a new Snort 3.0 architecture. This alpha release builds on several ideas that were part of the original 3.0 prototype developed several years ago and goes well beyond those initial concepts.

Snort 3.0 expands on the extensible architecture users have come to know and includes several new capabilities that make it easier for people to learn and run Snort. We encourage you check out it out at www.snort.org, give us your feedback and help us build a strong foundation for the future. As Joel mentions in his post, this is a very early release that is intended for community feedback more than anything else.

When I first began building Snort, I architected it so that we could continue to extend it over time. By working with the Snort community, it quickly evolved from the initial primitive idea of an easy-to-use intrusion detection engine to the powerful traffic analysis and control capabilities we have today. With millions of downloads and hundreds of thousands of registered users, Snort is the most widely deployed IPS technology in the world and has become the standard for intrusion detection and prevention. Snort is also the foundation of Cisco’s Next-Generation IPS and is one of the core technologies that cemented Sourcefire’s position as a leader in the security industry.

Cisco understands the power of open source and how it can help customers solve tough challenges. In the coming months you’ll hear more from us about Snort 3.0 and our continued efforts to deliver meaningful capabilities that underscore this commitment.

Tags: , ,

Cisco Coverage for ‘Regin’ Campaign

This post was authored by Alex Chiu with contributions from Joel Esler.

Advanced persistent threats are a problem that many companies and organizations of all sizes face.  In the past two days, information regarding a highly targeted campaign known as ‘Regin’ has been publicly disclosed.  The threat actors behind ‘Regin’ appear to be targeting organizations in the Financial, Government, and Telecommunications verticals as well as targeting research institutions in the Education vertical.  Talos is aware of these reports and has responded to the issue in order to ensure our customers are protected. Read More »

Tags: , , , , ,

IE Zero Day – Managed Services Protection

As of May 1, 2014, we can confirm Cisco customers have been targets of this attack. For the latest coverage information and additional details see our new post on the VRT blog.

Protecting company critical assets is a continuing challenge under normal threat conditions. The disclosure of zero-day exploits only makes the job of IT security engineers that much harder. When a new zero-day vulnerability was announced on April 26, 2014 for Microsoft Internet Explorer, corporate security organizations sprang into action assessing the potential risk and exposure, drafting remediation plans, and launching change packages to protect corporate assets.

Some companies however, rely on Managed Security Services to protect those same IT assets. As a Cisco Managed Security services customer, the action was taken to deploy updated IPS signatures to detect and protect the companies critical IT assets. In more detail, the IPS Signature team, as a member of the Microsoft Active Protections Program (MAPP), developed and released Cisco IPS signature 4256/0 in update S791 and Snort rules 30794 & 30803 were available in the ruleset dated 4-28-2014. The Cisco Managed Security team, including Managed Threat Defense, received the update as soon as it became available April 28th. Generally, Cisco Managed Security customers have new IPS signature packs applied during regularly scheduled maintenance windows. In the event of a zero-day, the managed security team reached out to customers proactively to advise them of the exploit and immediately were able to apply signature pack updates to detect and protect customer networks.

While corporate security organizations must still assess ongoing risks and direct overall remediations to protect corporate data, Cisco can take the actions to provide security visibility into the targeted attacks, increase protection with fresh signatures, and reduce risk profile for the corporate InfoSec program.

For more detail on the vulnerability, please see Martin Lee’s blog post.

More details about this exploit and mitigation information can be found on the following links:

For additional information about Cisco Managed Security solutions please refer to the following links and contact your Cisco Services sales representative:

Tags: , , , , , , , , ,