By Talos Group This blog was authored by Danny Adamitis, David Maynor, and Kendall McKay

Executive summary
Cisco Talos assesses with moderate confidence that a campaign we recently discovered called “BlackWater” is associated with suspected persistent threat actor MuddyWater. Newly associated samples from April 2019 indicate attackers have added three distinct steps to their operations, allowing them to bypass certain security controls and suggesting that MuddyWater’s tactics, techniques and procedures (TTPs) have evolved to evade detection. If successful, this campaign would install a PowerShell-based backdoor onto the victim’s machine, giving the threat actors remote access. While this activity indicates the threat actor is taking steps to improve its operational security and avoid endpoint detection, the underlying code remains unchanged. The findings outlined in this blog should help threat hunting teams identify MuddyWater’s latest TTPs.
Read More
The post Recent MuddyWater-associated BlackWater campaign shows signs of new anti-detection techniques appeared first on Cisco Blog.

Source:: Cisco Security Notice

By Neil Patel AV-Comparatives have long been the benchmark of 3rdparty testing in the endpoint security space. This year, for the first time ever, AMP for Endpoints participated in AV-Comparatives malware testing. The Business Main Test Series was broken up into two main sections: the Malware Protection Test and Business Real-World Protection Test.
While the full report will be released in July, AV-Comparatives released a short fact sheet today. Because the test is only partially completed, the results will continue to vary, but Cisco AMP for Endpoints expects to maintain consistently high scores.
Overview
First, let’s give the brief facts behind the Business Main Test Series:
19 products are participating
All products tested on a Windows 10 RS5 64-bit
All vendors were allowed to configure their products
Cloud and PUA detection activated in all products
Given these parameters, the 19 products will participate in a fourth month test culminating in July. At this midpoint, however, the products have participated in the two aforementioned tests.
For more information on specific configurations and a list of all participants, read the full fact sheet here.
Malware Protection Test
In this test, the products were tested with 1,311 different malware samples. Based on criteria defined by AV-Comparatives in their report, the products were given parameters to detect the malware samples.
So far, AMP for Endpoints is one of eight products to have a malware protection rate of 99.8% or higher. In addition to this extremely high detection rate, AMP for Endpoints registered 0 false alarms on common business software.
AV-Comparatives also performed tests on non-business software. This will not affect the final “Approved Business Product” rating they deliver, but the results are notable as it helps to demonstrates how well a product can really delineate between good and bad. Cisco AMP for Endpoints was granted the highest rating of “very low “which denotes 0-5 false positives on non-business software.
Cisco AMP for Endpoints consistently pledges to deliver elite threat detection, investigation, and response. The 99.8% malware protection rate so far highlights Cisco AMP for Endpoint’s ability to deliver on that pledge. At the same time, the low number of false positives shows that Cisco AMP for Endpoints does not need to bog down IT professionals with useless alerts allowing them to focus on what’s really important.
Real-World Protection Test
Over the course of two months, the products encountered 389 test cases. Of the 389 test cases, Cisco AMP For Endpoints has blocked all but three while producing ZERO false alarms. Resulting in a 99.2% protection rate so far. Cisco AMP For Endpoints is only one of three products to have zero false alarms. Others have already flagged up to 18 false alarms.
Conclusion
It is important to note that this test has not concluded. We are, however, very excited for a continued strong showing from Cisco AMP for Endpoints in the second half of the test. So far, Cisco AMP for Endpoints has already shown an elite combination of threat detection, investigation, and response combined with low false positives designed to empower IT professionals to quickly identify and respond to threats.
For more on the report, click here.
To try AMP for Endpoints for free, sign up for the free trial.

The post Cisco AMP for Endpoints excelling in AV Comparatives Business Main Test Series appeared first on Cisco Blog.

Source:: Cisco Security Notice

Herzlichen Glückwunsch unseren Kollegen von Oberberg-Aktuell zum Start der neuen Version.

Nach monatelanger Arbeit startete heute Nachmittag die neue Seite unseres seit Anfang 2000 bestehenden oberbergischen Nachrichtenportals. Viele Stunden paralleler Pflege im Alt- und Neusystem liegen hinter der Redaktion. Probeläufe unserer Technischen Kollegen auf der neuen Infrastruktur, Sonderschichten der Programmierer unserer Freunde von Kiwis & Brownies, sowie zahlreiche Gestaltungsstunden unseres Partners Remus + Rachel liegen nun hinter uns und wir freuen uns, ein moderneres, aufgeräumteres und technisch zukunftsfähiges OA zu präsentieren. Was heute mit Schritt 1 startet, bedeutet jedoch nicht das Ende der Entwicklung, sondern wird uns mit zyklischen Neuerungen erfreuen.

Danke an alle Helfer für den Einsatz, danke an die treuen Werbepartner für Ihre Geduld und viel Freude unseren Lesern mit Oberberg-Aktuell 3.0.

By Pierre Cadieux During the past year, Cisco Security Incident Response Services has provided emergency incident response services for many customers dealing with incidents that sometimes become a ransomware event. In many cases, we were engaged by the company at the first sign of trouble and were able to help contain the initial incident and reduce the ability of the attacker to shift to a ransomware phase. In other incidents, we were asked to help long after the attackers were in the environment and the systems were already encrypted.
In this blog post, I will share some practical tips that our team use with our customers to help mitigate the risk of ransomware causing a significant business outage.
Figure 1: Phases of an attack.
If we follow the standard attack lifecycle (Figure 1), the first step that we need to consider is how we would address the initial attack vector. For this blog post, let us assume the initial access vector is email (which we have observed is often the case).
Initial Attack
The first thing to consider is intelligence-based email monitoring and filtering. An example of this would be the Cisco Email Security Appliance (ESA) product which integrates Cisco Talos threat intelligence into an active email inspection platform.

ESA should be deployed to examine email, both inbound and outbound, from the organization. This filtering should be tied to an intelligence feed that dynamically adds new known malicious domains, IP addresses, behavioral indicators, signatures, etc.
By itself, this will not fully protect an organization but without this, you expose your users and your environment to preventable email-based attacks. This control should create log events into the security monitoring system. These events should be reviewed regularly by a member of the monitoring team and if possible correlated with other events (involving the same time, internal hosts, external IP/Domain, and any malware detected). The capability of being able to also review email historically for suspicious attachments or previously unidentified malicious files is helpful for scoping and understanding the scale of the incident and can be used for hunting if the initial detection somehow fails.
User Actions
Subsequent to the initial malicious email entering an environment, the next obvious question is “did the user open it” or “did the user click the link”? To answer these questions, we require some specific log telemetry from within the environment.

DNS logs such as those available by using Cisco Umbrella, can be invaluable to identify if a user/IP address/device made a request that is related to a known suspicious domain or IP address. If there is an active incident, these logs should be examined for any requests associated with the incident. These DNS logs should be part of the overall logging environment and the events should also be used to block and track requests to known malicious domains. Again, this should be correlated into events of interest for the monitoring team to consider. This helps us understand if the domain was requested, but does not by itself indicate what the interaction was between the user and the destination.
To gather information on the interaction between the user and the destination, we require logs from a deployed web proxy system that captures the outbound web requests and the responses. Cisco Web Security Appliance (WSA) is an example of an active web proxy/filtering system, powered by Cisco Talos threat intelligence. These systems can often block or filter known malicious sites (based again on intelligence) and also retain the http transaction between the user’s web browser and the destination. This can help us to answer the question of what was done on the site, or what the site sent as a response.
To address the question of “did the user open the file” we recommend the implementation of the Windows SysInternals System Monitor (Sysmon) which can help to answer the question of user behavior and activity. Alternatively, many endpoint security tools may also be able to answer this question. Be sure to test your tools before an incident, so you know what normal activity looks like before you get into an incident and have to try to parse the alerts.
Account Compromise
Following the attack life-cycle, the next phase is account compromise: did the user either provide their credentials (e.g., if they were prompted to enter their password to access what appeared to be a legitimate company web page) or did the malware gather local cached account data from the system? This is where we recommend multi-factor authentication (MFA) as the standard for all environments.

We frequently recommended multi-factor for “high risk” accounts, or for “all externally facing services”, but with the current attack patterns we recommend multi-factor for all Active Directory environments. There can be technical limitations on implementing MFA for some legacy systems, legacy access types, etc. Those exceptions should be identified and very closely monitored for unexpected activity, or isolated into separate Organizational Units or Groups. This may allow early detection of misuse and may limit the impact of these systems or credentials, should they become compromised.
Another key consideration is to monitor the system used to manage the multi-factor authentication. We have seen attackers attempt to bring these systems offline, to attempt to access these systems, or to successfully access these systems and either create one-time use passcodes or create a new account that was allowed to bypass the multi-factor requirement. These systems must be closely monitored for all access and modifications to the users, groups, or creation of one-time use codes.
Privilege Escalation
The next phase is privilege escalation. In this phase, we recommend a multi-pronged approach as there are multiple risks to address. The first risk is if the environment has a shared local administrator password across multiple devices. This is still a very common practice in many environments due to a number of factors.

A solution that can assist with this is implementing the Microsoft Local Administrator Password Solution (LAPS). This provides a better method to manage local accounts. The second risk is an attacker compromising one of the privileged accounts in the environment. If multi-factor authentication is required on these accounts, this should be unlikely, but these accounts must still be monitored for mis-use. Additionally these privileged groups should be monitored for modification (adding/deleting or users, or change to the group roles). These are also events that should trigger alerts that are evaluated by the monitoring team.
Lateral Movement
Lateral movement occurs next. To detect and thwart this, we need to reduce the ability for a user account to move freely within the environment without being validated or having authorization.

This can be started by reducing the internal network access from the standard user segments and VPN devices. Network segmentation can be complex to implement across the entire environment, but it is often achievable to make some small restrictions using virtual LANs (VLANs) to reduce which networks can access critical segments. Privileged activity or Administrator activity should always originate from an approved “jump box” that is hardened and monitored, and has specific access restrictions for only users that require this access. Role-based access should also be enforced, not everyone should have access to production, not everyone should have access to the code base, or sensitive data. Access (successful and failed) should be logged and correlated. Reducing the number and type of ports and protocols within the environment may also help to reduce the spread of malware or lateral movement that is expecting specific capabilities, such as the Server Message Block (SMB) protocol, for example.
Encryption of Data
The ultimate risk of a ransomware attack is in the final phase. This is when the attacker is able to encrypt critical business systems or services, causing a business outage. The impact of this outage varies based on the function of your business, your tolerance (or your customers‘ tolerance) for downtime, and many other factors.

For environments that have critical services that impact life and safety of people, we strongly recommend partnering with the disaster recovery and business continuity teams to test existing plans and update them accordingly with steps that cover full data center loss via ransomware. Other questions that should be considered: Are your backups offline and secure from the possible ransomware? Does your online backup system use the same credentials as your Active Directory environment? Has your organization practiced what a data restore would look like and how long it would take? Is the necessary hardware (or virtual space) available to be able to restore your environment? Is there an understanding of dependencies and other tactical considerations?
Take Action Today
These recommendations will help you improve your ability to detect attacks in the earlier (pre-ransomware) stages and will reduce the overall impact of a ransomware incident. You must take key preventative steps, while also readying your team to act when it strikes. Educate yourself with more information on Cisco Ransomware Defense solutions. If you feel you need hands-on, expert assistance, consider contacting our team – our incident responders can help you prepare your own team with proactive services and we can work alongside your team during active incidents.
The post Practical Ways to Reduce Ransomware Impact: Actions You Can Take Today appeared first on Cisco Blog.

Source:: Cisco Security Notice