By Panos Kampanakis
The Challenge
Quantum computers could threaten the security of TLS key exchange and authentication. To assess the performance of post-quantum certificates in TLS 1.3, we evaluated the NIST Round 2 signature algorithms and concluded that two of them offer acceptable speeds. We also analyzed other implications of post-quantum certs in TLS. More details at https://ia.cr/2020/071.
We all know by now that the potential development of large-scale quantum computers has raised concerns among IT and security research professionals due to their ability to break public key cryptography. All currently used public key algorithms would be deemed insecure in a post-quantum (PQ) setting. In response, the National Institute of Standards and Technology (NIST) has initiated a process to standardize quantum-resistant crypto algorithms, focusing primarily on their security guarantees.
The Tests
The industry has been evaluating some of these algorithms for use in encryption protocols like TLS and IKEv2/IPsec. Cloudflare, Google, and AWS have been looking into PQ TLS key exchange. At Cisco, we focused on PQ authentication/certificates in TLS 1.3. We briefly discussed some of our early results in a recent blog post and detailed them in our paper presented at ETSI/IQC Quantum Safe Cryptography Workshop 2019.
A couple of months ago, we presented all of our results in our paper at NDSS 2020 in San Diego. The paper presented a detailed performance evaluation of the NIST signature algorithm candidates and investigated the imposed latency on TLS 1.3 connection establishment under realistic network conditions; to do so, we deployed servers all over the world. We showed that at least two candidate PQ signature algorithms perform similarly to RSA/ECDSA certificates, as shown in the figure below.

We also investigated PQ signature impact on TLS session throughput and analyzed the trade-off between lengthy PQ signatures and computationally heavy PQ cryptographic operations.
The Results
Our results demonstrated that the adoption of at least two PQ signature algorithms would be viable with little additional overhead over current signature algorithms. Also, we argued that many NIST PQ candidates could effectively be used for less time-sensitive applications, and discussed in depth the integration of PQ authentication in encrypted tunneling protocols. Finally, we evaluated and proposed the combination of different PQ signature algorithms across the same certificate chain in TLS. The results showed a reduction of the TLS handshake time and a significant increase of a server’s TLS tunnel connection rate over using a single PQ signature scheme.
For more details on the impact of PQ certificates on TLS, refer to our NDSS 2020 paper.
For additional resources, visit trust.cisco.com
The post Promising Results for Post-Quantum Certificates in TLS 1.3 appeared first on Cisco Blogs.

Source:: Cisco Security Notice

By Vibhuti Garg
Did you know? IT organizations spend 76% of their attention on securing their data center.
Virtualization, cloud, and software-defined networking are redefining the modern data center. There is a huge influx of data, from big data analytics and new types of applications. Workloads are even more dynamic than before, spanning across multiple physical data center locations and across public, private, and hybrid cloud environments. This spread of data creates a “new” perimeter outside of your traditional data center premises and can increase data theft opportunities. You could thus be challenged with where and how to secure your data center.
Modern Data Centers Need a New Approach to Security
Data centers are evolving and are no longer confined to a traditional set-up. In fact, Gartner predicts that by 2022, 50 percent of enterprise-generated data will be created and processed outside a traditional, centralized data center or cloud. Ensuring security can be challenging: security teams spend 76% of their time securing the data center, and to make it more challenging, 25% of global security decision makers say staff shortages are a major challenge and that they struggle to find staff with the right skills. To address data center security needs, IDC advocates a three-fold methodology covering visibility, reducing the attack surface through segmentation, and preventing threats.
Challenges of securing data everywhere
The challenge with securing data is that you need to have security EVERYWHERE, not just at the perimeter. Attackers know that your data is now highly distributed, and that you may be having a harder time keeping track of it. They know that this provides them with another layer of obfuscation and opportunity for carrying out theft.
Today’s security must therefore be pervasive – built in and integrated across the network, cloud, applications, and endpoints. This makes it harder for attackers to slip through the cracks and take advantage of the distributed nature of computing.
Why Choose Cisco Secure Data Center Solution?
Cisco is working hard to make your data center more agile and automated, enabling you to extend workloads beyond the perimeter for new applications that require computing to be performed closer to the user experience.
The Cisco Secure Data Center Solution provides an integrated security architecture that addresses three critical needs of the modern data center around Visibility, Segmentation and Threat protection. The Cisco Secure Data Center Solution is a validated systems-level solution for highly secure data centers, delivering:
Operational efficiency from automated provisioning and flexible, integrated security
Advanced threat protection to stay up to date, informed, and secure
Improved resiliency to enable data center availability and secure services
Cisco Secure Data Center Components
Enabling a decentralized data center environment requires a security strategy that spans three important areas: visibility, segmentation, and threat protection.

Visibility – If you can’t see it, you can’t secure it. That’s why Cisco offers in-depth network and threat visibility in any data center and across any cloud.
Segmentation – Segmenting your network reduces your attack surface. It can prevent attackers from moving laterally across the network, and block legitimate users from accessing restricted resources.
Threat Protection – By now we all know that threat protection is a process, not a single product. Cisco’s data center protection consists of various levels of threat sensors to prevent attackers from stealing data or disrupting operations.
The truth is that in today’s dynamic environment, you may not always know exactly where everything is at all times. But with the right mix of tools and intelligence, you don’t have to know. Instead, you can rest assured that wherever your data may go, it will remain protected.
Where Can You Begin?
By using a common set of integrated technologies and security policies across platforms, organizations can significantly enhance their data defenses.
Cisco’s solution provides an overview of what it takes to secure the modern data center.
We recommend our in-depth design guide for securing your data center in traditional set-ups and cloud environments.
See our experts in action at Cisco Live, Barcelona and RSA earlier this year and catch up on the best and latest!
Listen to Brad Casemore from IDC and Don Meyer from Cisco Security talk about Cisco’s approach to securing the data center.
Leverage the experience of our existing customers.
The purpose of the Secure Data Center Solution is to provide our customers with a cost-effective infrastructure to experience Cisco next-generation technology. I would be pleased to set a briefing call with you to discuss the Cisco solution and can be reached at vibgarg@cisco.com.
The post Threats Can Be Anywhere: Modernize Your Data Center Security appeared first on Cisco Blogs.

By Hazel Burton
If anyone feels like they are in need of a shot of wisdom and good humor, please allow me to present the latest episode of Cisco’s Security Stories podcast as a viable contender.
Wendy Nather, Head of Advisory CISOs, Cisco Duo
In this episode, I chat to the incredible Wendy Nather. Wendy will be a name familiar to many of you I’m sure, and she has an enormous amount of credibility and respect within the cybersecurity industry.
She is currently Head of Advisory CISOs at Cisco Duo. She started her career as a security analyst and went on to lead IT security for EMEA in the investment banking division of Swiss Bank Corporation (now UBS), and served as Chief Information Security Officer of the Texas Education Agency.
Wendy is very, very passionate about the topic of people. During our interview she talks candidly about how the security industry has treated users in the past, and she has a very inspiring take on developing the right culture and how we should have people’s backs.
And my favorite part of this episode has to be when I ask her what is the one thing she wishes she could change in the security industry... it’s one heck of a response.
Also in this episode, my cohost Ben Nahorney and I have a chat about remote working, and what users and companies can do to ensure as smooth a transition as possible to home working from a security perspective. We also talk about what some cyber criminals are doing to take advantage of the current situation, and how you can protect yourself and your data. Our friends at Cisco Talos wrote a comprehensive blog about this topic, which you can read here.
And finally our ‘On this day’ feature is where we dig into the security archives and discuss significant events that happened in cybersecurity history. This feature is guaranteed to help you win any virtual pub quiz, as long as all the questions are about cybersecurity... and cover trivia we’ve talked about... :)
The day that we’re going to be talking about for this episode is April 1st 2009. And Ben has some personal experience in this one – he’s referenced in Wikipedia and everything! This story has many twists and turns, so strap in as Ben regales us with the story of the Conficker worm.
You can listen to the podcast right here, or you can visit our dedicated pod page at cisco.com/go/securitystories and choose your preferred listening platform, from Apple Podcasts to Spotify to Google Podcasts.
In the meantime I’ll get back to editing the next episode, which will be out very soon!

The post Security Stories Episode 2: Democratizing Security with Wendy Nather appeared first on Cisco Blogs.

By Angela Frechette Cannon
Which technologies will help you the most?
As part of the recent RSA Conference, we all got to see – either in-person or virtually – the latest and greatest technology coming out of the security industry. While events like this can certainly be helpful in guiding future investments, they can also make one’s head spin with the sheer volume of tools available to secure today’s infrastructure.
This year, the RSA Conference drew more than 650 exhibitors (including Cisco) and more than 700 speakers, one of which was our own Wendy Nather, who delivered a keynote. In her keynote, she discussed how security must become easier for people to use and understand if we want to keep our organizations protected now and into the future. “We have to simplify functions, data, operations, all of those things to make it easier no matter who’s going to use it,” she said.
But with so many attack vectors, network components, devices, and security technologies out there, how do we make things simpler? Which of the many security technologies will help us most?

In our 2020 CISO Benchmark Report, we inquired as to which security technologies organizations currently have in place. While technology needs are often unique to each specific organization, there were a couple of technologies that we deem important for which there are currently noticeably low adoption rates among our respondents.
Multi-factor authentication
In an age of frequently stolen passwords, multi-factor authentication (MFA) can go a long way in keeping your assets and data safe. We were surprised to find in our CISO Benchmark Study that only 27% of respondents are currently using MFA to secure their environments.
Multi-factor authentication can protect your applications by using a second factor for validation, such as a smartphone, to verify user identity before granting access. It is a key component of a zero trust security architecture.

MFA can help protect against attacks such as phishing, social engineering, and credential theft. While some MFA solutions can be difficult to roll out, Cisco’s Duo Security provides a simple experience for every user and application. It also integrates easily with organizations’ existing technology.
Duo also helps companies streamline their security stack to lessen complexity. According to Steve Myers, head of security for KAYAK, “We were previously trying to do this through a combination of five other products. The fact that one product can provide this level of granular access control is really awesome.”
Network segmentation and micro-segmentation
Another effective way to reduce risk is through segmentation, which provides a proactive method of security by minimizing the attack surface. Through network segmentation, various network components and assets are separated from others to prevent the lateral movement of attackers throughout an environment. This way, if an outsider finds their way into one part of a network, they don’t automatically have full access to everything up to and including restricted data. Segmentation is another core pillar of a zero trust computing environment.

However, only a quarter of our respondents are currently using network segmentation, and even fewer (17 percent) are using micro-segmentation. Micro-segmentation is a more granular form of segmentation for applications and their workloads, offering policy consistency across both on-premises and cloud-based data centers. This capability is now critical since applications and their data have become a primary target for breaches and attacks. Cisco Tetration uses machine learning to understand applications and automatically generate micro-segmentation policies based on application behavior.
Getting it right
Speaking of machine learning and automation, those are key areas in which our CISO Benchmark Report respondents seem to be progressing.
It was promising to see in our study that technologies such as automation, machine learning, and artificial intelligence – which are designed to make security easier and more manageable – are being widely adopted.
Automation, machine learning, and artificial intelligence
As part of the data collected for our 2020 CISO Benchmark Study:
85 percent said they are at least somewhat reliant on artificial intelligence
88 percent said they are at least somewhat reliant on machine learning
90 percent said they are at least somewhat reliant on automation
Additionally, 77 percent said they are planning to increase automation to simplify and speed up response times in their security ecosystems. All of this is encouraging as organizations battle with crushing complexity and an inability to keep up with security alerts amidst a severe shortage of skilled cybersecurity professionals.
Over the years, Cisco has woven integration and automation into its security portfolio to simplify network protection. This recently culminated in the introduction of our new security platform, Cisco SecureX. The SecureX platform brings together various components of the Cisco security portfolio, along with third-party technologies, so that they can share information, learn from one another, and help organizations respond to threats in a more automated, coordinated fashion.

SecureX unifies visibility, enables automation via machine learning/artificial intelligence, and strengthens security across network, endpoints, cloud, and applications. Ninety-eight percent of customers said the unified view provided by SecureX enables rapid threat response. In a time where new threat vectors seem to pop up daily, rapid threat response is critical for effective cybersecurity.
Strengthening security in 2020
Technology is of course never one-size-fits-all, but the capabilities above represent some key innovations that we recommend organizations explore moving forward. For more information on how to strengthen your security in 2020, check out the following:
Cisco 2020 CISO Benchmark Report
RSA Conference Keynote – Wendy Nather, Cisco
Cisco SecureX Platform
This post is the first in our new series covering various topics and data from our 2020 CISO Benchmark Report. Check back next month for the latest installment!
The post How to Strengthen Your Security in 2020 appeared first on Cisco Blogs.

By Talos Group
Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between Mar 27 and Apr 3. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.
As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.
Read More
Reference:
20200403-tru.json – This is a JSON file that includes the IOCs referenced in this post, as well as all hashes associated with the cluster. The list is limited to 25 hashes in this blog post. As always, please remember that all IOCs contained in this document are indicators, and that one single IOC does not indicate maliciousness. See the Read More link above for more details.
The post Threat Roundup for March 27 to April 3 appeared first on Cisco Blogs.

By Matt Stauffer
According to research from Enterprise Strategy Group (ESG) and the Information Systems Security Association, 91% of cybersecurity professionals believe that most organizations are either extremely or somewhat vulnerable to a significant cyber-attack or data breach.1 CISOs have tried many different solutions. Many are increasing hiring in a field with a steep talent shortage, which may have some long-term returns but doesn’t solve the problems they are facing today. Some also purchase a patchwork of security solutions that aren’t really integrated – an approach that can cause major complications for security architects. These strategies are clearly not increasing confidence in their overall security effectiveness.
What are the primary reasons you believe cybersecurity analytics and operations are more difficult today than they were 2 years ago?
Research indicates that organizations can’t hire their way out of their cybersecurity woes. CISOs must improve security efficacy, streamline operations and bolster employee productivity, and they must rely on their existing workforce. That’s where Network Traffic Analysis (NTA) tools can provide a cybersecurity quick win. An effective and modern NTA solution can continuously monitor the network and detect threats that might have bypassed the perimeter or even originated within the business. Top-tier NTA solutions take the weight off of employees’ shoulders by giving them the tools they need to speed up threat detection and remediation. To help you evaluate an NTA solution effectively, let’s take a look at the top features identified by cybersecurity professionals as part of the research conducted by ESG:

Built-in analytics and threat intelligence services
44% of survey respondents said that built-in analytics to help analysts detect suspicious/malicious behavior is one of the most important features. Best-in-class NTA tools have different algorithms and signatures built-in to model behavior and crunch data, allowing for high-fidelity alerts that streamline workloads and accelerate incident response. The same percentage also said that threat intelligence services/integrations to enable comparisons between suspicious behavior and known threats is another top feature. These integrations allow NTA tools to “enrich” network telemetry, making alerts more thorough and actionable.

Ability to monitor IoT traffic/devices
Users also need the ability to monitor niche equipment that is unique to their industries. This is especially important in industries that have made aggressive investments in IoT like healthcare, manufacturing and transportation. IoT devices generate telemetry and increase the threat surface like any other connected device, and therefore need to feed into an NTA tool.

Ability to monitor all network nodes
37% of respondents stated that alerts for when new network nodes are connected are essential for an NTA tool. This means security professionals want NTA tools to issue alerts when unsanctioned devices connect. This is incredibly important for monitoring and mitigating cyber-risks.

Proven integrations with other security technologies
37% also said that one of the most important features is documented and tested integrations with other types of security technologies. These other technologies could be malware sandboxes, network segmentation enforcement technologies and much more. These integrations allow for a closed-loop process that includes network security development, monitoring and enforcement.

Public cloud visibility
More than a third of respondents said that the ability to monitor cloud traffic is an essential feature. In order to provide true end-to-end visibility, NTA tools need to be able to tap into VPCs, cloud monitoring logs and APIs across AWS, Azure, GCP, etc.
Cisco Stealthwatch
Stealthwatch aligns well with the most important NTA attributes cited by the surveyed cybersecurity professionals. For example, Stealthwatch:
Features multiple types of built-in analytics. Its behavioral modeling and multi-layered machine learning algorithms can detect hidden threats, even those hiding in encrypted traffic.
Provides comprehensive visibility. In addition to monitoring on-premises environments, Stealthwatch also offers agentless visibility into the public cloud. It can also detect when a new network node connects, monitor traffic from IoT devices and more. Nothing slips through the cracks with Stealthwatch.
Backed by Cisco Talos threat intelligence. Threat intelligence is one of the most important features of an NTA tool. Stealthwatch ties its multi-layered analytics with global threat intelligence from Talos, the largest non-governmental threat intelligence organization in the world, and can take immediate action when activity is associated with a known threat, no matter the origin.

CISOs of the world can’t keep up with their security workloads, especially with a global cybersecurity talent shortage. They need quick wins: fast, efficient and accurate alerts that allow them to focus on what really matters. Cisco Stealthwatch is the tool they need right now.

You can find the full ESG Research Whitepaper here.
To learn more about Stealthwatch, go to https://cisco.com/go/stealthwatch or sign up for our free visibility assessment.

1 Source: ESG Research Report, The Life and Times of Cybersecurity Professionals 2018, May 2019.
The post Top 5 features of a Network Traffic Analysis (NTA) tool- Why you need Stealthwatch now more than ever appeared first on Cisco Blogs.

By Talos Group (by Vanja Svajcer)
Attackers are constantly reinventing ways of monetizing their tools. Cisco Talos recently discovered a complex campaign with several different executable payloads, all focused on providing financial benefits for the attacker in a slightly different way. The first payload is a Monero cryptocurrency miner based on XMRigCC, and the second is a trojan that monitors the clipboard and replaces its content. There’s also a variant of the infamous AZORult information-stealing malware, a variant of Remcos remote access tool and, finally, the DarkVNC backdoor trojan.
Defenders need to be constantly vigilant and monitor the behavior of systems within their network. Attackers are like water — they will attempt to find the smallest crack to achieve their goals. While organizations need to be focused on protecting their most valuable assets, they should not ignore threats that are not particularly targeted toward their infrastructure.
Read More >>
The post AZORult brings friends to the party appeared first on Cisco Blogs.

By Dr. Gee Rittenhouse
During this global health crisis, normal has been redefined. We are living through a dynamic situation that has required us to reorient our personal and professional lives in ways we never have before. Companies have had to do the same. Many have taken the extraordinary step of moving the majority, if not the entirety, of their workforces to a virtual workplace. As companies adapt to their new normal, securing this sudden exponential growth of remote workers and their devices remains a challenge.
A few weeks ago, we shared that Cisco would provide extended free licenses and expanded usage counts at no extra charge for three of our key security technologies that are designed to protect remote workers: DNS-layer security from Cisco Umbrella, zero-trust security from Duo and secure network access from AnyConnect. As a result of this, there has been a huge demand for these technologies. Cisco has supported an additional 9 million-plus users during this crisis with this rollout.
Security teams generally start by securely connecting employees to the network with the VPN, and multi-factor authentication provides an additional layer of security to customers’ remote access strategy. As security teams work to protect a larger remote workforce, Duo is seeing the number of daily authentications from VPNs increase by 157 percent. But we know that 85 percent of corporate users bypass the VPN when working remotely. So, customers are increasingly looking to DNS-layer security to secure users on and off the network, and we have seen the need for Umbrella licenses increase by 100 percent.
Through all of this, we have been listening to customers’ feedback on how else we can best support them. What we heard is that more than ever there is a need to protect both user-owned and company-owned devices. Based on that input, today we are extending our free security offers to also include Cisco Advanced Malware Protection (AMP) for Endpoints. This technology prevents breaches and blocks malware at the point of entry as well as detects, contains and remediates advanced threats if they evade the frontline of defense.
With this new addition, existing customers can exceed their device limit by two times to support an increase in remote workers. To take advantage of this offer, they simply install AMP for Endpoints Connectors on extra devices, and no other action is required. As with our AnyConnect, Umbrella and Duo offers, this will be available until July 1, 2020.
Our mission is to be our customers’ most trusted partner by providing effective security solutions. This current situation demands this more than ever, and we will continue to stand with our customers and partners through this challenging time.
You can learn more about our Cisco Security Remote Worker offerings here and find additional resources on the Business Continuity site. If you have any questions, please contact your Cisco representative or email us at pandemicsupport@cisco.com.
The post Expanding Free Security Offers into Customers’ Endpoints appeared first on Cisco Blogs.

By Dean De Beer
For years, scammers have been using a combination of blackhat SEO techniques, phishing sites and newsworthy events to trick individuals into giving up personal information including credit card numbers, to install malware, or both. Preying on an individual’s fears has always been a go-to tactic for scammers.
Recently a friend texted me and asked if I could take a look at a website his wife used to try and buy some 3M N95 face masks from. He was concerned that the site did not appear to be legitimate. “Sure”, I said, “What is the domain?” He sent it over. mygoodmask[.]com. Having spent the last decade looking at malware, spammers and scammers, I responded immediately, “Yes, it’s very bad. Tell her to cancel her credit card as soon as possible.”
I figured I’d take a closer look at the domain to confirm if I was right. I dropped the domain into Cisco Threat Response, our platform that accelerates investigations by automating and aggregating threat intelligence and data across your security infrastructure. Threat Response didn’t return anything useful aside from the IP addresses it resolved to. Since the platform is configured for my test organization at the office, it’s not going to show me any hosts that may have visited that domain, but it is still a great source of intelligence. It showed that Cisco was aware of the domain, but there was no additional information – not surprising for newly created and used domains. There is more than one way to determine if a domain is suspicious.

Enriching the two IP addresses, 50[.]97.189.190 and 66[.]147.244.168, returned everything I needed to decide that the original site was malicious. Nearly two hundred domains resolving to those two addresses, none of which looked like ones I’d like to end up on.

At this point I was curious about the website itself and wanted to take a closer look. I submitted the domain to Threat Grid, Cisco’s malware analysis tool. It immediately redirected to greatmasks[.]com, which resolved to 37[.]72.184.5. Using Glovebox, a capability in Threat Grid that allows full interaction with the virtual machine, I attempted to buy some masks from the website. I used an expired card number to purchase my masks. They are using PayPal to collect payments and validate card numbers.

The results produced from the analysis highlighted further details on the website, indicating a high level of suspicious activity.

Drilling down on the IP address that the new domain resolved to, we found another related domain, safetysmask[.]com. At this point it would be easy to create a new Casebook and add these observables to the investigation.

For me, one of the most telling signs of an unknown domain is the lookup frequency and activity mapped to the domain creation date and DNS changes. A scammer may register domains and park them until they’re ready to use them. At that point they’ll set up a website and point that domain to an IP.

Looking at the timeline and domain lookup activity in Cisco Umbrella, our DNS-layer SaaS solution, it’s clear that this website has been up for less than a month, which is unusual, especially in the context of this investigation.

Using a combination of our platform capability and our DNS-layer security, I was able to validate that this domain, its IP addresses, and the related domains were malicious. With investigations of this nature, the domain or IP might not always have a known disposition at a certain point in time, but often, by following the breadcrumb trail of related information, it’s easy to make a determination and judgement about the original domain. Another path to determining the disposition of these domains is to drill down into the observables in Umbrella.

Cisco Security products not only integrate via Threat Response; there are also multiple direct integrations between products. These integrations are used to share threat intelligence produced by individual products and to share capabilities across products through API integrations, data visualization and cross-product capabilities such as Casebook’s browser plugin.
Umbrella, our cloud-delivered DNS-layer of protection, integrates with Threat Grid, our malware analysis tool. This allows Umbrella to show information produced through dynamic analysis, mapping domains and IP addresses to samples seen in Threat Grid’s global database, providing another method of determining disposition.
By the end of my digging, I had found hundreds of scams related to sports events, fashion accessories, flu season and more. All easily searchable within your organization via Threat Response and just as easily blocked via Umbrella.

What began as just a way to help a friend one evening, became a quick but comprehensive investigation into how bad actors are trying to capitalize on a global health crisis. Hopefully this was helpful in showing how easy it can be to validate the disposition of a domain using related observables, and in doing so, build out a collection of new content to be leveraged in your environment for detection and prevention. Writing this up took longer than the investigation itself.
Note to readers:
If you’re using Threat Response and Umbrella, you’ll be able to reproduce this investigation using the original domain and the domains and IPs found in Threat Grid’s analysis of the website.
Dean used the following in his investigation:
Cisco Threat Response: cisco.com/go/threatresponse
Cisco Umbrella: cisco.umbrella.com/
Cisco Threat Grid: cisco.com/go/threatgrid
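One way to automate the pivot described in this post, as an added example that is not Cisco’s code and not the Threat Response or Umbrella API: it follows the observed redirect, looks up what else is co-hosted on each IP, and checks domain age, over a constructed passive-DNS table built from the defanged domains and IPs named above. All dates, the redirect map and the "cheapmaskNN" sibling domains are made up for illustration.

```python
"""Domain pivot-and-score helper in the style of the mask-scam investigation.

Added example, not Cisco code. Two heuristics from the write-up are applied:
what else is hosted on the same IPs (crowded shared hosting) and how young the
domain is relative to the investigation date. Domains/IPs are the defanged
values from the post; dates, redirects and sibling domains are constructed.
"""
from datetime import date

# Constructed passive-DNS style records: (domain, resolved IP, first seen).
PDNS = [
    ("mygoodmask[.]com", "50[.]97.189.190", date(2020, 3, 12)),
    ("mygoodmask[.]com", "66[.]147.244.168", date(2020, 3, 12)),
    ("greatmasks[.]com", "37[.]72.184.5", date(2020, 3, 20)),
    ("safetysmask[.]com", "37[.]72.184.5", date(2020, 3, 22)),
    ("example-longlived[.]com", "198[.]51.100.7", date(2015, 6, 1)),
]
# The post saw nearly two hundred domains on the first two IPs; a dozen
# constructed siblings are enough to trip the crowding heuristic here.
for i in range(12):
    PDNS.append((f"cheapmask{i:02d}[.]xyz", "50[.]97.189.190", date(2020, 3, 10 + i % 5)))

# Constructed WHOIS-style creation dates.
CREATED = {
    "mygoodmask[.]com": date(2020, 3, 10),
    "greatmasks[.]com": date(2020, 3, 18),
    "safetysmask[.]com": date(2020, 3, 19),
    "example-longlived[.]com": date(2015, 6, 1),
}
for i in range(12):
    CREATED[f"cheapmask{i:02d}[.]xyz"] = date(2020, 3, 9)

# Redirect observed in the sandbox run described in the post (constructed map).
REDIRECTS = {"mygoodmask[.]com": "greatmasks[.]com"}

# Constructed "as of" date for the age calculation.
ASOF = date(2020, 4, 3)


def resolve(domain, records=PDNS):
    """IPs the domain has been seen resolving to."""
    return sorted({ip for d, ip, _ in records if d == domain})


def cohosted(domain, records=PDNS):
    """Every other domain that shares at least one IP with `domain`."""
    ips = set(resolve(domain, records))
    return sorted({d for d, ip, _ in records if ip in ips and d != domain})


def age_days(domain, created=CREATED, asof=ASOF):
    """Days since registration, or None when no creation date is known."""
    when = created.get(domain)
    return None if when is None else (asof - when).days


def assess(domain, records=PDNS, created=CREATED, asof=ASOF,
           young_days=30, crowd_min=10):
    """Score one domain on young registration and crowded shared hosting."""
    age = age_days(domain, created, asof)
    siblings = cohosted(domain, records)
    reasons = []
    if age is not None and age < young_days:
        reasons.append(f"registered {age} days before the investigation")
    if len(siblings) >= crowd_min:
        reasons.append(f"shares hosting with {len(siblings)} other domains")
    return {
        "domain": domain,
        "ips": resolve(domain, records),
        "related": siblings,
        "age_days": age,
        "reasons": reasons,
        "suspicious": bool(reasons),
    }


def investigate(domain, redirects=REDIRECTS, **kw):
    """Follow the redirect chain, assess each hop, and collect related domains.

    Mirrors the write-up: the original domain is judged by what shares its
    IPs, the landing domain it redirects to is judged separately, and the
    union of co-hosted domains becomes the list of new block candidates.
    """
    chain = [domain]
    while chain[-1] in redirects and redirects[chain[-1]] not in chain:
        chain.append(redirects[chain[-1]])
    findings = [assess(d, **kw) for d in chain]
    related = sorted({r for f in findings for r in f["related"]} - set(chain))
    return {
        "chain": chain,
        "landing": chain[-1],
        "findings": findings,
        "related": related,
        "suspicious": any(f["suspicious"] for f in findings),
    }


if __name__ == "__main__":
    result = investigate("mygoodmask[.]com")
    print(" -> ".join(result["chain"]))
    for f in result["findings"]:
        print(f["domain"], "suspicious" if f["suspicious"] else "clean", f["reasons"])
    print("related candidates:", result["related"])
```

Against a real passive-DNS or WHOIS source the thresholds would need tuning: a busy shared host legitimately serves many domains, so crowding alone is a weak signal and is best read together with domain age and the redirect chain.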

The post Buyers Beware: Scamming Is Rife, Especially In a Time of Crisis appeared first on Cisco Blogs.

By Talos Group In recent years, the modular banking trojan known as Trickbot has evolved to become one of the most advanced trojans in the threat landscape. It has gone through a diverse set of changes since it was first discovered in 2016, including adding features that focus on Windows 10 and modules that target point of sale (POS) systems. Not only does it function as a standalone trojan, Trickbot is also commonly used as a dropper for other malware such as the Ryuk ransomware. The wide range of functionality allows this malware to adapt to different environments and maximize effectiveness in a compromised network.
Read More >>
The post Trickbot: A primer appeared first on Cisco Blogs.
