By Wendy Nather As we get ready for the Gartner IT Symposium/Xpo in Orlando, we’ve been thinking more about every element and imperative in their CARTA model: Continuous Adaptive Risk and Trust Assessment. Since ‘C’ also stands for Cisco, let’s start there.
Gartner uses the word “continuous” in a lot of places, including in their seven imperatives. It’s a reaction to the former practice of using what they call “one-time security gates”: you made a decision based on a static set of information (such as a source IP address or a username and password combination), and then you never revisited it. We know that this practice isn’t sufficient to maintain the proper level of trust. Trust is neither binary nor permanent: you don’t trust something or someone to do everything, and you don’t trust forever. Based on the changing nature of risk and the environment, you have to check more than once.
How often do you need to check, and does “continuous” really mean “all the time”? It depends on what you’re checking, what actions you’re taking based on those checks, and how both of those actions affect the system itself (users, applications, devices, networks and so on). Let’s take a look at a chart that Sounil Yu, formerly at Bank of America, devised for the purposes of identifying all the different ways that authentication can happen:

As you can see, a device can authenticate to a network using network access control; to an application using a client-side certificate; and to data with an encryption key. There are many opportunities to authenticate, but should you use all of them? If you try to make a user do all of the steps in the bottom row — authenticate to the device, the application, the network, the data — then you’re going to have a very cranky user. Continuous authentication, if you want to use it, has to be hidden from the user except at times when your estimation of risk really needs the user’s active participation.
On the other hand, devices and systems don’t mind continuous authentication, so doing the continuous checking and verification isn’t as disruptive. And continuous monitoring is fine, as long as you know what you’re going to do with all the data that’s generated. Can you interpret and respond to an ongoing stream of event data? Can you automate that response? If so, great; if not, you’ll end up throttling that “continuous” monitoring to produce the key data that you can actually use.
Gartner’s CARTA Imperative Number Two says “Continuously Discover, Monitor, Assess and Prioritize Risk — Proactively and Reactively.” How often do you do all of these things? Near real-time discovery of users and assets is the ideal state, and there are various ways to accomplish it. Continuous monitoring is (hopefully) a given. The tricky parts are assessment and prioritization, which often need a human to incorporate business context. For example, getting a login request from an unusual location could be a high risk, unless you already know that the employee using that account is really traveling there.
An organization needs to design its monitoring, analysis and actions around risk, but with tradeoffs against what the humans in the equation can reasonably support. How long can you let a successfully authenticated application session last before you start worrying that the user is no longer who you thought they were? Two hours? Eight hours (a typical working day)? A week? Can you force the user to re-authenticate just once through a single sign-on system, or will they have to log back into several applications? The answers can determine how frequently you carry out that “continuous” verification.
What events will cause you to revise your risk estimation and require fresh verification? It might be a request for a sensitive or unusual transaction, in which case you might resort to step-up authentication and kick off an extra permission workflow. It could be the release of a new security patch, so that you want to force all users to update before they can renew their access. Or it could be contact with an asset that is now known to be compromised, and you have to reset everything you knew and trusted about the application and its processes.
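To make the cadence question concrete, here is an added illustration (my own example, not Cisco’s or Gartner’s code) of a policy that decides, for one session, whether trust still holds, whether a silent posture recheck is due, or whether the event calls for step-up, re-authentication, or a full reset. The session fields, event labels, and the 8-hour and 15-minute intervals are constructed assumptions.

```python
from dataclasses import dataclass, field
from enum import Enum


class Action(Enum):
    ALLOW = "allow"                  # trust still holds; nothing to do
    SILENT_CHECK = "silent-check"    # re-verify device/network posture, invisible to the user
    STEP_UP = "step-up"              # risk needs the user's active participation (MFA)
    REAUTH = "re-authenticate"       # treat the session as expired
    REVOKE = "revoke"                # reset everything known and trusted about the session


@dataclass
class Session:
    user: str
    authenticated_at: float     # epoch seconds of the last interactive login
    last_verified_at: float     # epoch seconds of the last silent posture check
    patch_level: int            # patch level the device reported at that check


@dataclass
class Policy:
    max_session_age: float = 8 * 3600        # a typical working day (constructed default)
    silent_check_interval: float = 15 * 60   # hidden from the user, so it can be frequent
    required_patch_level: int = 1            # raised when a new patch must be enforced
    compromised_assets: set = field(default_factory=set)
    known_travel: dict = field(default_factory=dict)  # user -> set of expected locations


def decide(session, policy, now, event=None, detail=None):
    """Re-estimate risk for one session and return (Action, reason).

    `event` is a constructed label for what just happened; `detail` carries the
    asset name or location the event refers to. Checks run from most to least severe.
    """
    # Contact with a known-compromised asset resets everything we trusted.
    if event == "asset_contact" and detail in policy.compromised_assets:
        return Action.REVOKE, f"contact with compromised asset {detail}"
    # A newly required patch level must be met before access is renewed.
    if session.patch_level < policy.required_patch_level:
        return Action.REAUTH, "device below required patch level"
    # A long-lived session is re-authenticated regardless of what just happened.
    if now - session.authenticated_at > policy.max_session_age:
        return Action.REAUTH, "session exceeded max_session_age"
    # Sensitive or unusual transactions are where the user's participation is worth asking for.
    if event in ("sensitive_transaction", "unusual_transaction"):
        return Action.STEP_UP, f"{event} needs active user verification"
    # An unusual location is high risk unless business context already explains it.
    if event == "unusual_location":
        if detail in policy.known_travel.get(session.user, set()):
            return Action.ALLOW, f"location {detail} matches known travel"
        return Action.STEP_UP, f"unexpected location {detail}"
    # Otherwise only the device/network posture is rechecked, and only when it is stale.
    if now - session.last_verified_at > policy.silent_check_interval:
        return Action.SILENT_CHECK, "posture check is stale"
    return Action.ALLOW, "trust still within policy"


def demo():
    """Walk one constructed session through the events the policy distinguishes."""
    policy = Policy(compromised_assets={"fileserver-7"}, known_travel={"alice": {"Orlando"}})
    t0 = 1_000_000.0
    s = Session(user="alice", authenticated_at=t0, last_verified_at=t0, patch_level=1)
    results = [
        decide(s, policy, now=t0 + 60)[0],                                              # allow
        decide(s, policy, now=t0 + 1800)[0],                                            # silent-check
        decide(s, policy, now=t0 + 60, event="unusual_location", detail="Orlando")[0],  # allow
        decide(s, policy, now=t0 + 60, event="unusual_location", detail="Reykjavik")[0],  # step-up
        decide(s, policy, now=t0 + 60, event="sensitive_transaction")[0],               # step-up
        decide(s, policy, now=t0 + 9 * 3600)[0],                                        # re-authenticate
        decide(s, policy, now=t0 + 60, event="asset_contact", detail="fileserver-7")[0],  # revoke
    ]
    policy.required_patch_level = 2   # a new security patch is now mandatory
    results.append(decide(s, policy, now=t0 + 60)[0])                                   # re-authenticate
    return results


if __name__ == "__main__":
    for action in demo():
        print(action.value)
```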
Your risk and trust assessments should be adaptive, but they shouldn’t be gratuitously continuous. They should be as often as your risk models require, and only as frequent as you can handle. Balancing controls against usability is the great challenge before us today.
Learn more about Cisco’s Zero Trust approach during Wendy’s talk on October 21 at 1:00 p.m. ET at Gartner IT Symposium/Xpo in Orlando, FL, which takes place at Walt Disney World Swan and Dolphin Resort.

Source:: Cisco Security Notice

By Talos Group Cisco Talos has a new plugin available for IDA Pro that provides a new disassembler for TileGX binaries. This tool should assist researchers in reverse-engineering threats in IDA Pro that target TileGX.

Source:: Cisco Security Notice

By Mike Luken Today’s digital economy relies on secure communications in both our personal and business activities. We expect that when private data is transmitted over the internet, or other communications channels, it will be protected against tampering and prying eyes. The integrity and confidentiality of information is typically achieved using cryptography, mathematically based methods to encrypt and decrypt information.
We assume our communications are secure. But are they? Cryptography provides the foundation of secure communications, but how do we know that the cryptography we are using is correct and secure? When was the last time you verified that the algorithms used have been implemented correctly? Or that they have not been intentionally or unintentionally altered to make them less secure?
Fortunately for all of us, there are organizations that have active programs to do just this. As highlighted in Anthony Grieco’s blog on “Automating Explicit Trust,” Cisco and industry leaders are working to develop technologies that provide explicit trust (i.e. evidence of trustworthiness) and enhance communications security. A notable example is the Cryptographic Module Validation Program (CMVP) conducted by the National Institute of Standards and Technology (NIST) as a part of Federal Information Processing Standard (FIPS). Many organizations are required to only utilize products that contain NIST validated cryptographic modules. And this makes sense. Leaders want the communications used in their organizations to be based on a sound foundation to ensure the integrity and confidentiality of their information.
Historically, CMVP testing required significant manual effort, which made the endeavor both costly to vendors and extremely time consuming. This resulted in vendors having to make hard decisions on which products and software versions to validate. The organizations that require this validation saw the following:
A smaller number of available validated products and software versions
Having to choose between using a non-validated version of software that contains vulnerability fixes vs. using existing validated products with known vulnerabilities while waiting for the new software to be validated.
Recognizing the impact of this dilemma, NIST and industry have been working together to create the Automated Cryptographic Validation Testing (ACVT) program, a bold and visionary move that should increase the number of validated products, reduce the lag between a vulnerability fix and its validation, and reduce the risks inherent in manual operations. This is all made possible by the new Automated Cryptographic Validation Protocol (ACVP), which provides the communications between the product under test and the NIST test server.
The ACVT program is live and the NIST ACVT server is online. Industry is actively incorporating ACVP into products. Recently, Cisco successfully passed ACVT algorithm testing for one of its core cryptographic modules (validation # A4), thereby formally validating the cryptography used to secure customer communications.
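To show what algorithm testing actually exercises, here is an added example (written for this page; it is not NIST’s ACVP server or Cisco’s module, and the dict layout is only a simplified stand-in for ACVP’s JSON messages): the server hands out message inputs, the module under test answers, and the server compares the answers against published known-answer values from FIPS 180-4 and RFC 4231. The `AlteredModule` is a constructed defect showing that a module can pass its hash vectors and still fail its MAC vectors.

```python
import hashlib
import hmac

# Reference answers from published vectors: SHA-256 of "abc" and of the empty
# message (FIPS 180-4 examples) and HMAC-SHA-256 test case 1 from RFC 4231.
# The dict layout is a simplified stand-in for ACVP's JSON, not the real format.
SHA256_VECTORS = {
    "vsId": 1, "algorithm": "SHA2-256",
    "tests": [
        {"tcId": 1, "msg": b"abc",
         "expected": "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"},
        {"tcId": 2, "msg": b"",
         "expected": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},
    ],
}
HMAC_VECTORS = {
    "vsId": 2, "algorithm": "HMAC-SHA2-256",
    "tests": [
        {"tcId": 1, "key": bytes([0x0B] * 20), "msg": b"Hi There",
         "expected": "b0344c61d8db38535ca8afceaf0bf12b881dc200c9833da726e9376c2e32cff7"},
    ],
}


def issue_request(vector_set):
    """Server side: send only the inputs; the expected answers never leave the server."""
    tests = []
    for t in vector_set["tests"]:
        case = {"tcId": t["tcId"], "msg": t["msg"].hex()}
        if "key" in t:
            case["key"] = t["key"].hex()
        tests.append(case)
    return {"vsId": vector_set["vsId"], "algorithm": vector_set["algorithm"], "tests": tests}


def respond(module, request):
    """Module side: answer every test case with a hex digest or MAC."""
    answers = []
    for case in request["tests"]:
        msg = bytes.fromhex(case["msg"])
        if request["algorithm"].startswith("HMAC"):
            out = module.mac(bytes.fromhex(case["key"]), msg)
        else:
            out = module.digest(msg)
        answers.append({"tcId": case["tcId"], "md": out.hex()})
    return {"vsId": request["vsId"], "tests": answers}


def verify(vector_set, response):
    """Server side: every case must be answered and match; returns (passed, per-case)."""
    expected = {t["tcId"]: t["expected"] for t in vector_set["tests"]}
    results = {a["tcId"]: hmac.compare_digest(a["md"], expected.get(a["tcId"], ""))
               for a in response["tests"]}
    passed = len(results) == len(expected) and all(results.values())
    return passed, results


class ReferenceModule:
    """A module whose primitives come from the platform's hashlib."""
    def digest(self, msg):
        return hashlib.sha256(msg).digest()

    def mac(self, key, msg):
        return hmac.new(key, msg, hashlib.sha256).digest()


class AlteredModule(ReferenceModule):
    """Constructed defect for the demo: only the first byte of the HMAC key is used,
    so the hash passes its vectors while the MAC silently loses its key strength."""
    def mac(self, key, msg):
        return hmac.new(key[:1], msg, hashlib.sha256).digest()


def run(module, vector_set):
    """Full exchange: server issues vectors, module answers, server verifies."""
    return verify(vector_set, respond(module, issue_request(vector_set)))[0]


if __name__ == "__main__":
    for mod in (ReferenceModule(), AlteredModule()):
        for vs in (SHA256_VECTORS, HMAC_VECTORS):
            print(type(mod).__name__, vs["algorithm"], "PASS" if run(mod, vs) else "FAIL")
```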
Network and system attacks by bad actors are frequently in the news. It is encouraging to know there is now an industry-defined, independent third-party capability available and in use to validate the cryptography used to secure communications. +1 for the good guys.
Visit the Trust Center to learn more about Cisco’s commitment to trustworthiness, transparency, and accountability.
Additional references:
Industry Working Group on Automated Cryptographic Algorithm Validation
NIST: Security Testing, Validation and Measurement

Source:: Cisco Security Notice

By Steve Martino October is Cybersecurity Awareness Month, reminding us that cyber-attacks know no boundaries between work and home, so we need to be diligent about cyber hygiene across all environments. With the abundance of connected devices we all depend on, protecting your digital footprint is no longer optional. But where do you learn what to do?
People who work for larger corporations may receive cyber information and training from their employer. For instance, at Cisco every employee gets basic cyber training and increasingly advanced training based on your role; we even share educational materials on applying best practices at home. But not all businesses have the resources to dedicate to such training. And in the home, most people have limited cyber knowledge at best, and only pay attention if or when they become victims of an attack.
To get you started, here are a few tips that will help you to “own IT, protect IT and secure IT” to stay safe online.
Recognize we are experiencing radical change. With our busy lives, we take technology for granted. But it’s important to realize that technology is changing society faster than any other advance in human history. Adults need to get smart about the implications and actively discuss “today’s digital reality” with their children. Just as you teach a toddler to avoid a hot stove, teach them from an early age about safe online practices.
Ask questions. When you acquire a new connected device, stop and ask where it came from. Who connects with it and/or captures data from it? For what purpose do they collect the data and is that important to me? How do they care for the protection of your data and privacy? The more knowledgeable you become, the smarter your next questions will be.
Maintain your devices. Find out whether the device you’re buying has software that will need to be updated and patched as vulnerabilities are found and fixed. If so, make sure that gets done. Just as a smoke alarm with expired batteries won’t keep you safe, neither will outdated, insecure software.
Secure and Protect Passwords. Make your passwords long and complex; change them regularly; don’t use the same password for multiple applications; and change default password settings on new devices. We all know multiple passwords can get cumbersome and hard to remember, so use a reputable password manager to keep track of them for you. Many businesses and institutions provide two-factor authentication (2FA) as an added step to protect your online identity and data. If it’s offered, use it.
Embrace technology, but be aware. If you were walking down a dark street in an unfamiliar city, you’d likely be more aware about who else is around you or may be following you. Treat the internet the same way. Being connected does not mean bad things will happen, but it pays to stay alert and understand best practices and how to apply them. For instance, don’t open email attachments if you’re not completely sure of the sender’s trustworthiness. Don’t click on emailed links that you haven’t asked for. “Stop, think before you click” to avoid the burden of what may come after a malicious attack.
Remember Data Privacy. While security and privacy are different, they’re definitely related. When you’re watching for online threats, also remember that nothing online is really ‘free’ – you’re most likely giving up something (data) to get a “free service/app”. Ask – is the intrinsic value of the “free” thing worth it? When you download an app or sign up for a new service that collects your data, choose carefully what sharing you allow. And remember, when you put personal information online, it stays around for a long time and may come back to you in unexpected, and unwelcome, ways.
It’s time to bring cybersecurity into the greater social consciousness and constructive discussions about changing norms. As new capabilities keep coming to market faster, we should and can have the right social adaptation to embrace technology safely.

Additional Resources
Tips to help improve your cyber-hygiene (Infographic)
Trust.cisco.com

Source:: Cisco Security Notice

By Talos Group
Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between Sep. 27 and Oct. 4. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavioral characteristics and indicators of compromise, and by discussing how our customers are automatically protected from these threats.
As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.
Read More
Reference:
TRU10042019 – This is a JSON file that includes the IOCs referenced in this post, as well as all hashes associated with the cluster. The list is limited to 25 hashes in this blog post. As always, please remember that all IOCs contained in this document are indicators, and that one single IOC does not indicate maliciousness. See the Read More link above for more details.

Source:: Cisco Security Notice

By Vinny Parla Cisco has an amazing set of products like AMP for Endpoints and Cisco Umbrella protecting devices from advanced malware threats. There were other user and endpoint scenarios that remained unsolved until we introduced the new Cisco Endpoint Security Analytics (CESA) solution that was recently announced. CESA provides an unprecedented level of endpoint and user networking visibility built on Cisco AnyConnect Network Visibility Module (NVM) endpoint telemetry and Splunk Enterprise. Underlying the NVM technology is a protocol called nvzFlow (en-vizzy-flow) that I have blogged about in the past.

Why Did We Build CESA?
The CESA solution was originally developed by the Office of the Security CTO and then integrated into Cisco AnyConnect and Splunk products to solve a set of issues for Cisco InfoSec. Cisco InfoSec realized that getting all the endpoint visibility they needed to perform incident response was a challenge. There were also endpoint security blind spots as more Cisco employees were working off premise and connecting to both enterprise and cloud resources. They needed a way to collect and store a year of data for analysis of incidents while also getting information in real‑time to see what is happening in the network. You can read more about the Cisco InfoSec use case in their case study on CESA.
The Office of the Security CTO looks at current and future customer problems that are not being solved by existing technology and then comes up with ideas on how to solve them. My fellow co-inventors, Andrew Zawadowskiy and Donovan O’Hara from the CTO Advanced Development team, built the initial Proof of Concept and then worked on the final product release with the AnyConnect development team.
As we thought about ways to solve the problems Cisco InfoSec was facing, we wanted to do it in a way that built on standards-based technology, so that not only could Cisco Stealthwatch and Cisco Tetration support it, but it would also provide an ecosystem for key partners to participate in. This is why we chose to build on IPFIX. It is the perfect protocol to build the enhanced context found in nvzFlow. What do we mean by “Enhanced Context”?
The 5 key endpoint visibility categories conveyed by the protocol or “Enhanced Context” are:
User
Device
Application
Location
Destination
At the end of the blog will be a helpful table to show you details of the enhanced context that is provided.

Working with Great Partners like Splunk and Samsung
One of the key features of CESA is Splunk Enterprise, which performs the analytics and alerting on the NVM telemetry, turning it into actionable events. The new CESA Built on Splunk product, available exclusively from Cisco, provides a Splunk package customized and priced specifically for analyzing NVM telemetry. Cisco InfoSec has been using the CESA solution for over two years now. As noted earlier, you can read more about it in their Case Study.
Splunk Enterprise is a fantastic tool. It was really easy for us to take the Cisco AnyConnect NVM data and not only import it into Splunk, but also quickly create a high-value set of dashboards and reports from the data. There are two components in the Splunk store that make up the solution: Cisco AnyConnect Network Visibility Module (NVM) App for Splunk and Cisco NVM Technology Add-on for Splunk. Because NVM produces so much high-value data, Splunk created a special per-endpoint license available exclusively from Cisco that makes budgeting predictable and saves you money. We also put together a helpful deployment guide to get you going.
Below is an example of the dozens of reports available in the AnyConnect NVM Splunk Dashboard.
As you can see, the solution provides visibility into which applications are connecting to which domains and how much data is being transmitted and received.

From there, you can then drill down on the specific application and obtain finer grained details including the SHA256 hash of the process, the names of domains and IP addresses it connected to, what account it is running under, etc. Just click on the specific element and it will take you to an investigation page for that observable.

You can easily integrate your favorite investigation tools right into the Splunk Enterprise dashboards. For example, you can pivot from a DNS domain name observable into Cisco Umbrella, Talos Intelligence or Cisco Threat Response with just a couple lines of HTML. This will allow you to obtain a threat disposition on the domain.

Similarly, you can take the SHA256 hash observable and pivot right into AMP for Endpoints, ThreatGrid or Cisco Threat Response. This will allow you to obtain a threat disposition on the binary.

We’ve provided those integrations for you in the default dashboards. You can easily add more just by editing them to include your favorite tools. Let us know if there is anything else that would be useful in the default screens.

Samsung has been another excellent partner from the start. We have worked with them closely on their Knox program for a number of years with AnyConnect integrations and neat features like per-app VPN. When we explained to them what we wanted to do with Cisco AnyConnect NVM, they were excited to help and developed the Network Platform Analytics (NPA) framework to make it possible. It is the only framework available on mobile platforms to support Cisco AnyConnect NVM. The best part is that you can enable and provision this capability using your favorite Enterprise Mobility Management (EMM) solution – no special device-mode needed! Keep an eye out for a forthcoming quick‑start guide on this technology. NVM is also available on Windows, MacOS and Linux platforms.
Those are some of the high points of the CESA Built on Splunk solution. If you’d like to get into further technical details on the solution architecture and NVM telemetry itself, see my post on our Cisco Community Page.

Source:: Cisco Security Notice

By Sean Mason Sean Mason, Director of Cisco Incident Response Services, and Jeff Bollinger, Investigations Manager, Cisco Security Incident Response Team (CSIRT)
As security practitioners who continuously look for adversarial malice, one of the questions we are asked frequently is: What’s around the corner? Threat actors evolve over time, so how do we know not only what they’re doing now, but also what’s next? And if things are quiet and we’re not observing any incidents, does that mean that everything is under control? Or are adversaries simply retooling?
To help answer these tough questions, we have threat hunting. The objective of this ongoing exercise is to find and eliminate adversaries that have penetrated defenses and are yet to be detected. Essentially, it’s a shift in mentality. Instead of waiting to respond to an incident after it has triggered an alarm, we’re turning over some rocks to find things we don’t know yet.
As explained in Cisco’s recent report, “Hunting for Hidden Threats,” threat hunting is one more tool in the incident responder’s arsenal. It’s not a silver bullet. But — based on our own 30 years of combined experience mitigating threats, not to mention the whole of Cisco’s experience — we believe it’s an essential component of making security foundational.
How valuable to you is the ability to keep your organization’s data from being stolen or locked, or to keep your organization’s name out of the headlines for a breach? If you can stop even one attack successfully, then all the time and money you’ve invested into threat hunting is worth its weight in gold.
Benefits of threat hunting
Although the ultimate objective is to get ahead of adversaries by finding and expelling them before they cause damage, threat hunting has many other benefits, some of which are:
Improving security operations: While threat hunting itself can sometimes be arduous, you can use it to improve efficiencies in other areas. Once you develop techniques and ways of discovering malicious activity, commoditize and operationalize that by creating playbooks as well as automating some of your day-to-day incident response. At Cisco, for example, our incident response team has more than 400 unique playbooks, many of them informed by our threat hunting activities. We use these plays regularly to look for suspicious activity and to free up analysts’ time.
Understanding your environment: Let’s say you’re a new CISO who needs to get a better picture of what’s going on in your network. A threat hunt, or a compromise assessment, is a good way to understand what you’ve inherited and have signed up to defend. The end result is concrete evidence that you can take to your leadership and ensure you have adequate resources to secure the organization. The hunt can prove that the threats are not just theoretical and are actually lurking inside your ecosystem.
Hardening the environment: From a day-to-day perspective, identifying gaps in security gives you the opportunity to remediate and fix larger problems. As you’re doing hunts, you’ll inevitably discover weaknesses that threat actors can exploit. Apply the knowledge you’ve gained through threat hunting to proactively improve tooling and strengthen the overall security posture.
What it takes to be successful
There are many components to a successful threat hunting program, but the ones that we can’t stress enough include access to the data, a diverse team, and the right mindset.
The importance of high-quality data is obvious, but you may be surprised how big a challenge access can be. We commonly find a lack of necessary data during threat hunts for our customers — and even in our own environment.
Instead of treating a data-access problem like a dead end, think outside the box. Can you look at things differently? Can you use a different set of network logs? And just as important, turn this into an opportunity to improve the outcome next time and go the extra mile to collaborate with those teams that can give you better data.
Which brings us to the people component. There are two aspects to it, and one is the importance of building relationships across teams. Especially those impacted by your security activities, such as the network admins and developers. The other side is the people on the hunting team. Success requires diversity of thought. Include individuals who can think creatively and look at the world a little differently, rather than only thinking in ones and zeroes. We find threat hunters from a variety of backgrounds — even nontechnical.
This also helps you hunt with the right mindset. It’s hard to be objective when you’re living and breathing your security environment day in and day out, especially if you’ve architected it. Taking a step back and asking what you may be missing is not easy. A diverse team that both designs and executes the hunt gives you new perspectives.
Jumping in
Besides the right people, you need the right technology and processes. You may already have a basic foundation you can build on — chances are, you’ve been doing threat hunting without even knowing it. If you’ve ever investigated attacks to try to understand what happened, you’ve been answering some of the same questions and following some of the same steps that hunters do.
A deliberate program, however, does take time to develop. Start with small steps and easy, tactical data sources, then build from there. Don’t make the mistake of throwing a bunch of data sources in at once, or you’ll run into challenges. You don’t even need complicated tools to get off the ground, because you can discover malicious behavior with OS event logs or logs your sysadmin keeps for troubleshooting purposes.
One final thought. There’s a misconception that only larger organizations can implement a threat hunting program. In reality, threat actors don’t concern themselves with size and are looking for easy targets — smaller organizations can benefit just as much, if not more, from getting ahead of these threats. If you don’t have in-house resources, outsource to an expert consultant. And if you already have an outside IR team on retainer, start the conversation about what it would take to proactively look for adversaries.
Want to learn more about establishing a threat hunting program? Download the recent Cisco Cybersecurity Series report, “Hunting for Hidden Threats: Incorporating Threat Hunting Into Your Security Program.”

Source:: Cisco Security Notice

By Edna Conway In our increasingly digital world, technological innovation not only presents new opportunities, but also raises new risks and challenges that must be addressed collaboratively by industry, buyers, users, and policymakers. Specifically, digitization demands that risk be addressed across a dramatically expanding supply chain. These risks include the security threats of manipulation, espionage and disruption of information and information systems and services.
Empirical reports reveal that the third party ecosystem remains a fundamental risk to the integrity of our information systems. For example, analysis of the last nine consecutive years of Verizon’s global Data Breach Investigation Reports illustrates that where breaches can be attributed, 73% arise from the third party ecosystem. Moreover, not only are we increasing the volume of third parties in our information systems supply chains, we continue to invite third parties into our security inner sanctums – our security enforcing technology. Cisco’s 2018 Annual Cybersecurity Report revealed that 79% of global enterprises and governments rely on at least 20 third party security vendors.
The message is clear: the cyber supply chain and its related third party risk must be addressed. These security risks must be tackled comprehensively across all stages of the supply chain, including design, software development, manufacturing and sustainment. In parallel, our procurement practices, policies and certification and validation schemas should also seek to mitigate the impact of this third party risk. Public-private partnership brings civilian, government and defense agencies together with private industry to develop meaningful recommendations to effectively mitigate third party risk. NATO has recognized and is actively addressing this challenge in coordination with its member nations.
I will tackle this very challenge in my upcoming keynote, “The Trolls Under the Bridge: Who & What Lurks in Your Supply Chain?” at NATO’s NIAS19 Conference in Mons, Belgium in October https://nias19.com. I will share views on a path forward to meaningfully reduce risk across the increasingly broad and deep third party ecosystem upon which governments and enterprises around the world rely. I look forward to sharing the perspective that we simply must drive what I refer to as Pervasive Security. Pervasive Security is designed to deploy a layered approach balancing physical security, operational security, behavioral security, information security and security technology across the cyber supply chain based on risk prioritization.
My discussion will build on NATO’s 2017 Technical and Implementation Directive on Supply Chain Security for COTS CIS Security Enforcing Products. And, I will showcase a practical framework to identify, prioritize and mitigate the impacts of tainted and counterfeit information systems technology across the supply chain and its third party members.
One of NIAS19’s key themes is “supply chain security challenges”. Specifically to answer that challenge, I will discuss tested, practical methods to address those challenges. After all, risk travels up and down the supply chain. Approaching supply chain security comprehensively is key to ensuring successful risk management. Fundamental steps to comprehensive security require that all supply chains:
1. Identify areas of potential impact, for example:
Risks to continuity of supply of third party provided software, services, components and raw materials
Natural disasters
Geopolitical and economic disruption
Workforce instability
Financial volatility
Weak infrastructure security
Insufficient end-user risk awareness
2. Prioritize risk by both likelihood of occurrence and severity of impact
3. Establish criteria for mitigating security threats and reducing the impact of incidents
4. Collaborate with industry and government on policy, regulations and directives.
October is Cybersecurity Awareness Month! Join the conversation, as all of us are part of the global supply chain. For additional insight on this challenge visit Cisco’s Value Chain Security Capability.

Source:: Cisco Security Notice


By Amanda Rogerson This blog series will highlight exciting new developments and integrations between solutions within the Cisco Security portfolio with our acquisition of Duo Security. These posts will cover details about the problems that are being solved by these integrations with links to helpful technical documentation if you are interested in seeing for yourself the benefits that are provided. If you would like further information on how you can improve your security posture by leveraging these integrations, please contact our sales team.
Zero trust is a comprehensive security approach that secures access by your users, devices, applications and networks. This approach to security helps organizations implement practices that establish trust in the users and devices accessing sensitive applications and network resources, helping to prevent unauthorized access and reducing the risk of an attacker’s lateral movement through the network.
To protect the workforce, a zero trust security approach ensures only the right users and secure devices can access applications. And for the workplace, it secures all user and device connections across the network, including IoT. The integrations provided between Duo Security and Cisco’s Identity Services Engine (ISE) provide the zero trust application and network access controls you need for the workforce and workplace.
Use Case 1: Zero trust remote access
ISE and the AnyConnect Secure Mobility Client empower your mobile workforce with secure Virtual Private Network (VPN) access to the workplace. By integrating with Duo, you gain enhanced device visibility and multi-factor authentication (MFA), and you establish device trust.
Problem Solved: Customers who want to implement additional verification of the user when providing access to their corporate network via VPN. The motivators behind this requirement are:
VPN access gives end users access to the entire network, and many environments do not have a network segmentation policy robust enough to limit access to only the resources users need. The next best step for protection is to implement MFA to achieve a higher level of confidence that the user is who they say they are.
Credential compromise is still one of the biggest reasons customers get breached
Compliance (HIPAA, PCI-DSS etc.)
Solution: You can enhance remote access security with Duo Security, Cisco ISE, and the AnyConnect Secure Mobility Client. It’s easy to add multi-factor authentication to VPN access so that you can verify the trust in remote users. Here’s how:
Cisco AnyConnect Client + Cisco ASA utilizes Cisco ISE for Access Control. Customers add the Duo Authentication Proxy as a 2nd authentication source in the Cisco ISE. Upon AnyConnect login users are prompted for 2FA from Duo.
Use Case 2: Zero trust network administration.
ISE controls network administrator access to critical network infrastructure equipment like switches and routers with the added security layer of Duo’s multi-factor authentication to mitigate the risks of unauthorized access, which could result in intentional misconfigurations that cause severe network outages.
Problem Solved: Most customers have network devices (Routers, Switches etc) in their environments which require access to manage and configure. Many of these network devices utilize a Cisco protocol called TACACS+ to authenticate and authorize end user admin access to the network device. Customers want to enable MFA for admin access to these network devices.
Solution: With the Duo MFA Integration with ISE for TACACS+ Device Administration with Microsoft Active Directory Users, customers can protect admin access to network devices that use the TACACS+ protocol: primary authentication is handled by ISE, and 2FA with Duo is added through the Duo Authentication Proxy.
Stay tuned for more integration stories and use cases. You can learn more about Cisco Zero Trust here, and if you want to see the powerful security controls that Duo offers you can sign up for a free trial at sign-up.duo.com.

Source:: Cisco Security Notice