Archiv für die Kategorie: Cisco Security Notice

By Thu T. Pham Complexity, opacity and the gatekeeping of knowledge are tactics often used to appear sophisticated or intelligent. They can also be used to intimidate.
In security and technology, complexity can lead to critical gaps in visibility and an extended attack surface – with too many vendors and solutions to interconnect and manage. Additionally, many enterprises are operating with limited budgets, too many projects with conflicting priorities, projects creating disparity between different technology teams; all supported by a limited security team (or an IT or networking team doing double duty). As a result, complexity creep has risen to counteract our best security efforts.
At Cisco, we’re seeking to eliminate that complexity and close knowledge gaps with simplicity in how we execute and deliver security, as well as transparency in how we talk about it. The security industry is often guilty of using buzzwords and jargon that can add to the growing complexity and shifting priorities as enterprises attempt to follow best security practices defined by the industry.
Zero Trust: The Concept, Defined
To that end, let’s start with defining and simplifying the most popular buzzword, ‘zero trust‘ – it’s about never implicitly trusting, but always verifying someone or something that is requesting access to work resources.
It’s not about getting rid of the perimeter – but rather tightening security on the inside.The new perimeter is less about the edge of the network, and now more about any place you make an access control decision.
–Wendy Nather, Head of Advisory CISOs, Summarized from Zero Trust: Going Beyond the Perimeter
Historically:
Users, devices and applications were located behind a firewall, on the corporate network
All endpoints accessing resources were managed by the enterprise
Systems managed by enterprises could all inherently trust one another, and trust was often based on network location
The new zero trust is about:
Gaining visibility to intelligently inform policy, and enabling BYOD (bring your own device) or IoT (Internet of Things) devices for business agility
Continual reestablishment of user, device and application trust
Continuous monitoring and threat containment
Protecting the Workforce, Workloads & Workplace
With all of that in mind, what exactly are you trying to protect?
Enterprises are complex by nature. They have vast IT ecosystems, with many different vendors, software and infrastructure spread across the multi-cloud and on-premises. They have many different types of users – employees, contractors, customers, etc. – everywhere across the world – often using their own personal devices to work. They have applications that talk to each other via APIs, microservices and containers. And they still have enterprise networks that devices regularly access, including IoT.
That’s why we’ve simplified things – by classifying each area of your enterprise IT as equally important to protect using a zero-trust security approach.
Zero Trust for the Workforce – Ensure only the right users (employees, contractors, partners, etc.) and their secure devices (BYOD) can access applications (regardless of location).
Zero Trust for Workloads – Secure all connections within your applications (when an API, micro-service or container is accessing an application’s database), across the multi-cloud (cloud, data centers and other virtualized environments).
Zero Trust for the Workplace – Secure all user and device connections across your enterprise network, including IoT (types of devices may include: servers, printers, cameras, HVAC systems, infusion pumps, industrial control systems, etc.).
For complete zero-trust security, you need to address each area of your IT ecosystem – securing access across all environments, in a consistent and automated way.
Enter the Cisco Approach to Zero Trust
Cisco’s approach does not implicitly trust a request – but rather establishes trust for every access request, regardless of where the request is coming from. It secures access across your applications and network, while extending trust to support modern enterprises with BYOD, cloud apps and hybrid environments.
Cisco implements zero trust with a three-step methodology across the workforce, workloads and workplace by:
Establishing trust of a user, device, application, etc. – before granting access or allowing connections or communications.
Enforcing trust-based access policies with granular controls based on changing context – such as the security posture of devices and the behavior of applications
Continuously verifying trust by monitoring for risky devices, policy noncompliance, behavior deviations and software vulnerabilities
For the workforce, Duo Security protects against phishing, compromised credentials or other identity-based attacks with multi-factor authentication (MFA) to verify user identities and establish device trust before granting access to applications.
For workloads, Tetration secures hybrid, multi-cloud workloads and contains lateral movement with application segmentation. Identify vulnerabilities in software versions and block communication to reduce your overall attack surface.
For the workplace, Software-Defined Access (SD-Access) provides insight into users and devices, identify threats and provides control over all connections across the enterprise network, including IoT devices.
Extending Trust
While this is a good starting place, other solutions in the Cisco Security portfolio can extend the zero-trust security model further. Cisco’s framework is built to integrate seamlessly with your existing infrastructure and investments using an open API model, standards-based platform and strong technology partnerships to ensure that everything across your environment is protected – securing your enterprise as you scale.
Those strong partnerships include major players in the industry, including Microsoft, Amazon Web Services (AWS), Google and many more.Extending trust to integrate with third parties for better visibility and consistent policy enforcement is key to making a zero-trust approach practical and effective for modern enterprises.
Benefits of a Zero-Trust Security Approach
Overall – this framework provides the benefits of a comprehensive zero-trust approach:
Increased visibility – Get insight into the contextual data behind access requests, including users, user endpoints and IoT devices connecting and talking to your applications and network
Reduced attack surface – Mitigate risks related to identity attacks (stolen or compromised passwords, phishing) and lateral attacker movement within your network (in the event of a breach – contain the impact of the initial breach)
Broad coverage – Zero-trust security for not just the workforce, but across workloads and the workplace for complete coverage and a consistent approach to securing access and enforcing policies, regardless of where data or applications are located

Learn more about Cisco Zero Trust. Or, sign up for a free trial of Duo, demo Tetration and learn more about SD-Access to start your zero-trust journey today.
Did you hear? Cisco was named a leader in The Forrester Wave: Zero Trust eXtended Ecosystem Platform Providers, Q4 2019 – read the report.

The post Welcome to the New Zero Trust appeared first on Cisco Blogs.

Source:: Cisco Security Notice

By Don Meyer Welcome to The Future of Firewalling, Part 1…
For over two decades, the firewall has been the de-facto tool that facilitated secure connectivity between different networks. Firewalls were traditionally designed around the idea that internal traffic and users were inherently trustworthy and external traffic wasn’t. Thus, the firewall was deployed to create a trust boundary – or perimeter – between networks. This network perimeter became the logical security control point to protect an organization’s network, data, users, and devices. What’s more, all network traffic (whether originating from the corporate headquarters, its data center, or remote workers) was funneled through this single control point, making it easy to maintain that trust boundary and establish consistent control. Life was good.
Then the world went digital
And when it did, the way we worked, consumed data, and exchanged ideas transformed. The introduction of the “cloud” further compounded things: many of our business-critical applications started moving from our data centers and premises-based networks to places we no longer owned or controlled. At the same time, our branch offices started directly connecting to the Internet to consume services that are now more frequently hosted outside our data centers. And users began accessing more and more resources from their personal devices everywhere but in the office.
As our networks have become far more interconnected, the notion of a single perimeter or control point no longer exists. The industry has been abuzz for some time about the “dissolving perimeter” and whether the firewall is even necessary anymore. I would argue that not only is the firewall more relevant than ever, we now need more firewalls everywhere – on our premises networks, at branch offices, at the gateway and within our data center, in the cloud, on devices, and even within our application workloads.
From macro to micro
Instead of a single perimeter we now have multiple “micro-perimeters” across a variety of networks, devices, users, and data. Typically, each of these new “perimeters” is secured by adding different point technologies, which require a lot of manual intervention just to get going. Couple that with the significant shortage of available talent to manage all these new devices and we’ve got an even bigger challenge. As a result, organizations are struggling to operationalize their disparate security solutions to maintain consistent policies and uniform threat visibility. Network complexity? Check. Network security complexity? Check. Misconfigurations and inconsistencies leading to exposures and breaches? Check mate!
And while we’re struggling to get a handle on all this complexity, our adversaries continue to unleash more sophisticated threats more frequently across more threat vectors. In fact, the average reported rate of data breaches was 46% in 2018, up from 24% in 2017, according to the 2018 Global Threat Report. This steep climb in reported breaches is a testament to the increasingly sophisticated methods bad actors are using to infiltrate our networks; the growing rate of their success shows just how ineffective the status quo is against modern threats.
And here we are
It has become painfully obvious that we’ve lost visibility and control. We no longer have a good understanding of where our users and data go nor how exposed our businesses are. It’s hard to determine what’s communicating with what, or if we’ve even been breached, until it’s too late. And the pace of change is accelerating as more businesses embrace digital transformation, creating a perfect storm of opportunity for motivated hackers. And a perfect headache for those of us tasked with security. Where do we start to get a handle on it all?
It’s time to rethink the firewall
The importance of the firewall hasn’t diminished – in fact it’s more relevant than ever – but we need to think differently about it. We must go beyond form factors and physical or virtual appliances to embrace firewalling as a functionality. Firewalling needs to be about delivering world-class security controls – the key elements for preventing, detecting, and stopping attacks faster and more accurately – with common policy and threat visibility delivered where you need it: in the data center, in the cloud, at the branch office. So you’re protected everywhere.
At Cisco, we’ve been hard at work bringing that vision into reality, so you can build your strongest security posture for today and tomorrow. Stay tuned to The Future of Firewalling blog series to hear about it. And visit cisco.com/go/ngfw to learn more about Cisco Next-Generation Firewalls.
Coming soon:
The Future of Firewalling, Part 2: Don’t let complexity ruin your security
The post The death of the network perimeter and the firewall? Not so fast. appeared first on Cisco Blogs.

Source:: Cisco Security Notice

By Amanda Rogerson Challenges of Protecting Endpoints
With an estimated 70% of breaches starting on endpoints – laptops, workstations, servers, and mobile devices – organizations need visibility into the devices connecting to applications both on the network and in the cloud. Organizations need the ability to establish trust in the devices connecting to resources containing sensitive information.
Curious how you can determine if you can trust the endpoints that are connecting to your business resources? Ask yourself a few quick questions:
Are you able to automatically notify users of out-of-date software to reduce your help desk tickets or block devices that have been compromised? Or automatically quarantine malicious files from infecting your entire network?
Can you enforce endpoint controls for risky devices or corporate-owned devices? What about contractor devices or external third parties connecting to your network?
Can you enforce access policies based on the application risk or whether the device is a known healthy device that meets security guidelines?

Establishing Trust in Endpoints
In order to effectively establish trust in user devices, organizations should have device-based policies in place to prevent access by any risky or unknown devices. By validating the device is both healthy and meets security policies, you can ensure they’re trustworthy – key components of the Cisco Zero Trust security approach for the workforce.
Cisco implements zero trust with a three-step methodology across the workforce, workloads and workplace by:
Establishing trust of a user, device, application, etc. – before granting access or allowing connections or communications.
Enforcing trust-based policies with granular controls based on changing context – such as the security posture of devices and the behavior of applications
Continuously verifying trust by monitoring for risky devices, policy noncompliance, behavior deviations and software vulnerabilities
With Duo and Cisco® Advanced Malware Protection (AMP) for Endpoints, organizations have the tools in place to effectively establish trust in users‘ devices connecting to protected applications. The ability to prevent, detect and respond are key elements when considering device trust in a zero-trust security approach for the workforce.
Trust Through Protection and Detection
Establishing trust extends beyond managing the status of the device to include inspecting the device and controlling access based on risk evaluations to ensure only devices that are healthy and meet your security controls are able to gain access to your corporate systems. With Duo Trusted Endpoints, you can enforce controls and policies to keep risky endpoints from accessing your applications. This includes devices that are unmanaged; don’t meet OS requirements; status of enabled security features (configured or disabled); full disk encryption.
AMP for Endpoints offers endpoint protection, advanced endpoint detection and response capabilities and a holistic view of your endpoints, regardless of operating system. AMP continuously monitors and analyzes all file and process activity within your network to find and automatically block threats that other solutions miss. It has more than 15 built-in protection and detection mechanisms to prevent threats from compromising your business. With a few clicks in AMP’s browser-based management console, the file can be blocked from running on all endpoints. AMP knows every other endpoint the file has reached, so it can quarantine the file for all users.
Available Soon – Integration between Duo Security and AMP for Endpoints
Adding AMP for Endpoints as a Trusted Endpoint in Duo provides the ability to protect applications from devices that have been flagged by AMP as an infected endpoint containing malware. This prevents access to any application that contains sensitive data reducing the risk of data loss.
Duo’s access policies will allow admins to entirely block access to devices flagged by AMP without blocking the user entirely, permitting them to access applications from an alternate device to ensure continued productivity.
The automatic isolation and blocking of compromised devices provides organizations the ability to quickly remediate potential threats, reducing their risk surface without completely interrupting user productivity.

Duo and AMP provide organizations with comprehensive tools to prevent, detect and respond to potential threats from endpoint devices, helping to establish trust in those devices.
Learn more about Cisco Zero Trust, and get started with a free trial of Duo and Cisco AMP for Endpoints to start establishing trust in your endpoints today.

The post Establishing Device Trust to Secure the Workforce appeared first on Cisco Blogs.

Source:: Cisco Security Notice

By Talos Group
Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between Oct 25 and Nov 1. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.
As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.
Read More
Reference:
TRU11012019 – This is a JSON file that includes the IOCs referenced in this post, as well as all hashes associated with the cluster. The list is limited to 25 hashes in this blog post. As always, please remember that all IOCs contained in this document are indicators, and that one single IOC does not indicate maliciousness. See the Read More link above for more details.

Source:: Cisco Security Notice

By Ben Nahorney You’re working for a high-profile technology company, close to releasing a market-changing product to the public. It’s a highly contested space, with many competitors, both domestic and international. There’s also a lot of buzz in the media and online speculation on the scope and impact your new product will have. And it goes without question that customers are keen to know more about the upcoming game-changer.
Your goal is to keep the secrets under wraps until the public announcement. Unfortunately, your surprise is about to be spoiled. It happens sometimes, as much as we work to prevent it—from accidental embargo slips to insider leaks. But in this case, it’s arguably the worst-case scenario: Your company has been breached and information about the product was stolen.
It’s unfortunate, but such breaches are not an uncommon occurrence—it’s something security professionals are far too familiar with. They occur across sectors, yet the way the data is stolen often includes familiar patterns. There are plenty of possible suspects, and untangling their motives is difficult. But in this cybersecurity game of “Clue,” we’re less concerned if it were Mrs. Peacock or Professor Plum. We want to know what the weapon was and how to prevent future murders.
There are a variety of useful weapons in an attacker’s arsenal. Downloaders, administration tools, and infostealers all often play a part in such an attack. But the go-to tool in many scenarios like this today are remote access trojans, often referred to as a “RATs.”
The anatomy of a RAT
A RAT is a swiss army knife of sorts. Distributed through familiar vectors, such as malicious downloads and email attachments, many RATs include all the weapons mention above, and more, making it easier for an attacker to leverage each component when carrying out an attack. In short, a RAT consolidates a number of tools into one package.
There is a lot of variation from RAT to RAT. Some are generalist tools, meant to be used across a variety of attack scenarios. Others are highly tailored to a specific attack. Some RATs use predetermined proxies to help mask an attacker’s ultimate location. Other RATs may leverage command-and-control (C2) infrastructure to do the same.

While the functionality and infrastructure used by a given RAT will differ, what follows are common features found within many RATs. To illustrate an attack, let’s take it back to our tech company breach, showing how an attacker can leverage a RAT to gain access to, and steal, sensitive files on your upcoming product.
Gather system information
The attacker managed to breach the defenses in your company using a phishing email that included a link to the RAT. However, that doesn’t mean that they will immediately know where they are on the network. They’ll naturally want to learn more about the computer they compromised. Is it an administrative assistant’s desktop, a laptop belonging to finance, or a web server? Performing reconnaissance on the system helps the attacker learn how deep into an organization they have penetrated, if they need to move laterally, or if they’re reached their intended target. Some reconnaissance tools even allow an attacker to scan other systems, gathering information about them.
Steal usernames and passwords
The attacker got onto one machine, but it wasn’t the intended target. They’d compromised a computer belonging to someone in the engineering group, but the materials they were after resided on a shared server. To move laterally, they may want to try searching for login credentials on the system they’ve already compromised. Many RATs include the ability to scrape saved and cached passwords, and once the usernames and passwords are in hand, the attacker can attempt to log into the shared server.
Log keystrokes
The attacker scanned the compromised computer looking for the login credentials, but no luck. Good news? Yes, but it’s only a minor setback. Many RATs include information-stealing components like keyloggers, meaning all the attacker has to do is enable it, and wait for the user of the compromised system to log into the shared server. When they enter login credentials, the attacker can capture them, and later attempt to log into the server themselves.
Download further malware
The attacker was able to obtain login credentials; however, their attempt to log in failed. (Perhaps your company uses multi-factor authentication?) To get to that shared engineering server, the attacker is going to have to call in reinforcements. They’ve identified a vulnerability on the shared server, and they need an attack toolkit to exploit it and gain access. Given how networks vary widely, many RATS include the ability to download further tools to assist them in gaining further access. In this case, the RAT operates like a downloader, pulling down an attack toolkit that allows the attacker to progress.
Accessing and uploading files
The attacker managed to gain access to the shared server, traversed its directory structure, and located documents that outline your new product’s features. The next step is to exfiltrate those files. Most RATs contain the ability to upload files to a predetermined location. This is often done with help of a proxy or through a C2 infrastructure, thus covering the attacker’s tracks as they steal the documents in question.
Recording audio, video, and taking screenshots
There may be times that an attacker isn’t satisfied with simply stealing design docs. Perhaps they obtained a slide deck, but it lacks context in certain slides. In order to learn more, they might want to return their attention to the initially compromised computer and have the RAT to record audio and/or video. The RAT might overhear the engineer speaking to a coworker or capture a video of a presentation meeting that discusses the product. RATs can often take screenshots as well, capturing critical documents on display.
Other uses
This is just one scenario where a RAT could be used end-to-end in an attack. RATs can be used in other situations as well. For instance, what if an attacker is hoping to exfiltrate financial data? A RAT can be leveraged to scrape banking details from a compromised computer or collect credit card numbers using a keylogger.
What’s important to highlight is that most RATs provide command line access to the systems that have been compromised. If adequate administrative rights are gained on these computers, an attacker can use a RAT to do just about anything that he or she desires.
Notable RATs
RATs have been around for a long time, and many prominent RATs have come and gone. Some recent RATs that have been prevalent on the threat landscape include Orcus RAT and RevengeRAT, which have been used by a variety of threat actors. Another commonly seen RAT is ExileRAT, which has been used in attacks with possible espionage-related motives, and shares a C2 infrastructure with the LuckyCat family of threats.
Not all RATs are built from the ground up either. Some are semi-legitimate tools, repurposed or reconfigured for malicious use. Two such examples include Imminent RAT and Remcos.
There are a number of attack groups monitored by Talos Intelligence that use RATs in their malicious campaigns. The SWEED threat actor often used Agent Tesla, the Panda threat actor has been seen dropping Gh0st RAT, and the Tortoiseshell group, who was recently caught scamming veterans, uses a RAT called IvizTech.
To catch a RAT
So the attacker managed to get into your network and obtain your product plans this time. How do you prevent them from doing it next time?
Fortunately, there isn’t anything particularly special about the way a RAT gets onto a system. They’re distributed in much the same way as other types of malware: they’re sent by email, dropped by droppers, set up as the payloads for exploit kits, along with other common attack vectors. Consider the following:
A good endpoint protection application is very useful in protecting against RATs. AMP for Endpoints blocks malware at point of entry, then detects, contains, and remediates advanced threats.
Monitoring network traffic for unauthorized activity is also important. Cisco Stealthwatch is the most comprehensive visibility and network traffic security analytics solution that uses enterprise telemetry from the existing network infrastructure.
Many RATs encrypt their traffic, as we discussed in last month’s Threat of the Month blog, so be sure you can monitor such traffic as well. Encrypted Traffic Analytics provides insight into threats in encrypted traffic, without the need for decryption, using network analytics and machine learning.
Being able to connect to C2 domains is vital for many RATs to function. Blocking known malicious domains can go a long way in stopping a RAT in its tracks. Cisco Umbrella uses DNS to stop threats over all ports and protocols—even direct-to-IP connections—preventing connections to attacker’s servers.
Multi-factor authentication products can prevent an attacker from logging into a system if they manage to obtain login credentials. Verify users‘ identities with applications such as Cisco Duo.
A good email security solution, as well as a strong network perimeter, will help to ensure that RATs are blocked outright. Cisco Email Security is your best defense against such attacks via email, while Cisco’s Next-Generation Firewall can stop attacks at the network boundaries.
A web security appliance with data loss prevention (DLP) features will also assist in cases where a RAT gets in and is attempting to steal sensitive information through the network. The Cisco and Digital Guardian DLP solution is a high-performance, comprehensive security solution for data in motion.
Enjoyed reading this Threat of the Month? Subscribe to the Threat of the Month blog series and get alerted when new blogs are published.

Source:: Cisco Security Notice