Blog

Ironshare's latest posts ready to view and share.

Products and Services

Ironshare Partnerships

If you are an IT consultancy or Managed Services Provider and you’re interested in extending your portfolio to include cyber security consulting, then maybe we can help.

We offer a range of white label options on our services, meaning that you can sell our expertise on to your existing client base and earn extra margins by adding cyber security to your portfolio. Our delivery team will seamlessly integrate with and extend your capability, and you can expect the highest standards with a friendly and professional engagement at all times. We’ll work with you to develop specialist marketing materials with your own corporate branding, and ensure that our “Security, Simplified” message rings true throughout the engagement.

In terms of the financial arrangements, we are not interested in making a quick buck; we want long-term, lasting relationships – true partnerships. You sell into the customer, settle back and let us take on the work. What’s not to like? Complete the contact form to get in touch, and we will get back to you to discuss options for moving forward with a potential new partnership.

Benefits of partnering with Ironshare

  • Your business can earn extra margins by adding cyber security into your services portfolio
  • We can seamlessly integrate cyber security expertise into your team through our White Labelling option
  • We’ll provide a full suite of custom marketing material, datasheets and sales support
  • It demonstrates to your customer base that you take cyber security seriously
  • You’ll gain better visibility within your customer base as to upcoming projects and highlight potential opportunities to increase up-selling and cross-selling.

By Stuart Hare on 25/4/18

Products and Services

Why choose Ironshare?

We’ve been there ourselves, so we understand the need for you as a buyer to make an informed choice before any purchase. After all, you’re the ones who are going to have to live with the decision!

As Ironshare are registered Cisco partners, we focus predominantly on Cisco security solutions, but the truth of the matter is, those solutions might not be the best fit for you. We only want happy customers, so to address this our no-nonsense website explains the pros and cons of various products in an honest and transparent manner. We also go into greater depth with a series of easy-to-read articles about various Cisco solutions. Our aim is to provide information that gets to the point and gives prospective customers a better understanding of what’s right for them.

After reading these articles, you’ll be able to identify whether our services sound good to you, and if you want to start working with us, we aim to be flexible to your needs and keep everything as straightforward as possible.

Simple engagement of our services

"Try before you buy" - we offer a totally FREE and no-obligation 14-day trial. If you’re happy with what you see, then we make it super easy for you to proceed – simply fill in your details and requirements, and you’ll get an automated PDF quote delivered to your inbox within seconds.

We always strive to be flexible, so we also offer a monthly payment plan - if that works better for your business or organisation then let us know (there are no long contracts to worry about, unless you want them).

We help you get started

On top of any Cisco purchase, we also offer installation assistance and a ‘fully managed service’. For installation, we have a chat with you about your environment, and then give you tailored, detailed and easy to understand instructions on how to get your new Cisco product working. We provide telephone and remote support to get you up and running – usually within a few days.

We also look after everything else

Our ‘fully managed service’ is our core offering. With our cloud-based solutions, it enables us to take on the responsibility of running and maintaining your Cisco security products on a day-to-day basis. We will have regular conversations with your security or IT support staff to understand which threats concern you the most; after that, you leave it to us.

You will have no need to train staff on the use of the products, so they can get on with other work. We monitor the outputs and findings and identify where risks and issues exist within your estate. Our Cisco-qualified engineers will then give you specialist advice and let you know what you need to do to resolve and remove any threats to your company or organisation. Our service focuses on easy to understand, no-jargon reporting and remediation recommendations.

You will be up and running in no time

The speed of implementation is really decided by your own company’s change control practices. Our UK-based support team can help you get up and running, with worldwide coverage of your PCs, laptops and devices, in just minutes if your network environment is simple enough. For organisations with more complex networks and procedures it may take a while longer, but we will work with you every step of the way and help you through the on-boarding process.

Once deployed, Cisco Umbrella can protect all of your devices wherever they are being used: at home, in a hotel, or connected to an internet café Wi-Fi network, for instance. You can also manage access to different categories of websites for employees; as an example, this might be helpful if you have staff who spend long periods of time on social media during working hours.

Your users will have an advanced and intelligent layer protecting them from external viruses and threats, and if you also adopt Cisco AMP for Endpoints, it will give you control over anything that sneaks through the gaps via a rogue email, memory stick or some other means. You’ll be able to nip concerns in the bud quickly and prevent matters from escalating.

Our core values

As we’ve mentioned already, our aim is to give you expert advice, delivered in a no-nonsense and simple to understand format. In addition, the core values we pride ourselves on include being ‘efficient and flexible’: we need to add value for our customers, and we do this by having skilled and innovative staff who are professional, well-educated and trustworthy. Trust is so important to us; it might sound a bit cheesy, but really, what we say is what we do, and we maintain this attitude throughout all aspects of our services. We simply do whatever it takes to get the job done right for you.

We keep in touch throughout to make sure you stay happy!

Our aim is to become an extension of your security or IT team, and to ensure that we add maximum value. The Ironshare managed service comes with a dedicated Service Account Manager (SAM) and a Technical Account Manager (TAM). Both roles will keep in touch with you throughout the service via monthly or quarterly telephone meetings – you decide the frequency and we will be there! The service meetings offer a chance to discuss your overall customer experience and ensure you are getting what you want from the service.

On top of this you’ll have qualified analysts keeping tabs on your organisation and alerting you whenever we see anything that you need to know about. In addition to any specific security alerts, we’ll provide regular reports (at an agreed frequency), and more detailed advanced reporting is available as required.

All of our managed service clients get technical security support from their dedicated TAM, meaning that you have access to qualified specialist security advice whenever you want, on any number of topics. If you’ve had an incident of some kind, your TAM will advise on best practice and make clear recommendations on the best course of action to take. As a bonus, and as part of the service (as required), your TAM can arrange a security assessment of your organisation and report back the findings to help you identify areas of concern. Your TAM can also provide on-call support for any security incidents you experience, and provide training materials if you want your staff to be more hands-on.

We are in regular contact with Cisco themselves and often get early information about developments to the products we sell. For example, in the last 18 months Cisco Umbrella has been continually enhanced and improved, with a number of these improvements based on our feedback and engagement. We share any interesting product news directly with our customers via an exclusive newsletter, which also contains information about loyalty discounts on future service purchases.

All in all, we aim to keep our customers happy by focusing on you every day 😊

Our Managed Security Service – in Summary

  • Certified Cisco partners specialising in Security
  • No-nonsense honest and transparent approach
  • "Try before you buy" - totally FREE and no-obligation 14-day trial
  • Automated PDF quotes delivered to your inbox within seconds
  • Annual services with monthly payment plans available on request
  • Fast Installation support – we can get you up and running within a few days
  • Fully managed service - running and maintaining your industry proven Cisco security products on a day-to-day basis
  • Multiple tiers of managed service to ensure it meets your organisation’s size and requirements
  • Qualified analysts keeping tabs on your organisation and alerting you
  • Regular security reports available with advanced reporting an option as required
  • Easy to understand, no-jargon reporting and remediation recommendations
  • Protect all your devices in the office, at home, in a hotel or anywhere else
  • Manage and control access to different categories of websites for employees
  • Regular updates and early access to new functionality for managed products (where applicable)
  • No need to train staff – let us take the strain, so they can get on with other work
  • Dedicated Service Account Manager (SAM) and Technical Account Manager (TAM)
  • Monthly or quarterly telephone service review meetings
  • Technical security support that can be used to discuss any number of topics
  • Expert advice - delivered in a no-nonsense and simple to understand format
  • Skilled and innovative staff who are professional, well-educated and trustworthy
  • Advice on security best practices and clear recommendations on best course of action
  • Regular Security assessments for your organisation
  • Assessments will include a report of the findings and recommended actions as applicable
  • Our qualified engineers can identify security risks and issues within your estate
  • We’ll give you simple specialist advice on how to resolve issues
  • The assessment will include a security check of your company websites
  • It will also highlight exploitable gaps in services accessible from the Internet
  • We’ll check your company’s email accounts for compromise
  • Full Internal security assessments also available upon request
  • On-call support for any security incidents available
  • Training and materials can be made available if you want your staff to be involved and more hands-on
  • Exclusive customer newsletter
  • Discounts on future service purchases

Ironshare – Security, Simplified

For more information about Ironshare or our services, or if you have any other questions, please Contact Us here.

By Stuart Hare on 23/4/18

Products and Services
Technical Archives

Cisco’s Attack Continuum

Cisco’s Attack Continuum is the security model that underpins the Cisco Security portfolio and ties into the operation of AMP, Umbrella and other security products.

With today’s threat landscape looking nothing like it did a decade ago, Cisco felt it was time for a change in approach. Simple attacks have given way to more sophisticated cyber attacks delivered by cybercrime organisations and nation-state sponsored groups. These modern advanced attacks have become very difficult to detect; the attackers invest significant resources to launch them remotely and tend to stay present in a compromised network for extended periods of time. Industry figures put the average time to detect such a threat at around 100 days, meaning attackers can be present in your network for over three months.

Traditional security methods that rely purely on detection and blocking mechanisms, such as firewalls and anti-virus, are no longer sufficient to cope with the ever-evolving threats of today. The Cisco Attack Continuum looks to change this: it is a threat-centric approach to security that aims to deliver advanced threat protection, superior visibility and continuous control before, during and after an attack.

Before an Attack

The Before phase of the Attack Continuum looks to drive ‘Predictive and Preventative’ capabilities. Through the help of world class threat intelligence, the aim here is to provide Security staff with complete visibility and awareness into what’s on the network. By knowing what’s out there we can then develop security policies and configurations that will strengthen defences and reduce the attack surface, making it more difficult for the bad guys to compromise your network.

During an Attack

The During phase of the Attack Continuum focuses upon the ‘Preventative and Detective’ capabilities. This is where we need to take the awareness gained in the Before phase and act upon it, detecting malware that is present in your environments and having the controls in place to block it. We are not just looking to rely on traditional point-in-time detection and blocking methods here, but also consider historical patterns and behaviour, as well as global threat intelligence.

After the Attack

The After phase of the Attack Continuum focuses upon the ‘Detective and Response’ capabilities. In the event that a threat gets through your perimeter and evades the first line of your network defences, this is where you need retrospective security. Continuous monitoring of files, processes and network activity lets you understand what has happened and where, giving a look back in time to identify indications of compromise and enabling you to quickly respond to and remediate any issues discovered.

Cisco Solutions work together

Enforcing the Attack Continuum is achieved through Cisco products and solutions working together to provide enhanced levels of protection.

(Image: Cisco Attack Continuum product mapping)

The model maps each product to a phase, though be aware that products can deliver protection that spans the full attack continuum:

  • Before: Discover threats, enforce and harden policies, and prevent at the perimeter - using Cisco ASA 5500-X Series & Next-Generation Firewalls, NAC & Identity Services Engine.
  • During: Detect, block, and defend against attacks that have already penetrated the network and are in progress - using Next-Generation Intrusion Prevention Systems, and Email and Web Security.
  • After: Scope, contain, and remediate an attack to minimise damage - using Advanced Malware Protection, Threat Grid and Network Behaviour Analysis (StealthWatch).

Addressing the Attack Continuum with Cisco AMP

As mentioned above, Cisco products can protect across the full Attack Continuum, and AMP is no exception. AMP for Endpoints provides continuous analysis, retrospective security and point-in-time detection to protect against malware when it enters and if it evades initial inspection.

Before an attack, AMP uses global threat intelligence to strengthen defences, and analyses and detects vulnerable applications.

During an attack, AMP uses global threat intelligence, known file signatures and dynamic file analysis technology to block malware trying to infiltrate your organisation’s network. When AMP analyses a file and finds it to be malicious, it prevents it from executing.

After an attack, AMP continuously monitors and analyses all file activity, processes and communications. If a file starts acting maliciously, AMP will detect it, know where it came from and whether any other machines are affected. It provides retrospective alerts, indications of compromise, tracking and analysis, so security teams can respond and remove the threat quickly.

Addressing the Attack Continuum with Cisco Umbrella

Cisco Umbrella delivers predictive security at the DNS and IP layers, resulting in internet-wide visibility and protection. Umbrella prevents malware, phishing and C2 call-backs from compromising your systems or stealing data from your organisation over any port or protocol.

Before an attack, Umbrella acts as the first layer of defence, blocking threats before they reach the network or attached endpoints by preventing the user from ever connecting to the malicious site.

During an attack, Umbrella continues to learn from its global threat intelligence, updating the reputation of web sites as it discovers where threats are being staged from. Cisco Umbrella Investigate can also be used to analyse and understand the malicious domains and IPs used in an attacker’s infrastructure.

After an attack, Umbrella continues to protect your network and devices by preventing connections to Command and Control (C2) networks, ensuring that further infection and compromise is not successful.

Conclusion

Hopefully you can see how Cisco’s security model and its threat-centric approach can help your business to dramatically improve your security protection and significantly increase visibility and control, while reducing complexity, before, during and after an attack.

For more information on Cisco products or our services please get in touch by Clicking here.

Ironshare – Security, Simplified

By Stuart Hare on 22/4/18

Ransomware
Technical Archives

Ransomware: Arrow

Introduction to Arrow

In early March 2018, a new variant of ransomware called 'Arrow' was detected in the wild. Arrow belongs to the Dharma and CrySis family of ransomware and aims to encrypt files on the infected system, meaning that the data on a victim's computer is locked and unusable. Payment is demanded (via Bitcoin, to protect the cybercriminal's identity) before the ransomed data is decrypted and access returned to the victim. The name originates from the .arrow file extension that is added to the resulting encrypted files.

Analysis

Initial Infection

As with most ransomware, the initial infection is usually a stealthy operation, and the first warning is when the user is presented with a ransom demand page or image. This was consistent with Arrow's behaviour.

Although there is limited information currently available on this new strain, all the information we have come across suggests that the primary infection method is via phishing email campaigns containing malicious file attachments, with alternative theories pointing to fake ads and phishing websites. Unfortunately, these methods did not seem feasible for the infection we encountered. Our investigation focused on a Windows-based server running a specific role, with no mail clients or services. Initial thoughts led us to believe that an admin may have used a web-based email client, but there was no evidence to support this theory.

With the help of Shodan we identified three protocols that were accessible from the Internet on the compromised host: HTTP (TCP 80), Remote Desktop Protocol (TCP 3389) and Windows Remote Management (TCP 5985). Analysis of the use of these protocols confirmed that active connections had regularly been established over Remote Desktop Protocol (RDP) leading up to and during the infection. By reviewing the infection vectors of previous variants of this ransomware we found that CrySis had also used RDP to take control of and infect victims' PCs.

In addition to the protocol discovery, Shodan also gave the attacker the user IDs of a small number of administrator accounts that were still actively logged in to the server. This meant the attacker could move straight to password brute forcing without further user enumeration. It is unclear at this stage, but we believe that the attacker used a tool such as NLBrute to brute force the RDP credentials and gain access to the server.
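Detecting this kind of RDP credential attack in the Windows Security log, as an added example that is not part of the original Ironshare post: failed logons (event 4625) from one source address are counted in a sliding window, and a later successful interactive logon (event 4624, LogonType 10) from the same address is flagged. The records are constructed to resemble Security log fields; every address, user and timestamp is invented.

```python
"""Flag RDP brute force followed by a successful logon, from Windows Security
event records (4625 = failed logon, 4624 = successful logon).

Added example, not code from the original post.  The records below are
constructed to mimic Security log fields; every address, user and timestamp
is invented.  With Network Level Authentication enabled, failed RDP logons
are commonly recorded with LogonType 3 rather than 10, so both are treated
as failures here; a success is only counted when it is an interactive RDP
session (LogonType 10).
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: a burst of failures from one address, then a success.
SAMPLE_EVENTS = [
    {"time": "2018-03-10T02:00:01", "id": 4625, "logon_type": 3, "user": "administrator", "src": "203.0.113.10"},
    {"time": "2018-03-10T02:00:04", "id": 4625, "logon_type": 3, "user": "administrator", "src": "203.0.113.10"},
    {"time": "2018-03-10T02:00:07", "id": 4625, "logon_type": 3, "user": "administrator", "src": "203.0.113.10"},
    {"time": "2018-03-10T02:00:09", "id": 4625, "logon_type": 3, "user": "administrator", "src": "203.0.113.10"},
    {"time": "2018-03-10T02:00:12", "id": 4625, "logon_type": 3, "user": "administrator", "src": "203.0.113.10"},
    {"time": "2018-03-10T02:00:15", "id": 4625, "logon_type": 3, "user": "administrator", "src": "203.0.113.10"},
    {"time": "2018-03-10T02:00:40", "id": 4624, "logon_type": 10, "user": "administrator", "src": "203.0.113.10"},
    # Benign noise: one typo by an internal admin, and a network (SMB-style) logon.
    {"time": "2018-03-10T02:05:00", "id": 4625, "logon_type": 10, "user": "jsmith", "src": "10.0.0.25"},
    {"time": "2018-03-10T02:05:10", "id": 4624, "logon_type": 10, "user": "jsmith", "src": "10.0.0.25"},
    {"time": "2018-03-10T02:06:00", "id": 4624, "logon_type": 3, "user": "svc-backup", "src": "10.0.0.30"},
]


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=10),
                          failure_types=(3, 10), success_type=10):
    """Return alerts in time order.

    An 'rdp_bruteforce' alert is raised once a source reaches `threshold`
    failed logons within `window`; an 'rdp_success_after_bruteforce' alert is
    raised for every later interactive RDP success from a flagged source.
    """
    ordered = sorted(events, key=lambda e: datetime.fromisoformat(e["time"]))
    recent = defaultdict(deque)   # src -> timestamps of failures inside the window
    flagged = set()
    alerts = []
    for e in ordered:
        t = datetime.fromisoformat(e["time"])
        src = e["src"]
        if e["id"] == 4625 and e["logon_type"] in failure_types:
            q = recent[src]
            q.append(t)
            while q and t - q[0] > window:      # slide the window forward
                q.popleft()
            if len(q) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append({"type": "rdp_bruteforce", "src": src,
                               "failures": len(q), "user": None, "time": e["time"]})
        elif e["id"] == 4624 and e["logon_type"] == success_type and src in flagged:
            alerts.append({"type": "rdp_success_after_bruteforce", "src": src,
                           "failures": len(recent[src]), "user": e["user"], "time": e["time"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_EVENTS):
        print(alert)
```

On a real host the same fields come from the IpAddress, TargetUserName and LogonType values in the 4625/4624 event data (exported, for example, with Get-WinEvent); the threshold and window are tuning parameters and the ones above are only illustrative.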

Access gained, Malware dropped

Once one of the accounts was compromised, the attacker gained administrative access to the server and proceeded to install two pieces of software:

  • Process Hacker 2: a legitimate open-source sysadmin tool that allows the user to monitor system activity and kernel state, and to control system processes and services.
  • IObit Unlocker: a lightweight, easy to use utility that helps with moving, copying, renaming and deleting locked or in-use files.

Tools such as these are commonplace with attackers: they ensure that processes are killed and files are unlocked, so that the ransomware's encryption process succeeds. The dropped malware came in the form of two main files, the payload and the ransom notice.

  • 1.exe was the malicious payload for the ransomware. When launched, Arrow performs a scan of the local system and encrypts the files that match its target criteria. The process excludes system files so that the operating system is still able to function.
  • Info.hta was the second file dropped. This file is the ransom demand notice, and contains email addresses to contact the attackers as well as a unique victim ID.

As each file is encrypted the filename is appended with the victim ID and the email address that is included in the ransom demand, before finishing with .arrow, e.g.:

example-file.pdf.id-[victimID].[e-mail].arrow

Each folder that contains encrypted files also includes a single text file named 'FILES ENCRYPTED'. This file contains a warning note that all files have been locked.

(Image: sample of the Arrow ransom note)

In addition to the above, Arrow also silently deletes all Volume Shadow Copies and backups that are present on the host, using the following command:

vssadmin delete shadows /all /quiet

The Ransom

As shown in the note, Bitcoin is used as the method of payment for gaining access to the decryption keys, although there is no Bitcoin wallet information included in the demand. No fixed price is included either, with the demand stating that the price will depend on how quickly you contact them. Multiple email addresses for the attacker were included in the demand notice that we observed:

rigopril123[@]cock.li
rigopril123[@]tutanota.com

(Image: Arrow ransom demand)
Registry

Multiple registry entries were added or modified during the installation of the software components and the Arrow ransomware.

Process Hacker 2:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Process_Hacker2_is1

IObit Unlocker:
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IObit Unlocker_is1

To ensure the ransomware keeps running across reboots, an entry is added under the following key:
HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN

(Images: screenshots of the registry entries listed above)

Sample extraction

At the time of writing there was little in the way of information or valid samples available in the community. As part of our investigation we extracted samples of both files mentioned above and submitted them to Cisco AMP / Threat Grid for file analysis. The image below shows an extract from the report for 1.exe.

(Image: extract from the Threat Grid report for 1.exe)

Recommended Recovery & Mitigation

We recommend:

  • Ensure that management protocols such as RDP and WinRM are not accessible from the internet.
  • Always use a remote access VPN service to connect to the internal network before using such management protocols.
  • Since access in this case was gained by brute forcing RDP credentials, enforce account lockout and strong, unique passwords on any account permitted to log in remotely.
  • Do not try to manually remove the infection; if possible, perform a complete restore from backup.
  • Implement an offline backup plan so that data can be restored in the event of compromise.
  • Ensure that firewall policies are effectively configured, allowing access only to required IPs, ports and protocols.
  • Implement an effective patch management process that regularly applies security updates to your endpoints and infrastructure.

Customers running Next-Gen endpoint protection such as Cisco Advanced Malware Protection will be able to detect and block this threat.

Conclusion

Arrow ransomware is an extremely dangerous, high-risk threat to both personal and corporate devices. Standard detection methods such as host-based anti-virus and network intrusion prevention were not capable of detecting this threat. Contrary to information on some sites, current removal tools are not effective against this variant. Decryption keys and tools are also not currently available (outside of paying the ransom). If you become a victim of ransomware, Ironshare do not recommend paying the ransom, as attackers are not obliged to respond or provide the decryption keys to recover your files.

Indications of Compromise (IOCs)

IOCs are used to assess whether a system has been infected with malware. These indicators can be anything from a file, IP address or a particular behaviour. IOCs help us understand the threat in order for us to better protect our systems.

URL's & domains:

During our investigation there were no URLs or domains observed in association with this threat.

Associated Files & Hashes:

Filename: 1.exe
SHA256: 5cac87ce35db568b9649dd7f463a564b5640688b29b933845a17b2d3150e68b40

Filename: info.hta
SHA256: 8841af89afd57dba4d563032e0570416848045e8b358a34ae43647b7fd2185a4

IP Addresses:

We witnessed RDP requests and connections from the following public IP addresses:

76[.]8.251.170
69[.]70.58.150
50[.]203.188.118
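The file naming scheme and 'FILES ENCRYPTED' note described in the analysis section, together with the file hashes listed above, make a simple host IOC scan. This is an added example and not code from the original post: it walks a directory tree, parses the id-/e-mail/.arrow naming pattern, looks for the ransom note and compares SHA-256 digests against the listed hashes, rejecting any listed hash that is not 64 hex characters instead of silently never matching it. The demo tree it builds is constructed (dummy file contents, an invented victim ID); the e-mail address in the sample file name is the one quoted in the ransom note.

```python
"""Host IOC scan for the Arrow ransomware indicators described above.

Added example, not code from the original post.  The demo tree built by
build_sample_tree() is constructed: file contents are dummy bytes and the
victim ID is invented; the e-mail in the encrypted file name is the one quoted
in the ransom note.
"""
import hashlib
import os
import re
import tempfile

# Hashes as listed in the post's IOC section; verify them against your own
# sample before relying on them.
ARROW_SHA256 = {
    "1.exe": "5cac87ce35db568b9649dd7f463a564b5640688b29b933845a17b2d3150e68b40",
    "info.hta": "8841af89afd57dba4d563032e0570416848045e8b358a34ae43647b7fd2185a4",
}
RANSOM_NOTE_NAMES = {"FILES ENCRYPTED", "Info.hta", "info.hta"}

# <original name>.id-<victim id>.[<e-mail>].arrow
ARROW_NAME_RE = re.compile(
    r"^(?P<original>.+)\.id-(?P<victim>[^.\[\]]+)\.\[(?P<email>[^\]]+)\]\.arrow$",
    re.IGNORECASE,
)


def valid_sha256(h):
    """True only for a well-formed SHA-256 hex digest (64 hex characters)."""
    return re.fullmatch(r"[0-9a-fA-F]{64}", h) is not None


def sha256_file(path, chunk=1 << 20):
    """Stream the file so large documents are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def parse_arrow_name(filename):
    """Split an Arrow-encrypted file name into its parts, or None if it is not one."""
    m = ARROW_NAME_RE.match(filename)
    return m.groupdict() if m else None


def scan_tree(root, known_hashes):
    """Walk `root` and collect hash hits, encrypted files and ransom notes."""
    result = {"hash_hits": [], "encrypted": [], "notes": [],
              "bad_hashes": [n for n, h in known_hashes.items() if not valid_sha256(h)]}
    wanted = {h.lower() for h in known_hashes.values() if valid_sha256(h)}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            parsed = parse_arrow_name(name)
            if parsed:
                result["encrypted"].append({"path": path, **parsed})
            if name in RANSOM_NOTE_NAMES:
                result["notes"].append(path)
            if sha256_file(path) in wanted:
                result["hash_hits"].append(path)
    return result


def build_sample_tree():
    """Create a constructed directory resembling a hit folder; returns (root, demo_hash)."""
    root = tempfile.mkdtemp(prefix="arrow-demo-")
    os.makedirs(os.path.join(root, "Documents"))
    enc_name = "Q1-report.xlsx.id-1A2B3C4D.[rigopril123@cock.li].arrow"
    payload = b"constructed stand-in for the dropped payload"
    for rel, data in [
        (os.path.join("Documents", enc_name), b"\x00constructed ciphertext\x00"),
        (os.path.join("Documents", "FILES ENCRYPTED"), b"all your data has been locked\n"),
        (os.path.join("Documents", "readme.txt"), b"untouched file\n"),
        ("1.exe", payload),
    ]:
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)
    # Hash of the stand-in, so the demo can show a hash hit without a real sample.
    return root, hashlib.sha256(payload).hexdigest()


if __name__ == "__main__":
    root, demo_hash = build_sample_tree()
    report = scan_tree(root, {**ARROW_SHA256, "demo 1.exe": demo_hash})
    for key, items in report.items():
        print(key, items)
```

The bad_hashes list is worth printing before any sweep: an IOC that cannot match is a silent blind spot, not a clean result.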

By Stuart Hare on 28/3/18

Security Advisory Archives

Cisco ASA / FTD Firewall Critical Vulnerability (CVE-2018-0101)

On January 29th 2018 Cisco published a Critical vulnerability advisory for the Cisco ASA and FTD firewall software which, if exploited, could allow an unauthenticated attacker to cause a remote reload of the device (denial of service) or to execute code remotely on it.

This CVE has been assigned a CVSS score of 10. CVSS is scored from 0 to 10, with 10 being the most severe rating.

This vulnerability affects the SSL VPN feature on all models of the Cisco ASA and Firepower security appliances. In order to exploit this vulnerability the appliance must have the webvpn feature globally configured, with webvpn enabled on at least one interface. Cisco has released software updates to address this vulnerability, and it is worth noting that there are no workarounds available. It is highly recommended that you upgrade to the latest fixed version of software for your product as soon as possible.

UPDATE: Since our original post Cisco have performed further investigations and determined that additional features and attack vectors related to VPN, HTTP and HTTPS services are also vulnerable.
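The exposure condition from the original advisory (webvpn configured globally and enabled on at least one interface) can be checked mechanically against a saved running-config. The following is an added example, not code from this post or from Cisco: it treats only a top-level `webvpn` line as opening the global block, so the indented `webvpn` sub-mode inside a group-policy does not count, and it separately reports whether the management HTTP server is switched on, since the update above widened the affected features to HTTP and HTTPS services. Both configuration fragments are constructed and the interface, profile and image names are invented. An empty result is a reason to read the updated advisory, not proof that a device is safe.

```python
"""Check an ASA running-config for the exposure condition in the original
CVE-2018-0101 advisory: 'webvpn' configured globally and enabled on at least
one interface.

Added example, not code from the post or from Cisco.  The two configuration
fragments are constructed; interface, profile and image names are invented.
"""
import re

# Constructed: SSL VPN enabled on the outside interface.
CONFIG_VULN = """\
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
!
http server enable
http 192.0.2.0 255.255.255.0 inside
!
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-example.pkg 1
 anyconnect enable
 tunnel-group-list enable
!
group-policy GroupPolicy_SSLVPN internal
group-policy GroupPolicy_SSLVPN attributes
 vpn-tunnel-protocol ssl-client
 webvpn
  anyconnect profiles value SSLVPN_profile type user
!
"""

# Constructed: webvpn appears only as a group-policy sub-mode, never enabled globally.
CONFIG_NOT_ENABLED = """\
interface GigabitEthernet0/0
 nameif outside
 security-level 0
!
group-policy GroupPolicy_SSLVPN attributes
 webvpn
  anyconnect profiles value SSLVPN_profile type user
!
"""


def webvpn_enabled_interfaces(config_text):
    """Interfaces named in 'enable <nameif>' lines of the global webvpn block.

    Only a top-level 'webvpn' line (no leading space) opens the block; the
    indented 'webvpn' sub-mode under a group-policy does not enable SSL VPN.
    """
    interfaces = []
    in_webvpn = False
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if not line.startswith(" "):            # a new top-level command
            in_webvpn = line == "webvpn"
            continue
        if in_webvpn:
            m = re.fullmatch(r" enable (\S+)", line)
            if m:
                interfaces.append(m.group(1))
    return interfaces


def http_server_enabled(config_text):
    """True if the management HTTP/HTTPS server (used by ASDM) is switched on."""
    return any(l.strip() == "http server enable" for l in config_text.splitlines())


def assess(config_text):
    """Summarise the exposure conditions found in a config."""
    ifaces = webvpn_enabled_interfaces(config_text)
    return {
        "webvpn_interfaces": ifaces,
        "webvpn_condition_met": bool(ifaces),
        "http_server_enabled": http_server_enabled(config_text),
    }


if __name__ == "__main__":
    for label, cfg in (("vulnerable", CONFIG_VULN), ("not enabled", CONFIG_NOT_ENABLED)):
        print(label, assess(cfg))
```

Feed it the output of show running-config saved to a file; whether a given software release is actually fixed is a separate question answered by the version tables in the Cisco advisory linked below.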

Full advisory details, including how to determine whether your device is vulnerable and how to find the fixed software release, are located at the following links:

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180129-asa1

https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-0101

CVE Entry: CVE-2018-0101

CVSS Score: Base 10.0

By Stuart Hare on 31/1/18


Ironshare is a provider of Information and Cyber Security services.
