Cisco’s Attack Continuum is the Security model that underpins the Cisco Security portfolio and ties in to the operation of AMP, Umbrella and other security products.With today’s threat landscape looking nothing like it did a decade ago, Cisco felt it was time for a change in approach. Simple attacks have given way to more sophisticated cyber attacks delivered by cybercrime organisations, and nation state sponsored groups.These modern day advanced attacks have become very difficult to detect, they use significant amounts of resources to launch these attacks remotely and tend to stay present in a compromised network for extended periods of time. The industry has calculated that it takes on average 100 days for these threats to be detected, resulting in attackers being present in your network for over three months.Our normal security methods that purely rely on detection and blocking mechanisms alone, such as firewalls and anti-virus, are no longer sufficient to cope with the ever-evolving threats of today.The Cisco Attack Continuum looks to change this, it is a threat-centric approach to security that aims to deliver Advanced Threat Protection, Superior Visibility and Continuous control, Before, During and After an attack.
The Before phase of the Attack Continuum looks to drive ‘Predictive and Preventative’ capabilities. Through the help of world class threat intelligence, the aim here is to provide Security staff with complete visibility and awareness into what’s on the network. By knowing what’s out there we can then develop security policies and configurations that will strengthen defences and reduce the attack surface, making it more difficult for the bad guys to compromise your network.
The During phase of the Attack Continuum focuses upon the ‘Preventative and Detective’ capabilities. This is where we need to take the awareness gained in the Before phase and act upon it, detecting malware that is present in your environments and having the controls in place to block it. We are not just looking to rely on traditional point-in-time detection and blocking methods here, but also consider historical patterns and behaviour, as well as global threat intelligence.
The After phase of the Attack Continuum focuses upon the ‘Detective and Response, capabilities. In the event that a threat gets through your perimeter and evades the first line of your network defences, this is where you need retrospective security. Continuous monitoring of files, processes and network activity, lets you understand what has happened where, giving a look back in time to identify Indications of compromise and enable you to quickly respond and remediate any issues discovered.
Enforcing the Attack Continuum is achieved through Cisco products and solutions working together to provide enhanced levels of protection.
The graphic above shows how each product fits into the model. Be aware though that products can deliver protection that spans the full attack continuum.Before: Discover threats, enforce and harden policies, and prevent at the perimeter - using Cisco ASA 5500-X Series & Next-Generation Firewalls, NAC & Identity Services Engine.During: Detect, block, and defend against attacks that have already penetrated the network and are in progress - using Next-Generation Intrusion Prevention Systems, and Email and Web security.After: Scope, contain, and remediate an attack to minimize damage - using Advanced Malware Protection, Threat Grid and Network Behaviour Analysis (StealthWatch).
As mentioned above Cisco products can protect across the Full Attack Continuum, and AMP is no exception. AMP for Endpoints provides continuous analysis, retrospective security and point-in-time detection to protect against Malware, when it enters and if it evades initial inspection.Before an attack, AMP uses global threat intelligence to strengthen defences, and analyse and detect vulnerable applications.During an attack, AMP uses the global threat intelligence, known file signatures, and dynamic file analysis technology to block malware trying to infiltrate your organisations network. When AMP analyses a file that is found to be malicious it prevents it from executing.After an attack, AMP continuously monitors and analyses all file activity, processes, and communications. If a file is detected as acting maliciously, AMP will detect it and know where it came from and if any other machines are affected. It will provide retrospective alerts, indications of compromise, tracking, and analysis, so security teams can respond and remove the threat quickly.
Cisco Umbrella delivers predictive security at the DNS and IP layers, resulting in internet wide visibility and protection. Umbrella prevents malware, phishing and C2 call-backs from comprising your systems or stealing data from your organisation over any port or protocol.Before an attack, Umbrella acts as the first layer of defence, blocking threats before they reach the network or attached endpoints, by preventing the user from ever connecting to the malicious site.During an attack, Umbrella continues to learn from its global threat intelligence, updating the reputation of web sites, as it discovers where the threats are being staged from. Cisco Umbrella Investigate can also be used to analyse and understand the malicious domains and IPs used in an attacker’s infrastructure.After an attack, Umbrella continues to protect your network and devices by preventing connections to Command and Control (C2) networks, ensuring that further infection and compromise is not successful.
Hopefully you can see how Cisco’s Security model and its threat-centric approach can help your business to dramatically improve your security protection, significantly increase visibility and control, while reducing complexity, before, during and after an attack.For more information on Cisco products or our services please get in touch by Clicking here.Ironshare – Security, Simplified
By
Stuart Hare
on
22/4/18
In early March 2018, a new variant of Ransomware was detected in the wild, called 'Arrow'. Arrow is linked with the Dharma and CrySis family of viruses and aims to encrypt files on the infected system, meaning that the data on a victim's computer is locked and unusable.Payment is demanded (via Bitcoin to protect the cybercriminal's identity) before the ransomed data is decrypted and access returned to the victim.The name originates from the .arrow file extension that is added to the resulting encrypted files.
As with most Ransomware, the initial infection is usually a stealthy operation, and the first warning is when the user is presented with a ransom demand page or image. This was consistent with Arrow's behaviour.Although there is limited information currently available related to this new strain, all information that we have come across suggests that the primary infection method is via phishing email campaigns containing malicious file attachments, with alternate theories stating fake ads and phishing websites.Unfortunately, these methods did not seem feasible with the infection we encountered. Our investigation focused on a Windows based server running a specific role, with no mail clients or services. Initial thoughts led us to believe that an admin may have used a web based email client but there was no evidence to support this theory.With the help of Shodan we identified three protocols that were accessible from the Internet to the compromised host; HTTP (TCP 80), Remote Desktop Protocol (TCP 3389), and Windows Remote Management (TCP 5985). Analysis into the use of these protocols confirmed that active connections had been regularly established over Remote Desktop Protocol (RDP) leading up to and during the infection. By reviewing the infection vectors of the previous variants of this ransomware we found that CrySis had also used RDP to take control and infect victim's PC's.In addition to the protocol discovery, Shodan also provided the attacker with the user ID's for a small number of administrator accounts, that were still actively logged in to the server. This meant the attacker could move straight to password brute forcing without further user enumeration. It is unclear at this stage but we believe that the attacker used a tool such as NLBrute to perform the brute forcing of the RDP credentials and gain access to the server.
Once one of the accounts was compromised, the attacker gained administrative access to the server and proceeded to install two pieces of software:
Tools such as these are commonplace with attackers, they ensure that processes are killed and files are unlocked, in order to make certain that the encryption process of the Ransomware is successful.The dropped malware came in the form of two main files, the payload and the ransom notice.
As each file is encrypted the filename is appended with the victim ID and email address that is included in the ransom demand, before finishing with .arrow.E.g. 'example-file.pdf.id-[victimID].[e-mail].arrow'Each folder that contains the encrypted files also includes a single text file named 'FILES ENCRYPTED'. This file contains a warning note that all files have been locked.
In addition to the above, Arrow also silently deletes all Volume Shadow Copies and backups that are present on the host. The following command was used:vssadmin delete shadows /all /quiet
As displayed, Bitcoin is used as the method of payment for gaining access to the decryption keys, although there is no Bitcoin wallet information included in the demand.No fixed price is included either, with the demand stating that the price will depend on how quickly you contact them.Multiple email addresses for the attacker were included in the demand notice that we observed:rigopril123[@]cock.lirigopril123[@]tutanota.com
Multiple registry entries were added or modified during the installation of the software components and the Arrow Ransomware.Process Hacker 2HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Process_Hacker2_is1
IObit UnlockerHKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IObit Unlocker_is1
To ensure continued running of the Ransomware the following are added:HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
At the time of writing there was little in the way of information or valid samples available in the community.As part of our investigation we have extracted samples of both files mentioned above and submitted them to Cisco AMP / Threat Grid for file analysis.The image below shows an extract from the Report for 1.exe.
We recommend:
Customers running Next-Gen endpoint protection such as Cisco Advanced Malware Protection will be able to detect and block this threat.
Arrow Ransomware is an Extremely Dangerous and High Risk threat to both personal and corporate devices.Standard detection methods such host based Anti-Virus and network Intrusion Prevention were not capable of detecting this threat.Contrary to information on some sites, current removal tools are not effective with this variant.Decryption keys and tools are also not currently available (outside of paying the ransom).If you become a victim of ransomware Ironshare do not recommend paying this ransom as attackers are not obliged to respond or provide the decryption keys to recover your files.
IOCs are used to assess whether a system has been infected with malware. These indicators can be anything from a file, IP address or a particular behaviour. IOCs help us understand the threat in order for us to better protect our systems.
During our investigation there were no URLs or domains observed in association with this threat.
Filename: 1.exeSHA265: 5cac87ce35db568b9649dd7f463a564b5640688b29b933845a17b2d3150e68b40Filename: info.htaSHA265: 8841af89afd57dba4d563032e0570416848045e8b358a34ae43647b7fd2185a4
We witnessed RDP requests and connections from the following public IP addresses:76[.]8.251.17069[.]70.58.15050[.]203.188.118
By
Stuart Hare
on
28/3/18
On January 29th 2018 Cisco published a Critical Vulnerability advisory for the Cisco ASA and FTD firewall code, that if exploited could allow an unauthenticated attacker to perform a remote reload of the device (Denial of Service) or launch a Remote Code Execution attack.
This CVE has been assigned a CVSS score of 10. CVSS is scored from 0 to 10, with 10 being the most severe rating.
This vulnerability affects the SSL VPN feature for all models of the Cisco ASA and Firepower Security appliances. In order to exploit this vulnerability the appliance must have the webvpn feature globally configured, with webvpn having at least one interface enabled in its configuration. Cisco has released software updates to address this vulnerability, and it is worth noting that there are no current workarounds available. It is highly recommended that you upgrade to latest fixed version of software for your product, as soon as possible.
UPDATE: Since our original post Cisco have performed further investigations and determined that there are now additional features and threat vectors related to VPN, HTTP and HTTPS services that are vulnerable.
Full advisory details, including how to determine if your device is vulnerable, and how to find the fixed release of software, are located at the following links: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180129-asa1
https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-0101
CVE Entry: CVE-2018-0101
CVSS Score: Base 10.0
By
Stuart Hare
on
31/1/18
No results found.
