Tag Archives: botnet

Cisco’s Cyber Solutions – What Is Happening In Your Network

Today’s threat landscape is loaded with malicious websites, malware and other risks that attack users every nanosecond of the day. There isn’t a single product available that can guarantee protection from cyber threats, and older solutions that rely on static technologies such as signatures are not good enough. The best approach for dealing with advanced threats is continuous monitoring of the entire network through layered security technologies.

Cisco is known for network and collaboration products; however, Cisco also has a very strong security catalog that extends beyond traditional firewalls and IPS appliances. If I had to summarize Cisco’s core visibility technologies for cyber threats, I would highlight Cisco’s capabilities around Access Control, Web Security and its partnership with Lancope for Insider Threats.

Access Control is critical for knowing who and what is accessing your network, regardless of whether it’s the LAN, wireless or remote access using VPN technology. Cisco Identity Services Engine (ISE) provides visibility of users accessing the network by leveraging how people authenticate along with profiling what types of devices are being used. The screenshot below shows two users with mobile devices obtaining different levels of wireless access. Cisco ISE can also verify that devices meet specified policies by enforcing posture prior to granting network access, for example ensuring that Joey’s Windows 7 laptop has the latest updates and security applications installed.

Cisco ISE showing Android with Contractor access and iPhone with Employee mobile access

Profiled devices in my home lab. “Apple-Device” is a Mac mini hosting ISE via “VMWare-Device”

Some default profiles for Cisco ISE.

Web Security is crucial for protecting internal users from threats while surfing the public Internet. Cisco Web Security Appliance (WSA, previously IronPort) provides visibility of Internet usage as well as security through layered technologies. Network use policies, such as denying gambling web content during work hours, can easily be enforced through Cisco WSA’s categorized content classes.

Cisco WSA Content Dashboard

The real value of Cisco WSA is going beyond average web content filtering by offering layers of security options that protect users accessing approved content. The first layer verifies whether the web source is a known malicious location based on reputation. Reputation is built from factors such as where the source is located, how long it has been up and whether it has been marked as a source of malicious activity. If the web source has a safe reputation, WSA scans the traffic with a combination of Sophos, McAfee and Webroot engines along with other intelligence, looking for malicious behavior. There is also a botnet scanner that sits on a SPAN port, designed to catch users whose devices have been compromised and are generating malware phone-home activity. The botnet scanner is a first step towards identifying insider threats, but it is not good enough on its own.
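To make the layering concrete, here is an added Python model of the verdict flow just described. It is not Cisco or WSA code: the reputation scores and their -10..+10 scale, the block and trust thresholds, the three stand-in content engines, the beaconing heuristic and the connection records are all assumptions constructed for this illustration.

```python
"""Layered web-security verdict, as an added toy model (not Cisco WSA code).

Layer 1: a reputation lookup decides block / allow / scan.
Layer 2: 'grey' content is scanned by several stand-in engines.
Layer 3: a separate layer 4 check looks for beaconing (phone-home) from
internal hosts on non-web ports.
All scores, thresholds, engine patterns and records are constructed assumptions.
"""
from collections import defaultdict
import re
import statistics

# Constructed reputation feed: host -> score on an assumed -10..+10 scale.
REPUTATION = {
    "news.example.com": 7.5,
    "cdn.example.net": 2.0,
    "free-downloads.example.org": -3.0,
    "evil.example.biz": -8.0,
}
BLOCK_BELOW = -6.0   # assumed threshold: scores below this are blacklisted
TRUST_ABOVE = 6.0    # assumed threshold: scores at or above this are whitelisted


def reputation_tier(host):
    """Unknown hosts get a neutral score and therefore land in the grey 'scan' tier."""
    score = REPUTATION.get(host, 0.0)
    if score < BLOCK_BELOW:
        return "block"
    if score >= TRUST_ABOVE:
        return "allow"
    return "scan"


# Stand-in content engines: each is a byte pattern of the kind a real engine
# might carry as a signature (constructed here, not vendor signatures).
ENGINES = {
    "engine_a": re.compile(rb"eval\(unescape\("),
    "engine_b": re.compile(rb"^MZ"),
    "engine_c": re.compile(rb"document\.write\(String\.fromCharCode"),
}


def scan_body(body):
    """Return the names of every engine that flags the response body."""
    return [name for name, pattern in ENGINES.items() if pattern.search(body)]


def web_verdict(host, body):
    """Apply reputation first, then scan only grey traffic, as the post describes."""
    tier = reputation_tier(host)
    if tier != "scan":
        return (tier, "reputation")
    hits = scan_body(body)
    if hits:
        return ("block", "malware:" + ",".join(hits))
    return ("allow", "scanned-clean")


# Constructed outbound connection records: (seconds, src, dst, dport).
CONNECTIONS = (
    [(t, "10.0.5.21", "203.0.113.66", 6667) for t in range(0, 3600, 300)]  # every 5 min
    + [(10, "10.0.5.40", "198.51.100.10", 443),
       (900, "10.0.5.40", "198.51.100.10", 443),
       (2200, "10.0.5.40", "198.51.100.12", 443)]
)


def phone_home_suspects(conns, min_count=6, max_jitter=0.2):
    """Flag (src, dst, port) tuples that beacon at a steady cadence on non-web ports.

    Web ports are left to the proxy layers above; a real layer 4 monitor would
    watch every port, but restricting the example keeps the signal obvious.
    """
    by_key = defaultdict(list)
    for ts, src, dst, port in conns:
        if port not in (80, 443):
            by_key[(src, dst, port)].append(ts)
    suspects = []
    for (src, dst, port), times in sorted(by_key.items()):
        if len(times) < min_count:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        # Regular intervals (low jitter relative to the mean) look like beaconing.
        if mean > 0 and max(abs(g - mean) for g in gaps) <= max_jitter * mean:
            suspects.append((src, dst, port, round(mean)))
    return suspects


if __name__ == "__main__":
    for host, body in [("evil.example.biz", b""), ("cdn.example.net", b"eval(unescape('%41'))")]:
        print(host, web_verdict(host, body))
    print(phone_home_suspects(CONNECTIONS))
```

Running the file prints a verdict per host and the beaconing suspects. One caveat the model makes visible: content from whitelisted hosts skips the scanning layer entirely, so a trusted site that starts serving malicious advertisements is only caught once its reputation catches up, which is why the post argues for the layer 4 monitor and insider-threat visibility on top of the proxy.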

Cisco WSA Main Dashboard

Cisco WSA Threat Dashboard

True insider threat visibility can only be accomplished by monitoring all internal traffic for threats that can compromise your network through email, web, infected devices or other means. Cisco has partnered with Lancope to give network-wide forensic visibility by leveraging capabilities that already exist within networking products such as routers, switches and firewalls, as well as in the datacenter. Administrators can use Lancope’s Stealthwatch to see the top 10 threats, which range from Data Loss to Botnet infections.

Main Lancope Cyber Security Dashboard

(Top 4 machines infected with botnets)
Ethel’s Windows 7 Workstation With Botnet

Ethel’s Workstation communicating with malicious source

Lancope identifies threats using a combination of reputation and behavior, regardless of whether the threat attempts to hide by throttling, encryption or interacting through multiple compromised systems. Some examples are flagging a user dumping large amounts of data to Dropbox, communication with known malware web sources, host-to-host reconnaissance and use of obscure ports. Lancope can zero in on a threat by stitching together the entire communication chain, meaning an administrator will see a map of all infected devices, how the infection started, who the users are (including Cisco ISE integration), where it’s spreading and how it’s sending traffic off the network. Lancope also gives visibility into abuse of network resources, unauthorized tunneling and problems in network performance.
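The behaviors listed above can be expressed as rules over flow records. The following Python is an added example, not Lancope or Stealthwatch code: the NetFlow-style records, the 10.0.0.0/8 internal range, the reputation blocklist, the byte and peer-count thresholds, the list of “common” ports and the ISE-style IP-to-user map are all constructed assumptions. It also shows the chain stitching the paragraph describes: from the known-bad source to the internal host that contacted it, that host’s user, and the hosts it has gone on to probe.

```python
"""Flow analytics in the style described above, as an added example that is
not Lancope/Stealthwatch code. Reputation and behaviour rules run over
constructed NetFlow-style records, then flagged hosts are stitched into a
propagation chain using a constructed ISE-style IP-to-user map.
All addresses, thresholds, the blocklist and the user map are assumptions."""
from collections import defaultdict
import ipaddress

INTERNAL = ipaddress.ip_network("10.0.0.0/8")
KNOWN_BAD = {"203.0.113.66"}                            # constructed reputation blocklist
COMMON_PORTS = {22, 25, 53, 80, 123, 443, 445, 3389}    # anything else counts as obscure
UPLOAD_LIMIT = 500 * 1024 * 1024                        # bytes out per (src, dst) before flagging
RECON_PEERS = 8                                         # distinct internal peers before flagging
IDENTITY = {"10.0.5.21": "ethel", "10.0.5.40": "joey"}  # constructed ISE-style identity map


def sample_flows():
    """Constructed flows: (src, dst, dport, bytes_out)."""
    flows = [
        ("10.0.5.40", "198.51.100.10", 443, 700 * 1024 * 1024),  # large upload to a file-sharing host
        ("10.0.5.21", "203.0.113.66", 6667, 4096),               # known bad source on an odd port
        ("10.0.5.21", "203.0.113.66", 6667, 2048),
        ("10.0.5.30", "10.0.5.31", 31337, 90000),                # single obscure-port flow
    ]
    flows += [("10.0.5.21", f"10.0.5.{i}", 445, 120) for i in range(50, 62)]  # 12 peers probed
    return flows


def is_internal(ip):
    return ipaddress.ip_address(ip) in INTERNAL


def analyse(flows):
    """Return sorted, de-duplicated (rule, src, detail) alerts."""
    alerts = set()
    out_bytes = defaultdict(int)
    peers = defaultdict(set)
    for src, dst, port, nbytes in flows:
        if dst in KNOWN_BAD:
            alerts.add(("known_malware_source", src, dst))
        if port not in COMMON_PORTS:
            alerts.add(("obscure_port", src, f"{dst}:{port}"))
        if is_internal(src) and not is_internal(dst):
            out_bytes[(src, dst)] += nbytes          # candidate data loss
        elif is_internal(src) and is_internal(dst):
            peers[src].add(dst)                      # candidate host-to-host recon
    for (src, dst), total in out_bytes.items():
        if total > UPLOAD_LIMIT:
            alerts.add(("data_loss", src, dst))
    for src, dsts in peers.items():
        if len(dsts) >= RECON_PEERS:
            alerts.add(("host_recon", src, f"{len(dsts)} internal peers"))
    return sorted(alerts)


def infection_chain(flows, alerts):
    """Stitch known-bad source -> internal host that talked to it -> hosts it probed."""
    contacted = defaultdict(set)
    probed = defaultdict(set)
    for src, dst, _port, _bytes in flows:
        if dst in KNOWN_BAD and is_internal(src):
            contacted[dst].add(src)
        elif is_internal(src) and is_internal(dst):
            probed[src].add(dst)
    recon_hosts = {src for rule, src, _ in alerts if rule == "host_recon"}
    chain = {}
    for bad, hosts in contacted.items():
        for host in hosts:
            chain[host] = {
                "user": IDENTITY.get(host, "unknown"),
                "source": bad,
                "probing": sorted(probed[host]) if host in recon_hosts else [],
            }
    return chain


if __name__ == "__main__":
    flows = sample_flows()
    found = analyse(flows)
    for alert in found:
        print(alert)
    print(infection_chain(flows, found))
```

With the constructed data, Ethel’s workstation is flagged three ways (known malware source, obscure port, host reconnaissance) and the chain output names her, the external source and the twelve hosts she is probing, while Joey’s large upload is reported as data loss but, having no link to a known-bad source, does not appear in the chain.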

Lancope Data Loss Diagram
Malware Propagation Diagram

Purple IP has infected green IP, which is probing other systems
Known Botnet Sources via Reputation

Combining Access Control, Web Security and Insider Threat technology gives administrators complete visibility of what is happening on the network. There is a lot of power in having reports showing every user and device on the network, how those devices access the public Internet and near real-time analytics on whether any of those devices have been compromised. This information can dramatically improve identification of and reaction to cyber threats, saving time, money and other problems caused by network breaches.


Filed under Internet Defense, Network Admission Control, Security Management & Analysis

Why you should NOT use File Sharing services such as LimeWire and UTorrent : How to hide Malware / Rootkits in legitimate software.

Free file sharing services such as LimeWire, FrostWire and UTorrent are, in most forms, illegal (note: there are legal sources; however, this post is focusing on file-sharing of pirated content). The cost of music, software and other applications is becoming more expensive to accommodate lost revenue caused by piracy spread through file sharing. As the price goes up to make up lost revenue, more people join file sharing networks. It’s a vicious cycle. There is, however, a more important reason besides ethics, law and cost not to be involved with file sharing services. Like my mother used to say … “nothing is free in this world”. Most of the pirated goods from file sharing you believe are free actually come at a very high price to your system and privacy.

Nuclear RAT rootkit

There are many malicious applications used by hackers to gain access to a system. The worst form is a rootkit. Rootkits gain full control of a system without the victim’s knowledge and are typically very hard to detect and remove. Many popular rootkits include covert channel communication tools to hide phone-home attempts from modern security tools. The rootkit example above is called Nuclear RAT (a Remote Access Tool found at nuclearwintercrew.com). The image is the RAT server GUI that manages connections from rootkits placed on systems. Some spy options include seeing the victim’s screen, logging keystrokes, controlling the mouse, opening a remote shell and so on (see images). There are options to hide the RAT, such as Melt Server (deletes the executable) and Stealth Shell Folders, so you won’t see it running. Once installed, an attacker owns your system.



Filed under General Security

Web Security Offerings From Cisco: Comparing Cisco NEW CX to IronPort Web Security Appliance WSA

Today’s Internet is a dangerous place. Imagine a small village with law and order surrounded by a wall, keeping out miles of ungoverned, ruthless territory. The known websites surfed daily by your users make up a small percentage of the total Internet. The remaining 80% or more of uncategorized websites are contaminated with botnets, malware and short-lived websites targeting your users. Many of these malicious websites are embedded in trusted sites such as social networks, hiding in advertisements or silly links posted by your friends. The best protection for this threat vector is limiting Internet usage to trusted websites and monitoring those websites for malicious applications.

The most common method to protect users while surfing the Internet is leveraging a web security solution. I wrote a post about this HERE. Cisco has two web security flavors: a dedicated proxy and an application firewall add-on. The dedicated proxy, known as the Web Security Appliance (WSA), came from the acquisition of IronPort. Cisco replaced the McAfee-based content filter module for its ASA firewalls with an application-aware addition known as CX (Context-Aware). There are many overlapping features between the two approaches; however, there is a clear distinction as to when to choose one over the other.

Both CX and WSA provide the features expected from a web security solution. Both offer the ability to monitor and control what types of websites are available to users based on categories (for example Adult, Hate, Gambling, etc.). Both include reputation controls, meaning the ability to blacklist known malicious websites (more on reputation HERE). Both can limit or deny traffic types based on user groups, such as denying Skype, throttling download speeds and targeting specific applications (for example permitting Facebook while denying FarmVille for employees 9am-5pm). Both solutions can scale beyond the internal network by using VPNs to route traffic from remote users.

CX Dashboard

CX Web Categories

IronPort WSA Categories

WSA Reputation Score Settings

Features offered by IronPort but not included with CX are focused on what happens after traffic passes reputation and content policies. WSA offers anti-malware scanning licenses for McAfee, Sophos and Webroot for any traffic tagged as “grey”, meaning traffic that passes the reputation blacklist but is not considered completely trusted or “white-listed”. These signature-based verdict engines are licensed separately and can be stacked to provide a wide range of scanning capability. WSA also offers a dedicated layer 4 botnet scanner targeting phone-home communication from infected machines. These additional features provide more layers of defense beyond common application firewall technologies, including Cisco CX.

Some other differences are based on the design and implementation of WSA and CX. The WSA is a dedicated proxy, which can be deployed using inline proxy settings on the hosts or by directing network traffic to the WSA using WCCP. The CX uses policy maps to route traffic seen by an ASA through the CX addition. WSA includes caching to improve network performance. WSA can direct traffic through a DLP solution, adding network-based DLP scanning (a possible roadmap item is including DLP in the appliance as an add-on license, similar to the IronPort Email Security Appliance). Cisco roadmaps show IronPort offerings will include a virtualized option in the near future. Probably the most important CX design consideration is that today a Cisco ASA 5500X can leverage either CX or IPS, but not both simultaneously. CX is also not available on some ASA 5500X models, such as the 5585-40s and 5585-60s. Expanding CX to other ASA models and dual IPS/CX support are roadmap items at this time.

To summarize, it’s best to consider Cisco CX for essential web security, meaning content filtering and reputation-based protection. The CX is also a viable option if you don’t require IPS from your ASA 5500X. WSA is suited for comprehensive web security, meaning content filtering, reputation protection, malware scanning and layer 4 botnet awareness. WSA is also a dedicated proxy, providing performance benefits as well as design options such as including Data Loss Prevention. If you want your ASA to include IPS functionality, today you will need to consider a WSA to handle web security. Hopefully this post helps with distinguishing when to choose CX or IronPort WSA.


Filed under Internet Defense

Cyber Crime Is A Well Funded Enterprise. A Look At Who Is Hacking You

Some people believe those behind cyber crime are disgruntled teenage hackers looking to cause chaos for fun. In some cases that may be true; however, the majority of cyber crime is performed by well-funded organized criminals. Yes, I’m talking about the Godfather-like people who robbed banks and distributed narcotics on the street corner prior to the computer age. Organized crime realized it’s faster to automate an attack against millions of virtual targets than to physically deal with criminal activity. Who is really behind cyber crime and how do they operate? Let’s take a look at a case study of popups to understand the cyber crime organization.

Cyber criminals behind popups can for the most part be looked at as two separate groups. The first group is the well-funded mafia. They develop fake Viagra as well as other illegal narcotics. The second group is the hackers. They identify ways to compromise systems and take advantage of people’s data. The mafia utilizes hackers to push people to their products. They offer attractive compensation packages to hackers who can capture large audiences through automated attacks. Studies show organized crime may pay a hacker a portion of sales every week, tax-free. A working vulnerability could compromise millions of systems in a short time, and a small percentage of that number could quickly add up to large profits for all criminal parties.

A study by the Cisco IronPort team tested this concept by ordering Viagra from a phony pharmacy. The team identified the phony pharmacy by clicking a popup from a botnet and ordered Viagra like a standard customer. They called a support line to test customer service, which was polite and extremely helpful. After a few days, a package showed up containing a Russian coupon magazine. Viagra was taped to a page inside the magazine. This is how the drugs were being smuggled past customs. After testing, the IronPort team found the Viagra to be 110% legit, including a logo stamped on each pill. The team received a follow-up call asking about the quality of the product and whether more was desired. The overall experience was receiving a better product than commercial stores at half the cost.

The IronPort team visited the mailing address of the phony pharmacy and found an abandoned building. When they reverse engineered the advertisement popup, they identified a botnet advertising for spamit.com. Research revealed spamit.com to be a criminal entity paying hackers to advertise the phony pharmacy by any means. The picture below shows a spamit payment system compensating for purchases led through spam. The image was captured by the IronPort team while posing as a hacker looking to advertise through spamit.com.

(Screenshot: spamit.com payment system)

Cyber crime is an organized business and is winning the war against security professionals. Cyber criminals have more funding and fewer restrictions than the companies developing solutions to stop them. Cyber criminals have research and development laboratories that purchase and dissect the solutions we use to prevent them from breaching our systems. Cyber crime pays a lot more than legitimate organizations, which means they have first-class talent. Cyber crime is automated, and criminal activity is performed across borders through zombie systems that hide the creators. Who is attacking you? It’s not Zero Cool from the movie “Hackers”; it’s the Corleone crime family from The Godfather.



Filed under General Security