Tag Archives: botnets

March 4, 2013

Cisco’s Cyber Solutions – What Is Happening In Your Network

Today’s threat landscape is loaded with malicious websites, malware and other risks that attack users every nanosecond of the day. There isn’t a single product available that can guarantee protection from cyber threats. Older solutions leveraging static technologies such as signatures are not good enough. The best approach for dealing with advanced threats is continuously monitoring the entire network through layering security technologies.

Cisco is known for network and collaboration products however Cisco also has a very strong security catalog that extends beyond traditional firewalls and IPS appliances. If I had to summarize Cisco’s core visibility technologies for cyber threats, I would highlight Cisco’s capabilities around Access Control, Web Security and partnership with Lancope for Insider Threats.

Access Control is critical for knowing who and what is accessing your network regardless if it’s the LAN, Wireless or remotely using VPN technology. Cisco Identity Services Engine ISE accomplishes visibility of users accessing the network by leveraging how people authenticate along with profiling what types of devices are being used. The screenshot below shows two users with mobile devices obtaining different levels of wireless access. Cisco ISE can also verify if devices meet specified polies by enforcing posture prior to providing network access meaning ensure Joey’s windows 7 laptop has the latest updates and security applications installed.

Cisco ISE showing Android with Contractor access and iPhone with Employee mobile access

Profiled devices in my home lab. “Apple-Device” is a MACMINI hosting ISE via “VMWare-Device”

Some default profiles for Cisco ISE.

Web Security is crucial for protecting internal users from threats while surfing the public Internet. Cisco Web Security Appliance WSA (previously Ironport) provides visibility of Internet usage as well as security through layered technologies. Network use policies such as denying gambling web content during work hours can easily be enforced through Cisco WSA’s categorized content classes.

Cisco WSA Content Dashboard

The real value of Cisco WSA is going beyond average web content filtering by offering layers of security options that protect users accessing approved content. The first layer is verifying if the web source is a known evil location based on reputation. Reputation can be factors such as where it’s located, how long it’s been up or if it has been marked as a source for malicious activity. If the web source has a safe reputation, WSA scans traffic with a combination of Sophos, McAfee and Webroot engines along with other intelligence looking for malicious behavior. There is also a botnet scanner that sits on a spam port designed to capture users that happen to get compromised and have malware phone home activity from their devices. The botnet scanner is a first step towards identifying insider threats but not good enough.

Cisco WSA Main Dashboard

Cisco WSA Threat Dashboard

True insider threat visibility can only be accomplished by monitoring all internal traffic for threats that can compromise your network through email, web, infected devices or other means. Cisco has partnered with Lancope to give network wide forensic visibility leveraging capabilities that exist within networking products such as routers, switches and firewalls as well as in the datacenter. Administrators can use Lancope’s Steathwatch to see the top 10 threats that range from Data Loss to Botnet infections.

Main Lancope Cyber Security Dashboard

(Top 4 machines infected with botnets)
Ethel’s Windows 7 Workstation With Botnet

Ethel’s Workstation communicating with malicious source

Lancope identifies threats using a combination of reputation and behavior regardless if the threat attempts to hide by throttling, encryption or interact through multiple compromised systems. Some examples are flagging a user dumping large amounts of data to dropbox, communication with known malware web sources, host-to-host reconnaissance and use of obscure ports. Lancope can zero in on a threat by stitching together the entire communication chain meaning an administrator will see a map of all infected devices, how the infection started, who the users are (including Cisco ISE integration), where its spreading and how its sending traffic off the network. Lancope also gives visibility into abusing network resources, unauthorized tunneling and problems in network performance.

Lancope Dataloss Diagram
Malware Propagation Diagram

Purple IP has infected green IP which is probing other systems
Known Botnet Sources via Reputation

Combing Access Control, Web Security and Insider Threat technology gives administrators complete visibility of what is happening on the network. There is a lot of power having reports showing every user and device on the network, how those devices access the public Internet and near real-time analytics on if any of those devices have been compromised. This information can dramatically improve identification and reaction to cyber threats saving time, money and other problems caused by network breaches.

Rating: 0.0/5 (0 votes cast)

2 Comments

Filed under Internet Defense, Network Admission Control, Security Management & Analysis

Tagged as 802.1x, Access Control, anti-virus, botnet, botnets, Cisco, cisco cyber, Cisco NAC, cisco security solutions, cisco web security appliance, Clean Access, Compliance, computer threats, content filter, cyber threat defense, Flow, Guest Server, Home, Identity Services Engine, insider threats, iPad, iPhone, ironport, ISE, ISE.1.1, ISE1.0, ISE1.2, Joey, Joey Muniz, joseph, joseph muniz, LanCope, malicious websites, malware, McAfee, Muniz, NAC, NAC appliance, netflow, network access control, network security, network threats, network visibility, prime, Profiler, reputation security, Security, security with NetFlow, Sophos, Stealth Watch, StealthWatch, top network threats, virtual wsa, virus protection, web reputation, web security, webroot, wsa

August 15, 2012

Web Security Offerings From Cisco: Comparing Cisco NEW CX to IronPort Web Security Appliance WSA

Today’s Internet is a dangerous place. Imagine a small village with law and order surrounded by a wall keeping out miles of ungoverned ruthless territory. Most known websites surfed daily by your users make up a small percentage of the total Internet. The remaining 80% or more of uncategorized websites are contaminated with Botnets, malware and short-lived websites targeting your users. Many of these malicious websites are embedded in trusted sites such as social networks by hiding in advertisements or silly links posted by your friends. The best protection for this threat vector is limiting Internet usage to trusted websites and monitoring those websites for malicious applications.

The most common method to protect users while surfing the Internet is leveraging a web security solution. I wrote a post about this HERE. Cisco has two web security flavors, which are a dedicated proxy and application firewall add-on. The dedicated proxy, known as the Web Security Appliance (WSA) came from the acquisition of IronPort. Cisco replaced its content filter module for their ASA firewalls based on McAfee technology with an application aware addition known as CX Context-Aware. There are many overlapping features between the two approaches however there is a clear distinction when to choose one over the other.

Both CX and WSA provide features expected from a web security solution. Both CX and WSA offer the ability to monitor and control what type of websites are available for users based on categories (examples Adult, Hate, Gambling, etc.). Both CX and WSA include reputation controls meaning ability to blacklist known malicious websites (more on reputation HERE). Both CX and WSA can limit or deny traffic types based on user groups such as denying Skype, throttle download speeds and target specific applications (example permitting Facebook while denying Farmsville for employees 9am-5pm). Both solutions can scale beyond the internal network using VPNs to route traffic from remote users.

CX DASHBOARD (click to see larger)

CX Web Categories

IronPort WSA Categories

WSA Reputation Score Settings

Features offered by IronPort not included with CX are focused on what happens after traffic passes reputation and content policies. WSA offers anti-malware scanning licenses for McAfee, Sophos and Webroot for any traffic tagged as “grey” meaning traffic that passes the reputation blacklist but not considered completely trusted or “white-listed”. These signature-based verdict engines are licensed separately and can be stacked to provide a wide range of scanning capability. WSA also offers a dedicated layer 4 Botnet scanner targeting phone home communication from infected machines. These additional features provide more layers of defense beyond common application firewall technologies including Cisco CX.

Some other differences are based on the design and implantation of WSA and CX. The WSA is a dedicated proxy, which can be deployed using host inline proxy settings or directing network traffic to the WSA using WCCP. The CX uses policy maps routing traffic seen by an ASA through the CX addition. WSA includes caching to improve network performance. WSA can direct traffic through a DLP solution adding network based DLP scanning (A possible roadmap is including DLP in the appliance as a add-on license similar to the IronPort Email Security Appliance). Cisco roadmaps show IronPort offerings will include a virtualized option in the near future. Probably the most important CX design consideration is today Cisco ASA 5500X can either leverage CX or IPS however not both simultaneously. CX is also not available on some ASA 5500X models such as 5585-40s and 5585-60s. Expanding CX to other ASA models and dual IPS CX support are roadmap items at this time.

To summarize, its best to consider Cisco CX for essential web security meaning content filtering and reputation based protection. The CX is also a viable option if you don’t require IPS from your ASA 5500X. WSA is suited for Comprehensive web security meaning content filtering, reputation protection, malware scanning and layer 4 botnet awareness. WSA is also a dedicated proxy providing performance benefits as well as design options such as including Data Loss Prevention. If you desire your ASA to include IPS functionality, today you will need to consider a WSA to handle web security. Hopefully this post helps with distinguishing when to choose CX or IronPort WSA.

Rating: 5.0/5 (4 votes cast)

2 Comments

Filed under Internet Defense

Tagged as 5585, 5585-20, 5585-40, 5585-X, Adaptive Security Appliances, anti-malware, anti-virus, application, application firewall, application firewalls, asa, blue coat, Bluecoat, botnet, botnet scanner, Botnet Threat Mitigation, botnets, Cisco, cisco cx, Compliance, context-aware, CX, Data Loss Prevention, DLP, ESA, Home, Iron Port, ironport, Joey, Joey Muniz, joseph, joseph muniz, layer 4 scanner, layer 7 firewall, layer 7 firewalls, malware, malware defense, mobile, mobile device, MSA, Muniz, network security, palo alto, palo alto networks, proxy, S-Series, S170, S370, S670, secure facebook, Security, security apps, web proxy, web security, web security appliance, web sense, web washer, websense, World Wide Technology, world wide technology inc., wsa, wwt

July 25, 2012

RSA NetWitness: An Anatomy Of An Attack

Here is a post from my friend Aamir Lakhani’s blog about RSA NetWitness. The original can be found at Cloud Centrics (http://www.cloudcentrics.com/). Really good post on NetWitness.

RSA NetWitness

RSA NetWitness is a unique solution that captures, store and analyze network data traffic. This gives you the able to see exactly what comes in and goes out of the network in real time . In simple terms, RSA offers to you a Network CCTV. Not only that, NetWitness also allows you to see the traffic in action as it reconstructs the data that flows through the network into its original format according to its own type or application. This helps you strengthen your security measures by taking appropriate action. On top of that, since all traffic is captured and stored, you will be able to go back to a particular period of time and conduct historical data analysis. Nothing escapes undetected.

RSA NetWitness delivers an innovative fusion of hundreds of log data sources with external threat intelligence to enterprises; enabling extraordinary broad and high-speed visibility into the critical information needed to help detect targeted, dynamic and stealthy attack techniques.

Why is it important?

NetWitness records all network activity. The benefits of this forensic analysis cannot be matched by any other product. NetWitness will truly allow you to investigate what happened on the network.

More importantly, since NetWitness sees and records everything on the network, it is very easy for the product to detect threats as they are occurring. This gives administrators an opportunity to stop attacks before they cause damage on the network.

Recording all network activity with forensic accuracy and analyzing current threats in real time provides situational awareness and insight for threats on existing infrastructure devices. Typically, when systems are discovered to be compromised, the systems are imaged, and software is reinstalled. However, many people don’t actually figure out the root cause of the problem. How did the system originally get compromised and what measures should be used to prevent it from happening again? In addition, if one machine is compromised, chances are high that others will be as well.

Why are these attacks difficult to detect? The answer is that these threats originate from the inside, or trusted areas of the network. The most common network threats involve a failure in internal security. This includes APTs, Botnets, Phishing attacks, social network information leakage, and product patches.

Security fails and systems get breached because many people do not take the threat seriously or make an effort to learn about it. It takes a proactive approach to be secure and protected against threats.

Furthermore, many organizations have processes in place that actually do more harm than good. These procedures that are supposed to help an organization’s security posture degrade it instead. This is partly to do with people and attitude, but also partly to do with outdated ways of thinking about security mixed with inadequate technologies.

Anatomy of an attack

Here is an example: Zeus was a popular attack last year that stole and spread through internal networks. Zeus is a Trojan horse that steals banking information by Man-in-the-browser, keystroke logging and Form Grabbing. Zeus spread mainly through drive-by downloads and phishing schemes.

Zeus was successful because it was a well-crafted phishing attack. Victims received an email that looked interesting to them. They were instructed to download a report from what appeared to be a legitimate website. In reality, the report was a Trojan horse that allowed attackers to control the victim’s system. The hosting website was in China.

A capture (report) from NetWitness showed that the originating server of Zeus went to a command and control server in China. The program that the user downloaded allowed attackers from the Chinese server to have control of the users’ system. From that point on, it was trivial for them to exploit other systems on the users’ network.

Most anti-virus agents did not detect Zeus. Later, Zeus disabled anti-virus agents using a variety of schemes – mostly by redireiting anti-virus updates to a 127.0.0.1 IP address.

Since NetWitness recorded all network traffic, it recorded what systems were compromised, communications with systems in China, and what was being transferring. When internal systems initiate a connection and transfer files, NetWitness captures that traffic.

NetWitness is the only security tool that provides complete visibility on a network. It shows when attacks are occurring in real-time and gives an organization the ability to detect and stop those attacks.

Rating: 5.0/5 (2 votes cast)

3 Comments

Filed under Security Management & Analysis

Tagged as Aamir Lakhani, advanced persistent threat, APT, botnets, CCTV, Cloud Centrics, Compliance, Continuous Controls Monitoring, continuous monitoring, Continuous Monitoring Architecture, Continuous Monitoring Solution, Data Loss Prevention, data traffic, DLP, EMC security, end point management, forensics, Home, http://www.cloudcentrics.com/, information leakage, Informer, Investigator, Joey, Joey Muniz, joseph, joseph muniz, keyloggers, lan security, malware, malware defense, Muniz, NetWitness, NetWitness Investigator, network forensic, network forensics, network security, nextgen, pen testing, Penetration Testing, phishing, phishing attack, phishing defense, RSA, Security, Security Information And Event Management, SEM, SIEM Technology, siemlink, SIM, Spectrum, trojan horse, visualize, World Wide Technology, world wide technology inc., wwt

October 3, 2011

What Malicious Traffic Is On Your Network? Use Free Tools To Find Out : Wireshark and NetWitness

How secure is your home or corporate network? Many administrators believe they are protected behind layers of security solutions such as firewalls, IPS/IDS appliances, endpoint security products, content filters, SIEMs, etc. Regardless of your investment in security technology there will always be risk, which dramatically increases as soon as people are included in the equation. One way to verify your risk level is to become the hunter rather than hunted by scanning all traffic on your network for malicious behavior. You may be surprised to find an unpatched server leaking sensitive information through hidden ports or bots hidden on your personal computer phoning home in the middle of the night!

There are vendors and consultants that can offer scanning services, which usually are extremely pricey but worth every penny. Regardless, some of us don’t have the budget or would like to test our home network and can’t justify purchasing enterprise level technology for one or two computers. For those use cases, there are open source tools available for performing packet captures. One of the most widely used open source tools is Wireshark. Wireshark provides detailed information about network traffic down to the packet level. Unfortunately many administrators don’t understand the information being displayed by protocol analyzers such as Wireshark. For some people it’s like staring at the matrix code, which only trained security analyst are capable of seeing the blond, brunette and redheads. NetWitness offers a free threat analysis tool called NetWitness Investigator that quickly translates a large packet capture session into readable data. For example, Investigator may reveal your home network is sending large amounts of data to other countries, which is a pretty good indicator that you have a problem.

Using WireShark:

You can download WireShark from HERE

Once downloaded and installed, open WireShark
Click capture from the top menu.
You will see the capture options
Choose the interface you want to capture (Ethernet, wireless, etc.)
Tune things as you see fit or leave them default and click start
You should see packets flowing on the screen. If not, you have not selected a live interface.
One way to see which interfaces are seeing data is clicking capture followed by capture interfaces. You will see which interfaces see packets via the counters.
Once your done, save your capture and move to NetWitness.

Using NetWitness Investigator:

You can download NetWitness Investigator from HERE

Once downloaded and installed, open NetWitness Investigator
Right click the left column under Demo Collection and select new local collection
Give it a name and click OK
Click your new folder and select import packets
Select your wireshark capture.
Double click the folder and your capture will be presented
Click any selection on the left to dive deeper into your capture.
Look for odd behavior such as weird ports, destinations, countries, etc.

It’s important to test the security status of your network. Many malicious applications are designed by hackers to be hidden using stealthy techniques that can’t be seen without a packet capture tool. Both Wireshark and NetWitness Investigator are free yet powerful tools you can use to detect communication from hidden malicious applications.

Rating: 3.0/5 (2 votes cast)

2 Comments

Filed under Security Management & Analysis

Tagged as botnets, bots, contextual analysis, ethereal, Investigator, Joey, Joey Muniz, joseph, joseph muniz, Live capture, malicious applications, malware, Muniz, NetWitness, NetWitness Investigator, network assessment, network protocol analyzer, open source, open source tools, packet capture, packet capture tool, protocol analyzer, protocol analyzers, riverbed technology, RSA, scan for malware, scan for viruses, threat analysis, threat analysis application, virus, viruses, Wireshark, World Wide Technology, world wide technology inc., wwt

September 19, 2011

Internet Defense Technology : Web Proxy / Content Filter / Application Firewalls

The web is a dangerous place so its extremely important to have web proxy / content filter technology protecting users that access it. I had a roommate years ago who purchased a computer and within hours had every virus, malware and what not clogging his new machine. I’m sure he didn’t have the best surfing habits however that doesn’t mean the average user is less likely to be infected. What most people don’t realize about websites is they are like a Paint By Numbers canvas leveraging other websites to fill in the colors. For example, if you see a RealAudio video on a website, guess what … you have surfed both that embedded video’s website and the host website. The same goes when there are hidden links that download malicious malware on what you believe is a safe website.

The standard defense for Internet based threats is a web proxy / content filter solution or similar features imbedded in a firewall, IDS/IPS or SAS offering. The baseline solutions offer Content Filtering meaning the ability to monitor or block web content that violates specified policy. The major players do this well (Bluecoat, Websense, McAfee, Iron Port, etc.) by grouping web content into categories. For example, an administrator can deny all adult websites by blocking the adult category, which is an up-to-date list of the known adult sites. Smaller players work like an access-list manually blacklisting websites, which is a nightmare to manage. In the end, this is a commodity feature for the real players and should come standard for web proxy / content filter solutions with little management to maintain content categories.

Besides denying policy, web security / content filter solutions should have a method to check web traffic for threats. Many vendors offer anti-virus, anti-malware and content scanners that look for malicious traffic inline by redirecting network traffic through a web security / content filter or by endpoint proxy settings forcing endpoint web traffic to the security solution. Some verify content for hidden attack vectors in a closed environment prior to permitting access to the website (also known as sand-boxing). The best web security / content filter solutions offer a mix of signature and behavior sources since no single source can cover the entire gamut of web attacks properly. It’s also important that the web proxy / content filter solution is capable of viewing https IE secure channels or you will miss end user traffic that is encrypted.

Reputation or website “credit scores” is becoming a popular factor utilized by web security / content filter solutions. My blog on this subject explains this HERE. Reputation is key for speeding up the security process since many harmful websites can be denied based on reputation rather than scanning and identifying threat signatures or malicious behavior. I’ve used solutions such as IronPort Web Security Appliance (WSA) and usually 90-95% of the websites denied are identified as malicious based on reputation rather than passing the reputation check and caught by other security defenses.

The final point about securing access to the Internet is to consider email and web as equal targets since they are the most common cyber attack vectors. Web proxy / content filters need the same investment as Email Security and must be designed as a unified solution. I’ve had customers say “we get phishing attacks that send clean emails with links to malicious websites”, which users clicking the links is a Web Security vulnerability … not email. Other investments should be made in post compromised technology such as botnet / malware detection technology (Netwitness, Wireshark, Ironprot WSA botnet scanner, FireEye sandbox technology, etc.), Data Loss Prevention and host based security. No solution is a silver bullet so a layered defense will dramatically reduce risk if the overall design compliments each solution rather than operates individually.

Rating: 4.5/5 (2 votes cast)

9 Comments

Filed under Internet Defense

Tagged as anti-malware, anti-virus, application firewall, application firewalls, blue coat, Bluecoat, botnet, botnets, Cisco, Cisco IronPort, content filter, Data Loss Prevention, DLP, fireeye, GTI Proxy, Internet based threats, Internet Defense, internet security, Iron Port, ironport, Joey, Joey Muniz, joseph, joseph muniz, layer 7 firewall, layer 7 firewalls, malware defense, McAfee, Muniz, palo alto, palo alto networks, phishing defense, popup defense, Security, spam defense, stop spam, stopping botnets, stopping popups, Symantec, symnatec email proxy, web defense, web proxy, web security, web sense, websense, World Wide Technology, world wide technology inc., wwt

August 26, 2011

Cyber Crime Is A Well Funded Enterprise. A Look At Who Is Hacking You

Some people believe people behind Cyber Crime are disgruntled teenage hackers looking to cause chaos for fun. In some cases that may be however the majority of Cyber Crime is performed by well-funded organized criminals. Yes, I’m talking about the godfather like people who robbed banks and distributed narcotics on the street corner prior to the computer age. Organized crime realized it’s faster to automate an attack against millions of virtual targets rather than physically deal with criminal activity. Who is really behind Cyber Crime and how do they operate? Lets take at look at a case study of popups to understand the Cyber Crime organization.

Cyber criminals behind popups can for the most part be looked at as two separate groups. The first group is the well-funded mafia. They develop fake Viagra as well as other illegal narcotics. The second group is the hackers. They identify ways to compromise systems and take advantage of people’s data. The Mafia utilizes hackers to push people to their products. They offer attractive compensation packages to hackers who can capture large audiences through automated attacks. Studies show organized crime may pay a hacker a portion of sales every week tax-free. A working vulnerability could compromise millions of systems in a short time which having a small percent of that number could quickly add up to large profits for all criminal parties.

A study by the Cisco IronPort tested this concept by ordering Viagra from a phony pharmacy. The team identified the phony pharmacy by clicking a popup from a botnet and ordered Viagra like a standard customer. They called a support line to test customer service, which was polite and extremely helpful. After a few days, a package showed up containing a Russian coupon magazine. Viagra was taped to a page inside the magazine. This is how the drugs were being smuggled passed customs. After testing, the IronPort team found the Viagra to be 110% legit including a logo stamped on each pill. The team received a follow up call asking about the quality of the product and if more was desired. The overall experience was receiving a better product than commercial stores at half the cost.

The IronPort team visited the mailing address of the phony pharmacy and found an abandoned building. When they reversed engineered the advertisement popup, they identified a botnet advertising for spamit.com. Research reveled spamit.com as a criminal entity paying hackers to advertise the phony pharmacy by any means. This picture shows a spamit payment system compensating for purchases led through spam. The image below was captured by the IronPort team while posing as a hacker looking to advertise through spamit.com.

Cyber Crime is an organized business and winning the war against security professionals. Cyber criminals have more funding and less restrictions than companies developing solutions to stop them. Cyber criminals have research and development laboratories that purchase and dissect the solutions we use to prevent them from breaching our systems. Cyber Crime pays a lot more than legit organizations, which means they have first class talent. Cyber Crime is automated and criminal activity is performed across boarders through Zombie systems hiding the creators. Who is attacking you? It’s not zero cool from the movie “hackers”, it’s the Corleone crime family from The Godfather.

Rating: 0.0/5 (0 votes cast)

3 Comments

Filed under General Security

Tagged as advanced persistent threat, adware, APT, botnet, botnets, china hackers, Cisco, computer crime, computer virus, cyber attacks, cyber crime, cyber security, cyber warfare, fake viagra, hacker, hackers, hacking, ironport, Joey Muniz, joseph, joseph muniz, keyloggers, mafia crime, Malicious software, malware, Muniz, online mafia, online pharmacy, popups, spam, spamit.com, spyware, vulnerability, World Wide Technology, world wide technology inc.

Tag Archives: botnets

Cisco’s Cyber Solutions – What Is Happening In Your Network

Web Security Offerings From Cisco: Comparing Cisco NEW CX to IronPort Web Security Appliance WSA

What Malicious Traffic Is On Your Network? Use Free Tools To Find Out : Wireshark and NetWitness

Cyber Crime Is A Well Funded Enterprise. A Look At Who Is Hacking You

Search

Topics

Cisco ISE Documentation

Subscribe

Blogroll