
Thursday, 1 December 2022

Cisco Catalyst 9300X – IPsec And Cisco Umbrella

In this blog, you will learn how to configure IPsec and Cisco Umbrella tunnels on a Catalyst 9300X by onboarding it with the Plug and Play (PNP) Cloud Service and Cisco DNA Center.

This capability is supported with Cisco DNA Center 2.3.4. The switch will need IOS-XE 17.8.1 for onboarding and an Advantage license. The IPsec feature on the switch requires an HSEC K9. Please refer to Part 1 of this series to understand at least three use cases that can leverage IPsec on a Catalyst switch.

PnP Cloud Service (Onboarding C9300X with IPsec)


The onboarding section below assumes that the switch has only direct internet access and requires a secure connection back to Cisco DNA Center for management. Traditionally a switch has access to a local PnP server, but in this lean branch deployment, where the 9300X is the only device at the site, connectivity back to an on-premises PnP server is highly unlikely.

Figure 1. Day 0 Automation Workflow for onboarding Catalyst 9300X

Cisco has augmented the PNP Connect with Plug and Play as a Service (PnPaaS). This enhancement allows Cisco DNA Center to send the Day 0 switch configuration file to the PnP Cloud Service. Once the switch sends its PnP request to devicehelper.cisco.com, the PnP Cloud Service responds with the configuration file. This allows the switch to establish the IPsec tunnel and for Cisco DNA Center to manage the newly onboarded switch.

Figure 2. Onboard Catalyst 9300X Device using PnP Cloud

So, how do you create the Day 0 configuration file? Easy, it’s pretty straightforward. Just go to Cisco DNA Center Provision –> Services –> Secure Tunnels and click on Onboard New Device. The form will ask for a Site and a Virtual Account where the switch is associated. Once this information is confirmed, the form can be completed with the following: the switch serial number, a management IP (resulting in a loopback address on the switch), the IP address of the Head-End (or remote side), an IPsec pre-shared key, the HSEC token, and a switch hostname. If the switch already has the HSEC token pre-installed from manufacturing at the time of purchase (it requires a selection in CCW), then the HSEC token entry does not need to be filled in. To look at the configuration file prior to its implementation, select the Day-0 Configuration Preview tab.

Figure 3. Cisco DNA Center Plug and Play Status

After selecting the Onboard Device option, the onboarding status of the switch can be verified under Provision –> Network Devices –> Plug and Play. Initially, the switch will appear as Unclaimed, and the state as Planned. When the process completes (please be patient, it will take several minutes) the switch appears under Provisioned and the state as Provisioned.

Figure 4. Cisco Catalyst 9300X with IPsec in Inventory

After the switch is onboarded, it can be managed over the IPsec tunnel using the loopback by selecting Provision –> Network Devices –> Inventory.

Cisco Umbrella – Creating Secure Tunnels


Now that the switch is under Cisco DNA Center management, additional IPsec tunnels can be configured to connect to a Secure Internet Gateway (SIG). In this case, it will be to Cisco Umbrella, but it can also be to a third party like Zscaler. In order to automate both sides of the tunnel (the switch and Cisco Umbrella), there is a prerequisite to integrate Cisco Umbrella and Cisco DNA Center using API keys (System –> Settings –> External Services). This topic is not covered here. When the API integration is not established, Cisco DNA Center will only automate the switch portion.

Figure 5. Cisco Umbrella IPsec Tunnel Creation in Cisco DNA Center

In order to add the Cisco Umbrella tunnels, go to Cisco DNA Center Provision –> Services –> Secure Tunnels but this time click on Create Secure Tunnel. The form will require the following information: Site, Device, number of Cisco Umbrella tunnels (up to 4), Tunnel Name, and Tunnel Source Interface. In addition, a selection of the Cisco Umbrella data center location can be made, otherwise, the selection will be made based on the switch site location. If you have more than one tunnel, either the same data center or a different location can be selected.

Figure 6. Cisco Umbrella IPsec Pre-Shared Key in Cisco DNA Center

The next screen will ask for the Cisco Umbrella Tunnel Pre-Shared Key and the option to change the default IKEv2 and Transform Set values. The default values are for best practice and should not be changed unless it is for interoperability or other security reasons.

Figure 7. Handling Site Traffic using ECMP or PBR

In the next screen, traffic can be handled either by sending all traffic to Cisco Umbrella using Equal-Cost Multi-Path (ECMP) load balancing when using multiple tunnels or traffic can be steered using Policy-Based Routing (PBR). Handling the traffic in this manner should help with most use cases. Subsequently, there will be a summary screen and a selection to create the tunnel(s).

Figure 8. Cisco DNA Center and Cisco Umbrella Tunnel Confirmation

After the switch and Cisco Umbrella have been provisioned, the status of the tunnels can be verified under Cisco DNA Center Provision –> Services –> Secure Tunnels.

Figure 9. C9300X IPsec Tunnels Cisco DNA Center and Cisco Umbrella

The IPsec tunnel information to both Cisco DNA Center and Cisco Umbrella can be verified via the CLI as well. Tunnel1 is the tunnel to Cisco DNA Center and Tunnel2 is the tunnel to Cisco Umbrella.

Figure 10. Cisco Umbrella UI IPsec tunnel to C9300X

Alternatively, Cisco Umbrella can also display the IPsec tunnel established to the Catalyst 9300X.

Source: cisco.com

Sunday, 13 March 2022

Introducing the new ‘Defending Against Critical Threats’ report

Today, we’re pleased to launch our annual Defending Against Critical Threats report. Inside, we cover the most significant vulnerabilities and incidents of 2021, with expert analysis, insights and predictions from our security and threat intelligence teams across Cisco Talos, Duo Security, Kenna Security, and Cisco Umbrella.

It’s clear that 2021 – and, indeed, the start of 2022 – has been very challenging for security defenders. To bring our Defending Against Critical Threats: Analyzing Key Incident Trends report to life, I sat down with six expert threat hunters and analysts from these teams, and asked them to tell me about their findings on one specific cybersecurity threat, or incident, from the past 12 months. Each expert chose to discuss a topic which tells us a lot about the current priorities of threat actors – below you’ll find a brief summary on some of the key themes we covered.

We also conducted a survey among 190+ security and technology leaders via PulseQA to gauge their perspectives on the current threat landscape. We found that 66% of respondents felt that the complexity and volume of cybersecurity attacks had escalated in 2021, whilst 36% felt that attacks had stayed consistent with the previous year.

In the survey, we also asked about the top threat concerns security leaders had for 2022. Ransomware came in as the top concern, with 38% of respondents choosing that option. In the report, we discuss the evolution of ransomware and how it has reached a critical level for certain bad actors, provoking a more severe and structured governmental response. You’ll read about this in Matt Olney’s (Talos’ Director of Threat Intelligence and Interdiction) section about the Colonial Pipeline attack.

Matt’s section also discusses supply chain attacks, which, as Matt says, are one of the most challenging types of threats we face today. Forty-three percent (43%) of our Pulse respondents told us that they were impacted in a supply chain attack in 2021. Be sure to check out this section for advice on how to make your organization a smaller target for attackers.

Zero-day vulnerabilities came in as the second biggest concern for security practitioners, according to our survey. The report discusses the impact of Log4j with Talos’ Incident Response Practice Lead Liz Waddell, and how it has continued to cause an impact in 2022. Liz also provides a detailed seven-point action plan on how to deal with future zero-day attacks.

Additionally, we also look at the most impactful disclosed vulnerabilities of 2021 with Jerry Gamblin, Kenna’s Director of Security Research (now part of Cisco). This section is particularly helpful for defenders who wish to move to a more predictive-based, prioritized vulnerability management plan.

You’ll also read about the impact of Emotet in Artsiom Holub’s (Senior Security Analyst for Cisco Umbrella) section. Emotet is a very powerful loader that came back from the dead in 2021 to cause a lot of destruction, and the signs are that it has some very nefarious plans for 2022.

Dealing with legacy or unintegrated security technology, or ‘security debt,’ is a topic we are very passionate about helping our customers to combat, and in this report, our Advisory CISO Dave Lewis discusses why it’s becoming an increasing target of opportunity for cyber criminals. We asked respondents if they were dealing with security debt and to what extent; the overwhelming majority (75%) said they were – but it was manageable. Unfortunately, 13% said that it’s a huge issue for them. Dave’s section contains plenty of advice on how to address this issue in your organization.

Finally, for readers interested in reading about a day in the life of a Talos threat hunter, you’ll no doubt find Ashlee Benge’s section on the rise of macOS malware very thought-provoking.

The expert analysis you’ll read in this report highlights the crucial role of our defenders, and the capabilities that we, as an industry, have built based on the meticulous study of past attacker behavior.

The good news is that according to our Pulse respondents, the majority of cybersecurity professionals undertake regular incident response testing. Forty-one percent (41%) are testing their plans twice a year, and 29% are testing more than three times a year. Only 4% said they didn’t have an incident response plan in place.

If you’re a security defender looking to prioritize your focus areas and address patterns of concern, we hope that this year’s report will be helpful to you. It was put together by a dedicated group of security leaders, whose job it is to spot key incident trends.

Here’s what we cover in the new Defending Against Critical Threats:


◉ Colonial Pipeline: Moving Beyond Ransomware Thoughts and Prayers with Matt Olney, Director of Threat Intelligence and Interdiction, Cisco Talos

◉ Security Debt: An Increasing Target of Opportunity with Dave Lewis, Advisory CISO, Cisco Secure

◉ The Most Critical Vulnerabilities (You Might Not Be Thinking About) with Jerry Gamblin, Director of Security Research, Kenna Security (now part of Cisco)

◉ Log4j and How To Plan for Zero-Days with Liz Waddell, Practice Lead, Cisco Talos Incident Response

◉ What’s Emotet Doing Now? with Artsiom Holub, Senior Security Analyst, Cisco Umbrella

◉ The Rise of macOS Malware with Ashlee Benge, Lead, Strategic Intelligence and Data Unification, Cisco Talos

Source: cisco.com

Tuesday, 21 September 2021

Building a Custom SecureX Orchestration Workflow for Umbrella

Improving efficiency for the Cisco team in the Black Hat USA NOC

As a proud partner of the Black Hat USA NOC, Cisco deployed multiple technologies along with the other Black Hat NOC partners to build a stable and secure network for the conference. We used Cisco Secure Malware Analytics to analyze files and monitor any potential PII leaks. We also used Meraki SM to manage over 300 iPads used around the venue for registration, as well as sales lead generation. Last but not least, we used Umbrella to add DNS level visibility, threat intelligence and protection to the entire network.

Let’s go over an example scenario that many customers may find themselves in. While we were in the Black Hat USA NOC, we were constantly keeping our eyes on the Umbrella security activity report in order to recognize, investigate and work with other teams to respond to threats.

Continuously monitoring the activity report can be taxing, especially in our case with two Umbrella organizations – one for the conference iPad deployment and another for the conference attendee network. In comes SecureX to help make our lives simpler. Using SecureX orchestration we were able to import a pre-built Umbrella workflow and easily customize it to suit our needs. This workflow pulls the activity report for a configurable list of categories, creates an incident in SecureX, notifies the team in Webex Teams and updates a SecureX dashboard tile. Let’s jump into SecureX orchestration and take a look at the workflow.

A plethora of SecureX orchestration content is available on our GitHub repo to help you find value in our automation engine in no time. At the link above, you’ll find fully built workflows, as well as building blocks to craft your own use cases. Here is what the 0023 Umbrella: Excessive Requests To Incidents workflow looks like upon importing it (shoutout to @mavander for authoring the workflow).

You can see in the variable section there are four variables, three strings and one integer. “Categories to Alert On” is a comma separated list of categories we want to be notified about, which makes it very easy to add or remove categories on the fly. In our case, we want to be notified if there is even one DNS request for any of the Security Categories, which is why we have set the “request threshold” to one.

Now that our variables are set, let’s dig into the first web service call that is made to the Umbrella API. Umbrella has three APIs:

◉ The management API
◉ The Investigate API
◉ The reporting API (which is the one we need to use to pull the activity report)

There are often minute differences when authenticating to various APIs, but luckily for us, authenticating to the Umbrella API is built into the workflow. It’s as simple as copying and pasting an API key from Umbrella into orchestration, and that’s it. You’ll notice the Umbrella API key and secret are stored as ‘Account Keys’ in orchestration; this way you can reuse the same credentials in other workflows or other API calls to Umbrella.

In this case, we are dynamically crafting the URL /v2/organizations/<umbrella_org_id>/categories-by-timerange/dns?from=-1hours&to=now using the Umbrella org ID from the variables above. Notice the API call is going to GET an activity report for the past hour, but the time range could be modified to cover a longer or shorter window.

Now that we have a JSON formatted version of the activity report, we can use JSON path query to parse the report and construct a table with the category names and the number of requests. Using this dictionary, we can easily determine if Umbrella has seen one or more requests for a category which we want to alert on.

If the conditions are met, and there was activity in Umbrella, the workflow will automatically create a SecureX incident. This incident can be assigned to a team member and investigated in SecureX threat response, to gain additional context from various intelligence sources. However, our team decided that simply creating the SecureX incident was not enough and that a more active form of notification was necessary to ensure nothing got overlooked. Using the pre-built code blocks in SecureX orchestration, we customized the workflow to print a message in Webex Teams; this way the whole team can be notified and nothing will go unseen.

Here is what the message looks like in Webex Teams. It includes the name of the category and how many requests in said category were seen in the past hour. We scheduled the workflow to run once an hour, so even if we needed to step away to walk the Black Hat floor or meet with a NOC partner, we could still stay abreast of the latest Umbrella detections.
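The logic that the workflow’s building blocks implement, written out as an added Python example (this is not the workflow from the GitHub repo and not Cisco’s code): it takes the reporting API response, totals requests per category with the equivalent of the JSON path query step, applies the “Categories to Alert On” and “request threshold” variables, and builds the Webex Teams message with the incident link. The response layout of the categories-by-timerange endpoint, the reports.api.umbrella.com host name, the org ID and the incident URL are all assumptions; the sample report is constructed.

```python
import json
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample of the JSON returned by the reporting API endpoint
#   /v2/organizations/<umbrella_org_id>/categories-by-timerange/dns?from=-1hours&to=now
# The field layout (data[].category.label and data[].count, one entry per
# category and time bucket) is an assumption for this example; compare it
# against a real response before relying on it.
SAMPLE_REPORT = json.dumps({
    "meta": {},
    "data": [
        {"timestamp": 1631203200000, "count": 1,
         "category": {"id": 60, "type": "security", "label": "Malware"}},
        {"timestamp": 1631203200000, "count": 3,
         "category": {"id": 66, "type": "security", "label": "Phishing"}},
        {"timestamp": 1631203200000, "count": 250,
         "category": {"id": 8, "type": "content", "label": "Social Networking"}},
        {"timestamp": 1631206800000, "count": 2,
         "category": {"id": 60, "type": "security", "label": "Malware"}},
    ],
})

# The workflow variables described above. The org ID is a placeholder.
UMBRELLA_ORG_ID = "0000000"
CATEGORIES_TO_ALERT_ON = "Malware, Phishing, Command and Control"
REQUEST_THRESHOLD = 1

REPORTING_API_HOST = "https://reports.api.umbrella.com"  # assumed host name


def build_report_url(org_id: str, hours: int = 1) -> str:
    """Craft the dynamic URL the workflow sends its GET to."""
    return (f"{REPORTING_API_HOST}/v2/organizations/{org_id}"
            f"/categories-by-timerange/dns?from=-{hours}hours&to=now")


def requests_by_category(report_json: str) -> Dict[str, int]:
    """The JSON path query step: total requests per category label."""
    totals: Dict[str, int] = {}
    for entry in json.loads(report_json).get("data", []):
        label = entry["category"]["label"]
        totals[label] = totals.get(label, 0) + int(entry["count"])
    return totals


def parse_category_list(csv: str) -> List[str]:
    """Split the comma separated 'Categories to Alert On' variable."""
    return [c.strip() for c in csv.split(",") if c.strip()]


@dataclass
class Alert:
    category: str
    count: int


def categories_over_threshold(totals: Dict[str, int], watch: List[str],
                              threshold: int) -> List[Alert]:
    """Keep only watched categories that reached the request threshold."""
    return [Alert(c, totals[c]) for c in watch if totals.get(c, 0) >= threshold]


def webex_message(alerts: List[Alert], incident_url: str, hours: int = 1) -> str:
    """Body of the Webex Teams notification: category, count, incident link."""
    lines = [f"Umbrella activity in the past {hours} hour(s):"]
    lines += [f"- {a.category}: {a.count} request(s)" for a in alerts]
    lines.append(f"SecureX incident: {incident_url}")
    return "\n".join(lines)


def run_workflow(report_json: str, categories_csv: str, threshold: int,
                 incident_url: str = "https://securex.example/incident/PLACEHOLDER"
                 ) -> Optional[str]:
    """One scheduled run: returns the notification text, or None when the
    conditions are not met (no incident is created and nothing is sent)."""
    totals = requests_by_category(report_json)
    alerts = categories_over_threshold(totals, parse_category_list(categories_csv), threshold)
    if not alerts:
        return None
    return webex_message(alerts, incident_url)


if __name__ == "__main__":
    print(build_report_url(UMBRELLA_ORG_ID))
    print(run_workflow(SAMPLE_REPORT, CATEGORIES_TO_ALERT_ON, REQUEST_THRESHOLD))
```

With the sample report and a threshold of one, Malware (1 + 2 requests across two buckets) and Phishing fire while Social Networking is ignored because it is not in the watch list; raising the threshold to five produces no message at all, which is the “conditions not met” branch of the workflow.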

It also includes a hyperlink to the SecureX incident to make the next step of conducting an investigation easier. Using SecureX threat response we can investigate any domains detected by Umbrella to get reputational data from multiple intelligence sources. In this particular example www.tqlkg[.]com showed up as ‘potentially harmful’ in the Umbrella activity report. The results of the threat response investigation show dispositions from 5 different sources, including a suspicious disposition from both Talos and Cyberprotect. We can also see that the domain resolves to 6 other suspicious URLs. In a future version of this workflow this step could be automated using the SecureX APIs.

In addition to the Webex Teams alert, we created a notification tile on the SecureX dashboard, which is on display for the entire NOC floor to view.

You can see in the dashboard high-level statistics provided by Secure Malware Analytics (Threat Grid), including “top behavioral indicators”, “submissions by threat score” and “submissions by file type”, as well as the “request summary” from Umbrella.

Also notice the “private intelligence” tile – this is where you can see if there were any new incidents created by the orchestration workflow. The SecureX dashboard keeps the entire Black Hat NOC well-informed as to how Cisco Secure’s portfolio is operating in the network. Adding tiles to create a custom dashboard can be done in just a few clicks. In the customize menu you will see all the integrated technologies that provide tiles to the dashboard. Under the “private intelligence” section you can see the option to add the ‘Incident statuses and assignees’ tile to the dashboard – it’s that easy to create a customized dashboard!

I hope you enjoyed this edition of SecureX at Black Hat; and stay tuned for the next version of the workflow on GitHub, that will automatically conduct an investigation of suspicious domains and provide intelligence context directly in the Webex teams message.

Thursday, 12 August 2021

Threat Protection: The REvil Ransomware

The REvil ransomware family has been in the news due to its involvement in high-profile incidents, such as the JBS cyberattack and the Kaseya supply chain attack. Yet this threat carries a much more storied history, with varying functionality from one campaign to the next.

The threat actors behind REvil attacks operate under a ransomware-as-a-service model. In this type of setup, affiliates work alongside the REvil developers, using a variety of methods to compromise networks and distribute the ransomware. These affiliates then split the ransom with the threat actors who develop REvil.

We looked at REvil, also known as Sodinokibi or Sodin, earlier in the year in a Threat Trends blog on DNS Security. In it we talked about how REvil/Sodinokibi compromised far more endpoints than Ryuk, but had far less DNS communication. However, when revisiting these metrics, we noticed that this changed in the beginning of 2021.

Figure 1-DNS activity surrounding REvil/Sodinokibi.

What’s interesting in revisiting this data over an 18-month span is that while the number of endpoints didn’t rise dramatically in 2021, comparing each month to the overall averages, the amount of DNS activity did. In fact, the one noticeable drop in endpoints in December appears to coincide with the beginning of a dramatic rise in DNS activity.

What’s notable about the initial attacks is that on many occasions, zero-day vulnerabilities have been leveraged to spread REvil/Sodinokibi. In the most recent case, attackers exploited a zero-day vulnerability in the Kaseya VSA in order to distribute the ransomware. Previously the group exploited the Oracle WebLogic Server vulnerability (CVE-2019-2725) and a Windows privilege escalation vulnerability (CVE-2018-8453) in order to compromise networks and endpoints. There have been reports of other, well-known vulnerabilities being leveraged in campaigns as well.

It’s worth noting that in the case of the campaign that leveraged the Kaseya VSA vulnerability, the threat actors behind REvil disabled the command and control (C2) functionality, among other features, opting to rely on the Kaseya software to deploy and manage the ransomware. This highlights how the malware is frequently tailored to the circumstances, where different features are leveraged from one campaign to the next.

So given how functionality varies, what can REvil/Sodinokibi do on a computer to take control and hold it for ransom? To answer this question, we’ve used Cisco Secure Malware Analytics to look at REvil/Sodinokibi samples. The screenshots that follow showcase various behavioral indicators identified by Secure Malware Analytics when it is executed within a virtualized Windows sandbox.

While the features that follow aren’t present in every REvil/Sodinokibi sample, once it is successfully deployed and launched, the result is generally the same.

Figure 2-A desktop that has been encrypted by REvil/Sodinokibi.

What follows provides an overview of how the ransomware goes about locking down a computer to hold it for ransom.

Creating a mutex

One of the first things that REvil/Sodinokibi does is create a mutex. This is a common occurrence with software. Mutexes ensure only one copy of a piece of software can run at a time, avoiding problems that can lead to crashes. However, being a unique identifier for a program, mutexes can sometimes be used to identify malicious activity.

Figure 3-REvil/Sodinokibi creating a mutex.

Once the mutex is created, the threat carries out a variety of activities. The functions that follow do not necessarily happen in chronological order—or in one infection—but have been organized into related groupings.

Establishing persistence

As is the case with many threats, REvil/Sodinokibi attempts to embed itself into a computer so it will load when the computer starts. This is often done by creating an “autorun” registry key, which Windows will launch when starting up.

The creation of run keys, like mutexes, is a fairly common practice for software. However, REvil/Sodinokibi sometimes creates run keys that point to files in temporary folders. This sort of behavior is hardly ever done by legitimate programs since files in temporary folders are meant to be just that—temporary.

Figure 4-REvil/Sodinokibi creating a run key for a temporary file.

Terminating processes and services

REvil/Sodinokibi not only establishes persistence, but it also disables and deletes keys associated with processes and services that may interfere with its operation. For example, the following two indicators show it attempting to disable two Windows services: one involved in managing file signatures and certificates, and another that looks after application compatibility.

Figure 5-REvil/Sodinokibi disabling another service.

Figure 6-REvil/Sodinokibi deleting another service.

It’s worth noting that these two behavioral indicators carry a medium threat score. This is because there are legitimate reasons that these activities might happen on a system. For example, processes and services might be disabled by an administrator. However, in this case, REvil/Sodinokibi is clearly removing these processes so that they don’t interfere with the operation of the malicious code.

Deleting backups

Many ransomware threats delete the backups residing on a system that they intend to encrypt. This stops the user from reverting files to previous versions after they’ve been encrypted, taking local file restoration off the table.

Figure 7-REvil/Sodinokibi deleting a shadow copy used in backups and restoration.

Disabling Windows recovery tools

The command that REvil/Sodinokibi uses to delete backups also includes a secondary command that disables access to recovery tools. These tools are available when rebooting a Windows computer, and disabling them further cripples a system, preventing it from easily being restored.

Figure 8-REvil/Sodinokibi disabling recovery tools.

Changing firewall rules

REvil/Sodinokibi sometimes makes changes to the Windows Firewall. In this case, it turns on Network Discovery, which makes it easier to find other computers on the network and spread further.

Figure 10-REvil/Sodinokibi enabling Network Discovery.
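To show how the persistence, backup deletion, recovery tool and firewall behaviours walked through above turn into detection logic, here is an added Python example; it is not from this post and not Cisco’s code. It runs a small rule table over constructed endpoint telemetry lines and then scores the result. The record format, and the command-line and registry patterns themselves, are assumptions drawn from commonly published ransomware detection content rather than from the screenshots in the post; the scoring mirrors the post’s point that a single indicator (a disabled service, a new run key) often has a benign explanation while several together do not.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample telemetry (not real sandbox or EDR output). The record
# format is an assumption for this example:  kind|process|detail
#   kind "proc": process creation, detail = command line
#   kind "reg":  registry value set,  detail = key\value=data
SAMPLE_EVENTS = [
    r'proc|C:\Windows\System32\svchost.exe|svchost.exe -k netsvcs',
    r'reg|C:\Users\alice\AppData\Local\Temp\a1b2.exe|HKCU\Software\Microsoft\Windows\CurrentVersion\Run\upd=C:\Users\alice\AppData\Local\Temp\a1b2.exe',
    r'proc|C:\Windows\System32\cmd.exe|cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No',
    r'proc|C:\Windows\System32\netsh.exe|netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes',
    r'reg|C:\Program Files\Vendor\agent.exe|HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Agent=C:\Program Files\Vendor\agent.exe',
    r'proc|C:\Windows\System32\notepad.exe|notepad.exe readme.txt',
]


@dataclass
class Finding:
    line_no: int
    rule: str
    severity: str   # "medium" or "high", in the spirit of the sandbox threat scores
    evidence: str


# Rule table: (rule name, severity, record kind it applies to, pattern).
RULES = [
    # Run key whose data points into a temp folder (persistence section).
    # A vendor run key under Program Files does not match.
    ("run_key_points_to_temp_folder", "high", "reg",
     re.compile(r"\\CurrentVersion\\Run\\[^=]*=.*(\\Temp\\|%TEMP%)", re.I)),
    # Shadow copy deletion (deleting backups section).
    ("shadow_copy_deletion", "high", "proc",
     re.compile(r"(vssadmin(\.exe)?\s+delete\s+shadows|wmic\s+shadowcopy\s+delete)", re.I)),
    # Recovery environment switched off (disabling recovery tools section).
    ("recovery_environment_disabled", "high", "proc",
     re.compile(r"bcdedit.*recoveryenabled\s+no", re.I)),
    # Network Discovery enabled through the firewall (changing firewall rules section).
    ("network_discovery_enabled", "medium", "proc",
     re.compile(r'netsh\s+advfirewall.*group="Network Discovery".*enable=yes', re.I)),
]

SEVERITY_WEIGHT = {"medium": 1, "high": 2}


def scan(events: List[str]) -> List[Finding]:
    """Match every rule against every record; one finding per (record, rule) hit."""
    findings: List[Finding] = []
    for n, line in enumerate(events, start=1):
        kind, _process, detail = line.split("|", 2)
        for name, severity, applies_to, pattern in RULES:
            if kind == applies_to and pattern.search(detail):
                findings.append(Finding(n, name, severity, detail))
    return findings


def assess(findings: List[Finding]) -> Tuple[int, str]:
    """Combine findings into a score and a verdict. Each distinct rule counts
    once, so a chained command that hits two rules still needs a third
    behaviour before the session is treated as ransomware-like."""
    distinct = {f.rule for f in findings}
    score = sum(SEVERITY_WEIGHT[severity] for name, severity, _, _ in RULES if name in distinct)
    if len(distinct) >= 3:
        return score, "likely ransomware: escalate"
    if score >= 2:
        return score, "suspicious: investigate"
    if score == 1:
        return score, "low: log only"
    return score, "no findings"


if __name__ == "__main__":
    hits = scan(SAMPLE_EVENTS)
    for f in hits:
        print(f"line {f.line_no} [{f.severity}] {f.rule}: {f.evidence}")
    print(assess(hits))
```

Run against the sample, the vendor run key and the notepad launch produce nothing, the temp-folder run key, the chained shadow copy deletion and recovery switch-off, and the Network Discovery change each fire, and four distinct rules in one session push the verdict to escalate; a lone Network Discovery change on its own only scores as a low-severity log entry, which is the nuance the medium threat scores in the screenshots are expressing.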

Contacting the C2 server

To carry out various functions remotely, the threat actors behind REvil often need it to connect back to a C2 server. Each of the C2 servers listed below has been classified as high risk by Cisco Umbrella.

Figure 11-Domains flagged as High Risk by Cisco Umbrella.

When looking at these domains using Umbrella Investigate, we see that the domain is associated with REvil/Sodinokibi.

Figure 12-Information in Cisco Umbrella Investigate about a REvil/Sodinokibi domain.

Encrypting files

Once most of the previous functions have been carried out, REvil/Sodinokibi will execute its coup de grâce: encrypting the files on the drive.

Figure 13-REvil/Sodinokibi encrypting a drive.

Creating ransom notes

During this process, REvil/Sodinokibi creates additional files in the folders it encrypts. These files contain information about how to pay the ransom.

Figure 14-REvil/Sodinokibi creating ransomware notes.

Changing desktop wallpaper

Finally, REvil/Sodinokibi changes the desktop wallpaper to draw attention to the fact that the system has been compromised.

Figure 15-REvil/Sodinokibi changing the desktop wallpaper.

The new wallpaper includes a message pointing the user to the ransom file, which contains instructions on how to recover the files on the computer.

Figure 16-The ransom note created by REvil/Sodinokibi.

Since the files have been successfully encrypted, the computer is now largely unusable. Each file has a file extension that matches what is mentioned in the ransom note (.37n76i in this case).

Figure 17-Encrypted files on a compromised endpoint.

Defense in the real world

Given the variation in behaviors during infection, running REvil/Sodinokibi samples inside Cisco Secure Malware Analytics is a great way to understand how a particular version of the threat functions. However, when it comes to having security tools in place, it’s unlikely you’ll see this many alerts.

For example, when running Cisco Secure Endpoint, it’s more likely that the REvil/Sodinokibi executable would be detected before it could do any damage.

Figure 18-Detection of a REvil/Sodinokibi executable.

Figure 19. Generic ransomware detection.

Source: cisco.com

Wednesday, 9 June 2021

Under Pressure to Secure Your Enterprise? Predict More to Prevent More


Cybersecurity is a top priority for any organization conducting business over the Internet. Protecting your assets encompasses an ever-expanding digital landscape. Any data breach can have a devastating impact on the finances and brand equity of an organization. It’s why cybersecurity is treated as a business risk, rather than merely an IT issue. The importance of security is nothing new, but the global pandemic has made it even more critical.

Rise in Remote Access Authentication

Many of the new security challenges stem from the rapid increase in remote work that occurred almost overnight last year with the global rollout of stay-at-home orders. According to data from Cisco Duo, more organizations across all industries have enabled their employees to work from home, and there’s every indication this could continue for an extended time. Between February and April of 2020, we saw a 60% increase in remote access authentication — a percentage that has held remarkably steady ever since.

For IT Ops, a key challenge was ensuring their business employees could securely access the tools and resources they needed to do their jobs, seamlessly and with no additional friction. At the same time, organizations have had to protect critical information and minimize risk, all while accommodating myriad types of users and devices using unsecured networks. In order to accomplish the above, having visibility and insights into remote work patterns is a must, allowing SecOps and NetOps teams to authenticate and secure enterprise traffic through zero-trust solutions and multi-factor authentication.

Identifying Cyberthreat Patterns


In addition to the expansion of the attack surface due to the shift to remote work, cyber-criminals evolved their attacks to feed on people’s fears around the pandemic. DNS traffic analysis by Cisco Umbrella revealed some startling findings for the first nine months of 2020. For example, among our Umbrella DNS customers:

◉ 91% saw a domain linked to malware
◉ 68% saw a domain linked to cryptomining
◉ 85% saw a domain linked to phishing
◉ 63% saw a domain linked to trojans

In fact, since 2019, trojans and phishing have traded spots in threat ranking. In 2019, trojans were the number two threat at 59%, while phishing was number four with 46% impacted. Over the past year, phishing has risen by nearly 40% in large part due to malicious actors preying on people’s fears about the virus.

If IT teams are to scale and stay ahead of the bad actors in this evolving landscape of cyberthreats, they must be able to proactively monitor and identify malicious traffic and its patterns. It is vastly better to predict and prevent cyberattacks than to try to undo the damage caused by data breaches after the fact.

Threat Targets by Industry

Shifts in the distribution of threat traffic across different business markets since 2019 offer further insight into how to secure your enterprise. In particular, managed service providers (MSPs) have now surpassed financial services as the most impacted markets. In fact, U.S. government agencies have issued recent warnings about the heightened risk of attacks by state actors on MSPs.

Why this jump in MSP threat traffic? MSPs are attractive targets because, unless an MSP has effectively secured its own environment, it is vulnerable to attack by malicious actors who can then hijack its remote monitoring and management tooling to go after the MSP’s clients. These customers are then at higher risk than the MSP itself. (By contrast, higher education traffic has dropped considerably in the ranking of impacted markets over the past year — from the top spot to the number six spot — most likely due to students being unable to attend classes in person.)

The rise in malware using sophisticated hiding and evasion techniques has made cyber defense teams’ jobs that much harder. In order to secure your data and your enterprise, manual monitoring and intervention is no longer a viable solution. Today’s cyber defenders must have visibility across applications, networks, and devices, along with the ability to leverage machine speed and predictive intelligence to deliver scalable, adaptable protection.

Source: cisco.com

Thursday, 25 March 2021

Threat Trends: DNS Security, Part 2


Part 2: Industry trends

In our Threat Trends blog series, we attempt to provide insight into the prevalent trends on the threat landscape. Our goal in giving you the latest info on these trends is that you’ll be better prepared to allocate security resources to where they’re needed most.

Knowing the larger trends can help in this pursuit, particularly when it comes to the most common threat types. This is what we covered in part one of this Threat Trends release on DNS Security, using data from Cisco Umbrella, our cloud-native security service.

However, different industries sometimes have different levels of exposure to certain threat types. For example, those in the financial services industry may see more activity around information stealers; others in manufacturing may be more likely to encounter ransomware.

This is what we’re going to cover in part two. We’ll focus on specific industries, looking at two things: the top threat categories they face, and the categories that they’re more likely to encounter when compared to other industries. In this way, you’ll be better armed knowing which threats you’re more likely to encounter within your industry.

As in part one, we’ll be looking at data covering the calendar year of 2020. This time we’ll be comparing yearly totals of DNS traffic to malicious sites, by industry. While we do this, we’ll occasionally drill down to the monthly level, or look at endpoint data, to highlight items of interest. All of this gives us a window into the categories of threats that generate the most traffic for various organizations.

So, without further ado, and in no particular order, here are the industry trends:

Technology

The vast majority of DNS traffic in the Technology sector—the sector involving the development and/or distribution of technological goods and services—can be attributed to two categories: cryptomining and phishing. These two categories alone accounted for 70 percent of the traffic for organizations in this sector.

Unsurprisingly, the Technology sector saw far more cryptomining traffic than any other industry. While much of this activity can be attributed to bad actors, it’s possible that more knowledge surrounding cryptocurrencies could lead workers in this field to attempt to install miners on their company computers, triggering DNS blocks in Umbrella due to company policy violations. In comparison, Financial Services—an industry where workers are more likely aware of the risks of running cryptomining software on company devices—had one of the lowest levels.

Interestingly, the Technology sector saw the second-highest level of ransomware-related traffic, primarily driven by attacks involving Sodinokibi and Ryuk. However, the incredibly high proportion of cryptomining pushed the overall percentage down, coming in at six percent. Trojan activity was also high, given that Emotet and Trickbot were used to distribute Ryuk, as previously discussed in part one.

Financial Services

Phishing resulted in the highest levels of malicious DNS traffic in the Financial Services sector. In fact, this sector saw 60 percent more phishing than the next-closest sector, Higher Education. It’s possible that this sector is targeted by attackers through phishing more often than others simply because of its proximity to many bad actors’ end goal: money.

Supporting this idea is the fact that the Financial Services sector also saw more information-stealing threats than any other industry. While this category is not known to generate high volumes of DNS traffic (only 2 percent of the sector’s malicious traffic), Financial Services saw five times as much traffic in this category as any other industry.

Financial Services also saw the second-highest amount of traffic in a number of categories, such as trojans, botnets, and remote access trojans (RATs). The breadth of malicious traffic seen in this industry could speak to how attractive a target it is to bad actors.

Healthcare

The Healthcare industry saw more trojans than any other sector, as well as higher numbers of droppers. Most of the trojan-based activity can be attributed to Emotet, as healthcare organizations were hit hard by the threat in 2020. Close to seven out of every ten trojans seen within the healthcare sector were Emotet. Throw Emotet’s close cousin Trickbot into the mix and you’re looking at 83 percent of all trojan-related traffic.

It likely comes as no surprise that ransomware also made its presence known within the Healthcare sector. Ryuk was particularly active, no doubt associated with the high activity surrounding Emotet. The Healthcare sector was also narrowly edged out of the second-highest place for ransomware, coming in only 1.5 percent lower in overall DNS traffic.

Manufacturing

Like the Technology sector, cryptomining activity was also high in the Manufacturing industry. It saw roughly half the activity seen in the Technology sector, but interestingly, there were almost three times as many endpoints in the Manufacturing sector involved in cryptomining. In short, more machines generating less DNS activity leads us to believe these endpoints were less powerful than those in the Technology sector. It’s possible that the compromised machines are involved in the manufacturing process itself, possibly even IoT devices. In these cases, cryptomining would likely have been slower, but could still impact production speeds.

It turns out that the Manufacturing sector is also the most likely to be impacted by ransomware. This industry saw almost as much ransomware-related traffic as the next two closest industries combined (Technology and Healthcare). This appears to be a clear indication that the industry is regularly targeted by bad actors, likely through big game hunting, given the potential payout bad actors could receive.

Higher Education

The COVID-19 pandemic closed campuses worldwide in 2020. As classes moved remote, many malicious activities that would have been blocked on campus would have occurred on students’ home networks. This resulted in drop-offs in malicious activity for this sector in many categories from March onwards, and much lower overall numbers in 2020 than in previous years.

That’s not to say that activity dropped off a cliff, as certain activities that would require access to campus resources did register their share of DNS activity. For instance, phishing activity managed to put Higher Education in second place when comparing across industries. Cryptomining outfits also frequently target the Higher Education sector in an attempt to siphon off computing resources, or student-discounted cloud computing credits, to run their miners.

Government

Of the industries that we’ve examined, the Government sector appears to be the most evenly distributed across the top categories highlighted in part one of this series (Phishing, Cryptomining, Ransomware, and Trojans). The Government sector even saw a fairly even distribution for each of these categories when looking at them month-on-month.

The sole exception to this trend was cryptomining, which saw low numbers in the first three quarters of the year, only to jump in October as cryptocurrency values reached a high for the year and continued to climb. However, the month-on-month numbers didn’t fluctuate through the last quarter of the year, remaining at largely the same elevated level each month.

Preventing successful attacks

As mentioned earlier, the data used to show these trends comes from Cisco Umbrella, our cloud-delivered security service that includes DNS security, secure web gateway, firewall, and cloud access security broker (CASB) functionality, and threat intelligence. The malicious activity shown here was stopped in its tracks by Umbrella.

Umbrella combines multiple security functions into one solution, so you can extend protection to devices, remote users, and distributed locations anywhere. Umbrella is the easiest way to effectively protect your users everywhere in minutes.

Picking your battles

There is no doubt that examining trends on the threat landscape can reap benefits. Knowing where attacks are occurring can make it easier to decide where to dedicate your resources to defend against them. Cryptomining and phishing are commonly seen these days, as are trojans like Emotet and Trickbot, which are used to deploy ransomware such as Ryuk.

Of course, different sectors are impacted by different threats in different ways, so it helps to understand the specific trends surrounding the sector you find yourself within. For instance, it would be wise for someone in the Financial Services sector to keep a close eye on phishing trends, while someone in the Manufacturing sector may want to take a closer look at ransomware.

Ultimately, designing a defensive strategy that combines the larger trends with those of your specific industry can bring you a long way toward protecting your assets.

Methodology

We’ve followed the same overall methodology in this blog that we did in part one, with a few changes in representation. Pie charts are based on DNS query traffic to malicious sites. Any category comprising more than one percent of traffic for a particular industry is represented in the charts. All categories below one percent are combined into the ‘All Others’ group in the charts.

Source: cisco.com