Tuesday, 15 March 2022

Randomized and Changing MAC (RCM)

What is Randomized & Changing MAC (RCM)

Historically, wireless clients associated to the wireless network using the manufacturer-assigned MAC address of the wireless network interface card (NIC). This manufacturer-assigned MAC address, which is globally unique, is also known as the burned-in address (BIA). Using this burned-in address everywhere raises an end-user privacy concern, because the end user can be tracked by the Wi-Fi MAC address. In this document it is referred to as the normal MAC (address), in contrast to the random MAC (address).

To improve end-user privacy, operating system vendors (Apple iOS 14, Android 10 and Windows 10) are enabling the use of a locally administered MAC address (LAA), also referred to as a random MAC address, for Wi-Fi operation. When a wireless endpoint associates with a random MAC address, the endpoint's MAC address changes over time.

Random MAC addresses were previously used only for probing for known wireless networks; their use has now been extended to association with wireless networks. While this works well for end-user privacy, it brings unique challenges for the enterprise IT admin, who has so far depended on a unique endpoint identity as the basis for driving policies. It also affects Wi-Fi deployment models such as Guest, BYOD (Bring Your Own Device) and location analytics, which rely on the uniqueness of the MAC address.

To address and alleviate the issues caused by random MAC addresses in existing wireless deployments, Cisco provides an RCM solution.

Fig #1: RCM Cisco Solution

Random Mac Identification and Client access


The Cisco solution identifies random MAC usage and provides visibility on the WLC and in Cisco DNA Center for easy detection of issues and troubleshooting.

The Cisco Catalyst 9800 can classify a device on the network by whether it uses a universally administered address (the BIA) or a locally administered address (RCM), which helps administrators distinguish between the two. A random MAC address is identified by the locally administered (U/L) bit, the second-least-significant bit of the first octet, which lies in the OUI portion of the MAC address; when that bit is set, the address is locally administered. The picture below shows how to identify a locally administered MAC address.

Fig #2: Random MAC Identification

In addition, the Cisco Catalyst 9800 wireless controller can control whether clients using an RCM address may join the Wi-Fi network. This is enabled through a configuration option that allows or denies RCM clients. When this configuration is enabled, any client using a randomized, changing MAC (a locally administered MAC address) will not be able to join that wireless network.

MDM (Mobile Device Manager)/ISE BYOD Integrations:


The MDM solution provides a unique device identity when the device's MAC address is randomized and changing. When an endpoint connects to the network using a randomized MAC address, MDM compliance checks and other security controls that use the MAC address as the device identifier fail, because the random MAC is not recognized. This solution instead gives the device a unique identity based on EAP-TLS, known as the DUID (Device Unique ID) solution.

◉ This solution relies on the MDM (Mobile Device Manager, also referred to as a Device Manager or Unified Endpoint Manager; for example Microsoft Intune or MobileIron) that manages devices in the enterprise infrastructure.

◉ ISE provisions the device with a certificate carrying the device's unique ID (DUID).

◉ The device presents this certificate during TLS-based authentication; ISE authorizes the device and also reads the unique ID from the certificate.

◉ The DUID is used for the compliance check with MDM servers and as the unique identifier of the device in the endpoint table.

◉ The randomized MAC no longer matters, since the device now has a DUID taken from the ID in the certificate.

◉ Since ISE holds the mapping between the DUID and the random MAC, it can share this information in two ways:
     
     ◉ Through pxGrid as part of the session information, with Cisco DNA Center as the pxGrid subscriber.
     ◉ The WLC receives the client information from ISE as a VSA in the Access-Accept and forwards it to Cisco DNA Center.

Fig #3: Device Unique ID MDM Flow

The same use case can be implemented through ISE as part of BYOD workflow as ISE can generate DUID during the BYOD process.
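Worked example, added here and not part of Cisco's solution or the original post: a small Python script that applies the U/L bit check described for Fig #2 to MAC addresses written in the common notations, filters a session table for RCM clients the way the Cisco DNA Center view does, and groups the random MACs seen per DUID so that a changing MAC still maps to one device. The session records, DUID strings and MAC addresses are constructed sample data, not values from any real deployment.

```python
"""Added example (not Cisco's code): identify locally administered (randomized)
MAC addresses by the U/L bit and correlate them to a stable device identity.

Facts used: in an IEEE 802 MAC address the first octet carries two flag bits.
Bit 0 (mask 0x01) is the Individual/Group (I/G) bit, 1 for multicast.
Bit 1 (mask 0x02) is the Universally/Locally administered (U/L) bit:
0 for a manufacturer-assigned burned-in address (BIA), 1 for a locally
administered address, which is what a client sets when it randomizes its
Wi-Fi MAC. The bit sits inside the first octet of the OUI portion.

The client records, DUID values and MAC addresses below are constructed
sample data.
"""
from __future__ import annotations

import re
from collections import defaultdict
from typing import Iterable

_SEP = re.compile(r"[:\-.\s]")


def normalize_mac(mac: str) -> bytes:
    """Accept aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff or aabb.ccdd.eeff (Cisco style)."""
    digits = _SEP.sub("", mac)
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return bytes.fromhex(digits)


def is_locally_administered(mac: str) -> bool:
    """True when the U/L bit (0x02 in the first octet) is set: an RCM/LAA address."""
    return bool(normalize_mac(mac)[0] & 0x02)


def classify(mac: str) -> str:
    """'group' for multicast/broadcast, 'LAA' for locally administered, else 'UAA'."""
    first = normalize_mac(mac)[0]
    if first & 0x01:
        return "group"          # never a client station address
    return "LAA" if first & 0x02 else "UAA"


# Constructed sample: the kind of per-association records a controller or ISE
# would expose. 'duid' is the Device Unique ID read from the EAP-TLS
# certificate (None when the client did not authenticate with a DUID cert).
SAMPLE_SESSIONS = [
    {"mac": "00:1B:44:11:3A:B7", "duid": None,        "ssid": "corp"},
    {"mac": "0A:2C:19:7E:41:55", "duid": "duid-0001", "ssid": "corp"},
    {"mac": "4E:00:12:AB:CD:EF", "duid": "duid-0001", "ssid": "corp"},   # same device, new random MAC
    {"mac": "ee:44:12:88:90:01", "duid": "duid-0002", "ssid": "byod"},
    {"mac": "3c5a.b4aa.bb01",    "duid": None,        "ssid": "guest"},  # BIA, Cisco dotted format
    {"mac": "c2-7d-1a-00-00-10", "duid": None,        "ssid": "guest"},  # random MAC, no DUID
]


def rcm_clients(sessions: Iterable[dict]) -> list[dict]:
    """The DNA Center style filter: only sessions whose MAC is locally administered."""
    return [s for s in sessions if is_locally_administered(s["mac"])]


def sessions_by_duid(sessions: Iterable[dict]) -> dict[str, list[str]]:
    """Group the random MACs seen per DUID, so a changing MAC still maps to one device."""
    out: dict[str, list[str]] = defaultdict(list)
    for s in sessions:
        if s["duid"] is not None:
            out[s["duid"]].append(s["mac"])
    return dict(out)


def untracked_rcm(sessions: Iterable[dict]) -> list[str]:
    """RCM clients with no DUID: the ones MAC-based policy cannot follow over time."""
    return [s["mac"] for s in rcm_clients(sessions) if s["duid"] is None]


if __name__ == "__main__":
    for s in SAMPLE_SESSIONS:
        print(f"{s['mac']:20} {classify(s['mac']):5} duid={s['duid']}")
    print("RCM clients:", len(rcm_clients(SAMPLE_SESSIONS)))
    print("MACs per DUID:", sessions_by_duid(SAMPLE_SESSIONS))
    print("RCM clients without DUID:", untracked_rcm(SAMPLE_SESSIONS))
```

Only the first octet is inspected, so the check works regardless of which OUI the client chose; the `untracked_rcm` list is the set an administrator would want to see, since those clients cannot be tied to a stable identity by either the MAC table or the DUID mapping.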

DNA Center visibility, Troubleshooting, Usage tracking for RCM


Fig #4: DNA Center RCM Client Dashboard
 
Using Cisco DNA Center, you can track and troubleshoot where random MACs are being used in the network. For devices using random MAC addresses, Cisco DNA Center shows a new icon in front of the device MAC address to mark it as RCM. Users can filter devices by RCM address so that the IT admin can track how many clients in the network are RCM clients.

Below Cisco DNA Center screen shows the filtered RCM Clients for visibility, tracking, and troubleshooting.

On the Cisco DNA Center Client 360 page, shown below, users can see the client's DUID, its random MAC, and which other MAC address is related to it.

Fig #5: DNAC RCM Client 360 View

Fig #6: DNA Center RCM Client Details

Cisco DNA Center also shows when clients fail to associate because the network is configured to deny random MAC clients. The client screen below shows that.

Fig #7: DNA Center RCM Client Association Failure View

Future of Random MAC Solution


Cisco will work with the IETF to establish a formal working group on MAC address-based device identification for network and application services.

Source: cisco.com

Sunday, 13 March 2022

Introducing the new ‘Defending Against Critical Threats’ report

Today, we’re pleased to launch our annual Defending Against Critical Threats report. Inside, we cover the most significant vulnerabilities and incidents of 2021, with expert analysis, insights and predictions from our security and threat intelligence teams across Cisco Talos, Duo Security, Kenna Security, and Cisco Umbrella.

It’s clear that 2021 – and, indeed, the start of 2022 – has been very challenging for security defenders. To bring our Defending Against Critical Threats: Analyzing Key Incident Trends report to life, I sat down with six expert threat hunters and analysts from these teams, and asked them to tell me about their findings on one specific cybersecurity threat, or incident, from the past 12 months. Each expert chose to discuss a topic which tells us a lot about the current priorities of threat actors – below you’ll find a brief summary on some of the key themes we covered.

We also conducted a survey among 190+ security and technology leaders via PulseQA to gauge their perspectives on the current threat landscape. We found that 66% of respondents felt that the complexity and volume of cybersecurity attacks had escalated in 2021, whilst 36% felt that attacks had stayed consistent with the previous year.

In the survey, we also asked about the top threat concerns security leaders had for 2022. Ransomware came in as the top concern, with 38% of respondents choosing that option. In the report, we discuss the evolution of ransomware and how it has reached a critical level for certain bad actors, provoking a more severe and structured governmental response. You’ll read about this in Matt Olney’s (Talos’ Director of Threat Intelligence and Interdiction) section about the Colonial Pipeline attack.


Matt’s section also discusses supply chain attacks, which as Matt says, is one of the most challenging types of threats we face today. Forty-three percent (43%) of our Pulse respondents told us that they were impacted in a supply chain attack in 2021. Be sure to check out this section for advice on how to make your organization a smaller target for attackers.

Zero-day vulnerabilities came in as the second biggest concern for security practitioners, according to our survey. The report discusses the impact of Log4j with Talos’ Incident Response Practice Lead Liz Waddell, and how it has continued to cause an impact in 2022. Liz also provides a detailed seven-point action plan on how to deal with future zero-day attacks.

Additionally, we also look at the most impactful disclosed vulnerabilities of 2021 with Jerry Gamblin, Kenna’s Director of Security Research (now part of Cisco). This section is particularly helpful for defenders who wish to move to a more predictive-based, prioritized vulnerability management plan.

You’ll also read about the impact of Emotet in Artsiom Holub’s (Senior Security Analyst for Cisco Umbrella) section. Emotet is a very powerful loader that came back from the dead in 2021 to cause a lot of destruction, and the signs are that it has some very nefarious plans for 2022.

Dealing with legacy or unintegrated security technology, or ‘security debt,’ is a topic we are very passionate about helping our customers to combat, and in this report, our Advisory CISO Dave Lewis discusses why it’s becoming an increasing target of opportunity for cyber criminals. We asked respondents if they were dealing with security debt and to what extent; the overwhelming majority (75%) said they were, but that it was manageable. Unfortunately, 13% said that it’s a huge issue for them. Dave’s section contains plenty of advice on how to address this issue in your organization.


Finally, for readers interested in reading about a day in the life of a Talos threat hunter, you’ll no doubt find Ashlee Benge’s section on the rise of macOS malware very thought-provoking.

The expert analysis you’ll read in this report highlights the crucial role of our defenders, and the capabilities that we, as an industry, have built based on the meticulous study of past attacker behavior.

The good news is that according to our Pulse respondents, the majority of cybersecurity professionals undertake regular incident response testing. Forty-one percent (41%) are testing their plans twice a year, and 29% are testing more than three times a year. Only 4% said they didn’t have an incident response plan in place.


If you’re a security defender looking to prioritize your focus areas and address patterns of concern, we hope that this year’s report will be helpful to you. It was put together by a dedicated group of security leaders, whose job it is to spot key incident trends.

Here’s what we cover in the new Defending Against Critical Threats:


◉ Colonial Pipeline: Moving Beyond Ransomware Thoughts and Prayers with Matt Olney, Director of Threat Intelligence and Interdiction, Cisco Talos

◉ Security Debt: An Increasing Target of Opportunity with Dave Lewis, Advisory CISO, Cisco Secure

◉ The Most Critical Vulnerabilities (You Might Not Be Thinking About) with Jerry Gamblin, Director of Security Research, Kenna Security (now part of Cisco)

◉ Log4j and How To Plan for Zero-Days with Liz Waddell, Practice Lead, Cisco Talos Incident Response

◉ What’s Emotet Doing Now? with Artsiom Holub, Senior Security Analyst, Cisco Umbrella

◉ The Rise of macOS Malware with Ashlee Benge, Lead, Strategic Intelligence and Data Unification, Cisco Talos

Source: cisco.com

Thursday, 10 March 2022

Focus on HyperFlex: Sizing A New Cluster Using the Sizer and Profiler Tools

In this ‘Focus on HyperFlex’ blog, we zero in on different aspects of the Cisco HyperFlex (‘HX’) hyperconverged system and ways to make HX work best for you and your organization. This edition illustrates how to size a cluster when you do not yet have all the details of the workload worked out. In that situation, HyperFlex Profiler is the right way to learn more about the workloads.

During my time in sales, teams often asked me to size a HyperFlex cluster and provide a customer quote. It was customary to have many more questions than the team or customer could answer about the application. Normally, they would provide me with an Excel sheet with some CPU and memory values. That is a great start, and it gave me deep insight into the customer’s application. However, an application profile is not only about averages of CPU and memory. There are several more parameters needed, including the performance and latency peaks. With the customer’s permission, I would run a HyperFlex Profiler in their environment to gain more information about their application. Before installing the OVA on their vCenter, I would explain what HyperFlex Profiler is and how it helps with sizing their new HyperFlex environment.

HyperFlex Profiler 

If there is no historical insight into the potential clustered application environment, start with HyperFlex Profiler. It gathers data on the vCenter environment and consolidates that mass of data into a single, easily digestible file. After importing this file into the HyperFlex Sizer tool, you can quickly size the cluster and get a clearer picture of the environment and its workloads.

However, profiling the environment is not a quick hit in a short period of time. The best approach is to run the HyperFlex Profiler for at least seven days or, preferably, 30 days. A longer measuring period ensures you capture data when “end of the month reports” are run. Of course, don’t just measure the environment during a weekend when there is little traffic! Be sure to capture at least one logical business cycle for that application. 

The HyperFlex Profiler is an OVA installed on a VMware environment. The only configuration is to provide (read-only) access to the vCenter environment and define which servers the HyperFlex Profiler will monitor. Multiple servers and/or clusters can be selected. For environments running different types of workloads, it is recommended to isolate them by selecting the servers in their environments – for instance, the VDI or the SQL environment. Of course, selecting all servers and workloads is also an option. Keep in mind that you will have more overhead this way. 

When it is monitoring the environment, the Profiler shows an overview like the following:

Figure: HyperFlex Profiler monitoring overview (screenshot)

More details about the environment are shown in other tables and graphs, which can be exported in PDF format.

It is essential to see the peaks of the environment. This way, you can make sure the newly designed HyperFlex cluster can handle the workload and has room for expansion.


The HyperFlex Profiler offers different graphs. The one below shows the storage read metrics, which give more insight into the block sizes most frequently used in the environment:

Figure: HyperFlex Profiler storage read metrics by block size (screenshot)

The next step is to use the HyperFlex Profiler data to create a bill of materials from all the information gathered from vCenter. The Profiler data can be downloaded manually or automatically and uploaded to the HyperFlex Sizer.

HyperFlex Sizer 


The HyperFlex Sizer is an online tool (https://hyperflexsizer.cloudapps.cisco.com/) accessible to both partners and customers. With this tool, you can add your personal, most commonly used workloads to a HyperFlex cluster and have the sizing tool decide the best option. HyperFlex Sizer takes the HyperFlex best practices into account when calculating the optimal solution. 

Furthermore, you can customize the sizing tool, using only the preferred components the customer wishes to see in the new HyperFlex environment. Different elements, like CPU, memory, types and sizes of drives, and more, can be customized. 

Uploading the HX Profiler data to the HX Sizer is straightforward. After claiming the HX Profile in the HX Sizer, the tool produces a practical Bill of Materials that can be the baseline for a discussion with your partner about the best solution for your applications.

Here is a screenshot of the HyperFlex Sizer where a HyperFlex cluster is calculated with the requested workload:

Figure: HyperFlex Sizer result for the requested workload (screenshot)

The Sizer may also advise several HyperFlex clusters, which is useful when you have different workloads, each with its own characteristics.

The result shows the number of HyperFlex or compute nodes, the node types, and all the parts needed to build the solution. This way, you don’t have to configure everything manually, which removes a source of human error.

Create an estimate


Once you know the total size of the new HyperFlex cluster, partners or Cisco experts can easily upload the Bill of Material to Cisco Commerce Workspace (CCW) and estimate the HyperFlex cluster.


In CCW, the estimate can be converted to an order.

Source: cisco.com

Tuesday, 8 March 2022

EIS in Transition: Impacts on Digital Transformation for Federal Networks

For Federal agencies, Enterprise Infrastructure Solutions (EIS) has provided a comprehensive, solution-based method to address their IT telecommunications and infrastructure needs. Over the years, EIS has seen many changes that directly affect stakeholders, but its primary purpose, as a key driver for the digital transformation of enterprise telecommunications and networking solutions, remains unchanged. Yet many agencies face the expiration of legacy contracts such as Networx and WITS on May 31, 2023. To maintain momentum for digitization, Federal agencies must begin the transition now by strategically mapping how and where it should start.

What’s next for Federal Digital Transformation?

For decades, Cisco has built a strong relationship with the U.S. Federal Government. Our portfolio of products, solutions, and services provide Federal agencies with the critical technology and support they need to enable the transformation of their networks within the EIS contract.

By leveraging these existing contracts, agencies are reducing costs and acquisition time. They’ve been able to digitize aging systems and catch-up to the private sector in capabilities. But now what? Which direction should Federal agencies go as they transition contracts within EIS? The simple answer: Cisco SD-WAN.

Beyond EIS with SD-WAN

Cisco SD-WAN is the premier choice for replacing expensive and aging legacy WAN. Federal agency networks leveraging Cisco’s SD-WAN solution can benefit from:

◉ Enhanced user experience

◉ Reduced costs

◉ Simplified operations

◉ Improved performance

◉ Robust security

Cisco SD-WAN enables more efficient bandwidth allocation, powering critical applications to faster, smoother performance. This capability is now a necessity as Federal agencies move to cloud services and witness an explosion of app-wielding users connecting remotely.


Wi-Fi6 for the Federal Government


The transition in EIS contracts also provides Federal agencies with the opportunity to rethink their adoption of new and emerging technologies. One example is Wi-Fi 6. It builds on earlier Wi-Fi standards to provide Gigabit Ethernet Access – but with the reliability and predictability that comes from a licensed radio.

Cisco Wi-Fi 6 Solutions let users of modern, more agile networks benefit from new capabilities while connecting wirelessly. Cisco’s Wi-Fi 6 gives access points the power to support more clients in dense environments, plus it provides a better experience for users of typical wireless LAN networks.

Partnering for the future of EIS


In late 2021, the General Services Administration (GSA) issued a Request For Information (RFI) seeking comments to modify the EIS contract so that agencies can more quickly obtain mobility-as-a-service (MaaS) offerings (starting in late 2022). This expansion of EIS would allow for the use of 5G and bring the benefits of edge compute to the government workforce.

At Cisco, we’re also planning to provide additional capabilities to the U.S. Government, including 5GaaS capabilities. This could be a game-changer, enabling the U.S. Government to take advantage of mobility services.


For Federal agencies, the transition in EIS contracts provides a unique opportunity to leverage innovative technologies that can maximize network agility and security while enhancing workforce productivity.

At Cisco, we understand this and are helping shape the future of government with products, solutions, and services that empower agile networks, enhanced collaboration, and a holistic security approach. By preparing now, your agency can leverage the upcoming EIS transition to help shape that future.

Source: cisco.com

Monday, 7 March 2022

Cisco 300-435 ENAUTO | Syllabus | Exam Overview | Questions | Study Guide

 

Cisco ENAUTO Exam Description:

The Automating and Programming Cisco Enterprise Solutions v1.0 (ENAUTO 300-435) exam is a 90-minute exam associated with the CCNP Enterprise, Cisco Certified DevNet Professional, and Cisco Certified DevNet Specialist - Enterprise Automation and Programmability certifications. This exam tests a candidate's knowledge of implementing Enterprise automated solutions, including programming concepts, Python programming, APIs, controllers and automation tools. The course, Implementing Cisco Enterprise Automation Solutions, helps candidates to prepare for this exam.

Cisco 300-435 Exam Overview:

Related Study Guide:

Sunday, 6 March 2022

Public Sector: Five Steps to Accelerate Digital Transformation Towards eGovernment


If the past two years have taught us anything, it’s if, given the chance, we’ll choose the ease of clicking a button or an automated service over waiting in line any day. Renew my driver’s license online instead of going to the Department of Motor Vehicles? Yes please! I can opt to have my local government agency call me back when it’s my turn in the call queue instead of waiting on hold for hours? Sign me up!

Yes, delighting customers goes beyond traditional customer service industries. It also applies to the superior digital experiences public sector citizens expect from their local and federal municipalities and government agencies. A 2021 study of U.S. state CIOs showed that 90 percent felt the pandemic increased demand for digital government services, with 75 percent stating that the biggest driver behind expanding digital services was to provide a “better online experience for citizens.” And globally, it’s estimated that more than 60 percent of governments will triple citizen digital services by 2023, and half of all digital government key performance indicators will include a citizen/customer experience metric to ensure that services delivered are citizen-centric.

Accelerating digital transformation

The public sector’s ability to digitally transform and adopt new technologies is key to providing a superior digital experience. But in an industry known for legacy-driven infrastructures and siloed strategies and resources, this transformation can be a challenge. Below are five strategies that should be a key focus.

1. Empower hybrid work

Now that hybrid work has proven to be technically viable, government needs to create better online experiences for citizens and employees. Empower employees to work from wherever they are – at home or in the field. Expand work-from-home options to include work from anywhere. The key is to enable secure and wireless connections combined with various multi-faceted collaboration tools. This effort allows employees to work, maintain productivity, enhance civic life, and stay mobile.

2. Unify and secure network connectivity

Unified, secure connectivity powers hybrid work and enables employees to work from anywhere, so agencies need to invest in unifying and hardening their networks. Now more than ever, they must identify and resolve events faster and stay vigilant for threats. As a government agency, it is imperative to offer encryption and security for work-at-home devices and to expand your identity and access management (IAM) solution to employees and citizen users. A zero-trust secure network and sturdy endpoint detection must accompany that expansion. Proactively stopping breaches and automating updates with an expanded, unified network and security solution, rather than chasing threats and risking vulnerabilities, is now a reality.

3. Accelerate cloud migration

One thing we learned from recent events: it is now time to “go to the cloud”. Digital transformation means a better online experience for citizens as well as employees; it also brings productivity increases and cost savings. If you don’t have a cloud-smart strategy in place now, you should be working on one. Most public sector agencies see the benefit of modernizing by moving applications to the cloud where feasible, whether via infrastructure-as-a-service or a hybrid model that keeps a state-owned data center for many legacy applications. Low-code, intuitive, friendly apps are replacing web-based forms. These and the new breed of cloud-based applications enable instant flexibility, scalability, and accessibility, and the low development and start-up costs of SaaS vendor models enable testing, refinement, and the ability to scale as needed. Pilot early, pilot often. Migrate what you can and, combined with a solid external identity and access management (IAM) cloud security solution, your team can be twice as productive at lower cost.

4. Leverage built-in data analytics

Speaking of budget: forward-thinking agencies also leverage the innovation built into cloud platforms to leap their public services ahead. With big data and predictive analytics tools, they can purchase and use only what they need, when they need it. The ability to stand up new services and enhance existing ones by processing massive amounts of transactional data enables giant leaps in civic life, from wait times in lines to stoplight optimization, even public health emergencies. Data analytics is a game-changer for understanding public data.

5. Power automation with AI/Machine Learning 

There is no greater game-changer than the ability to use Artificial Intelligence and Machine Learning. AI and ML are now available for even the smallest agencies with limited budgets to make life better for their citizens. Small agencies now can run license plate cameras at heavy thoroughfares; police agencies can process massive amounts of audio/video from stoplights and drone cameras. These smaller agencies can run valuable lifesaving and revenue-producing public services with little to no staff with simple automation.


Make public sector digital transformation a reality


Adoption of these strategies and new technologies shines a light on the widening skills gap in the public sector. Case in point: a recent study of European health, government, and education organizations showed that 63 percent said lack of skills and experience is a barrier to their cloud migrations.

Cisco Business Critical Services provides expert, analytics-driven guidance throughout the entire lifecycle to create transformative, adaptive, and resilient IT to improve digital experience for public sector citizens. Steeped in 35 years of experience, Business Critical Services expertise transcends architectures and provides in-country experts to ensure data sovereignty and security clearance needs are met in over 20 countries.

Reach out to your Cisco sales representative or partner today and accelerate your digital transformation journey.

Source: cisco.com

Saturday, 5 March 2022

Cisco stands on guard with our customers in Ukraine


Summary

◉ As the Russia-led invasion intensifies, Ukraine is being attacked by bombs and bytes. Cisco is working around the clock on a global, company-wide effort to protect our customers there and ensure that nothing goes dark.

◉ Cisco Talos has taken the extraordinary step of directly operating security products 24/7 for critical customers in Ukraine while over 500 employees across Cisco have come together to assist in collecting open-source (public) intelligence.

◉ In critical Ukrainian networks, we are taking advantage of advanced product features to create Ukraine-specific protections based on intelligence we have received.

◉ We are closely monitoring telemetry and aggressively convicting threats to protect both our Ukrainian and global customers.

◉ Customers with a mature security model should design their intelligence programs to drive changes in the organization’s defensive posture based on their findings.

◉ We have been successful in our work in Ukraine up to this point and will continue to support our partners there.

Introduction

You may not have noticed, but Cisco has been a different place in the past month. The unjust invasion of Ukraine, and the sense of helplessness we all have felt, has created a motivated collection of Cisco employees working to make life just a little safer and easier in a part of the world many have never been. Teams have set aside their normal tasks and now watch over Ukrainian networks, some have focused on caring for and protecting refugees and others have turned their obsession with social media into a critical component of our open-source intelligence work. The plans have been creative and, while many would have been unthinkable just a week ago, approvals have come fast and everyone has been stretching far beyond their normal workload.

In today’s situation in Ukraine, lives and livelihoods depend on the up-time of systems. Trains need to run, people need to buy gas and groceries, the government needs to get messages out to civilians for morale and for safety. Cybersecurity can be invisible behind all of this. In this blog we talk about a small part of Cisco’s response to this crisis. It is just one of many stories about how the people that make Cisco what it is have responded to an unprecedented crisis. There are lessons here for the defender as well, on what a world-class intelligence team can do when handed a network to defend and a capable set of security tools. But mostly this is a story about the people – from the cubicle to the C-Suite – who would do what little they could.

Calm Before the Storm

This effort has extended through all parts of Cisco and started with Talos – Cisco’s threat intelligence arm – more than a month ago, when we initiated an internal process to manage large-scale events. We began by increasing monitoring in Ukraine as the Russian troop buildup continued. Telemetry from Ukrainian customers was closely scrutinized by intelligence analysts and our SecureX Hunting team. At that point, we were not working with customers directly, just quietly watching over them.

As it became clear that there was a real possibility that Russia would invade, our intelligence team began its quiet work. We do not talk about this a lot, but speaking broadly, any major event will have many small groups of researchers who have grown to trust each other cooperating and sharing information that is not publicly available. Most of these groups are informal, but one of the newer ones, the Joint Cyber Defense Collaborative (JCDC), which works out of the Cybersecurity and Infrastructure Security Agency (CISA), has been public that it is serving as a platform for collaboration between public and private sector partners. Whether organized or informal, public or private, all these groups have been eager to work together to protect Ukraine and the world from Russian aggression online.

When both the website defacements and the first WhisperGate malware deployments occurred in mid-January, we were contacted by three Ukrainian government agencies we have worked with in the past. From that point on, we have continued to support the State Special Communications Service of Ukraine (SSSCIP), the Cyberpolice Department of the National Police of Ukraine and the National Coordination Center for Cybersecurity (NCCC at the NSDC of Ukraine). This support has largely taken the form of incident response, and we have turned the lessons learned in those responses into protections for all our customers.

Our investigations with our government partners in Ukraine led to additional protections for our customers globally as well as a blog post to inform the world of the threats we were aware of and our perspective on those threats. This is a common cycle that has been repeated both before and after the WhisperGate deployments: Ukraine experiences an event, we help investigate, we publish new protections based on what we learned and share our understanding of what happened.

A Growing Threat

As the invasion approached, there were other minor events, but none that had any appreciable impact. These were distributed denial-of-service (DDoS) or unsuccessful wiper attacks and an unconfirmed manipulation of Border Gateway Protocol (BGP) routing. Our assessment is that the best of Russia’s cyber capability was focused elsewhere, likely in espionage activities trying to understand the global response to Russia’s invasion. Regardless of the reason, there were no major cyber incidents against Ukraine in the days leading up to the invasion.

Once the invasion began, things moved very quickly. The amount of information to be processed about what was happening in Ukraine exploded. Talos would like to thank the over 500 Cisco employees from a variety of backgrounds and with many different skillsets who have joined a space dedicated to sharing open-source intelligence about Ukraine to ensure that the intelligence team didn’t miss anything.

Early on, we deployed Secure Endpoint in some new environments under a demo license that was set to expire. When we went to the business to extend it, the decision was made to extend all security licenses for all Cisco customers in Ukraine. During this chaotic period, no customer would lose protection because they were dealing with more important matters than license renewals.

Defending Critical Networks

Additionally, we extended a new offer to critical organizations in Ukraine: Talos would monitor their Secure Endpoint configurations, modify them based on our intelligence and aggressively hunt in their environments for threats at no cost. For each organization that accepted this offer, we assigned a set of engineers to manage the protections and configurations and two hunters from Talos to work with that specific data set.

One of our frequent recommendations to mature organizations is to have an intelligence operation that drives material protections into their defensive tools. Here is an example of why we make this recommendation: In reviewing several pieces of malware, we found multiple command and control (C2) servers in a certain network. Typically, we would block those IPs and move on. But within the context of a nation under an existential threat, for Secure Endpoint installations we control, we blocked the entire network so that if additional C2s opened, they were already blocked. This isn’t appropriate globally – we have no idea what the connectivity needs are for all our customers – but when tasked only with making decisions for Ukrainian critical infrastructure, it’s an easy call.

Another example is the case of HermeticWiper. As part of its activity, the malware drops one of several drivers to support its wiper actions. In Ukraine, for networks we’re actively protecting, we chose to block all of these drivers. Again, globally, we can’t do that – some of our customers may well be using the software that those drivers were stolen from. But when we are looking only from Ukraine’s perspective, we can check the network quickly to confirm those hashes aren’t in use and block them.

In both cases, we are building our defense in depth. Ideally, we block HermeticWiper or a variant when it drops – but if we don’t, then the drivers are blocked. Hopefully, we block any trojan that uses the network we described above when it is dropped by a loader, but if we don’t, then the C2 communications themselves will be blocked. We are always looking for ways to layer defenses so if the adversary out-maneuvers us in one area, we have protections waiting for them.
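The two layers described above (blocking the whole network the C2s live in rather than the individual addresses, and blocking the dropped drivers by hash after confirming they are not in use) can be modelled as a small policy evaluator. The following is an added example written for this page, not Cisco or Talos code and not any Secure Endpoint API. All addresses are RFC 5737 documentation ranges, the "drivers" are constructed byte strings rather than the real HermeticWiper drivers, and the helper that widens the block to the smallest covering prefix is an assumption about how one might pick the scope; the post itself describes blocking the hosting network as a judgment call.

```python
"""Layered block policy: whole-network C2 blocking plus dropped-driver hash blocking.
Added example for this page; not Cisco/Talos code."""
import hashlib
import ipaddress
from dataclasses import dataclass, field

# --- Constructed sample data. RFC 5737 documentation addresses, NOT real C2 hosts. ---
OBSERVED_C2_IPS = ["198.51.100.10", "198.51.100.57", "198.51.100.200"]
# Stand-ins for the legitimate (stolen) driver binaries the wiper drops; the real
# driver hashes are deliberately not reproduced here.
SAMPLE_DRIVERS = [b"constructed driver image A", b"constructed driver image B"]
UNKNOWN_LOADER = b"constructed loader with no known signature"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def minimal_supernet(ips):
    """Smallest single prefix containing every observed address (one IP version).
    Assumed starting point for choosing how wide the network block should be."""
    nets = [ipaddress.ip_network(ip) for ip in ips]
    if len({n.version for n in nets}) != 1:
        raise ValueError("mixed IPv4/IPv6 input")
    net = nets[0]
    while not all(n.subnet_of(net) for n in nets):
        net = net.supernet()
    return net


def hashes_in_use(candidate_hashes, inventory_hashes):
    """The pre-check from the post: before blocking the drivers' hashes, confirm
    none of them is legitimately present in the environment's software inventory."""
    return set(candidate_hashes) & set(inventory_hashes)


@dataclass
class BlockPolicy:
    """Two independent layers: destination networks and file hashes."""
    networks: list = field(default_factory=list)
    file_hashes: set = field(default_factory=set)

    def connection_blocked(self, dst_ip: str) -> bool:
        addr = ipaddress.ip_address(dst_ip)
        return any(addr in net for net in self.networks)

    def file_blocked(self, data: bytes) -> bool:
        return sha256_hex(data) in self.file_hashes

    def first_blocking_stage(self, chain):
        """Walk an attack chain of ("file", bytes) / ("connect", ip) events and
        return the index of the first stage some layer stops, or None if the
        whole chain would run unopposed."""
        for i, (kind, value) in enumerate(chain):
            if kind == "file" and self.file_blocked(value):
                return i
            if kind == "connect" and self.connection_blocked(value):
                return i
        return None


def narrow_policy():
    """Per-indicator blocking: only the exact observed C2 addresses (/32s)."""
    return BlockPolicy(networks=[ipaddress.ip_network(ip) for ip in OBSERVED_C2_IPS],
                       file_hashes={sha256_hex(d) for d in SAMPLE_DRIVERS})


def broad_policy():
    """The approach the post describes for the Ukraine deployments: the whole
    network the C2s live in, plus the dropped drivers' hashes."""
    return BlockPolicy(networks=[minimal_supernet(OBSERVED_C2_IPS)],
                       file_hashes={sha256_hex(d) for d in SAMPLE_DRIVERS})


# Constructed attack chains. A new C2 appears in the same network after the
# initial IOCs were collected; the wiper's loader has no signature but drops a
# driver whose hash is already on the block list.
NEW_C2_CHAIN = [("file", UNKNOWN_LOADER), ("connect", "198.51.100.77")]
WIPER_CHAIN = [("file", UNKNOWN_LOADER), ("file", SAMPLE_DRIVERS[1])]

if __name__ == "__main__":
    inventory = {sha256_hex(b"constructed benign application")}  # constructed
    print("driver hashes already in use:",
          hashes_in_use({sha256_hex(d) for d in SAMPLE_DRIVERS}, inventory))
    print("supernet of observed C2s:", minimal_supernet(OBSERVED_C2_IPS))
    print("narrow policy stops new-C2 chain at:",
          narrow_policy().first_blocking_stage(NEW_C2_CHAIN))
    print("broad policy stops new-C2 chain at:",
          broad_policy().first_blocking_stage(NEW_C2_CHAIN))
    print("broad policy stops wiper chain at:",
          broad_policy().first_blocking_stage(WIPER_CHAIN))
```

The narrow policy lets the new C2 through (the loader is unknown and the address is not an exact match), while the broad policy stops the same chain at the connection stage; the wiper chain is stopped at the driver drop even though the loader itself was never signatured. The `hashes_in_use` check is the guard that makes the hash layer safe to deploy in a specific environment but not globally.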

So far, this activity has been successful in protecting our customers, including blocking what we assess to be wiper attacks very early in the attack chain. The work of our intelligence group – and let me be clear that this includes our cooperation with organizations and individuals outside of Cisco – has allowed us to have insight into several different attack chains. While we can’t publish this information because of information-sharing restrictions (mainly to protect operational security), we can leverage that information in specific networks, blocking certain things or writing advanced content signatures that look for certain patterns. This intelligence work has led directly to successful defense in Ukraine. For that, we thank all the unnamed partners – corporations and individuals – who have quietly worked with us.

Guidance for Customers

Now is not the time to tell every story, but we shared these examples because of the risk that this conflict will extend beyond the borders of Ukraine. Organizations globally should look at their intelligence teams and work to ensure they are directly driving the defensive posture of the organization. Organizations should consider how their tolerance for false positives has changed given the current threat environment and allow their teams to move more aggressively if possible.

The world right now is more dangerous than it has been in decades, and organizations need to be creative in how they restructure their defenses. We often say that in the end, humans are the most critical part of your defense. This is the kind of threat we have in mind when we make that statement.

Source: cisco.com