Cisco has determined that Cisco dCloud is at a high risk due to the observation of attack by 13 different families of malware. Cisco Advanced Malware Protection (AMP) was deployed for an assessment period of 7 days. This report is a record of what was found on the network during this time.
Cisco recommends that Advanced Malware Protection (AMP) be deployed to:
- Establish continuous visibility into advanced malware
- Augment existing controls in order to mitigate this risk
II. Assessment Results
Hosts Displaying Indications of Compromise
Special attention should be paid to computers showing a high number of indications of compromise, as they are likely to be exfiltrating information from your private systems. Devices in this category have likely had malware residing on them for some time, with the initial infection missed by existing security protections, or are currently under attack.
Host Address      IOC Count
10.141.10.27      2
10.141.10.34      2
10.141.10.41      2
10.141.10.53      2
10.141.10.91      2

Total Hosts Connected to CnC Servers (details on next page): 0
Common Indications of Compromise Found
Indications of compromise take many forms: a host may have been seen executing malware, connecting to a Command & Control server, being targeted with a high-impact attack, or actively leaking data. The following are a sample of the different IOCs detected against live systems across the monitored network.
Most Common IOC Types Discovered

Category            Description                                            Count
Malware Detected    The host has encountered malware                       132
Impact 2 Attack     The host was attacked and is potentially vulnerable    68
Impact 1 Attack     The host was attacked and is likely vulnerable         8
Malware Found on the Network
Top threats seen in your environment should be researched, because they may affect your security exposure. You should take action to remove these specific threats and prevent their reintroduction:
File-based Malware Detections

Malware Name                   Number of Detections    Number of Hosts
(no name given)                87                      70
W32.553CC30ACC-95.SBX.TG       19                      18
Win.Trojan.Trafox-3            15                      12
W32.2782A4ABB1-100.SBX.TG      13                      11
III. File Details
Files Seen Moving Around the Network
The following file types have been seen moving around the network. To limit your exposure to malware risk, it is wise to control data movement by policy. File movement can be controlled by user, group, network zone, application, protocol, file type, and disposition.
Type            Count
MSEXE           189
MSOLE2          55
BINARY_DATA     46
JAR             40
ZIP             37
Dynamic Analysis & Threat Score
File Name        SHA256                  Threat Score
9VKH.dOC         4cd88851...310078b3     Very High
Alcan.exe        2782a4ab...9c50404f     Very High
Babonock.exe     2782a4ab...9c50404f     Very High
Badtrans.exe     6232ea9b...3299b4aa     Very High
Bamital.exe      7ff81093...293edc5c     Very High
Bancos.exe       0b0b24ca...16ae69ea     Very High
Banker.exe       7ff81093...293edc5c     Very High
Banload.exe      2782a4ab...9c50404f     Very High
Banload.exe      553cc30a...097b27ca     Very High
Bob.exe          7ff81093...293edc5c     Very High
Dynamic Analysis Summary Output
Below is an example of dynamic analysis output taken from one file found on your network. This file had a threat score of Very High. A more detailed analysis of this file is available in the FMC, along with screenshots, the network traffic it generated, and any files it may have dropped.
File Sample: 9VKH.dOC
Threat Score: Very High
Observations
IV. Malware Risk to the Business
Impact of Malware Types
Malware exposes the organization that encounters it to different types of risk. Malware is commonly categorized into types that enable the security team to deal with the immediate threat. Below are the types of malware commonly discovered by Cisco solutions.

Malware Type         Risk to Business
Botnet client        Denial of Service, Information Theft: A botnet is a collection of computers controlled by a third party. Hosts controlled by a botnet may steal information from your organization or be used to launch denial-of-service attacks, send spam, or conduct other undesirable activity.
Trojan / Backdoor    System Degradation, Information Theft: A trojan horse is a program that appears to be benign to an end user but is in fact malicious. It can be used to steal information or introduce control
Spyware              Information Theft: Spyware is software installed on machines that collects information without users' knowledge and forwards it to other organizations.
V. Recommendations
Despite your existing network and endpoint protections, advanced malware is getting through and placing your organization at risk. Additional countermeasures and security controls are required to mitigate the risk.
Cisco recommends that Cisco dCloud deploy Firepower Appliances with Advanced Malware Protection to:
- Establish continuous network visibility into its advanced malware risk
- Augment its existing controls in order to mitigate this risk
- Add host protection and enhanced remediation via AMP connectors
1. Establish Continuous Malware Visibility
Existing protections are neither dynamic enough nor capable of fully protecting from new or unknown threats that emerge daily. Cisco recommends deployment of network-based protections via Firepower Appliances with Advanced Malware Protection. Advanced Malware Protection can be enabled through a license on any NGFW or NGIPS appliance from Cisco. This will provide the following new capabilities and benefits:
New Capability                       Benefit
Network Based Detection              Detect and block advanced malware from existing network IDS/IPS infrastructure
Trend Analysis                       Measure and see how effective your protections are over time
Cloud-Based Analytics                Powerful cloud analytics leverage Cisco's vast security intelligence and expertise without complex or costly deployment
Full-stack Visibility                Identify and understand the file types traversing your networks and make intelligent decisions based on Cisco reputational data
Advanced Malware Protection (AMP)    Protect against malware with AMP for Networks, which includes integration with AMP ThreatGRID for superior sandboxing, security intelligence, and advanced file analysis. AMP for Endpoints additionally provides endpoint protection for defense in depth
Security Intelligence                With unparalleled visibility into the Internet, Cisco Talos provides dynamic IP and URL blacklists to protect against malicious websites
Virtual Protection                   Monitor VM-to-VM communications the same as physical networks
2. Augment Controls to Mitigate Risk
Deploying additional countermeasures can help mitigate the risk that advanced malware poses. These measures may entail control of the threat surface, blocking the entry and propagation of malware or suspect file types, and rapid notification upon discovery of new malware.
Cisco recommends deployment of network-based protections via Firepower Appliances with Advanced Malware Protection. These provide the following new capabilities and benefits:
New Capability              Benefit
24/7 Real-Time Protection   Deploy in-line for continuous network protection and minimize propagation of advanced malware
IP and URL Blacklisting     Block bot CnC, open proxy, and custom IP lists from your IPS
DNS Sinkholing              Intercept DNS requests to malicious sites, and redirect if desired
Retrospective Alerting      Alert on files deemed malicious by the Cisco Security Intelligence cloud even after infection - leverage community awareness to know when you may be at risk of infection
3. Add Host Protection & Enhanced Remediation Via AMP for Endpoints
Typically, advanced malware enters the network via hosts (compromised end devices such as PCs, smartphones, etc.). Having a presence in the host/client-side OS makes it easier to determine root cause and malware trajectory, and gives more control over the spread of malware (even after a compromise!). It also helps to speed post-infection clean-up efforts.
Cisco recommends AMP for Endpoints for additional visibility and control. These provide the following new capabilities and benefits:
New Capability            Benefit
Host Protection           Deploy Cisco AMP to gain additional protection and more capability to take action against malware at the host
Mobile Protection         Protect mobile workers and Android-based devices from advanced malware attacks
Virtual Protection        Protect Virtual Desktop communications the same as physical networks
Malware Trajectory        Understand how malware enters and trace the path of infection to identify 'patient zero'
File Analysis             Get advanced malware analysis with Cisco AMP and integrated ThreatGRID technology
Retrospective Detection   Recall files deemed malicious by the Cisco Security Intelligence cloud even after infection - automate and speed malware cleanup
In addition, Cisco offers NGIPS capabilities and optional Application Control and URL Filtering, to help better protect against the latest threats. Please contact your Cisco representative or reseller for more information.
About Cisco
It's no secret that today's advanced attackers have the resources, expertise, and persistence to compromise any organization at any time. As attacks become more sophisticated and exploit a growing set of attack vectors, traditional defenses are no longer effective.
It's more imperative than ever to find the right threat-centric security products, services, and solutions for your current environment. These solutions must also easily adapt to meet the evolving needs of your extended network, which now goes beyond the perimeter to include endpoints, mobile devices, virtual machines, data centers, and the cloud.
For over three decades, Cisco has been a leader in network security protection, innovation, and investment. Our expertise and experience help us increase intelligence and expand threat protection across the entire attack continuum for a level of security you can build your business on.
Cisco delivers intelligent cybersecurity for the real world.
Contact Us
Want to learn more about getting this information on your network? Go to cisco.com/go/security and request a live demo.