Beruflich Dokumente
Kultur Dokumente
Table of Contents
EXECUTIVE SUMMARY AND MAJOR FINDINGS..... 2
TIME TO SECURE.................................................. 26
INTRODUCTION...................................................... 5
Staying Power............................................................................... 7
Vulnerabilities.............................................................................. 11
TIME TO OPERATE.................................................13
1 | Table of Contents
CONCLUSION....................................................... 54
ABOUT CISCO...................................................... 55
Contributors to the Cisco 2016 Midyear Cybersecurity Report..... 55
Executive Summary
and Major Findings
Defenders must reduce attackers time to operate.
It is the key to undermining their success.
Attackers currently enjoy unconstrained time to operate.
Their campaigns, which often take advantage of known
vulnerabilities that organizations and end users could have
and should haveknown about and addressed, can remain
active and undetected for days, months, or even longer.
Defenders, meanwhile, struggle to gain visibility into threat
activity and to reduce the time to detection (TTD) of both
known and new threats. They are making clear strides but
still have a long way to go to truly undermine adversaries
ability to lay the foundation for attacksand strike with high
and profitable impact.
The Cisco 2016 Midyear Cybersecurity Reportwhich
presents research, insights, and perspectives from Cisco
Security Researchupdates security professionals on the
trends covered in our previous security report while also
examining developments that may affect the security
landscape later this year.
Our observation of recent developments within and from
the shadow economy confirms that adversaries have
become only more focused on generating revenue.
Ransomware has become a particularly effective
moneymaker, and enterprise users appear to be the
MAJOR FINDINGS
Ransomware is dominating the malware market.
Although it is not a new threat, it has evolved to
become the most profitable malware type in history
and businesses are now becoming a target of choice
for some ransomware operators. In the first half of
2016, ransomware campaigns targeting both individual
and enterprise users became more widespread and
potent. On the horizon: faster and more effective
propagation methods that maximize the impact of
ransomware campaigns and increase the probability
that adversaries will generate significant revenue.
Exploit kits, which have helped ransomware to
become such a prominent threat, continue to take
advantage of Adobe Flash vulnerabilities. In Cisco
researchers recent examination of the popular
Nuclear exploit kit, for example, Flash accounted for
80 percent of successful exploit attempts.
Vulnerabilities in the enterprise application software
JBoss are providing attackers with a new vector
that they can use to launch campaigns such as
ransomware. Cisco research shows that JBossrelated compromises have made significant inroads
within servers, leaving them vulnerable to attack.
From September 2015 to March 2016, Cisco security
researchers observed a fivefold increase in HTTPS
traffic related to malicious activity. The rise in this type
of web traffic can be attributed largely to malicious
ad injectors and adware. Threat actors are increasing
their use of HTTPS encrypted traffic to conceal their
activity on the web and expand their time to operate.
Introduction
Defenders are not protecting systems in a way that
matches how attackers do their work. Although
defenders have evolved their strategies and tools for
fighting online criminals, attackers are still permitted
far too much unconstrained time to operate.
Lack of visibility is the problem, leaving users open
to attacks. Security professionals reliance on point
solutions and a triage approachtrying to stop attacks
here and there, instead of looking holistically at security
challengesis playing to attackers strengths.
With time on their side, attackers can identify and use
vulnerabilities in infrastructure, systems, and devices
deployed but unmaintained or simply long forgotten.
They can gain a foothold in networks and move laterally.
And they can launch server-based campaigns that give
them more operational space in which to work, and
provide a greater return on investment.
5 | Introduction
We expect the next wave of ransomware to be even more pervasive and resilient.
Organizations and end users should prepare now by backing up their critical data
and confirming that those backups will not be susceptible to compromise.
COMMAND-AND-CONTROL AND
REPORTING INFECTIONS
To reduce the risk of discovery, next-generation ransomware
could be configured to have no command-and-control
functionality. This module would transmit a beacon with a
GUID (globally unique identifier) to a command-and-control
domain, trying to reach this domain through common
protocols and services such as HTTP, HTTPS, or DNS, to
transmit this data. The domain could then collect these
GUIDs for statistics on the number of infected and encrypted
systems in a targeted network. Attackers could use this
information to determine the effectiveness of their campaigns.
RATE LIMITER
This module would ensure that ransomware would be
polite to system resources, making it less likely that the
user will notice it running. It would limit the amount of CPU
usage, throttle its network usage down to a trickle, and
ensure that it performs as subtly as possible.
Vulnerabilities
2500
2992
2000
Cumulative Alerts
3000
1500
1327
1000
634
500
0
Jan
Feb
Mar
Apr
Month
2013
2014
2015
2016
SHARE
Defenders refine and innovate their processes to close gaps through vulnerability
disclosure and patching, but attackers use their skills to open these gaps yet again
creating attacks that are more numerous and more complex and that undermine
defenders ability to respond.
11 | Cybercrime Trend Spotlight: Ransomware
SHARE
Figure
XX.
Rise
of Authentication
Cryptographic
Issues
(DecMar)
Figure 2.
Rise
of Authentication
and +
Cryptographic
Issues,
DecemberMarch
254
245
133
112
53
25
CWE-79: Cross-Site
Scripting (XSS)
2015
2016
19
CWE-287:
Authentication Issues
Trending Upward
116
95
CWE-399: Resource
Management Errors
13
CWE-310:
Cryptographic Issues
85
49
77
39
CWE-264: Permissions,
Privileges, and
Access Control
CWE-200: Information
Leak/Disclosure
38
Time to Operate
Time to Operate
The rise in ransomware activity, and the breadth of recent campaigns,
underscore how adversaries benefit from having unconstrained time to operate.
It allows them to quietly lay the groundwork for their campaigns, strike when
they are ready, and ultimately succeed in generating revenue from their efforts.
To conceal their activity, they are using cryptocurrency, Tor, HTTPS encrypted
traffic, and Transport Layer Security (TLS). Meanwhile, exploit kit authors
further enable their success by moving fast to reverse-engineer patches and
exploit unmanageable vulnerability disclosures. And a new twist to malvertising
is providing adversaries with a high-efficiency and hard-to-track method to
increase traffic to compromised sites, so they can infect users machines and
eventually launch ransomware attacks.
14 | Time to Operate
CVE2015-7645
Nuclear
Magnitude
Angler
Neutrino
RIG
CVE2015-8446
Angler
Silverlight
CVE2015-8651
CVE2016-1019
Nuclear
Nuclear
Magnitude
Angler
Neutrino
CVE2016-1001
CVE2016-4117
CVE2016-0034
Angler
Nuclear
Magnitude
Angler
Angler
SHARE
Threat Spotlight: Exploit Kit Goes International, Hits 150+ Countries, Cisco Talos blog, April 20, 2016:
http://blog.talosintel.com/2016/04/nuclear-exposed.html.
15 | Time to Operate
RIG
16 | Time to Operate
SHARE
Figure 4. Vulnerabilities by Infrastructure Vendor, January 1March 30, 2016
Oracle
325
Microsoft 130
17 | Time to Operate
HP
34
Canonical
(Ubuntu) 31
IBM
123
Cisco
98
Fedora
Project
27
Debian
87
Linux
23
Apache
46
SAP
22
Novell
40
Red Hat
21
Huawei
38
SHARE
United Kingdom
6%/415
Canada
16%/181
Netherlands
15%/69
Russia
21%/81
Japan
11%/112
France
10%/294
Germany
7%/460
U.S.
11%/4094
China
19%/1780
Republic
of Korea
17%/184
Hong Kong
11%/122
Brazil
12%/844
Australia
9%/160
% Compromised
Source: Cisco Security Research
18 | Time to Operate
JBoss Headers
Netherlands
25,437 | 25,346
Ukraine
United Kingdom
22,810 | 13,342
44,426 | 17,814
Russia
51,651 | 34,690
France
54,371 | 40,553
United States
267,398 | 177,124
Germany
105,605 | 71,388
Mexico
26,876 | 43,706
Brazil
42,781 | 48,901
Argentina
23,646 | 15,260
SHARE
19 | Time to Operate
Italy
25,556 | 14,721
China
165,249 | 137,217
India
60,627 | 45,320
Japan
41,908 | 32,291
Republic
of Korea
19,051 | 14,275
Taiwan
17,309 | 11,556
Vietnam
139,583 | 114,219
Message Summary
Language
Last Publication
Date (GMT)
95
RuleID4626
Invoice, Payment
German, English
3.18.16
82
RuleID4400KVR
Purchase Order
English
2.1.16
64
RuleID4626(cont)
Invoice, Payment,
Shipping Confirmation
English, German,
Spanish
1.28.16
62
RuleID4961KVR
Payment, Transfer,
Order, Shipping
English
3.25.16
58
RuleID4961KVR
Quote Request,
Product Order
English, German,
Multiple Languages
1.25.16
52
RuleID5118KVR
Product Order,
Payment
German, English
3.17.16
49
RuleID858KVR
Shipping Quote,
Payment
English
3.14.16
47
RuleID4961
Transfer, Shipping,
Invoice
English, German,
Spanish
2.22.16
44
RuleID4627 and
RuleID4627KVR
English
3.29.16
30
RuleID8337KVR
Order, Payment,
Quote
English
1.21.16
# of Versions
SHARE
20 | Time to Operate
SHARE
Figure
X.Ad
AdInjectors
Injectors
Are
Major
Source
Figure 8.
Are
Major
Source
of
of HTTPS
Increase
HTTPS
Increase
Figure
X.HTTPS
HTTPS
Traffic
Increase
forPercent
Ad Injectors
Figure 9.
Traffic
Increased
300
for
Ad Injectors
in 4-Month
Period April 2016
April
2015 Through
350K
500K
298,863
430,946
303,808
300K
250K
200K
113,753
150K
108,618
100K
400K
303,808
300K
200K
154,464
100K
84,408
50K
Apr
Jun
Aug
2015
Oct
Month
Ad Injectors HTTPS
Source: Cisco Security Research
21 | Time to Operate
Dec
Feb
2016
HTTPS
Apr
Apr
Jun
Aug
2015
HTTPS Traffic
Source: Cisco Security Research
Oct
Month
Dec
2016
HTTP Traffic
Feb
Apr
SHARE
Figure 10.
Component
Observed
Figure
X. Ad
Ad Injectors
InjectorsaaMain
Main
Component
in
Adware
Infections
Observed in Adware Infections
Ad-Injector
Extensions
Other
Adware
Adware
Multiplug
BrowseFox
Fake Search
Adware
DNSChanger Outbreak Linked to Adware Install Base, Cisco Security Blog, February 2016: http://blogs.cisco.com/security/dnschanger-outbreaklinked-to-adware-install-base.
22 | Time to Operate
SHARE
Figure 11. How Malvertising as a Service (MaaS) Works
Ads
RIG
Redirect to
Malware
Servers
Malicious Ads
Pass Through
Ad Exchange
Sports
User Looking for
Free Streaming
Websites
Source: Cisco Security Research
23 | Time to Operate
Redirect to
Malware
Servers
Anime
For more details on the malvertising-as-aservice trend, see the Cisco Talos blog post:
Threat Spotlight: Spin to Win Malware
24 | Time to Operate
SHARE
ro
D
id
ro
6517
4510
3676
3478
2640
nd
IF
ra
7301
in
pp
n
io
ct
je
In
s
do
w
id
nd
A
ro
sh
er
s
ke
r
e
al
M
g
in
M
sh
10,299
Pa
c
ar
w
al
nd
Tr roi
oj d
an
10,984
Ph
i
17,249
Fl
a
20,783
D
25,744
ar
ow
Tr nl
oj oa
an d
s er
Ja
va
Re Sc
d i r ip
re t
ct
io
n
s s
ow rie
d
in n a
W Bi
Fa
c
S c eb o
am o k
s
25 | Time to Operate
er
t
g
D
ow
nl
Tr
o
ki
ot
in
Ba
nk
Ro
Li
nu
ja
am
fr
tI
rip
n
Pa oad
s
er
Tr sw
oj or Tro
an d
j
Th an
ef
t
ar
al
M
Ja
va
Sc
SM
nd
ro
id
ja
al
M
e
ic
Tr
o
VB
ff
O
er
Ifr
am
ar
dw
Source: Cisco Security Research
A
17
e
ar
w
t
rip
Sc
Ja
va
nd
ro
id
er
pp
D
ro
Tr
o
Tr
o
ja
ja
e
ar
om
Ra
ns
14
as
Fl
15
Tr
o
ja
Tr
o
h
ja
or
Tr
o
ja
Time to Secure
26 | Time to Operate
Time to Secure
Even though defenders are always innovating, the infrastructure on which the digital
economy depends remains fragileand reliant on inadequate security practices.
Today, there are many entryways for attackers, thanks to the hodgepodge of web
browsers, applications, and infrastructure in place at most organizations.
These poorly protected devices and software open up operational space
to attackersand security professionals must close the space. Reducing
the unconstrained operational space of adversaries, and making attackers
presence known, are the top jobs for security.
27 | Time to Secure
Figure
Chrome
Installations
by Version
Note: The X.
time-to-patch
charts
in this section show
results for the top 50 percent of the populations studied. By highlighting a simple majority of the
population, it is easier to see whether updating is working as intended, or whether there are more pervasive barriers to securing the customer base.
Version
Adoption
41.0.2272
5
10
42.0.2311
15
43.0.2357
20
44.0.2403
25
30
45.0.2454
35
46.0.2490
40
45
47.0.2526
50
52.5
Source: Cisco
Security
Research
Figure
15. Java
Installations
by Version (Top 50 Percent of Users)
Version
Adoption
7.0.720
7.0.710
7.0.670
7.0.650
7.0.600
7.0.550
7.0.510
7.0.450
Versions
7.0.750 7.0.760
Week 0
10
7.0.790 7.0.800
15
20
25
30
35
40
45
50
52.5
40
45
50
52.5
Figure
16. Microsoft
Office Installations by Version (Top 50 Percent of Users)
Source: Cisco
Security Research
Version
Adoption
15.0.4569
15.0.4454
15.0.4420
14.0.4762
Version Released
Week 0
10
15
20
25
30
35
SHARE
28 | Time to Secure
29 | Time to Secure
Figure17.
X. Percentage
PercentageofofDevices
Devices
Running
Known
Vulnerabilities
by Age
Figure
Running
Known
Vulnerabilities
by Age
Of observable vulnerable
Cisco installations,
5.6 years = average time frame
open to vulnerabilities
>23%
~16%
of Devices
~10%
of Devices
of Devices
10
Years Vulnerable
SHARE
Cisco identified the 115,000 devices in our 1-day sample by scanning the Internet and then looking at the devices from the outside in
(from the Internet view and into the enterprise). For more details on how the analysis was conducted, see the Cisco 2016 Annual Security Report,
available here: cisco.com/go/msr2015.
30 | Time to Secure
Figure
X. Percentage of Vulnerable Cisco Devices
Figure 18. Percentage of Vulnerable Cisco Devices by Region
15.5
Western Europe 4.4
11.2
Eastern Europe
3.2 West Asia
South America
10.9
East Asia
South Asia
6.8
Southeast Asia
31 | Time to Secure
17.8
6.7
1.0 Caribbean
West Africa 1.2
SHARE
Installations by Product
Overall
3,187,102
15.97
Apache httpd
3.90
885,918
17.59
5.12
Total Observable
Installations
Average # of
Vulnerabilities
Average Years
Vulnerable
OpenSSH
704,630
8.15
4.95
SHARE
Northern Europe
North
America
39.8
Western Europe
6.3
15.8
10.7
Eastern Europe
0.3 Caribbean
Central America 1.7
East Asia
South America
4.4
Southern Africa 0.3
32 | Time to Secure
Figure
Figure21.
X. Software
SoftwareHygiene
HygieneOverview:
Overview
Cisco Versus
Apache
and OpenSSH
Cisco vs. Apache
and Open SSH
5.41 Years
Vulnerable
SHARE
33 | Time to Secure
Cisco
4.63 Years
Vulnerable
Figure
X.indications
Mean Years
Cisco Devices
Been Vulnerable
There are
that developing
nations Have
are lagging
SHARE
Figure 22. Mean Years That Cisco Devices Have Been Vulnerable by Region
Northern Europe 5.3
Western Europe 5.0
North America 5.6
6.1
North Africa
6.5
5.1 Caribbean
5.8
West Africa 5.4
South America
6.8
6.1
East Asia
West Asia
South Asia
Middle Africa
5.6
Southeast Asia
5.8
Australia and
5.1
New Zealand
5.9
Southern Africa
Figure X. Mean Years That Various Types of Server Software Have Been Vulnerable, by Region
FigureCisco
23. Security
Mean Years
That
Source:
Research
5.3
4.3
Central Asia
5.0
5.4
Middle Africa
East Africa
5.0
34 | Time to Secure
East Asia
Caribbean
West Africa 4.8
5.2
Australia and
3.7
New Zealand
% of HTTPS Traffic
in 2016 to Date
40
40.20%
36.89%
36.99%
36.74%
25.80%
25.59%
25.22%
Feb
Mar
Apr
2016
30
24.01%
25.86%
2015
20
Jan
Month
35 | Time to Secure
May
SHARE
Figure 25. HTTPS Malware Traffic Increase
January
2016
Figure X.2015April
HTTPS Malware
Traffic Increase
tisement
Category JanApr
+9.27%
(from 2015)
ines and
eng
po
ch
rt
r
a
al
s
Se
to 96.83%
ing
Ch
a
+8.58%
instant mes
sa
nd
g
ta
+8.23%
(from 2015)
to 34.06%
Figure
Top Applications
Figure 26.
X. Top
ApplicationsUsing
UsingHTTPS
HTTPS
(from 2015)
to 64.27%
Organizational Email
97.88%
96.83%
Web-Based Email
96.31%
95.70%
Internet Telephony
95.07%
Professional Networking
90.78%
Social Networking
81.15%
67.63%
Streaming Video
64.71%
64.27%
Photo Search/Images
61.90%
Webpage Translation
54.60%
54.36%
36 | Time to Secure
% Avg. HTTPS
25
Percentage
30
20
15
10
Jul
Aug
Sep
Oct
Nov
Month
37 | Time to Secure
Dec
Jan
Feb
Mar
Malware Families
Families that
use TLS
with weak and
outdated
parameters
razy
zusy
bergat
tescrypt
More Similar
deshacop
parite
Families that use
TLS with weak
parameters,
but with extensions
similar to that
of benign traffic
sality
zbot
upatre
virtob
Less Similar
dynamer
Families that
use TLS with
recommended
parameters
skeeyah
symmi
toga
dridex
virlock
toga
dridex
symmi
skeeyah
virtob
dynamer
zbot
upatre
sality
parite
tescrypt
deshacop
zusy
bergat
razy
kazy
yakes
virlock
Malware Families
Source: Cisco Security Research
38 | Time to Secure
SHARE
SHARE
True Label
deshacop
Accurate Prediction
zbot
Less Predictable
tescrypt
Error in Prediction
parite
sality
virtob
toga
upatre
bergat
dynamer
skeeyah
Predicted Label
Source: Cisco Security Research
39 | Time to Secure
dridex
skeeyah
dynamer
upatre
bergat
toga
virtob
sality
parite
zbot
tescrypt
zusy
deshacop
razy
yakes
symmi
virlock
kazy
dridex
Figure 30.
Median TTD
Figure
X. Median
TTDbybyMonth,
Month,
DecemberDecember
2014April 2016
2014-April 2016
TTD (Hours)
60
Dec
Month
113,657
103,981
62,561
110,637
Dec
67,429
185,539
451,672
184,353
2016
150,480
205,601
2015
192,975
197,158
112,664
100K
96,106
300K
112,766
Retrospectives
2014
500K
286,475
379,366
8.64
For the period from December 2015 through April 2016, the
median TTD was even lower: about 13 hours. That figure
is the weighted average of the five medians for the period
observed.
Apr
SHARE
40 | Time to Secure
40
20
50.29
2.65%
2.57%
2.91%
3.60%
4.23%
4.39%
5.15%
4.49%
4.68%
4.91%
4.98%
5.14%
5.05%
5.01%
4.85%
4.58%
4.43%
4.21%
4.52%
3.91%
3.63%
3.17%
3.25%
3.64%
7.5%
3.28%
0%
1AM
12PM
12AM
SHARE
41 | Time to Secure
Figure 32: TTD Medians of Top Malware Families (Top 20 Families by Detection Count)
Figure X. TTD Medians of Top Malware Families (Top 20 Families by Detection Count)
Average Overall Median
55,000
bayrob
50,000
45,000
40,000
Voulme
35,000
30,000
25,000
20,000 installcore
nemucod
15,000
10,000
5000
0
trojan
convertad
mydoom
0
agent
vopak
nivdort
kryptik
mail
linkury
injector ransom eorezo
amonetize pullupdate
somoto
20
40
TTD (Hours)
Malware Families Associated with Ransomware
Source: Cisco Security Research
SHARE
42 | Time to Secure
browsefox
coupons
60
120
February
March
April
1. bayrob
downloader
downloader
bayrob
2. downloader
installcore
nemucod
downloader
3. installcore
convertad
agent
installcore
4. agent
msil
installcore
nemucod
5. convertad
browsefox
convertad
agent
6. ransom
linkury
mydoom
convertad
7. linkury
nemucod
msil
fareit
8. kryptik
agent
browsefox
msil
9. browsefox
kryptik
kryptik
trojan
mydoom
vilsel
heur
10. msil
43 | Time to Secure
dridex
bayrob
0
Detected Later
(>Median)
xtrat
nemucod
teslacrypt
13
(Median)
ngrbot
50
TTD (Hours)
100
44 | Time to Secure
Note: When making security improvements, organizations should take into account any regulatory compliance mandates or other industry-related
directives they must adhere to, as these mandates may impact how the organization specifically approaches certain aspects of security, such as data
protection and data privacy.
45 | Time to Secure
46 | Time to Secure
Figure35.
X. Web
WebBlocks
BlocksbybyCountry
Country
Figure
Sweden
0.01/0.00
Canada
0.15/0.03
Great Britain
0.01/0.02
Virgin Islands
0.16/0.03
U.S.
0.02/0.08
Venezuela
0.09/0.14
Mexico
0.02/0.01
Guatemala
0.08/0.02
Panama
0.34/0.08
France
0.03/0.04
Lithuania
0.13/0.03
Brazil
0.01/0.01
Romania
0.12/0.22
2016
China
0.10/0.09
India
0.01/0.01
Vietnam
1.0/0.9
Singapore
0.01/0.01
Argentina
0.02/0.02
2015
Russia
0.02/0.03
Hong Kong
0.15/0.03
Malaysia
0.15/0.08
Australia
0.01/0.33
Indonesia
0.07/0.18
SHARE
SHARE
Figure
XX.Monthly
Monthly
Vertical
Block
Rates,
Figure 36.
Vertical
Block
Rates,
January-April2016
2016
JanuaryApril
January
March
April
Accounting
1.38
0.70
1.01
0.94
1.65
1.13
1.53
0.28
Automotive
0.93
1.40
0.75
0.60
Aviation
0.82
0.84
0.31
0.74
0.31
0.51
0.67
2.54
0.33
0.17
2.16
1.88
4.17
0.00
0.05
0.17
Education
1.48
0.73
1.13
0.71
Electronics
0.97
3.35
0.01
0.00
1.63
0.95
1.26
0.35
1.28
0.79
0.63
0.51
Entertainment
0.65
0.56
0.60
0.21
0.24
0.31
0.87
2.60
Government
0.11
0.24
0.33
2.80
Healthcare
0.07
0.06
0.04
4.22
1.88
1.06
0.40
0.27
IT and Telecommunications
0.25
0.95
1.89
1.28
Industrial
0.78
0.97
0.81
1.36
Insurance
0.58
0.53
0.66
1.24
Legal
1.11
0.66
1.23
0.51
Manufacturing
0.90
0.73
0.63
0.92
0.43
0.23
0.65
0.07
0.62
0.32
0.87
1.00
Professional Services
1.02
0.38
0.43
0.18
0.41
0.53
1.26
0.19
1.28
0.56
0.77
0.48
0.31
0.24
0.49
3.21
1.29
0.97
0.34
0.64
Utilities
1.03
0.79
0.79
1.16
February
Security Recommendations
As the next generation of ransomware evolves,
organizations need to employ a first line of defense
that will impede the opportunity for lateral movement and
propagation and reduce adversaries time to operate.
That first linein addition to basic best practices such as
patching vulnerable Internet infrastructure and systems
(see page 22 and page 29) and improving password
management (page 44)includes network segmentation.
Organizations can use network segmentation to stop or
slow the lateral movement of self-propagating threats as
well as contain them. There are multiple components for
segmented networks that organizations should consider
implementing such as:
VLANs and subnets for logically separating access to
data, including at the workstation level
Dedicated firewall and gateway segmentation
Host-based firewalls with configured ingress and
egress filtering
Application blacklisting and whitelisting
Role-based network share permissions (least privilege)
Proper credential management
THE LAST LINE OF DEFENSE: BACKUP RECOVERY
Backup recovery is the last line of defense for organizations
that want to avoidtoday, and in the futurepaying a kings
ransom to attackers who have encrypted their data with
ransomware (page 10). However, the ability to recover from
a ransomware attack with minimal data loss and service
interruption will depend on whether system backups and
disaster recovery sites have been compromised.
Conclusion
Todays attacks currently outpace defenders ability to
respond. As long as attackers are permitted unconstrained
time to operate, and innovate, their success is all but
ensured. But if an organization can limit adversaries time and
opportunity to lay the foundation for and carry out an attack,
they are forced to make decisions under pressure that place
them at higher risk of becoming knownand taken down.
Turning the tables on attackers by pushing them to
continuously evolve their threats is one strategy for
reducing their time to operate. The more they need to
adapt, the more likely they are to leave a trail that will
ultimately lead to their identificationno matter how many
ways they try to evade detection and cover their tracks.
This is why it is imperative to measure TTD. If defenders
do not know where they stand with their ability to detect
threats, they cannot improve. TTD and TTP (time to
patch) should be viewed and applied as key performance
indicators; doing so will enable security teams to home in
on the techniques that constrain attackers and force them
to change strategies.
Many organizations have reached a tipping point with their Internet infrastructure.
This is their moment to harden security, and enable visibility, throughout their
networkand help to reduce the unconstrained time to operate that adversaries
currently enjoy.
54 | Conclusion
About Cisco
Cisco delivers intelligent cybersecurity for the real world,
providing one of the industrys most comprehensive
advanced-threat protection portfolios of solutions across
the broadest set of attack vectors. Ciscos threat-centric and
operationalized approach to security reduces complexity and
fragmentation while providing superior visibility, consistent
control, and advanced threat protection before, during, and
after an attack.
Threat researchers from the Cisco Collective Security
Intelligence (CSI) ecosystem bring together, under a single
umbrella, the industrys leading threat intelligence, using
telemetry obtained from the vast footprint of devices and
sensors, public and private feeds, and the open-source
community at Cisco. This amounts to a daily ingest of
billions of web requests and millions of emails, malware
samples, and network intrusions.
Our sophisticated infrastructure and systems consume
this telemetry, helping machine-learning systems and
researchers to track threats across networks, data centers,
endpoints, mobile devices, virtual systems, web, email,
and from the cloud to identify root causes and scope
outbreaks. The resulting intelligence is translated into realtime protections for our products and services offerings
that are immediately delivered globally to Cisco customers.
To learn more about Ciscos threat-centric approach to
security, visit www.cisco.com/go/security.
55 | About Cisco
INTELLISHIELD TEAM
56 | About Cisco
LANCOPE
Lancope, a Cisco company, is a leading provider of network
visibility and security intelligence to protect enterprises
against todays top threats. By analyzing NetFlow, IPFIX, and
other types of network telemetry, Lancopes StealthWatch
System delivers Context-Aware Security Analytics to quickly
detect a wide range of attacks from APTs and DDoS to
zero-day malware and insider threats. Combining continuous
lateral monitoring across enterprise networks with user,
device, and application awareness, Lancope accelerates
incident response, improves forensic investigations, and
reduces enterprise risk.
ACTIVE THREAT ANALYTICS TEAM
The Cisco Active Threat Analytics (ATA) team helps
organizations defend against known intrusions, zeroday attacks, and advanced persistent threats by taking
advantage of advanced big data technologies. This fully
managed service is delivered by our security experts and
our global network of security operations centers.
It provides constant vigilance and on-demand analysis
24 hours a day, seven days a week.
57 | About Cisco
Americas Headquarters
Cisco Systems, Inc.
San Jose, CA
Europe Headquarters
Cisco Systems International BV Amsterdam,
The Netherlands
Cisco has more than 200 oces worldwide. Addresses, phone numbers, and fax numbers are listed on the Cisco Website at www.cisco.com/go/oces.