
Cisco Annual Security Report 2016: “There is a higher calling”

This new year of 2016 is a new year for cyber-security too, Terry Greer-King, director of cyber-security for UK and Ireland at Cisco, told

Speaking about the release of Cisco's new Annual Security Report, Greer-King told SC of a number of interesting developments which feature in this year's edition. 

Collaboration within the industry, perhaps strange for such a competitive place, seems to be going strong. Greer-King told SC, “We're collaborating with lots of people across the whole industry – some might be viewed as competitors. There is information being shared across police authorities, across other business users, across consulting practices. It seems that there are lot of people collaborating to protect us good guys against the bad guys.”

Cisco's report points to two of its own examples in 2015. Together with Level 3 Threat Research Labs, Cisco successfully weakened SSH Psychos, also known as Group 93, one of the largest DDoS botnets around. Perhaps the larger example is Cisco's ‘sidelining’ of the infamous Angler Exploit Kit, a feat it might not have been able to pull off without the assistance of colleagues and competitors.

The Angler Exploit Kit, well documented by SC and carrying a reputation that keeps CISOs awake late into the night, has caused plenty of havoc and pain for enterprises as well as Joe Public in the past year. In short, it is one of the most effective, easy-to-use and lucrative exploit kits around, with novice cyber-criminals able to purchase software like this off the shelf.

One particular campaign that Cisco spotted, the largest of its type in the United States, could have been raking in £42 million annually. This campaign, as it happened, was running its scams through servers operated by legitimate hosts like Limestone Networks and Hetzner. These two hosts, without their knowledge, operated servers that accounted for 75 percent of Angler-related traffic in July 2015.

As it happens, Limestone had been dealing with an inordinate number of credit card chargebacks, because scammers were using false credit cards and identities to purchase the servers through which they ran the Angler EK, so Limestone Networks was more than happy to help.

The Angler campaign had spread through these servers far and wide. The report notes: “Researchers observed popular websites redirecting users to the Angler exploit kit through malvertising.” 

The false ads were found on hundreds of high-traffic sites including news, real estate and popular culture websites. Angler malvertising was even found on an obituary page of a small-town newspaper in the rural United States, which researchers believe was an attempt to ensnare elderly people in Angler's trap. Ultimately, Cisco and its collaborators found more than 15,000 unique sites redirecting people to the Angler EK.

By partnering with Limestone and Level 3 Threat Research Labs, Cisco managed to cull much of the malvertising, not only by figuring out how the Angler campaign worked but also by monitoring new servers. The effort resulted not only in the Angler Kit adversaries fleeing from Limestone Networks servers but also in a worldwide decrease in Angler activity.

The report notes, “Industry collaboration was a critical component in Cisco's ability to investigate the Angler exploit kit activity. Ultimately, it helped stop redirects to the Angler proxy servers on a US service provider and bring awareness to a highly sophisticated cyber-crime operation that was affecting thousands of users every day.”

While parts of Cisco might compete with those it considers competitors, says Greer-King, there are more noble aims than a mere buck: “Sometimes we don't always agree with each other's aims but when it comes to protecting ourselves against the bad guys, no company is an island any more, either as a customer or within the industry. There is a higher calling here.”

Integrated defence efforts may well be a major theme of 2016. Perhaps slightly less encouraging, though, is the report's revelation that small and medium-sized businesses (SMBs) are not quite as well defended as they should be.

While in 2014, 59 percent of SMBs said they used web security, only 48 percent claimed to in 2015. This decrease is seen across the board, from mobile security to endpoint forensics: in every category, SMBs' cyber-security is scarcer than last year.

Resources are less plentiful among SMBs than at larger companies. Roughly 40 percent of SMBs, according to Cisco's report, feel that budget constraints are a major obstacle to adopting advanced security. Many do not even have an executive devoted to cyber-security.

This also may stem from the fact that SMBs do not feel themselves to be high value targets for hackers. Not so, says Greer-King.

Even if they are not high value targets, “these weaknesses can place SMBs' enterprise customers at risk”, notes the report. Where this kind of poor defence gets really worrying is in a supply chain. When a larger company, responsible for thousands of customers and employees, contracts a third party to perform some aspect of the business, that larger company opens itself up to the vulnerabilities of its third party. American retailer Home Depot's breach of 2014 showed that to be the case, when hackers used the credentials of a third-party contractor to steal the details of 53 million people.

“If I'm a bad guy,” asks Greer-King, “and trying to infiltrate an enterprise, do I try to attack the enterprise directly? I might.”

Instead, he says, “Why don't I just take on a small business? A small business's security controls are probably not as robust as a large enterprise's; they're connected to a large one and I can either infiltrate them and launch code through that route or I can impersonate them and craft emails and connections to that larger company.”

It is not just a problem of vulnerability, but a demand larger companies may end up making. “To SMBs, we are seeing big organisations take responsibility for the supply chain,” said Greer-King, “and saying, if you want to keep connected and trading with us, you have to be more secure.”
