Network Security Trends in 2019

    So it is accepted that at the end of each year, companies remind of themselves, sharing their achievements and publishing forecasts, which, by a lucky chance, are connected with the company's products. I will not break this tradition with two small additions. I will not talk about our achievements over the past year; maybe i will write about it in our corporate blog. And with the predictions, the situation is not so obvious advertising. We have a lot to say in the context of cyber security, but I will try to focus on what other companies don’t usually mention, but it’s very important and what should be taken into account in its information security strategy in 2019. In addition, I will not hide, to part of the described trends, we ourselves had a hand. Among other things, we’ll talk about BGP and CDN vulnerabilities, network device hacking, upcoming TLS 1.3 and 5G networks, APIs and cyber attacks.

    I'm guessing at the coffee grounds

    Traffic interception through BGP vulnerabilities

    Recently, vulnerabilities have become more frequent in the BGP Internet Routing Protocol. Intercepting and redirecting traffic allows you to analyze and manipulate it, which leads to theft of cryptocurrency, breach of confidentiality, and restoration of control over computers under police control. In the autumn of 2018, a new scheme was used, which was used by cybercriminals for fraudulent Internet advertising. The attacker's operation, dubbed 3ve , allowed the traffic of over 1.5 million IP addresses to be intercepted and made advertising companies believe that billions of Internet banner hits were actually seen by real users. Yes, this is not a theft of traffic from a UK nuclear weapons agency. And yes, it is notintercepting the traffic of 1,300 addresses of Amazon in order to disguise under the MyEtherWallet website with the subsequent theft of 150 thousand dollars in cryptocurrency. And this is not intercepting the traffic of two dozen financial organizations, including MasterCard and Visa (as well as Symantec and Verisign). Some annoying ads that we all try to remove using plug-ins and specialized software. But for advertising campaigns, this attack cost $ 29 million, which was “thrown into the abyss”, that is, paid to fraudsters who exploited vulnerabilities and incorrectly configured BGP.

    What Cisco will answer : to neutralize the implementation of random or malicious threats via BGP, we will not sell you anything :-) We just advise you to familiarize yourself with our guides ( here andhere ) and configure your network equipment accordingly. In addition, a good recommendation would be to monitor the route information of your network using the appropriate BGP monitoring services.

    Hacking network devices

    45 thousand compromised routers were found at the end of November 2018. A botnet of 100,000 compromised network devices from Broadcom, Asus, TP-Link, Zyxel, D-Link, Netgear, US Robotics, and others was detected a couple of weeks earlier. In May, Cisco Talos experts discovered half a million compromised network devices in 54 countries around the world. Among the affected vendors are ASUS, D-Link, Huawei, Ubiquiti, UPVEL, ZTE, as well as Linksys, MikroTik, Netgear and TP-Link. Hacking network equipment turns from isolated cases into mainstream, as it allows attackers to gain access to large volumes of information of interest to them, which can be transmitted in unencrypted form.

    How will Cisco respond?: when it comes to Cisco equipment, we have developed quite a few recommendations for protecting routers based on Cisco IOS , IOS XR , IOS XE operating systems , the correct implementation of which increases their security many times. In addition, we were among the first to encounter attacks on our routers (because of their popularity), we began to implement Secure Boot, boot protection, memory protection, protection against the substitution of hardware components, etc.

    Other manufacturers should also have appropriate instructions on how to update and protect them. In addition, telemetry analysis will be good practice.coming from the network equipment, which allows you to identify anomalies in network traffic and timely detect compromise at the level of network infrastructure, which in 2019 will continue to interest intruders.

    Supply Chain Attacks

    Attacks on network equipment reminded us of the old story that some of our customers faced around the world (there were not many of them). Not having a service contract for our equipment, they download new firmware for already discontinued lines of routers warez sites on the Internet, which led to the contamination of devices, eavesdropping, and we are prompted to revise the strategy of self-defense network equipment and launch initiatives the Trustworthy Systems' , in the framework of which we substantially reworked the architecture of our devices and equipped them with mechanisms of trusted loading , protection against the execution of malicious code in memory, protection against the substitution of electronic components etc.

    In 2018, the US Department of Homeland Security shared its storyabout how unknown hackers attacked a number of energy companies in North America and they did this through the so-called Waterhole attack. The essence of the attack lies in the fact that attackers begin the first step of their attack not by breaking into the victim company, but by compromising the site of the manufacturer of the software or equipment used by the victim. Sooner or later (with the current software quality, it’s rather early) the company comes to the manufacturer’s website for software updates and firmware downloads and downloads software from the trusted resource, completely trusting it. So attackers get inside the organization and begin to expand the springboard. This attack allows you to infect not one, but many companies at once, which, like at a watering place (hence the waterhole), come to the manufacturer’s website for updates.

    At the end of August 2018, British Airways encountereddue to the fact that several hundred thousand of its clients suffered from the leakage of payment card data that was entered on the site when ordering tickets. During the investigation, it turned out that the hacker grouping Magecart had hacked ... no, not the British Airways website, but the website of its contractor, from which infected JavaScript was loaded, which caused the leakage of information. Magecart followed a similar tactic in the case of attacks on the Ticketmaster ticket sales site, as well as a number of other e-commerce resources. Finally, it is worth noting that, according to one of the versions, it was not the main site of British Airways that suffered, but one of its clones located in the CDN infrastructure of the Internet service provider and intended to speed up access to the airline's website from certain locations. In this case, it was not the company itself that was hacked, but one of its counterparties,

    These examples, as well as the case described above with the interception of traffic through BGP in the case of cryptocurrency theft, show that not only the resources of interest to the company's hackers, but also the infrastructure serving it can be attacked. In our opinion, such attacks will only increase, which raises the question of the need to expand the scope of attention of cybersecurity experts and the development of not only their own security strategy, but also control the security of their partners, contractors and counterparties.

    How will Cisco respond?: there is no universal recipe here - everything very much depends on how and what infrastructure of the contractor the intruders crack. If we are talking about attacks on BGP, then it is necessary to monitor BGP routes. If we are talking about an attack through an infected script on the site of a compromised manufacturer, then DNS monitoring with Cisco Umbrella will help , if we are talking about downloading firmware replacement software, then analyzing telemetry anomalies with Cisco Stealthwatch can help . Most importantly, include this threat in the list of current in 2019 year.

    Coming TLS 1.3

    Everyone has heard of the TLS protocol, the predecessor of which was the SSL protocol. Most recently, in August 2018, the recommendation RFC 8446 was published, which identified a new version 1.3. The advantages of the new version include higher speed and cryptographic strength. At the same time, the vulnerabilities of the previous version were eliminated, and new useful features were added. Today TLS 1.3 is supported by many popular browsers and crypto libraries (for example, Chrome, Firefox, OpenSSL). It seems all is well, but alas. The delay in adopting TLS 1.3 was due, among other things, to the fact that this version of the protocol does not allow inspecting traffic using intermediate devices (NGFW, IDS, proxy, etc.), which is necessary for many corporate cyber security services. A number of companies are in the process of discussing TLS 1. 3 proposed the inclusion of a weaker key exchange protocol, but all of these proposals were rejected in order to protect Internet privacy and protect against government interference with freedom of communication. As TLS 1.3 is actively used, the impossibility of its inspection will rise very sharply and the first problems may begin as early as 2019.

    What Cisco will answer : we do not plan to stand in the way of progress and put a spoke in the wheels when introducing a new version of TLS (especially since we are introducing it into our solutions), but we advise you to think about whether you need to switch to it in your infrastructure if TLS 1.2 is not hacked and not yet banned? But since sooner or later such a transition will still happen and the information security specialists in all their glory will face the question - how to monitor traffic that cannot be monitored? The answer may be a technology similar to the one developed by us Encrypted Traffic Analytics , which allows us to understand what is inside the encrypted traffic (but without access to the content itself) without decrypting and decrypting.

    Traffic encryption

    Speaking of encryption ... In our annual cybersecurity report (Cisco Annual Cybersecurity Report 2018), we noted that 55% of the global web traffic in the past year was transmitted in encrypted form, which is 12% more than last year, and the number of malicious programs, using encryption has tripled. In the next of his predictions, Gartner predicted that in the year of the Yellow Earthen Pig (yes, this is the 2019th year), 80% of all web traffic will be encrypted. And what to do in this situation? Especially if the traffic is encrypted using the TLS 1.3 described above?

    How will Cisco respond?: we, in our own infrastructure, also face this problem and have developed a number of recommendations that we are ready to share with you. First, you should not discard intermediate devices (for example, Cisco NGFW or Cisco WSA ), which can terminate tunnels on themselves and inspect the decoded traffic (at least, up to version TLS 1.3). If there are concerns that the network security device will “perform” performance, then you can assign the function of terminating encrypted traffic to an external device, for example, Radware Alteon. Without the ability to disassemble the encrypted channel, do not despair. You can use machine learning technologies that “penetrate” inside encrypted traffic without decrypting it (for example, Cisco ETA), or detect interaction with command servers or other malicious resources on the Internet. In the Cisco portfolio, this task will be solved by Cisco Umbrella . Finally, we should not forget that there is a place where even encrypted traffic is already decrypted — these are the end devices — workstations and servers, where you can (and should) install the appropriate means of protection. But the usual antivirus does not work here - you need something more modern than the solution developed in the late 80s. At Cisco, this solution is called Cisco AMP for Endpoints and we ourselves use it on our laptops (not all security developers can boast of this), but you can of course use other EDR (Endpoint Detection & Response) class solutions.

    Fileless attacks

    Anti-virus protection technologies appeared in the late 80s and since then, in a large way, they have not changed much. There is a malware program that is being studied by virus analysts, developing a signature and equipping its products. There is a signature - the malware is caught. No signature - not caught. One of the tasks of the intruders is to go unnoticed as long as possible, and for this they continue to actively play with the cat and mouse safeguards. Some strengthen their competence in the methods of detecting malicious and abnormal activity, others increase the potential to remain imperceptible for as long as possible. One of the growing trends continues to be the use of fileless attacks, actively exploiting the commands built into the OS and PowerShell, posing as legitimate computer users.

    How will Cisco respond?: Since we are talking only about end devices, we have two solutions that are aimed at protecting and controlling against fileless attacks - Cisco AMP for Endpoints and Cisco AnyConnect. The first solution belongs to the EDR class and allows software inventory, including analysis of its vulnerabilities, blocking exploits, including those launched in memory, analyzing activity using constantly updated compromise indicators (IOC), as well as investigating and searching for threats (threat hunting ). Cisco AnyConnect with the integrated Network Visibility Module (NVM) module allows you to collect activity data on a site in an adapted Netflow format to correlate it with data received at the Cisco Stealthwatch network layer. In addition, an additional level of protection will be Cisco Umbrella, which tracks communications with command servers of malicious programs, including non-file ones.

    Integration, automation and API

    The integration of Cisco AnyConnect with Cisco Stealthwatch is not a vendor’s whim, but a pressing need that is dictated by changing the threat landscape and the emergence of multi-vector attacks that penetrate corporate and departmental networks in many different ways — through web portal vulnerabilities, thrown in USB drives, Waterhole attacks, through vulnerable wi-fi brought by an infected laptop of a manager or contractor, etc. No decision on information security alone can deal with modern threats. It’s too long and unreliable to wait for the consumer to start integrating the acquired products in the field of information security among themselves. We must take the process into our own hands. According to Cisco statistics, many companies use several dozen different protections that do not know how to interact with each other, creating a sense of false security. The average time for undetected malicious activity within the network today is about 200 days. And all because the remedies work as states in the Balkans - each independently of each other (it was not by chance that the term “Balkanization of the Internet” appeared, as a synonym for creating national segments of the Internet). But the situation will change, which can already be seen on the example of the same Cisco and its initiatives.pxGrid , ACI, Cisco Security Technology Alliance , which unite two hundreds of software companies that have teamed up to counter the increasingly complex and accelerating attacks.

    What Cisco will answer : our answer is automation and APIs that permeate all our products with the goal of combining them into a single security system and obtaining a synergistic effect from this, which allows you to speed up the threat detection process from a couple of hundred days to 4 and a half hours. This is achieved by exchanging threat data, automating the creation of signatures, gaining access from external sources of indicators of compromise, sending commands between protection tools, etc.

    Integration of Cisco solutions among themselves

    The growth of the use of artificial intelligence on both sides of the barricades

    Artificial Intelligence is HYIP. Unlike machine learning, which is already becoming the norm, and not an exception in information security. Automation of routine tasks, acceleration of slow processes, replacement, and so lack of qualified personnel. Here are just a few benefits from the use of machine learning in information security. Today, it can detect malicious code and malicious domains and IP addresses on the Internet, phishing attacks and vulnerabilities, raise awareness and identify insiders. But artificial intelligence is used not only for good, but also for harm. It was chosen by attackers who use machine learning to search for vulnerabilities and implement phishing attacks, bypass biometrics and create fake profiles on social networks, create malicious programs, selection of passwords and bypass mechanism CAPTCHA. In 2018, very interesting projects were presented to create fake master fingerprints, synthesize voice, replace faces on video images, synchronize lip movement with synthesized speech superimposed on someone else's image in a video stream. I have no doubt that they will quickly be taken on board by the attackers and attackers, which in 2019 will put a number of new questions to the information security specialists on countering the harmful use of AI.

    How Cisco will respond : we will continue our efforts to develop new and improve existing machine learning mechanisms in our cybersecurity products. Already, these models are already built into Cisco AMP for Endpoints , Stealthwatch , CloudLock , Umbrella , Cognitive Threat Analytics, and this list will only expand. In the meantime, we can offer you to visit our website dedicated to the use of artificial intelligence in Cisco solutions.

    Some Cisco Machine Learning Projects

    Multifactor authentication

    How many authentication factors can you name? One two Three? And if you think? Here is a small list of what can identify you:

    • Something you know (yes, this is a classic password)
    • Something you have (yes, this is a token)
    • Something you own (yes, this is biometrics)
    • Something that you do
    • Something you lost
    • Something you forgot
    • Something you found
    • Something that you and where you saw
    • Something where you were
    • Something you created
    • Something you destroyed
    • Something that or what you donated
    • Something you stole.

    In fact, the old passwords, the most popular of which over the past five years was 123456, are becoming a thing of the past and they are replaced by two- and multifactor authentication, which can significantly increase the security of user access to various services and data — corporate and personal; stored inside corporate data centers and beyond, in the clouds. And we are already accustomed to using the entrance to external services via Facebook or Yandex, and we will get used to using two-factor, and then multi-factor authentication. I think in 2019 there will be a certain change in consciousness, and many security people will think about how to replace unreliable passwords. And yes, biometrics is unlikely to become such a replacement due to its high cost compared with other methods of multifactor authentication and the lack of a model of threats to it.

    How Cisco will respond : in 2018, we bought Duo , the market leader in multifactor authentication, which we will introduce to the Russian market.

    Data centricity

    All gradually abandon the perimeter, leaving the clouds and gradually introducing BYOD. No one cares whether your network is hacked or not (or almost none). But if your data leaks, you will be mixed with dirt, regulators will come to you, you will be rinsed in the media, accusing you of inability to care for customers and employees. Have you ever thought how many people suffered from leaks of their personal and identification data? I allowed myself to make a small list and a bit wondered how much data flowed into the Internet (in millions of records):

    • Exactis - 340
    • Facebook - 50
    • Equifax - 145
    • Starwood - 500
    • Yahoo - 3000
    • Under Armor - 150
    • Adult FriendFinder - 412
    • MySpace - 164
    • Ebay - 145
    • Target - 110
    • Heartland Payment Systems - 130
    • LinkedIn - 117
    • Rambler - 98
    • TJX - 94
    • AOL - 92
    • Quora - 100
    • VK - 100
    • Deep Root Analytics - 198
    • JP Morgan Chase - 78
    • - 25
    • Anthem - 80
    • Dailymotion - 85
    • Uber - 57
    • Tumblr - 65
    • Dropbox - 68
    • Home Depot - 56
    • Adobe - 38
    • Sony PSN - 77
    • RSA Security - 40.

    I'm afraid to assume, but I think that more than half of the entire Internet has parted with its data (mine, by the way, were also there repeatedly). Note that the number of incidents in which the size of a leak exceeds ten million records is no longer measured by one or even by a dozen. And the situation will be exacerbated. We are too fixated on the perimeter defense, forgetting that security has become data-centric, not perimeter. And it's not just data incidents, but also an increase in the regulatory burden associated with data protection. GDPR, large user data (this is the topic of the new bill), amendments to FZ-152 and others are waiting for Russians next year with open arms.

    Cisco SAFE for perimeter

    How will Cisco respond?: we do not sell projects to bring you into compliance with the requirements of the legislation (although in Europe we have quite a few projects on GDPR). And we do not have the means to classify data or combat leaks (DLP). But we have a wealth of experience in building corporate cyber security systems that we have accumulated in the Cisco SAFE project - a set of practical recommendations for protecting various parts of a corporate or departmental network. It's not just about the perimeter , but about the data center, the cloud, Wi-Fi, unified communications, industrial networks, etc. Only the protection of all components will allow to protect data from leaks, at the same time fulfilling the requirements of the legislation.

    Using 5G networks as a springboard for attacks

    In the US, several cities have announced that they have practically covered their territory with networks of the 5th generation (5G), which allow working on the Internet at speeds up to 10 Gbit / s. This will eliminate the “middleman” in the face of the router, which today accumulates the majority of connections. In 5G networks, the situation may change, which will multiply the attack surface and make attacks on the Internet of Things more widespread. As, in fact, the use of the Internet of Things as a springboard for attacks (I think Mirai’s 5G reincarnation is not far off), which makes it possible to multiply the power of DDoS attacks. Stop. But in Russia, the introduction of 5G was postponed until the end of 2021. What then is the trend for the year of the yellow earthen pig? Yes, here you are right. I just wanted to show my skillsFor Russia, our recommendations and solutions for protecting the new generation of networks are still irrelevant. But, at least, it is worth remembering about this opportunity.


    You are already tired of reading my opus about what awaits us all in 2019, so I will be round. And I would like to complete the last observation, which is already becoming a trend, which will only intensify next year. We are talking about cyber attacks, which allow to check the weak points in one or another process of ensuring cyber security and draw up a plan for their elimination. In contrast to the authorized courses that give knowledge, and trainings that allow you to work out quite specific skills for working with certain products, cyber attacks allow you to simulate various situations similar to what can happen in reality (searching for traces of a threat, information leaks about an incident in Media, lobed USB flash drive with malicious code, etc.) and work out methods for stopping them. Usually, within such cyber attacks,

    In 2018, cyber attacks became very popular both at the corporate, as well as at the state and interstate level. I had the opportunity to conduct or participate in a couple of dozens of such cyber attacks, and I can safely say that this is becoming a trend for corporate information services, which thus test the skills of their specialists to withstand various incidents and abnormal situations.

    What Cisco will answer : this trend in Russia is becoming not without our help. We began to conduct the first cyber-attacks of Cisco Cyber ​​Range several years ago, when at Moscow Cisco Connect we had several free sessions for two days for our customers. Then we repeated the success of Cyber ​​Range and want to re-conduct these cyber attacks in April, as part of Cisco Connectin Moscow. True, on Cisco Connect we have a lightweight version, reduced to 4 hours of intensive practical work. In reality, we offer three- or five-day cyber attacks, in which the skill of dealing with hundreds of regularly updated various attack scenarios, taken from real life, is worked out. In addition to Cyber ​​Range, we actively began to conduct one-day Cisco Threat Threats Hunting Workshop cyberservices in our office, where participants are trying to find traces of various threats (you can check the date of the next cyber attacks with your Cisco manager). In addition, we have a number of other online cybercuts that are available to our partners and customers in our online Cisco dCloud demonstration service .

    Here is a list of trends that we would like to talk about and which, in our opinion, is waiting for us all in 2019! Happy New Year!

    Also popular now: