Author Archives: Paul Stewart, CCIE 26009 (Security)
Ransomware has been one of the more prevalent security topics for the past few years. Some probably think this form of digital destruction is here for the long haul. While this may be an accurate prediction, I can imagine a turn of events that would end this form of attack. To be clear, my theory is not that enterprise networks will plug every possible entry point. My prediction is that the ransomware business model COULD cease to be viable.
Let me expand on my position. For a business model to work, it has to have a monetization strategy. For ransomware, that strategy includes the victim sending money (typically bitcoin) to the attacker—trusting that they will be given the keys to decrypt their files. In this model, the victim has to trust their attacker [to do the right thing]. In and of itself, that seems to be an oxymoron and a plea in desperation.
So if attacks that fail to provide any recovery option gain widespread coverage, this trust is eroded further. To some degree this has already happened with Nyetya.
Without analyzing the key generation or key storage components, Talos believes
The use of geolocation is fairly obvious in monitoring networks with Firepower Management Center. What may be less obvious is that Continents and Countries can also be specified as the source or destination of connections in an Access Control Policy. Basically, this geographical information becomes one more match criterion that can be used to identify traffic for a block or allow action.
To get to this capability, open the Access Control Policy that is in use by the Firepower device. Within the policy, open or create an applicable rule. On the network tab (where you configure the source and destination addresses) a Geolocation tab can also be found. Clicking on this tab exposes Continents and Countries. These can be added as sources and/or destinations.
As can be seen in the diagram above, I am creating a rule to block traffic to France. Before I save and deploy the policy changes to the device, I will confirm reachability to an IP address that exists in that part of Europe.
Last login: Mon Jul 17 11:48:29 on ttys000 PAULS:~ pauls$
A few days ago I wrote an article demonstrating the Packet Tracer feature for troubleshooting Firepower Threat Defense. Another very cool tool for troubleshooting is the Capture w/Trace Feature. The power of this tool comes from both capturing a PCAP file (for Wireshark or your tool of choice) and a separate window pane that has a view of the device operation (very similar to the Packet Tracer output).
Similar to Packet Tracer, to initiate Capture w/Trace in the Firepower Management Console, choose ‘Devices’ then ‘Device Management’. Next, select the device on which you want to perform the operation and select the icon that looks like a screwdriver and wrench.
This will produce the screen that provides health monitoring and troubleshooting for the device. Selecting “Advanced Troubleshooting” will change the view to a multi-tab troubleshooting screen.
Select the Capture w/Trace tab. The Add Capture button will allow for selection of filter criteria for the capture.
After filling out this information and choosing “Save”, an entry will be created for
Earlier this year, Cisco released Firepower 6.2.0. With that release came a feature called FlexConfig. Someone digging around the UI might not initially understand the purpose or function of this configuration option. A really quick answer is that the user interface is incomplete when compared to the underlying feature capability found in Firepower Threat Defense.
A good way to better understand FlexConfig is to work through an example. Those with an ASA background will understand the Modular Policy Framework (MPF). This feature exists in Firepower Threat Defense, but its non-default configuration options are absent from the user interface. So if there is a need for a specific configuration, FlexConfig is the tool to complete this task. One use case might be the need to disable SIP inspection. In the ASA configuration, this would typically be as simple as the following.
policy-map global_policy
 class inspection_default
  no inspect sip
Since Firepower Management Console is GUI driven and is the UI for FTD, typing this at a CLI is not an option. Ideally, there would be a complete menu system and API. Since this is not currently the case, FlexConfig is the tool that provides an override of the defaults that aren’t exposed in the UI.
According to the US Department of Homeland Security, “Our daily life, economic vitality, and national security depend on a stable, safe, and resilient cyberspace.” Digital infrastructure has infiltrated most aspects of our daily lives. When you start thinking about this in depth, it is easy to see how quickly things can turn ugly.
Have you ever considered what would happen if our power grid was attacked? Beyond some of the domino effects the power grid itself has, think about the work to bring it back online. We are all accustomed to managing systems with other systems. A widespread power issue could create some very interesting chicken and egg problems.
Maybe some are smug enough to think they cannot be affected–they have built resilient systems and have a diesel generator. Ever consider the likelihood of that fuel supply being available for the long term if there’s no electricity? The affected part of the world would be so challenged by such an event that everyone would be impacted, directly and indirectly. No power, no computers, no network and no ability to transact business in the ways that we are accustomed to. In other words, the possibility of impacting the physiological layer of Maslow’s pyramid
In Information Technology, we commonly hear the mantra of “doing more with less.” That may sound great, and in some cases it can actually be beneficial. It obviously drives the requirement of streamlining performance and the simplification of processes. It can drive innovators to innovate and the attrition of unnecessary systems. The predominant reason for this philosophy is cost cutting.
My argument would generally be that IT should NOT simply be keeping the lights on; it should be adding value by creating competitive differentiators for the business. Being able to execute on that effectively SHOULD change the perspective of IT as it is viewed by the rest of the leadership team. One particular concern I have in regards to those businesses that continue aggressively down this path of cost cutting (or don’t properly fund IT in the first place) is in regards to Cybersecurity.
In many cases smaller shops, or shops that don’t fully understand the risks, tend to place their technical team members into split roles. Maybe the view is that someone should be a part-time security person and a part-time network or system administrator. This introduces several concerns and I wanted to quickly share three that are top of mind.
I love using VIRL to do quick self-check of a config, personal education, and learning the behavior of particular features. I also love using the iTerm2 Terminal Emulator on the Mac. Unfortunately, it isn’t obvious how to make the two play well together. I have had to re-educate myself on this over and over again as I get new computers, mess up my settings and do certain upgrades. I’m pretty sure I copied some of this configuration and the script that I will share from somewhere. So if this looks familiar, reach out to me and I will link back to the source.
This post is meant to both share the config and caveats with others and to document the nuances for my future reference. In short, there is a standard configuration and a custom configuration for the terminal settings in VIRL’s VMMaestro. These are found in “VMMaestro -> Preferences.”
These settings control whether VMMaestro’s built-in client or an external terminal client is used. I much prefer an external client, and iTerm2 is my current client of choice. To eliminate the need to manually launch and connect, I have customized the AppleScript code found below.
Those of us who work in technology see the need to take expensive, time consuming and/or mundane activities and convert them to streamlined automated processes. Ideally we improve these to the point that they improve accuracy, provide a better experience and can [mostly] be forgotten about. However, not every process fits all of the intended use cases. Maybe a more accurate statement might be that every process isn’t developed to fit every use case. For those of us who are outliers and find ourselves in those process deficiencies, these incomplete processes can create a lot of frustration.
I’ve been an Amazon Prime user for some period of time. I have also been free of a home mailbox for about 18 months and only used a PO Box to receive general mail. As a Prime customer, I regularly place orders with Amazon. Anyone else that has had the experience I’m about to share can probably finish my story.
The problem with this scenario is that each order can only have one delivery address. When the order is placed, there is no way to select the delivery mechanism. So if I list my physical home address, I have
I wanted to share a quick post on a feature that I have found incredibly useful on the ASA and has been extended to Firepower Threat Defense. The feature is called Packet Tracer and is an easy way to apply “packet walk” logic to a flow that would be initiated through the platform. Like most things FTD, the Firepower Management Console is the point of contact for initiating the process.
To initiate Packet Tracer in FTD, open the Firepower Management Console and choose ‘Devices’ then ‘Device Management’. Next, select the device on which you want to perform the operation and select the icon that looks like a screwdriver and wrench.
This will produce the screen that provides health monitoring and troubleshooting for the device. Selecting “Advanced Troubleshooting” will change the view to a multi-tab troubleshooting screen.
Selecting the Packet Tracer tab will allow for input like Source/Destination, Protocol, Port, SGT, etc.
After filling out this information and choosing “Start”, the device would be put through the same process as an initial packet of a new connection. The resulting packet walk is shown in an expandable tree view or raw text (user selectable).
There’s a lot of talk about network programmability, and I recently had a simple use case surface. The goal was locating a serial number in Cisco devices. Basically, a script is required that will do the following.
There are many ways this can be accomplished, but the method I am using utilizes SSH. This example requires the use of Paramiko to implement SSHv2. The script can match other items in the output of show version and can easily be modified to have multiple matches and return additional information.
It is worth noting that the script I’m sharing will automatically accept and add unknown SSH host keys and therefore may not be appropriate in a high security environment.
The Python and sample device files can be downloaded here.
import paramiko
import getpass

# prompt the operator for user/password/substring (for search); Python 3 input()
myuser = input("Enter Username For Process: ")
mypass = getpass.getpass()
mysearch = input("Please enter string to search: ")

# get a list of devices from devices.txt - one per line
qbfile = open("devices.txt")
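As an added example (not the script from the post, nor any Cisco code), the Python 3 code below shows the same serial-number lookup with the two changes a practitioner would want: the serial is pulled from the “Processor board ID” line of show version with a regex rather than a bare substring match, and the SSH host key is verified against an existing known_hosts file (Paramiko’s RejectPolicy) instead of being auto-added, which addresses the caveat noted above. The sample output, hostnames, serial and file paths are constructed for illustration.

```python
import re

# Constructed sample of IOS "show version" output (not captured from a real device).
# On IOS platforms the chassis serial appears on the "Processor board ID" line.
SAMPLE_SHOW_VERSION = """\
Cisco IOS Software, Version 15.0(2)SE, RELEASE SOFTWARE (fc1)
rtr01 uptime is 3 weeks, 2 days, 4 hours, 11 minutes
System image file is "flash:/ios-image.bin"
Processor board ID FOC0000X0AB
Configuration register is 0xF
"""

SERIAL_RE = re.compile(r"^Processor board ID\s+(\S+)\s*$", re.MULTILINE)


def find_serial(show_version_output):
    """Return the chassis serial from 'show version' output, or None when the
    'Processor board ID' line is absent (some platforms report it elsewhere)."""
    match = SERIAL_RE.search(show_version_output)
    return match.group(1) if match else None


def find_matches(output, needle):
    """Case-insensitive line search, mirroring the post's substring match but
    returning the matching lines so the caller decides what to report."""
    needle = needle.lower()
    return [line.strip() for line in output.splitlines() if needle in line.lower()]


def fetch_show_version(host, username, password, known_hosts="~/.ssh/known_hosts"):
    """Run 'show version' over SSHv2 with Paramiko. RejectPolicy refuses any host
    whose key is not already in known_hosts, so credentials are never sent to an
    unverified device; AutoAddPolicy (used in the post) would accept it silently."""
    import os
    import paramiko  # imported here so the parsing helpers work without it installed
    client = paramiko.SSHClient()
    client.load_host_keys(os.path.expanduser(known_hosts))
    client.set_missing_host_key_policy(paramiko.RejectPolicy())
    client.connect(host, username=username, password=password,
                   look_for_keys=False, allow_agent=False, timeout=10)
    try:
        _stdin, stdout, _stderr = client.exec_command("show version")
        return stdout.read().decode("utf-8", errors="replace")
    finally:
        client.close()


def serials_for(devices, username, password, fetch=fetch_show_version):
    """Map each device to its serial (or an error string), continuing past failures
    so one unreachable or unverified device does not abort the whole run."""
    results = {}
    for host in devices:
        try:
            results[host] = find_serial(fetch(host, username, password))
        except Exception as exc:  # SSHException, socket errors, missing known_hosts
            results[host] = "ERROR: %s" % exc
    return results


if __name__ == "__main__":
    # Offline demonstration: a stand-in fetcher returns the constructed sample.
    offline = lambda host, user, password: SAMPLE_SHOW_VERSION
    print(serials_for(["rtr01.example.invalid"], "user", "pass", fetch=offline))
```

To run it against real devices, replace the offline fetcher with fetch_show_version and make sure each device’s host key is already present in known_hosts (for example by a prior, verified interactive SSH session).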
I think everyone that touches security has had multiple conversations about the hardened edge and soft center commonly found in networks. This usually accompanies some discussion around the overlapping concepts of defense in depth, layered security and security ecosystems. It seems like many of the recent exploits have used a C2 connection for instructions. In those cases, assuming a perfect NGFW product and configuration actually existed that caught 100% of the malicious traffic, it would have the capability to impact those attacks.
However, on June 27, Cisco Talos published an article about a ransomware variant known as Nyetya. As of today, Talos has been able to find no evidence of the more common initial infection vehicles. Both Cisco and Microsoft have cited the upgrade process for a tax accounting package as the initial point of infection.
Per Cisco Talos:
The identification of the initial vector is still under investigation. We have observed no use of email or Office documents as a delivery mechanism for this malware. We believe that infections are associated with software update systems for a Ukrainian tax accounting package called MeDoc. Talos is investigating this currently.
So what does this mean to the majority of the world that
I am giving a great big shout out to a new community podcast. The Network Collective is only five sessions in, AND it is a great podcast. I’m looking forward to catching many future episodes.
Episode 1 – Top 10 Ways To Break Your Network
The post New Podcast for the Podcatcher – The Network Collective appeared first on PacketU.
I have often wondered why the “security as an enabler” model is as unique as unicorns in the wild. I think the logic works in a vacuum, and it would be great if it held true. However, when humans and politics (layer 8 stuff) come into the mix, it seems that the cybersecurity team tends to be viewed as the naysayers that block progress. Quite honestly, the “security as an enabler” mantra only seems to work for those organizations that are directly profiting from the sale of cybersecurity. Those that understand the role cybersecurity plays in a typical organization realize that this is unfortunate.
With this thought in mind, I was reading through an article about the traits of CEOs and found several points that I think contribute to these challenges for information security:
By no means am I criticizing CEOs for these traits—they are primary contributors to keeping a given business relevant in its industry. I’m just using these to help explain the fallacy of a “security as an enabler” mindset within a given organization.
CEOs are the highest single point of authority within an organization. They often appoint CSOs (Chief Security Officers) or CISOs
Cybersecurity professionals know that security cannot be a bolt-on process or technology. Likewise, I also believe that merely including the security team rarely goes far enough. To be effective, security should be ingrained and it should be pervasive. With this commitment, there is at least one primary question that every organization should be asking in regards to Cybersecurity. That question is simply “Why?”
Not only should this question be asked organizationally, it should also be asked by individuals that are assuming security related roles within an organization. Some would think that the answer is simple or obvious. In many cases it is, but the complete answer WILL differ from organization to organization and differ based on the type of organization. What is important is that the organization itself agrees upon the answer to this question.
Relevant answers to the Why question might be any or all of the following:
Governance—Specific regulatory requirements that the organization is required to meet. When these exist, they are often considered a top priority and a baseline requirement to transact business.
Cost/Expense—This could be direct and/or indirect. A direct example would be the typical scenario that occurs with ransomware.
Cybersecurity, as defined by Merriam-Webster, is “measures taken to protect a computer or computer system (as on the Internet) against unauthorized access or attack.”
The true importance of cybersecurity can only be understood if our dependence on “computer systems” is understood. It is difficult to imagine a day using nothing that is actively dependent on technology. We depend on connected systems to purchase groceries, perform medical procedures, manage the delivery of utilities and facilitate communications. These systems facilitate safe travel and alert us of impending dangers. It is conceivable that a cyberattack could take the power grid offline making it difficult or impossible to fill a car with fuel, purchase groceries, receive healthcare and even gain access to the typical procedures to restore the grid itself.
In our world today, unless we are primitive camping, we are using products of computer systems continually. To state it differently, our lives would change drastically if these systems came under widespread compromise. Considering Maslow’s hierarchy of needs, most individuals in a civilized society depend on computer systems for most of the elements defined in the critical first two layers. Since we have built this dependence, we must also protect these systems
As many PacketU readers know, I have held the role of a vendor SE for a couple of years. In this role, a primary function is to correctly position our products into customer environments. What I’ve come to realize is that many of our conversations actually start incorrectly. I think we need to change that. I will be sharing, as well as structuring, my own thoughts with an upcoming series of posts on security.
I firmly believe that products are only tools and we need to back up to better understand the problems we are trying to solve. One analogy I use on a regular basis when talking about autonomous vehicles is that “no one needs a car [they only need the transportation].” So if technology can provide autonomous cars, transportation can become a service instead of a depreciating asset in our garage.
Although it isn’t a parallel thought or analogy, no organization needs an NGFW for the sake of owning an NGFW. There is a need to provide the proper tools required to enable the organization’s security program. Thinking in these terms guides the conversations to a more appropriate solution. My goal with this upcoming series is to help anyone that touches cybersecurity