Cisco is deeply concerned by increases in high-sophistication attacks on network infrastructure, as well as indications that state-sponsored actors are targeting routers and firewalls globally.
Recently, the UK's National Cyber Security Centre (NCSC) released a report on a sustained campaign by a Russian intelligence agency targeting a vulnerability in Cisco routers for which Cisco had published a patch in 2017. Cisco encourages you to familiarize yourself with these advisories, as well as the previously released patch and mitigation steps.
Cisco Talos is urging all users to update Microsoft Outlook after the discovery of a critical vulnerability, CVE-2023-23397, in the email client that attackers are actively exploiting in the wild.
As of 15-March-2023, Kenna Security scored CVE-2023-23397 with a risk score of 74 out of 100 — higher than 99 percent of all the vulnerabilities it has scored. However, the risk score is expected to rise once proof-of-concept exploit code becomes available.
On October 25, 2022, the OpenSSL project alerted the public to a high-severity security release scheduled for November 1, 2022. The full scope of the vulnerability is explained in the Talos blog and Cisco Security Advisory. Based on details released by the OpenSSL project, the vulnerabilities covered in CVE-2022-3602 and CVE-2022-3786 apply to OpenSSL versions 3.0.0 to 3.0.6. OpenSSL versions 1.0.2 and 1.1.1 are not affected.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) recommends that global organizations with ties to Ukraine carefully consider how to isolate and monitor those connections to protect themselves from potential collateral damage. CISA has released additional steps organizations can take to protect themselves.
|Strong segmentation policies and dynamic control
|Restrict lateral movement and dynamically add controls based on asset and server needs. In the event of compromise, dynamically limit access and reduce the blast radius.
|Visibility into assets and how they communicate
|Maintain an asset inventory and use that insight for dynamic control. Baseline what normal network activity looks like so that deviations can be detected; operational networks are fairly static, which gives defenders an advantage. Do not overlook this capability in either business or operational networks.
|System hygiene and understanding vulnerability risk
|Understanding the full risk allows precise prioritization and limits downtime, instead of straining resources trying to patch 100% of everything, including vulnerabilities whose risk cannot actually be realized in your environment.
|Network-based controls and inspection at gateways of entry
|For example DNS, NGFW, NGIPS, WAF, AMP, URL filtering, email security and CASB. Protecting at the network layer decreases the risk of the asset being compromised. Protecting as far from the asset as possible is preferred, because a control that sits on the asset itself must be 100% effective: any miss is a compromise.
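The baselining advice above (know what normal looks like, then alert on deviations) in working form, as an added illustration that is not Cisco's code. The flow records are constructed inline, and the addresses, thresholds and helper names are assumptions; in practice the records would come from NetFlow/IPFIX or firewall logs.

```python
"""Baseline-and-deviation detection over network flow records (added example).

Learn per-conversation byte statistics from a known-good window, then flag
conversations never seen before and volume spikes on known conversations.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample: (src, dst, dport, bytes) for a small OT segment.
BASELINE_FLOWS = [
    ("10.1.1.10", "10.1.1.20", 502, 1200),   # HMI -> PLC, Modbus
    ("10.1.1.10", "10.1.1.20", 502, 1250),
    ("10.1.1.10", "10.1.1.20", 502, 1180),
    ("10.1.1.10", "10.1.1.20", 502, 1220),
    ("10.1.1.11", "10.1.1.20", 502, 900),    # second HMI -> PLC
    ("10.1.1.11", "10.1.1.20", 502, 950),
    ("10.1.1.11", "10.1.1.20", 502, 880),
    ("10.1.1.10", "10.1.1.5", 53, 140),      # HMI -> local DNS
    ("10.1.1.10", "10.1.1.5", 53, 150),
    ("10.1.1.10", "10.1.1.5", 53, 130),
]

# Constructed observation window to evaluate against the baseline.
NEW_WINDOW = [
    ("10.1.1.10", "10.1.1.20", 502, 1210),    # normal
    ("10.1.1.11", "10.1.1.20", 502, 910),     # normal
    ("10.1.1.10", "10.1.1.5", 53, 145),       # normal
    ("10.1.1.10", "10.1.1.5", 53, 48000),     # DNS volume spike (tunnel/exfil?)
    ("10.1.1.20", "203.0.113.7", 443, 2200),  # PLC talking to the internet: never seen
]


def build_baseline(flows):
    """Per-conversation (mean, stddev) of bytes from a known-good window."""
    by_conv = defaultdict(list)
    for src, dst, dport, nbytes in flows:
        by_conv[(src, dst, dport)].append(nbytes)
    return {conv: (mean(v), pstdev(v)) for conv, v in by_conv.items()}


def detect_deviations(baseline, flows, z_threshold=3.0, min_sigma=50.0):
    """Return (kind, conversation, bytes) alerts for flows that deviate.

    A never-seen conversation is always interesting on a static network.
    For known conversations we use a z-score; `min_sigma` floors the
    standard deviation so a nearly constant baseline is not hypersensitive.
    """
    alerts = []
    for src, dst, dport, nbytes in flows:
        conv = (src, dst, dport)
        if conv not in baseline:
            alerts.append(("new_conversation", conv, nbytes))
            continue
        mu, sigma = baseline[conv]
        z = (nbytes - mu) / max(sigma, min_sigma)
        if z > z_threshold:
            alerts.append(("volume_anomaly", conv, nbytes))
    return alerts


def run_example():
    """Evaluate the constructed window against the constructed baseline."""
    return detect_deviations(build_baseline(BASELINE_FLOWS), NEW_WINDOW)


if __name__ == "__main__":
    for kind, conv, nbytes in run_example():
        print(f"{kind:16} {conv[0]} -> {conv[1]}:{conv[2]} bytes={nbytes}")
```

The two alerts this raises, a DNS conversation carrying far more data than usual and a PLC opening a connection it has never made, are exactly the deviations a static baseline makes cheap to spot; the same logic works on business networks, only with a noisier baseline.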
Strong network-based controls with advanced warning systems engaged:
Note: TLS decryption is a must. If you are not decrypting, you are at high risk of missing threats carried inside the encrypted channel (no IPS and no malware inspection on the majority of your traffic), and you become 100% reliant on the endpoint, which is also the victim, to mitigate the risk.
|BGP monitoring, DDoS protection, GEO control
|Monitor your prefixes and alert on any 'interesting' path change. Path changes come in several kinds, such as a more-specific announcement, a change of AS path, a change of origin AS or transit AS, or any combination of these, and they lead to threats such as blackholed traffic or traffic redirection and interception. DDoS mitigation should cover everything from application-layer attacks against enterprise applications to volumetric attacks. GEO-based policies add one more layer and force the adversary to pivot to other geographies, giving all defenders a chance to detect these nefarious activities.
|Cloud based visibility and control including API risk and exposure
|Ensure cloud-based services and infrastructure meet compliance needs and are monitored for weaknesses, including APIs. Behavioral monitoring of the network across multi-cloud environments gives defenders an advantage and pulls together the full story.
|Endpoint protection, detection, and response and browser isolation
|This is the last line of defense before compromise and an opportunity to mitigate. Multiple detection engines are key, including sandboxing of unknown files. In the event of compromise, a record of all activity on the endpoint gives responders insight into what took place, allows better controls once the incident is understood, and helps prevent reinfection. When protecting highly targeted individuals such as the C-suite, accounting and IT staff, consider browser isolation so that endpoints are not compromised when a visited website is malicious.
|Two-factor authentication
|Usernames and passwords alone have enabled adversaries to gain access to too many systems; two-factor authentication is a must. This should cover all critical services, including SaaS, web front ends, VPN, RDP/SSH and so on.
|Security awareness training
|Humans remain a key element and one of the biggest advantages defenders have in their tool kit. Education empowers users to be part of the overall security posture, and this includes mitigation and detection. Never underestimate the power of humans.
|Incident Response and Threat Hunting
|Tools are required to augment the incident response process, including real-time data collection and summarization, orchestration, and automation, to reduce the time to respond, mitigate and eradicate. It is also time to revisit your overall plans and playbooks to ensure everything is in order in the event of exposure. Consider exercises such as network reviews, red teaming and an overall readiness assessment, and confirm that emergency response teams, processes and support channels are in place.
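The prefix-monitoring checks described under "BGP monitoring" above (more-specific announcements, origin-AS changes, unexpected transit ASes, new paths), as an added example rather than Cisco's or any route collector's code. The ASNs, prefixes, expected-upstream baseline and announcements are all constructed; real announcements would come from a collector feed such as RIPE RIS or RouteViews, and the function names are this example's own.

```python
"""Prefix monitoring: classify BGP announcements against an expected baseline (added example)."""
import ipaddress

# Constructed baseline: prefixes we originate, our origin ASN, the transit
# ASes we expect directly upstream of it, and the AS paths we have seen before.
MY_PREFIXES = {
    ipaddress.ip_network("203.0.113.0/24"): {
        "origin": 64500, "upstreams": {64510, 64520},
        "known_paths": {(64530, 64510, 64500)},
    },
    ipaddress.ip_network("2001:db8::/32"): {
        "origin": 64500, "upstreams": {64510},
        "known_paths": {(64530, 64510, 64500)},
    },
}

# Constructed announcements as seen by a remote collector: (prefix, AS path).
UPDATES = [
    ("203.0.113.0/24", [64530, 64510, 64500]),         # expected
    ("203.0.113.0/24", [64530, 64540, 64500]),         # unexpected transit AS
    ("203.0.113.0/25", [64530, 64510, 64666]),         # more specific, foreign origin
    ("203.0.113.0/24", [64530, 64666]),                # origin hijack
    ("2001:db8::/32", [64550, 64530, 64510, 64500]),   # longer path, same origin/upstream
    ("198.51.100.0/24", [64530, 64560]),               # not ours, ignored
]


def covering_prefix(net):
    """Return our prefix that equals or covers `net`, or None."""
    for mine in MY_PREFIXES:
        if mine.version == net.version and net.subnet_of(mine):
            return mine
    return None


def classify(prefix_str, as_path):
    """Return a list of findings for one announcement, [] if consistent, None if not ours."""
    net = ipaddress.ip_network(prefix_str)
    mine = covering_prefix(net)
    if mine is None:
        return None
    expected = MY_PREFIXES[mine]
    # Collapse AS-path prepending (64500 64500 64500) so it is not read as a transit change.
    path = [a for i, a in enumerate(as_path) if i == 0 or a != as_path[i - 1]]
    origin = path[-1]
    findings = []
    if net != mine:
        findings.append("more_specific")        # someone announcing a piece of our block
    if origin != expected["origin"]:
        findings.append("origin_change")        # hijack or misconfiguration
    elif len(path) >= 2 and path[-2] not in expected["upstreams"]:
        findings.append("transit_change")       # reached us via an unexpected neighbor
    if not findings and tuple(path) not in expected["known_paths"]:
        findings.append("new_path")             # informational: path differs from history
    return findings


def monitor(updates):
    """Run classify() over a batch and keep only announcements with findings."""
    alerts = []
    for prefix, path in updates:
        findings = classify(prefix, path)
        if findings:
            alerts.append((prefix, path, findings))
    return alerts


if __name__ == "__main__":
    for prefix, path, findings in monitor(UPDATES):
        print(prefix, " ".join(map(str, path)), ",".join(findings))
```

A more-specific with a foreign origin is the classic interception pattern, since longest-prefix match steals the traffic no matter how well your own /24 propagates; "new_path" is deliberately informational, because paths legitimately shift as peers re-route, and only combined with an origin or transit change does it become an incident.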
Organizations should upgrade Log4j, or the applications that use this library, following vendor instructions as soon as possible. If updating is not possible, follow the mitigations recommended by the Apache Software Foundation in the threat advisory.
Activate incident response plans immediately for REvil - Kaseya supply chain attack.
Every Cisco Secure customer is entitled to the Cisco SecureX platform. See the value of SecureX integrations today and unlock every Cisco Secure product's full potential, speeding your investment time to value.