In the war against cyber attackers, Cisco Systems is offering service providers a new weapon: Free help.
For a small number of Internet hosting providers whose physical or virtual servers are being unwittingly used to host massive malware attacks, the company’s Talos security group will help purge those systems.
Under the effort, called Project Aspis — an aspis is the wooden shield carried by ancient Greek soldiers — Talos staff will share expertise and resources including network and systems forensics, reverse engineering, threat intelligence sharing and, if necessary, a dedicated research engineer.
Providers don’t have to be Cisco customers.
The project has already had one success, ridding Limestone Networks, a Dallas-based cloud hosting service, of someone using its servers to distribute the Angler ransomware exploit kit.
The threat actor was costing Limestone about $10,000 USD a month in fraudulent charges, plus wasted engineering time and the overhead of managing the abuse tickets, Cisco said — not to mention the mess caused to victims.
Talos and Limestone were able to rapidly identify and terminate the servers being used, and eventually the person behind the scheme gave up on that provider.
“The problem we had is that providers will unknowingly sell a box (server) to a bad guy, who will inevitably end up not paying, or buy the box with a stolen credit card,” Craig Williams, a Talos senior technical leader said in an interview. “Meanwhile our customers are attacked from the provider. We can go to the provider, who will then turn the box off and act responsibly, but the goal of Project Aspis is to take that to the next level — to help us find the providers that have been targeted by these organized threat actors and take down those networks faster.”
Williams made it clear that providers who are eligible for help under the project have to show their service is inadvertently hosting more than just an exploit kit or two. This is meant to take down the biggest of the bad.
“Obviously we have a limited amount of resources, so we want to make sure we get the biggest benefit to our customers on the rest of the Internet.”
The program is “really a prototype to see if we can start knocking down these servers faster than we were before,” he said. “If you’re suffering high monetary impact and causing high monetary impact to other people, we want to help you. At the end of the day we want to cripple the ability of the bad guys to make money off our customers and other victims on the Internet.”
However, the world is a big place. The threat actor that used Limestone had more than one outlet. Williams said making it uncomfortable for them at Limestone merely cut their activity by 50 per cent. But Cisco [Nasdaq: CSCO] is sharing its intel with others.
“I’m optimistic that by the end of the month, using all the data that we published, other providers and the rest of the Internet will make a significant dent in the rest of the traffic.”
Providers wanting to apply to Project Aspis should email project-aspis@external.cisco.com and include contact information and a description of the situation, including any forensic information and indicators of compromise.