Products and Services
Technical Archives

Cisco’s Attack Continuum

April 22, 2018

Cisco’s Attack Continuum is the Security model that underpins the Cisco Security portfolio and ties in to the operation of AMP, Umbrella and other security products.With today’s threat landscape looking nothing like it did a decade ago, Cisco felt it was time for a change in approach. Simple attacks have given way to more sophisticated cyber attacks delivered by cybercrime organisations, and nation state sponsored groups.These modern day advanced attacks have become very difficult to detect, they use significant amounts of resources to launch these attacks remotely and tend to stay present in a compromised network for extended periods of time. The industry has calculated that it takes on average 100 days for these threats to be detected, resulting in attackers being present in your network for over three months.Our normal security methods that purely rely on detection and blocking mechanisms alone, such as firewalls and anti-virus, are no longer sufficient to cope with the ever-evolving threats of today.The Cisco Attack Continuum looks to change this, it is a threat-centric approach to security that aims to deliver Advanced Threat Protection, Superior Visibility and Continuous control, Before, During and After an attack.

Before an Attack

The Before phase of the Attack Continuum looks to drive ‘Predictive and Preventative’ capabilities. Through the help of world class threat intelligence, the aim here is to provide Security staff with complete visibility and awareness into what’s on the network. By knowing what’s out there we can then develop security policies and configurations that will strengthen defences and reduce the attack surface, making it more difficult for the bad guys to compromise your network.

During an Attack

The During phase of the Attack Continuum focuses upon the ‘Preventative and Detective’ capabilities. This is where we need to take the awareness gained in the Before phase and act upon it, detecting malware that is present in your environments and having the controls in place to block it. We are not just looking to rely on traditional point-in-time detection and blocking methods here, but also consider historical patterns and behaviour, as well as global threat intelligence.

After the Attack

The After phase of the Attack Continuum focuses upon the ‘Detective and Response, capabilities. In the event that a threat gets through your perimeter and evades the first line of your network defences, this is where you need retrospective security. Continuous monitoring of files, processes and network activity, lets you understand what has happened where, giving a look back in time to identify Indications of compromise and enable you to quickly respond and remediate any issues discovered.

Cisco Solutions work together

Enforcing the Attack Continuum is achieved through Cisco products and solutions working together to provide enhanced levels of protection.

The graphic above shows how each product fits into the model. Be aware though that products can deliver protection that spans the full attack continuum.Before: Discover threats, enforce and harden policies, and prevent at the perimeter - using Cisco ASA 5500-X Series & Next-Generation Firewalls, NAC & Identity Services Engine.During: Detect, block, and defend against attacks that have already penetrated the network and are in progress - using Next-Generation Intrusion Prevention Systems, and Email and Web security.After: Scope, contain, and remediate an attack to minimize damage - using Advanced Malware Protection, Threat Grid and Network Behaviour Analysis (StealthWatch).

Addressing the Attack Continuum with Cisco AMP

As mentioned above Cisco products can protect across the Full Attack Continuum, and AMP is no exception. AMP for Endpoints provides continuous analysis, retrospective security and point-in-time detection to protect against Malware, when it enters and if it evades initial inspection.Before an attack, AMP uses global threat intelligence to strengthen defences, and analyse and detect vulnerable applications.During an attack, AMP uses the global threat intelligence, known file signatures, and dynamic file analysis technology to block malware trying to infiltrate your organisations network. When AMP analyses a file that is found to be malicious it prevents it from executing.After an attack, AMP continuously monitors and analyses all file activity, processes, and communications. If a file is detected as acting maliciously, AMP will detect it and know where it came from and if any other machines are affected. It will provide retrospective alerts, indications of compromise, tracking, and analysis, so security teams can respond and remove the threat quickly.

Addressing the Attack Continuum with Cisco Umbrella

Cisco Umbrella delivers predictive security at the DNS and IP layers, resulting in internet wide visibility and protection. Umbrella prevents malware, phishing and C2 call-backs from comprising your systems or stealing data from your organisation over any port or protocol.Before an attack, Umbrella acts as the first layer of defence, blocking threats before they reach the network or attached endpoints, by preventing the user from ever connecting to the malicious site.During an attack, Umbrella continues to learn from its global threat intelligence, updating the reputation of web sites, as it discovers where the threats are being staged from. Cisco Umbrella Investigate can also be used to analyse and understand the malicious domains and IPs used in an attacker’s infrastructure.After an attack, Umbrella continues to protect your network and devices by preventing connections to Command and Control (C2) networks, ensuring that further infection and compromise is not successful.


Hopefully you can see how Cisco’s Security model and its threat-centric approach can help your business to dramatically improve your security protection, significantly increase visibility and control, while reducing complexity, before, during and after an attack.For more information on Cisco products or our services please get in touch by Clicking here.Ironshare – Security, Simplified


Stuart Hare is a Technologist with a passion for helping people in all aspects of IT & Cyber Security. Stuart is the Founder of Ironshare, an Information and Cyber Security company providing consultancy and managed services.

Samuel is a Security Analyst with Ironshare, an Information and Cyber Security company providing Security consultancy and managed services.

Joshua is working as a Managed Service Lead with Ironshare, an Information and Cyber Security company providing Security consultancy and managed services.


Ironshare is a provider of Information and Cyber Security services.

we went with; wizard pi