Sunil Amin, Principal Engineer, Stealthwatch
July 20th 2018
Detecting Malware without Decryption
Encrypted Traffic Analytics (ETA)
© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public.
Agenda
• Background: Encryption Trends
• Introduction to Encrypted Traffic Analytics (ETA)
• Cryptographic Compliance
• Field Testing and Results
o Mobile World Congress 2018
o Miercom Report 2018
• Conclusion
Background: Encryption Trends
Networks are becoming more and more opaque!
Google Chrome will mark all HTTP sites as not secure in July 2018
The New Threat Landscape
Organizations are at risk (source: Ponemon Report, 2016):
[Chart: organizations that decrypt traffic versus those that do not; values shown: 38% and 62%]
• 64% cannot detect malicious content in encrypted traffic
• 41% of attackers used encryption to evade detection
• 81% of organizations have been victims of a cyber attack
New attack vectors:
• Employees browsing over HTTPS: malware infection, covert channel with command and control server, data exfiltration
• Employees on internal network connecting to DMZ servers: lateral propagation of encrypted threats
Malicious Activity within Encrypted Traffic (November 2016 to October 2017)
• Global encrypted web traffic: 38% to 50%, a 12% increase
• Malicious sandbox binaries with encryption: 19% to 70%, a 268% increase
Privacy AND Security
Now Available: Cisco Encrypted Traffic Analytics
Industry's first network that finds threats in encrypted traffic without decryption
[Figure: encrypted traffic versus non-encrypted traffic]
Introduction to Encrypted Traffic Analytics (ETA)
Artificial Intelligence/Machine Learning
• Inputs: known malware traffic and known benign traffic
• Extract observable features in the data
• Employ machine learning techniques to build detectors
• Result: known malware sessions detected in encrypted traffic with high accuracy
"Identifying Encrypted Malware Traffic with Contextual Flow Data", AISec '16 | Blake Anderson, David McGrew (Cisco Fellow)
ETA Solution Overview
Cisco Stealthwatch: machine learning malware detection and cryptographic compliance
• Enhanced analytics and machine learning
• Global-to-local knowledge correlation
• Continuous enterprise-wide compliance
Cisco Networks: NetFlow and Enhanced NetFlow (metadata)
• Enhanced NetFlow from Cisco's newest switches and routers
• Telemetry for encrypted malware detection and cryptographic compliance
Outcomes: leveraged network, faster investigation, higher precision, stronger protection
How Can We Inspect Encrypted Traffic?
• Initial data packet: make the most of the unencrypted fields (e.g. a self-signed certificate)
• Sequence of packet lengths and times: identify the content type through the size and timing of packets (e.g. data exfiltration, C2 message)
• Global risk map: who's who of the Internet's dark side; broad behavioral information about the servers on the Internet
Multi-Layer Machine Learning
Inputs: initial data packet, sequence of packet lengths and times, and global risk map, feeding multi-layer machine learning
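As an added illustration of the sequence-of-packet-lengths-and-times (SPLT) feature from the preceding slides, not code from Cisco or from the cited paper: packet lengths and inter-arrival times are binned and turned into row-normalised Markov transition matrices, the representation Anderson and McGrew used in the AISec '16 paper, and a nearest-centroid classifier stands in for the multi-layer machine learning stage. The 150-byte and 50 ms bin widths, the two sample flows and their labels are constructed assumptions.

```python
NUM_BINS = 10
LEN_BIN = 150          # bytes per length bin (assumed, as in the AISec '16 setup)
TIME_BIN = 50          # milliseconds per inter-arrival bin (assumed)

def bin_index(value, width):
    # Clamp into the last bin so oversized values stay inside the matrix.
    return min(int(value // width), NUM_BINS - 1)

def transition_matrix(values, width):
    # Row-normalised Markov transition matrix over binned values, flattened to NUM_BINS**2 features.
    counts = [[0] * NUM_BINS for _ in range(NUM_BINS)]
    bins = [bin_index(v, width) for v in values]
    for a, b in zip(bins, bins[1:]):
        counts[a][b] += 1
    feats = []
    for row in counts:
        total = sum(row)
        feats.extend(c / total if total else 0.0 for c in row)
    return feats

def splt_features(packets):
    # packets: list of (length_bytes, inter_arrival_ms); 200 features = lengths matrix + times matrix.
    lengths = [length for length, _ in packets]
    gaps = [gap for _, gap in packets]
    return transition_matrix(lengths, LEN_BIN) + transition_matrix(gaps, TIME_BIN)

def nearest_class(feats, labelled):
    # Nearest-centroid stand-in for the ML stage; labelled maps label -> list of feature vectors.
    best = None
    for label, vecs in labelled.items():
        centroid = [sum(col) / len(vecs) for col in zip(*vecs)]
        dist = sum(abs(a - b) for a, b in zip(feats, centroid))
        if best is None or dist < best[0]:
            best = (dist, label)
    return best[1]

# Constructed sample flows (length_bytes, inter_arrival_ms), not captured traffic.
BEACON = [(110, 0)] + [(110, 1000)] * 9                       # same-size packets on a fixed timer
BROWSE = [(517, 0), (1460, 30), (1460, 2), (1460, 1), (230, 40), (1460, 5), (80, 10), (1460, 120)]
LABELLED = {"beacon-like": [splt_features(BEACON)], "browsing": [splt_features(BROWSE)]}

def label_flow(packets):
    return nearest_class(splt_features(packets), LABELLED)
```

Real detectors train on many labelled flows per class and keep packet direction; the two-flow centroid here only shows how the SPLT representation separates a timer-driven flow from interactive browsing.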
Encrypted Traffic Analytics: Example Incident
Cryptographic Compliance
How much of your business is in the clear versus encrypted?
Encryption details on all network flows
Filter Flows by TLS/SSL
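An added example (not Cisco's code) of the two things the slides above describe: pulling the unencrypted initial-data-packet fields out of a TLS ClientHello, and filtering flows for the cryptographic compliance view, here flagging clients that still offer SSL 3.0/TLS 1.0 or NULL/RC4 cipher suites. The ClientHello builder, the hostnames and the two flows are constructed for the example.

```python
import struct
# Constructed ClientHello builder, used only to fabricate sample flows offline.
def build_client_hello(version, cipher_suites, sni):
    name = sni.encode()
    sni_list = b"\x00" + struct.pack(">H", len(name)) + name           # one host_name entry
    sni_ext = struct.pack(">HHH", 0x0000, len(sni_list) + 2, len(sni_list)) + sni_list
    body = (struct.pack(">H", version) + b"\x00" * 32 + b"\x00"          # version, random, empty session id
            + struct.pack(">H", 2 * len(cipher_suites))
            + b"".join(struct.pack(">H", c) for c in cipher_suites)
            + b"\x01\x00"                                                 # compression methods: null only
            + struct.pack(">H", len(sni_ext)) + sni_ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake

def parse_client_hello(record):
    # Walk the unencrypted ClientHello fields ETA keys on: version, cipher suites, SNI.
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS ClientHello record")
    p = 9                                                    # record header (5) + handshake header (4)
    version = struct.unpack(">H", record[p:p + 2])[0]
    p += 2 + 32                                              # client_version, random
    p += 1 + record[p]                                       # session_id
    n = struct.unpack(">H", record[p:p + 2])[0]
    suites = [struct.unpack(">H", record[i:i + 2])[0] for i in range(p + 2, p + 2 + n, 2)]
    p += 2 + n
    p += 1 + record[p]                                       # compression_methods
    sni = None
    if p + 2 <= len(record):                                 # extensions block is optional
        ext_end = p + 2 + struct.unpack(">H", record[p:p + 2])[0]
        p += 2
        while p + 4 <= ext_end:
            etype, elen = struct.unpack(">HH", record[p:p + 4])
            if etype == 0x0000:                              # server_name: list_len(2) type(1) name_len(2) name
                name_len = struct.unpack(">H", record[p + 7:p + 9])[0]
                sni = record[p + 9:p + 9 + name_len].decode()
            p += 4 + elen
    return {"version": version, "cipher_suites": suites, "sni": sni}

LEGACY_VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0"}               # PCI DSS: out after June 2018
WEAK_SUITES = {0x0001: "TLS_RSA_WITH_NULL_MD5", 0x0002: "TLS_RSA_WITH_NULL_SHA",
               0x0004: "TLS_RSA_WITH_RC4_128_MD5", 0x0005: "TLS_RSA_WITH_RC4_128_SHA"}

def compliance_findings(record):
    # Reports what the client offered; the negotiated version also needs the ServerHello.
    hello = parse_client_hello(record)
    offered = [LEGACY_VERSIONS.get(hello["version"])] + [WEAK_SUITES.get(s) for s in hello["cipher_suites"]]
    return [f"{hello['sni']}: offers {name}" for name in offered if name]
# Two constructed flows, a legacy client and a modern one (hostnames are placeholders).
LEGACY_FLOW = build_client_hello(0x0301, [0x0005, 0x000A], "legacy-pos.example")
MODERN_FLOW = build_client_hello(0x0303, [0xC02F, 0xC030], "portal.example")
```

A TLS 1.3 client also sends 0x0303 in this field and carries its real version in the supported_versions extension, so a production filter reads that extension and the ServerHello as well.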
Supported Components
Network Infrastructure Generating ETA Telemetry
• Campus & Branch: Catalyst 9000
• Branch Edge: ISR & ASR (NEW)
• Cloud: CSR 1000V (NEW)
Field Testing and Results
Mobile World Congress 2018: Large BYOD Environment
What is Mobile World Congress?
More than 107,000 visitors from 205 countries and territories
Stealthwatch monitored all the wireless traffic to and from the Internet with Encrypted Traffic Analytics
Over 55% of attendees held senior-level positions, including more than 7,700 CEOs
Topology
[Diagram: Internet, ASR 1k router, distribution Cat6K, MWC wireless; SPAN from the Cat6K to the ASR; ETA telemetry to the Flow Collector and Management Console]
We enabled ETA on an ASR1001-X with the MWC's Internet-bound traffic SPAN'ed from a distribution Cat6K switch to the ASR1001-X on a GigE port
ETA at Mobile World Congress 2018
Massive network footprint:
• 55+ million flows analyzed
• 82% HTTPS vs 18% HTTP
• At peak hours, more than 20K flows per second from wireless users
Threats detected:
• C&C and data exfiltration
• 350 detections using ETA
• Numerous malware instances, including mobile malware
• Over 30 applications using TLS 1.0
Detection Summary
• Android Malware: Android.spy, Boqx, infected firmware
• Adware: OSX Malware Genieo, RevMob, AdInjector
• Possibly unwanted applications: Tor, BitTorrent, phishing
• Various: SALITY malware, SMB service discovery malware, Conficker, cryptomining
Miercom Report 2018
Test Setup
A set of laptops served as the source of different types of generated malware traffic.
[Diagram: path with ETA versus path without ETA]
74 pcap samples were run and 51 had encrypted traffic
All findings prioritized and clear course of action
Stealthwatch automates the security analyst
How secure is my digital business’s traffic?
In June 2018, PCI will make TLS 1.0 a violation
Stealthwatch/ETA makes available the details of the encrypted traffic!
Conclusion
• Nearly all network communication is encrypted these days.
• Decryption is not a viable option.
• ETA is a solution set! It is not a product.
o Branch, WAN and Cloud routers
o Campus switches
o Cisco Stealthwatch Enterprise
• ETA delivers two outcomes:
o Cryptographic compliance.
o Detection of malicious traffic in encrypted traffic WITHOUT decryption.