Detecting Malware without Decryption
Encrypted Threat Analytics (ETA)
Sunil Amin, Principal Engineer, Stealthwatch
July 20th 2018

Page 2

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public.

Agenda

• Background: Encryption Trends
• Introduction to Encrypted Traffic Analytics (ETA)
• Cryptographic Compliance
• Field Testing and Results
  o Mobile World Congress 2018
  o Miercom Report 2018
• Conclusion

Page 3

Background: Encryption Trends

Page 4

Networks are becoming more and more opaque!

Google Chrome will mark all HTTP sites as not secure in July 2018

Page 5

The New Threat Landscape

Organizations are at risk (Source: Ponemon Report, 2016):
• 38% decrypt, 62% do not decrypt
• 64% cannot detect malicious content in encrypted traffic
• 41% of attackers used encryption to evade detection
• 81% of organizations have been victims of a cyber attack

New attack vectors
• Employees browsing over HTTPS: malware infection, covert channel with command and control server, data exfiltration
• Employees on internal network connecting to DMZ servers: lateral propagation of encrypted threats

Page 6

Malicious Activity within Encrypted Traffic (November 2016 to October 2017)
• Global encrypted web traffic: 38% to 50% (12% increase)
• Malicious sandbox binaries with encryption: 19% to 70% (268% increase)

Page 7

Privacy AND Security

Now Available: Cisco Encrypted Traffic Analytics

Industry's first network that finds threats in encrypted traffic without decryption

(Figure: encrypted traffic versus non-encrypted traffic)

Page 8

Introduction to Encrypted Traffic Analytics (ETA)

Page 9

Artificial Intelligence/Machine Learning
• Inputs: known malware traffic and known benign traffic
• Extract observable features in the data
• Employ machine learning techniques to build detectors
• Result: known malware sessions detected in encrypted traffic with high accuracy

"Identifying Encrypted Malware Traffic with Contextual Flow Data", AISec '16 | Blake Anderson, David McGrew (Cisco Fellow)

Page 10

ETA Solution Overview
• Cisco Networks: Enhanced NetFlow from Cisco's newest switches and routers; telemetry for encrypted malware detection and cryptographic compliance
• Cisco Stealthwatch: machine learning malware detection and cryptographic compliance; enhanced analytics and machine learning; global-to-local knowledge correlation; continuous enterprise-wide compliance
• Outcomes: leveraged network, faster investigation, higher precision, stronger protection

(Figure: NetFlow, Enhanced NetFlow and metadata flow from Cisco Networks to Cisco Stealthwatch)

Page 11

How Can We Inspect Encrypted Traffic?
• Make the most of the unencrypted fields: the initial data packet (for example, a self-signed certificate)
• Identify the content type through the size and timing of packets: the sequence of packet lengths and times (for example, data exfiltration or a C2 message)
• Who's who of the Internet's dark side: the global risk map, broad behavioral information about the servers on the Internet

Page 12

Multi-Layer Machine Learning
• Inputs: initial data packet, sequence of packet lengths and times, global risk map
• These feed a multi-layer machine learning pipeline
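The two flow-derived inputs named on the last two slides, the initial data packet and the sequence of packet lengths and times, can be made concrete. The Python below is an added example written for this page; it is not Cisco's or Stealthwatch's code and does not reproduce ETA's real feature set. It builds a constructed TLS ClientHello to stand in for a flow's initial data packet, parses the plaintext fields a sensor can read without decrypting anything (client version, offered cipher suites, SNI), and turns a constructed packet list into a SPLT-style vector of signed lengths and inter-arrival gaps. The function names, the record layout and the sample values are assumptions.

```python
import struct

# TLS/SSL version codes as they appear in the ClientHello client_version field.
TLS_VERSIONS = {0x0300: "SSLv3", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
                0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}


def build_client_hello(version, cipher_suites, server_name):
    """Constructed sample: a minimal TLS ClientHello record standing in for the
    'initial data packet' of a flow. Zeroed random, null compression only,
    and a single server_name extension."""
    name = server_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name            # name type host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    extensions = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list    # type 0 = server_name
    suites = b"".join(struct.pack("!H", cs) for cs in cipher_suites)
    body = (struct.pack("!H", version) + bytes(32)                        # client_version, random
            + b"\x00"                                                     # session_id length 0
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00"                                                 # compression: null only
            + struct.pack("!H", len(extensions)) + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body             # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # record type handshake


def parse_client_hello(data):
    """Read the plaintext fields of a ClientHello: client_version, offered
    cipher suites and SNI. Returns None when the bytes are not a ClientHello."""
    if len(data) < 5 or data[0] != 0x16:
        return None
    hs = data[5:5 + struct.unpack("!H", data[3:5])[0]]
    if len(hs) < 4 or hs[0] != 0x01:
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    version = struct.unpack("!H", body[0:2])[0]
    pos = 2 + 32                                    # skip random
    pos += 1 + body[pos]                            # skip session_id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                            # skip compression methods
    server_name = None
    if pos + 2 <= len(body):
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            if etype == 0x0000:                     # server_name: list_len(2) type(1) name_len(2) name
                name_len = struct.unpack("!H", body[pos + 3:pos + 5])[0]
                server_name = body[pos + 5:pos + 5 + name_len].decode("ascii", "replace")
            pos += elen
    # Caveat: a TLS 1.3 client still writes 0x0303 here and signals 1.3 in the
    # supported_versions extension, which this minimal parser does not read.
    return {"version": TLS_VERSIONS.get(version, hex(version)),
            "cipher_suites": suites, "server_name": server_name}


def splt_features(packets, max_len=10):
    """Sequence of packet lengths and times. packets is a list of
    (timestamp_s, length_bytes, direction) with direction +1 client->server
    and -1 server->client. Lengths are signed by direction; times are
    inter-arrival gaps in ms. Truncated or zero-padded to max_len."""
    lengths, gaps, prev = [], [], None
    for ts, size, direction in packets[:max_len]:
        lengths.append(direction * size)
        gaps.append(0.0 if prev is None else round((ts - prev) * 1000, 1))
        prev = ts
    pad = max_len - len(lengths)
    return {"lengths": lengths + [0] * pad, "inter_arrival_ms": gaps + [0.0] * pad}


def extract_flow_features(initial_data_packet, packets):
    """Combine the two observable sources into one feature record for a flow."""
    return {"idp": parse_client_hello(initial_data_packet), "splt": splt_features(packets)}


# Constructed flow: a TLS 1.0 handshake offering a legacy RSA suite first,
# followed by four packets with made-up sizes and timings.
SAMPLE_IDP = build_client_hello(0x0301, [0x002F, 0xC02F], "example.com")
SAMPLE_PACKETS = [(0.000, 517, +1), (0.045, 1460, -1), (0.046, 1200, -1), (0.050, 126, +1)]

if __name__ == "__main__":
    print(extract_flow_features(SAMPLE_IDP, SAMPLE_PACKETS))
```

Everything the parser returns is visible to a passive sensor: the negotiated-version hint, the cipher suites in the order the client prefers them, and the server name. A flow that offers only legacy suites under TLS 1.0, or whose SPLT vector shows small, evenly spaced client-to-server packets, is exactly the kind of record the slides' machine learning layer consumes; this example stops at producing that record rather than inventing a classifier.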

Page 13

Encrypted Traffic Analytics: Example Incident

Page 14

Cryptographic Compliance

Page 15

How much of your business is in the clear versus encrypted?

Page 16

Encryption details on all network flows

Page 17

Filter Flows by TLS/SSL
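The three cryptographic compliance slides ask two questions of the per-flow encryption details: how much of the business is in the clear versus encrypted, and which flows still negotiate an old TLS version. As an added illustration (not Stealthwatch code; the flow records, and field names such as tls_version, cipher and app, are constructed assumptions), the Python below answers both over a handful of records, including the later slide's point that PCI treats TLS 1.0 as a violation.

```python
from collections import Counter

# Rank of each TLS/SSL version so "older than the minimum" is a simple comparison.
VERSION_RANK = {"SSLv3": 0, "TLS 1.0": 1, "TLS 1.1": 2, "TLS 1.2": 3, "TLS 1.3": 4}

# Constructed flow records standing in for the encryption details a flow
# collector exports per flow; tls_version None means no TLS handshake was seen.
FLOWS = [
    {"src": "10.1.1.10", "dst": "203.0.113.5", "port": 443, "app": "payments-api",
     "tls_version": "TLS 1.2", "cipher": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "bytes": 48_200},
    {"src": "10.1.1.11", "dst": "203.0.113.9", "port": 443, "app": "legacy-portal",
     "tls_version": "TLS 1.0", "cipher": "TLS_RSA_WITH_AES_128_CBC_SHA", "bytes": 12_900},
    {"src": "10.1.1.12", "dst": "198.51.100.4", "port": 80, "app": "intranet-wiki",
     "tls_version": None, "cipher": None, "bytes": 310_000},
    {"src": "10.1.2.20", "dst": "203.0.113.9", "port": 443, "app": "legacy-portal",
     "tls_version": "TLS 1.0", "cipher": "TLS_RSA_WITH_AES_128_CBC_SHA", "bytes": 9_400},
    {"src": "10.1.2.21", "dst": "192.0.2.77", "port": 8443, "app": "vendor-agent",
     "tls_version": "TLS 1.1", "cipher": "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", "bytes": 2_100},
    {"src": "10.1.2.22", "dst": "192.0.2.80", "port": 443, "app": "saas-mail",
     "tls_version": "TLS 1.3", "cipher": "TLS_AES_256_GCM_SHA384", "bytes": 77_500},
]


def encryption_breakdown(flows):
    """How much is in the clear versus encrypted, by flow count and by bytes.
    Counting bytes matters: one clear-text flow can carry most of the data."""
    enc = [f for f in flows if f["tls_version"] is not None]
    clear = [f for f in flows if f["tls_version"] is None]
    total_bytes = sum(f["bytes"] for f in flows) or 1
    return {
        "encrypted_flows": len(enc),
        "clear_flows": len(clear),
        "encrypted_bytes_pct": round(100 * sum(f["bytes"] for f in enc) / total_bytes, 1),
        "versions": dict(Counter(f["tls_version"] for f in enc)),
    }


def filter_tls(flows, below=None):
    """Filter flows by TLS/SSL: every TLS flow, or only those that negotiated
    a version older than `below`."""
    tls = [f for f in flows if f["tls_version"] in VERSION_RANK]
    if below is None:
        return tls
    return [f for f in tls if VERSION_RANK[f["tls_version"]] < VERSION_RANK[below]]


def compliance_report(flows, minimum="TLS 1.1"):
    """Applications, servers and cipher suites still below `minimum`.
    The default flags TLS 1.0 and SSLv3, matching the slide's PCI point;
    pass minimum="TLS 1.2" for a stricter internal policy."""
    violations = filter_tls(flows, below=minimum)
    return {
        "minimum": minimum,
        "violating_flows": len(violations),
        "apps": sorted({f["app"] for f in violations}),
        "servers": dict(Counter(f"{f['dst']}:{f['port']}" for f in violations)),
        "ciphers": sorted({f["cipher"] for f in violations}),
    }


if __name__ == "__main__":
    print(encryption_breakdown(FLOWS))
    print(compliance_report(FLOWS))
    print(compliance_report(FLOWS, minimum="TLS 1.2"))
```

On the constructed records five of six flows are encrypted, yet only about a third of the bytes are, because the one HTTP flow is the largest. Grouping violations by application and by server is what turns "over 30 applications using TLS 1.0" into an actionable list of owners to contact.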

Page 18

Supported Components

Page 19

Network Infrastructure Generating ETA Telemetry
• Campus & Branch: Catalyst 9000
• Branch Edge: ISR & ASR (NEW)
• Cloud: CSR 1000V (NEW)

Page 20

Field Testing and Results

Page 21

Mobile World Congress 2018
Large BYOD Environment

Page 22

What is Mobile World Congress?
• More than 107,000 visitors from 205 countries and territories
• Over 55% of attendees held senior-level positions, including more than 7,700 CEOs

Stealthwatch monitored all the wireless traffic to and from the Internet with Encrypted Traffic Analytics.

Page 23

Topology

(Figure: MWC Wireless to a distribution Cat6K to the Internet, with a SPAN from the Cat6K to an ASR 1k router; ETA telemetry from the router goes to the Flow Collector and the Management Console)

We enabled ETA on an ASR1001-X with the MWC's Internet bound traffic SPAN'ed from a distribution Cat6K switch to the ASR1001-X on a GigE port.

Page 24

ETA at Mobile World Congress 2018

Massive network footprint
• 55+ million flows analyzed
• 82% HTTPS vs 18% HTTP
• At peak hours, more than 20K flows per second from wireless users

Threats detected
• C&C and data exfiltration
• 350 detections using ETA
• Numerous malware instances, including mobile malware
• Over 30 applications using TLS 1.0

Page 25

Detection Summary
• Android malware: Android.spy, Boqx, infected firmware
• Adware: OSX malware Genieo, RevMob, AdInjector
• Possibly unwanted applications: Tor, BitTorrent, phishing
• Various: SALITY malware, SMB service discovery malware, Conficker, cryptomining

Page 26

Page 27

Page 28

Miercom Report 2018

Page 29

Test Setup

A set of laptops served as the source of different types of generated malware traffic.

(Figure: path with ETA versus path without ETA)

74 pcap samples were run and 51 had encrypted traffic.

Page 30

All findings prioritized and a clear course of action

Stealthwatch automates the security analyst

Page 31

How secure is my digital business's traffic?

In June 2018, PCI will make TLS 1.0 a violation.

Stealthwatch/ETA makes available the details of the encrypted traffic!

Page 32

Conclusion

Page 33

Conclusion
• Nearly all network communication is encrypted these days.
• Decryption is not a viable option.
• ETA is a solution set! It is not a product.
  o Branch, WAN and Cloud routers
  o Campus switches
  o Cisco Stealthwatch Enterprise
• ETA delivers two outcomes:
  o Cryptographic compliance.
  o Detection of malicious traffic in encrypted traffic WITHOUT decryption.
