Identify Zero-Day Breaches with Cognitive Threat Analytics on Cisco Web Security

Cognitive Threat Analytics is a technology that analyzes web requests to identify Command & Control traffic, identifying threats that are currently present in a network. It is currently available across the entire Cisco Web Security portfolio, including Cloud Web Security (CWS) and the Web Security Appliance (WSA). To learn more, watch this webinar: http://cs.co/9000BuggO

  • Thanks for taking the time to meet today to talk about Cisco Cloud Web Security Premium, or CWS Premium, from Cisco.

    T: Let’s get started.

    <click>
  • Today’s reality has 3 outcomes for your business:

    Your environment will be breached
    When it is, it will probably happen because of an infected email
    And if hackers use command and control on your system, they will probably get access via web

    T: All of this means, you need a smarter solution.

    <click>
  • With CWS Premium, you get all the features of CWS Essentials and enhanced protection in the During and After phase through AMP and CTA.

    <click>

    T: Let’s dive deeper into AMP and CTA.

    <click>
  • AMP and CTA sets CWS Premium apart from competitors’ solutions.

    <click>

    AMP increases resistance against direct attacks from the web with File Reputation, content analysis, and Retrospective Security.

    <click>

    CTA is a breach detection technology that detects anomalous activity. It identifies infections that may have bypassed the web infection vector, like infected emails, USB sticks, or other guest devices.

    T: Now let’s take a look at the features that enable these benefits.

    <click>
  • T: Let’s take a closer look at the capabilities of CTA.

    <click>
  • In order to help you understand the threats on your system, CTA breaks all threats down into two categories: Confirmed and Detected.

    Confirmed threats represent verified campaigns. With 100% confirmed breaches across multiple users you can quickly get a handle on the scope of the attack, as well as automate remediation across your system.

    <click>

    The dashboard tells you everything you need to know, including:
    When the threat was first detected
    When it was last observed
    How many users are affected
    And how prevalent the threat is at other companies

    T: And the Detected Threats report gives you a similar breakdown.

    <click>
  • Get insight into exactly what a threat is doing
    See very specific behaviors, for example a particular file was added to a certain directory in a certain app or program
    Lets you know that this particular threat performed this particular action at this time
  • Detected threats are not, or not yet, confirmed as part of a larger campaign.

    <click>

    The dashboard provides you with as much information about the detected threats as possible so you can make an informed decision on how to proceed. The report includes:
    Unique threats detected for individuals
    Suspected threat confidence and risk levels
    Forensic analysis to map the specific threat activities to domains, IPs, and autonomous systems

    T: From end-to-end, CTA supports your entire system.

    <click>
  • Starting with 10 billion requests a day, anomaly detection and trust modeling let you focus on the 1% of requests that actually matter.

    <click>

    Then, using event classification and entity modeling you can find out what type of threat it is, and where it is on your system.

    Finally, using relationship modelling, you can understand if a threat is a one-off attack or part of a larger global campaign.

    From 10 billion requests per day, down to 1-50 thousand incidents, CTA can comb through big data in near real-time.

    This means you not only get the visibility you need, you get it when you need it.

    T: Together, AMP and CTA help you determine the right course of action.

    <click>
  • In the first layer of CTA, Anomaly Detection employs statistical machine learning methods in order to separate the statistically normal traffic from anomalous traffic.

    40+ individual detectors process every HTTP or HTTPS request in the network. Typically, the Anomaly Detection layer processes 10 billion or more requests per day.

    Each request is processed by all 40+ detectors, and each detector applies a different statistical algorithm.

    Once the requests are processed, each detector provides an anomaly score, expressed as a number from 0-1, where 1 means highly anomalous.

    <click>

    The individual scores combine and produce one single score per individual request by again applying multiple statistical methods.

    The aggregate score is then used to separate normal and anomalous traffic.

    T: Only Cisco offers this multiple detector method.

    <click>  
  • The Anomaly Detection layer was designed to be a dynamic ensemble of specialized, statistical detectors. The approach is based on the assumption of algorithm independence.

    <click>

    Each algorithm has a certain probability of classifying a normal flow as anomalous, generating a false positive.

    <click>

    However, the probability that two or more independent algorithms would err on the same flow is significantly lower. Using multiple detectors increases the statistical significance of the overall anomaly score, by reducing the number of false negatives and false positives.

    The ensemble design also allows us to make the individual algorithms more general, base them on repeatable fundamental principles, and achieve economies of scale by being able to deploy the system globally without any per-customer manual configuration. Ensemble systems are typically configured dynamically, or automatically, at deployment time.

    While the anomaly detectors do contain highly condensed and anonymized states, they are still prone to fluctuations and false positives due to the natural irregularities that occur in web traffic.

    T: CTA uses Trust Modeling to further reduce false positives.

    <click>
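Added example (not Cisco's code): a toy version of the ensemble described in the two notes above, in Python, run over a constructed proxy-log sample. Three independent detectors each score a request from 0 to 1 on a different statistic (URL path length z-score, destination-host rarity, upload volume against the median); the scores are averaged into one per-request score (the averaging rule is an assumption, the deck only says several statistical methods are combined), and joint_false_positive_rate() shows the independence argument: detectors that each misfire on 5%, 4% and 2% of normal flows misfire together on 0.004% of them. All host names, paths, sizes and rates are constructed.

```python
import math
from collections import Counter

# Constructed proxy-log sample for the example (not data from the deck):
# (client, destination host, URL path, bytes sent by the client).
REQUESTS = [
    ("10.0.0.5", "cdn.example-media.test",     "/img/logo.png",     320),
    ("10.0.0.5", "cdn.example-media.test",     "/img/banner.png",   310),
    ("10.0.0.6", "update.example-vendor.test", "/v2/manifest.json", 280),
    ("10.0.0.7", "cdn.example-media.test",     "/css/site.css",     300),
    ("10.0.0.6", "update.example-vendor.test", "/v2/patch.bin",     290),
    ("10.0.0.8", "x7k2q9.example-rare.test",   "/a/" + "Q" * 400,  4800),
]


def _clip(x):
    return max(0.0, min(1.0, x))


def detector_path_length(req, population):
    """Z-score of the URL path length against the population, clipped to 0-1 (z >= 3 -> 1)."""
    lengths = [len(r[2]) for r in population]
    mean = sum(lengths) / len(lengths)
    std = math.sqrt(sum((n - mean) ** 2 for n in lengths) / len(lengths)) or 1.0
    return _clip((len(req[2]) - mean) / std / 3.0)


def detector_host_rarity(req, population):
    """How rarely the destination host is contacted, relative to the most common host."""
    counts = Counter(r[1] for r in population)
    return _clip(1.0 - counts[req[1]] / max(counts.values()))


def detector_bytes_out(req, population):
    """Upload volume relative to the population median, on a log2 scale (16x the median -> 1)."""
    sizes = sorted(r[3] for r in population)
    mid = len(sizes) // 2
    median = (sizes[mid - 1] + sizes[mid]) / 2 if len(sizes) % 2 == 0 else sizes[mid]
    return _clip(math.log2(req[3] / median) / 4.0)


DETECTORS = [detector_path_length, detector_host_rarity, detector_bytes_out]


def score_request(req, population, detectors=DETECTORS):
    """Run every detector on one request and aggregate the per-detector scores.

    The deck says the per-detector scores are combined with several statistical
    methods; this example uses the plain mean (an assumption, not CTA's method).
    Returns (aggregate score, list of per-detector scores)."""
    scores = [d(req, population) for d in detectors]
    return sum(scores) / len(scores), scores


def flag_anomalous(population, threshold=0.5):
    """Destination hosts of requests whose aggregate score reaches the threshold."""
    return [r[1] for r in population if score_request(r, population)[0] >= threshold]


def joint_false_positive_rate(rates):
    """Probability that independent detectors with the given false-positive rates all
    misfire on the same normal flow: the product of the individual rates."""
    p = 1.0
    for r in rates:
        p *= r
    return p


if __name__ == "__main__":
    for r in REQUESTS:
        agg, parts = score_request(r, REQUESTS)
        print(f"{r[1]:28s} aggregate={agg:.2f} per-detector={[round(s, 2) for s in parts]}")
    print("flagged:", flag_anomalous(REQUESTS))
    print("single host-rarity detector on an update request:",
          round(detector_host_rarity(REQUESTS[2], REQUESTS), 2), "(a false positive on its own)")
    print("joint FP rate of 5%, 4%, 2% detectors:", joint_false_positive_rate([0.05, 0.04, 0.02]))
```

Note that the host-rarity detector alone gives the update-server requests a score above 0.3, which a single-detector threshold would flag; averaged with the other two detectors the same requests land near 0.1, which is the point the deck makes about independent detectors erring on different flows.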
  • Trust modeling groups similar requests together and aggregates the anomaly score for those groups as a long-term average.

    We create an n-dimensional space from common properties of web flows. Requests carrying anomaly scores are mapped to a particular location in the space based on the requests’ properties. Similar looking flows create clusters.

    The overall anomaly of each cluster is represented as an average of the individual requests’ anomaly scores.

    <click>

    Over time, more requests are mapped to the space to produce a long-term average anomaly score for each cluster, and reduce false positives and false negatives. For example, if there are six thousand similar anomalous requests and request six thousand and one is considered normal, the cluster will maintain an average score of anomalous, because all other similar requests were seen as anomalous.

    Clusters with anomaly scores above a certain threshold move on to the next layer of processing. This threshold is determined dynamically by the system, and typically results in about 1% of traffic continuing on to the next steps.

    T: The next processing feature is Event Classification.

    <click>
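Added example (not CTA's implementation): trust modeling as a running per-cluster average with a dynamic, volume-based threshold, in Python on a constructed traffic mix. cluster_key() stands in for the n-dimensional flow space (the three grouping properties are an assumption), TrustModel.observe() folds per-request anomaly scores into a long-term cluster average, and TrustModel.select() keeps the most anomalous clusters that together stay within about 1% of all requests, so the threshold moves with the traffic. The sample reproduces the six-thousand-and-one case from the note: one normal-looking request does not pull the cluster back under the threshold.

```python
from collections import defaultdict


def cluster_key(host, method, path):
    """Map a request onto a cluster by the properties that make flows look alike.
    CTA uses an n-dimensional space of web-flow properties; the three used here
    (host, method, extension of the last path segment) are an assumption."""
    last = path.rsplit("/", 1)[-1]
    ext = last.rsplit(".", 1)[-1].lower() if "." in last else ""
    return (host, method, ext)


class TrustModel:
    """Long-term average anomaly score per cluster, updated as requests arrive."""

    def __init__(self):
        self._sum = defaultdict(float)   # running sum of anomaly scores per cluster
        self._n = defaultdict(int)       # number of requests seen per cluster

    def observe(self, key, score, count=1):
        """Fold `count` requests carrying the same per-request anomaly score into the cluster."""
        self._sum[key] += score * count
        self._n[key] += count

    def cluster_score(self, key):
        return self._sum[key] / self._n[key]

    def total_requests(self):
        return sum(self._n.values())

    def select(self, fraction=0.01):
        """Dynamic threshold: walk clusters from most to least anomalous and keep them
        while their combined request count fits within `fraction` of all traffic.
        Returns (threshold, selected cluster keys); the threshold is the lowest
        cluster score that was kept."""
        if not self._n:
            return 1.0, []
        budget = fraction * self.total_requests()
        ranked = sorted(self._n, key=self.cluster_score, reverse=True)
        chosen, used = [], 0
        for key in ranked:
            if chosen and used + self._n[key] > budget:
                break
            chosen.append(key)
            used += self._n[key]
        return min(self.cluster_score(k) for k in chosen), chosen


def build_sample_model():
    """Constructed traffic mix (not data from the deck): a large benign CDN cluster,
    an update cluster with occasional single-request spikes, and one small cluster
    that 6,000 times looked anomalous and once looked normal."""
    model = TrustModel()
    cdn = cluster_key("cdn.example-media.test", "GET", "/img/logo.png")
    upd = cluster_key("update.example-vendor.test", "GET", "/v2/patch.bin")
    tun = cluster_key("x7k2q9.example-rare.test", "GET", "/a/QQQQ")
    model.observe(cdn, 0.05, count=500_000)
    model.observe(upd, 0.15, count=99_900)
    model.observe(upd, 0.85, count=100)      # detector spikes on individual requests
    model.observe(tun, 0.90, count=6_000)    # six thousand similar anomalous requests
    model.observe(tun, 0.10)                 # request six thousand and one looks normal
    return model, {"cdn": cdn, "updates": upd, "tunnel": tun}


if __name__ == "__main__":
    model, keys = build_sample_model()
    for name, key in keys.items():
        print(f"{name:8s} cluster score {model.cluster_score(key):.3f}")
    threshold, chosen = model.select(0.01)
    print(f"dynamic threshold {threshold:.3f}; clusters passed on: {chosen}")
```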
  • As mentioned, the results of Trust Modeling are used to select a small subset of traffic.

    This statistically anomalous subset is classified into 100 or more categories. Most classifiers are based on individual behavior, on group relationships, or on behavior at a global or local scale, while others are very specific. For example, a classifier may indicate command and control traffic, a suspicious extension, or a legitimate software update.

    The output of this phase is a set of classified anomalous events with security relevance.

    T: In the next phase, these events are attributed to specific entities in order to identify threats.

    <click>
  • If the amount of evidence supporting the malicious hypothesis about a specific entity exceeds the significance threshold, a threat is created. The classified events that contributed to the threat creation are linked to that threat, and become part of a long-term discrete model of the entity.

    <click>

    As evidence accumulates over time, the system creates new threats when the significance threshold is reached. This threshold is dynamic and intelligently adjusts based on threat risk level and other factors.

    The threat is then visible in the web GUI and is available via STIX/TAXII API, including subsequent (post-threat creation) activities of the suspected hosts.

    T: The threats created in the Entity Modeling phase continue on to the next layer: Relationship Modeling.

    <click>
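Added example (not CTA's classifiers or entity model) covering the Event Classification and Entity Modeling notes above, in Python on constructed events. Four toy classifiers label an anomalous request as a software update, data tunneling via URL (a long, high-entropy path segment), a generated-looking host name, or a suspicious download extension; EntityModel.ingest() then accumulates risk-weighted evidence per entity, opens a threat when the significance threshold is reached, and links later activity of the same entity to that open threat. The evidence weights, the base threshold of 4.0 and the lowered 3.0 threshold when high-risk evidence is present are assumptions; the update-host allow-list and all events are constructed, with the long path segments modelled on the encrypted C&C URL shown later in the deck.

```python
import math
from collections import defaultdict

# Constructed anomalous events that already passed anomaly detection and trust
# modeling: (entity, destination host, URL path). Made-up values, not data from the
# deck; the long path segments are modelled on the encrypted C&C URL shown later in it.
EVENTS = [
    ("winnt://user1", "update.example-vendor.test", "/v2/patch.bin"),
    ("winnt://user1", "cdn.example-media.test", "/img/logo.png"),
    ("winnt://user2", "x7k2q9.example-rare.test",
     "/MG/6XYZCn5dkOpx7yzQbqbmefOBUM9H97ymDGPZX8inI56FK0XHGs6uRF5zaWKXZxmdVbs"),
    ("winnt://user2", "x7k2q9.example-rare.test",
     "/MG/91AgesgFarBDRYRCqEia8roqlRl77ZucRB4sLOlkpoG5d44OZ95VO6pVjtKVAj0SIOXHGFTr7w5jqe46Kz4"),
    ("winnt://user2", "qz8vk1xw3p.example-rare.test", "/c/"),
    ("winnt://user3", "files.example-share.test", "/dl/invoice.pdf.exe"),
]

UPDATE_HOSTS = {"update.example-vendor.test"}   # assumed allow-list of update servers
RISK = {                                        # assumed evidence weight per label
    "data tunneling via url": 3.0,
    "domain generated algorithm": 2.0,
    "suspicious extension": 1.0,
    "software update": 0.0,                     # legitimate: contributes no evidence
}


def entropy(s):
    """Shannon entropy of a string, in bits per character."""
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def classify_event(event):
    """Apply each toy classifier; returns the labels that fired (possibly none)."""
    _, host, path = event
    labels = []
    if host in UPDATE_HOSTS:
        labels.append("software update")                # keep as legitimate
    last = path.rstrip("/").rsplit("/", 1)[-1]
    if len(last) >= 40 and entropy(last) >= 4.0:
        labels.append("data tunneling via url")         # long, high-entropy path segment
    label = host.split(".")[0]
    vowels = sum(ch in "aeiou" for ch in label)
    if len(label) >= 6 and any(ch.isdigit() for ch in label) and vowels / len(label) < 0.2:
        labels.append("domain generated algorithm")     # digits, no vowels: generated-looking
    if last.lower().endswith((".exe", ".scr", ".dll")) and host not in UPDATE_HOSTS:
        labels.append("suspicious extension")
    return labels


class EntityModel:
    """Attributes classified events to entities and opens a threat once the evidence
    for the malicious hypothesis crosses the significance threshold."""
    BASE_THRESHOLD = 4.0   # assumed; lowered to 3.0 when high-risk evidence is present

    def __init__(self):
        self.evidence = defaultdict(float)   # accumulated risk weight per entity
        self.pending = defaultdict(list)     # classified events not yet linked to a threat
        self.threats = []
        self._open = {}                      # entity -> its open threat

    def ingest(self, event):
        """Classify one event and update the entity; returns a newly created threat or None."""
        entity = event[0]
        labels = classify_event(event)
        weight = sum(RISK[l] for l in labels)
        if weight == 0.0:
            return None                      # legitimate or unclassified: no evidence
        if entity in self._open:             # post-creation activity links to the threat
            self._open[entity]["events"].append((event, labels))
            return None
        self.evidence[entity] += weight
        self.pending[entity].append((event, labels))
        high_risk = any(RISK[l] >= 3.0 for _, ls in self.pending[entity] for l in ls)
        threshold = 3.0 if high_risk else self.BASE_THRESHOLD
        if self.evidence[entity] < threshold:
            return None
        threat = {"entity": entity,
                  "labels": sorted({l for _, ls in self.pending[entity] for l in ls}),
                  "evidence": self.evidence[entity],
                  "events": self.pending.pop(entity)}
        self.threats.append(threat)
        self._open[entity] = threat
        return threat


def run_pipeline(events):
    model = EntityModel()
    for ev in events:
        model.ingest(ev)
    return model


if __name__ == "__main__":
    model = run_pipeline(EVENTS)
    for t in model.threats:
        print(t["entity"], "|".join(t["labels"]), "events linked:", len(t["events"]))
    print("evidence still pending:", dict(model.evidence))
```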
  • The previous layers are capable of detecting both known and unknown threats. The goal of Relationship Modeling is to associate threats to known malware campaigns, in order to separate them from unknown threats that require different investigation and incident response processes.

    The system uses Relationship Modeling so that it can identify that several independent threat actors use identical or similar malware components, and is able to distinguish between them.

    In this example...

    <click>

    At Company A, we see two incidents of Threat Type 1 that are attributed to the same attack node. The attack node is either a domain or IP address. These two incidents are linked based on the local behavioral similarity of the threats.

    At Company B, we see an incident of Threat Type 1 attributed to a different attack node. This incident is linked to the incidents at Company A based on global behavioral similarity.

    At Company C, we see Threat Type 2. Because this incident is behaviorally similar to the incidents we see in Companies A and B, they are linked. We can extrapolate that they share threat infrastructure because similarly behaving threats came from different attack nodes.

    To summarize, relationship modeling is based on the behavioral similarity of incidents.

    T: Building this relationship model between incidents allows you to map the full threat infrastructure of the threat campaign.

    <click>  
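Added example (not CTA's relationship model): the Company A/B/C walkthrough above as Python, with a fourth, unrelated incident at Company D to show a one-off threat staying separate from the campaign. link_reason() applies the three link types from the note (same threat type and attack node, same threat type via another node, different threat types whose behaviour vectors are close; the 0.9 cosine cut-off and the feature vectors are assumptions), build_campaigns() merges the links with union-find, and campaign_infrastructure() lists the attack nodes the campaign shares. Incident ids, companies, nodes and vectors are constructed.

```python
import math
from collections import defaultdict

# Constructed incidents reproducing the deck's Company A/B/C walkthrough, plus an
# unrelated incident at Company D. Fields: id, company, threat type, attack node
# (domain or IP), behavioural feature vector (made-up values, not data from the deck).
INCIDENTS = [
    ("A-1", "Company A", "Threat Type 1", "node-1.example-rare.test",  (0.90, 0.80, 0.10, 0.70)),
    ("A-2", "Company A", "Threat Type 1", "node-1.example-rare.test",  (0.85, 0.80, 0.15, 0.70)),
    ("B-1", "Company B", "Threat Type 1", "203.0.113.7",               (0.90, 0.75, 0.10, 0.65)),
    ("C-1", "Company C", "Threat Type 2", "198.51.100.12",             (0.80, 0.70, 0.20, 0.60)),
    ("D-1", "Company D", "Threat Type 3", "node-9.example-other.test", (0.10, 0.10, 0.90, 0.00)),
]


def cosine(u, v):
    dot = sum(a * b for a, b in zip(u, v))
    return dot / (math.sqrt(sum(a * a for a in u)) * math.sqrt(sum(b * b for b in v)))


def link_reason(a, b, similarity_threshold=0.9):
    """Why two incidents are linked, in the deck's terms, or None if they are not.
    The 0.9 cosine cut-off for 'behaves alike' is an assumption."""
    _, _, type_a, node_a, beh_a = a
    _, _, type_b, node_b, beh_b = b
    if type_a == type_b and node_a == node_b:
        return "local behavioral similarity"       # same threat, same attack node
    if type_a == type_b:
        return "global behavioral similarity"      # same threat seen via another node
    if cosine(beh_a, beh_b) >= similarity_threshold:
        return "shared threat infrastructure"      # different threat types behaving alike
    return None


def build_campaigns(incidents):
    """Link incidents pairwise and merge the links into campaigns (union-find).
    Returns (campaigns as sorted lists of incident ids, list of (id, id, reason))."""
    parent = {inc[0]: inc[0] for inc in incidents}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]    # path halving
            x = parent[x]
        return x

    links = []
    for i, a in enumerate(incidents):
        for b in incidents[i + 1:]:
            reason = link_reason(a, b)
            if reason:
                links.append((a[0], b[0], reason))
                parent[find(a[0])] = find(b[0])
    groups = defaultdict(list)
    for inc in incidents:
        groups[find(inc[0])].append(inc[0])
    return sorted(sorted(g) for g in groups.values()), links


def campaign_infrastructure(incidents, campaign):
    """Attack nodes (domains/IPs) used across one campaign: the mapped threat infrastructure."""
    return sorted({inc[3] for inc in incidents if inc[0] in campaign})


if __name__ == "__main__":
    campaigns, links = build_campaigns(INCIDENTS)
    for a, b, reason in links:
        print(f"{a} <-> {b}: {reason}")
    for campaign in campaigns:
        label = "campaign" if len(campaign) > 1 else "one-off (unknown) threat"
        print(label, campaign, "infrastructure:", campaign_infrastructure(INCIDENTS, campaign))
```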
  • Here’s an example of a modern attack utilizing Domain Generation Algorithms, or DGA, and data tunneling to communicate with domains.

    The attacker maintains five servers distributed across various countries. Some of these servers function as a command and control channel and others are used to send captured data.

    Domain registrations can be automated so we can see one of the domains has an age of 1 day. Time plays an important role here, because global Web Reputation will start picking up the malicious activity and lower this domain’s score quite quickly.

    The current reputation scores reveal that some of the infrastructure has been detected as malicious and blocked by Web Reputation, while others may have a good or unknown reputation, but may be blocked by the antivirus engines or Outbreak Intelligence, or even by AMP.

    The rest of the infrastructure is not blocked and this is where CTA comes to play. Not only will it flag those servers and domains but also shed light on how big the campaign is and how it evolved over time.

    T: Now that we’ve detailed the individual layers of CTA’s breach detection technology, let’s look at the process from a high level.

    <click>
  • Thank you.

    <Click>
  • Identify Zero-Day Breaches with Cognitive Threat Analytics on Cisco Web Security

    1. Petr Cernohorsky, Product Manager, October 2015. Identify Zero-Day Breaches with Cognitive Threat Analytics (CTA) on Cisco Web Security
    2. There’s a new cyber-threat reality: Your environment will get breached. You’ll most likely be infected via email. Hackers will likely command and control your environment via web.
    3. CTA & AMP on Cisco Web Security (architecture diagram). Deployment points: Campus Office (ASA, Standalone WSA, ISR G2), Branch Office, Roaming User (AnyConnect), HQ (Admin, Reporting, Log Extraction, Management, STIX / TAXII APIs). Traffic redirections to Talos-backed web security with verdicts Allow, Warn, Block, Partial Block. Controls: Web Reputation, Web Filtering, Application Visibility & Control, Anti-Malware, File Reputation, Webpage Outbreak Intelligence, Dynamic Malware Analysis, File Retrospection, and CTA (Cognitive Threat Analytics) in the After phase.
    4. The same diagram with the three CTA/AMP layers overlaid. Layer 1: File Reputation (AMP); Anomaly detection, Trust modeling (CTA). Layer 2: Dynamic Malware Analysis, File Retrospection (AMP); Event classification, Entity modeling (CTA). Layer 3: Relationship modeling (CTA).
    5. CTA & AMP Working Together (diagram). AMP: increase resistance against direct attacks from the web with File reputation, Dynamic Malware Analysis, File retrospective. CTA: identify breaches using anomaly detection and network traffic analysis; visibility into threats that may have bypassed the web infection vector, like infected email, USB stick or guest devices. Diagram labels: direct attack from the web, infected email or USB stick, threat infrastructure, Command & Control, Domain Generated Algorithm, Tunneling, File rep, Web rep, STIX / TAXII (APIs), Admin.
    6. Cognitive Threat Analytics: Layered Processing Engine & Scalable Cloud Infrastructure. Layer 1 (Anomaly detection, Trust modeling): 10B requests per day, anomalous web requests (flows). Layer 2 (Event classification, Entity modeling): malicious events (flow sequences). Layer 3 (Relationship modeling): 20K incidents per day, threat incidents (aggregated events). Axis labels: Recall, Precision.
    7. Cognitive Threat Analytics for CWS, WSA, and External Telemetry: Breach Detection & Advanced Threat Visibility. Input telemetry (web access logs) from Cisco WSA (Web Security Appliance), Cisco CWS (Cloud Web Security) and External Telemetry (BlueCoat Sec. GW) flows into Cisco Cognitive Threat Analytics (CTA), which produces Confirmed Threats, Detected Threats and Threat Alerts for Incident Response and feeds SIEMs (Splunk, ArcSight, Q1 Radar, ...) over the STIX / TAXII API. Packaging: CTA a-la-carte; ATD bundle = CTA & AMP; WSP bundle = CWS & ATD.
    8. CTA presents results in two categories: Confirmed Threats. Confirmed Threats - Threat Campaigns: threats spanning across multiple users; 100% confirmed breaches; for automated processing leading to fast reimage / remediation; contextualized with additional Cisco Collective Security Intelligence.
    9. AMP Threat Grid augments CTA reporting. AMP Threat Grid aids forensic work on the endpoint by presenting: associated threat artifacts from AMP Threat Grid, exhibiting network behaviors matching the CONFIRMED CTA threat; content security signatures for these associated threat samples globally; insights into exactly what a threat is doing (end-point behaviors).
    10. CTA presents results in two categories: Detected Threats. Detected Threats - One-off Threats: unique threats detected for individuals; suspected threat confidence and risk levels provided; for semi-automated processing; very little or no additional security context exists.
    11. Here’s an example of how it works (pipeline diagram). Near real-time processing: 10B requests per day, of which +/- 1% is anomalous, become 10M events per day and 1K-50K incidents per day. Stages: Anomaly Detection; Trust Modeling (Cluster 1, 2, 3); Classification (Classifier A, H, K, M, X, Z); Entity Modeling; Relationship Modeling. Output: CONFIRMED threats (spanning multiple users) and DETECTED threats (unique).
    12. CTA Deep-Dive
    13. Identify suspicious traffic with Anomaly Detection (diagram of requests labelled Normal, Unknown, Anomalous). 10B+ requests are processed daily by 40+ detectors. Each detector provides its own anomaly score. Aggregated scores are used to segregate the normal traffic.
    14. Anomaly Detection: single detector vs. multiple detectors & Trust Modeling. Each HTTP(S) request is scanned by 40+ detectors, each with a unique algorithm. Multiple detectors increase the statistical significance of the anomaly score, reducing the number of false negatives and false positives. Charts (examples of Anomaly Detection output, HTTP, real and synthetic malware): number of web requests against anomaly score from 0 to 1.0, with a dynamic threshold separating Normal from Anomalous; the single-detector chart shows false negatives and false positives, the multiple-detector chart one residual false positive (later removed after further processing).
    15. Reduce false positives with Trust Modeling (diagram of request clusters labelled Anomalous, Normal, Unknown). HTTP(S) requests with similar attributes are clustered together. Over time, the clusters adjust their overall anomaly score as new requests are added.
    16. Categorize requests with Event Classification. Outcomes: Keep as legitimate, Alert as malicious, Keep as suspicious. Example classifications: Media website, Software update, Certificate status check, Tunneling, Domain generated algorithm, Command and control, Suspicious extension, Repetitive requests, Unexpected destination. 100+ classifiers are applied to a small subset of the anomalous and unknown clusters. Requests’ anomaly scores update based on their classifications.
    17. Attribute anomalous requests to endpoints and identify threats with Entity Modeling (diagram of per-endpoint request sequences, some marked THREAT). A threat is triggered when the significance threshold is reached. New threats are triggered as more evidence accumulates over time.
    18. Determine if a threat is part of a threat campaign with Relationship Modeling (diagram). Phase 1: Company A, Threat Type 1, two incidents on Attack Node 1, local behavioral similarity. Phase 2: Company B, Threat Type 1, Attack Node 2, global behavioral similarity (similarity correlation). Phase 3: Company C, Threat Type 2, local & global behavioral similarity (infrastructure correlation): shared threat infrastructure.
    19. How CTA analyzes a threat (diagram: CTA analyzing web access logs at the web perimeter). Attacker techniques: Domain Generation Algorithm (DGA) and data tunneling via URL (C&C); active channels labelled DGA and C&C. Per-domain Webrep and AV verdicts (+, 0, -) shown next to domain ages of 2 weeks, 2 weeks, 3 hours and 1 day.
    20. STIX / TAXII API
    21. CTA Exports: STIX / TAXII API. TAXII Log Adapter: https://github.com/CiscoCTA/taxii-log-adapter. Flow: CTA Incident, Poll Service, Transform Adapter, STIX formatted CTA threat intelligence.
    22. CTA Exports: STIX Sample Message Payload. 1: CTA CONFIRMED threat campaign. 2: CTA CONFIRMED or DETECTED threat incident. 3: Malicious events (flow sequences). 4: Anomalous web requests.
    23. CTA Exports: STIX Language Mapping (visualized with https://github.com/STIXProject/stix-viz). The excerpt on the slide begins mid-element and is cut off at the end:

        id="cta:package-1412045744-4e3681cb-c188-4893-84bc-500aac2da0a0"
        timestamp="2014-11-14T07:20:00.300Z" version="1.1.1">
        <stix:STIX_Header>
          <stix:Information_Source>
            <stixCommon:Tools>
              <cyboxCommon:Tool id="cta:tool-CTA">
                <cyboxCommon:Name>Cognitive Threat Analytics</cyboxCommon:Name>
                <cyboxCommon:Vendor>Cisco</cyboxCommon:Vendor>
              </cyboxCommon:Tool>
              <cyboxCommon:Tool id="cta:tool-AMP">
                <cyboxCommon:Name>Advanced Malware Protection</cyboxCommon:Name>
                <cyboxCommon:Vendor>Cisco</cyboxCommon:Vendor>
              </cyboxCommon:Tool>
            </stixCommon:Tools>
          </stix:Information_Source>
        </stix:STIX_Header>
        <stix:Incidents>
          <stix:Incident xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="incident:IncidentType"
              id="cta:incident-1412045744-1412045744_f8bae03fb2ff7164a0536a67766e_malware$7Ctransferring+data+through+url_0.75">
            <incident:Title>malware|transferring data through url</incident:Title>
            <incident:Time>
              <incident:First_Malicious_Action>2014-11-09T22:09:37.149Z</incident:First_Malicious_Action>
            </incident:Time>
            <incident:Victim>
              <stixCommon:Name>f8bae03fb2ff7164a0536a67766e</stixCommon:Name>
            </incident:Victim>
            <incident:Leveraged_TTPs>
              <incident:Leveraged_TTP>
                <stixCommon:TTP xsi:type="ttp:TTPType">
                  <ttp:Title>favicon</ttp:Title>
                </stixCommon:TTP>
              </incident:Leveraged_TTP>
              <incident:Leveraged_TTP>
                <stixCommon:TTP xsi:type="ttp:TTPType">
                  <ttp:Title>data tunneling over https</ttp:Title>
    24. 24. CTA Examples
    25. 25. Breach Detection: Ransomware 1 Feb 25 Mar 1 Mar 21 Mar 24 Mar 25 Apr 4 Threat activity continuously detected by CTA ! CTA Detection AV removing trojan AV signatures updated & trojan removed Worm removed by daily scan CryptoLocker confirmed & endpoint sent for reimage Example < Malware operational for more than 20 days > Time AV removing worm & signatures found outdated
26. Example 1: Threat Detail (Zeus)

THREAT 9 | 100% confidence | AFFECTING 3 users

Local Context: First detected in your network on Mar 11, 2015 and last observed on Apr 14, 2015. A total of 3 users have shown this threat behavior in the last 45 days.

Global Context: Also detected in 5+ other companies, affecting 10+ other users. Threat related to the Zeus Trojan horse malware family, which is persistent, may have rootkit capability to hide its presence, and employs various command-and-control mechanisms. Zeus malware is often used to track user activity and steal information by man-in-the-browser keystroke logging and form grabbing. Zeus malware can also be used to install CryptoLocker ransomware to steal user data and hold data hostage.

Recommended action: Perform a full scan for the record and then reimage the infected device.
27. Example 1: Activities, Domains, IPs and Autonomous Systems

THREAT 9 | 100% confidence | AFFECTING winnt://emeauser1

Activities (8), score first:
- 9  Url string as communication channel (2 entries)
- 6  Http traffic to ip address (no domain…) (6 entries)

Domains (8) / IPs (8), all bare IP addresses: 95.211.239.228, 85.25.116.167, 54.240.147.123, 54.239.166.104, 63.234.248.204, 54.239.166.69, 63.235.36.156, 54.240.148.64

Autonomous systems (5): Amazon.com, Inc; LeaseWeb B.V.; intergenia AG; Qwest communication…; Amazon.com Tech Tel…

Encrypted Command & Control, sample request (as far as the slide prints it):
http://95.211.239.228/MG/6XYZCn5dkOpx7yzQbqbmefOBUM9H97ymDGPZ+X8inI56FK/0XHGs6uRF5zaWKXZxmdVbs91AgesgFarBDRYRCqEi+a8roqlRl77ZucRB4sLOlkpoG5d44OZ95VO6pVjtKVAj0SIOXHGFTr7+w5jqe46Kz4//NDHGJw6C2L2hCLEExuNJaeA9wtSRmOgxVg9NhpJXK7oD8dTDoGOD46zWaWDDpQ9zNdmhNtmOfeWA3xxgZ9KzDpd7SVUnzATdD3E1USpWmkpsYsGkTE8fVQ692WQd8h2cRp+KHDg8F2ECZlcDXGOPQPU9TrWFw…
28. Breach Detection: Malvertising BotNet (Example 2)

- Malvertising from browser add-ons collects huge rewards
- Sophisticated code paired with refined business model
- Cisco security finds close to 2000 users affected & 4000+ add-on variants!

Chart: Number of affected users per month (Jan. through Nov. 2014), over 70 companies and 11 months with 886,646 users in total; maximum affected in a single month 1,751 (Nov. 2014). Source: Cisco Security Research, June 2014.
29. Example 2: Activities, Domains and IPs

THREAT 100% confidence | AFFECTING winnt://emeauser26

Activities (5), score first (four visible on the slide):
- 7  anomalous http traffic (2 entries)
- 7  Url string as communication channel (2 entries)

Domains (10), visible: veterance.com, veterances.net, Getjpi77.info, probookmynew.us, skyfunnjobbest.info, Versiontraffic.com, filehelper.co.il, appzappzappz.com

IPs (3): 54.68.144.135, 54.69.230.10, 54.68.109.54

Autonomous systems (0)

Encrypted Command & Control, sample requests (defanged):
hXXp://getjpi77.info/sync2/?q=hfZ9oeZHrjYMCyVUojC6qGhTB6lKDzt4ok8gtNtVh7n0rjnEpjwErjrGrHrEtMFHhd9Fqda4rjaFqTr6qjaMDMlGojUMAe4UojkFrdg5rjwEqjnGrTw5pjY4qHYMC6qUojk7pdn5rHY9pdUHqjwFrdUGqTCMWy4ZBek0nMlHDwmPC7qLDe49nfbEtMZPhd99qdg5qHn5qHk5rdUErjg4rHkGtM0HAen0qTaFtMVKC6n0rTwMgNr0rn%3D%3D&amse=hs18&xname=BestDiscountApp
hXXp://getjpi77.info/sync2/?q=ext=hs18&pid=777&country=MX&regd=140910132330&lsd=140910163750&ver=9&ind=5106811054221898978&ssd=5684838489351109267&xname=BestDiscountApp&hid=4468748758090169352&osid=601&inst=21&bs=1%3D%3D&amse=hs18&xname=BestDiscountApp
30. Breach Detection: Qakbot Worm (Example 3)

- Constantly adapting TTP to avoid detection
- Active since 2011; taken down in 2014, only to re-emerge
- 500,000+ infected computers & significant profits from fraud
- Rootkit-capable to hide its presence; can spread through network shared drives and removable storage devices
- Steals user data and login credentials; may open a backdoor to track user activity or deliver additional malicious code
31. Example 3: Activities, Domains, IPs and Autonomous Systems

THREAT 100% confidence | AFFECTING winnt://emeauser39

Activities (10), seven visible, all "Communication to automatically gener…", with scores 9, 8, 8, 8, 8, 8, 8

Domains (18), visible: bnhrtqbyaujiujosnevtvn.info, ehawgbpcjefdjzxohshnmu.com, hwtmnipazuwtghl.biz, ibxyfokmjbxyfqikjiis.org, iyulawjlxbltrsut.com, julfmuljitllgtnop.biz, kkgjxxpt.biz, qfvkuoiasjqbmqrwx.info, vmdekoznnkqmerkch.net, wqdiulsyylepifnbkyatwqcr.com, olbkpxtpgckuoaharw.biz, vwnlzeuaaygbgahiwrmxsp.biz, rgfxyewwsvtaobjbdlxc.infio

IPs (7), visible: 5.2.189.251, 86.124.164.25, 54.72.9.51, 69.89.31.210, 74.220.207.180

Autonomous systems (4), visible: Amazon.com, Inc; RCS & RDS SA; Unified Layer
32. Example 4: Threat Detail (Dridex)

THREAT 9 | 100% confidence | AFFECTING 1 user

Local Context: The threat was first detected in your network on Mar 15, 2015 and last observed on Apr 17, 2015. A total of 1 user has shown this threat behavior within the past 45 days.

Global Context: Also detected in 5+ other companies, affecting 5+ other users. Threat related to Dridex. Typically spread through spam campaigns, Dridex is a banking trojan whose main goal is to steal confidential information about online banking and other payment systems from the user. The trojan communicates with its command-and-control server using HTTP, P2P, or I2P protocols.

Recommended action: Perform a full scan of the infected device for the record, and then reimage the device.
33. Example 4: Activities, Domains, IPs and Autonomous Systems

THREAT 100% confidence | AFFECTING winnt://emeauser49

Activities (14), all with score 9 (13 visible on the slide):
- Anomalous http traffic (2 entries)
- Communication to automatically gener… (3 entries)
- Http traffic to ip address (no domain…) (3 entries)
- Url string as communication channel (5 entries)

Domains (10): qcnbmfvglhxlrorqolfxaeh.org, 95.211.239.228, 85.25.116.167, retufator.com, 188.138.1.96, krjbjccop.com, 94.242.233.162, 184.107.255.138, 193.105.134.63, 79.103.160.138

IPs (10): 54.83.43.69, 95.211.239.228, 85.25.116.167, 178.162.209.40, 188.138.1.96, 94.242.233.162, 184.107.255.138, 193.105.134.63, 79.103.160.138, 88.208.57.103

Autonomous systems (7): Amazon.com, Inc; LeaseWeb B.V.; intergenia AG; root SA; iWeb Technologies Inc.; Portlane Networks AB; Telenor Norge AS
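The activity labels in Examples 1 to 4 above ("Http traffic to ip address (no domain…)", "Url string as communication channel", "Communication to automatically gener…") come from CTA's own classifiers, which the slides do not describe. As an added illustration, and not Cisco's code, the following Python scores single proxy requests with three cheap stand-in heuristics: a bare-IP host, a long high-entropy URL string, and a vowel-poor or consonant-heavy registrable domain label. The thresholds, the label names and the benign record are assumptions; the malicious URLs and the generated-looking domain are taken from the slides (the Example 1 URL as far as the slide prints it, the Example 4 domain with a constructed "/" path).

```python
"""Toy detectors for three activity labels seen in the CTA portal screenshots.
Added example for this page, not CTA's logic; thresholds and label names are assumed."""
import math
import re
from collections import Counter, defaultdict
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

# Constructed proxy records (user, URL).  URLs 1 and 2 are from slides 27 and 29
# (slide 27's as far as it is printed); the domain in record 3 is from slide 33 with
# a constructed "/" path; record 4 is a constructed benign request.
SAMPLE_REQUESTS: List[Tuple[str, str]] = [
    ("winnt://emeauser1",
     "http://95.211.239.228/MG/6XYZCn5dkOpx7yzQbqbmefOBUM9H97ymDGPZ+X8inI56FK/0XHGs6uRF5zaWKXZxmdVbs"
     "91AgesgFarBDRYRCqEi+a8roqlRl77ZucRB4sLOlkpoG5d44OZ95VO6pVjtKVAj0SIOXHGFTr7+w5jqe46Kz4//NDHGJw6"
     "C2L2hCLEExuNJaeA9wtSRmOgxVg9NhpJXK7oD8dTDoGOD46zWaWDDpQ9zNdmhNtmOfeWA3xxgZ9KzDpd7SVUnz"
     "ATdD3E1USpWmkpsYsGkTE8fVQ692WQd8h2cRp+KHDg8F2ECZlcDXGOPQPU9TrWFw"),
    ("winnt://emeauser26",
     "hXXp://getjpi77.info/sync2/?q=hfZ9oeZHrjYMCyVUojC6qGhTB6lKDzt4ok8gtNtVh7n0rjnEpjwErjrGrHrEtMFHhd9Fqda4rja"
     "FqTr6qjaMDMlGojUMAe4UojkFrdg5rjwEqjnGrTw5pjY4qHYMC6qUojk7pdn5rHY9pdUHqjwFrdUGqTCMWy4ZBek0nMlH"
     "DwmPC7qLDe49nfbEtMZPhd99qdg5qHn5qHk5rdUErjg4rHkGtM0HAen0qTaFtMVKC6n0rTwMgNr0rn%3D%3D&amse=h"
     "s18&xname=BestDiscountApp"),
    ("winnt://emeauser49", "http://qcnbmfvglhxlrorqolfxaeh.org/"),
    ("winnt://emeauser1", "http://www.cisco.com/go/cognitive"),
]


def shannon_entropy(s: str) -> float:
    """Bits per symbol of the empirical character distribution of s."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def longest_consonant_run(label: str) -> int:
    return max((len(r) for r in re.findall(r"[b-df-hj-np-tv-z]+", label)), default=0)


def looks_generated(host: str) -> bool:
    """Cheap DGA test on the registrable label: long and either vowel-poor or with a
    long consonant run.  Thresholds assumed; pronounceable DGA output such as
    retufator.com on slide 33 passes this test."""
    labels = host.lower().split(".")
    if len(labels) < 2:
        return False
    label = labels[-2]
    if len(label) < 10:
        return False
    vowel_ratio = sum(ch in "aeiou" for ch in label) / len(label)
    return vowel_ratio < 0.3 or longest_consonant_run(label) >= 5


def classify(url: str) -> List[str]:
    """Labels a single request triggers; accepts defanged hXXp:// as on the slides."""
    parts = urlsplit(re.sub(r"^h[xX]{2}p", "http", url))
    host = parts.hostname or ""
    labels: List[str] = []
    if IPV4.match(host):
        labels.append("http-traffic-to-ip-address")
    elif looks_generated(host):
        labels.append("communication-to-generated-domain")
    payload = parts.path + parts.query
    # Long, near-random path/query: data or commands carried in the URL itself.
    if len(payload) >= 64 and shannon_entropy(payload) >= 4.0:
        labels.append("url-string-as-communication-channel")
    return labels


def summarise(requests: List[Tuple[str, str]]) -> Dict[str, Dict[str, int]]:
    """Per-user label counts, the view the portal's 'Affecting / Activities' panel gives."""
    per_user: Dict[str, Counter] = defaultdict(Counter)
    for user, url in requests:
        for label in classify(url):
            per_user[user][label] += 1
    return {user: dict(counts) for user, counts in per_user.items()}


if __name__ == "__main__":
    for user, counts in summarise(SAMPLE_REQUESTS).items():
        print(user, counts)
```

Run as-is, emeauser1, emeauser26 and emeauser49 each come out with the kind of activity the portal assigned them and the benign Cisco request triggers nothing. The limits are the point: retufator.com from Example 4 is pronounceable and passes the domain test, and the Example 2 beacon would be hard to tell from an ad-tech tracker on URL length alone. That is why the portal pairs every score with local context (how many users, since when) and global context (seen in how many other companies) on slides 26 and 32, rather than firing on a single request feature.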
34. Call to Action
35. Current CWS and WSA customers: try a free evaluation of Cognitive Threat Analytics (CTA)
https://cisco.com/go/websecurity
https://cisco.com/go/cognitive
Net-new customers above 1000 seats: contact your local sales representative for an evaluation.