Introducing Cognitive Threat Analytics (CTA), Cisco's automated breach detection technology based on statistical modeling and machine learning of network traffic behaviors, whose goal is to identify end-user devices within the monitored network that from network perspective do not represent a communication of a legitimate human user behind their web browser, but actually represent a malware-infected (breached) device establishing its command & control communication to an external malicious infrastructure. The CTA technology produces actionable security intelligence for security operations and threat research to act on. The STIX/TAXII API standards are being used for the security intelligence interchange. An integration is available with the leading SIEM vendors and other STIX/TAXII compliant clients.

1. June 2015
Product Manager
Cognitive Threat Analytics
Behavioral Breach Detection &
Security Intelligence Interchange via TAXII/STIX API
Petr Cernohorsky

2. 2© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
There’s a new cyber-threat reality
Hackers will likely
command and control
your environment via web
You’ll most likely be
infected via email
Your environment
will get breached

3. 3© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Only Cisco Cloud Web Security Premium
delivers full threat visibility
BEFORE
Discover
Enforce
Harden
DURING
Detect
Block
Defend
AFTER
Scope
Contain
Remediate
Web Filtering
Web Reputation
Application Visibility &
Control
Anti-Malware
Outbreak Intelligence
File Reputation
(AMP)
Dynamic Malware Analysis
(AMP)
File Retrospection
(AMP)
Cognitive Threat Analytics
(CTA)

4. 4© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Web
Reputation
Web
Filtering Application
Visibility &
Control
Before
Cisco Cloud Web Security (CWS)Talos
www
Roaming UserBranch Office
www www
Allow Warn Block Partial Block
Campus Office
ASA StandaloneWSA ISR G2 AnyConnect
Admin
Traffic
Redirections
www
HQ
Reporting
Log Extraction
Management
STIX / TAXII (APIs)
CTA
Anti-
Malware
File
Reputation
Webpage
Outbreak
Intelligence
After
During
www.website.com
Dynamic
Malware
Analysis
File
Retrospection
Cognitive
Threat Analytics
CWS PREMIUM
CTA Layered Detection Engine
Layer 1
CTA
Anomaly
detection
Trust
modeling
Layer 2
Event
classification
Entity modeling
CTA
Layer 3
Relationship
modeling
CTA
1K
incidents
per day
After
10B
requests
per day
Recall Precision
Anomalous
Web requests (flows)
Threat
Incidents (aggregated events)
Malicious
Events (flow sequences)

5. 5© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Layer 1
During After
Layer 2
AMP
CTA
CWS PREMIUM
AMP
CTA
Layer 3
File Reputation Anomaly
detection
Trust
modeling
Event classification Entity modeling
Dynamic
Malware
Analysis
File
Retrospection
Relationsh
CTA
Identify suspicious traffic with Anomaly
Detection
Normal
Unknown
Anomalous
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
Anomaly Detection
10B+ requests are processed
daily by 40+ detectors
Each detector provides its
own anomaly score
Aggregated scores are used to
segregate the normal traffic

6. 6© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Layer 1
During After
Layer 2
AMP
CTA
AMP
CTA
Layer 3
File Reputation Anomaly
detection
Trust
modeling
Event classification Entity modeling
Dynamic
Malware
Analysis
File
Retrospection
Relationsh
CTA
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
Reduce false positives with Trust Modeling
Anomalous
Normal
Unknown
Unknown
Normal
Unknown
Unknown
Unknown
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
RequestHTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
RequestHTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
Trust Modeling
HTTP(S) requests with similar attributes are
clustered together
Over time, the clusters adjust their overall anomaly
score as new requests are added

7. 7© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Layer 1
During After
Layer 2
AMP
CTA
AMP
CTA
Layer 3
File Reputation Anomaly
detection
Trust
modeling
Event classification Entity modeling
Dynamic
Malware
Analysis
File
Retrospection
Relationsh
CTA
Categorize requests with Event Classification
Keep as legitimate
Alert as malicious
Keep as suspicious
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
Media website
Software update
Certificate status
check
Tunneling
Domain generated
algorithm
Command and control
Suspicious extension
Repetitive requests
Unexpected destination
Event Classification
100+ classifiers are applied to a small subset of the
anomalous and unknown clusters
Requests’ anomaly scores update based on their
classifications

8. 8© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Layer 1
During After
Layer 2
AMP
CTA
CWS PREMIUM
AMP
CTA
Layer 3
File Reputation Anomaly
detection
Trust
modeling
Event classification Entity modeling
Dynamic
Malware
Analysis
File
Retrospection
Relatio
CTA
Attribute anomalous requests to endpoints
and identify threats with Entity Modeling
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
THREAT
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
THREAT HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
THREAT
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
THREAT
HTTP(S)
Request
THREAT
Entity Modeling
A threat is triggered when the significance
threshold is reached
New threats are triggered as more evidence
accumulates over time

9. 9© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Layer 1
During After
Layer 2
AMP
CTA
CWS PREMIUM
AMP
CTA
Lay
File Reputation Anomaly
detection
Trust
modeling
Event classification Entity modeling
Dynamic
Malware
Analysis
File
Retrospection
Relationsh
CTA
Company B
Company C
Determine if a threat is part of a threat
campaign with Relationship Modeling
Attack Node 1
Attack Node 2
Company A Company A Company A
Phase 1 Phase 2 Phase 3
Threat
Type 1
Threat
Type 1
Threat
Type 2
Incident
Incident
Incident
Incident
Similarity Correlation Infrastructure Correlation
Company B
Company C
Company B
Company C
Incident
Incident
Incident
Incident
Incident
Incident
Incident
Incident
Global
behavioral
similarity
Local
behavioral
similarity Local &
global
behavioral
similarity
Shared
threat
infrastructure
Entity Modeling

10. 10© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
CWS
Proxy
How CTA analyzes a threat
0
+
Webrep
AV
domain age: 2 weeks
0
domain age: 2 weeks
-
domain age: 3 hours
-
domain age: 1 day
Domain Generation
Algorithm (DGA)
Data tunneling via
URL (C&C)
DGA
C&C
DGA
DGA
DGA
C&C
Attacker techniques:
Active channels

11. 11© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Utilizing a layered detection engine
CWS PREMIUM
CTA Layered Detection Engine
Layer 1
CTA
Anomaly
detection
Trust
modeling
Layer 2
Event
classification
Entity modeling
CTA
Layer 3
Relationship
modeling
CTA
After
Recall Precision
Anomalous
Web requests (flows)
Threat
Incidents (aggregated events)
Malicious
Events (flow sequences)
IncidentsData
Correlation & Memory
Filtering
Trust Modeling
Unsupervised Learning
Classification / Layer 1
Tunneling via
URL
Generated
Domain
Data Exfiltration
Supervised Learning
Classification / Layer 2
Threat 1
Threat 2
Threat N
Individual Detectors
Detection
Agent 1
Agent 2
Agent 3
Agent N

12. 12© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
CTA presents results in two categories
Confirmed Threats
Confirmed Threats - Threat Campaigns
• Threats spanning across multiple users
• 100% confirmed breaches
• For automated processing leading to fast reimage / remediation
• Contextualized with additional Cisco Collective Security Intelligence

13. 13© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
CTA presents results in two categories
Detected Threats
Detected Threats – One-off Threats
• Unique threats detected for individuals
• Suspected threat confidence and risk levels provided
• For semi-automated processing
• Very little or no additional security context exists

14. 14© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Here’s an example of how it works
Near real-time processing
1K-50K incidents per day10B requests per day +/- 1% is anomalous 10M events per day
HTTP(S)
Request
Classifier X
Classifier A
Classifier H
Classifier Z
Classifier K
Classifier M
Cluster 1
Cluster 2
Cluster 3
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
Cluster 1
Cluster 2
Cluster 3
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
RequestHTTP(S)
Request
HTTP(S)
Request
HTTP(S)
RequestHTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
RequestHTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
Anomaly Detection Trust Modeling Classification Entity Modeling Relationship Modeling
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
CONFIRMED threats
(spanning multiple users)
DETECTED threats (unique)

15. 15© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Breach Detection: Ransomware
1
Feb 25 Mar 1 Mar 21 Mar 24 Mar 25 Apr 4
Threat activity continuously detected by CTA !
CTA
Detection
AV removing
trojan
AV signatures
updated & trojan
removed
Worm removed by
daily scan
CryptoLocker
confirmed & endpoint
sent for reimage
Example
< Malware operational for more than 20 days >
Time
AV removing worm
& signatures found
outdated

16. 16© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
1Example
Local Context
First detected in your network on Mar 11, 2015 and last observed on Apr 14,
2015. Total of 3 users have shown threat behavior in last 45 days.
Global Context Also detected in 5+ other companies affecting 10+ other users.
Threat related to the Zeus Trojan horse malware family which is persistent, may
have rootkit capability to hide its presence, and employs various command-and-
control mechanisms. Zeus malware is often used to track user activity and steal
information by man-in-the-browser keystroke logging and form grabbing.
Zeus malware can also be used to install CryptoLocker ransomware to steal
user data and hold data hostage. Perform a full scan for the record and then
reimage the infected device.
9 THREAT 100% confidence AFFECTING 3 users

17. 17© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
AFFECTING winnt://emeauser1
Amazon.com, Inc
LeaseWeb B.V.
intergenia AG
Qwest communication..
95.211.239.228
85.25.116.167
54.240.147.123
54.239.166.104
63.234.248.204
54.239.166.69
63.235.36.156
54.240.148.64
6 Http traffic to ip addr…
6 Http traffic to ip addr…
6 Http traffic to ip addr…
6 Http traffic to ip addr…
Activities (8) Domain (8) IPs (8) Autonomous systems (5)
9 Url string as comm…
9 Url string as comm…
6 Http traffic to ip addr…
6 Http traffic to ip addr…
95.211.239.228
85.25.116.167
54.239.166.69
63.235.36.156
54.240.148.64
54.240.147.123
54.239.166.104
Amazon.com Tech Tel…
63.234.248.204
1Example
http://95.211.239.228/MG/6XYZCn5dkOpx7yzQbqbmefOBUM9H97ymDGPZ+X8inI56FK/
0XHGs6uRF5zaWKXZxmdVbs91AgesgFarBDRYRCqEi
+a8roqlRl77ZucRB4sLOlkpoG5d44OZ95VO6pVjtKVAj0SIOXHGFTr7+w5jqe46Kz4//
NDHGJw6C2L2hCLEExuNJaeA9wtSRmOgxVg9NhpJXK7oD8dTDoGOD46zWaWDDpQ9zNdmhNtmOfeWA3xxgZ9KzD
pd7SVUnzATdD3E1USpWmkpsYsGkTE8fVQ692WQd8h2cRp+KHDg8F2ECZlcDXGOPQPU9TrWFw…
Encrypted Command & Control
9 THREAT 100% confidence

18. 18C97-733731-00 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

19. 19C97-733731-00 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
CTA Exports
STIX / TAXII API
TAXII Log Adapter:
https://github.com/CiscoCTA/taxii-log-adapter
STIX formatted
CTA threat intelligence
Poll
ServiceTransform
Adapter
CTA
Incident

20. 20C97-733731-00 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
CTA Exports
STIX Sample Message Payload
1
CTA CONFIRMED
threat campaign
2
CTA CONFIRMED or
DETECTED threat incident
3
Malicious events (flow
sequences)
4 Anomalous web requests
1
2
3
4

21. 21C97-733731-00 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
CTA Exports
id="cta:package-1412045744-4e3681cb-c188-4893-84bc-500aac2da0a0” timestamp="2014-11-14T07:20:00.300Z" version="1.1.1">
<stix:STIX_Header>
<stix:Information_Source>
<stixCommon:Tools>
<cyboxCommon:Tool id="cta:tool-CTA">
<cyboxCommon:Name>Cognitive Threat Analytics</cyboxCommon:Name>
<cyboxCommon:Vendor>Cisco</cyboxCommon:Vendor>
</cyboxCommon:Tool>
<cyboxCommon:Tool id="cta:tool-AMP">
<cyboxCommon:Name>Advanced Malware Protection</cyboxCommon:Name>
<cyboxCommon:Vendor>Cisco</cyboxCommon:Vendor>
</cyboxCommon:Tool>
</stixCommon:Tools>
</stix:Information_Source>
</stix:STIX_Header>
<stix:Incidents>
<stix:Incident xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="incident:IncidentType"
id="cta:incident-1412045744-1412045744_f8bae03fb2ff7164a0536a67766e_malware$7Ctransferring+data+through+url_0.75">
<incident:Title>malware|transferring data through url
</incident:Title>
<incident:Time>
<incident:First_Malicious_Action>2014-11-09T22:09:37.149Z</incident:First_Malicious_Action>
</incident:Time>
<incident:Victim>
<stixCommon:Name>f8bae03fb2ff7164a0536a67766e</stixCommon:Name>
</incident:Victim>
<incident:Leveraged_TTPs>
<incident:Leveraged_TTP>
<stixCommon:TTP xsi:type="ttp:TTPType">
<ttp:Title>favicon</ttp:Title>
</stixCommon:TTP>
</incident:Leveraged_TTP>
<incident:Leveraged_TTP>
<stixCommon:TTP xsi:type="ttp:TTPType">
<ttp:Title>data tunneling over https</ttp:Title> https://github.com/STIXProject/stix-viz
STIX Language Mapping

22. 22© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Confidential