Encrypted Threat Analytics (ETA) - Cisco
Detecting Malware without Decryption: Encrypted Threat Analytics (ETA)
Sunil Amin, Principal Engineer, Stealthwatch
July 20th 2018
© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public.
Agenda
• Background: Encryption Trends
• Introduction to Encrypted Traffic Analytics (ETA)
• Cryptographic Compliance
• Field Testing and Results
  o Mobile World Congress 2018
  o Miercom Report 2018
• Conclusion
Background: Encryption Trends
Networks are becoming more and more opaque!
Google Chrome will mark all HTTP sites as not secure in July 2018
The New Threat Landscape
Source: Ponemon Report, 2016
• Organizations are at risk: 38% decrypt, 62% do not decrypt
• Figures shown: 41%, 81%, 64%, alongside the statements "cannot detect malicious content in encrypted traffic", "of attackers used encryption to evade detection" and "of organizations have been victims of a cyber attack"
New attack vectors
• Employees browsing over HTTPS: malware infection, covert channel with command and control server, data exfiltration
• Employees on internal network connecting to DMZ servers: lateral propagation of encrypted threats
Malicious Activity within Encrypted Traffic
• Global encrypted web traffic: 38% in November 2016 to 50% in October 2017, a 12% increase
• Malicious sandbox binaries with encryption: 19% in November 2016 to 70% in October 2017, a 268% increase
Privacy AND Security
Now Available: Cisco Encrypted Traffic Analytics
Industry’s first network that finds threats in encrypted traffic without decryption
(Figure: traffic share, encrypted traffic versus non-encrypted traffic)
Introduction to Encrypted Traffic Analytics (ETA)
Artificial Intelligence/Machine Learning
• Inputs: known malware traffic and known benign traffic
• Extract observable features in the data
• Employ machine learning techniques to build detectors
• Result: known malware sessions detected in encrypted traffic with high accuracy
“Identifying Encrypted Malware Traffic with Contextual Flow Data”, AISec ’16 | Blake Anderson, David McGrew (Cisco Fellow)
ETA Solution Overview
• Cisco Networks: NetFlow and Enhanced NetFlow from Cisco’s newest switches and routers; telemetry for encrypted malware detection and cryptographic compliance
• Cisco Stealthwatch: machine learning malware detection and cryptographic compliance; enhanced analytics and machine learning; global-to-local knowledge correlation; continuous enterprise-wide compliance
• Outcomes: leveraged network metadata, faster investigation, higher precision, stronger protection
How Can We Inspect Encrypted Traffic?
• Initial data packet: make the most of the unencrypted fields (for example, a self-signed certificate)
• Sequence of packet lengths and times: identify the content type through the size and timing of packets (for example, data exfiltration or a C2 message)
• Global risk map: who’s who of the Internet’s dark side; broad behavioral information about the servers on the Internet
Multi-Layer Machine Learning
The initial data packet, the sequence of packet lengths and times and the global risk map are the inputs to multi-layer machine learning.
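As an added example, not code from Cisco or the Stealthwatch product, the Python below derives from one flow the signals the two preceding slides describe: the unencrypted fields of the initial data packet (here a TLS ClientHello parsed for offered version, cipher suites and SNI), the sequence of packet lengths and times, and a TLS-version check of the kind the cryptographic compliance section later applies to TLS 1.0. The ClientHello bytes, the packet list, the hostname and the NON_COMPLIANT policy set are all constructed for the example.

```python
"""Added example (not Cisco/Stealthwatch code): ETA-style flow features plus a TLS-version policy check."""
import struct

TLS_VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}
NON_COMPLIANT = {"SSL 3.0", "TLS 1.0"}   # assumed policy; the deck cites PCI's TLS 1.0 cutoff

def build_client_hello(version, ciphers, sni):
    """Constructed sample ClientHello (record + handshake framing) used as the initial data packet."""
    name = sni.encode()
    sni_ext = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name    # server_name list
    exts = struct.pack("!HH", 0, len(sni_ext)) + sni_ext                  # extension type 0 = server_name
    body = (struct.pack("!H", version) + bytes(32) + b"\x00"              # version, random, empty session id
            + struct.pack("!H", 2 * len(ciphers)) + b"".join(struct.pack("!H", c) for c in ciphers)
            + b"\x01\x00" + struct.pack("!H", len(exts)) + exts)           # null compression, extensions
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def parse_client_hello(pkt):
    """Read the unencrypted IDP fields: offered version, cipher suites and SNI."""
    if pkt[0] != 0x16 or pkt[5] != 0x01:
        raise ValueError("not a TLS ClientHello record")
    version = struct.unpack_from("!H", pkt, 9)[0]       # after record (5) + handshake (4) headers
    p = 11 + 32                                         # skip the 32-byte random
    p += 1 + pkt[p]                                     # session id
    n = struct.unpack_from("!H", pkt, p)[0]
    ciphers = [struct.unpack_from("!H", pkt, p + 2 + i)[0] for i in range(0, n, 2)]
    p += 2 + n
    p += 1 + pkt[p]                                     # compression methods
    end = p + 2 + struct.unpack_from("!H", pkt, p)[0]   # end of the extensions block
    p, sni = p + 2, None
    while p + 4 <= end:
        etype, elen = struct.unpack_from("!HH", pkt, p)
        if etype == 0:                                  # server_name: list len(2), type(1), name len(2)
            nlen = struct.unpack_from("!H", pkt, p + 7)[0]
            sni = pkt[p + 9:p + 9 + nlen].decode()
        p += 4 + elen
    return {"version": TLS_VERSIONS.get(version, hex(version)), "ciphers": ciphers, "sni": sni}

def splt(packets, max_len=10):
    """Sequence of packet lengths and times: signed length (client->server positive), seconds since previous packet."""
    out, prev = [], packets[0][0] if packets else 0.0
    for ts, direction, length in packets[:max_len]:
        out.append((length if direction == "c2s" else -length, ts - prev))
        prev = ts
    return out

def analyze_flow(idp_bytes, packets):
    """One flow record: IDP fields, SPLT, and a compliance finding when the offered version is banned."""
    idp = parse_client_hello(idp_bytes)
    finding = f"{idp['sni']} offered {idp['version']}" if idp["version"] in NON_COMPLIANT else None
    return {"idp": idp, "splt": splt(packets), "finding": finding}

SAMPLE_IDP = build_client_hello(0x0301, [0x002F, 0x0035], "legacy.example.com")   # constructed legacy client
SAMPLE_PACKETS = [(0.000, "c2s", 517), (0.042, "s2c", 1460), (0.043, "s2c", 1200), (0.090, "c2s", 126)]
```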
Encrypted Traffic Analytics: Example Incident
Cryptographic Compliance
How much of your business is in the clear versus encrypted?
Encryption details on all network flows
Filter Flows by TLS/SSL
Supported Components
Network Infrastructure Generating ETA Telemetry
• Campus & Branch: Catalyst 9000
• Branch Edge: ISR & ASR (new)
• Cloud: CSR 1000V (new)
Field Testing and Results
Mobile World Congress 2018: Large BYOD Environment
What is Mobile World Congress?
More than 107,000 visitors from 205 countries and territories
Stealthwatch monitored all the wireless traffic to and from the Internet with Encrypted Traffic Analytics
Over 55% of attendees held senior-level positions, including more than 7,700 CEOs
Topology
The MWC wireless traffic reaches the Internet through a distribution Cat6K; a SPAN copy goes to an ASR 1k router, which exports ETA telemetry to the Flow Collector and Management Console.
We enabled ETA on an ASR1001-X with the MWC’s Internet-bound traffic SPAN’ed from a distribution Cat6K switch to the ASR1001-X on a GigE port.
ETA at Mobile World Congress 2018
Massive network footprint
• 55+ million flows analyzed
• 82% HTTPS vs 18% HTTP
• At peak hours, more than 20K flows per second from wireless users
Threats detected
• C&C and data exfiltration
• 350 detections using ETA
• Numerous malware instances, including mobile malware
• Over 30 applications using TLS 1.0
Detection Summary
• Android malware: Android.spy, Boqx, infected firmware
• Adware: OSX malware Genieo, RevMob, AdInjector
• Possibly unwanted applications: Tor, BitTorrent, phishing
• Various: SALITY malware, SMB service discovery malware, Conficker, cryptomining
Miercom Report 2018
Test Setup
A set of laptops served as the source of different types of generated malware traffic, sent along two paths: one with ETA and one without ETA.
74 pcap samples were run and 51 had encrypted traffic.
All findings prioritized and clear course of action
Stealthwatch automates the security analyst
How secure is my digital business’s traffic?
In June 2018, PCI will make TLS 1.0 a violation
Stealthwatch/ETA makes available the details of the encrypted traffic!
Conclusion
• Nearly all network communication is encrypted these days.
• Decryption is not a viable option.
• ETA is a solution set! It is not a product.
  o Branch, WAN and Cloud routers
  o Campus switches
  o Cisco Stealthwatch Enterprise
• ETA delivers two outcomes:
  o Cryptographic compliance.
  o Detection of malicious traffic in encrypted traffic WITHOUT decryption.