In today’s age, organizations face an unprecedented – and rising – threat from advanced malware. These attacks can come from any angle: script kiddies having fun with some new malware they got off the dark web, organized crime syndicates overseas hacking for profit, or malicious actors looking to actively damage the business. Regularly reported attacks typically include ransomware taking systems hostage, destruction of data, or data exfiltration, any of which can result in compliance fines and loss of market share and brand confidence.
With the pervasive use of cloud-hosted services and applications, ordinary activity on an organization’s network now carries an increased risk of exposing online customer services, while app-based business, certificates, and SSL connectivity have become mandatory facets of the day-to-day operation of the internet. As of 2020, Google stated that 94% of all traffic it receives is encrypted, and 96% of all pages loaded in Chrome were loaded over HTTPS-secured connections.[1] Firefox numbers are very similar – 90% of all traffic is carried over HTTPS.[2] Many organizations did not anticipate this explosive growth of SSL/TLS-encrypted traffic; because they cannot inspect it, they cannot take action on it. Many discovered the problem when web filtering started breaking on a recurring basis – and the options to resolve it weren’t pretty.
Traditional solutions to this problem required man-in-the-middle SSL decryption and inspection. Because of the way certificates work and the increasing security requirements of modern web browsers, this often creates a large workload for internal IT teams, who must deploy a comprehensive Public Key Infrastructure. Failure to implement it properly often results in poor user experience, broken web pages, and frustrated customers.
Encrypted Traffic Analytics
Cisco recognized this trend, and its Encrypted Traffic Analytics solution, in combination with the Secure Network Analytics (formerly Stealthwatch) platform, addresses the problem. By leveraging rich metadata on the flows within a customer’s network and applying multi-layered machine learning, it ingests and analyzes the telemetry gathered from nodes around the network and determines whether a given flow shows indicators of typical malware behavior.
These insights are driven by TALOS threat research, feedback from millions of sensors around the world, and deep learning on big data sets spanning thousands of malware samples. It has been found that most network traffic follows common patterns, traditionally known as the “baseline”. This concept is taken further: by peering into very fine-grained patterns within network flows, Cisco has made it possible to identify malicious activity within an encrypted flow.
Encrypted Traffic Analytics leverages several key metrics within a flow to assess risk:
- Initial Data Packet (IDP): By inspecting the first packet in a flow, Secure Network Analytics gleans important data such as the URL/domain name, encryption level, resolved DNS name, cryptographic algorithms, etc.
- Sequence of Packet Lengths and Times (SPLT): This is a pattern measured across the first series of packets in a flow, with the goal of identifying known malicious behavior patterns at the onset of a flow. Malware will often send data to Command & Control servers in a preformatted way, or bundle data in a specific way to be reconstructed on the receiving end. By identifying and classifying flows early on, detection can be done quickly and efficiently. While malware is often polymorphic, the large majority do not defeat this approach.
- Byte Distribution: This is the method for comparing the activity within a session against known patterns. Against a deep and ever-expanding set of signatures and patterns, Cisco has classified numerous types of common activity associated with normal and anomalous behavior. By leveraging this database together with machine learning, the solution can quickly identify potentially malicious activity without invasively peering into the actual session.
Enhanced NetFlow is required to gather these key tuples for flows. This imposes minimum hardware and software revisions, which are listed on Cisco’s website.
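As an added illustration (not Cisco’s code, and not how Secure Network Analytics computes its features), the block below extracts two of the metrics described above, SPLT and byte distribution, from a constructed flow of TLS-record-like packets; the `FLOW` name, the packet contents and the timestamps are all made up for the example.

```python
# Added example: extract SPLT and byte-distribution features from a flow.
# Not Cisco's code; the packets below are constructed, not captured.
import math
from collections import Counter

# Constructed flow: (timestamp_ms, direction, payload). "c2s" is client to
# server, "s2c" server to client. Payloads start with a TLS record header
# (type, version, length) purely so they look like a handshake and data.
FLOW = [
    (0.0,  "c2s", bytes.fromhex("160301") + b"\x00\x20" + b"\x01" * 32),    # ClientHello-like
    (12.5, "s2c", bytes.fromhex("160303") + b"\x05\x00" + b"\x00" * 1280),  # ServerHello+cert-like
    (15.0, "c2s", bytes.fromhex("160303") + b"\x00\x46" + bytes(range(70))),
    (30.0, "s2c", bytes.fromhex("170303") + b"\x00\x30" + bytes(48)),       # application data
    (31.0, "c2s", bytes.fromhex("170303") + b"\x02\x00" + bytes(range(256)) * 2),
]

def splt(flow, n=10):
    """Sequence of Packet Lengths and Times for the first n packets:
    (signed payload length, inter-arrival time in ms). Server-to-client
    packets get a negative length so direction is part of the pattern."""
    feats, prev_ts = [], flow[0][0]
    for ts, direction, payload in flow[:n]:
        length = len(payload) if direction == "c2s" else -len(payload)
        feats.append((length, round(ts - prev_ts, 3)))
        prev_ts = ts
    return feats

def byte_distribution(flow):
    """256-bin histogram of every payload byte in the flow, normalised to
    sum to 1. This is the vector a classifier would compare to baselines."""
    counts = Counter()
    for _, _, payload in flow:
        counts.update(payload)
    total = sum(counts.values())
    return [counts[b] / total for b in range(256)]

def entropy(dist):
    """Shannon entropy of a byte distribution in bits (0 to 8). Well-formed
    ciphertext sits near 8; padding- or repeat-heavy payloads sit far lower."""
    return -sum(p * math.log2(p) for p in dist if p > 0)

def flow_features(flow):
    """Per-flow feature record an ETA-style exporter would send alongside
    the NetFlow tuple (hypothetical layout, for illustration only)."""
    dist = byte_distribution(flow)
    return {"splt": splt(flow), "byte_dist": dist, "entropy": round(entropy(dist), 3)}

if __name__ == "__main__":
    f = flow_features(FLOW)
    print("SPLT:", f["splt"])
    print("entropy: %.2f bits, zero-byte share: %.2f" % (f["entropy"], f["byte_dist"][0]))
```

The constructed flow is dominated by zero padding, so its entropy lands far below the near-8-bit value real ciphertext would show; that gap is exactly the kind of signal a byte-distribution baseline comparison picks up.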
Cisco Secure Network Analytics (formerly Stealthwatch)
Secure Network Analytics is the analytics engine that ingests the data from the ETA collection apparatus. Leveraging constantly updated TALOS threat intelligence via Threat Grid and threat mapping, it can flag possibly malicious behavior. These data sets provide enriched context for the analysis, increasing the fidelity and accuracy of the results. Customers benefit from Cisco’s massive global security footprint, ensuring they do not have to be hit by malware before they reap the benefit of the signatures.
GDT’s Cybersecurity practice has a deep, highly experienced team of architects and engineers who are happy to design and implement these solutions. With our vast experience with Cisco ISE, DNA Center, SD-Access and FirePower products, we can analyze your current environment and propose an integrated solution that will ensure you get the highest ROI from your current investment while future-proofing your visibility and enforcement capabilities moving forward. Get in touch with one of our account managers to begin these conversations. We look forward to driving your success!
[1] Google Transparency Report – https://transparencyreport.google.com/https/overview
[2] Let’s Encrypt Firefox HTTPS Statistics – https://letsencrypt.org/stats/#percent-pageloads