Cognitive Threat Analytics is a technology that analyzes web requests to identify Command & Control traffic, identifying threats that are currently present in a network. It is currently available across the entire Cisco Web Security portfolio, including Cloud Web Security (CWS) and the Web Security Appliance (WSA). To learn more, watch this webinar: http://cs.co/9000BuggO

1. Petr Cernohorsky
Product Manager
October 2015
Identify Zero-Day Breaches with
Cognitive Threat Analytics (CTA)
on Cisco Web Security

2. There’s a new cyber-threat reality
Hackers will likely
command and control
your environment via web
You’ll most likely be
infected via email
Your environment
will get breached

3. Web
Reputation
Web
Filtering Application
Visibility &
Control
X
X X
CTA & AMP on Cisco Web SecurityTalos
www
Roaming User
Reporting
Log Extraction
Management
Branch Office
www www
Allow Warn Block Partial Block
Campus Office
ASA StandaloneWSA ISR G2 AnyConnect
Admin
Traffic
Redirections
www
HQ
STIX / TAXII (APIs)
CTA
Cognitive
Threat Analytics
Anti-
Malware
File
Reputation
Webpage
Outbreak
Intelligence
After
X
www.website.com
XX
Dynamic
Malware
Analysis
File
Retrospection

4. Web
Reputation
Web
Filtering Application
Visibility &
Control
X
X X
CTA & AMP on Cisco Web SecurityTalos
www
Roaming User
Reporting
Log Extraction
Management
Branch Office
www www
Allow Warn Block Partial Block
Campus Office
ASA StandaloneWSA ISR G2 AnyConnect
Admin
Traffic
Redirections
www
HQ
STIX / TAXII (APIs)
CTA
Cognitive
Threat Analytics
Anti-
Malware
File
Reputation
Webpage
Outbreak
Intelligence
After
X
www.website.com
XX
Dynamic
Malware
Analysis
File
Retrospection
Layer 1
Layer 2
AMP
CTA
AMP
CTA
Layer 3
File Reputation Anomaly
detection
Trust
modeling
Event classification Entity modeling
Dynamic
Malware
Analysis
File
Retrospection
Relationship modeling
CTA

5. 0I0
00I
II0I
0I I
00I
0II0
0I0
I00
I0II
II0I
000
0I0
00I
II00
I0I0
0I0
000
0II0
0 II
III I
00I
0I0
00I
II0I
I0II
00I
00II
0I0I
I0 0
0I I
I00I
CTA & AMP Working Together
AMP
Direct attack
from the web
Infected email or
USB stick
Threat infrastructure
Admin
Increase resistance against
direct attacks from the web with:
• File reputation
• Dynamic Malware Analysis
• File retrospective
AMP
STIX / TAXII
(APIs)Identify breaches using
anomaly detection and network
traffic analysis.
Visibility into threats that
may have bypassed the web
infection vector, like infected
email, USB stick or guest
devices.
CTA
File rep
0I000III0I00II0II00III000I000III0I000III0
I00I0I00I0000I0I00I0II0I00I0I00I000I00I0I0
0I0
00I
II0I
0II
00I
0II0
0I0
I00
I0II
II0I
000
0I0
00I
II00
I0I0
0I0
000
0II0
0II
IIII
00I
0I0
00I
II0I
I0II
00I
00II
0I0I
I00
0III
I00I
00II
0I0
00I
II0I
0II
00I
0II0
0I0
I00
I0II
II0I
000
0I0
00I
II00
I0I0
0I0
000
0II0
0II
IIII
00I
0I0
00I
II0I
I0II
00I
00II
0I0I
I00
0III
I00I
00II
Web rep
Command
& Control
Domain
Generated
Algorithm
CTA
Tunneling
0I000III 0I00 II 0I I0000 III000II0 0II0I 00I 0I00 00II 0000I

6. Layer 1
CTA
Anomaly
detection
Trust
modeling
Layer 2
Event
classification
Entity modeling
CTA
Layer 3
Relationship
modeling
CTA
20K
incidents
per day
10B
requests
per day
Recall Precision
Anomalous
Web requests (flows)
Threat
Incidents (aggregated events)
Malicious
Events (flow sequences)
Cognitive Threat Analytics
Layered Processing Engine & Scalable Cloud Infrastructure

7. Cisco WSA (Web Security Appliance)
External Telemetry (BlueCoat Sec. GW)
Cisco CWS (Cloud Web Security)
Cisco
Cognitive Threat
Analytics (CTA)
Confirmed Threats
Detected Threats
Threat Alerts
Incident
Response
HQ
STIX / TAXII API
CTACTACTA
SIEMs:
Splunk, ArcSight,
Q1 Radar, ...
HQ
Web Security
Gateways
Cloud
Web Security
Gateways
CTA a-la-carte
ATD bundle = CTA & AMP
WSP bundle = CWS & ATD
CTA a-la-carte
CTA a-la-carte
Web Access Logs (input telemetry)
Breach Detection &
Advanced Threat Visibility
Cognitive Threat Analytics
For CWS, WSA, and External Telemetry

8. CTA presents results in two categories
Confirmed Threats
Confirmed Threats - Threat Campaigns
• Threats spanning across multiple users
• 100% confirmed breaches
• For automated processing leading to fast reimage / remediation
• Contextualized with additional Cisco Collective Security Intelligence

9. AMP Threat Grid augments CTA reporting
AMP Threat Grid aids forensic
work on the endpoint by
presenting:
• Associated threat artifacts
from AMP Threat Grid,
exhibiting network behaviors
matching to the CONFIRMED
CTA threat
• Content security signatures
for these associated threat
samples globally
• Insights into exactly what a
threat is doing (end-point
behaviors)

10. CTA presents results in two categories
Detected Threats
Detected Threats – One-off Threats
• Unique threats detected for individuals
• Suspected threat confidence and risk levels provided
• For semi-automated processing
• Very little or no additional security context exists

11. Here’s an example of how it works
Near real-time processing
1K-50K incidents per day10B requests per day +/- 1% is anomalous 10M events per day
HTTP(S)
Request
Classifier X
Classifier A
Classifier H
Classifier Z
Classifier K
Classifier M
Cluster 1
Cluster 2
Cluster 3
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
Cluster 1
Cluster 2
Cluster 3
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
RequestHTTP(S)
Request
HTTP(S)
Request
HTTP(S)
RequestHTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
RequestHTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
Anomaly Detection Trust Modeling Classification Entity Modeling Relationship Modeling
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
CONFIRMED threats
(spanning multiple users)
DETECTED threats (unique)

12. CTA Deep-Dive

13. Layer 1
Layer 2
AMP
CTA
CWS PREMIUM
AMP
CTA
Layer 3
File Reputation Anomaly
detection
Trust
modeling
Event classification Entity modeling
Dynamic
Malware
Analysis
File
Retrospection
Relationsh
CTA
Identify suspicious traffic with Anomaly
Detection
Normal
Unknown
Anomalous
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
Anomaly Detection
10B+ requests are processed
daily by 40+ detectors
Each detector provides its
own anomaly score
Aggregated scores are used to
segregate the normal traffic

14. Layer 1
Layer 2
AMP
CTA
CWS PREMIUM
AMP
CTA
Layer 3
File Reputation Anomaly
detection
Trust
modeling
Event classification Entity modeling
Dynamic
Malware
Analysis
File
Retrospection
Relationsh
CTA
• Each HTTP(S) request is
scanned by 40+ detectors, each
with a unique algorithm
• Multiple detectors increase the
statistical significance of the
anomaly score, reducing the
number of false negatives and
false positives
Examples of Anomaly Detection output
(HTTP, real and synthetic malware)
HTTP(S)
Request
Multiple
detectors &
Trust Modeling
Normal
Anomalous
0
1
2
3
4
5
7
6
0 0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 1.0
Dynamic threshold
False
negative False
positives
#ofwebrequests
Anomaly score
Normal
Anomalous
0
1
2
3
4
5
7
6
0 0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 1.0
False
positive
Dynamic threshold
(later removed after
further processing)
#webrequests
Anomaly score
Single
detector

15. Layer 1
Layer 2
AMP
CTA
AMP
CTA
Layer 3
File Reputation Anomaly
detection
Trust
modeling
Event classification Entity modeling
Dynamic
Malware
Analysis
File
Retrospection
Relationsh
CTA
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
Reduce false positives with Trust Modeling
Anomalous
Normal
Unknown
Unknown
Normal
Unknown
Unknown
Unknown
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
RequestHTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
RequestHTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
Trust Modeling
HTTP(S) requests with similar attributes are
clustered together
Over time, the clusters adjust their overall anomaly
score as new requests are added

16. Layer 1
Layer 2
AMP
CTA
AMP
CTA
Layer 3
File Reputation Anomaly
detection
Trust
modeling
Event classification Entity modeling
Dynamic
Malware
Analysis
File
Retrospection
Relationsh
CTA
Categorize requests with Event Classification
Keep as legitimate
Alert as malicious
Keep as suspicious
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
Media website
Software update
Certificate status
check
Tunneling
Domain generated
algorithm
Command and control
Suspicious extension
Repetitive requests
Unexpected destination
Event Classification
100+ classifiers are applied to a small subset of the
anomalous and unknown clusters
Requests’ anomaly scores update based on their
classifications

17. Layer 1
Layer 2
AMP
CTA
CWS PREMIUM
AMP
CTA
Layer 3
File Reputation Anomaly
detection
Trust
modeling
Event classification Entity modeling
Dynamic
Malware
Analysis
File
Retrospection
Relatio
CTA
Attribute anomalous requests to endpoints
and identify threats with Entity Modeling
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
THREAT
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
THREAT HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
THREAT
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
HTTP(S)
Request
THREAT
HTTP(S)
Request
THREAT
Entity Modeling
A threat is triggered when the significance
threshold is reached
New threats are triggered as more evidence
accumulates over time

18. Layer 1
Layer 2
AMP
CTA
CWS PREMIUM
AMP
CTA
Lay
File Reputation Anomaly
detection
Trust
modeling
Event classification Entity modeling
Dynamic
Malware
Analysis
File
Retrospection
Relationsh
CTA
Company B
Company C
Determine if a threat is part of a threat
campaign with Relationship Modeling
Attack Node 1
Attack Node 2
Company A Company A Company A
Phase 1 Phase 2 Phase 3
Threat
Type 1
Threat
Type 1
Threat
Type 2
Incident
Incident
Incident
Incident
Similarity Correlation Infrastructure Correlation
Company B
Company C
Company B
Company C
Incident
Incident
Incident
Incident
Incident
Incident
Incident
Incident
Global
behavioral
similarity
Local
behavioral
similarity Local &
global
behavioral
similarity
Shared
threat
infrastructure
Entity Modeling

19. How CTA analyzes a threat
0
+
Webrep
AV
domain age: 2 weeks
0
domain age: 2 weeks
-
domain age: 3 hours
-
domain age: 1 day
Domain Generation
Algorithm (DGA)
Data tunneling via
URL (C&C)
DGA
C&C
DGA
DGA
DGA
C&C
Attacker techniques:
Active channels
Web
Perimeter
CTA
Analyzing
Web Access Logs

20. STIX / TAXII API

21. CTA Exports
STIX / TAXII API
TAXII Log Adapter:
https://github.com/CiscoCTA/taxii-log-adapter
STIX formatted
CTA threat intelligence
Poll
ServiceTransform
Adapter
CTA
Incident

22. CTA Exports
STIX Sample Message Payload
1
CTA CONFIRMED
threat campaign
2
CTA CONFIRMED or
DETECTED threat incident
3
Malicious events (flow
sequences)
4 Anomalous web requests
1
2
3
4

23. CTA Exports
id="cta:package-1412045744-4e3681cb-c188-4893-84bc-500aac2da0a0” timestamp="2014-11-14T07:20:00.300Z" version="1.1.1">
<stix:STIX_Header>
<stix:Information_Source>
<stixCommon:Tools>
<cyboxCommon:Tool id="cta:tool-CTA">
<cyboxCommon:Name>Cognitive Threat Analytics</cyboxCommon:Name>
<cyboxCommon:Vendor>Cisco</cyboxCommon:Vendor>
</cyboxCommon:Tool>
<cyboxCommon:Tool id="cta:tool-AMP">
<cyboxCommon:Name>Advanced Malware Protection</cyboxCommon:Name>
<cyboxCommon:Vendor>Cisco</cyboxCommon:Vendor>
</cyboxCommon:Tool>
</stixCommon:Tools>
</stix:Information_Source>
</stix:STIX_Header>
<stix:Incidents>
<stix:Incident xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="incident:IncidentType"
id="cta:incident-1412045744-1412045744_f8bae03fb2ff7164a0536a67766e_malware$7Ctransferring+data+through+url_0.75">
<incident:Title>malware|transferring data through url
</incident:Title>
<incident:Time>
<incident:First_Malicious_Action>2014-11-09T22:09:37.149Z</incident:First_Malicious_Action>
</incident:Time>
<incident:Victim>
<stixCommon:Name>f8bae03fb2ff7164a0536a67766e</stixCommon:Name>
</incident:Victim>
<incident:Leveraged_TTPs>
<incident:Leveraged_TTP>
<stixCommon:TTP xsi:type="ttp:TTPType">
<ttp:Title>favicon</ttp:Title>
</stixCommon:TTP>
</incident:Leveraged_TTP>
<incident:Leveraged_TTP>
<stixCommon:TTP xsi:type="ttp:TTPType">
<ttp:Title>data tunneling over https</ttp:Title> https://github.com/STIXProject/stix-viz
STIX Language Mapping

24. CTA Examples

25. Breach Detection: Ransomware
1
Feb 25 Mar 1 Mar 21 Mar 24 Mar 25 Apr 4
Threat activity continuously detected by CTA !
CTA
Detection
AV removing
trojan
AV signatures
updated & trojan
removed
Worm removed by
daily scan
CryptoLocker
confirmed & endpoint
sent for reimage
Example
< Malware operational for more than 20 days >
Time
AV removing worm
& signatures found
outdated

26. 1Example
Local Context
First detected in your network on Mar 11, 2015 and last observed on Apr 14,
2015. Total of 3 users have shown threat behavior in last 45 days.
Global Context Also detected in 5+ other companies affecting 10+ other users.
Threat related to the Zeus Trojan horse malware family which is persistent, may
have rootkit capability to hide its presence, and employs various command-and-
control mechanisms. Zeus malware is often used to track user activity and steal
information by man-in-the-browser keystroke logging and form grabbing.
Zeus malware can also be used to install CryptoLocker ransomware to steal
user data and hold data hostage. Perform a full scan for the record and then
reimage the infected device.
9 THREAT 100% confidence AFFECTING 3 users

27. AFFECTING winnt://emeauser1
Amazon.com, Inc
LeaseWeb B.V.
intergenia AG
Qwest communication..
95.211.239.228
85.25.116.167
54.240.147.123
54.239.166.104
63.234.248.204
54.239.166.69
63.235.36.156
54.240.148.64
6 Http traffic to ip addr…
6 Http traffic to ip addr…
6 Http traffic to ip addr…
6 Http traffic to ip addr…
Activities (8) Domain (8) IPs (8) Autonomous systems (5)
9 Url string as comm…
9 Url string as comm…
6 Http traffic to ip addr…
6 Http traffic to ip addr…
95.211.239.228
85.25.116.167
54.239.166.69
63.235.36.156
54.240.148.64
54.240.147.123
54.239.166.104
Amazon.com Tech Tel…
63.234.248.204
1Example
http://95.211.239.228/MG/6XYZCn5dkOpx7yzQbqbmefOBUM9H97ymDGPZ+X8inI56FK/0XHGs6uRF5zaWKXZxmdVbs
91AgesgFarBDRYRCqEi+a8roqlRl77ZucRB4sLOlkpoG5d44OZ95VO6pVjtKVAj0SIOXHGFTr7+w5jqe46Kz4//NDHGJw6
C2L2hCLEExuNJaeA9wtSRmOgxVg9NhpJXK7oD8dTDoGOD46zWaWDDpQ9zNdmhNtmOfeWA3xxgZ9KzDpd7SVUnz
ATdD3E1USpWmkpsYsGkTE8fVQ692WQd8h2cRp+KHDg8F2ECZlcDXGOPQPU9TrWFw…
Encrypted Command & Control
9 THREAT 100% confidence

28. Number of Affected Users Per month (Jan. through Nov. 2014)
Breach Detection: Malvertising BotNet
Cisco security finds close to 2000 users affected & 4000+ add-on variants!
Malvertising from Browser add-ons collects huge rewards
Sophisticated code paired with refined business model
17511170 Companies Months 886,646 All users Max affected
Nov, 2014
Source: Cisco Security Research
June, 2014
Affected Users Per Month
2Example

29. IPs (3)Activities (5) Domain (10) Autonomous systems (0)
54.68.144.135
54.69.230.10
54.68.109.54anomalous http traf…7
7 anomalous http traf…
7 Url string as comm…
7 Url string as comm…
veterance.com
veterances.net
Getjpi77.info
probookmynew.us
skyfunnjobbest.info
Versiontraffic.com
filehelper.co.il
appzappzappz.com
2Example
hXXp://getjpi77.info/sync2/?q=hfZ9oeZHrjYMCyVUojC6qGhTB6lKDzt4ok8gtNtVh7n0rjnEpjwErjrGrHrEtMFHhd9Fqda4rja
FqTr6qjaMDMlGojUMAe4UojkFrdg5rjwEqjnGrTw5pjY4qHYMC6qUojk7pdn5rHY9pdUHqjwFrdUGqTCMWy4ZBek0nMlH
DwmPC7qLDe49nfbEtMZPhd99qdg5qHn5qHk5rdUErjg4rHkGtM0HAen0qTaFtMVKC6n0rTwMgNr0rn%3D%3D&amse=h
s18&xname=BestDiscountApp
hXXp://getjpi77.info/sync2/?q=ext=hs18&pid=777&country=MX&regd=140910132330&lsd=140910163750&ver=9&ind=5
106811054221898978&ssd=5684838489351109267&xname=BestDiscountApp&hid=4468748758090169352&osid=601
&inst=21&bs=1%3D%3D&amse=hs18&xname=BestDiscountApp
Encrypted Command & Control
AFFECTING winnt://emeauser26 THREAT 100% confidence

30. Breach Detection: Qakbot Worm
Constantly adapting
TTP to avoid detection
Since 2011, taken down in
2014 to reemerge again
500,000+ infected
computers & significant
profits from fraud
Rootkit capable to hide its presence, can
spread through network shared drives and
removable storage devices
Steals user data, login credentials, may
open a backdoor to track user activity or
deliver additional malicious code
3Example

31. Amazon.com, Inc
RCS & RDS SA
Unified Layer
bnhrtqbyaujiujosnevtvn.info
ehawgbpcjefdjzxohshnmu.com
hwtmnipazuwtghl.biz
ibxyfokmjbxyfqikjiis.org
iyulawjlxbltrsut.com
julfmuljitllgtnop.biz
kkgjxxpt.biz
qfvkuoiasjqbmqrwx.info
vmdekoznnkqmerkch.net
wqdiulsyylepifnbkyatwqcr.com
olbkpxtpgckuoaharw.biz
vwnlzeuaaygbgahiwrmxsp.biz
rgfxyewwsvtaobjbdlxc.infio
Activities (10) Domain (18) IPs (7) Autonomous system (4)
9
8
8
8
8
8
8
5.2.189.251
86.124.164.25
54.72.9.51
69.89.31.210
74.220.207.180
Communication to automatically gener
Communication to automatically gener
Communication to automatically gener
Communication to automatically gener
Communication to automatically gener
Communication to automatically gener
Communication to automatically gener
3Example
AFFECTING winnt://emeauser39 THREAT 100% confidence

32. 4Example
Local Context The threat was first detected in your network on Mar 15, 2015 and last observed
on Apr 17, 2015. A total of 1 user have shown this threat behavior within the past
45 days. The threat was also detected in 5+ other companies affecting 5+ other
users.
Global Context Also detected in 5+ other companies affecting 5+ other users.
Threat related to Dridex. Typically spread through spam campaigns, Dridex is a
banking trojan whose main goal is to steal confidential information from the
user about online banking and other payment systems. Trojan communicates
with the command-and-control server using HTTP, P2P, or I2P protocols. Perform
a full scan of the infected device for the record, and then reimage the device.
AFFECTING 1 user9 THREAT 100% confidence

33. 9
9
9
9
9
9
9
9
9
9
9
9
9
54.83.43.69
95.211.239.228
85.25.116.167
178.162.209.40
188.138.1.96
94.242.233.162
184.107.255.138
193.105.134.63
79.103.160.138
Amazon.com, Inc
LeaseWeb B.V.
intergenia AG
root SA
iWeb Technologies Inc.
Portlane Networks AB
Telenor Norge AS
qcnbmfvglhxlrorqolfxaeh.org
95.211.239.228
85.25.116.167
retufator.com
188.138.1.96
krjbjccop.com
94.242.233.162
184.107.255.138
193.105.134.63
79.103.160.138
Anomalous http traffic
Commination to automatically ge…
Commination to automatically ge…
Http traffic to ip address (no domain…
Http traffic to ip address (no domain…
Url string as communication channel
Http traffic to ip address (no domain
Url string as communication channel
Url string as communication channel
Url string as communication channel
Anomalous http traffic
Commination to automatically ge…
Url string as communication channel
Activities (14) Domain (10) IPs (10) Autonomous systems (7)
88.208.57.103
4Example
AFFECTING winnt://emeauser49 THREAT 100% confidence

34. Call to Action

35. Current CWS and WSA do try free valuation of
Cognitive Threat Analytics (CTA)
https://cisco.com/go/websecurity
https://cisco.com/go/cognitive
Net new customers above 1000 seats, contact
your local sales representative for an evaluation