Cognitive Threat Analytics (CTA) is a technology that analyzes web requests (the web proxy's access logs) to identify command-and-control traffic, and so surfaces threats that are already present in a network. It is currently available across the entire Cisco Web Security portfolio, including Cloud Web Security (CWS) and the Web Security Appliance (WSA). To learn more, watch this webinar: http://cs.co/9000BuggO
2. There’s a new cyber-threat reality
Your environment will get breached
You’ll most likely be infected via email
Hackers will likely command and control your environment via web
3. CTA & AMP on Cisco Web Security (architecture diagram)
Deployment points: Campus Office, Branch Office, HQ and Roaming User, with traffic redirected to the web security service through ASA, standalone WSA, ISR G2 or AnyConnect.
Protection stages: Web Reputation, Web Filtering and Application Visibility & Control (verdicts Allow, Warn, Block, Partial Block); Anti-Malware, File Reputation and Webpage Outbreak Intelligence; Dynamic Malware Analysis and File Retrospection (After); Cognitive Threat Analytics (CTA); threat intelligence from Talos.
Management plane: Admin, Reporting, Log Extraction, Management, and STIX / TAXII (APIs).
4. CTA & AMP on Cisco Web Security (same diagram, with the AMP and CTA layers called out)
AMP: File Reputation, Dynamic Malware Analysis, File Retrospection.
CTA, Layer 1: Anomaly detection, Trust modeling.
CTA, Layer 2: Event classification, Entity modeling.
CTA, Layer 3: Relationship modeling.
5. CTA & AMP Working Together
Infection paths shown: direct attack from the web; infected email or USB stick; the attacker’s threat infrastructure. Results reach the Admin via STIX / TAXII (APIs).
AMP: increase resistance against direct attacks from the web with:
• File reputation
• Dynamic Malware Analysis
• File retrospection
CTA: identify breaches using anomaly detection and network traffic analysis. Visibility into threats that may have bypassed the web infection vector, like infected email, USB stick or guest devices.
Detections called out on the diagram: Web rep, File rep, Command & Control, Domain Generation Algorithm, Tunneling.
8. CTA presents results in two categories
Confirmed Threats
Confirmed Threats - Threat Campaigns
• Threats spanning across multiple users
• 100% confirmed breaches
• For automated processing leading to fast reimage / remediation
• Contextualized with additional Cisco Collective Security Intelligence
9. AMP Threat Grid augments CTA reporting
AMP Threat Grid aids forensic work on the endpoint by presenting:
• Associated threat artifacts from AMP Threat Grid, exhibiting network behaviors matching the CONFIRMED CTA threat
• Content security signatures for these associated threat samples globally
• Insights into exactly what a threat is doing (end-point behaviors)
10. CTA presents results in two categories
Detected Threats
Detected Threats – One-off Threats
• Unique threats detected for individuals
• Suspected threat confidence and risk levels provided
• For semi-automated processing
• Very little or no additional security context exists
18. Determine if a threat is part of a threat campaign with Relationship Modeling (CWS Premium)
Diagram: the AMP / CTA layer stack of slide 4 (Layer 1 Anomaly detection and Trust modeling; Layer 2 Event classification and Entity modeling; Layer 3 Relationship modeling), followed by the relationship-modeling example. Company A is shown across Phase 1, Phase 2 and Phase 3 with incidents of Threat Type 1, Threat Type 1 and Threat Type 2 attributed to Attack Node 1 and Attack Node 2; Company B and Company C have incidents of their own.
Similarity Correlation links incidents by local behavioral similarity, global behavioral similarity, or local & global behavioral similarity. Infrastructure Correlation links incidents that share threat infrastructure. Both feed Entity Modeling.
19. How CTA analyzes a threat
Diagram: attacker techniques (active channels) seen from the web perimeter, with CTA analyzing the web access logs. Each infrastructure node is labelled with its Web Reputation (Webrep) and AV verdict (+, 0 or -) and its domain age (2 weeks, 2 weeks, 3 hours, 1 day); each channel is labelled Domain Generation Algorithm (DGA) or data tunneling via URL (C&C).
25. Breach Detection: Ransomware (Example 1)
Timeline from Feb 25 to Apr 4 (Feb 25, Mar 1, Mar 21, Mar 24, Mar 25, Apr 4): threat activity continuously detected by CTA throughout. Events along the timeline: CTA detection; AV removing trojan; AV signatures updated & trojan removed; worm removed by daily scan; AV removing worm & signatures found outdated; CryptoLocker confirmed & endpoint sent for reimage.
< Malware operational for more than 20 days >
26. Example 1
Local Context: First detected in your network on Mar 11, 2015 and last observed on Apr 14, 2015. Total of 3 users have shown threat behavior in last 45 days.
Global Context: Also detected in 5+ other companies affecting 10+ other users.
Threat related to the Zeus Trojan horse malware family, which is persistent, may have rootkit capability to hide its presence, and employs various command-and-control mechanisms. Zeus malware is often used to track user activity and steal information by man-in-the-browser keystroke logging and form grabbing. Zeus malware can also be used to install CryptoLocker ransomware to steal user data and hold data hostage. Perform a full scan for the record and then reimage the infected device.
9 THREAT 100% confidence AFFECTING 3 users
27. Example 1 (forensic detail): AFFECTING winnt://emeauser1, 9 THREAT 100% confidence
Activities (8), Domain (8), IPs (8), Autonomous systems (5)
Autonomous systems: Amazon.com, Inc; LeaseWeb B.V.; intergenia AG; Qwest communication..; Amazon.com Tech Tel…
IPs: 95.211.239.228, 85.25.116.167, 54.240.147.123, 54.239.166.104, 63.234.248.204, 54.239.166.69, 63.235.36.156, 54.240.148.64
Activities: Url string as comm… (9) x2; Http traffic to ip addr… (6) x6
Encrypted Command & Control, for example:
http://95.211.239.228/MG/6XYZCn5dkOpx7yzQbqbmefOBUM9H97ymDGPZ+X8inI56FK/0XHGs6uRF5zaWKXZxmdVbs91AgesgFarBDRYRCqEi+a8roqlRl77ZucRB4sLOlkpoG5d44OZ95VO6pVjtKVAj0SIOXHGFTr7+w5jqe46Kz4//NDHGJw6C2L2hCLEExuNJaeA9wtSRmOgxVg9NhpJXK7oD8dTDoGOD46zWaWDDpQ9zNdmhNtmOfeWA3xxgZ9KzDpd7SVUnzATdD3E1USpWmkpsYsGkTE8fVQ692WQd8h2cRp+KHDg8F2ECZlcDXGOPQPU9TrWFw…
28. Breach Detection: Malvertising BotNet (Example 2)
Chart: Number of Affected Users Per Month (Jan. through Nov. 2014), with the peak marked at Nov. 2014 and a second marker at June, 2014. Source: Cisco Security Research.
Cisco security finds close to 2000 users affected & 4000+ add-on variants!
Malvertising from browser add-ons collects huge rewards: sophisticated code paired with a refined business model.
Summary panel (labels as extracted): 17511170 Companies Months 886,646 All users Max affected
30. Breach Detection: Qakbot Worm (Example 3)
• Constantly adapting TTPs to avoid detection
• Active since 2011, taken down in 2014 only to re-emerge
• 500,000+ infected computers & significant profits from fraud
• Rootkit-capable to hide its presence; can spread through network shared drives and removable storage devices
• Steals user data and login credentials; may open a backdoor to track user activity or deliver additional malicious code
31. Example 3 (forensic detail): AFFECTING winnt://emeauser3, 9 THREAT 100% confidence
Activities (10), Domain (18), IPs (7), Autonomous system (4)
Autonomous systems: Amazon.com, Inc; RCS & RDS SA; Unified Layer
Domains: bnhrtqbyaujiujosnevtvn.info, ehawgbpcjefdjzxohshnmu.com, hwtmnipazuwtghl.biz, ibxyfokmjbxyfqikjiis.org, iyulawjlxbltrsut.com, julfmuljitllgtnop.biz, kkgjxxpt.biz, qfvkuoiasjqbmqrwx.info, vmdekoznnkqmerkch.net, wqdiulsyylepifnbkyatwqcr.com, olbkpxtpgckuoaharw.biz, vwnlzeuaaygbgahiwrmxsp.biz, rgfxyewwsvtaobjbdlxc.infio
IPs: 5.2.189.251, 86.124.164.25, 54.72.9.51, 69.89.31.210, 74.220.207.180
Activities: Communication to automatically gener… x7 (9, 8, 8, 8, 8, 8, 8)
32. Example 4
Local Context: The threat was first detected in your network on Mar 15, 2015 and last observed on Apr 17, 2015. A total of 1 user has shown this threat behavior within the past 45 days. The threat was also detected in 5+ other companies affecting 5+ other users.
Global Context: Also detected in 5+ other companies affecting 5+ other users.
Threat related to Dridex. Typically spread through spam campaigns, Dridex is a banking trojan whose main goal is to steal confidential information from the user about online banking and other payment systems. The trojan communicates with the command-and-control server using HTTP, P2P, or I2P protocols. Perform a full scan of the infected device for the record, and then reimage the device.
AFFECTING 1 user, 9 THREAT 100% confidence
33. Example 4 (forensic detail): AFFECTING winnt://emeauser4, 9 THREAT 100% confidence
Activities (14), Domain (10), IPs (10), Autonomous systems (7)
Autonomous systems: Amazon.com, Inc; LeaseWeb B.V.; intergenia AG; root SA; iWeb Technologies Inc.; Portlane Networks AB; Telenor Norge AS
IPs: 54.83.43.69, 95.211.239.228, 85.25.116.167, 178.162.209.40, 188.138.1.96, 94.242.233.162, 184.107.255.138, 193.105.134.63, 79.103.160.138, 88.208.57.103
Domains: qcnbmfvglhxlrorqolfxaeh.org, retufator.com, krjbjccop.com (the remaining entries are bare IP addresses with no domain)
Activities (each scored 9): Anomalous http traffic x2; Communication to automatically ge… x3; Http traffic to ip address (no domain… x3; Url string as communication channel x5
35. Current CWS and WSA customers: try a free evaluation of Cognitive Threat Analytics (CTA)
https://cisco.com/go/websecurity
https://cisco.com/go/cognitive
Net new customers above 1000 seats: contact your local sales representative for an evaluation
Editor's Notes
Thanks for taking the time to meet today to talk about Cisco Cloud Web Security Premium, or CWS Premium, from Cisco.
T: Let’s get started.
<click>
Today’s reality has 3 outcomes for your business:
Your environment will be breached
When it is, it will probably happen because of an infected email
And if hackers use command and control on your system, they will probably get access via web
T: All of this means, you need a smarter solution.
<click>
With CWS Premium, you get all the features of CWS Essentials and enhanced protection in the During and After phase through AMP and CTA.
<click>
T: Let’s dive deeper into AMP and CTA.
<click>
AMP and CTA sets CWS Premium apart from competitors’ solutions.
<click>
AMP increases resistance against direct attacks from the web with File Reputation, content analysis, and Retrospective Security.
<click>
CTA is a breach detection technology that detects anomalous activity. It identifies infections that may have bypassed the web infection vector, like infected emails, USB sticks, or other guest devices.
T: Now let’s take a look at the features that enable these benefits.
<click>
T: Let’s take a closer look at the capabilities of CTA.
<click>
In order to help you understand the threats on your system, CTA breaks all threats down into two categories: Confirmed and Detected.
Confirmed threats represent verified campaigns. With 100% confirmed breaches across multiple users you can quickly get a handle on the scope of the attack, as well as automate remediation across your system.
<click>
The dashboard tells you everything you need to know, including:
When the threat was first detected
When it was last observed
How many users are affected
And how prevalent the threat is at other companies
T: And the Detected Threats report gives you a similar breakdown.
<click>
Get insight into exactly what a threat is doing
See very specific behaviors, for example a particular file was added to a certain directory in a certain app or program
Lets you know that this particular threat performed this particular action at this time
Detected threats are not, or not yet confirmed as part of a larger campaign.
<click>
The dashboard provides you with as much information about the detected threats as possible so you can make an informed decision on how to proceed. The report includes:
Unique threats detected for individuals
Suspected threat confidence and risk levels
Forensic analysis to map the specific threat activities to domains, IPs, and autonomous systems
T: From end-to-end, CTA supports your entire system.
<click>
Starting with 10 billion requests a day, anomaly detection and trust modeling let you focus on the 1% of requests that actually matter.
<click>
Then, using event classification and entity modeling you can find out what type of threat it is, and where it is on your system.
Finally, using relationship modelling, you can understand if a threat is a one-off attack or part of a larger global campaign.
From 10 billion requests per day, down to 1-50 thousand incidents, CTA can comb through big data in near real-time.
This means you not only get the visibility you need, you get it when you need it.
T: Together, AMP and CTA help you determine the right course of action.
<click>
In the first layer of CTA, Anomaly Detection employs statistical machine learning methods in order to separate the statistically normal traffic from anomalous traffic.
40+ individual detectors process every HTTP or HTTPS request in the network. Typically, the Anomaly Detection layer processes 10 billion or more requests per day.
Each request is processed by all 40+ detectors, and each detector applies a different statistical algorithm.
Once the requests are processed, each detector provides an anomaly score, expressed as a number from 0-1, where 1 means highly anomalous.
<click>
The individual scores combine and produce one single score per individual request by again applying multiple statistical methods.
The aggregate score is then used to separate normal and anomalous traffic.
T: Only Cisco offers this multiple detector method.
<click>
The Anomaly Detection layer was designed to be a dynamic ensemble of specialized, statistical detectors. The approach is based on the assumption of algorithm independence.
<click>
Each algorithm has a certain probability of classifying a normal flow as anomalous, generating a false positive.
<click>
However, the probability that two or more independent algorithms would err on the same flow is significantly lower. Using multiple detectors increases the statistical significance of the overall anomaly score, by reducing the number of false negatives and false positives.
The ensemble design also allows us to make the individual algorithms more general, base them on repeatable fundamental principles, and achieve economies of scale by being able to deploy the system globally without any per-customer manual configuration. Ensemble systems are typically configured dynamically, or automatically, at deployment time.
While the anomaly detectors do contain highly condensed and anonymized states, they are still prone to fluctuations and false positives due to the natural irregularities that occur in web traffic.
T: CTA uses Trust Modeling to further reduce false positives.
<click>
Trust modeling groups similar requests together and aggregates the anomaly score for those groups as a long-term average.
We create an n-dimensional space from common properties of web flows. Requests carrying anomaly scores are mapped to a particular location in the space based on the requests’ properties. Similar looking flows create clusters.
The overall anomaly of each cluster is represented as an average of the individual requests’ anomaly scores.
<click>
Over time, more requests are mapped to the space to produce a long-term average anomaly score for each cluster, and reduce false positives and false negatives. For example, if there are six thousand similar anomalous requests and request six thousand and one is considered normal, the cluster will maintain an average score of anomalous, because all other similar requests were seen as anomalous.
Clusters with anomaly scores above a certain threshold move on to the next layer of processing. This threshold is determined dynamically by the system, and typically results in about 1% of traffic continuing on to the next steps.
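The two layers just described (an ensemble of independent detectors scoring every request, then trust modeling that clusters similar flows and keeps a long-term average before a dynamic threshold passes about 1% of traffic on) can be sketched in a few dozen lines. The block below is an added example written for this page, not Cisco's code: the five detectors, their score formulas, the two-highest-scores aggregation, the (host, first path segment, User-Agent) cluster key and the sample access log are all assumptions made here to illustrate the design, not the 40+ detectors the notes refer to.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from math import ceil, log2
import re

@dataclass(frozen=True)
class Request:
    client: str
    host: str
    path: str
    bytes_out: int      # bytes sent by the client
    bytes_in: int       # bytes returned by the server
    user_agent: str

IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
UA_BROWSER = "Mozilla/5.0 (Windows NT 6.1)"
UA_ODD = "Mozilla/4.0 (compatible; MSIE 6.0)"
BLOB = "q8Zt3LpV0xN7kRcY2mWbJ5hS9dFgA1uEoI4nTvK6yPzC" * 3   # constructed high-entropy URL payload

# Constructed sample access log (hypothetical hosts and addresses): six ordinary requests,
# then three from one client to a random-looking domain and to a bare IP with long URL payloads.
SAMPLE_LOG = [
    Request("10.0.0.5", "www.example.com", "/index.html", 400, 15000, UA_BROWSER),
    Request("10.0.0.5", "cdn.example.net", "/static/app.js", 380, 90000, UA_BROWSER),
    Request("10.0.0.7", "www.example.com", "/news/today.html", 420, 22000, UA_BROWSER),
    Request("10.0.0.7", "cdn.example.net", "/img/logo.png", 370, 8000, UA_BROWSER),
    Request("10.0.0.9", "www.example.com", "/index.html", 410, 15000, UA_BROWSER),
    Request("10.0.0.9", "cdn.example.net", "/static/site.css", 390, 12000, UA_BROWSER),
    Request("10.0.0.9", "xkqvzpytrowmbhsnlfcja.biz", "/MG/" + BLOB, 2000, 300, UA_ODD),
    Request("10.0.0.9", "xkqvzpytrowmbhsnlfcja.biz", "/MG/" + BLOB[::-1], 2100, 280, UA_ODD),
    Request("10.0.0.9", "198.51.100.23", "/c/" + BLOB[:40], 5000, 200, UA_ODD),
]

def shannon_entropy(text):
    n = len(text)
    return -sum(c / n * log2(c / n) for c in Counter(text).values()) if n else 0.0

def clip(x):
    return max(0.0, min(1.0, x))

def make_detectors(log):
    """Build the detector ensemble: each detector maps a Request to a score in [0, 1].
    The population statistics it needs come from the log itself, so nothing is configured
    per customer. All thresholds are assumptions for this example."""
    clients_per_ua = defaultdict(set)
    for r in log:
        clients_per_ua[r.user_agent].add(r.client)
    total_clients = len({r.client for r in log})

    def host_entropy(r):   # random-looking (DGA-style) domain labels
        label = max(r.host.split(".")[:-1], key=len, default="")
        if len(label) < 6 or IPV4.match(r.host):
            return 0.0
        return clip((shannon_entropy(label) - 2.5) / 1.5)

    def ip_literal(r):     # HTTP to a bare IP address with no domain name
        return 1.0 if IPV4.match(r.host) else 0.0

    def url_channel(r):    # long, high-entropy URL string used as a data channel
        return clip(len(r.path) / 200) * clip(shannon_entropy(r.path) / 5)

    def upload_ratio(r):   # the client sends far more than it receives
        return clip(2 * r.bytes_out / (r.bytes_out + r.bytes_in))

    def rare_agent(r):     # User-Agent seen from few clients in this network
        return 1.0 - len(clients_per_ua[r.user_agent]) / total_clients

    return [host_entropy, ip_literal, url_channel, upload_ratio, rare_agent]

def aggregate(scores):
    """One score per request: the mean of the two highest detector scores, so one detector
    misfiring on its own is not enough, but two independent detectors agreeing is."""
    top = sorted(scores, reverse=True)[:2]
    return sum(top) / len(top)

class TrustModel:
    """Maps each request to a point in a small feature space (host, first path segment,
    User-Agent) and keeps a long-term average anomaly score per cluster."""
    def __init__(self):
        self.total, self.count = defaultdict(float), defaultdict(int)

    @staticmethod
    def key(r):
        return (r.host, r.path.strip("/").split("/")[0], r.user_agent)

    def update(self, r, score):
        k = self.key(r)
        self.total[k] += score
        self.count[k] += 1
        return self.average(k)

    def average(self, k):
        return self.total[k] / self.count[k]

    def select_anomalous(self, fraction=0.01):
        """Dynamic threshold: keep the clusters in the top `fraction` (at least one)."""
        ranked = sorted(((self.average(k), k) for k in self.count), reverse=True)
        threshold = ranked[max(1, ceil(fraction * len(ranked))) - 1][0]
        return [(k, avg) for avg, k in ranked if avg >= threshold]

def score_log(log):
    """Layer 1 end to end: per-request ensemble scores plus the populated trust model."""
    detectors = make_detectors(log)
    model = TrustModel()
    scores = [aggregate([d(r) for d in detectors]) for r in log]
    for r, s in zip(log, scores):
        model.update(r, s)
    return scores, model

if __name__ == "__main__":
    _, model = score_log(SAMPLE_LOG)
    for key, avg in model.select_anomalous(0.01):
        print(f"{avg:.2f}  {key}")
```

Run as a script it prints the two clusters that survive the threshold (the random-looking domain and the bare IP, both with a long-term average of 1.0); the ordinary browsing clusters sit near zero. Adding a single normal-looking request to the random-domain cluster afterwards lowers its average only slightly, which is the long-term-memory behaviour the notes describe for the 6,001st request.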
T: The next processing feature is Event Classification.
<click>
As mentioned, the results of Trust Modeling are used to select a small subset of traffic.
This statistically anomalous subset is classified into 100 or more categories. Most classifiers look at an individual's behavior, or at group relationships and behavior on a local or global scale; others are very specific. For example, a classifier may indicate command and control traffic, a suspicious extension, or a legitimate software update.
The output of this phase is a set of classified anomalous events with security relevance.
T: In the next phase, these events are attributed to specific entities in order to identify threats.
<click>
If the amount of evidence supporting the malicious hypothesis about a specific entity exceeds the significance threshold, a threat is created. The classified events that contributed to the threat creation are linked to that threat, and become part of a long-term discrete model of the entity.
<click>
As evidence accumulates over time, the system creates new threats when the significance threshold is reached. This threshold is dynamic and intelligently adjusts based on threat risk level and other factors.
The threat is then visible in the web GUI and is available via STIX/TAXII API, including subsequent (post-threat creation) activities of the suspected hosts.
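As an added example of the event classification and entity modeling just described (not Cisco's code), the block below classifies anomalous events into a handful of categories, accumulates weighted evidence per entity, creates a threat once a risk-dependent significance threshold is crossed, links later events of that entity to the existing threat, and renders the threat as a minimal STIX 2.1 indicator of the kind a TAXII feed would carry. The category list, risk values, evidence weights, threshold rule, update-server allow-list, STIX object shape and the sample events are all assumptions made for this illustration.

```python
import json
import re
import uuid
from collections import defaultdict
from dataclasses import dataclass

IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
BASE64_RUN = re.compile(r"[A-Za-z0-9+/=]{40,}")   # long base64-like run inside a URL
VOWELS = set("aeiou")
UPDATE_HOSTS = {"update.example-vendor.com"}     # hypothetical list of legitimate updaters

# category -> (risk 0-10, evidence weight); the values are assumptions for this example
CATEGORIES = {
    "software_update": (0, 0.0),    # anomalous but benign: contributes no evidence
    "unclassified":    (3, 0.5),
    "http_to_bare_ip": (6, 1.0),
    "dga_domain":      (8, 1.5),
    "url_as_channel":  (9, 1.5),
}

@dataclass(frozen=True)
class Event:
    entity: str     # the user (or host) the event is attributed to
    host: str
    path: str
    score: float    # anomaly score carried over from the trust-modeling layer

def looks_generated(host):
    """Cheap DGA heuristic: a long, purely alphabetic label with very few vowels."""
    label = max(host.split(".")[:-1], key=len, default="")
    if len(label) < 12 or not label.isalpha():
        return False
    return sum(c in VOWELS for c in label) / len(label) < 0.3

def classify(e):
    """Assign one category. The benign explanation is tested first, then the most
    specific malicious patterns, so a known update server never becomes evidence."""
    if e.host in UPDATE_HOSTS:
        return "software_update"
    if BASE64_RUN.search(e.path):
        return "url_as_channel"
    if looks_generated(e.host):
        return "dga_domain"
    if IPV4.match(e.host):
        return "http_to_bare_ip"
    return "unclassified"

@dataclass
class Threat:
    entity: str
    events: list    # (Event, category) pairs linked to this threat

    @property
    def risk(self):
        return max(CATEGORIES[c][0] for _, c in self.events)

    def attack_nodes(self):
        return sorted({e.host for e, c in self.events if CATEGORIES[c][1] > 0})

class EntityModel:
    """Long-term evidence per entity. A Threat is created when the weighted evidence for
    the malicious hypothesis passes the significance threshold; the threshold drops once a
    high-risk category has been seen (assumed rule: 3.0 normally, 2.0 with risk >= 8)."""
    def __init__(self):
        self.evidence = defaultdict(float)
        self.pending = defaultdict(list)   # classified events with no threat yet
        self.threats = {}                   # entity -> Threat

    def observe(self, e):
        cat = classify(e)
        if e.entity in self.threats:        # post-creation activity stays linked
            self.threats[e.entity].events.append((e, cat))
            return self.threats[e.entity]
        self.pending[e.entity].append((e, cat))
        self.evidence[e.entity] += CATEGORIES[cat][1] * e.score
        high_risk = any(CATEGORIES[c][0] >= 8 for _, c in self.pending[e.entity])
        if self.evidence[e.entity] < (2.0 if high_risk else 3.0):
            return None
        threat = Threat(e.entity, self.pending.pop(e.entity))
        self.threats[e.entity] = threat
        return threat

def to_stix_indicator(threat, valid_from="2015-04-17T00:00:00Z"):
    """Minimal STIX 2.1 Indicator covering the threat's attack nodes (simplified shape;
    the timestamp is a placeholder, the id is derived deterministically)."""
    pattern = " OR ".join(
        f"[ipv4-addr:value = '{h}']" if IPV4.match(h) else f"[domain-name:value = '{h}']"
        for h in threat.attack_nodes())
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": "indicator--" + str(uuid.uuid5(uuid.NAMESPACE_URL, threat.entity + pattern)),
        "name": f"Breach detected for {threat.entity} (risk {threat.risk})",
        "pattern": pattern,
        "pattern_type": "stix",
        "valid_from": valid_from,
    }

# Constructed anomalous events, in the form the trust-modeling layer would hand over.
EVENTS = [
    Event("winnt://user1", "update.example-vendor.com", "/v2/patch.cab", 0.55),
    Event("winnt://user1", "xkqvzpytrowmbhsnlfcja.biz", "/MG/q8Zt3LpV0xN7kRcY2mWbJ5hS9dFgA1uEoI4nTvK6yPzC", 0.9),
    Event("winnt://user1", "198.51.100.23", "/gate.php", 0.8),
    Event("winnt://user2", "198.51.100.77", "/favicon.ico", 0.6),
]

if __name__ == "__main__":
    model = EntityModel()
    for threat in filter(None, (model.observe(e) for e in EVENTS)):
        print(json.dumps(to_stix_indicator(threat), indent=2))
```

For user1 the update download is classified as benign and contributes nothing; the URL-as-channel event alone is below the lowered threshold, and only the second malicious event pushes the evidence over it, at which point all three pending events become the threat record. user2's single request to a bare IP stays below threshold and creates no threat.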
T: The threats created in the Entity Modeling phase continue on to the next layer: Relationship Modeling.
<click>
The previous layers are capable of detecting both known and unknown threats. The goal of Relationship Modeling is to associate threats to known malware campaigns, in order to separate them from unknown threats that require different investigation and incident response processes.
The system uses Relationship Modeling so that it can identify that several independent threat actors use identical or similar malware components, and is able to distinguish between them.
In this example...
<click>
At Company A, we see two incidents of Threat Type 1 that are attributed to the same attack node. The attack node is either a domain or IP address. These two incidents are linked based on the local behavioral similarity of the threats.
At Company B, we see an incident of Threat Type 1 attributed to a different attack node. This incident is linked to the incidents at Company A based on global behavioral similarity.
At Company C, we see Threat Type 2. Because this incident is behaviorally similar to the incidents we see in Companies A and B, they are linked. We can extrapolate that they share threat infrastructure because similarly behaving threats came from different attack nodes.
To summarize, relationship modeling is based on the behavioral similarity of incidents.
T: Building this relationship model between incidents allows you to map the full threat infrastructure of the threat campaign.
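The Company A / B / C walk-through above, as an added example written for this page (not Cisco's implementation): incidents are linked by behavioral similarity (local within a company, global across companies) or by a shared attack node, and the connected components of that link graph are reported as campaigns with their full infrastructure. The incidents, the behaviour fingerprints, the Jaccard similarity measure and the 0.6 threshold are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from itertools import combinations

@dataclass(frozen=True)
class Incident:
    id: str
    company: str
    attack_node: str        # the domain or IP the threat talked to
    behaviors: frozenset    # categories of the classified events behind the threat

def jaccard(a, b):
    return len(a & b) / len(a | b) if a | b else 0.0

def link_reason(a, b, threshold=0.6):
    """Why two incidents are linked, or None. Behavioral similarity is 'local' inside one
    company and 'global' across companies; a shared attack node links incidents even when
    their behavior differs (infrastructure correlation)."""
    if jaccard(a.behaviors, b.behaviors) >= threshold:
        return "local behavioral similarity" if a.company == b.company else "global behavioral similarity"
    if a.attack_node == b.attack_node:
        return "shared threat infrastructure"
    return None

class UnionFind:
    def __init__(self, n):
        self.parent = list(range(n))

    def find(self, i):
        while self.parent[i] != i:
            self.parent[i] = self.parent[self.parent[i]]
            i = self.parent[i]
        return i

    def union(self, i, j):
        self.parent[self.find(i)] = self.find(j)

def build_campaigns(incidents, threshold=0.6):
    """Connected components of the link graph are campaigns; an incident linked to nothing
    is a one-off. Returns (campaigns, links), campaigns sorted by their incident ids."""
    uf, links = UnionFind(len(incidents)), []
    for (i, a), (j, b) in combinations(enumerate(incidents), 2):
        reason = link_reason(a, b, threshold)
        if reason:
            uf.union(i, j)
            links.append((a.id, b.id, reason))
    groups = defaultdict(list)
    for i, inc in enumerate(incidents):
        groups[uf.find(i)].append(inc)
    campaigns = [{
        "incidents": sorted(m.id for m in members),
        "companies": sorted({m.company for m in members}),
        "infrastructure": sorted({m.attack_node for m in members}),
        "campaign": len(members) > 1,
    } for members in groups.values()]
    return sorted(campaigns, key=lambda c: c["incidents"]), links

# Constructed incidents mirroring the example in the notes: Company A sees Threat Type 1
# twice on Attack Node 1, Company B sees Type 1 on Attack Node 2, Company C sees the
# related Type 2 on Attack Node 2; Company D's incident resembles none of them.
TYPE_1 = frozenset({"dga_domain", "url_as_channel", "http_to_bare_ip"})
TYPE_2 = frozenset({"dga_domain", "url_as_channel"})
INCIDENTS = [
    Incident("A1", "Company A", "attack-node-1.example", TYPE_1),
    Incident("A2", "Company A", "attack-node-1.example", TYPE_1),
    Incident("B1", "Company B", "attack-node-2.example", TYPE_1),
    Incident("C1", "Company C", "attack-node-2.example", TYPE_2),
    Incident("D1", "Company D", "198.51.100.99", frozenset({"http_to_bare_ip"})),
]

if __name__ == "__main__":
    campaigns, links = build_campaigns(INCIDENTS)
    for c in campaigns:
        print(c)
    for a, b, why in links:
        print(f"{a} <-> {b}: {why}")
```

The result is one campaign spanning Companies A, B and C whose infrastructure is both attack nodes, and a separate one-off for Company D that would go down the unknown-threat investigation path instead.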
<click>
Here’s an example of a modern attack utilizing Domain Generation Algorithms, or DGA, and data tunneling to communicate with domains.
The attacker maintains five servers distributed across various countries. Some of these servers function as a command and control channel and others are used to receive captured data.
Domain registrations can be automated, so we can see one of the domains has an age of 1 day. Time plays an important role here, because global Web Reputation will start picking up the malicious activity and lower this domain’s score quite quickly.
The current reputation scores reveal that some of the infrastructure has been detected as malicious and blocked by Web Reputation, while other parts may have a good or unknown reputation but may still be blocked by the antivirus engines, Outbreak Intelligence, or AMP.
The rest of the infrastructure is not blocked, and this is where CTA comes into play. Not only will it flag those servers and domains, it will also shed light on how big the campaign is and how it evolved over time.
T: Now that we’ve detailed the individual layers of CTA’s breach detection technology, let’s look at the process from a high level.
<click>