TechWiseTV Workshop: Encrypted Traffic Analytics
TRANSCRIPT
Hands on Encrypted Traffic Analytics
January 17, 2018
© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Networks are becoming more and more opaque
New threat landscape
Organizations are at risk: 38% decrypt their traffic, 62% do not decrypt.
New attack vectors:
• Employees browsing over HTTPS: malware infection, covert channel with command and control server, data exfiltration
• Employees on internal network connecting to DMZ servers: lateral propagation of encrypted threats
Figures shown on the slide (41%, 81%, 64%; source: Ponemon Report, 2016):
• cannot detect malicious content in encrypted traffic
• of attackers used encryption to evade detection
• of organizations have been victims of a cyber attack
A growing problem: malware in encrypted traffic
Web traffic: >55% encrypted (May 2017); >80% encrypted (2019)
Effective security depends on total visibility
[Network diagram: Users, HQ, Data Center, Admin, Branch, Roaming Users, Cloud]
• RECORD every conversation
• Understand what is NORMAL
• Be alerted to CHANGE
• KNOW every host
• Respond to THREATS quickly
Privacy AND Security
Now Available: Cisco Encrypted Traffic Analytics
Industry’s first network with the ability to find threats in encrypted traffic without decryption
Avoid, stop, or mitigate threats faster than ever before | Real-time flow analysis for better visibility
[Diagram: encrypted traffic alongside non-encrypted traffic]
Malware Detection
Known malware traffic and known benign traffic → extract observable features in the data → employ machine learning techniques to build detectors → known malware sessions detected in encrypted traffic with high accuracy
“Identifying Encrypted Malware Traffic with Contextual Flow Data”, AISec ’16 | Blake Anderson, David McGrew (Cisco Fellow), Cisco Research
Finding malicious activity in encrypted traffic
Cisco Stealthwatch®: machine learning, malware detection and cryptographic compliance
Telemetry Exporter*: NetFlow and enhanced NetFlow; telemetry for encrypted malware detection and cryptographic compliance
* Catalyst, ISR, ASR, CSR are supported
• Enhanced analytics and machine learning
• Global-to-local knowledge correlation
• Enhanced NetFlow from Cisco’s newest switches and routers
• Continuous enterprise-wide compliance
Leveraged network metadata | Faster investigation | Higher precision | Stronger protection
How can we inspect encrypted traffic?
• Initial data packet: make the most of the unencrypted fields
• Sequence of packet lengths and times: identify the content type through the size and timing of packets
• Global Risk Map: who’s who of the Internet’s dark side; broad behavioral information about the servers on the Internet
[Illustrated flows: self-signed certificate, data exfiltration, C2 message]
Threat discrimination through correlation
Global Risk Map + Initial Data Packet + Sequence of Packet Lengths and Times → multi-layer machine learning
Extended Enterprise Network Visibility
News: ETA expands into the cloud and branch office
Campus: Catalyst 9000 | Branch: ISR & ASR (NEW) | Cloud: CSR 1000V (NEW)
Encrypted Traffic Analytics Telemetry
Encrypted Traffic Analytics Overview
Data: exporters of NetFlow (routers/switches, packet capture devices, other exporters)
Features: ETA enhanced analytics over the flow record: srcIP, dstIP, srcPort, dstPort, prot, startTime, stopTime, numBytes, numPackets, IDP, SPLT, BD*
Outcomes: analytics for cryptographic compliance and malware detection
Initial Data Packet (IDP): the first packets of any connection contain valuable data about the content.
Sequence of Packet Lengths and Times (SPLT): the SPLT field gives us visibility beyond the first packet of the encrypted flows.
Byte Distribution (BD): the BD keeps a count for each byte value encountered in the payloads of the packets of the flow being analyzed.
*BD in fast follow release
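An added example (not Cisco or Stealthwatch code) of how the SPLT and BD fields described above can be derived from a flow; the sample flow, the signed-length direction convention and the ten-packet SPLT cap are assumptions for illustration.

```python
import math
from collections import Counter

SPLT_MAX_PACKETS = 10  # assumed cap on how many payload packets SPLT records

# Constructed TLS flow: (relative time in ms, direction, payload bytes).
SAMPLE_FLOW = [
    (0.0,  "c2s", bytes.fromhex("160301") + bytes(range(200))),       # ClientHello, 203 B
    (12.0, "s2c", bytes.fromhex("160303") + bytes(range(100)) * 15),  # ServerHello+cert, 1503 B
    (13.0, "c2s", b""),                                               # bare ACK, no payload
    (30.0, "c2s", bytes.fromhex("170303") + bytes(range(50))),        # application data, 53 B
]

def splt(packets, max_packets=SPLT_MAX_PACKETS):
    """SPLT: [(signed length, inter-arrival ms)] for the first payload-carrying
    packets; client-to-server lengths are positive, server-to-client negative."""
    seq, prev_t = [], None
    for t, direction, payload in packets:
        if not payload:                    # ACKs carry no application data
            continue
        gap = 0.0 if prev_t is None else t - prev_t
        sign = 1 if direction == "c2s" else -1
        seq.append((sign * len(payload), gap))
        prev_t = t
        if len(seq) == max_packets:
            break
    return seq

def byte_distribution(packets):
    """BD: count of each byte value 0..255 over every payload in the flow."""
    counts = Counter()
    for _, _, payload in packets:
        counts.update(payload)
    return [counts.get(b, 0) for b in range(256)]

def byte_entropy(bd):
    """Shannon entropy (bits per byte) of a BD; near 8.0 for well-encrypted
    payload, markedly lower for plaintext or structured data."""
    total = sum(bd)
    return -sum(c / total * math.log2(c / total) for c in bd if c)

if __name__ == "__main__":
    print("SPLT:", splt(SAMPLE_FLOW))
    bd = byte_distribution(SAMPLE_FLOW)
    print("BD total bytes:", sum(bd), "entropy:", round(byte_entropy(bd), 2))
```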
Initial Data Packet
• HTTPS header contains several information-rich fields
• Server name provides domain information
• Crypto information educates us on client and server behavior and application identity
• Certificate information is similar to whois information for a domain
• And much more can be understood when we combine the information with global data
SPLT shows TLS metadata differences
[Chart: client sent packets vs. server received packets for Google search, page download, exfiltration & keylogging, initiate command & control, and the model]
Packet lengths, arrival times and durations tend to be inherently different for malware than for benign traffic.
Behavioral Patterns w.r.t. SPLT (Packet Lengths/Times)
[Chart panels: Bestafera (self-signed certificate, data exfiltration, C2 message); Firefox self-repair (initial page load, Firefox real-time feedback); Google search (page refresh, autocomplete). Red = unencrypted handshake messages]
Power of multi-layer machine learning: Threat Analytics at Scale
Inputs: Internet scrapers, Encrypted Traffic Analytics, Threat Grid
Techniques: anomaly detection, trust modeling, event classification, entity modeling, relationship modeling, global risk map, threat correlation
Pipeline (Layer 1 → Layer 2 → Layer 3; axes: telemetry, features, threat context, incidents): processed NetFlow + proxy (weblog) → anomalous requests → malicious events (telemetry sequences) → threat incidents (aggregated events)
Scale: 10B requests per day → 50,000 incidents per day
Cryptographic Compliance
[Illustration: two encrypted flows and the TLS metadata extracted from each]
Flow 1: Encryption TLS/SSL version: TLS 1.2 | Encryption key exchange: RSA | Encryption algorithm and key length: RSA_128
Flow 2: Encryption TLS/SSL version: NONE | Encryption key exchange: RSA | Encryption algorithm and key length: RSA_128
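One way to turn the unencrypted ClientHello metadata into a cryptographic-compliance check of the kind described above, as an added example (not Cisco or Stealthwatch code): it parses a constructed TLS record and flags legacy versions and weak or non-forward-secret cipher suites. The cipher-suite table, the sample records and the policy thresholds are assumptions.

```python
import struct

VERSIONS = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}
# (key exchange, cipher, key bits) for a few IANA cipher suite IDs (assumed subset)
SUITES = {
    0x0004: ("RSA", "RC4", 128),       0x000a: ("RSA", "3DES", 112),
    0x002f: ("RSA", "AES-CBC", 128),   0x0035: ("RSA", "AES-CBC", 256),
    0xc02f: ("ECDHE", "AES-GCM", 128), 0xc030: ("ECDHE", "AES-GCM", 256),
}

def parse_client_hello(rec):
    """Return (client version, [cipher suite ids]) from a TLS record carrying a ClientHello."""
    ctype, _rec_ver, _rec_len = struct.unpack("!BHH", rec[:5])
    if ctype != 0x16 or rec[5] != 0x01:            # handshake record, ClientHello type
        raise ValueError("not a ClientHello")
    client_ver = struct.unpack("!H", rec[9:11])[0]
    pos = 11 + 32                                  # skip the 32-byte client random
    pos += 1 + rec[pos]                            # skip the session id
    n = struct.unpack("!H", rec[pos:pos + 2])[0]
    suites = [struct.unpack("!H", rec[i:i + 2])[0] for i in range(pos + 2, pos + 2 + n, 2)]
    return client_ver, suites

def compliance_findings(rec, min_version=0x0303, min_key_bits=128):
    """Policy violations visible in the ClientHello. Assumed policy: TLS 1.2+,
    forward-secret key exchange, no RC4/3DES, keys of at least 128 bits."""
    ver, suites = parse_client_hello(rec)
    findings = []
    if ver < min_version:
        findings.append(f"legacy version {VERSIONS.get(ver, hex(ver))}")
    for s in suites:
        kx, cipher, bits = SUITES.get(s, ("unknown", "unknown", 0))
        if kx == "RSA":
            findings.append(f"0x{s:04x}: RSA key exchange (no forward secrecy)")
        if cipher in ("RC4", "3DES") or bits < min_key_bits:
            findings.append(f"0x{s:04x}: weak cipher {cipher}/{bits}")
    return findings

def build_client_hello(version, suite_ids):
    """Constructed ClientHello record (no extensions) used as sample input."""
    body = struct.pack("!H", version) + bytes(32) + b"\x00"   # version, random, empty session id
    body += struct.pack("!H", 2 * len(suite_ids)) + b"".join(struct.pack("!H", s) for s in suite_ids)
    body += b"\x01\x00"                                       # one compression method: null
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", 0x16, 0x0301, len(hs)) + hs

if __name__ == "__main__":
    for label, rec in (("legacy", build_client_hello(0x0301, [0x0004, 0x002f])),
                       ("modern", build_client_hello(0x0303, [0xc02f, 0xc030]))):
        print(label, compliance_findings(rec) or ["compliant"])
```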
Demonstration
What do you buy? Licensing, packaging…
Solution element | Software version | License
Enterprise switches (Cisco® Catalyst® 9000 Series)* | Cisco IOS® XE 16.6.1+ | Included in Cisco DNA™ Advantage license / Cisco ONE™ Advanced
Branch routers (ASR 1000 Series, 4000 Series ISR, CSR, ISRv, 1100 Series ISR)** | Cisco IOS XE 16.6.2+ | Included in SEC/k9 license / Cisco ONE Foundation
Stealthwatch Enterprise | v6.9.2+ | Management Console, Flow Collector, Flow Rate License
*C9300 series with 16.6.1, C9400 series available with 16.6.2
**Available for Proof of Concept (PoC) with 16.6.1, general availability in 16.6.2
C97-739122-01 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Next Steps
Learn more about ETA
http://www.cisco.com/go/eta
Thank you for watching!