Identify Zero-Day Breaches with Cognitive Threat Analytics on Cisco Web Security

Petr Cernohorsky, Product Manager, October 2015

Transcript of Identify Zero-Day Breaches with Cognitive Threat Analytics on Cisco Web Security

Page 1: Identify Zero-Day Breaches with Cognitive Threat Analytics on Cisco Web Security

Identify Zero-Day Breaches with Cognitive Threat Analytics (CTA) on Cisco Web Security

Page 2: Identify Zero-Day Breaches with Cognitive Threat Analytics on Cisco Web Security

There’s a new cyber-threat reality

• Hackers will likely command and control your environment via web
• You’ll most likely be infected via email
• Your environment will get breached

Page 3: Identify Zero-Day Breaches with Cognitive Threat Analytics on Cisco Web Security

CTA & AMP on Cisco Web Security

[Architecture diagram; labels recovered from the slide] Deployment points: Campus Office, Branch Office, HQ, Roaming User. Traffic redirection via ASA, standalone WSA, ISR G2 and AnyConnect. Policy outcomes: Allow, Warn, Block, Partial Block. Admin functions: Reporting, Log Extraction, Management. Protection stages Before, During and After, with capabilities Web Reputation, Web Filtering, Application Visibility & Control, Anti-Malware, File Reputation, Webpage Outbreak Intelligence, Dynamic Malware Analysis, File Retrospection and Cognitive Threat Analytics (STIX / TAXII APIs), backed by Talos intelligence.

Page 4: Identify Zero-Day Breaches with Cognitive Threat Analytics on Cisco Web Security

CTA & AMP on Cisco Web Security (layered view)

[Same architecture diagram as the previous slide, with the During / After analysis layers called out]
• AMP: File Reputation, Dynamic Malware Analysis, File Retrospection
• CTA Layer 1: Anomaly detection, Trust modeling
• CTA Layer 2: Event classification, Entity modeling
• CTA Layer 3: Relationship modeling

Page 5: Identify Zero-Day Breaches with Cognitive Threat Analytics on Cisco Web Security

CTA & AMP Working Together

[Diagram: attack paths into the environment (direct attack from the web; infected email or USB stick; threat infrastructure used for Command & Control, Domain Generated Algorithm and Tunneling); AMP and CTA report to the Admin over STIX / TAXII (APIs)]

AMP: Increase resistance against direct attacks from the web with:
• File reputation
• Dynamic Malware Analysis
• File retrospection

CTA: Identify breaches using anomaly detection and network traffic analysis. Visibility into threats that may have bypassed the web infection vector, like infected email, USB stick or guest devices.

Page 6: Identify Zero-Day Breaches with Cognitive Threat Analytics on Cisco Web Security

Cognitive Threat Analytics: Layered Processing Engine & Scalable Cloud Infrastructure

[Funnel diagram: 10B requests per day in, 20K incidents per day out; axes labelled Recall and Precision]
• Layer 1 (CTA): Anomaly detection, Trust modeling. Output: Anomalous web requests (flows)
• Layer 2 (CTA): Event classification, Entity modeling. Output: Malicious events (flow sequences)
• Layer 3 (CTA): Relationship modeling. Output: Threat incidents (aggregated events)

Page 7: Identify Zero-Day Breaches with Cognitive Threat Analytics on Cisco Web Security

Cognitive Threat Analytics for CWS, WSA, and External Telemetry

[Data-flow diagram]
Input telemetry (Web Access Logs) from web security gateways: Cisco WSA (Web Security Appliance), Cisco CWS (Cloud Web Security), External Telemetry (BlueCoat Sec. GW).
Cisco Cognitive Threat Analytics (CTA), running in the cloud, performs Breach Detection & Advanced Threat Visibility and produces Confirmed Threats, Detected Threats and Threat Alerts for Incident Response; results are exported over the STIX / TAXII API to SIEMs: Splunk, ArcSight, Q1 Radar, ...
Licensing: CTA a-la-carte; ATD bundle = CTA & AMP; WSP bundle = CWS & ATD.

Page 8: Identify Zero-Day Breaches with Cognitive Threat Analytics on Cisco Web Security

CTA presents results in two categories: Confirmed Threats

Confirmed Threats - Threat Campaigns
• Threats spanning across multiple users
• 100% confirmed breaches
• For automated processing leading to fast reimage / remediation
• Contextualized with additional Cisco Collective Security Intelligence

Page 9: Identify Zero-Day Breaches with Cognitive Threat Analytics on Cisco Web Security

AMP Threat Grid augments CTA reporting

AMP Threat Grid aids forensic work on the endpoint by presenting:
• Associated threat artifacts from AMP Threat Grid, exhibiting network behaviors matching the CONFIRMED CTA threat
• Content security signatures for these associated threat samples globally
• Insights into exactly what a threat is doing (end-point behaviors)

Page 10: Identify Zero-Day Breaches with Cognitive Threat Analytics on Cisco Web Security

CTA presents results in two categories: Detected Threats

Detected Threats – One-off Threats
• Unique threats detected for individuals
• Suspected threat confidence and risk levels provided
• For semi-automated processing
• Very little or no additional security context exists

Page 11: Identify Zero-Day Breaches with Cognitive Threat Analytics on Cisco Web Security

Here’s an example of how it works

[Pipeline diagram: a stream of HTTP(S) requests flows through Anomaly Detection, Trust Modeling, Classification, Entity Modeling and Relationship Modeling; intermediate stages are labelled Classifier A, H, K, M, X, Z and Cluster 1, 2, 3]

Near real-time processing:
• 10B requests per day, of which +/- 1% is anomalous
• 10M events per day
• 1K-50K incidents per day

Output: CONFIRMED threats (spanning multiple users) and DETECTED threats (unique).

Page 12: Identify Zero-Day Breaches with Cognitive Threat Analytics on Cisco Web Security

© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

CTA Deep-Dive

Page 13: Identify Zero-Day Breaches with Cognitive Threat Analytics on Cisco Web Security

Identify suspicious traffic with Anomaly Detection (CTA Layer 1)

[Diagram: incoming HTTP(S) requests are separated into Normal, Unknown and Anomalous]

Anomaly Detection
• 10B+ requests are processed daily by 40+ detectors
• Each detector provides its own anomaly score
• Aggregated scores are used to segregate the normal traffic

Page 14: Identify Zero-Day Breaches with Cognitive Threat Analytics on Cisco Web Security

Multiple detectors & Trust Modeling (CTA Layer 1)

• Each HTTP(S) request is scanned by 40+ detectors, each with a unique algorithm
• Multiple detectors increase the statistical significance of the anomaly score, reducing the number of false negatives and false positives

Examples of Anomaly Detection output (HTTP, real and synthetic malware)

[Two histograms of # of web requests against anomaly score (0 to 1.0), one for a single detector and one for multiple detectors & trust modeling. Each has a dynamic threshold separating Normal from Anomalous; the annotations mark the false negatives and false positives relative to that threshold, the false positives being later removed after further processing.]
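The multi-detector scoring and dynamic threshold described on this and the previous slide, as an added example that is not Cisco's code and not CTA's detectors: four illustrative detectors (direct-to-IP host, URL length, consonant runs in the host name, mixed case in the path), mean aggregation, and a threshold derived from the batch itself (median plus three median absolute deviations, with a small floor; all of these choices are assumptions). The batch of proxy records is constructed. Running the same batch through one detector only reproduces the false negative the slide warns about.

```python
"""Multi-detector anomaly scoring over web proxy records (added example)."""
import re
from dataclasses import dataclass
from statistics import median

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
VOWELS = set("aeiou")


@dataclass(frozen=True)
class WebRequest:
    user: str
    host: str
    path: str  # path including the query string


# --- Detectors. Each maps one request to a score in [0, 1]. The four formulas
# --- are illustrative assumptions, not the detectors CTA runs.

def ip_host(req):
    """Traffic straight to an IP address, with no domain name."""
    return 1.0 if IPV4.match(req.host) else 0.0


def long_url(req):
    """Very long URLs are rare in ordinary browsing; saturates at 120 characters."""
    return min(1.0, len(req.path) / 120.0)


def consonant_run(req):
    """Long consonant runs are typical of algorithmically generated host names."""
    longest = run = 0
    for ch in req.host.lower():
        if ch.isalpha() and ch not in VOWELS:
            run += 1
            longest = max(longest, run)
        else:
            run = 0
    return min(1.0, longest / 8.0)


def mixed_case(req):
    """Encoded payloads in the URL mix upper and lower case; normal paths are lowercase."""
    letters = [c for c in req.path if c.isalpha()]
    if not letters:
        return 0.0
    upper = sum(1 for c in letters if c.isupper())
    return min(1.0, 2.0 * upper / len(letters))  # 50% uppercase saturates the score


ALL_DETECTORS = (ip_host, long_url, consonant_run, mixed_case)


def aggregate_score(req, detectors=ALL_DETECTORS):
    """Aggregated anomaly score: the mean of the individual detector scores (assumption)."""
    return sum(d(req) for d in detectors) / len(detectors)


def dynamic_threshold(scores, k=3.0, floor=0.05):
    """Threshold derived from the batch: median + k * MAD. The median and MAD are
    robust to the few anomalies that would inflate a mean/stdev threshold (assumption)."""
    med = median(scores)
    mad = median([abs(s - med) for s in scores])
    return med + max(k * mad, floor)


def flag_anomalies(requests, detectors=ALL_DETECTORS, k=3.0):
    """Return (threshold, [requests whose aggregated score exceeds the threshold])."""
    scored = [(aggregate_score(r, detectors), r) for r in requests]
    threshold = dynamic_threshold([s for s, _ in scored], k)
    return threshold, [r for s, r in scored if s > threshold]


# Constructed sample batch (not real telemetry): six ordinary requests, one
# direct-to-IP request carrying a long encoded blob, one DGA-looking host.
ENCODED_BLOB = "aBcDeFgHiJkLmNoPqRsTuVwXyZ0123+/" * 4  # stands in for an encoded payload
SAMPLE = [
    WebRequest("alice", "news.site.test", "/world/2015/10/story.html"),
    WebRequest("alice", "update.vendor.test", "/v9/manifest.json"),
    WebRequest("bob", "ocsp.ca.test", "/status?serial=1234"),
    WebRequest("bob", "cdn.media.test", "/images/logo.png"),
    WebRequest("carol", "mail.site.test", "/inbox"),
    WebRequest("carol", "wiki.site.test", "/wiki/anomaly_detection"),
    WebRequest("dave", "203.0.113.7", "/MG/" + ENCODED_BLOB),
    WebRequest("erin", "xkqvzrtbpwd.test", "/"),
]

if __name__ == "__main__":
    for detectors in ((long_url,), ALL_DETECTORS):
        thr, flagged = flag_anomalies(SAMPLE, detectors)
        names = ", ".join(d.__name__ for d in detectors)
        print(f"{names}: threshold={thr:.3f} flagged={[r.host for r in flagged]}")
```

With all four detectors the threshold lands near 0.17 and both constructed bad requests clear it while every ordinary request stays below it; with `long_url` alone the DGA-looking host (short path, score near zero) is missed. A per-batch threshold of this kind must be recomputed as traffic shifts, which is what the slide's "dynamic threshold" label refers to.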

Page 15: Identify Zero-Day Breaches with Cognitive Threat Analytics on Cisco Web Security

Reduce false positives with Trust Modeling (CTA Layer 1)

[Diagram: requests grouped into clusters, each cluster labelled Normal, Unknown or Anomalous]

Trust Modeling
• HTTP(S) requests with similar attributes are clustered together
• Over time, the clusters adjust their overall anomaly score as new requests are added
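The clustering step described above, as an added example (not Cisco's code): requests that share a host and a path shape are folded into one cluster whose anomaly score is the running mean of its members' per-request scores, and the cluster is labelled Normal, Unknown or Anomalous. The cluster key, the threshold of 0.5 and the minimum support of three requests before a cluster is trusted are assumptions; the scored request stream is constructed. It shows how one request that scored high on its own is absorbed by a cluster of benign siblings.

```python
"""Trust modeling: cluster similar requests and let each cluster's anomaly score
settle as more requests arrive (added example)."""
import re
from collections import defaultdict
from dataclasses import dataclass

DIGITS = re.compile(r"\d+")


def cluster_key(host, path):
    """Attribute key for 'similar' requests: same host and same path shape, with
    numeric segments collapsed and the query string dropped (assumption)."""
    template = DIGITS.sub("N", path.split("?", 1)[0])
    return (host, template)


@dataclass
class Cluster:
    count: int = 0
    score: float = 0.0  # running mean of the member requests' anomaly scores

    def add(self, request_score):
        self.count += 1
        self.score += (request_score - self.score) / self.count
        return self.score


class TrustModel:
    """Verdict per cluster: 'anomalous' at or above the threshold, 'unknown' while
    the cluster has too few members to be trusted, 'normal' otherwise (assumed rules)."""

    def __init__(self, threshold=0.5, min_support=3):
        self.clusters = defaultdict(Cluster)
        self.threshold = threshold
        self.min_support = min_support

    def observe(self, host, path, request_score):
        """Fold one scored request into its cluster; return the cluster's new score."""
        return self.clusters[cluster_key(host, path)].add(request_score)

    def verdict(self, host, path):
        cluster = self.clusters.get(cluster_key(host, path))
        if cluster is None or cluster.count < self.min_support:
            return "unknown"
        return "anomalous" if cluster.score >= self.threshold else "normal"


# Constructed stream of (host, path, per-request anomaly score). The first
# update-check request scored high on its own; its nine siblings are benign.
STREAM = [("update.vendor.test", "/v9/manifest.json?nonce=8813", 0.8)]
STREAM += [("update.vendor.test", f"/v{n}/manifest.json?nonce={n * 7}", 0.1) for n in range(9)]
STREAM += [("203.0.113.7", f"/MG/{n}", 0.75) for n in range(3)]
STREAM += [("cdn.media.test", "/images/logo.png", 0.2)]


def run(stream=STREAM):
    """Replay a scored stream through a fresh model and return the model."""
    model = TrustModel()
    for host, path, score in stream:
        model.observe(host, path, score)
    return model


if __name__ == "__main__":
    model = run()
    for key, cluster in model.clusters.items():
        print(key, cluster.count, round(cluster.score, 3), model.verdict(*key))
```

After the whole stream the update-check cluster holds ten requests with a mean score of 0.17 and is Normal even though its first member scored 0.8; the direct-to-IP cluster stays Anomalous at 0.75; the single CDN request is Unknown until more evidence arrives, which is the state the slide's diagram shows for fresh clusters.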

Page 16: Identify Zero-Day Breaches with Cognitive Threat Analytics on Cisco Web Security

Categorize requests with Event Classification (CTA Layer 2)

[Diagram: classified clusters and their outcomes]
• Keep as legitimate: Media website, Software update, Certificate status check
• Alert as malicious: Tunneling, Domain generated algorithm, Command and control
• Keep as suspicious: Suspicious extension, Repetitive requests, Unexpected destination

Event Classification
• 100+ classifiers are applied to a small subset of the anomalous and unknown clusters
• Requests’ anomaly scores update based on their classifications

Page 17: Identify Zero-Day Breaches with Cognitive Threat Analytics on Cisco Web Security

Attribute anomalous requests to endpoints and identify threats with Entity Modeling (CTA Layer 2)

[Diagram: anomalous HTTP(S) requests grouped per endpoint; some groups are marked THREAT]

Entity Modeling
• A threat is triggered when the significance threshold is reached
• New threats are triggered as more evidence accumulates over time
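Event classification and entity modeling, the two Layer 2 steps on this and the previous slide, as one added example that is not Cisco's code: six rule-based classifiers stand in for the 100+ real ones and label a flow sequence as legitimate, suspicious or malicious (certificate status check and software update are kept as legitimate; tunneling and command and control are alerted as malicious; repetitive requests and unexpected destination are kept as suspicious), the event's score is updated by its verdict, and evidence accumulates per user until a significance threshold triggers a THREAT, with a further threat each time another threshold's worth of evidence arrives. The rules, the score multipliers, the threshold of 1.5 and the sample events are all assumptions or constructed.

```python
"""Event classification followed by per-endpoint entity modeling (added example)."""
import re
from collections import defaultdict
from dataclasses import dataclass

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


@dataclass(frozen=True)
class Flow:
    ts: float  # seconds
    host: str
    path: str


@dataclass
class Event:
    """A flow sequence for one user that anomaly detection already flagged."""
    user: str
    flows: list
    score: float


# --- Classifiers (assumed rules, not CTA's): each returns (label, verdict) or None.

def certificate_status_check(ev):
    if all(f.host.startswith("ocsp.") for f in ev.flows):
        return ("certificate status check", "legitimate")

def software_update(ev):
    if all(f.host.startswith("update.") and f.path.endswith(".json") for f in ev.flows):
        return ("software update", "legitimate")

def tunneling(ev):
    # an opaque query string of 100+ characters carries data, not parameters
    if any(len(f.path.split("?", 1)[1]) >= 100 for f in ev.flows if "?" in f.path):
        return ("tunneling", "malicious")

def command_and_control(ev):
    # beaconing: four or more requests at a regular interval (within 10%)
    ts = sorted(f.ts for f in ev.flows)
    if len(ts) < 4:
        return None
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    mean = sum(gaps) / len(gaps)
    if mean > 0 and max(abs(g - mean) for g in gaps) <= 0.1 * mean:
        return ("command and control", "malicious")

def repetitive_requests(ev):
    if len(ev.flows) >= 4 and len({(f.host, f.path) for f in ev.flows}) == 1:
        return ("repetitive requests", "suspicious")

def unexpected_destination(ev):
    if any(IPV4.match(f.host) for f in ev.flows):
        return ("unexpected destination", "suspicious")

CLASSIFIERS = (certificate_status_check, software_update, tunneling,
               command_and_control, repetitive_requests, unexpected_destination)


def classify(ev):
    """Run every classifier. A malicious hit wins; otherwise a legitimate explanation
    dismisses weaker suspicious hits; otherwise the event stays suspicious. The
    score update per verdict is an assumption. Returns (labels, verdict, score)."""
    hits = [h for h in (c(ev) for c in CLASSIFIERS) if h]
    verdicts = {v for _, v in hits}
    if "malicious" in verdicts:
        verdict, score = "malicious", max(ev.score, 0.9)
    elif "legitimate" in verdicts:
        verdict, score = "legitimate", ev.score * 0.2
    else:
        verdict, score = "suspicious", ev.score
    return [label for label, _ in hits], verdict, score


class EntityModel:
    """Accumulates evidence per endpoint (user). A THREAT is triggered each time the
    accumulated evidence crosses another multiple of the significance threshold
    (the threshold value and this counting rule are assumptions)."""

    def __init__(self, threshold=1.5):
        self.threshold = threshold
        self.evidence = defaultdict(float)
        self.labels = defaultdict(set)
        self.threats = defaultdict(list)

    def add_event(self, ev):
        labels, verdict, score = classify(ev)
        if verdict == "legitimate":
            return None  # kept as legitimate: contributes no evidence
        before = self.evidence[ev.user]
        self.evidence[ev.user] = before + score
        self.labels[ev.user].update(labels)
        if self.evidence[ev.user] // self.threshold > before // self.threshold:
            threat = {"user": ev.user, "labels": sorted(self.labels[ev.user]),
                      "evidence": round(self.evidence[ev.user], 2)}
            self.threats[ev.user].append(threat)
            return threat
        return None


# Constructed events (not real telemetry); 203.0.113.7 is a documentation address.
_BLOB = "x" * 120
EVENTS = [
    Event("alice", [Flow(t, "ocsp.ca.test", "/status?serial=1234") for t in (0, 5, 40, 41)], 0.6),
    Event("alice", [Flow(300 * n, "203.0.113.7", f"/MG/{n}") for n in range(4)], 0.5),
    Event("alice", [Flow(1300, "203.0.113.7", "/MG/?" + _BLOB)], 0.5),
    Event("bob", [Flow(t, "cdn.media.test", "/images/logo.png") for t in (0, 3, 50, 52)], 0.4),
    Event("alice", [Flow(2000 + 300 * n, "203.0.113.7", f"/MG/{n + 4}") for n in range(4)], 0.5),
    Event("alice", [Flow(3300, "203.0.113.7", "/MG/?" + _BLOB)], 0.5),
]


def run(events=EVENTS):
    """Feed the events through a fresh entity model and return it."""
    model = EntityModel()
    for ev in events:
        model.add_event(ev)
    return model
```

The repeated OCSP checks are classified as repetitive but kept as legitimate, so they add no evidence; alice's beaconing and tunneling events are both malicious and trigger her first THREAT once 1.8 units of evidence have accumulated, and a second one when the evidence later passes 3.0, which is the "new threats as more evidence accumulates" behaviour on the slide; bob's single suspicious event never reaches the threshold.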

Page 18: Identify Zero-Day Breaches with Cognitive Threat Analytics on Cisco Web Security

Determine if a threat is part of a threat campaign with Relationship Modeling (CTA Layer 3)

[Diagram: incidents at Company A, Company B and Company C across Phase 1, Phase 2 and Phase 3, linked to Attack Node 1 and Attack Node 2 and to Threat Type 1 and Threat Type 2]
• Similarity Correlation: global behavioral similarity, local behavioral similarity, local & global behavioral similarity
• Infrastructure Correlation: shared threat infrastructure
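The two correlations named on the slide, as an added example that is not Cisco's code: incidents are linked when they share threat infrastructure (infrastructure correlation) or when their behavior profiles are similar enough (similarity correlation, "local" within one company and "global" across companies), and the connected components of that graph are the campaigns, while an incident linked to nothing remains a one-off detected threat. The Jaccard cut-off of 0.6 and the five incidents are assumptions and constructed data.

```python
"""Relationship modeling: link threat incidents into campaigns (added example)."""
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class Incident:
    id: str
    company: str
    behaviors: frozenset       # classifier labels observed in the incident
    infrastructure: frozenset  # hosts / IPs the infected endpoint talked to


def jaccard(a, b):
    return len(a & b) / len(a | b) if a | b else 0.0


def relation(x, y, min_similarity=0.6):
    """Why two incidents are linked, or None. Infrastructure correlation: any shared
    host/IP. Similarity correlation: behavior profiles similar enough, 'local' inside
    one company and 'global' across companies. The 0.6 cut-off is an assumption."""
    if x.infrastructure & y.infrastructure:
        return "shared threat infrastructure"
    if jaccard(x.behaviors, y.behaviors) >= min_similarity:
        return ("local" if x.company == y.company else "global") + " behavioral similarity"
    return None


def campaigns(incidents):
    """Connected components of the relationship graph (union-find). Returns
    (groups, edges, one_offs): groups are sorted id lists of size >= 2 (campaigns),
    edges map (id, id) to the reason, one_offs are incidents related to nothing."""
    parent = {i.id: i.id for i in incidents}

    def find(a):
        while parent[a] != a:
            parent[a] = parent[parent[a]]  # path halving
            a = parent[a]
        return a

    edges = {}
    for x, y in combinations(incidents, 2):
        reason = relation(x, y)
        if reason:
            edges[tuple(sorted((x.id, y.id)))] = reason
            parent[find(x.id)] = find(y.id)
    members = {}
    for i in incidents:
        members.setdefault(find(i.id), []).append(i.id)
    groups = sorted(sorted(m) for m in members.values() if len(m) >= 2)
    one_offs = sorted(m[0] for m in members.values() if len(m) == 1)
    return groups, edges, one_offs


# Constructed incidents across three companies (documentation addresses, no real infrastructure).
INCIDENTS = [
    Incident("A1", "Company A", frozenset({"command and control", "tunneling"}), frozenset({"203.0.113.7"})),
    Incident("A2", "Company A", frozenset({"repetitive requests", "unexpected destination", "command and control"}), frozenset({"192.0.2.50"})),
    Incident("B1", "Company B", frozenset({"command and control", "tunneling"}), frozenset({"198.51.100.9"})),
    Incident("B2", "Company B", frozenset({"command and control", "tunneling", "unexpected destination"}), frozenset({"qbzrtnxk.test"})),
    Incident("C1", "Company C", frozenset({"domain generated algorithm"}), frozenset({"xkqvzrtbpwd.test", "203.0.113.7"})),
]

if __name__ == "__main__":
    groups, edges, one_offs = campaigns(INCIDENTS)
    print("campaigns:", groups, "one-offs:", one_offs)
    for pair, reason in sorted(edges.items()):
        print(pair, reason)
```

C1 shares no behavior with A1 but contacted the same address, so infrastructure correlation pulls it into the same campaign as A1, B1 and B2; A2 is similar to nothing strongly enough and stays a one-off, which matches the CONFIRMED (campaign) versus DETECTED (unique) split used for the two result categories earlier in the deck.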

Page 19: Identify Zero-Day Breaches with Cognitive Threat Analytics on Cisco Web Security

How CTA analyzes a threat

[Timeline diagram: CTA analyzing Web Access Logs at the web perimeter; attacker techniques shown as active channels: Domain Generation Algorithm (DGA) and Data tunneling via URL (C&C); per-domain evidence shown as Webrep and AV verdicts (+, 0, -) and domain age (3 hours, 1 day, 2 weeks)]

Page 20: Identify Zero-Day Breaches with Cognitive Threat Analytics on Cisco Web Security


STIX / TAXII API

Page 21: Identify Zero-Day Breaches with Cognitive Threat Analytics on Cisco Web Security

CTA Exports: STIX / TAXII API

TAXII Log Adapter: https://github.com/CiscoCTA/taxii-log-adapter

[Diagram: the adapter polls the CTA TAXII service, transforms the STIX-formatted CTA threat intelligence (incidents) and hands it on: Poll, Transform, Service]

Page 22: Identify Zero-Day Breaches with Cognitive Threat Analytics on Cisco Web Security

CTA Exports: STIX Sample Message Payload

[Annotated payload with four numbered regions]
1 CTA CONFIRMED threat campaign
2 CTA CONFIRMED or DETECTED threat incident
3 Malicious events (flow sequences)
4 Anomalous web requests

Page 23: Identify Zero-Day Breaches with Cognitive Threat Analytics on Cisco Web Security

CTA Exports: STIX Language Mapping

Excerpt of a CTA STIX package (fragment as shown on the slide; the opening STIX_Package tag and the closing elements are cut off):

  id="cta:package-1412045744-4e3681cb-c188-4893-84bc-500aac2da0a0" timestamp="2014-11-14T07:20:00.300Z" version="1.1.1">
    <stix:STIX_Header>
      <stix:Information_Source>
        <stixCommon:Tools>
          <cyboxCommon:Tool id="cta:tool-CTA">
            <cyboxCommon:Name>Cognitive Threat Analytics</cyboxCommon:Name>
            <cyboxCommon:Vendor>Cisco</cyboxCommon:Vendor>
          </cyboxCommon:Tool>
          <cyboxCommon:Tool id="cta:tool-AMP">
            <cyboxCommon:Name>Advanced Malware Protection</cyboxCommon:Name>
            <cyboxCommon:Vendor>Cisco</cyboxCommon:Vendor>
          </cyboxCommon:Tool>
        </stixCommon:Tools>
      </stix:Information_Source>
    </stix:STIX_Header>
    <stix:Incidents>
      <stix:Incident xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="incident:IncidentType" id="cta:incident-1412045744-1412045744_f8bae03fb2ff7164a0536a67766e_malware$7Ctransferring+data+through+url_0.75">
        <incident:Title>malware|transferring data through url </incident:Title>
        <incident:Time>
          <incident:First_Malicious_Action>2014-11-09T22:09:37.149Z</incident:First_Malicious_Action>
        </incident:Time>
        <incident:Victim>
          <stixCommon:Name>f8bae03fb2ff7164a0536a67766e</stixCommon:Name>
        </incident:Victim>
        <incident:Leveraged_TTPs>
          <incident:Leveraged_TTP>
            <stixCommon:TTP xsi:type="ttp:TTPType">
              <ttp:Title>favicon</ttp:Title>
            </stixCommon:TTP>
          </incident:Leveraged_TTP>
          <incident:Leveraged_TTP>
            <stixCommon:TTP xsi:type="ttp:TTPType">
              <ttp:Title>data tunneling over https</ttp:Title>

See also: https://github.com/STIXProject/stix-viz

Page 24: Identify Zero-Day Breaches with Cognitive Threat Analytics on Cisco Web Security


CTA Examples

Page 25: Identify Zero-Day Breaches with Cognitive Threat Analytics on Cisco Web Security

Breach Detection: Ransomware (Example 1)

[Timeline from Feb 25 to Apr 4 (Feb 25, Mar 1, Mar 21, Mar 24, Mar 25, Apr 4): malware operational for more than 20 days while threat activity was continuously detected by CTA]
Milestones in the order shown:
• CTA Detection
• AV removing trojan
• AV signatures updated & trojan removed
• Worm removed by daily scan
• CryptoLocker confirmed & endpoint sent for reimage
• AV removing worm & signatures found outdated

Page 26: Identify Zero-Day Breaches with Cognitive Threat Analytics on Cisco Web Security

Example 1: threat detail

9 THREAT, 100% confidence, AFFECTING 3 users

Local Context: First detected in your network on Mar 11, 2015 and last observed on Apr 14, 2015. Total of 3 users have shown threat behavior in last 45 days.

Global Context: Also detected in 5+ other companies affecting 10+ other users.

Threat related to the Zeus Trojan horse malware family which is persistent, may have rootkit capability to hide its presence, and employs various command-and-control mechanisms. Zeus malware is often used to track user activity and steal information by man-in-the-browser keystroke logging and form grabbing. Zeus malware can also be used to install CryptoLocker ransomware to steal user data and hold data hostage. Perform a full scan for the record and then reimage the infected device.

Page 27: Identify Zero-Day Breaches with Cognitive Threat Analytics on Cisco Web Security

Example 1: threat detail for winnt://emea\user1 (9 THREAT, 100% confidence)

[Screenshot: Activities (8), Domain (8), IPs (8), Autonomous systems (5)]
Activities: Url string as communication channel (×2, score 9); Http traffic to ip address (×6, score 6)
IPs: 95.211.239.228, 85.25.116.167, 54.240.147.123, 54.239.166.104, 63.234.248.204, 54.239.166.69, 63.235.36.156, 54.240.148.64
Autonomous systems: Amazon.com, Inc; LeaseWeb B.V.; intergenia AG; Qwest communication..; Amazon.com Tech Tel…

Encrypted Command & Control, for example:
http://95.211.239.228/MG/6XYZCn5dkOpx7yzQbqbmefOBUM9H97ymDGPZ+X8inI56FK/0XHGs6uRF5zaWKXZxmdVbs91AgesgFarBDRYRCqEi+a8roqlRl77ZucRB4sLOlkpoG5d44OZ95VO6pVjtKVAj0SIOXHGFTr7+w5jqe46Kz4//NDHGJw6C2L2hCLEExuNJaeA9wtSRmOgxVg9NhpJXK7oD8dTDoGOD46zWaWDDpQ9zNdmhNtmOfeWA3xxgZ9KzDpd7SVUnzATdD3E1USpWmkpsYsGkTE8fVQ692WQd8h2cRp+KHDg8F2ECZlcDXGOPQPU9TrWFw…

Page 28: Identify Zero-Day Breaches with Cognitive Threat Analytics on Cisco Web Security

Breach Detection: Malvertising BotNet (Example 2)

• Cisco security finds close to 2000 users affected & 4000+ add-on variants!
• Malvertising from Browser add-ons collects huge rewards
• Sophisticated code paired with refined business model

[Chart: Number of Affected Users Per Month (Jan. through Nov. 2014), with June 2014 and Nov. 2014 marked; summary labels as extracted: 17511170 Companies Months 886,646 All users Max affected. Source: Cisco Security Research]

Page 29: Identify Zero-Day Breaches with Cognitive Threat Analytics on Cisco Web Security

Example 2: threat detail for winnt://emea\user2 (6 THREAT, 100% confidence)

[Screenshot: Activities (5), Domain (10), IPs (3), Autonomous systems (0)]
Activities: anomalous http traffic (×2, score 7); Url string as communication channel (×2, score 7)
IPs: 54.68.144.135, 54.69.230.10, 54.68.109.54
Domains: veterance.com, veterances.net, Getjpi77.info, probookmynew.us, skyfunnjobbest.info, Versiontraffic.com, filehelper.co.il, appzappzappz.com

Encrypted Command & Control, for example:
hXXp://getjpi77.info/sync2/?q=hfZ9oeZHrjYMCyVUojC6qGhTB6lKDzt4ok8gtNtVh7n0rjnEpjwErjrGrHrEtMFHhd9Fqda4rjaFqTr6qjaMDMlGojUMAe4UojkFrdg5rjwEqjnGrTw5pjY4qHYMC6qUojk7pdn5rHY9pdUHqjwFrdUGqTCMWy4ZBek0nMlHDwmPC7qLDe49nfbEtMZPhd99qdg5qHn5qHk5rdUErjg4rHkGtM0HAen0qTaFtMVKC6n0rTwMgNr0rn%3D%3D&amse=hs18&xname=BestDiscountApp
hXXp://getjpi77.info/sync2/?q=ext=hs18&pid=777&country=MX&regd=140910132330&lsd=140910163750&ver=9&ind=5106811054221898978&ssd=5684838489351109267&xname=BestDiscountApp&hid=4468748758090169352&osid=601&inst=21&bs=1%3D%3D&amse=hs18&xname=BestDiscountApp

Page 30: Identify Zero-Day Breaches with Cognitive Threat Analytics on Cisco Web Security

Breach Detection: Qakbot Worm (Example 3)

• Constantly adapting TTP to avoid detection
• Since 2011, taken down in 2014 to reemerge again
• 500,000+ infected computers & significant profits from fraud
• Rootkit capable to hide its presence, can spread through network shared drives and removable storage devices
• Steals user data, login credentials, may open a backdoor to track user activity or deliver additional malicious code

Page 31: Identify Zero-Day Breaches with Cognitive Threat Analytics on Cisco Web Security

Example 3: threat detail for winnt://emea\user3 (9 THREAT, 100% confidence)

[Screenshot: Activities (10), Domain (18), IPs (7), Autonomous system (4)]
Activities: "Communication to automatically gener" (label truncated in the screenshot) ×7, scores 9, 8, 8, 8, 8, 8, 8
Domains: bnhrtqbyaujiujosnevtvn.info, ehawgbpcjefdjzxohshnmu.com, hwtmnipazuwtghl.biz, ibxyfokmjbxyfqikjiis.org, iyulawjlxbltrsut.com, julfmuljitllgtnop.biz, kkgjxxpt.biz, qfvkuoiasjqbmqrwx.info, vmdekoznnkqmerkch.net, wqdiulsyylepifnbkyatwqcr.com, olbkpxtpgckuoaharw.biz, vwnlzeuaaygbgahiwrmxsp.biz, rgfxyewwsvtaobjbdlxc.infio
IPs: 5.2.189.251, 86.124.164.25, 54.72.9.51, 69.89.31.210, 74.220.207.180
Autonomous systems: Amazon.com, Inc; RCS & RDS SA; Unified Layer

Page 32: Identify Zero-Day Breaches with Cognitive Threat Analytics on Cisco Web Security

Example 4: threat detail

9 THREAT, 100% confidence, AFFECTING 1 user

Local Context: The threat was first detected in your network on Mar 15, 2015 and last observed on Apr 17, 2015. A total of 1 user have shown this threat behavior within the past 45 days. The threat was also detected in 5+ other companies affecting 5+ other users.

Global Context: Also detected in 5+ other companies affecting 5+ other users.

Threat related to Dridex. Typically spread through spam campaigns, Dridex is a banking trojan whose main goal is to steal confidential information from the user about online banking and other payment systems. Trojan communicates with the command-and-control server using HTTP, P2P, or I2P protocols. Perform a full scan of the infected device for the record, and then reimage the device.

Page 33: Identify Zero-Day Breaches with Cognitive Threat Analytics on Cisco Web Security

Example 4: threat detail for winnt://emea\user4 (9 THREAT, 100% confidence)

[Screenshot: Activities (14), Domain (10), IPs (10), Autonomous systems (7); every listed activity scored 9]
Activities as shown: Anomalous http traffic (×2); Communication to automatically ge… (×3); Http traffic to ip address (no domain… (×3); Url string as communication channel (×5)
Domains: qcnbmfvglhxlrorqolfxaeh.org, retufator.com, krjbjccop.com (the remaining domain entries are bare IP addresses)
IPs: 54.83.43.69, 95.211.239.228, 85.25.116.167, 178.162.209.40, 188.138.1.96, 94.242.233.162, 184.107.255.138, 193.105.134.63, 79.103.160.138, 88.208.57.103
Autonomous systems: Amazon.com, Inc; LeaseWeb B.V.; intergenia AG; root SA; iWeb Technologies Inc.; Portlane Networks AB; Telenor Norge AS

Page 34: Identify Zero-Day Breaches with Cognitive Threat Analytics on Cisco Web Security


Call to Action

Page 35: Identify Zero-Day Breaches with Cognitive Threat Analytics on Cisco Web Security

Current CWS and WSA customers: try a free evaluation of Cognitive Threat Analytics (CTA)

https://cisco.com/go/websecurity

https://cisco.com/go/cognitive

Net new customers above 1000 seats: contact your local sales representative for an evaluation

Page 36: Identify Zero-Day Breaches with Cognitive Threat Analytics on Cisco Web Security