Identify Zero-Day Breaches with Cognitive Threat Analytics on Cisco Web Security
Petr Cernohorsky, Product Manager, October 2015
Identify Zero-Day Breaches with Cognitive Threat Analytics (CTA) on Cisco Web Security
2
There's a new cyber-threat reality:
• Hackers will likely command and control your environment via the web
• You'll most likely be infected via email
• Your environment will get breached
3
[Diagram: CTA & AMP on Cisco Web Security. Before: Web Reputation, Web Filtering, Application Visibility & Control. During: Anti-Malware, File Reputation, Webpage Outbreak Intelligence. After: Cognitive Threat Analytics, Dynamic Malware Analysis, File Retrospection. Traffic is redirected from the campus office, branch office, HQ and roaming users via ASA, standalone WSA, ISR G2 and AnyConnect; Talos supplies intelligence; the admin gets reporting, log extraction and management; CTA exposes STIX / TAXII (APIs); verdicts are Allow, Warn, Block and Partial Block.]
4
[Diagram: the three CTA layers placed on the During / After timeline. During: AMP with File Reputation, Dynamic Malware Analysis and File Retrospection. After: CTA Layer 1 (Anomaly detection, Trust modeling), Layer 2 (Event classification, Entity modeling), Layer 3 (Relationship modeling).]
5
CTA & AMP Working Together
AMP increases resistance against direct attacks from the web with:
• File reputation
• Dynamic Malware Analysis
• File retrospection
CTA identifies breaches using anomaly detection and network traffic analysis, giving visibility into threats that may have bypassed the web infection vector, like infected email, USB sticks or guest devices.
[Diagram: a direct attack from the web is met by AMP (file reputation) and web reputation at the perimeter; an infection arriving by email or USB stick still has to talk to its threat infrastructure, which CTA spots in the web logs as Command & Control, Domain Generated Algorithm and Tunneling activity; results reach the admin via STIX / TAXII (APIs).]
6
Cognitive Threat Analytics: Layered Processing Engine & Scalable Cloud Infrastructure
[Diagram: after-the-fact analysis in three CTA layers. Layer 1: Anomaly detection, Trust modeling. Layer 2: Event classification, Entity modeling. Layer 3: Relationship modeling. Volume funnel: 10B requests per day in, 20K incidents per day out, moving from Anomalous web requests (flows) to Malicious events (flow sequences) to Threat incidents (aggregated events); the funnel is annotated with Recall at the wide end and Precision at the narrow end.]
7
Cognitive Threat Analytics for CWS, WSA, and External Telemetry
[Diagram: Web access logs (input telemetry) from Cisco WSA (Web Security Appliance), Cisco CWS (Cloud Web Security) and external telemetry (BlueCoat security gateway) feed Cisco Cognitive Threat Analytics (CTA) in the cloud. CTA returns Confirmed Threats, Detected Threats and Threat Alerts (breach detection & advanced threat visibility) to incident response and to SIEMs (Splunk, ArcSight, QRadar, ...) over the STIX / TAXII API. Licensing: CTA a-la-carte; ATD bundle = CTA & AMP; WSP bundle = CWS & ATD.]
8
CTA presents results in two categories: Confirmed Threats
Confirmed Threats - Threat Campaigns
• Threats spanning across multiple users
• 100% confirmed breaches
• For automated processing leading to fast reimage / remediation
• Contextualized with additional Cisco Collective Security Intelligence
9
AMP Threat Grid augments CTA reporting
AMP Threat Grid aids forensic work on the endpoint by presenting:
• Associated threat artifacts from AMP Threat Grid, exhibiting network behaviors matching the CONFIRMED CTA threat
• Content security signatures for these associated threat samples globally
• Insights into exactly what a threat is doing (end-point behaviors)
10
CTA presents results in two categories: Detected Threats
Detected Threats - One-off Threats
• Unique threats detected for individuals
• Suspected threat confidence and risk levels provided
• For semi-automated processing
• Very little or no additional security context exists
11
Here's an example of how it works
Near real-time processing: 10B requests per day, of which +/- 1% is anomalous; 10M events per day; 1K-50K incidents per day.
[Diagram: a stream of HTTP(S) requests passes through Anomaly Detection, Trust Modeling, Classification, Entity Modeling and Relationship Modeling. Requests are grouped into clusters (Cluster 1, Cluster 2, Cluster 3) and scored by classifiers (Classifier A, H, K, M, X, Z). The output is CONFIRMED threats (spanning multiple users) and DETECTED threats (unique).]
12
© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
CTA Deep-Dive
13
Identify suspicious traffic with Anomaly Detection
[Diagram: incoming HTTP(S) requests are separated into Normal, Unknown and Anomalous.]
Anomaly Detection
• 10B+ requests are processed daily by 40+ detectors
• Each detector provides its own anomaly score
• Aggregated scores are used to segregate the normal traffic
14
• Each HTTP(S) request is scanned by 40+ detectors, each with a unique algorithm
• Multiple detectors increase the statistical significance of the anomaly score, reducing the number of false negatives and false positives
Examples of Anomaly Detection output (HTTP, real and synthetic malware)
[Chart, multiple detectors & Trust Modeling: histogram of the number of web requests against anomaly score (0 to 1.0), split by a dynamic threshold into Normal and Anomalous, with the remaining false negatives and false positives marked.]
[Chart, single detector: the same histogram for one detector; a false positive sits above the dynamic threshold and is later removed after further processing.]
15
Reduce false positives with Trust Modeling
[Diagram: HTTP(S) requests are grouped into clusters, each cluster labelled Anomalous, Normal or Unknown.]
Trust Modeling
• HTTP(S) requests with similar attributes are clustered together
• Over time, the clusters adjust their overall anomaly score as new requests are added
16
Categorize requests with Event Classification
[Diagram: anomalous requests are sorted into three outcomes. Keep as legitimate: media website, software update, certificate status check. Alert as malicious: tunneling, domain generated algorithm, command and control. Keep as suspicious: suspicious extension, repetitive requests, unexpected destination.]
Event Classification
• 100+ classifiers are applied to a small subset of the anomalous and unknown clusters
• Requests' anomaly scores update based on their classifications
17
Attribute anomalous requests to endpoints and identify threats with Entity Modeling
[Diagram: classified HTTP(S) requests are attributed to the endpoints that made them; once enough evidence accumulates for one endpoint, a THREAT is raised for it.]
Entity Modeling
• A threat is triggered when the significance threshold is reached
• New threats are triggered as more evidence accumulates over time
18
Determine if a threat is part of a threat campaign with Relationship Modeling
[Diagram: incidents from Company A, Company B and Company C, across Phase 1, 2 and 3 and Threat Type 1 and 2, are related in two ways. Similarity Correlation: global behavioral similarity, local behavioral similarity, local & global behavioral similarity. Infrastructure Correlation: incidents that share threat infrastructure (Attack Node 1, Attack Node 2).]
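A constructed illustration of the layered processing described on the preceding slides, from per-request detectors through the dynamic threshold, trust modeling, event classification and entity modeling (relationship modeling across companies is left out). This is added example code, not Cisco's implementation: the four detector heuristics, the noisy-OR aggregation, the mean-plus-one-standard-deviation threshold, the classifier table (whose activity names and risk numbers are taken from the example slides) and the significance threshold of 2.0 are all assumptions, and the access log is constructed from documentation addresses and .example hostnames.

```python
# Toy version of the CTA layering on these slides (constructed illustration, not Cisco's code):
# detectors -> aggregated score with batch-derived threshold -> trust modeling -> classification -> entity modeling.
import math
import re
import statistics
from collections import defaultdict

IP_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

def entropy(s):  # Shannon entropy in bits per character
    n = len(s)
    return -sum(s.count(c) / n * math.log2(s.count(c) / n) for c in set(s)) if n else 0.0

# Layer 1 detectors: each returns its own anomaly score in [0, 1] (assumed heuristics).
def det_query_entropy(r):  # encoded data riding in the URL reads as high-entropy text
    return max(0.0, min(1.0, (entropy(r["query"]) - 4.0) / 2.0))
def det_query_length(r):  # unusually long query strings
    return min(1.0, len(r["query"]) / 100.0)
def det_ip_host(r):  # HTTP to a bare IP literal instead of a domain name
    return 1.0 if IP_RE.match(r["host"]) else 0.0
def det_dga_host(r):  # long, high-entropy, vowel-poor first label
    label_ = r["host"].split(".")[0]
    if IP_RE.match(r["host"]) or len(label_) < 12:
        return 0.0
    vowels = sum(c in "aeiou" for c in label_) / len(label_)
    return min(1.0, entropy(label_) / 4.0) * (1.0 - vowels)

DETECTORS = [det_query_entropy, det_query_length, det_ip_host, det_dga_host]
# Assumed classifier table; the risk numbers mirror the activity column on the example slides.
CLASSIFIERS = [
    (lambda s: s[2] >= 0.5, "Http traffic to ip address (no domain)", 6),
    (lambda s: s[0] >= 0.5 and s[1] >= 0.3, "Url string as communication channel", 9),
    (lambda s: s[3] >= 0.5, "Communication to automatically generated domain", 8),
]
THREAT_THRESHOLD = 2.0  # assumed entity-level significance threshold

def aggregate(scores):  # noisy-OR with each detector capped at 0.8, so that
    p = 1.0             # several agreeing detectors push the score higher
    for s in scores:
        p *= 1.0 - 0.8 * s
    return 1.0 - p

def label(score, mean, std):  # dynamic threshold derived from the batch itself
    return "anomalous" if score > mean + std else "unknown" if score > mean else "normal"

def run_pipeline(logs):
    scored = [(r, [d(r) for d in DETECTORS]) for r in logs]
    agg = [aggregate(s) for _, s in scored]
    mean, std = statistics.mean(agg), statistics.pstdev(agg)
    clusters = defaultdict(list)  # trust modeling: cluster by destination, score = member mean
    for (r, s), a in zip(scored, agg):
        clusters[r["host"]].append((r, s, a))
    entities = defaultdict(lambda: {"evidence": 0.0, "activities": set(), "threat": False})
    for members in clusters.values():
        if label(statistics.mean(a for _, _, a in members), mean, std) == "normal":
            continue  # classifiers run only on the anomalous and unknown clusters
        for r, s, _ in members:
            for match, activity, risk in CLASSIFIERS:
                if match(s):
                    entities[r["user"]]["evidence"] += risk / 10.0
                    entities[r["user"]]["activities"].add(activity)
    for e in entities.values():  # entity modeling: a threat once significance is reached
        e["threat"] = e["evidence"] >= THREAT_THRESHOLD
    return dict(entities)

# Constructed sample access log: user1 beacons to an IP literal with an opaque blob in the URL,
# user2 resolves a DGA-looking name, everyone else browses normally.
BLOB = "qX7v9LmZ2kR4tN8wB3yH6cJ0pF5sD1gAaCbEdGfIhKiMjOlPnQoSrTuUxVzW+/eY"
LOGS = [{"user": "user1", "host": "203.0.113.10", "query": BLOB}] * 3
LOGS += [{"user": "user2", "host": "xkqzvbwtpnmrjfsdlgh.example", "query": ""}] * 2
LOGS += [{"user": f"user{3 + i % 6}", "host": ["news", "mail", "cdn"][i % 3] + ".example",
          "query": f"page={i}"} for i in range(40)]
```

Running run_pipeline(LOGS) raises a threat for user1 (two activities on three requests) while user2's two DGA requests stay below the threshold until more evidence arrives, which is the accumulation behaviour the Entity Modeling slide describes.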
19
How CTA analyzes a threat
[Diagram: at the web perimeter, individual requests carry only point signals such as web reputation and AV verdicts (0, +, -) and domain age (2 weeks, 3 hours, 1 day). CTA, analyzing the web access logs, ties them to attacker techniques and active channels: Domain Generation Algorithm (DGA) and data tunneling via URL (C&C).]
STIX / TAXII API
21
CTA Exports: STIX / TAXII API
TAXII Log Adapter: https://github.com/CiscoCTA/taxii-log-adapter
[Diagram: CTA incidents are exported as STIX formatted CTA threat intelligence; the adapter polls the TAXII service and transforms the result.]
22
CTA Exports: STIX Sample Message Payload
1. CTA CONFIRMED threat campaign
2. CTA CONFIRMED or DETECTED threat incident
3. Malicious events (flow sequences)
4. Anomalous web requests
23
CTA Exports: STIX Language Mapping
id="cta:package-1412045744-4e3681cb-c188-4893-84bc-500aac2da0a0" timestamp="2014-11-14T07:20:00.300Z" version="1.1.1">
  <stix:STIX_Header>
    <stix:Information_Source>
      <stixCommon:Tools>
        <cyboxCommon:Tool id="cta:tool-CTA">
          <cyboxCommon:Name>Cognitive Threat Analytics</cyboxCommon:Name>
          <cyboxCommon:Vendor>Cisco</cyboxCommon:Vendor>
        </cyboxCommon:Tool>
        <cyboxCommon:Tool id="cta:tool-AMP">
          <cyboxCommon:Name>Advanced Malware Protection</cyboxCommon:Name>
          <cyboxCommon:Vendor>Cisco</cyboxCommon:Vendor>
        </cyboxCommon:Tool>
      </stixCommon:Tools>
    </stix:Information_Source>
  </stix:STIX_Header>
  <stix:Incidents>
    <stix:Incident xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="incident:IncidentType" id="cta:incident-1412045744-1412045744_f8bae03fb2ff7164a0536a67766e_malware$7Ctransferring+data+through+url_0.75">
      <incident:Title>malware|transferring data through url </incident:Title>
      <incident:Time>
        <incident:First_Malicious_Action>2014-11-09T22:09:37.149Z</incident:First_Malicious_Action>
      </incident:Time>
      <incident:Victim>
        <stixCommon:Name>f8bae03fb2ff7164a0536a67766e</stixCommon:Name>
      </incident:Victim>
      <incident:Leveraged_TTPs>
        <incident:Leveraged_TTP>
          <stixCommon:TTP xsi:type="ttp:TTPType">
            <ttp:Title>favicon</ttp:Title>
          </stixCommon:TTP>
        </incident:Leveraged_TTP>
        <incident:Leveraged_TTP>
          <stixCommon:TTP xsi:type="ttp:TTPType">
            <ttp:Title>data tunneling over https</ttp:Title>
STIX visualizer: https://github.com/STIXProject/stix-viz
CTA Examples
25
Example 1: Breach Detection: Ransomware
[Timeline, Feb 25 to Apr 4 (Feb 25, Mar 1, Mar 21, Mar 24, Mar 25, Apr 4): AV removing worm & signatures found outdated; AV removing trojan; AV signatures updated & trojan removed; worm removed by daily scan; CryptoLocker confirmed & endpoint sent for reimage. Throughout, threat activity is continuously detected by CTA: malware operational for more than 20 days.]
26
Example 1
9 THREAT, 100% confidence, AFFECTING 3 users
Local Context: First detected in your network on Mar 11, 2015 and last observed on Apr 14, 2015. A total of 3 users have shown threat behavior in the last 45 days.
Global Context: Also detected in 5+ other companies affecting 10+ other users.
Threat related to the Zeus Trojan horse malware family, which is persistent, may have rootkit capability to hide its presence, and employs various command-and-control mechanisms. Zeus malware is often used to track user activity and steal information by man-in-the-browser keystroke logging and form grabbing. Zeus malware can also be used to install CryptoLocker ransomware to steal user data and hold data hostage. Perform a full scan for the record and then reimage the infected device.
27
Example 1
AFFECTING winnt://emea\user1, 9 THREAT 100% confidence
Activities (8), Domain (8), IPs (8), Autonomous systems (5). Activities: "Url string as communication channel" (risk 9) and "Http traffic to ip address" (risk 6). Autonomous systems: Amazon.com, Inc; LeaseWeb B.V.; intergenia AG; Qwest communication…; Amazon.com Tech Tel….
Encrypted Command & Control: a long URL to one of the listed IP addresses whose path is an opaque encoded blob (IP list and URL not reproduced here).
28
Example 2: Breach Detection: Malvertising BotNet
Cisco security finds close to 2000 users affected & 4000+ add-on variants! Malvertising from browser add-ons collects huge rewards: sophisticated code paired with a refined business model.
[Chart: Number of Affected Users Per Month, Jan. through Nov. 2014 (June 2014 to Nov. 2014 marked). Summary figures as extracted: 17511170 Companies Months 886,646 All users Max affected. Source: Cisco Security Research.]
29
Example 2
AFFECTING winnt://emea\user2, 6 THREAT 100% confidence
Activities (5), Domain (10), IPs (3), Autonomous systems (0). Activities: "anomalous http traffic" (risk 7) and "Url string as communication channel" (risk 7).
Encrypted Command & Control: two hXXp URLs to the getjpi77.info/sync2/ endpoint carrying an encoded q= parameter together with add-on identifiers such as xname=BestDiscountApp (domain and IP lists and the full URLs not reproduced here).
30
Example 3: Breach Detection: Qakbot Worm
• Constantly adapting TTP to avoid detection
• Active since 2011; taken down in 2014 only to reemerge again
• 500,000+ infected computers & significant profits from fraud
• Rootkit capable of hiding its presence; can spread through network shared drives and removable storage devices
• Steals user data and login credentials; may open a backdoor to track user activity or deliver additional malicious code
31
Example 3
AFFECTING winnt://emea\user3, 9 THREAT 100% confidence
Activities (10), Domain (18), IPs (7), Autonomous system (4). Activities: "Communication to automatically gener…" (risk 8 and 9). Autonomous systems: Amazon.com, Inc; RCS & RDS SA; Unified Layer. (Domain and IP lists not reproduced here.)
32
Example 4
9 THREAT, 100% confidence, AFFECTING 1 user
Local Context: The threat was first detected in your network on Mar 15, 2015 and last observed on Apr 17, 2015. A total of 1 user has shown this threat behavior within the past 45 days. The threat was also detected in 5+ other companies affecting 5+ other users.
Global Context: Also detected in 5+ other companies affecting 5+ other users.
Threat related to Dridex. Typically spread through spam campaigns, Dridex is a banking trojan whose main goal is to steal confidential information from the user about online banking and other payment systems. The trojan communicates with the command-and-control server using HTTP, P2P, or I2P protocols. Perform a full scan of the infected device for the record, and then reimage the device.
33
Example 4
AFFECTING winnt://emea\user4, 9 THREAT 100% confidence
Activities (14), Domain (10), IPs (10), Autonomous systems (7). Activities (risk 9 each): "Anomalous http traffic", "Communication to automatically ge…", "Http traffic to ip address (no domain…", "Url string as communication channel". Autonomous systems: Amazon.com, Inc; LeaseWeb B.V.; intergenia AG; root SA; iWeb Technologies Inc.; Portlane Networks AB; Telenor Norge AS. (Domain and IP lists not reproduced here.)
Call to Action
35
Current CWS and WSA customers: try a free evaluation of Cognitive Threat Analytics (CTA)
https://cisco.com/go/websecurity
https://cisco.com/go/cognitive
Net new customers above 1000 seats: contact your local sales representative for an evaluation