Cisco Blogs



Find Advanced Threats with Cisco Cognitive Threat Analytics

Attackers are constantly innovating, employing more sophisticated techniques to compromise organizations and gain access to other parts of the network and sensitive data including proprietary information, trade secrets, and of course financial information. Threats have evolved to the point that it’s no longer feasible to simply defend the perimeter.

In the 2016 Cisco Annual Security Report, Cisco researchers analyzed threat intelligence and examined some of the most compelling trends in attack vectors, attack methods and vulnerabilities. The report called out that malicious browser add-ons, typically viewed as a low-severity threat, were seen affecting more than 85 percent of the organizations monitored. Malicious browser extensions can steal information, and they can be a major source of data leakage.

Identifying and blocking adware, malware, and exfiltration of data requires a multi-tiered security approach. By investing in new detection methodologies that constantly monitor and analyze web communications, security teams are able to identify new actors and new techniques, reducing time to detection in their environments.

Cisco Cognitive Threat Analytics (CTA) is a cloud-based service that discovers breaches, malware operating inside protected networks, and other security threats by means of statistical analysis of network traffic data. It addresses gaps in perimeter-based defenses by identifying the symptoms of a malware infection or data breach using behavioral analysis and anomaly detection. CTA relies on advanced statistical modeling and machine learning to independently identify new threats, learn from what it sees, and adapt over time.


Malware stealing gigabytes of your data as seen by Cognitive Threat Analytics

This post is authored by Gayan de Silva and Martin Pospisil.

Overview

Recently, about 50 users across 20 companies were alerted by Cisco Cognitive Threat Analytics (CTA) to malware that exfiltrates gigabytes of data from their computers. An example of such a CTA detection:

CTA Exfiltration Incident

In addition to the usual malware command and control activities, the incident features an upload of 2.3 gigabytes of data to a highly suspicious destination. CTA has classified this incident as malware with high severity and confidence.

This particular malware uses a custom protocol over TCP port 443, the port assigned to HTTPS. Generally, less than 10% of organizations do any inspection of HTTPS traffic. Beyond the relatively low probability of interception, the malware authors also use a custom protocol that is not based on HTTPS at all, rather than tunnelling inside it. A comparison of the stream content of the custom protocol with the stream content of an HTTPS connection is shown below.
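A custom protocol that only borrows port 443 does not start with a TLS record header, which gives a cheap first-pass check for flows on that port. The following is an added example, not code from the CTA post; the flow records, addresses and byte strings are constructed for illustration.

```python
"""Flag TCP/443 flows whose first client bytes are not a TLS ClientHello.

Added example (not CTA's code); all sample data below is constructed.
"""
import struct

TLS_HANDSHAKE = 0x16   # record content type: handshake
CLIENT_HELLO = 0x01    # handshake message type: ClientHello
TLS_MAJOR = 0x03       # all TLS versions use major version 3 on the wire


def looks_like_tls_client_hello(payload: bytes) -> bool:
    """True if payload begins with a TLS handshake record carrying a ClientHello.

    Parses only the 5-byte record header (type, version, length) plus the
    first handshake byte; applies to the first bytes a client sends on a
    new connection, not to mid-stream application data.
    """
    if len(payload) < 6:
        return False
    rec_type, major, minor, rec_len = struct.unpack("!BBBH", payload[:5])
    if rec_type != TLS_HANDSHAKE or major != TLS_MAJOR or minor > 0x04:
        return False
    if rec_len == 0 or rec_len > 2**14 + 2048:   # max record size incl. overhead
        return False
    return payload[5] == CLIENT_HELLO


def flag_non_tls_on_443(flows):
    """Return (src, dst, bytes_out) for port-443 flows that do not open with TLS."""
    return [
        (f["src"], f["dst"], f["bytes_out"])
        for f in flows
        if f["dst_port"] == 443 and not looks_like_tls_client_hello(f["first_bytes"])
    ]


# Constructed flows: a genuine ClientHello prefix, and a custom protocol on 443
# uploading 2.3 GB (the volume the post describes).
SAMPLE_FLOWS = [
    {"src": "10.0.0.5", "dst": "203.0.113.10", "dst_port": 443,
     "bytes_out": 4_200, "first_bytes": bytes.fromhex("160301012c010001280303")},
    {"src": "10.0.0.7", "dst": "198.51.100.22", "dst_port": 443,
     "bytes_out": 2_300_000_000, "first_bytes": b"\x7fDATA\x00\x01\x00\x00\x09"},
]

if __name__ == "__main__":
    for src, dst, out in flag_non_tls_on_443(SAMPLE_FLOWS):
        print(f"non-TLS on 443: {src} -> {dst}, {out / 1e9:.1f} GB uploaded")
```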


Angler for Beginners in 34 Seconds

Post authored by Martin Rehak, Veronica Valeros, Martin Grill and Ivan Nikolaev.

In order to complement the comprehensive information about the Angler exploit kit from our Talos colleagues [Talos Intel: Angler Exposed], let’s have a very brief look at what an Angler and CryptoWall infection looks like from the network perspective. We will present one of the recent Angler incidents discovered by Cognitive Threat Analytics (CTA).

Cognitive Threat Analytics works after the attack. It sifts through the logs produced by the client’s web proxy for any malware that may have slipped through the perimeter defences, such as this specific case here. CTA was able to observe the attack in its entirety (including the phases where the perimeter defence successfully blocked several stages in the attacker’s plan) and notify the security team immediately for follow-up and investigation.

So, how does an incident start for the analyst?


We can see that the incident has been categorised as an Exploit Kit infection. The system asserts 95% confidence that this incident is a true positive, and rates it at level 8 (out of 10) on the risk scale.


Cognitive Research: Fake Blogs Generating Real Money

Summary

In the past several months Cisco Cognitive Threat Analytics (CTA) researchers have observed a number of blog sites using either fake content or content stolen from other sites to drive traffic to ad-loaded web sites. We have observed traffic volume of up to 10,000 requests per hour, targeting hundreds of sites. The estimated lifetime of this campaign is at least 9 months. With a single click worth anywhere between $0.01 and $1, these scams can yield substantial returns for their owners.

Fake blogs are not new, but these actors are operating with a slightly different MO. Effort has been made to evade web reputation-based blocks and to hide from the eyes of investigators. First, we observe a large number of similar sites with word-based and topic-based generated domain names. At first sight these sites look like benign travel-related blogs full of content. Second, most of the intermediate infrastructure redirects a random share of requests away towards Google, making the investigation more difficult.

The general traffic pattern was observed as follows:

  1. Large numbers of requests arrive from infected clients to the fake blog sites. To look less suspicious, the requests look like search queries – for example: cruiserly.net/search/q/greyhounds.
  2. There is a series of redirects via intermediate sites, which are already associated with click-frauds – for example: findreek.com.
  3. These redirects bring the clients towards another set of fake sites with travel-related names (e.g. tourxperia.com), but this time the sites have no content.
  4. Finally, clients are sent to browse arbitrary web sites to generate clicks and/or revenue.
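The four-step pattern above can be reconstructed from ordinary web-proxy logs by following 3xx Location hops from each search-like request. This is an added example, not CTA's code; the log lines and the redirect targets are constructed (cruiserly.net, findreek.com and tourxperia.com are the domains named in the post).

```python
"""Reconstruct redirect chains from proxy logs and flag the fake-blog pattern.

Added example, not CTA's code. Log lines below are constructed; format is
"<ts> <client> <method> <url> <status> <Location-or-dash>".
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

PROXY_LOG = """\
1444227001 10.1.1.20 GET http://cruiserly.net/search/q/greyhounds 302 http://findreek.com/r?x=1
1444227001 10.1.1.20 GET http://findreek.com/r?x=1 302 http://tourxperia.com/
1444227002 10.1.1.20 GET http://tourxperia.com/ 302 http://www.example.com/landing
1444227002 10.1.1.20 GET http://www.example.com/landing 200 -
1444227010 10.1.1.21 GET http://intranet.example.org/search/q/travel 200 -
"""

SEARCH_PATH = re.compile(r"^/search/q/[a-z]+$")   # step 1: search-like request
KNOWN_INTERMEDIATES = {"findreek.com"}             # step 2: sites tied to click fraud


def parse(log: str):
    """Yield (ts, client, url, status, location) tuples from the log text."""
    for line in log.splitlines():
        ts, client, _method, url, status, loc = line.split()
        yield int(ts), client, url, int(status), None if loc == "-" else loc


def chains(records):
    """Per client, start a chain at each search-like URL and follow 3xx hops."""
    by_client = defaultdict(list)
    for rec in records:
        by_client[rec[1]].append(rec)
    out = []
    for client, events in by_client.items():
        next_hop = {url: loc for _, _, url, st, loc in events if 300 <= st < 400 and loc}
        for _, _, url, _, _ in events:
            if not SEARCH_PATH.match(urlsplit(url).path):
                continue
            hops, seen = [url], set()
            while hops[-1] in next_hop and hops[-1] not in seen:   # seen guards loops
                seen.add(hops[-1])
                hops.append(next_hop[hops[-1]])
            out.append((client, hops))
    return out


def suspicious(hops):
    """Chain passes a known intermediate and lands on a different host (steps 2-4)."""
    hosts = [urlsplit(u).hostname for u in hops]
    return len(hops) >= 3 and bool(set(hosts) & KNOWN_INTERMEDIATES) and hosts[0] != hosts[-1]
```

Counting flagged chains per client per hour gives the request-rate signal the post mentions; a benign internal search (the second client) yields a one-hop chain and is not flagged.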

Details of the analysis follow.


Cognitive Threat Analytics – Transparency in Advanced Threat Research

Cisco Cognitive Threat Analytics is a security analytics product that discovers breaches in Cisco customers' networks by means of advanced statistical analysis, machine learning and global correlation in the Cisco security cloud. Attached to Cloud Web Security (CWS) and Web Security Appliances (WSA), it is also capable of integrating non-Cisco data sources in order to help the broadest possible set of clients.

Our team discovers tens of thousands of ongoing malware infections (aka breaches) per day. These findings are delivered in a customer-specific report or directly into the customer's SIEM system. Customers can easily identify and remediate breaches, get to the root cause and apply policy changes that minimize the risk of further infections in the future.
