Cisco Blogs


Malware stealing gigabytes of your data as seen by Cognitive Threat Analytics

This post is authored by Gayan de Silva and Martin Pospisil.


Recently, about 50 users across 20 companies were alerted by Cisco Cognitive Threat Analytics (CTA) to a malware that exfiltrates gigabytes of data from their computers. An example of such a CTA detection:

CTA Exfiltration Incident

In addition to the usual malware command and control activities, the incident features an upload of 2.3 gigabytes of data to a highly suspicious destination. CTA has classified this incident as malware with high severity and confidence.

This particular malware uses a custom protocol over TCP port 443, the port assigned to HTTPS. Generally, less than 10% of organizations do any inspection of HTTPS traffic. On top of that relatively low probability of interception, the malware authors use a custom protocol that is not based on HTTPS at all, so even an HTTPS inspection device would not decode it. A comparison of the stream content of the custom protocol to the stream content of an HTTPS connection is shown below.
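One defensive check the passage suggests is to verify that traffic on tcp/443 actually begins with a TLS record rather than trusting the port number. The following is an added example, not Cisco or CTA code: it inspects the first client bytes of each flow, flags port-443 flows that do not start with a TLS ClientHello record, and notes a large upload volume on such flows. The flow record layout, the thresholds and the sample flows (with documentation addresses) are constructed for this example.

```python
# Added example (not Cisco/CTA code): flag TCP/443 streams whose first client
# bytes are not a TLS record, and note large uploads on such streams.

# TLS record content types and versions per RFC 5246 / RFC 8446.
TLS_CONTENT_TYPES = {0x14, 0x15, 0x16, 0x17}
TLS_VERSIONS = {0x0300, 0x0301, 0x0302, 0x0303, 0x0304}
MAX_RECORD_LEN = 16384 + 2048  # plaintext record limit plus allowed expansion


def looks_like_tls(payload: bytes) -> bool:
    """True if the first client-to-server bytes form a plausible TLS record header.

    The check is deliberately shallow: a 5-byte record header followed by a
    ClientHello handshake type. It does not parse the hello itself.
    """
    if len(payload) < 6:
        return False
    content_type = payload[0]
    version = int.from_bytes(payload[1:3], "big")
    length = int.from_bytes(payload[3:5], "big")
    if content_type not in TLS_CONTENT_TYPES or version not in TLS_VERSIONS:
        return False
    if not 0 < length <= MAX_RECORD_LEN:
        return False
    # A client's first record is a handshake record (0x16) carrying a ClientHello (1).
    return content_type == 0x16 and payload[5] == 0x01


def triage(flows, upload_threshold=1_000_000_000):
    """Return findings for port-443 flows that do not start with TLS.

    flows: iterable of dicts with keys src, dst, dport, bytes_out, first_payload
    (this record shape is an assumption for the example, not a CTA format).
    """
    findings = []
    for flow in flows:
        if flow["dport"] != 443 or looks_like_tls(flow["first_payload"]):
            continue
        reasons = ["non-TLS payload on tcp/443"]
        if flow["bytes_out"] >= upload_threshold:
            reasons.append(f"large upload: {flow['bytes_out'] / 1e9:.1f} GB")
        findings.append({"src": flow["src"], "dst": flow["dst"], "reasons": reasons})
    return findings


# Constructed sample payloads: a TLS 1.0-framed ClientHello prefix and an
# arbitrary binary header standing in for a custom protocol.
TLS_CLIENT_HELLO_PREFIX = bytes.fromhex("16030100c5010000c10303")
CUSTOM_PROTOCOL_PREFIX = bytes.fromhex("8a110010") + b"UPLD" + bytes(8)

# Constructed sample flows using documentation address ranges (not real hosts).
SAMPLE_FLOWS = [
    {"src": "192.0.2.10", "dst": "198.51.100.5", "dport": 443,
     "bytes_out": 120_000, "first_payload": TLS_CLIENT_HELLO_PREFIX},
    {"src": "192.0.2.11", "dst": "203.0.113.77", "dport": 443,
     "bytes_out": 2_300_000_000, "first_payload": CUSTOM_PROTOCOL_PREFIX},
    {"src": "192.0.2.12", "dst": "198.51.100.9", "dport": 80,
     "bytes_out": 5_000_000, "first_payload": b"POST /upload HTTP/1.1\r\n"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_FLOWS):
        print(finding)
```

Only the second flow is reported: it is on tcp/443 but its first bytes are not a TLS record, and its outbound volume exceeds the threshold. The first flow passes the TLS header check, and the third is ignored because the check is scoped to port 443.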


Sensitive Data Exfiltration and the Insider

The Insider Lifecycle

Traditional security is designed to keep outsiders from getting in. What happens when the enemy is an insider? A new paradigm must be explored, where the focus shifts inward, to how data is going outbound.

Identifying anomalies in data exfiltration is critical to spotting the insider. The insider has a typical lifecycle:

1. Identify places where sensitive data is stored
2. Retrieve the data from the location
3. Move the data within the organization to prepare for exfiltration
4. Transfer the data outside the organization

Arguably, the weak points of this chain of events occur in steps 1, 2, and 4, where the insider must go through funnel points—near the data and at a public outbound connection.

Things to Look For

In almost all cases of data theft, the insider had access to the data, but in many cases the insider's role would have looked suspect when considered against the data they were accessing. Consequently, the end user's role should be examined in the context of the data they are accessing.
