New, clever, and dangerous malware is being devised all the time. After a piece of malware is well known, signature-based defenses such as antivirus and other detection and prevention tools can catch it. But what about new, increasingly insidious malware that isn’t well known? Last year, Cisco acquired the dynamic malware analysis and threat intelligence capabilities of ThreatGRID. The fruit of this acquisition is Cisco Advanced Malware Protection (AMP) Threat Grid, a technology that complements our AMP products and is currently integrated into Cisco security gear spanning the network, from intrusion detection systems, to email and web security appliances, to endpoints.
With AMP Threat Grid, we can detect malware that doesn’t have a signature, files we’ve never seen before, by analyzing what a potential piece of malware is doing. Threat Grid performs dynamic behavior analysis for malicious activity by activating the potential malware in a safe, secure compartment – sandboxing – and tracking the network activity, file activity, and memory utilization of suspicious samples sent to it. While samples are run through a variety of antivirus engines, Threat Grid analyzes the activity of every sample and artifact it receives based on over 450 (and growing) behavioral indicators defined by the reverse-engineering and threat research team. These indicators range from known malware variants such as Cridex and Teslacrypt or a file compiled in multiple languages to particular behaviors such as a document establishing network communications. Static and dynamic analysis is run on each sample to understand exactly how it behaves and what the sample was attempting to do. All traffic and changes generated by a potential malware sample are observed on the host and over the network. Because Threat Grid is context aware, it can recognize meaningful deviations from normal behavior without increasing the amount of false positives.
Samples are submitted to Threat Grid via an API, manually, or automatically by Cisco gear integrated with Threat Grid. Threat Grid is integrated with the Cisco Email Security Appliance (ESA), Web Security Appliance (WSA), and AMP for Endpoints. Threat Grid is currently in beta with AMP for Networks, Cisco Next-Generation Intrusion Prevention System (NGIPS), and ASA with FirePOWER services.
Since integrating Threat Grid, we’ve seen a significant rise in detected threats. For the ESA and WSA, for example, the number of threats detected increased from less than 5000 in July 2014 to more than 30,000 in July 2015. More document types are being supported by the ESA and WSA as well, which also contributed to the increase. Cisco IT works in partnership with the Information Security (InfoSec) group when deploying our security solutions. InfoSec, along with security product groups, are taking an aggressive approach, moving rapidly to address current and future threats in our fast-changing industry.
AMP Threat Grid is deployed as a cloud-based service or an on-premises appliance for businesses that have in-house data retention requirements. The appliance provides the same advanced malware analysis as the cloud service, but analysis is performed and can be fully controlled on site. Cisco IT is deploying the on-premises appliance for local analysis at the largest gateways where traffic enters and leaves our network toward the Internet, complementing the detection capabilities of existing security systems. We’re putting 14 Threat Grid 5500 Series Appliances at 8 large Internet gateways globally. Each Threat Grid appliance can handle up to 10,000 samples a day for analysis. Unlike traditional sandboxing, Threat Grid puts the suspected malware into a special isolated sandbox for observation. Even malicious code designed to evade detection by lying dormant will act and display its threat behavior in a safe place away from the Cisco network.
Threat Grid draws on data from billions of incidents that Cisco collects and analyzes on our own private cloud-based platform. On average, we perform millions of analyses a month. All of this observed data is correlated with other information in the master Threat Grid database. Customers can get threat intelligence from this database through content feeds that include all the underlying metadata and information associated with each sample.
Using a proprietary algorithm that factors in the confidence and severity of the observed malware actions, along with historical and global data, Threat Grid generates a threat score and behavioral analysis of the sample, and sends this information back to the originating device. All of this is done in near real time, wherever an incident is triggered across the extended network. Instead of taking hours, weeks, or longer to reverse-engineer a sample manually, in an average of 7.5 minutes we know what a suspected attack is doing, how large a threat it poses, and the specific steps we need to take to block and recover from it.