Cisco Blogs

A Sheep in Wolf’s Clothing

- October 28, 2015 - 2 Comments

Those of us who work in security operations are well accustomed to blind spots. Depending on the size of the network, our security technologies can trigger thousands of security alerts daily. We know from experience that the vast majority of these alerts are false-positives – innocuous activity that behaves a bit funny. But we also know that real threats are hiding in plain sight among the throng, finding safety in numbers. If threats are wolves in sheep’s clothing, false-positives are the sheep masquerading as wolves. How can we know the difference?

We can eliminate a sizable proportion of false-positives with reasonable certainty through investigation, but we struggle to cut this list down to a small number of confirmed threats, and we waste a lot of time chasing wild geese in the process. To hone in on confirmed threats, we need a better sieve for sifting through alerts. Advanced analytics and granular forensic technologies enable overburdened security operations personnel to separate the wheat from the chaff through high-fidelity threat investigation. Using advanced data analytics methodologies enables Cisco Active Threat Analytics investigators to weed out a huge proportion of false-positive alerts with great accuracy, and applying data enrichment and deep packet inspection tools in the threat investigation process equips us to validate confirmed threats quickly. 

Cisco Active Threat Analytics (ATA) offers three tiers of service with increasing levels of fidelity and analytics at each tier. Looking at the threat investigation process at each tier gives us a glimpse of how more detailed analytics and higher-fidelity investigation reveals a different picture than what we see with the naked eye – or even with some pretty sophisticated tools. Let’s see how this works when a common malware attack is detected:

ATA Essential Analysis

An ATA investigator receives an alert that AMP has detected a customer receiving a suspicious file via email: W32.00B8EC2063.toc.tht.VRT – parking.doc.


Without full packet capture (PCAP), the investigator can’t download the file to run it in ThreatGrid, so all we can do is research the SHA256 hash. VirusTotal has hits on the file calling it: VBA/TrojanDownloader.Agent.YU.

2_pm and had analyses of the file, listing these callout IPs and domains:

Up to this point, the investigation process takes about 2 minutes. If these sources identify the file as malicious, additional research can take up to 5 minutes.

This information gives us a good idea about the file’s disposition (later confirmed to be Dridex). Without Netflow or full PCAP, however, the investigator is unable to determine if the host is making callouts that would indicate the malware is running on the machine, so the customer has to investigate that on their own.

At this level, the file seems suspicious enough to be treated as malicious. The investigator can’t know if this malware has compromised the system without more context, but initial investigation has revealed several warning signs. Better safe than sorry, the investigator would create a ticket noting the detection of a malicious file download identified as a Generic Macro Trojan Downloader to the internal host. The ATA Essential customer would be left to determine if the malware is still present on the machine, or if perhaps it was removed by AV or blocked by the mail server.

ATA Enhanced Analysis

At the ATA Enhanced level, the investigator goes through the same initial steps as with Essential, but now he or she can search the Netflow for callback traffic:


Searching for Netflow data usually takes 1-2 minutes. Depending on the amount of data the query returns, the investigator may spend another 2-3 minutes interpreting this data.

As part of the hunt, the investigator can also look back to see if any hosts have made connections to that IP in the past. For the purposes of this example, we searched back a week, but found no connections:


At this point, the investigator can’t confirm that the suspicious file is not malicious, but we can qualify the ticket we submit back to the customer to let them know that we have not detected any connections signifying that the malware is running on the host. If the customer feeds us antivirus logs, he or she can determine if the malware was detected and erased by the antivirus and potentially close the case. If not, then we would recommend further investigation to determine if the malware still exists on the host. Increased context via Netflow analysis takes us another step closer toward figuring out the true identity and threat risk of the file, in some cases allowing us to close the case. But the investigator still does not have the complete certainty necessary to close out this case.

ATA Premier Analysis

ATA Premier includes full PCAP capabilities, so the investigator his complete visibility into whether or not the host allowed the malicious attachment to enter the user’s inbox. If the email server’s attachment policy denied the file, the investigator can then determine not to ticket the event, because the malware was removed from the email and never opened by the user. Only with access to full PCAP can we examine this chain of network activity to confirm whether or not a machine would have been able to download the malicious attachment.

Pulling PCAP data takes roughly 2-3 minutes. Depending on the PCAP’s complexity, the investigator may spend another 5 minutes on analysis.

This sample PCAP data confirms that host prevented the email attachment from entering the user’s inbox (550 denied by policy’):


Note: Email server logs would also enable this resolution, but in this case the customer had not yet configured their email server to log messages, so PCAP just grabbed it off the wire and enabled the investigator to complete the investigation.

With the additional context of Netflow and PCAP data, the investigator can determine that the email attachment was blocked from entering the user’s inbox and that no callouts are being observed from the host. This confirms that the threat by the malicious file has already been successfully mitigated. The investigator will not ticket the incident for customer remediation, because it does not pose a threat to their network at the present time.

With a veritable flood of alerts rolling in daily, every bit of context and insight helps to reduce complexity, save time, and focus efforts in the right places. ATA Essential provides the background necessary to identify attacks with confidence, allowing our investigators to reveal the wolves in sheep’s clothing. Increased context with ATA Enhanced enables effective prioritization of threats, as well as a degree of threat validation. Deep visibility into specific threats at the ATA Premier level empowers validation of confirmed threats, as well as false-positives, so the customer knows with certainty exactly where and how the host network is compromised. At this point, we know which sheep appear in wolf’s clothing – or, at least, which wolves have no teeth.

Around 15 minutes of investigation by expert ATA investigators can confirm the true nature of a threat and the extent of the risk it poses to the customer. A false-positive alert such as this one can cost the customer security staff hours of time and energy to investigate and remediate, and it distracts them from focusing on confirmed threats. Over time, this really adds up. Appropriate and efficient threat management requires the ability to allocate resources wisely. Don’t chase wild geese if you don’t have to.

To learn more about the three tiers Cisco Active Threat Analytics service, visit our Managed Security Services site.


In an effort to keep conversations fresh, Cisco Blogs closes comments after 60 days. Please visit the Cisco Blogs hub page for the latest content.


    I like the title "Sheep in Wolf's Clothing". Great input on having all the necessary resources on-hand to reduce wasted time/energy by allowing for efficiency to find both positive and negative threats....

    Martin, thanks for helping me to understand the differences between ATA Essential, Enhanced, and Premier Analysis. This article was very interesting and you made ATA easier to understand--I appreciate that.