Cisco catches thousands of hidden threats on a massive public network
Contributors: Kural Arangasamy
The GSMA Mobile World Congress in Barcelona, Spain, is the largest exhibition for the mobile industry. This year, Mobile World Congress attracted more than 107,000 attendees. But high-profile public networks also attract a lot of cyber threats.
Providing Internet connectivity to each of these attendees is a technological and logistical challenge, and Cisco has helped meet that need for more than 10 years. Each year we add new and innovative technologies to provide the best and most secure experience. This year we deployed Cisco Stealthwatch Enterprise, including Cisco Encrypted Traffic Analytics, on the public wireless network.
The use of encryption is growing rapidly, both for legitimate Internet users and threat actors. At the same time, many applications utilize outdated encryption methods, which leave traffic vulnerable to man-in-the-middle attacks. Cisco Encrypted Traffic Analytics detects threats hiding in encrypted traffic and continuously monitors for compliance with strong encryption – all without decryption.
We have seen how successful Encrypted Traffic Analytics was on enterprise networks, but what about a tradeshow where devices were unmanaged and incredibly diverse, with users from over 200 countries? How would Encrypted Traffic Analytics perform in those circumstances? The results were awesome and we are excited to share them.
Cisco used Stealthwatch Enterprise and Encrypted Traffic Analytics to monitor Mobile World Congress’ public wireless network, and found a number of threats and vulnerable traffic. Here are just a few of the highlights:
Eighty-five percent of web traffic was encrypted
The amount of traffic monitored by Stealthwatch Enterprise and Encrypted Traffic Analytics was astounding. Over 20,000 flows per second were received at peak, for a total of 55 million flows, including Encrypted Traffic Analytics data, recorded over the course of the event.
One of the most significant observations from Mobile World Congress was that 85 percent of web traffic was encrypted, for a total of 19.5 million HTTPS flows. In addition, Stealthwatch identified more than 30 applications using TLS 1.0, an outdated cryptographic protocol with known vulnerabilities. The Payment Card Industry Security Standards Council (PCI SSC) suggests organizations migrate from TLS 1.0 to TLS 1.1 or higher by June 30, 2018.
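To show what "without decryption" means in practice: the protocol version a server negotiates is carried in the cleartext TLS handshake (the ServerHello, or its supported_versions extension for TLS 1.3), so a passive monitor can flag TLS 1.0 sessions from handshake metadata alone. The script below is an added example written for this page, not Cisco's or Stealthwatch's code; the flow records, IP addresses and ServerHello bytes in it are constructed for the demonstration.

```python
import struct
from typing import Iterable, List, Optional, Tuple

# Wire values of the version field, for readable reporting.
TLS_VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
                0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}

# Versions below the PCI SSC floor (TLS 1.1 or higher).
OUTDATED = {0x0300, 0x0301}

SUPPORTED_VERSIONS_EXT = 0x002B


def build_server_hello(legacy_version: int, selected_version: Optional[int] = None) -> bytes:
    """Construct a minimal ServerHello record (test data only, not a real capture)."""
    body = struct.pack("!H", legacy_version)
    body += b"\x11" * 32              # server random
    body += b"\x00"                   # empty session id
    body += b"\xc0\x2f"               # cipher suite (value irrelevant here)
    body += b"\x00"                   # null compression
    exts = b""
    if selected_version is not None:  # TLS 1.3 signals its version in an extension
        ext_data = struct.pack("!H", selected_version)
        exts += struct.pack("!HH", SUPPORTED_VERSIONS_EXT, len(ext_data)) + ext_data
    body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body   # type 2 = ServerHello
    return (b"\x16" + struct.pack("!H", legacy_version)       # type 0x16 = handshake
            + struct.pack("!H", len(handshake)) + handshake)


def negotiated_version(record: bytes) -> Optional[int]:
    """Return the version negotiated in a ServerHello record, or None if the
    bytes are not a ServerHello. Only the unencrypted handshake is inspected."""
    if len(record) < 5 or record[0] != 0x16:
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x02:
        return None
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) < 38:                # version + random + session id length
        return None
    legacy_version = struct.unpack("!H", body[0:2])[0]
    pos = 2 + 32
    sid_len = body[pos]
    pos += 1 + sid_len
    pos += 2 + 1                      # cipher suite + compression method
    if pos + 2 > len(body):
        return legacy_version         # no extensions block present
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = min(pos + ext_len, len(body))
    while pos + 4 <= end:
        ext_type, ext_size = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        if ext_type == SUPPORTED_VERSIONS_EXT and ext_size == 2:
            return struct.unpack("!H", body[pos:pos + 2])[0]
        pos += ext_size
    return legacy_version


Flow = Tuple[str, str, int, bytes]   # (client, server, port, first server-to-client record)


def find_outdated_tls(flows: Iterable[Flow]) -> List[Tuple[str, str, int, str]]:
    """Flag flows whose server negotiated a version below TLS 1.1."""
    findings = []
    for client, server, port, record in flows:
        ver = negotiated_version(record)
        if ver is not None and ver in OUTDATED:
            findings.append((client, server, port, TLS_VERSIONS.get(ver, hex(ver))))
    return findings


# Constructed sample flows (documentation addresses, not real hosts).
SAMPLE_FLOWS: List[Flow] = [
    ("10.0.0.5", "203.0.113.10", 443, build_server_hello(0x0303)),          # TLS 1.2
    ("10.0.0.7", "203.0.113.20", 443, build_server_hello(0x0301)),          # TLS 1.0: flagged
    ("10.0.0.9", "203.0.113.30", 443, build_server_hello(0x0303, 0x0304)),  # TLS 1.3 via extension
    ("10.0.0.11", "203.0.113.40", 8443, b"\x17\x03\x03\x00\x05hello"),      # application data, skipped
]

if __name__ == "__main__":
    for finding in find_outdated_tls(SAMPLE_FLOWS):
        print("outdated TLS:", finding)
```

In a real deployment the record bytes would come from the first server-to-client packet of each flow; the parser deliberately stops at the handshake header and never needs session keys, which is the property the post relies on.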
Other general traffic observations include:
- More than 29 million TCP sessions
- More than 23 million UDP sessions
- More than 1.8 million ICMP sessions
- More than a million streaming audio/video sessions
- More than 850,000 flows of peer-to-peer file transfer traffic
More than 32,000 security events boiled down to 350 significant security detections
In this case, Stealthwatch Enterprise detected more than 32,000 individual security events, but managed to drastically reduce that to 350 significant security detections using cloud-based security analytics and multilayered machine learning techniques. That is a massive reduction in security noise without requiring manual intervention from an analyst.
Stealthwatch Enterprise detected numerous types of threats, including:
- Several types of Android malware
- Cryptomining activity
- Worms such as Conficker
- SALITY malware
- SMB discovery malware
- Potentially unwanted applications such as Tor and BitTorrent
Cryptomining activity is significant and is becoming an increasingly common tactic for threat actors to generate revenue. Cisco Talos has observed cryptomining attacks in which threat actors infect a large number of machines and utilize them for mining cryptocurrency, which often goes undetected by the end user.
The traffic Cisco observed on Mobile World Congress’ public wireless network represents a number of trends we are seeing in the wild. A large majority of the traffic was encrypted. While not all detected threats were utilizing encryption, the ones that were using it ranked as some of the most severe. Cisco Encrypted Traffic Analytics detected these threats with high confidence and without the use of decryption. In addition, there are still a lot of applications using insecure cryptographic protocols such as TLS 1.0, and Encrypted Traffic Analytics was able to identify that activity.
Lastly, the presence of mobile malware and cryptomining activities was significant. Cryptomining malware is an emerging threat that uses victim resources for monetization. These threats often go undetected and represent an emerging threat vector to businesses.
To learn more about Cisco Encrypted Traffic Analytics, visit http://cisco.com/go/eta