New detections are available for Stealthwatch telemetry.
As part of our continuous efforts to improve detections and efficacy, additional classifiers have been added to the hundreds of classifiers already implemented in production. This allows us to detect additional behaviours in ETA telemetry.
Consequently, additional annotations have been incorporated to explain these findings. Stealthwatch customers with Early Access enabled will be able to visualize these additional annotations:
Malicious URL detector:
Using known data related to specific threats that have been already confirmed by human threat analysts (IoCs of confirmed threats), this classifier is trained with the URLs of these campaigns. The classifier learns patterns in both the path and the query that can be found in the URL of a specific threat.
These patterns are traditionally uncovered manually by threat analysts. By having a machine learning algorithm learn from historical data and do this task instead, we can provide detections in a more timely manner and at scale.
The use of this technique allows us to apprehend previously unknown malicious hosts in dynamically changing malware infrastructures.
Figure 1: Detection of URLs that follow the same patterns as known threats
Content Spoofing Detector:
Magic numbers, also known also magic bytes, are a list of file signatures used to verify the content of a file. This classifier evaluates HTTP traffic and decides if the file downloaded from the server corresponds to the extension of the requested file. To make this prediction, it uses the magic numbers present on the server’s initial data packet as input data.
As a result, the classifier inspects all the cases where an executable file was downloaded. If it finds any discrepancies between the extension of the file downloaded and their magic bytes, the behavior gets flagged. Depending on the behavior detected, different annotations are shown.
Figure 2: Anomaly corresponding to one of the behaviours detected by the content spoofing detector
Anomalous TLS Fingerprint:
TLS fingerprinting techniques are used to create a database of commonly used TLS client configurations tailored for each customer network.
This visibility has allowed us to use an algorithm to detect suspicious TLS fingerprints that could be flagging malicious applications establishing TLS sessions.
Figure 3: Anomalous TLS client settings are being used. The destination of these connections is shown (both domain and IP address)
New Confirmed Threat
List of new Confirmed Threat types in June:
|
Confirmed Threat ID |
Name |
Category |
Risk |
Description |
|
CVPC01
|
Vicious Panda
|
Malware/ Remote access trojan |
Medium |
A threat related to a recently discovered campaign that researchers call “Vicious Panda.” It operates through Rich Text Format files which, once opened, execute a remote access trojan (RAT) that takes screenshots of the device, develops a list of files and directories, downloads files and more. |
Leveraging Cognitive Intelligence
Cognitive Intelligence capabilities are available to AMP customers (with a compatible web proxy such as the Cisco Web Security Appliance) and all Stealthwatch Enterprise customers. Reach out to your account executive to learn how to turbocharge your existing cybersecurity investment with Cognitive Intelligence.
