
Cognitive Release Note, June 2020: New detections are available for Stealthwatch telemetry


User Experience Enhancements


As part of the Cisco Common User Experience program, we are working towards a more uniform user experience and terminology alignment. This program runs across all Cisco security products.


New detections are available for Stealthwatch telemetry.

As part of our continuous efforts to improve detections and efficacy, additional classifiers have been added to the hundreds of classifiers already implemented in production. This allows us to detect additional behaviours in ETA telemetry.

Consequently, additional annotations have been incorporated to explain these findings. Stealthwatch customers with Early Access enabled will be able to see these additional annotations in the portal.


Malicious URL detector:

Using known data related to specific threats that have been already confirmed by human threat analysts (IoCs of confirmed threats), this classifier is trained with the URLs of these campaigns. The classifier learns patterns in both the path and the query that can be found in the URL of a specific threat.

These patterns are traditionally uncovered manually by threat analysts. By having a machine learning algorithm learn from historical data and perform this task instead, we can provide detections in a more timely manner and at scale.

The use of this technique allows us to identify previously unknown malicious hosts in dynamically changing malware infrastructures.

Figure 1: Detection of URLs that follow the same patterns as known threats


Content Spoofing Detector:

Magic numbers, also known as magic bytes, are a list of file signatures used to verify the content of a file. This classifier evaluates HTTP traffic and decides whether the file downloaded from the server corresponds to the extension of the requested file. To make this prediction, it uses the magic numbers present in the server's initial data packet as input data.

As a result, the classifier inspects all the cases where an executable file was downloaded. If it finds any discrepancy between the extension of the downloaded file and its magic bytes, the behavior gets flagged. Depending on the behavior detected, different annotations are shown.


Figure 2: Anomaly corresponding to one of the behaviours detected by the content spoofing detector
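The extension-versus-signature check described above, as an added example that is not Cognitive Intelligence's own code: it compares the extension named in the requested URL with the magic number in the first bytes of the HTTP response body and annotates mismatches. It flags executables served under another (or no) extension and, going beyond the executable-only case in the text, any mismatch among the signatures in its constructed table; the table, URLs and response bytes are all constructed for the example.

```python
import re
from urllib.parse import urlparse

# Constructed signature table (hypothetical, abbreviated); a production
# detector carries a far larger list of file signatures.
MAGIC_NUMBERS = {
    "exe": [b"MZ"],                      # PE executables (.exe, .dll, ...)
    "dll": [b"MZ"],
    "pdf": [b"%PDF-"],
    "png": [b"\x89PNG\r\n\x1a\n"],
    "jpg": [b"\xff\xd8\xff"],
    "jpeg": [b"\xff\xd8\xff"],
    "gif": [b"GIF87a", b"GIF89a"],
    "zip": [b"PK\x03\x04"],
}
EXECUTABLE = {"exe", "dll"}

def detect_type(first_bytes: bytes) -> set:
    """Extensions whose file signature matches the leading bytes of the body."""
    return {ext for ext, sigs in MAGIC_NUMBERS.items()
            if any(first_bytes.startswith(s) for s in sigs)}

def requested_extension(url: str):
    """Extension named in the URL path (lower-cased), or None if there is none."""
    m = re.search(r"\.([A-Za-z0-9]+)$", urlparse(url).path)
    return m.group(1).lower() if m else None

def check_download(url: str, first_bytes: bytes):
    """Compare the requested extension with the served content. Returns
    (verdict, annotation); verdict is 'match', 'spoofed' or 'unknown'."""
    ext = requested_extension(url)
    actual = detect_type(first_bytes)   # only the first packet is needed
    if ext in actual:
        return "match", f"content matches requested .{ext}"
    if actual & EXECUTABLE:
        # Executable served under a non-executable or missing extension.
        return "spoofed", f"executable content served as {ext or 'no extension'}"
    if ext in MAGIC_NUMBERS and actual:
        return "spoofed", f"requested .{ext} but content is {sorted(actual)[0]}"
    return "unknown", "no signature evidence for this request"

if __name__ == "__main__":
    # Constructed samples: (URL, first bytes of the HTTP response body)
    samples = [
        ("http://files.example.test/photo.jpg", b"MZ\x90\x00\x03\x00\x00\x00"),
        ("http://files.example.test/report.pdf", b"PK\x03\x04\x14\x00"),
    ]
    for url, head in samples:
        print(url, *check_download(url, head))
```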


Anomalous TLS Fingerprint:

TLS fingerprinting techniques are used to create a database of commonly used TLS client configurations tailored for each customer network.

This visibility has allowed us to use an algorithm to detect suspicious TLS fingerprints that may indicate malicious applications establishing TLS sessions.


Figure 3: Anomalous TLS client settings are being used. The destination of these connections is shown (both domain and IP address)

New Confirmed Threat


List of new Confirmed Threat types in June:

| Confirmed Threat ID | Name | Category | Risk | Description |
|---|---|---|---|---|
| CVPC01 | Vicious Panda | Malware / Remote access trojan | Medium | A threat related to a recently discovered campaign that researchers call "Vicious Panda." It operates through Rich Text Format files which, once opened, execute a remote access trojan (RAT) that takes screenshots of the device, develops a list of files and directories, downloads files and more. |



Leveraging Cognitive Intelligence

Cognitive Intelligence capabilities are available to AMP customers (with a compatible web proxy such as the Cisco Web Security Appliance) and all Stealthwatch Enterprise customers. Reach out to your account executive to learn how to turbocharge your existing cybersecurity investment with Cognitive Intelligence.