As part of the Cisco Common User Experience program, we are working towards a more uniform user experience and terminology alignment. This program runs across all Cisco security products.
New detections are available for Stealthwatch telemetry.
As part of our continuous efforts to improve detections and efficacy, additional classifiers have been added to the hundreds of classifiers already implemented in production. This allows us to detect additional behaviours in ETA telemetry.
Consequently, additional annotations have been incorporated to explain these findings. Stealthwatch customers with Early Access enabled will be able to visualize these additional annotations:
Malicious URL detector:
Using known data related to specific threats that have been already confirmed by human threat analysts (IoCs of confirmed threats), this classifier is trained with the URLs of these campaigns. The classifier learns patterns in both the path and the query that can be found in the URL of a specific threat.
These patterns are traditionally uncovered manually by threat analysts. By having a machine learning algorithm learn from historical data and do this task instead, we can provide detections in a more timely manner and at scale.
This technique lets us identify previously unknown malicious hosts in dynamically changing malware infrastructures.
Figure 1: Detection of URLs that follow the same patterns as known threats
Content Spoofing Detector:
Magic numbers, also known as magic bytes, are a list of file signatures used to verify the content of a file. This classifier evaluates HTTP traffic and decides whether the file downloaded from the server corresponds to the extension of the requested file. To make this prediction, it uses the magic numbers present in the server's initial data packet as input.
The classifier inspects every case where an executable file was downloaded. If it finds a discrepancy between the extension of the downloaded file and its magic bytes, the behavior gets flagged. Depending on the behavior detected, different annotations are shown.
Figure 2: Anomaly corresponding to one of the behaviours detected by the content spoofing detector
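As an added illustration of the magic-number check described above (example code written for this page, not Cisco's classifier; the signature table and the sample downloads are constructed), this compares the extension in the requested path with the leading bytes of the response body and returns an annotation for each discrepancy:

```python
from urllib.parse import urlparse
import posixpath

# Constructed subset of well-known magic numbers: extension -> accepted leading bytes.
MAGIC = {
    ".exe": (b"MZ",), ".dll": (b"MZ",),
    ".elf": (b"\x7fELF",),
    ".pdf": (b"%PDF-",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",), ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".zip": (b"PK\x03\x04",),
}
# Signatures whose presence means the server sent executable code.
EXECUTABLE = {b"MZ": "PE executable", b"\x7fELF": "ELF executable"}
EXECUTABLE_EXTS = (".exe", ".dll", ".elf")

def identify(head: bytes):
    """Return the set of extensions whose signature matches the first bytes of the body."""
    return {ext for ext, sigs in MAGIC.items() if any(head.startswith(s) for s in sigs)}

def classify_download(request_path: str, head: bytes):
    """Compare the requested extension with the magic bytes actually served.
    Returns an annotation string for a discrepancy, or None when they agree."""
    ext = posixpath.splitext(urlparse(request_path).path)[1].lower()  # drop query string
    served = identify(head)
    if ext in served:
        return None                                  # extension and content agree
    for sig, name in EXECUTABLE.items():             # executable code behind another extension
        if head.startswith(sig) and ext not in EXECUTABLE_EXTS:
            return f"{name} served for {ext or 'extension-less'} request"
    if ext in MAGIC:                                 # known type requested, something else came back
        if served:
            return f"{ext} requested but content matches {', '.join(sorted(served))}"
        return f"{ext} requested but content has no recognised signature"
    return None                                      # no expectation for this extension

# Constructed sample of (requested path, first bytes of the server's response body).
SAMPLE = [
    ("/images/logo.png?v=3", b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR"),
    ("/gallery/photo.jpg", b"MZ\x90\x00\x03\x00\x00\x00\x04\x00"),
    ("/docs/invoice.pdf", b"<html><body>"),
    ("/update/tool.exe", b"MZ\x90\x00"),
]

def scan(samples):
    """Run the classifier over every download and return only the flagged ones."""
    flagged = []
    for path, head in samples:
        note = classify_download(path, head)
        if note:
            flagged.append((path, note))
    return flagged
```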
Anomalous TLS Fingerprint:
TLS fingerprinting techniques are used to create a database of commonly used TLS client configurations tailored for each customer network.
This visibility lets an algorithm flag TLS fingerprints that deviate from that baseline and may indicate malicious applications establishing TLS sessions.
Figure 3: Anomalous TLS client settings are being used. The destination of these connections is shown (both domain and IP address)
New Confirmed Threat
List of new Confirmed Threat types in June:
Confirmed Threat ID
Malware / Remote access trojan
A threat related to a recently discovered campaign that researchers call "Vicious Panda." It operates through Rich Text Format files which, once opened, execute a remote access trojan (RAT) that takes screenshots of the device, builds a list of files and directories, downloads files and more.