As part of the Cisco Common User Experience program, we are working towards a more uniform user experience and terminology alignment. This program runs across all Cisco security products.
New detections are available for Stealthwatch telemetry.
As part of our continuous efforts to improve detections and efficacy, additional classifiers have been added to the hundreds of classifiers already implemented in production. This allows us to detect additional behaviours in ETA telemetry.
Consequently, additional annotations have been incorporated to explain these findings. Stealthwatch customers with Early Access enabled will be able to visualize these additional annotations:
Malicious URL detector:
Using known data about specific threats that have already been confirmed by human threat analysts (the IoCs of confirmed threats), this classifier is trained on the URLs of those campaigns. It learns the patterns in the path and query components of the URLs that a specific threat uses.
These patterns have traditionally been uncovered by hand by threat analysts. Having a machine learning model learn them from historical data instead lets us produce detections sooner and at scale.
Because the learned patterns live in the path and query rather than in the hostname, the technique can also flag previously unknown malicious hosts in dynamically changing malware infrastructures.
Figure 1: Detection of URLs that follow the same patterns as known threats
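To make the idea concrete, here is an added example (written for this page, not Cisco's classifier) of the simplest form of what such a detector learns: each confirmed IoC URL is generalized into a host-independent template in which random-looking path segments and query values are replaced by a character-class placeholder while the fixed structure (file names, parameter names) is kept literal. A URL on a never-seen host that produces the same template is flagged. The IoC URLs, the candidate URLs and the token-class rules are constructed for illustration; a production classifier would learn the tokenization and weights from data rather than using these hand-written rules.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Constructed IoC URLs for illustration only (hypothetical hosts and paths).
CONFIRMED_IOC_URLS = [
    "http://203.0.113.10/a3f9c1b2/gate.php?id=0123456789abcdef0123456789abcdef&v=2",
    "http://bad.example/7e2d5f40/gate.php?id=fedcba9876543210fedcba9876543210&v=3",
    "http://bad.example/update/check.aspx?user=8ab3c2d1e0&s=1",
]


def abstract_token(token: str) -> str:
    """Replace a variable-looking token with a class+length placeholder.

    Short, dictionary-like tokens (gate.php, update, id) stay literal so the
    template keeps the campaign's fixed structure and drops the random parts.
    """
    n = len(token)
    if re.fullmatch(r"\d+", token):
        return f"<digits:{n}>"
    if n >= 8 and re.fullmatch(r"[0-9a-fA-F]+", token):
        return f"<hex:{n}>"  # caveat: also catches real words made of a-f only
    if (n >= 8 and re.fullmatch(r"[A-Za-z0-9_-]+", token)
            and re.search(r"\d", token) and re.search(r"[A-Za-z]", token)):
        return f"<alnum:{n}>"
    return token


def url_template(url: str) -> str:
    """Host-independent template: path segments and query values abstracted,
    parameter names kept literal, parameters sorted so their order is ignored."""
    parts = urlsplit(url)
    segments = [s for s in parts.path.split("/") if s]
    path = "/" + "/".join(abstract_token(s) for s in segments)
    params = sorted((k, abstract_token(v))
                    for k, v in parse_qsl(parts.query, keep_blank_values=True))
    query = "&".join(f"{k}={v}" for k, v in params)
    return path + ("?" + query if query else "")


def learn_templates(ioc_urls):
    """'Training' step: count how many confirmed IoCs produce each template."""
    return Counter(url_template(u) for u in ioc_urls)


def classify_url(url: str, templates: Counter):
    """Return the matching IoC template, or None if the URL looks unrelated."""
    t = url_template(url)
    return t if t in templates else None


if __name__ == "__main__":
    learned = learn_templates(CONFIRMED_IOC_URLS)
    for candidate in [
        # New host, same path/query structure as the confirmed campaign.
        "http://198.51.100.7/bb17ce90/gate.php?v=5&id=00112233445566778899aabbccddeeff",
        # Ordinary CDN asset: no template match.
        "https://cdn.example/assets/app.js?v=5",
        # Known-bad host but a different resource: the host alone does not match.
        "http://203.0.113.10/a3f9c1b2/index.html",
    ]:
        print(candidate, "->", classify_url(candidate, learned))
```

The third candidate shows the trade-off that a learned model has to handle: the template carries no host information, which is what lets it find new hosts, so it also does not fire on a known-bad host serving a URL with a different structure.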
Content Spoofing Detector:
Magic numbers, also known as magic bytes, are file signatures: fixed byte sequences at the start of a file that identify its format. This classifier examines HTTP traffic and decides whether the file the server returned actually corresponds to the extension of the requested file. It makes this prediction from the magic bytes present in the server's first data packet.
The classifier inspects every case in which an executable file was downloaded. If the extension of the downloaded file does not agree with its magic bytes, the behaviour is flagged. Depending on the behaviour detected, different annotations are shown.
Figure 2: Anomaly corresponding to one of the behaviours detected by the content spoofing detector
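The check itself is small enough to show end to end. The following is an added example (not Stealthwatch code) that takes a request path and the raw bytes of the server's first response packet, works out the file name the client asked for (Content-Disposition first, then the URL path), and compares the extension's expected signature with the magic bytes at the start of the body. The signature table, the HTTP responses and the verdict names are constructed for the example. It also handles one failure mode a practitioner hits immediately: when the body is Content-Encoding compressed, the first bytes are the gzip header rather than the file's magic bytes, so the check cannot be made without decompressing.

```python
import os
import re
from urllib.parse import urlsplit

# Constructed signature table: (prefix of the body, file type).
MAGIC = [
    (b"MZ", "pe"),                   # Windows PE image (.exe/.dll/.scr/.sys)
    (b"\x7fELF", "elf"),
    (b"%PDF-", "pdf"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"GIF87a", "gif"), (b"GIF89a", "gif"),
    (b"PK\x03\x04", "zip"),          # also OOXML (.docx/.xlsx) and .jar
    (b"{\\rtf", "rtf"),
]
EXT_TYPE = {
    ".exe": "pe", ".dll": "pe", ".scr": "pe", ".sys": "pe", ".elf": "elf",
    ".pdf": "pdf", ".png": "png", ".jpg": "jpeg", ".jpeg": "jpeg", ".gif": "gif",
    ".zip": "zip", ".docx": "zip", ".xlsx": "zip", ".jar": "zip", ".rtf": "rtf",
}
EXECUTABLE = {"pe", "elf"}


def sniff_type(data: bytes):
    """Return the file type implied by the leading bytes, or None if unknown."""
    for prefix, ftype in MAGIC:
        if data.startswith(prefix):
            return ftype
    return None


def parse_response(raw: bytes):
    """Split a raw HTTP/1.x response into a lower-cased header dict and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.decode("latin-1").split("\r\n")[1:]:   # skip status line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body


def downloaded_name(request_path: str, headers: dict) -> str:
    """File name the client will save: Content-Disposition wins over the URL."""
    m = re.search(r'filename="?([^";]+)"?', headers.get("content-disposition", ""))
    if m:
        return m.group(1)
    return urlsplit(request_path).path.rsplit("/", 1)[-1]


def check_download(request_path: str, raw_response: bytes) -> dict:
    """Compare the claimed extension with the magic bytes of the first packet."""
    headers, body = parse_response(raw_response)
    name = downloaded_name(request_path, headers)
    ext = os.path.splitext(name)[1].lower()
    claimed = EXT_TYPE.get(ext)
    result = {"name": name, "extension": ext, "claimed": claimed, "actual": None}
    encoding = headers.get("content-encoding", "identity").lower()
    if encoding not in ("", "identity"):
        # The leading bytes are the gzip/deflate/br header, not the file's.
        result["verdict"] = "encoded_body"
        return result
    actual = sniff_type(body[:16])       # the first data packet is enough
    result["actual"] = actual
    if actual in EXECUTABLE and claimed not in EXECUTABLE:
        result["verdict"] = "executable_disguised"   # e.g. MZ served as .jpg
    elif actual is None or claimed is None:
        result["verdict"] = "unknown"
    elif actual == claimed:
        result["verdict"] = "match"
    else:
        result["verdict"] = "extension_mismatch"     # e.g. PDF served as .png
    return result


# Constructed responses for the usage example below.
MZ_BODY = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00" + b"\x00" * 16
RESP_JPG = b"HTTP/1.1 200 OK\r\nContent-Type: image/jpeg\r\n\r\n" + MZ_BODY
RESP_EXE = (b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n"
            b'Content-Disposition: attachment; filename="setup.exe"\r\n\r\n' + MZ_BODY)
RESP_PNG = b"HTTP/1.1 200 OK\r\nContent-Type: image/png\r\n\r\n%PDF-1.7\n%\xe2\xe3\xcf\xd3\n"
RESP_GZ = b"HTTP/1.1 200 OK\r\nContent-Encoding: gzip\r\n\r\n\x1f\x8b\x08\x00\x00\x00\x00\x00"

if __name__ == "__main__":
    for path, resp in [("/images/photo.jpg?s=1", RESP_JPG), ("/get?id=7", RESP_EXE),
                       ("/logo.png", RESP_PNG), ("/update.exe", RESP_GZ)]:
        print(path, "->", check_download(path, resp)["verdict"])
```

Note that the Content-Type header is deliberately ignored: it is set by the same server that chose the misleading file name, so only the bytes themselves are trustworthy.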
Anomalous TLS Fingerprint:
TLS fingerprinting is used to build a database of the TLS client configurations commonly seen in each customer's network.
With that baseline in place, an algorithm flags suspicious TLS fingerprints that may indicate malicious applications establishing TLS sessions.
Figure 3: Anomalous TLS client settings are being used. The destination of these connections is shown (both domain and IP address)
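As an added illustration (not Stealthwatch code; the page does not say which fingerprinting scheme it uses), the block below computes a JA3-style client fingerprint from the fields of a ClientHello, builds a per-network baseline of how often each fingerprint is seen, and flags flows whose fingerprint falls below a support threshold, reporting the destination domain and IP as in Figure 3. JA3 is Salesforce's published method (an MD5 over the TLS version, cipher suites, extensions, supported groups and point formats). The ClientHello summaries, flows, domains and addresses are constructed; the parsing of the ClientHello itself is assumed to have happened already. The one caveat the example is built around is GREASE (RFC 8701): browsers insert random reserved values into those lists on every connection, and a fingerprint that does not strip them splits one client into many, which ruins the baseline.

```python
import hashlib
from collections import Counter


def is_grease(value: int) -> bool:
    """GREASE values are 0x0a0a, 0x1a1a, ..., 0xfafa: low nibbles 0xa, both bytes equal."""
    return (value & 0x0F0F) == 0x0A0A and (value >> 8) == (value & 0xFF)


def ja3_string(version, ciphers, extensions, curves, point_formats) -> str:
    """JA3 string: version,ciphers,extensions,curves,point_formats (decimal, '-' joined)."""
    def fmt(values):
        return "-".join(str(v) for v in values if not is_grease(v))
    return ",".join([str(version), fmt(ciphers), fmt(extensions), fmt(curves), fmt(point_formats)])


def ja3_hash(*fields) -> str:
    return hashlib.md5(ja3_string(*fields).encode()).hexdigest()


# Constructed ClientHello summaries: (version, ciphers, extensions, curves, point formats).
# The two browser hellos differ only in their GREASE values.
BROWSER_HELLO = (771, [0x1A1A, 4865, 4866, 4867, 49195, 49199],
                 [0x2A2A, 0, 23, 65281, 10, 11, 16], [0x3A3A, 29, 23, 24], [0])
BROWSER_HELLO_2 = (771, [0x4A4A, 4865, 4866, 4867, 49195, 49199],
                   [0x5A5A, 0, 23, 65281, 10, 11, 16], [0x6A6A, 29, 23, 24], [0])
# A hand-rolled or legacy stack: TLS 1.0 with old cipher suites and no SNI.
ODD_HELLO = (769, [47, 53, 10], [10, 11], [23, 24], [0])

# Constructed flows: (fingerprint, destination domain, destination IP).
FLOWS = [
    (ja3_hash(*BROWSER_HELLO), "www.example.com", "198.51.100.20"),
    (ja3_hash(*BROWSER_HELLO_2), "mail.example.com", "198.51.100.21"),
    (ja3_hash(*BROWSER_HELLO), "cdn.example.net", "198.51.100.22"),
    (ja3_hash(*BROWSER_HELLO_2), "www.example.com", "198.51.100.20"),
    (ja3_hash(*BROWSER_HELLO), "docs.example.org", "198.51.100.23"),
    (ja3_hash(*BROWSER_HELLO_2), "www.example.com", "198.51.100.20"),
    (ja3_hash(*ODD_HELLO), "update-srv.example", "203.0.113.77"),
]


def build_baseline(flows) -> Counter:
    """Per-network baseline: how many flows each client fingerprint produced."""
    return Counter(fp for fp, _, _ in flows)


def flag_anomalous(flows, baseline: Counter, min_support: int = 5):
    """Flows whose fingerprint is rare in this network, with their destinations."""
    return [(fp, domain, ip) for fp, domain, ip in flows if baseline[fp] < min_support]


if __name__ == "__main__":
    baseline = build_baseline(FLOWS)
    for fp, domain, ip in flag_anomalous(FLOWS, baseline):
        print(f"anomalous TLS fingerprint {fp} -> {domain} ({ip})")
```

With GREASE stripped, the six browser flows collapse onto one fingerprint with support 6 and only the TLS 1.0 flow is reported; without the `is_grease` filter every browser flow would look unique and the baseline would flag all of them.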
New Confirmed Threat
List of new Confirmed Threat types in June:
Confirmed Threat ID
Malware / Remote access trojan
A threat related to a recently discovered campaign that researchers call "Vicious Panda." It operates through Rich Text Format files which, once opened, execute a remote access trojan (RAT) that takes screenshots of the device, enumerates files and directories, downloads files, and more.