Showing results for 
Search instead for 
Did you mean: 

CTA Updates in Detail: November 2017

Cisco Employee

This blog extends information from Cognitive Threat Analytics (CTA) Release Notes.


November 2017 Updates


  • Advanced Detection from Encrypted channels
    • ETA Analytics. New and updated algorithms that use ETA features in StealthWatch-flows to detect: Malware families Cryptowall, Sality, and Ramnit, Malicious file download, Phishing, DNS sinkhole, Vulnerability scanning, Typo-squatting, Unicode typo-squatting. Note that CTA support for ETA works specifically for customers providing StealthWatch-flow telemetry. For customers providing ProxyLog telemetry CTA now provides HTTPS-based detection capability (see next item)
    • Detection from HTTPS telemetry without decryption. From now on CTA provides industry-unique technology allowing to detect multiple infection types in HTTPS channel without decryption. The technology is the result of year-long research effort motivated by the fact that the increasing adoption of encryption across the Internet may diminish capabilities of industry-standard detection techniques. CTA makes the most of combining and correlating multiple very weak indicators available in HTTPS telemetry.



Example 1: Here the HTTPS classifier attributed the https communication to the ad injector activity. Connection to server is not shown as successful to cause harm, nevertheless the client node is clearly infected.



Example 2: Note the https flows in the bottom, that in this case proved sufficient to trigger the incident.


  • Verification

    • Possibility for customers and field to generate on-demand test incidents in their lab


Can you expand on Detection from HTTPS telemetry without decryption.   How is CTA getting the HTTPs information?  Is it from WSA logs sent to Stealthwatch or is it from WSA https logs sent directly to CTA. 

My Customer has WSA fully deployed today and want to get HTTPS telemetry without decryption in their environment.  They do not have Stealthwatch.   What do they need to deploy and configure/integrate to make this work?

Cisco Employee

Detection from HTTPS telemetry without decryption currently works on proxy logs sent from WSA directly to CTA and on proxy logs sent from CWS to CTA. This technology does not need any special setup; all existing or future WSA or CWS customers have the technology enabled as part of the standard CTA service.

StealthWatch customers currently can leverage this technology only if they enable ProxyWatch. However, CTA team now works on updates that will enable the technology for all StealthWatch customers who use CTA in standard setup. This is planned to be ready in early spring.


Thank Petr

What are the CTA differences between ETA/Stealthwatch and HTTPS logs/WSA?

Is CTA able to get the same visibility and analytics in encrypted traffic with both solutions?

Cisco Employee

The technologies are principally different and are intended to complement each other. ETA/StealthWatch provides the stronger detection capability, allowing to apply many of existing detectors that would normally work only with unencrypted data. HTTPSlogs/WSA is in contrary a statistical technique based on combining multiple very weak indicators to provide strong enough conviction of attack. ETA/StealthWatch is a general purpose technique aimed at covering the maximum of threat landscape. HTTPSlogs/WSA discovers well a large number of malware families but at this moment can not provide complete coverage of threat landscape.