Advanced Stealthwatch flow record classification capability and lateral services monitoring
Enhanced anomaly detection: Cognitive Analytics added a new set of anomaly detectors for Stealthwatch flow records based on global reputation and TLS features. This enhancement improves the contextual information for individual incidents and increases the efficacy of the detection engine.
New types of incidents: Cognitive Analytics added a new set of classifiers for detecting:
Stealthy Command and Control communication channels by analyzing long-term behavior of users and devices.
Unexpected DNS usage caused by DGA-based malware or data tunneling.
Malicious SMB service discovery typical for fast-spreading malware such as WannaCry.
Following is an example screen shot of a malicious SMB service discovery incident; note that the infected user is contacting unexpected server IP addresses and countries over the SMB protocol:
Note: You must have Cisco Cognitive Analytics configured on your Stealthwatch System to use these features. Cognitive Analytics quickly detects suspicious web traffic and/or Stealthwatch flow records and responds to attempts to establish a presence in your environment and to attacks that are already under way. For more information, go to the Cognitive Analytics website or the Cognitive Analytics documentation.
Following is an example screen shot of unexpected DNS usage caused by DGA-based malware or data tunneling; note that the user has an abnormally high number of DNS requests, valid or invalid, and transfers a large amount of data in both directions:
Enhanced P2P analytics
The new detection mechanism is able to detect BitTorrent clients in the network. The detection is independent of the ports used and the data transferred, as well as of any other network flow statistics. Therefore, the detector is able to detect active BitTorrent clients in the network that use non-standard (randomized) ports and do not actively participate in file sharing activity. Following is an example screen shot of a torrent incident; note that the user is contacting 972 server IP addresses:
Enhanced data filtering
The data sent to the Cognitive Analytics engine is filtered so that only flow records that cross the network perimeter are sent to the cloud. This filter is based on the Host Groups configuration – flows going from inside host groups to outside host groups are sent for analysis (plus DNS request flows, which are sent even when the DNS server is internal). The enhancement in v6.10 adds the possibility for the user to modify the data that is sent by adding internal host groups to be monitored by the Cognitive Analytics engine. By configuring an internal host group to send Stealthwatch flow records, the user adds data to be sent to the cloud for analysis. Adding specific host groups to Cognitive Analytics monitoring is especially useful for company-internal servers – adding traffic from end users to those servers improves visibility into the exposure of data that could be misused by malware running on affected devices.
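As an added illustration (not Cisco's own code), the following Python models the export filter described above: inside-to-outside flows are forwarded, DNS request flows are forwarded even to internal DNS servers, and flows to an opted-in internal host group are forwarded as well. The host group names and prefixes, the `Flow` fields and the `should_export` function are assumptions constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed host-group configuration (assumption): name -> CIDR prefixes.
# "Inside Hosts" marks the perimeter; the other groups are nested inside it,
# as Stealthwatch host groups typically are.
HOST_GROUPS = {
    "Inside Hosts": ["10.0.0.0/8", "192.168.0.0/16"],
    "Internal Servers": ["10.10.0.0/16"],
    "Internal DNS": ["10.0.53.0/24"],
}
# Internal host group the administrator opted in for Lateral Services monitoring.
MONITORED_INTERNAL_GROUPS = {"Internal Servers"}
DNS_PORT = 53


@dataclass
class Flow:
    """Minimal flow record: client address, server address, server port."""
    src: str
    dst: str
    dst_port: int


def groups_of(ip: str) -> set:
    """Return every host group whose prefixes contain the address."""
    addr = ipaddress.ip_address(ip)
    return {name for name, nets in HOST_GROUPS.items()
            if any(addr in ipaddress.ip_network(n) for n in nets)}


def should_export(flow: Flow) -> bool:
    """Decide whether this flow record is sent to the Cognitive Analytics engine."""
    src_groups, dst_groups = groups_of(flow.src), groups_of(flow.dst)
    # Only flows originating inside the perimeter are considered (assumption).
    if "Inside Hosts" not in src_groups:
        return False
    # Rule 1: inside -> outside flows cross the perimeter and are always sent.
    if "Inside Hosts" not in dst_groups:
        return True
    # Rule 2: DNS request flows are sent even when the DNS server is internal.
    if flow.dst_port == DNS_PORT:
        return True
    # Rule 3 (v6.10): internal flows are sent only if the server belongs to an
    # internal host group explicitly added to Cognitive Analytics monitoring.
    return bool(dst_groups & MONITORED_INTERNAL_GROUPS)
```

Running `should_export` over a day of flow records gives a quick estimate of how much additional telemetry opting in a given internal host group would send to the cloud.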
Following is a telemetry processing diagram for Lateral Services Stealthwatch flows from selected host groups:
There is a new pivot point from within the CTA portal over to the Stealthwatch Management Console (SMC) to further investigate the activity of a particular remote IP. New links next to the remote IP addresses open the SMC Host Reports for that particular IP.
Threat Response Basics
What is Threat Response and how can it help my organization?
What is the cost of Threat Response?
What are the deployment options for Threat Response?
Is Threat Response available outside of the United States?
If you are just starting with Threat Response for the first time, use our quick start guides for Umbrella, Email Security, or Firepower. You can also check out our module configuration videos on YouTube and the in-product configuration details.
If you own AMP for Endpoints, you can manage users within the AMP dashboard. If you have other Cisco products, you can manage users at https://castle.amp.cisco.com/my/users.
Threat Response is free with selected Cisco Security products. To get access, simply go to the login page for your region - NA, EU, or APJC* - and either log in or click to create an account. You can also watch this 1 min video on creating...