detect threats in encrypted traffic without decryption...

Upload: letuong

Post on 28-May-2018


TRANSCRIPT

Page 1: Detect threats in encrypted traffic without decryption ...clnv.s3.amazonaws.com/2017/usa/pdf/BRKCRS-1560.pdf · Detect threats in encrypted traffic without decryption, using network
Detect threats in encrypted traffic without decryption, using network based security analytics

Sarav Radhakrishnan, Distinguished Engineer

BRKCRS-1560

Page 3: Cisco Spark

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public

Questions? Use Cisco Spark to chat with the speaker after the session

How:

1. Find this session in the Cisco Live Mobile App

2. Click “Join the Discussion”

3. Install Spark or go directly to the space

4. Enter messages/questions in the space

cs.co/ciscolivebot#BRKCRS-1560

Cisco Spark spaces will be available until July 3, 2017.

Page 4: Agenda

• The Problem Statement

• The Research

• The Solution

• The Demo

• The Conclusions

Page 5: By Way of Introduction …

I am a Distinguished Engineer and have been at Cisco for 18 years.

I work in Cisco’s Enterprise Networking group, and am focused on advanced network security research and development. I was intimately involved in the development of the Catalyst 3850 platform and Cisco’s QoS strategy across several platforms. I have 8 approved patents and am driving new innovations in the IoT security space. I’m also looking into newer initiatives related to Blockchain, LiFi etc.

Sarav Radhakrishnan, Distinguished Engineer

Page 6: The Problem Statement

Page 7: Encrypted Traffic is increasing

• Volume of encrypted traffic increased from 21% in 2015 to 40% in 2016 (90% year over year)

• Gartner predicts 80% of all web traffic will be encrypted by 2019

• 77% of all requests to Google servers are encrypted (in Feb 2016)

• 97% of YouTube traffic is encrypted

• SSL/TLS encrypted traffic grew 90% year over year from July 2015 to July 2016.*

* Source: NSS Labs

[Chart: share of encrypted traffic by year; the slide labels 2015, 2016 and 2019 with the values 21%, 40% and 75%]

Page 8: Enterprises are embracing encryption

[Chart: Extensive deployment of encryption, percent of the IT budget earmarked for encryption, FY05 to FY15 with a straight-line projection to 2017 and 2019; y-axis 0% to 60%; plotted values in the order shown: 16%, 20%, 19%, 22%, 23%, 23%, 25%, 27%, 30%, 34%, 41%]

Page 9: But…the Threat Actors are also leveraging encryption

Page 10: Threat Vectors Opened by Encrypted Traffic

Uninspected Encrypted Traffic Threats

Employees’ web browsing over HTTPS:

• Malware Infection

• Channel with command and control server

• Data Exfiltration

Employees on an internal network connecting securely to DMZ servers:

• Lateral expansion from infected hosts

Page 11: An Example of a Recent Attack!

Page 12: Additional Threat Vectors in the Enterprise

1. Initial Compromise: Phishing, Email Link, Email attachment, Malware on Personal device, Social Media Site with Malware

2. Malware Propagation

3. Botnet creation / Privilege Escalation

4. DDoS Attack / Data Exfiltration

Perimeter Security ineffective

Page 13: Users, Devices and Things are Coming onto the Network. Securing these Devices is Hard

IoT device Proliferation (IT and Non-IT users): Laptops/PCs, Mobile, Printers, Bonjour Audio/Video, Health-care, Sensors, Badging System, HVAC, Lighting, Security Cameras, Fire Alarm System

Unsophisticated Devices: Limited security & crypto capabilities, prone to hacks

Endpoint Identity: No support for standard authentication mechanisms

Page 14: Impact of an Attack

Page 15: Network Requirements from Security

Before / During / After:

• Reduce Attack Surface by Segmentation, Access Control & Encryption (Software Defined Access)

• Malware & Threat Detection through behavioral analytics (ETA)

• Rapid threat containment through automated incident response (NaaE)

Page 16: Encrypted Traffic Analytics

Visibility and Malware Detection without Decryption

Malware in Encrypted Traffic: Is the payload within the TLS session malicious?

• End to end confidentiality

• Channel integrity during inspection

• Adapts with encryption standards

Cryptographic Compliance: How much of my digital business uses strong encryption?

• Audit for TLS policy violations

• Passive detection of Ciphersuite vulnerabilities

• Continuous monitoring of network opacity

Page 17: The Research

Page 18: Normal Behavior

[Diagram: Endpoint . . . Internet]

Page 19: Malicious Behavior

[Diagram: Endpoint . . . Internet, with a “?” in the path]

Page 20: Encrypted Traffic Analytics – Cisco Research

Known Malware Traffic + Known Benign Traffic → Extract Observable Features in the Data → Employ Machine Learning techniques to build detectors → Known Malware sessions detected in encrypted traffic with 99% accuracy

“Identifying Encrypted Malware Traffic with Contextual Flow Data” AISec ’16 | Blake Anderson, David McGrew (Cisco Fellow)

Page 21: Sequence of Packet Lengths and Times

Malware Behavior → Network Behavior:

• Communication with command and control server → Sequence of packet lengths

• Write to the disk → Time interval between packets

Page 22: Initial Data Packet

TLS field (in ClientHello) → Inference:

• Offered Ciphersuites → Browsers prefer heavyweight and more secure encryption algorithms; mobile applications prefer efficient encryption

• Extensions

TLS handshake:

• ClientHello (Client: I support crypto)

• ServerHello/Certificate/ServerHelloDone (Server: I support that crypto, and I’m me)

• ClientKeyExchange/ChangeCipherSpec/Finished (Client: Take this secret and let’s encrypt)

• ChangeCipherSpec/Finished (Server: Your secret looks good, let’s encrypt)

• Application Data (Client/Server: encrypted data)

Page 23: Case Study: Bestafera

Attempts to collect a user's online banking data and sends out information to a control server – known for keylogging and data exfiltration

Page 24: Bestafera – Behavioral Patterns w.r.t. Packet Lengths/Times

[Diagram: a Bestafera session (Self-Signed Certificate, Data Exfiltration, C2 Message) compared with a Google Search session (Initial Page Load, Page Refresh, Autocomplete)]

Page 25: TLS Client Fingerprinting (Bestafera)

[Diagram: TLS ClientHello → Possible Clients → True Client (v: 1.0.1r)]

Page 26: Why This Approach is Successful

[Diagram: two fingerprint combinations shown as “+ … =”, one with version 1.0.1r and one with version 52.0]

Page 27: Applying ML (Packet Length/Time Data Features)

Observed packets: 219b Dir: >, 1336b Dir: <, 134b Dir: >, … with inter-packet times 186ms, 157ms, 42ms, …

Packets (pl_0 … pl_20): 219 -1336 134 37 …

Times (pt_0 … pt_20): 186 157 42 153 …

Page 28: Applying ML (TLS Data Features)

Cipher suites (cs_0 … cs_175): {ECDHE/RSA}:{AES256/CBC}:SHA, {ECDHE/ECDSA}:{AES256/CBC}:SHA, {DHE/RSA}:{AES256/CBC}:SHA, …

Extensions (ext_0 … ext_20): … ec_points_formats, elliptic_curves, SessionTicket, Heartbeat, …

Binary feature vector as shown on the slide: 0 1 1 0 0 1 0 0 1 0 1 1 0 1

Page 29: Applying ML (Classification)

Model*: $f(\mathbf{x})$ where $f : \mathbf{x} \to \{\text{malware}, \text{benign}\}$

$$\text{label}(\mathbf{x}) = \begin{cases} \text{malware} & \text{if } f(\mathbf{x}) \ge 0 \\ \text{benign} & \text{otherwise} \end{cases}$$

[Figure: Decision Surface in 2 Dimensions]

*Examples of $f(\cdot)$: Deep NN, Random Forest, Logistic Regression

Page 30: In Summary…

• The Sequence of Packet Lengths and Times (SPLT) provides:

»a behavioral profile of the application/user

• The cipher suites and extensions in the ClientHello (TLS) suggest:

»the library the application/user is using to talk TLS

• Combining both views has improved accuracy while reducing false positives
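The two feature views summarised on this slide (the SPLT of pages 21 and 27, and the ClientHello cipher suites and extensions of pages 22 and 28), together with the passive cipher-suite audit behind the cryptographic-compliance use case on page 16, worked through as an added Python example. This is not Cisco's ETA code nor the code from the cited AISec paper. The ClientHello builder, the packet list and the suite/extension vocabularies are constructed for the example, and indexing the inter-packet gap as the gap preceding packet i (with pt_0 = 0) is an assumption, since the slide does not say which gap belongs to which index.

```python
"""Feature extraction in the style of the deck's two views (SPLT and the TLS
ClientHello), plus a passive cipher-suite audit. Added example; not Cisco's
ETA code. Sample packets, the ClientHello and the vocabularies are constructed."""
import struct

# IANA cipher suite ids. The first three are the suites named on the TLS-features
# slide (ECDHE/RSA, ECDHE/ECDSA and DHE/RSA with AES256-CBC-SHA); the rest are
# legacy suites included so the audit has something to flag.
SUITE_VOCAB = [0xC014, 0xC00A, 0x0039, 0x002F, 0x0035, 0x000A, 0x0005, 0x0004]
# IANA extension ids: ec_point_formats, supported_groups (elliptic_curves),
# SessionTicket, heartbeat, server_name.
EXT_VOCAB = [0x000B, 0x000A, 0x0023, 0x000F, 0x0000]
WEAK_SUITES = {0x0004: "RSA/RC4-128/MD5", 0x0005: "RSA/RC4-128/SHA",
               0x000A: "RSA/3DES-CBC/SHA", 0x0000: "NULL/NULL/NULL"}


def splt_features(packets, n=21):
    """SPLT view: packets is a list of (direction, length_bytes, ts_ms).
    Direction '>' is client->server (positive length), '<' server->client
    (negative). pt_i is the gap between packet i-1 and packet i, pt_0 = 0
    (assumed indexing). Both lists are padded/truncated to n entries."""
    lengths, times, prev = [], [], None
    for direction, length, ts in packets:
        lengths.append(length if direction == ">" else -length)
        times.append(0 if prev is None else ts - prev)
        prev = ts
    return (lengths + [0] * n)[:n], (times + [0] * n)[:n]


def parse_client_hello(record):
    """IDP view: offered cipher suites and extension types from a TLS record
    carrying a ClientHello (RFC 5246 layout). Every byte read here is sent in
    cleartext, so nothing is decrypted."""
    ctype, _version, rlen = struct.unpack("!BHH", record[:5])
    if ctype != 22:
        raise ValueError("not a TLS handshake record")
    body = record[5:5 + rlen]
    if body[0] != 1:
        raise ValueError("not a ClientHello")
    end = 4 + int.from_bytes(body[1:4], "big")
    p = 4 + 2 + 32                      # skip client_version and random
    p += 1 + body[p]                    # session_id
    cs_len = struct.unpack("!H", body[p:p + 2])[0]
    p += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(p, p + cs_len, 2)]
    p += cs_len
    p += 1 + body[p]                    # compression_methods
    exts = []
    if p < end:                         # the extensions block is optional
        ext_len = struct.unpack("!H", body[p:p + 2])[0]
        p += 2
        stop = p + ext_len
        while p < stop:
            etype, elen = struct.unpack("!HH", body[p:p + 4])
            exts.append(etype)
            p += 4 + elen
    return suites, exts


def one_hot(present, vocab):
    """Binary indicator vector over a fixed vocabulary, as on the TLS-features slide."""
    return [1 if v in present else 0 for v in vocab]


def weak_offered(suites):
    """Passive audit: legacy suites the client is willing to negotiate."""
    return [WEAK_SUITES[s] for s in suites if s in WEAK_SUITES]


def feature_vector(packets, record):
    """x = [pl_0..pl_20, pt_0..pt_20, cs_*, ext_*], the input to a classifier f(x)."""
    lengths, times = splt_features(packets)
    suites, exts = parse_client_hello(record)
    return lengths + times + one_hot(suites, SUITE_VOCAB) + one_hot(exts, EXT_VOCAB)


def build_client_hello(suites, exts):
    """Constructed test input: a minimal, well-formed TLS 1.2 ClientHello record."""
    ext_block = b"".join(struct.pack("!HH", e, 0) for e in exts)
    hello = (b"\x03\x03" + bytes(32) + b"\x00"
             + struct.pack("!H", 2 * len(suites))
             + b"".join(struct.pack("!H", s) for s in suites)
             + b"\x01\x00"
             + struct.pack("!H", len(ext_block)) + ext_block)
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


# Constructed sample: the first four packets of the packet-length slide and a
# ClientHello offering the three suites of the TLS-features slide plus 3DES.
SAMPLE_PACKETS = [(">", 219, 0), ("<", 1336, 186), (">", 134, 343), (">", 37, 385)]
SAMPLE_HELLO = build_client_hello(
    [0xC014, 0xC00A, 0x0039, 0x000A], [0x000B, 0x000A, 0x0023, 0x000F])

if __name__ == "__main__":
    print(feature_vector(SAMPLE_PACKETS, SAMPLE_HELLO))
    print(weak_offered(parse_client_hello(SAMPLE_HELLO)[0]))
```

The returned vector has 21 + 21 + 8 + 5 entries for this vocabulary; a production pipeline would use the full 176-suite and 21-extension vocabularies the slide refers to, and the audit output is what a TLS-policy check would raise before any decision about the session is taken.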

Page 31: What are we building to enable this solution?

Page 32: Encrypted Traffic Analytics – Building Blocks

Data → Features → Outcomes

• Data: Network, Exporters of Netflow

• Features: SPLT, IDP (flow record: srcIP, dstIP, srcPort, dstPort, prot, startTime, stopTime, numBytes, numPackets, IDP, SPLT)

• Outcomes: ETA Enhanced Analytics (Cryptographic Compliance, Encrypted Malware Detection)

Sequence of Packet Lengths and Times: The SPLT field gives us visibility beyond the first packet of the encrypted flows.

Initial Data Packet: The first packets of any connection contain valuable data about the content.

Page 33: Encrypted Traffic Analytics Technical Solution Overview

Encrypted Traffic Exporters (Enhanced NetFlow from Cisco’s newest switches) → Stealthwatch Collector(s) → Cognitive Analytics (Enhanced analytics and machine learning; Global-to-local knowledge correlation) → Malware detection and cryptographic compliance

Higher Precision | Faster Investigation | Leveraged Network

Page 34: Enhanced Network as a Sensor and Enforcer: Rapidly Mitigate Malware and Vulnerabilities in Encrypted Traffic

• Enhanced Netflow with Encrypted Traffic Analytics → Flow Collector(s) → Stealthwatch SMC

• CTA (cognitive.cisco.com): CTA alerts embedded in SMC

• SMC is the single pane of glass providing aggregate malware detection that is cloud enabled

• Cisco ISE via pxGrid: Context Information, Mitigation Action

Page 35: Solution Architecture

• Advanced Network Telemetry

• Stealthwatch

• Cognitive Analytics

• Availability

Page 37: Enhanced Network as a Sensor

[Diagram: Encrypted Traffic and Non-Encrypted Traffic]

Industry’s first network with the ability to find threats in encrypted traffic without decryption. Avoid, stop or mitigate threats faster than ever before | Real-time flow analysis for better visibility

Page 38: Flow Monitoring

Observation → Exporter → Collection → Analysis → Storage

srcIP, dstIP, srcPort, dstPort, prot, startTime, stopTime, numBytes, numPackets

BRKSEC-2809 38

Page 39: Enhanced Telemetry

Observation → Exporter → Collection → Analysis → Storage, with New Data Features

srcIP, dstIP, srcPort, dstPort, prot, startTime, stopTime, numBytes, numPackets

Flow Record

▹ SrcAddr : 15.15.1.3

▹ DstAddr : 216.58.220.1

▹ SrcPort: 52621

▹ DstPort: 443

▹ Protocol: TCP (6)

▹ Octets: 88

▹ Packets: 28

▹ Type 44941 (SPLT): Value (hex bytes): 00 b4 00 e3 …

▹ Type 44940 (IDP): Value (hex bytes) : 00 b4 00 a2 …

Page 40: Cisco Catalyst 9300 Family enables enhanced network as a sensor with ETA

Rapidly mitigate malware and vulnerabilities in encrypted traffic

StealthWatch® → pxGrid → ISE Mitigation; Machine learning with enhanced behavior analytics; Encrypted Traffic Analytics

• Industry’s most pervasively deployable solution for Encrypted Traffic Analytics

• Complements other encrypted traffic management solutions

Network telemetry based (no decryption) | Line-rate performance | Investment optimization | Simplified management | Globally correlated threat intel

Page 41: Catalyst 9300 ETA Implementation

• UADP 2.0 copies 10 packets of the flow to software

• Software calculates the SPLT and identifies the right IDP to be sent to the collector

• The ETA records are sent once for the lifetime of the flow

• The size of the SPLT per flow: 40 bytes [10 packets * (2 bytes for lengths + 2 bytes for times)]

• No data path performance impact: only copied packets are sent to software

• Number of flows: 2000 flows per second per stack member

• No HA implications as every stack member will send out records independently

[Diagram: per stack member, the UADP 2.0 data path copies 10 packets to software and software performs the Enhanced Netflow Export; members are connected over the Stack Interface]
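The per-flow export behaviour described in the bullets above (copy 10 packets to software, compute the 40-byte SPLT, keep the initial packet as the IDP, export once for the lifetime of the flow, and age out short flows on the inactive timeout) modelled as an added Python example; it is not Cisco's implementation. The element ids 44941 and 44940 are the ones in the flow record on page 39. The byte layout inside the SPLT value (a signed big-endian 16-bit length, negative for server-to-client, followed by an unsigned 16-bit inter-packet gap in milliseconds), the EtaExporter class and the flow key are assumptions made for the example; the deck only states the field's size.

```python
"""Model of the per-flow ETA export described for the Catalyst 9300: copy the
first 10 packets to software, build the 40-byte SPLT, keep the IDP, export once
per flow, and age out idle flows. Added example, not Cisco's code; the byte
layout inside the SPLT value is an assumption."""
import struct

SPLT_PACKETS = 10                     # packets copied to software per flow
SPLT_ELEMENT = 44941                  # element ids shown in the deck's flow record
IDP_ELEMENT = 44940
SPLT_BYTES = SPLT_PACKETS * (2 + 2)   # 40 bytes: 2 for length + 2 for time per packet


def encode_splt(captured, n=SPLT_PACKETS):
    """captured: list of (direction, length, ts_ms). Length is signed by direction
    ('<' = server->client is negative); time is the gap to the previous packet,
    clamped to 16 bits; the field is zero-padded to n packets (assumed layout)."""
    out, prev = b"", None
    for direction, length, ts in captured[:n]:
        gap = 0 if prev is None else min(ts - prev, 0xFFFF)
        out += struct.pack("!hH", length if direction == ">" else -length, gap)
        prev = ts
    return out + bytes(SPLT_BYTES - len(out))


def decode_splt(value):
    """Collector side: turn the exported field back into (length, gap_ms) pairs."""
    if len(value) != SPLT_BYTES:
        raise ValueError(f"SPLT field must be {SPLT_BYTES} bytes, got {len(value)}")
    return [struct.unpack("!hH", value[i:i + 4]) for i in range(0, SPLT_BYTES, 4)]


class EtaExporter:
    """Hypothetical exporter state machine (not the switch's real one)."""

    def __init__(self, inactive_timeout_s=10):
        self.pending = {}      # flow key -> captured packets awaiting export
        self.exported = {}     # flow key -> record; emitted exactly once
        self.timeout_ms = inactive_timeout_s * 1000

    def observe(self, key, direction, length, ts_ms, payload=b""):
        """Per packet. Returns the ETA record the moment the flow is exported, else None."""
        if key in self.exported:               # record already sent for this flow
            return None
        buf = self.pending.setdefault(key, [])
        buf.append((direction, length, ts_ms, payload if not buf else b""))  # first packet = IDP
        return self._export(key) if len(buf) == SPLT_PACKETS else None

    def flush_inactive(self, now_ms):
        """Export flows idle for the inactive timeout (short flows never reach 10 packets)."""
        idle = [k for k, buf in self.pending.items() if now_ms - buf[-1][2] >= self.timeout_ms]
        return [self._export(k) for k in idle]

    def _export(self, key):
        buf = self.pending.pop(key)
        record = {SPLT_ELEMENT: encode_splt([(d, l, t) for d, l, t, _ in buf]),
                  IDP_ELEMENT: buf[0][3]}
        self.exported[key] = record
        return record


# Constructed sample flow keyed by the 5-tuple from the deck's flow record.
SAMPLE_KEY = ("15.15.1.3", 52621, "216.58.220.1", 443, 6)


def run_sample():
    """Feed 11 constructed packets; the record appears on the 10th and never again."""
    exp = EtaExporter()
    pkts = [(">", 219, 0, b"\x16\x03\x01"), ("<", 1336, 186, b""),
            (">", 134, 343, b""), (">", 37, 385, b"")]
    pkts += [(">", 100, 385 + 10 * i, b"") for i in range(1, 7)]
    records = [exp.observe(SAMPLE_KEY, *p) for p in pkts]
    records.append(exp.observe(SAMPLE_KEY, ">", 50, 9999))   # 11th packet: not copied
    return records


if __name__ == "__main__":
    rec = run_sample()[9]
    print(decode_splt(rec[SPLT_ELEMENT]), rec[IDP_ELEMENT])
```

The collector never sees packets, only the 40-byte field plus the IDP, which is why the SPLT stays the same size regardless of flow length and why the exporter's cost is bounded by the copied packets rather than by line rate.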

Page 42: Deployment modes

Network element that will collect and export ETA fields:

• Wired: Fabric as well as non-Fabric deployments (at Access switch): Cat 9300

• Wireless: Fabric based deployments: Cat 9300

Page 43: Catalyst 9300 ETA – Wired Mode

Enabling ETA on the switch:

Switch(config)#et-analytics
Switch(config-et-analytics)#ip flow-export destination 10.109.16.213 2838
Switch(config-et-analytics)#inactive-timeout 10
Switch(config)#interface gigabitEthernet 1/0/1
Switch(config-if)#et-analytics enable

Verifying the configuration:

Switch#show platform software et-analytics global
ET-Analytics Global state
=========================
All Interfaces : Off
IP Flow-record Destination: 10.108.16.213:2838
Inactive timer: 10
ET-Analytics interfaces:
GigabitEthernet1/0/1
ET-Analytics VLAN:
None

Disable ETA on the interface:

Switch(config)#interface gigabitEthernet 1/0/1
Switch(config-if)#no et-analytics enable

Page 44: Verifying the exports Catalyst 9300 ETA

Verifying that the exports are happening from the switch:

Switch# show flow monitor etta-mon cache
Cache type: Normal (Platform cache)
Cache size: 10000
Current entries: 4
Flows added: 6
Flows aged: 2
- Inactive timeout ( 15 secs) 2
IPV4 DESTINATION ADDRESS: 15.15.15.35
IPV4 SOURCE ADDRESS: 72.163.128.140
IP PROTOCOL: 17
TRNS SOURCE PORT: 53
TRNS DESTINATION PORT: 12032
counter bytes long: 128
counter packets long: 1
timestamp abs first: 06:23:24.799
timestamp abs last: 06:23:24.799
interface input: Null
interface output: Null

Page 45: Verifying the exports Catalyst 9300 ETA

Switch#show platform software fed switch active fnf et-analytics-flow-dump
ET Analytics Flow dump
=================
Total packets received (27)
Excess packets received (0)
(Index:0) 72.163.128.140, 15.15.15.35, protocol=17, source port=53, dest port=12032, flow done=u
SPLT: len = 2, value = (25600,0)(128,0)
IDP: len = 128, value = 45:0:0:80:f0:6c:0:0:f9:11:
(Index:1) 72.163.128.140, 15.15.15.35, protocol=17, source port=53, dest port=32356, flow done=u
SPLT: len = 2, value = (59649,0)(128,0)
IDP: len = 517, value = 45:0:2:5:c3:1:0:0:f9:11:
(Index:2) 15.15.15.35, 72.163.128.140, protocol=17, source port=12032, dest port=53, flow done=u
SPLT: len = 2, value = (10496,0)(128,0)
IDP: len = 69, value = 45:0:0:45:62:ae:40:0:40:11:
(Index:3) 15.15.15.35, 72.163.128.140, protocol=17, source port=32356, dest port=53, flow done=u
SPLT: len = 2, value = (10496,0)(128,0)
IDP: len = 69, value = 45:0:0:45:62:ad:40:0:40:11:

Page 46: SD-Access Wireless Architecture

[Diagram: ISE / AD, DNAC (Policy Abstraction and Configuration Automation), WLC and the SD-Access Fabric with nodes labelled B, B and C; CAPWAP control plane and VXLAN data plane from the AP, LISP control plane and VXLAN data plane in the fabric]

Automation: DNAC simplifies the Fabric deployment, including the wireless integration component

Centralized Wireless Control Plane: WLC still provides client session management, AP Mgmt, Mobility, RRM, etc. Same operational advantages of CUWN

LISP control plane Management: WLC integrates with LISP control plane; WLC updates the CP for wireless clients; Mobility is integrated in Fabric thanks to LISP CP

Fabric enabled WLC: WLC is part of LISP control plane

Fabric enabled AP: AP encapsulates Fabric SSID traffic in VXLAN; VXLAN from the AP carrying hierarchical policy segmentation starting from the edge of the network

Optimized Distributed Data Plane: Fabric overlay with Anycast GW + Stretched subnet; VLAN extension with no complications; All roaming is Layer 2

Page 47: Catalyst 9300 ETA – Fabric Enabled Wireless Mode

Enabling ETA on the VLAN:

Switch(config)#et-analytics
Switch(config-et-analytics)#ip flow-export destination 10.109.16.213 2838
Switch(config-et-analytics)#inactive-timeout 10
Switch(config)#vlan configuration 71
Switch(config-vlan-config)#et-analytics enable
Switch(config-vlan-config)#end

Verifying the configuration:

Switch#show platform software et-analytics global
ET-Analytics Global state
=========================
All Interfaces : Off
IP Flow-record Destination: 10.108.16.213:2838
Inactive timer: 10
ET-Analytics interfaces:
none
ET-Analytics VLANs:
71

Disable ETA on the VLAN:

Switch(config)#vlan configuration 71
Switch(config-vlan-config)#no et-analytics enable

Page 48: Solution Architecture

• Advanced Network Telemetry

• Stealthwatch

• Cognitive Analytics

• Availability

Page 49: Stealthwatch: Insider Threat Visibility using your own Network Devices

Stealthwatch: Collects Netflow and other telemetry

Enterprise Networking: Switches and Routers produce Netflow

Security for the network (NaaS):

• Traffic Behavioral Analytics

• Visibility, Monitoring and Protection

• Maximize network investment

Monitor → Detect → Analyze → Respond:

• Monitor: Baseline and summarize all traffic

• Detect: Auto-detect targeted attacks

• Analyze: Provide forensics trail

• Respond: Mitigate and Enforce (FWs, ACLs, ISE & Trustsec)

Page 50: Solution Architecture

• Advanced Network Telemetry

• Stealthwatch

• Cognitive Analytics

• Availability

Page 51: Cognitive Threat Analytics

CTA identifies the threats with layers of anomaly detection and classification used to identify, prioritize and describe difficult-to-find threats

10B requests per day → Anomaly detection / Trust modeling → Anomalous Web requests → Event classification → Malicious Events → Relationship modeling → Threat Incidents → 50K incidents per day

Page 52: Global Risk Map

• CA models and uses up to 20 features of 150 million malicious, risky or otherwise security-relevant servers.

• These features are used as input for CA algorithms inside the engine.

• The features include domain data, whois data, TLS certificate data, usage statistics and behavioral data for each server

Image: http://census2012.sourceforge.net/images.html

Page 53: Cisco Stealthwatch with Cognitive Analytics

Extended Visibility and Behavioral Analytics: Obtain additional visibility and context into global and local traffic; Detect threats that have bypassed existing security controls

Advanced Threat Detection: Utilize machine learning for continuous analysis and detection of Command & Control communications; Identify insiders exfiltrating data to legitimate cloud services

Encrypted Traffic Analytics: Pinpoint malicious patterns in encrypted traffic; Compromised host detection speeds incident response

Page 54: Cisco Stealthwatch with Cognitive Analytics

[Diagram: Encrypted Traffic Analytics and Web Proxy (Proxy Data) feed the Stealthwatch Flow Collector and Stealthwatch Management Console; Cognitive Analytics provides Extended Visibility and Behavioral Analytics and Advanced Threat Detection]

Page 55: CTA’s inspection of encrypted traffic

• Global risk map: Who’s who of the Internet’s dark side. Broad behavioral information about the servers on the Internet.

• Initial Data Packet: Make the most of the unencrypted fields

• Sequence of Packet Lengths and Times: Identify the content type through the size and timing of packets

[Diagram: Self-Signed Certificate, Data Exfiltration, C2 Message]

Page 56: Cognitive Analytics with ETA

Telemetry → Features → CTA Layer 1 (Anomaly detection, Trust modeling) → CTA Layer 2 (Event classification, Entity modeling) → CTA Layer 3 (Relationship modeling) → Incidents, Threat Context

Inputs to the engine: Threat Correlation, Internet Scrapers, ThreatGrid, Global Risk Map, ETA specific classification

10B requests per day in, 50K incidents per day out

Page 57: Detect threats in encrypted traffic without decryption ...clnv.s3.amazonaws.com/2017/usa/pdf/BRKCRS-1560.pdf · Detect threats in encrypted traffic without decryption, using network

Cognitive – Cloud based machine learning

All three elements reinforce each other inside the analytics engine using them: Global Risk Map, Initial Data Packet, and Sequence of Packet Lengths and Times feed the Machine Learning and Analytics Engine.

Encrypted Traffic Analytics: Example Incident


Cognitive Analytics: Confirmed Threats


Solution Architecture

• Advanced Network Telemetry
• Stealthwatch
• Cognitive Analytics
• Availability

Solution Elements, Licensing and Packaging: what does the customer buy?

Solution Element             Software version           License
Enterprise Switches - C9300  IOS-XE 16.6.1 (GA, July)   Included in DNA Advantage license / C1 Advanced
Stealthwatch                 v6.9.2 (Sept)              Uses existing flow licenses

*Branch Routers (ASR1K, ISR4K, CSR) available for PoC with 16.6.1, GA in 16.7.1 (Nov’17)
C9400, C9500 (future)

Solution FCS – Late summer with Stealthwatch v6.9.2

Demo


Cryptographic Compliance: how much of my digital business is in the clear versus encrypted?

Filter Flows by TLS/SSL/Clear


Conclusion


Conclusion

• Encrypted Traffic Analytics leverages the power of network based telemetry and cloud based analytics to:
  • Detect malware in encrypted traffic without decryption
  • Do a cryptographic audit of the network
• Enhances Cisco’s Network-as-a-Sensor capability by collecting threat centric metrics from the network
• Helps in reducing the time to detect malware significantly
• Integrates with Network-as-an-Enforcer to mitigate the threat


Credits

• David McGrew, Cisco Fellow

• Blake Anderson, Technical Leader

• Udayan Palekar, Senior Product Manager

• TK Keanini, Principal Engineer

• Martin Rehak, Principal Engineer

• Sandeep Agarwal, Product Manager

• +whole bunch of engineers who made this possible


Other Sessions on Encrypted Traffic Analytics

• World of Solutions

• Enterprise Networking & Security Booths

• Breakout Sessions
  • BRKSEC-2809 Deciphering Malware's Use of TLS (without Decryption)

• INSSEC-1013 Hidden Figures: Securing What You Cannot See

• BRKSEC-2047 Operationalizing Advanced Threat Solutions

• BRKSEC-2026 Building Network Security Policy Through Data Intelligence

• BRKSEC-3014 Security Monitoring with Stealthwatch: The Detailed Walkthrough

• BRKSEC-3106 Detecting Threats with Advanced Analytics

• Devnet Sessions
  • DEVNET-1218 Understanding Encrypted Traffic Using "Joy" for Monitoring and Forensics

• DEVNET-1215 DevNet Workshop - An Introduction to Monitoring Encrypted Network Traffic with "Joy"


Complete Your Online Session Evaluation

• Give us your feedback to be entered into a Daily Survey Drawing. A daily winner will receive a $750 gift card.
• Complete your session surveys through the Cisco Live mobile app or on www.CiscoLive.com/us.

Don’t forget: Cisco Live sessions will be available for viewing on demand after the event at www.CiscoLive.com/Online.


Thank you
