DEVNET-1158: Cognitive Threat Analytics - Behavioral Breach Detection & Security Intelligence Interchange via TAXII/STIX API

Petr Cernohorsky, Product Manager
June 2015

© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

There’s a new cyber-threat reality

•  Hackers will likely command and control your environment via web
•  You’ll most likely be infected via email
•  Your environment will get breached

Only Cisco Cloud Web Security Premium delivers full threat visibility

BEFORE: Discover, Enforce, Harden
DURING: Detect, Block, Defend
AFTER: Scope, Contain, Remediate

•  Web Filtering
•  Web Reputation
•  Application Visibility & Control
•  Anti-Malware
•  Outbreak Intelligence
•  File Reputation (AMP)
•  Dynamic Malware Analysis (AMP)
•  File Retrospection (AMP)
•  Cognitive Threat Analytics (CTA)

[Figure: Cisco Cloud Web Security (CWS) deployment diagram. Labels: Talos; HQ, Campus Office, Branch Office, Roaming User; Traffic Redirections (ASA, Standalone WSA, ISR G2, AnyConnect); Admin (Management, Reporting, Log Extraction, STIX / TAXII APIs); Allow, Warn, Block, Partial Block; Before, During, After; Web Reputation, Web Filtering, Application Visibility & Control, Anti-Malware, File Reputation, Webpage Outbreak Intelligence, Dynamic Malware Analysis, File Retrospection, Cognitive Threat Analytics.]

CWS PREMIUM: CTA Layered Detection Engine

•  Layer 1: Anomaly detection, Trust modeling
•  Layer 2: Event classification, Entity modeling
•  Layer 3: Relationship modeling

10B requests per day; 1K incidents per day

Axis labels: Recall, Precision. Stages: Anomalous Web requests (flows), Malicious Events (flow sequences), Threat Incidents (aggregated events)

Identify suspicious traffic with Anomaly Detection

[Figure: a field of HTTP(S) requests, labelled Normal, Unknown and Anomalous]

Anomaly Detection

•  10B+ requests are processed daily by 40+ detectors
•  Each detector provides its own anomaly score
•  Aggregated scores are used to segregate the normal traffic

Reduce false positives with Trust Modeling

[Figure: clusters of HTTP(S) requests, labelled Anomalous, Normal and Unknown]

Trust Modeling

•  HTTP(S) requests with similar attributes are clustered together
•  Over time, the clusters adjust their overall anomaly score as new requests are added

Categorize requests with Event Classification

•  Keep as legitimate: Media website, Software update, Certificate status check
•  Alert as malicious: Tunneling, Domain generation algorithm, Command and control
•  Keep as suspicious: Suspicious extension, Repetitive requests, Unexpected destination

Event Classification

•  100+ classifiers are applied to a small subset of the anomalous and unknown clusters
•  Requests’ anomaly scores update based on their classifications

Attribute anomalous requests to endpoints and identify threats with Entity Modeling

[Figure: groups of HTTP(S) requests, some marked THREAT]

Entity Modeling

•  A threat is triggered when the significance threshold is reached
•  New threats are triggered as more evidence accumulates over time

Determine if a threat is part of a threat campaign with Relationship Modeling

[Figure: incidents at Company A, Company B and Company C. Labels: Attack Node 1, Attack Node 2; Phase 1, Phase 2, Phase 3; Threat Type 1, Threat Type 2.]

•  Similarity Correlation: global behavioral similarity; local behavioral similarity; local & global behavioral similarity
•  Infrastructure Correlation: shared threat infrastructure

How CTA analyzes a threat

[Figure: requests at the CWS Proxy. Labels: Webrep; AV; scores +, 0, -; domain age: 2 weeks, 2 weeks, 3 hours, 1 day; DGA; C&C.]

•  Domain Generation Algorithm (DGA)
•  Data tunneling via URL (C&C)

Attacker techniques: Active channels

Utilizing a layered detection engine

CWS PREMIUM: CTA Layered Detection Engine

•  Layer 1: Anomaly detection, Trust modeling
•  Layer 2: Event classification, Entity modeling
•  Layer 3: Relationship modeling

Axis labels: Recall, Precision. Stages: Anomalous Web requests (flows), Malicious Events (flow sequences), Threat Incidents (aggregated events)

[Figure: processing pipeline. Labels: Data; Individual Detectors; Detection (Agent 1, Agent 2, Agent 3, Agent N); Filtering; Trust Modeling; Unsupervised Learning; Classification / Layer 1 (Tunneling via URL, Generated Domain, Data Exfiltration); Supervised Learning; Classification / Layer 2 (Threat 1, Threat 2, Threat N); Correlation & Memory; Incidents.]

CTA presents results in two categories: Confirmed Threats

Confirmed Threats - Threat Campaigns

•  Threats spanning across multiple users
•  100% confirmed breaches
•  For automated processing leading to fast reimage / remediation
•  Contextualized with additional Cisco Collective Security Intelligence

CTA presents results in two categories: Detected Threats

Detected Threats - One-off Threats

•  Unique threats detected for individuals
•  Suspected threat confidence and risk levels provided
•  For semi-automated processing
•  Very little or no additional security context exists

Here’s an example of how it works

Near real-time processing

•  10B requests per day
•  +/- 1% is anomalous
•  10M events per day
•  1K-50K incidents per day

[Figure: HTTP(S) requests shown at each stage: Anomaly Detection, Trust Modeling, Classification, Entity Modeling, Relationship Modeling. Labels: Cluster 1, Cluster 2, Cluster 3; Classifier A, Classifier H, Classifier K, Classifier M, Classifier X, Classifier Z.]

•  CONFIRMED threats (spanning multiple users)
•  DETECTED threats (unique)

Breach Detection: Ransomware (Example 1)

[Timeline figure. Marked dates: Feb 25, Mar 1, Mar 21, Mar 24, Mar 25, Apr 4. Event labels: AV removing trojan; AV signatures updated & trojan removed; Worm removed by daily scan; AV removing worm & signatures found outdated; CryptoLocker confirmed & endpoint sent for reimage. Band labels: CTA Detection; Malware operational for more than 20 days.]

Threat activity continuously detected by CTA!

Example 1

Local Context: First detected in your network on Mar 11, 2015 and last observed on Apr 14, 2015. Total of 3 users have shown threat behavior in last 45 days.

Global Context: Also detected in 5+ other companies affecting 10+ other users.

Threat related to the Zeus Trojan horse malware family which is persistent, may have rootkit capability to hide its presence, and employs various command-and-control mechanisms. Zeus malware is often used to track user activity and steal information by man-in-the-browser keystroke logging and form grabbing. Zeus malware can also be used to install CryptoLocker ransomware to steal user data and hold data hostage. Perform a full scan for the record and then reimage the infected device.

9 THREAT 100% confidence AFFECTING 3 users

Example 1

AFFECTING winnt://emea\user1

[Figure: incident graph with panels Activities (8), Domain (8), IPs (8) and Autonomous systems (5). Activity labels: "6 Http traffic to ip addr…" (six entries) and "9 Url string as comm…" (two entries). Autonomous system labels: Amazon.com, Inc; LeaseWeb B.V.; intergenia AG; Qwest communication..; Amazon.com Tech Tel…]

http://95.211.239.228/MG/6XYZCn5dkOpx7yzQbqbmefOBUM9H97ymDGPZ+X8inI56FK/0XHGs6uRF5zaWKXZxmdVbs91AgesgFarBDRYRCqEi+a8roqlRl77ZucRB4sLOlkpoG5d44OZ95VO6pVjtKVAj0SIOXHGFTr7+w5jqe46Kz4//NDHGJw6C2L2hCLEExuNJaeA9wtSRmOgxVg9NhpJXK7oD8dTDoGOD46zWaWDDpQ9zNdmhNtmOfeWA3xxgZ9KzDpd7SVUnzATdD3E1USpWmkpsYsGkTE8fVQ692WQd8h2cRp+KHDg8F2ECZlcDXGOPQPU9TrWFw…

Encrypted Command & Control

9 THREAT 100% confidence

C97-733731-00 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

CTA Exports: STIX / TAXII API

STIX formatted CTA threat intelligence

TAXII Log Adapter: https://github.com/CiscoCTA/taxii-log-adapter

[Figure labels: CTA, Poll Service, Adapter, Transform, Incident]

CTA Exports: STIX Sample Message Payload

1. CTA CONFIRMED threat campaign
2. CTA CONFIRMED or DETECTED threat incident
3. Malicious events (flow sequences)
4. Anomalous web requests

CTA Exports: STIX Language Mapping

    id="cta:package-1412045744-4e3681cb-c188-4893-84bc-500aac2da0a0" timestamp="2014-11-14T07:20:00.300Z" version="1.1.1">
      <stix:STIX_Header>
        <stix:Information_Source>
          <stixCommon:Tools>
            <cyboxCommon:Tool id="cta:tool-CTA">
              <cyboxCommon:Name>Cognitive Threat Analytics</cyboxCommon:Name>
              <cyboxCommon:Vendor>Cisco</cyboxCommon:Vendor>
            </cyboxCommon:Tool>
            <cyboxCommon:Tool id="cta:tool-AMP">
              <cyboxCommon:Name>Advanced Malware Protection</cyboxCommon:Name>
              <cyboxCommon:Vendor>Cisco</cyboxCommon:Vendor>
            </cyboxCommon:Tool>
          </stixCommon:Tools>
        </stix:Information_Source>
      </stix:STIX_Header>
      <stix:Incidents>
        <stix:Incident xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="incident:IncidentType" id="cta:incident-1412045744-1412045744_f8bae03fb2ff7164a0536a67766e_malware$7Ctransferring+data+through+url_0.75">
          <incident:Title>malware|transferring data through url</incident:Title>
          <incident:Time>
            <incident:First_Malicious_Action>2014-11-09T22:09:37.149Z</incident:First_Malicious_Action>
          </incident:Time>
          <incident:Victim>
            <stixCommon:Name>f8bae03fb2ff7164a0536a67766e</stixCommon:Name>
          </incident:Victim>
          <incident:Leveraged_TTPs>
            <incident:Leveraged_TTP>
              <stixCommon:TTP xsi:type="ttp:TTPType">
                <ttp:Title>favicon</ttp:Title>
              </stixCommon:TTP>
            </incident:Leveraged_TTP>
            <incident:Leveraged_TTP>
              <stixCommon:TTP xsi:type="ttp:TTPType">
                <ttp:Title>data tunneling over https</ttp:Title>

https://github.com/STIXProject/stix-viz
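Consuming this export, as an added example (not code from the slides, Cisco, or the taxii-log-adapter project): it pulls each incident's id, title, victim, first malicious action and TTP titles out of a STIX 1.1.1 package and emits one JSON line per incident for log ingestion. The sample package is constructed, its ids and victim names are placeholders, and the function names are hypothetical.

```python
import json
import xml.etree.ElementTree as ET

# Constructed sample shaped like the slide's package; ids and victim names are placeholders.
SAMPLE = """<stix:STIX_Package id="cta:package-EXAMPLE" version="1.1.1"
    xmlns:stix="http://stix.mitre.org/stix-1"
    xmlns:stixCommon="http://stix.mitre.org/common-1"
    xmlns:incident="http://stix.mitre.org/Incident-1"
    xmlns:ttp="http://stix.mitre.org/TTP-1"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
 <stix:Incidents>
  <stix:Incident xsi:type="incident:IncidentType" id="cta:incident-EXAMPLE-1">
   <incident:Title>malware|transferring data through url</incident:Title>
   <incident:Time><incident:First_Malicious_Action>2014-11-09T22:09:37.149Z</incident:First_Malicious_Action></incident:Time>
   <incident:Victim><stixCommon:Name>victim-0001</stixCommon:Name></incident:Victim>
   <incident:Leveraged_TTPs>
    <incident:Leveraged_TTP><stixCommon:TTP xsi:type="ttp:TTPType"><ttp:Title>favicon</ttp:Title></stixCommon:TTP></incident:Leveraged_TTP>
    <incident:Leveraged_TTP><stixCommon:TTP xsi:type="ttp:TTPType"><ttp:Title>data tunneling over https</ttp:Title></stixCommon:TTP></incident:Leveraged_TTP>
   </incident:Leveraged_TTPs>
  </stix:Incident>
  <stix:Incident xsi:type="incident:IncidentType" id="cta:incident-EXAMPLE-2">
   <incident:Title>malware|transferring data through url</incident:Title>
   <incident:Victim><stixCommon:Name>victim-0002</stixCommon:Name></incident:Victim>
  </stix:Incident>
 </stix:Incidents>
</stix:STIX_Package>"""

def local(tag):
    # ElementTree names tags "{namespace}Local"; keep only the local part.
    return tag.rsplit("}", 1)[-1]

def child_text(elem, *path):
    """Walk direct children by local name; return stripped text or None."""
    for name in path:
        if elem is None:
            return None
        elem = next((c for c in elem if local(c.tag) == name), None)
    if elem is None or elem.text is None:
        return None
    return elem.text.strip() or None

def parse_incidents(xml_text):
    """Return one flat dict per stix:Incident in the package."""
    # The feed is remote input: refuse DTDs so entity declarations never reach the parser.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD or entity declaration in STIX payload")
    root = ET.fromstring(xml_text)
    records = []
    for inc in root.iter():
        if local(inc.tag) != "Incident":
            continue
        ttps = [child_text(t, "Title") for t in inc.iter() if local(t.tag) == "TTP"]
        records.append({
            "incident_id": inc.get("id"),
            "title": child_text(inc, "Title"),
            "first_malicious_action": child_text(inc, "Time", "First_Malicious_Action"),
            "victim": child_text(inc, "Victim", "Name"),
            "ttps": [t for t in ttps if t],
        })
    return records

def to_log_lines(records):
    # One JSON object per line, keys sorted so the output is stable.
    return [json.dumps(r, sort_keys=True) for r in records]
```

Optional elements such as the Time block come back as None rather than raising, so an incident that lacks them still produces a log line.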
