Understanding Cisco’s New Anti-Malware Tech — ETA (Encrypted Traffic Analytics)

Hackers have been using encryption for years to hide their activity in commercial environments, and it has generally been highly effective, since so much legitimate commercial traffic is already encrypted: truly a needle-in-a-haystack scenario. However, with Cisco's hardware market share declining, Cisco needs to build advantages where its competition can't… yet.

Recently announced at the June 2017 Cisco Live event, Encrypted Traffic Analytics will be built into Cisco DNA Center (the single-window UI for Cisco APIC-EM) and will provide the ability to detect malware inside encrypted traffic throughout your enterprise network.

Let’s see how it works.

First, baselines of normal network traffic patterns are established. Then, when new behavioral patterns appear, they are compared against those baselines using two methods to decide whether the traffic is malware moving through the network.

Packet Lengths/Times

The first method compares the packet lengths and inter-packet times of the new traffic against those of normal traffic, without looking at the encrypted payload at all.
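Cisco has not published the details of how ETA scores a flow against its baseline, so the following is an added illustration of the idea rather than Cisco's code. It bins each packet of a flow by length and by the gap since the previous packet, builds a baseline histogram from constructed "normal" flows, and flags a flow whose histogram is far from that baseline. The bin edges, the threshold, and all sample flows are assumptions chosen for the example.

```python
from collections import Counter

# Assumed bin edges: packet length in bytes, inter-packet gap in milliseconds.
LEN_BINS = [0, 64, 128, 256, 512, 1024, 1500]
GAP_BINS = [0, 10, 50, 200, 1000, 5000]


def bin_index(value, edges):
    """Index of the first bin whose upper edge is above value (last bin catches the rest)."""
    for i, upper in enumerate(edges[1:]):
        if value < upper:
            return i
    return len(edges) - 1


def flow_histogram(flow):
    """flow: list of (length_bytes, gap_ms) tuples -> normalized joint histogram."""
    counts = Counter((bin_index(length, LEN_BINS), bin_index(gap, GAP_BINS))
                     for length, gap in flow)
    total = sum(counts.values())
    return {k: v / total for k, v in counts.items()}


def build_baseline(flows):
    """Average the per-flow histograms of known-good flows into one baseline."""
    merged = Counter()
    for flow in flows:
        merged.update(flow_histogram(flow))
    return {k: v / len(flows) for k, v in merged.items()}


def distance(h1, h2):
    """Total variation distance between two histograms: 0 = identical, 1 = disjoint."""
    keys = set(h1) | set(h2)
    return 0.5 * sum(abs(h1.get(k, 0.0) - h2.get(k, 0.0)) for k in keys)


def classify(flow, baseline, threshold=0.5):
    """Return (verdict, distance); the threshold is an assumption for this example."""
    d = distance(flow_histogram(flow), baseline)
    return ("anomalous" if d > threshold else "normal", d)


# Constructed sample data: two web-browsing-like flows (large downloads mixed with
# small requests at irregular gaps) and one beacon-like flow (identical small
# packets at a fixed interval). None of these are captured traffic.
NORMAL_FLOWS = [
    [(1460, 5), (1460, 5), (1460, 5), (300, 40), (80, 300), (1460, 5), (600, 20), (80, 800)],
    [(1460, 5), (1460, 5), (200, 30), (80, 600), (1460, 5), (1460, 5), (900, 15), (80, 600)],
]
BEACON_FLOW = [(48, 1000)] * 10
BASELINE = build_baseline(NORMAL_FLOWS)

if __name__ == "__main__":
    print("browsing:", classify(NORMAL_FLOWS[0], BASELINE))
    print("beacon:  ", classify(BEACON_FLOW, BASELINE))
```

Real deployments work on far richer features (sequences rather than histograms, byte distributions, flow duration), but the shape is the same: learn what normal looks like, then measure how far a new flow sits from it.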

TLS Client Fingerprinting

The second method identifies the TLS client in use by fingerprinting it against known libraries and clients. From the unencrypted Client Hello packet, ETA can detect whether the anomalous traffic is using OpenSSL or perhaps a Tor-based client.
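Cisco has not published ETA's fingerprint format, but the open JA3 method works on the same idea: the Client Hello is sent in the clear, and the version, cipher suites, extensions, groups and point formats a client offers are characteristic of the library that built it. The following is an added example, not Cisco's or the JA3 project's code. It parses a Client Hello record, builds the JA3 string and MD5, and looks the hash up in a fingerprint table; the table entry, its label, and the sample Client Hello are constructed for the example.

```python
import hashlib
import struct

# GREASE values (RFC 8701) are random placeholders some clients insert; they are
# dropped from the fingerprint so it stays stable across connections.
GREASE = {0x0A0A + 0x1010 * i for i in range(16)}


def parse_client_hello(record: bytes) -> dict:
    """Pull the fingerprintable fields out of a TLS record carrying a ClientHello."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    msg = record[5:5 + rec_len]
    if len(msg) < 4 or msg[0] != 0x01:
        raise ValueError("not a ClientHello")
    hello = msg[4:4 + int.from_bytes(msg[1:4], "big")]
    version = struct.unpack("!H", hello[0:2])[0]
    pos = 2 + 32                          # skip client_version and the 32-byte random
    pos += 1 + hello[pos]                 # skip session_id
    cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    ciphers = [struct.unpack("!H", hello[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + hello[pos]                 # skip compression_methods
    extensions, groups, formats = [], [], []
    if pos + 2 <= len(hello):
        end = pos + 2 + struct.unpack("!H", hello[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hello[pos:pos + 4])
            data = hello[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            extensions.append(etype)
            if etype == 0x000A:           # supported_groups
                n = struct.unpack("!H", data[:2])[0]
                groups = [struct.unpack("!H", data[i:i + 2])[0] for i in range(2, 2 + n, 2)]
            elif etype == 0x000B:         # ec_point_formats
                formats = list(data[1:1 + data[0]])
    return {"version": version, "ciphers": ciphers, "extensions": extensions,
            "groups": groups, "formats": formats}


def ja3_string(fields: dict) -> str:
    """JA3 layout: version,ciphers,extensions,groups,formats, decimal, GREASE removed."""
    def join(values):
        return "-".join(str(v) for v in values if v not in GREASE)
    return ",".join([str(fields["version"]), join(fields["ciphers"]),
                     join(fields["extensions"]), join(fields["groups"]),
                     join(fields["formats"])])


def ja3_hash(record: bytes) -> str:
    """MD5 of the JA3 string, the form usually stored in fingerprint databases."""
    return hashlib.md5(ja3_string(parse_client_hello(record)).encode()).hexdigest()


# Constructed lookup table: a real one holds fingerprints collected from known
# libraries and clients. This entry and its label are assumptions for the example.
KNOWN_CLIENTS = {
    hashlib.md5(b"771,4865-4866-49195,0-10-11,29-23,0").hexdigest(): "constructed-tls13-client",
}


def classify_client(record: bytes) -> str:
    """Label for a known fingerprint, or 'unknown' for one not in the table."""
    return KNOWN_CLIENTS.get(ja3_hash(record), "unknown")


def build_client_hello(version: int, ciphers: list, extensions: list) -> bytes:
    """Construct a minimal ClientHello record for testing (not a captured packet)."""
    ext_bytes = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    body = (struct.pack("!H", version) + b"\x00" * 32 + b"\x00"   # version, random, empty session id
            + struct.pack("!H", 2 * len(ciphers))
            + b"".join(struct.pack("!H", c) for c in ciphers)
            + b"\x01\x00"                                          # one compression method: null
            + struct.pack("!H", len(ext_bytes)) + ext_bytes)
    msg = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(msg)) + msg


# Constructed sample: a TLS 1.3-style offer with a GREASE cipher and a GREASE extension.
SAMPLE_HELLO = build_client_hello(
    0x0303,
    [0x1301, 0x0A0A, 0x1302, 0xC02B],
    [(0x0A0A, b""),
     (0x0000, b"\x00\x0e\x00\x00\x0bexample.com"),   # server_name
     (0x000A, b"\x00\x04\x00\x1d\x00\x17"),           # supported_groups: x25519, secp256r1
     (0x000B, b"\x01\x00")],                          # ec_point_formats: uncompressed
)

if __name__ == "__main__":
    print(ja3_string(parse_client_hello(SAMPLE_HELLO)))
    print(ja3_hash(SAMPLE_HELLO), classify_client(SAMPLE_HELLO))
```

The useful defensive point is that the fingerprint comes entirely from the handshake, so it is available whether or not you can decrypt the session; combined with the flow-shape check above it gives you a second, independent signal on the same connection.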

Combined Approach

Using this combined approach, Cisco is confident enough in the new technology to make it a platform release. It should be a great tool for enterprises, as it reduces false positives and increases detection accuracy.

Importance of Speed

And rightfully so: this is a powerful method for detecting malware without needing to decrypt the data, which is a painstakingly slow process.

A time-saving solution is all the more necessary because it usually takes corporations weeks or even months to detect intrusions. This leaves a wide window for the malware to do incredible damage to enterprise information systems.

How It Might Be Countered (take with a grain of salt)

“This is only effective in specific cases. For example, an LZ-compressed tunnel over 443 to a compromised relay node with a simple pcap replay or random traffic generator (5 lines of code) can obfuscate C&C in view of this ETA tech.

You could even wrap the tunnel using a host header of ‘google.com’ in reference to the node IP.

One rule of thumb: if it is encrypted and you can't read it (proxy decrypt), block it and isolate the host. Problem solved (for IPv4, that is…)” — n4rc