Understanding Cisco’s New Anti-Malware Tech — ETA (Encrypted Traffic Analytics)

To start, this is a game-changing approach. Hackers have been utilizing encryption for years to hide themselves in commercial environments. And generally speaking, this has been highly effective since much of commercial traffic is already encrypted. Truly a needle in a haystack scenario. However, since Cisco hardware market share has been decreasing, they have to build advantages where their competition can’t… yet.

Recently announced at the June 2017 Cisco Live Event, Encrypted Traffic Analytics will be built into the Cisco DNA Center (the single window UI for Cisco Apic-Em) and will provide the ability to detect Encrypted Malware throughout your enterprise network.

Let’s see how it works.

Initial baselines of normal network traffic patterns are established. Then when new behavioral patterns are found, they are compared with two methods to detect if the traffic itself is malware moving through the network.

Packet Lengths/Times

The first method is comparing traffic packet lengths and times with normal traffic.

TLS Client Fingerprinting

The second method is then used to identify the type of TLS utilized based off of fingerprinting from known libraries/clients. From the Client Hello packet ETA can detect if the network anomaly will be utilizing Open SSL or maybe a Tor based method.

Combined Approach

Utilizing this combined approach, Cisco has felt confident that their new technology is worth a platform release. This will be a great tool for enterprises as it reduces false positives and increases detection accuracy.

Importance of Speed

And rightfully so, this is a powerful method for detecting Malware without needing to decrypt the data which is a painstakingly long process.

A time saving solution is made more necessary by the fact that it usually takes corporations weeks or even months to detect intrusions. This leaves a wide window for the malware to do incredible damage to enterprise information systems.

How It Might Be Countered (take with a grain of salt)

I imagine the counter to this type of detection is utilizing fingerprints that more closely resemble industry standard clients (massive amount of work) along with forcing fake data streams into the malware communication process to more closely resemble traffic from normal network patterns. This could be a solution to bypassing this type of behavioral analytics simply because Cisco’s tech is built from measuring baselines of normal network traffic and their detection methods are built from how far the malware traffic deviates from these patterns.

The more you can make your malware present itself as a normal network pattern, the harder it is to detect. Of course this would be a lot more work on the side of reconnaissance for developing/discovering exploits, but it could be worth it’s weight in gold depending on your motives/target. Or maybe one just utilize a different vector altogether…