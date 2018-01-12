Become a fan of Slashdot on Facebook

 


Security Encryption Technology

Cisco Can Now Sniff Out Malware Inside Encrypted Traffic

Posted by msmash
Simon Sharwood, writing for The Register: Cisco has switched on latent features in its recent routers and switches, plus a cloud service, that together make it possible to detect the fingerprints of malware in encrypted traffic. Switchzilla has not made a dent in transport layer security (TLS) to make this possible. Instead, as we reported in July 2016, Cisco researchers found that malware leaves recognisable traces even in encrypted traffic. The company announced its intention to productise that research last year and this week exited trials to make the service -- now known as Encrypted Traffic Analytics (ETA) -- available to purchasers of its 4000 Series Integrated Service Routers, the 1000-series Aggregation Services Router and the model 1000V Cloud Services Router 1000V. Those devices can't do the job alone: users need to sign up for Cisco's StealthWatch service and let traffic from their kit flow to a cloud-based analytics service that inspects traffic and uses self-improving machine learning algorithms to spot dodgy traffic.

Cisco Can Now Sniff Out Malware Inside Encrypted Traffic

  • And obviously ... (Score:5, Interesting)

    by nospam007 ( 722110 ) * on Friday January 12, 2018 @09:45AM (#55914561)

    ...malware is torrents.

    • Sounds like its just a proxy server that takes your request, gets the data and then sends it back to you after it checks it ... these have been around for years. Non-news and if it is patented, should never have passed the obious or prior art tests.

  • Not analyzing payload (Score:5, Informative)

    by sinij ( 911942 ) on Friday January 12, 2018 @09:49AM (#55914585)
    They are not analyzing payload/application data, this is not possible with end-to-end. They are not analyzing metadata, as most malware C&C now pretends to be web traffic. So how? Packet sizes and frequency? This would be trivial for malware creators to circumvent.

    • Re:Not analyzing payload (Score:5, Insightful)

      by 110010001000 ( 697113 ) on Friday January 12, 2018 @10:01AM (#55914663) Homepage Journal
      "users need to sign up for Cisco's StealthWatch service and let traffic from their kit "

      "Sign up for" means "pay monthly for". It sounds like they are analyzing forwarded flow data and looking for flows to/from a particular port/IPs. It would catch malware that uses C&C to known rogue IPs, etc.

    • Re:Not analyzing payload (Score:5, Informative)

      by ShanghaiBill ( 739463 ) on Friday January 12, 2018 @10:01AM (#55914667)

      So how?

      According to TFA they look for "dodgy destinations" and self-signed certificates.

      So no, they aren't looking at the actual contents of the encrypted traffic at all, and they aren't "sniffing" anything.

      • Re:Not analyzing payload (Score:4, Insightful)

        by ugen ( 93902 ) on Friday January 12, 2018 @10:17AM (#55914751)

        The amount of bycatch will be nontrivial. This will inevitably result either in a lot of valid traffic being blocked, or no meaningful blocking of malware.

        Except this time they slapped AI label on the service, so it's very modern and cool and costs more money.

        We've seen this before.

      

        by Anonymous Coward

        

        According to TFA they look for "dodgy destinations" and self-signed certificates.

        So no, they aren't looking at the actual contents of the encrypted traffic at all, and they aren't "sniffing" anything.

        Then the article is wrong. I was at Cisco Live in Vegas in 2016 and attended a workshop in their developers zone where one of the engineers/researchers behind this technology made a presentation. They are looking at the encrypted data itself without decrypting it and just finds patterns. I probably still have the presentation somewhere.

        

          by sinij ( 911942 )

          

          According to TFA they look for "dodgy destinations" and self-signed certificates.

          So no, they aren't looking at the actual contents of the encrypted traffic at all, and they aren't "sniffing" anything.

          Then the article is wrong. I was at Cisco Live in Vegas in 2016 and attended a workshop in their developers zone where one of the engineers/researchers behind this technology made a presentation. They are looking at the encrypted data itself without decrypting it and just finds patterns. I probably still have the presentation somewhere.

          If there are patterns in the encrypted data, then encryption is leaking information. I highly doubt they found a vulnerability in AES and decided to commercialize it.

          They can look at the destination, they can look at handshakes, they can look at timing, they can look at frequency of communication. Am I forgetting something else?

          • That was what I was thinking. Patterns in transmission not really anything in the traffic itself. Sends a dozen packets out, receives 18 back, then every 30 seconds, sends 2 packets, receives 2 packets (some kind of heartbeat) and occasionally several minutes of non-stop streaming from the infected PC.

    

      by Anonymous Coward

      devices can't do the job alone: users need to sign up [...] and let traffic [..] flow to a cloud-based analytics service

      Then use TLA-provided stolen/coerced root certs to peer into the data stream, in exchange for "data sharing" with the TLA.

      Oh, and they will "flag malware for you", sometimes. Maybe.

       

    

      by mysidia ( 191772 )

      They are not analyzing metadata, as most malware C&C now pretends to be web traffic.

      They could look at the IP addresses of the connections (Check against blacklist of malicious IPs); SSL Metadata, e.g. the SNI hostname from TLS, then look at reputation data regarding the hostname; certificate and public key information, common crypto parameters (Maybe some malware configures a HTTPS client uniquely). They can detect whether the SSL connection "Looks like" a normal web connection, or whether

    • Packet sizes and frequency, along with metadata. I saw a similar analysis of encrypted video streams being used to detect drone video:

      https://www.wired.com/story/a-... [wired.com]

      Looks like the next big thing in cryptography will be data padding...

  • Seems near (Score:4, Interesting)

    by symes ( 835608 ) on Friday January 12, 2018 @09:50AM (#55914593) Journal

    But what happens when they detect something?

    

      by Chrisq ( 894406 )

      But what happens when they detect something?

      This is what I was going to ask. Do they block traffic (risking false positives) or merely alert you to the fact that some thing(s) on your LAN are acting suspiciously?

    • It alerts you or you have the option of having it blocked or quarantined. All of that is in the customization of the software.
      More technical info it feeds the information into pxGrid using Cisco Identity Services Engine (ISE) with Cisco TrustSec and Software-Defined Access (SDAccess). From the marketing info.
    • Well, probably the logical thing to do: they set the evil bit.

  • Great for now (Score:4, Interesting)

    by TimothyHollins ( 4720957 ) on Friday January 12, 2018 @09:50AM (#55914595)

    That's wonderful news. I wonder how long it will be until Cisco caves to NSA pressure and starts looking for other "mal"traffic as well. And then how long until Russia learns how to do it as well.

  • kind of like... (Score:5, Insightful)

    by supernova87a ( 532540 ) <kepler1@@@hotmail...com> on Friday January 12, 2018 @09:59AM (#55914641)
    I suppose this the the banks (hubs of the financial world) being made to detect money laundering by the pattern and size / frequency of money transfers. They don't know about the source or nature of the transaction underlying the money, just that when it obeys certain flows, they're supposed to flag it.

  • Other surveillance? (Score:3, Insightful)

    by mi ( 197448 ) <slashdot-2017q4@virtual-estates.net> on Friday January 12, 2018 @10:03AM (#55914679) Homepage Journal

    Cisco researchers found that malware leaves recognisable traces even in encrypted traffic.

    "Malware" can't be the only thing... Can the same algorithms not be used to detect bomb-making instructions, racism, and counter-revolutionary activities?

  • No they can't (Score:5, Informative)

    by ByteSlicer ( 735276 ) on Friday January 12, 2018 @10:06AM (#55914687)

    They can recognize traffic patterns in TLS streams, created by malware on IP connected devices.
    They can't detect the malware itself in the stream.

  • This just sounds really fishy to me. What's the encryption, A Ceaser cypher? The whole point of modern encryption is that the same input renders wildly different outputs. Their is no pattern to speak of. I'm sorry, I'm just not buying it... (figuratively or literally)

    

      by Kurdy ( 1697480 )

      I agree with you; if there is recognizable patterns, that means that current encryption methods are not strong enough....

    • I've seen the demo of this software and it look very impressive. No this is not Snake Oil. The "patterns" of traffic once mapped a number of times, even encrypted, apparently can be detected to be a certain kind of traffic. One would need to know what the pattern would look like, or certain behaviors to make a mapping of a new pattern. So it's not really so much the "know" what's in the payload, but by seeing the same encrypted pattern of traffic they can "know" the payload. Kind of like a part of chao
    • It does not break the encryption. It is combination of a netflow analyser and looking at unencrypted info such as the certificate and the first couple of frames.
      With the certificates it is looking for self-signed or known bad fields. With the netflow you can look for patterns, for example a n internal clients connects to an external server every hour and exchanges just a few bytes.
      This software goes a little further by linking those all together from all the sites running this.

  • Smells like BS (Score:1)

    by Anonymous Coward

    You can sniff packets without decrypting them and tell the difference between "regular" data and "malicious" data? Smells like BS to me.

  • smells like shit (Score:3)

    by jm007 ( 746228 ) on Friday January 12, 2018 @10:38AM (#55914885)
    and this time it's not just my hygiene

    "switched on latent features in its recent routers and switches"

    and

    "users need to sign up for Cisco's StealthWatch service and let traffic from their kit flow to a cloud-based analytics service that inspects traffic and uses self-improving machine learning algorithms to spot dodgy traffic"

    it's what is NOT being revealed that truly is scary

  • https://www.cisco.com/c/dam/en... [cisco.com]

    "Encrypted Traffic Analytics extracts four main data elements: the sequence of packet lengths and times, the byte distribution, TLS-specific features and the initial data packet."

  • This seems somewhat "old news" certain applications still have fingerprints on packets that can be detected even if you can't read the data being exchanged.

    Our Sophos XG firewall does this with many different torrent applications, and it ends up blocking non-VPNed, but still encrypted connections.

    I'm a little sketchy about the "upload your traffic to us" part, but I guess that allows for more analysis across more hsots

    SV

