Slashdot Mirror


Cisco Can Now Sniff Out Malware Inside Encrypted Traffic (theregister.co.uk)

Simon Sharwood, writing for The Register: Cisco has switched on latent features in its recent routers and switches, plus a cloud service, that together make it possible to detect the fingerprints of malware in encrypted traffic. Switchzilla has not made a dent in transport layer security (TLS) to make this possible. Instead, as we reported in July 2016, Cisco researchers found that malware leaves recognisable traces even in encrypted traffic. The company announced its intention to productise that research last year and this week exited trials to make the service -- now known as Encrypted Traffic Analytics (ETA) -- available to purchasers of its 4000 Series Integrated Services Routers, the 1000-series Aggregation Services Router and the Cloud Services Router 1000V. Those devices can't do the job alone: users need to sign up for Cisco's StealthWatch service and let traffic from their kit flow to a cloud-based analytics service that inspects traffic and uses self-improving machine learning algorithms to spot dodgy traffic.

18 of 97 comments

  1. And obviously ... by nospam007 · · Score: 4, Interesting

    ...malware is torrents.

  2. Not analyzing payload by sinij · · Score: 5, Informative

    They are not analyzing payload/application data, this is not possible with end-to-end. They are not analyzing metadata, as most malware C&C now pretends to be web traffic. So how? Packet sizes and frequency? This would be trivial for malware creators to circumvent.

    1. Re:Not analyzing payload by 110010001000 · · Score: 4, Insightful

      "users need to sign up for Cisco's StealthWatch service and let traffic from their kit "

      "Sign up for" means "pay monthly for". It sounds like they are analyzing forwarded flow data and looking for flows to/from a particular port/IPs. It would catch malware that uses C&C to known rogue IPs, etc.

    2. Re:Not analyzing payload by ShanghaiBill · · Score: 4, Informative

      So how?

      According to TFA they look for "dodgy destinations" and self-signed certificates.

      So no, they aren't looking at the actual contents of the encrypted traffic at all, and they aren't "sniffing" anything.

    3. Re:Not analyzing payload by ugen · · Score: 4, Insightful

      The amount of bycatch will be nontrivial. This will inevitably result either in a lot of valid traffic being blocked, or no meaningful blocking of malware.

      Except this time they slapped an AI label on the service, so it's very modern and cool and costs more money.

      We've seen this before.

    4. Re:Not analyzing payload by GameboyRMH · · Score: 4, Interesting

      Packet sizes and frequency, along with metadata. I saw a similar analysis of encrypted video streams being used to detect drone video:

      https://www.wired.com/story/a-...

      Looks like the next big thing in cryptography will be data padding...

      --
      "When information is power, privacy is freedom" - Jah-Wren Ryel

    5. Re:Not analyzing payload by sinij · · Score: 2

      So how?

      According to TFA they look for "dodgy destinations" and self-signed certificates.

      So no, they aren't looking at the actual contents of the encrypted traffic at all, and they aren't "sniffing" anything.

      Then the article is wrong. I was at Cisco Live in Vegas in 2016 and attended a workshop in their developers zone where one of the engineers/researchers behind this technology made a presentation. They are looking at the encrypted data itself without decrypting it and just find patterns. I probably still have the presentation somewhere.

      If there are patterns in the encrypted data, then encryption is leaking information. I highly doubt they found a vulnerability in AES and decided to commercialize it.

      They can look at the destination, they can look at handshakes, they can look at timing, they can look at frequency of communication. Am I forgetting something else?

    6. Re:Not analyzing payload by ShanghaiBill · · Score: 2

      Then the article is wrong. I was at Cisco Live in Vegas in 2016 and attended a workshop in their developers zone where one of the engineers/researchers behind this technology made a presentation.

      Or the presenter was wrong.

      Or you misunderstood what was said.

      They are looking at the encrypted data itself without decrypting it and just find patterns. I probably still have the presentation somewhere.

      That is implausible. Extraordinary claims require extraordinary evidence, and so far there is none.

    7. Re:Not analyzing payload by dstrupl · · Score: 2

      The reports are created by Cognitive Analytics Engine - see https://cognitive.cisco.com/. The reports do not necessarily lead to an immediate blocking - it's up to your policy and security response team to define what happens with the findings. To the amount of "bycatch" - we carefully look for precision and recall of the individual detectors so the amount of "bycatch" is not as high as you expect. I said we because I work in the "Cognitive" team.

    8. Re:Not analyzing payload by phorm · · Score: 2

      Not to mention that most decent security products already do "dodgy destinations". One of the common methods is to intercept the DNS calls and re-inject them with an internal IP address, thus blocking attempts to hit the remote baddie but also allowing further capture of data.
      Hell, I can do (and have done) this with a Raspberry Pi for a select number of machines.
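The thread above converges on what can be observed without decrypting anything: destination, TLS handshake facts (SNI, self-signed certificate), packet sizes and timing. The following is an added example, not Cisco's ETA or StealthWatch code, showing those heuristics run over constructed flow records; the `Flow` fields, thresholds, addresses and the `assess` function are all assumptions made for illustration. It also shows the "bycatch" point from the thread: a legitimate internal monitoring agent polling on a fixed interval with a self-signed certificate trips the same heuristics, which is why a destination allowlist and precision tuning matter.

```python
"""Added example (not Cisco's ETA/StealthWatch code): flow-metadata
heuristics of the kind the thread describes, run over constructed flow
records. Nothing here decrypts anything; it uses only what a network
device sees without session keys: destination, ClientHello SNI, whether
the server certificate is self-signed, packet lengths and timestamps."""
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import FrozenSet, List, Optional


@dataclass
class Flow:
    dst: str                   # destination IP (constructed values below)
    sni: Optional[str]         # SNI from the ClientHello, None if absent
    self_signed: bool          # certificate issuer == subject
    sizes: List[int]           # client-to-server packet lengths in bytes
    times: List[float]         # packet timestamps in seconds


def beacon_score(times: List[float]) -> Optional[float]:
    """Coefficient of variation of inter-packet gaps.
    Near 0 means a fixed-interval heartbeat; None if too few packets."""
    if len(times) < 4:
        return None
    gaps = [later - earlier for earlier, later in zip(times, times[1:])]
    avg = mean(gaps)
    return pstdev(gaps) / avg if avg > 0 else None


def assess(flow: Flow, bad_dsts: FrozenSet[str],
           allow_dsts: FrozenSet[str] = frozenset(),
           cv_threshold: float = 0.1) -> List[str]:
    """Return the reasons a flow looks suspicious (empty list = clean)."""
    if flow.dst in allow_dsts:          # tuning knob against bycatch
        return []
    reasons = []
    if flow.dst in bad_dsts:
        reasons.append("known-bad destination")
    if flow.self_signed:
        reasons.append("self-signed server certificate")
    if flow.sni is None:
        reasons.append("no SNI in ClientHello")
    cv = beacon_score(flow.times)
    if cv is not None and cv < cv_threshold:
        reasons.append("fixed-interval beaconing")
    if len(flow.sizes) >= 4 and len(set(flow.sizes)) == 1:
        reasons.append("constant request size")
    return reasons


# Constructed sample flows using documentation/private address ranges.
BROWSER = Flow("198.51.100.20", "www.example.com", False,
               [517, 1400, 64, 300, 1400, 96],
               [0.0, 0.05, 0.3, 1.7, 1.72, 4.0])
BEACON = Flow("203.0.113.7", None, True,
              [517] * 6, [0.0, 60.1, 119.9, 180.0, 240.2, 300.0])
# A legitimate monitoring agent polling an internal server every minute
# looks the same to these heuristics: the bycatch the thread worries about.
AGENT = Flow("10.0.0.5", "monitor.internal", True,
             [517] * 6, [0.0, 60.0, 120.0, 180.0, 240.0, 300.0])
KNOWN_BAD = frozenset({"203.0.113.7"})

if __name__ == "__main__":
    for name, f in [("browser", BROWSER), ("beacon", BEACON), ("agent", AGENT)]:
        print(name, assess(f, KNOWN_BAD) or "clean")
    print("agent, allowlisted:",
          assess(AGENT, KNOWN_BAD, frozenset({"10.0.0.5"})) or "clean")
```

Each reason is a weak signal on its own; the design choice is to return the list of reasons rather than a single verdict so a policy layer (or an analyst, as dstrupl's comment describes) decides what to block or investigate.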

  3. Seems near by symes · · Score: 3, Interesting

    But what happens when they detect something?

  4. Great for now by TimothyHollins · · Score: 4, Interesting

    That's wonderful news. I wonder how long it will be until Cisco caves to NSA pressure and starts looking for other "mal"traffic as well. And then how long until Russia learns how to do it as well.

  5. kind of like... by supernova87a · · Score: 4, Insightful

    I suppose this is like the banks (hubs of the financial world) being made to detect money laundering by the pattern and size / frequency of money transfers. They don't know about the source or nature of the transaction underlying the money, just that when it obeys certain flows, they're supposed to flag it.

  6. Other surveillance? by mi · · Score: 3, Insightful

    Cisco researchers found that malware leaves recognisable traces even in encrypted traffic.

    "Malware" can't be the only thing... Can the same algorithms not be used to detect bomb-making instructions, racism, and counter-revolutionary activities?

    --
    In Soviet Washington the swamp drains you.

  7. No they can't by ByteSlicer · · Score: 5, Informative

    They can recognize traffic patterns in TLS streams, created by malware on IP connected devices.
    They can't detect the malware itself in the stream.

    1. Re:No they can't by amorsen · · Score: 2

      It is trivial to distinguish between random noise and malware in TLS. Just look at packet sizes and timing.

      Even worse, if the adversary has access to the same static web pages, it can't be much trouble to detect which pages the victim is trying to access.

      It is ridiculous that neither IPSEC nor TLS do anything to mitigate against that type of attack. The least they could do was to put everything into predictable full-MTU packets as far as possible. The only tunnelling protocol that attempts anything like that is SEAL, as far as I know. And no one implements SEAL (possibly because the author seems a bit abrasive).

      --
      Finally! A year of moderation! Ready for 2019?

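The padding amorsen describes can be modelled in a few lines. The block below is an added example, not part of the thread and not any protocol's implementation; the record size, the three "page fetch" length sequences and the function names are constructed for illustration. It shows that emitting only full-size records makes two transfers with different write patterns indistinguishable by length, while the record count still leaks the coarse total size and nothing here addresses timing. (TLS 1.3 does allow arbitrary padding inside each record, RFC 8446 section 5.4, but leaves the policy to the application.)

```python
"""Added example (not from the thread or any protocol implementation):
what padding to full-size records hides and what it does not.
All length sequences below are constructed."""
from math import ceil
from typing import List

FULL_RECORD = 1400  # constructed: a full-MTU-sized payload


def pad_to_full_records(sizes: List[int], full: int = FULL_RECORD) -> List[int]:
    """Coalesce a stream of writes into full-size records only.
    The final record is padded up to `full`; an empty stream stays empty."""
    total = sum(sizes)
    return [full] * ceil(total / full)


def padding_overhead(sizes: List[int], full: int = FULL_RECORD) -> float:
    """Fraction of bytes on the wire that are padding."""
    sent = sum(pad_to_full_records(sizes, full))
    return 0.0 if sent == 0 else (sent - sum(sizes)) / sent


def distinguishable(a: List[int], b: List[int]) -> bool:
    """Can an observer tell two transfers apart by their length sequence?"""
    return a != b


PAGE_A = [517, 3200, 64, 9000]    # constructed static page fetch
PAGE_B = [517, 1100, 64, 11000]   # constructed: similar total, different shape
PAGE_C = [517, 400]               # constructed: a much smaller page

if __name__ == "__main__":
    print("raw A vs B:", distinguishable(PAGE_A, PAGE_B))
    print("padded A vs B:", distinguishable(pad_to_full_records(PAGE_A),
                                            pad_to_full_records(PAGE_B)))
    print("padded A vs C:", distinguishable(pad_to_full_records(PAGE_A),
                                            pad_to_full_records(PAGE_C)))
    print("overhead for A: %.1f%%" % (100 * padding_overhead(PAGE_A)))
```

The trade-off amorsen alludes to is visible in `padding_overhead`: hiding write boundaries costs bandwidth, and the cost is highest on small transfers, which is one reason transport protocols have left it to applications.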
  8. smells like shit by jm007 · · Score: 2

    and this time it's not just my hygiene

    "switched on latent features in its recent routers and switches"

    and

    "users need to sign up for Cisco's StealthWatch service and let traffic from their kit flow to a cloud-based analytics service that inspects traffic and uses self-improving machine learning algorithms to spot dodgy traffic"

    it's what is NOT being revealed that truly is scary

  9. Evil bit by Errol+backfiring · · Score: 4, Funny

    Well, probably the logical thing to do: they set the evil bit.

    --
    Nae king! Nae laird! Nae yurrupiean pressedent! We willna be fooled again!