On January 10, Cisco’s officially released its software platform Encrypted Traffic Analytics (ETA) that can keep a check on network packet metadata so as to detect malicious traffic. The software was previously launched in June 2017 but it has remained in private preview ever since because only enterprises were able to use it.
Now, Cisco has released its general version, which is available on current and former generation data center network hardware and most of Cisco’s enterprise routing platforms such as Cloud Services Routers, Integrated Services Router, and its branch office router are compatible with it.
The revamped ETA can now aid enterprises in inspecting encrypted malicious traffic as well without needing to decrypt it. In simple words, ETA is able to perform passive monitoring to infer content from encrypted traffic instead of opening and inspecting the content.
The software would make it easier to detect malicious traffic since cybercriminals have reached such a high level of skills where they can use encryption to hide C&C communications, payloads, data exfiltration and similar other activities from being detected.
Conventional malware detection software is unable to detect encrypted malicious traffic without decrypting it first, which is a not only complicated task but also compromises the privacy of non-malicious encrypted traffic. Given that organizations need to comply with certain data regulations (such as US-CERT prohibits organizations from implementing traffic interception software that compromises TLS security). Therefore, detection of encrypted malicious traffic became a grave issue for companies.
According to the blog post by Scott Harrell, Senior Vice President and General Manager at Cisco “ETA uses network visibility and multi-layer machine learning to look for observable differences between benign and malware traffic.”
With ETA’s arrival organizations can breathe a sigh of relief since the software provides a reliable way to detect and block such threats primarily because it doesn’t need to decrypt for inspecting traffic. It does so by inspecting three features of encrypted data; first is the initial data packet of the network, which stores important data regarding the rest of the encrypted content.
Secondly, it searches for the sequence of packet times and lengths to find clues into traffic content beyond what was identified in the initial packet. The third feature that ETA inspects is the byte distribution process across the packet payloads in the encrypted traffic flow. ETA uses StealthWatch software to compare the metadata of malicious and benign network packets in order to detect encrypted malicious traffic.
ETA can spot malware in encrypted traffic through the research conducted by Cisco to understand the salient difference between the way malicious and benign traffic uses DNS, TLS, and HTTP. Since Cisco offers telemetry services for security, therefore, the administrative and operational costs are fairly low.
Top, featured image via DepositPhotos/FireFix