UPDATED 14:02 EDT / FEBRUARY 11 2019

SECURITY

Telemetry and machine learning provide foundation for Cisco’s cyberattack defense

Ransomware is so 2018.

As online criminals have realized that ransomware didn’t yield a recurring revenue stream, they have turned instead to cryptojacking: hijacking victims’ computing resources, often through massive botnets, to mine cryptocurrency for the attacker. This land grab of networks has proven difficult to stop or even detect because cryptomining code can run in the background with hapless users not suspecting a thing.

Evidence is piling up that cryptojacking has shot up the hacking pop charts. AdGuard Software Ltd. has documented 31 percent growth in in-browser cryptojacking, and Check Point Software Technologies Ltd. noted that 40 percent of the top malware it had discovered was running cryptomining operations.

Engineers at Cisco Systems Inc. have been working on an intriguing approach to detect network attacks faster and more accurately, driven by a sense of urgency as cryptojacking grows and enterprise traffic is, out of necessity, encrypted nearly end to end. Traffic that can no longer be inspected in the clear has made detecting malware and attacks more difficult, so security researchers have to get creative.

It starts with basic economics. “If I can make it more expensive for criminals to hide and operate, then I’m doing my job,” said TK Keanini (pictured), distinguished engineer and product line chief technology officer of analytics at Cisco. “That means not only using techniques of the past, but developing new techniques.”

Keanini spoke with John Furrier (@furrier) and Dave Vellante (@dvellante), co-hosts of theCUBE, SiliconANGLE Media’s mobile livestreaming studio, during the recent Cisco Live event in Barcelona, Spain. They discussed Cisco’s plan to disrupt malicious activity, the use of data analytics to identify attacks, and the importance of DevOps and a recent revision of a core Web security protocol in defending networks. (* Disclosure below.)

This week, theCUBE features TK Keanini as its Guest of the Week.

Encryption complicates inspection

In the case of cryptojacking, the challenge is to defend against malware that is sophisticated and can take command of systems in multiple ways. A report by the Cyber Threat Alliance detailed how one variant stole Windows credentials and then leveraged built-in instrumentation tools to spread rapidly. Another cryptojacking investigation, by Comodo Group, found the use of a PowerShell script to inject malware into a running process.

Detection is complicated, too, because enterprises have gone to great lengths to encrypt their traffic, so decrypting it at scale in order to look for intrusions won’t fly.

“We have to now infer malicious activity from behavior because the direct inspection is no longer available,” Keanini said. “We came up with a technique called encrypted traffic analytics.”

Cisco’s solution is baked into what Keanini described as a “three-layered cake” whose ingredients are telemetry, analytics and analytical outcome. Taking the broader view of the network as one large sensor, routers and switches export rich telemetry, metadata about flows rather than their contents, that can be used to infer malicious activity without decryption.

Machine learning targets malware

Using machine learning to train on all of this rich data, security engineers can build a more useful picture of what malicious actors may be doing on the network based on the shape and size of traffic metadata over time: packet lengths, directions and timing rather than payloads.

“I can model on that timing, and this is where machine learning comes in,” Keanini explained. “I can train on all this data and determine if the malware looks like this at minute five, minute 10, minute 15, and if I see that exact mathematically precise behavior on your network, I can infer that’s the same malware.”
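As an added illustration of the behavioural-matching idea Keanini describes (example code written for this article, not Cisco’s Encrypted Traffic Analytics implementation, whose models and features are not published here): the Python below takes the per-packet metadata a flow exporter can see without decrypting anything, lengths, directions and inter-arrival times, turns each flow into a compact statistical fingerprint, and compares it with reference profiles. The bin edges, the threshold, the profile names and the constructed beacon and download flows are all hypothetical; a production system learns its profiles from labelled traffic rather than hard-coding them.

```python
# Behavioural matching of encrypted flows from packet metadata only.
# Added example with constructed data and hypothetical thresholds; not Cisco's
# ETA code. Nothing here inspects payloads: only lengths, directions and timing.
from typing import Dict, List, Sequence, Tuple

# One packet record: (seconds since flow start, bytes on the wire, direction),
# direction +1 for client->server and -1 for server->client.
Packet = Tuple[float, int, int]
Features = Tuple[Dict[Tuple, float], Dict[int, float]]

LEN_EDGES = (150, 300, 600, 1000)     # packet-length bin upper edges (hypothetical)
IAT_EDGES = (0.1, 1.0, 10.0, 120.0)   # inter-arrival-time bin upper edges (hypothetical)

def bucket(value: float, edges: Sequence[float]) -> int:
    """Index of the first bin whose upper edge exceeds value; last bin is open-ended."""
    for i, edge in enumerate(edges):
        if value < edge:
            return i
    return len(edges)

def state(pkt: Packet) -> Tuple[int, int]:
    """A packet's state for the transition model: (direction, length bin)."""
    _, length, direction = pkt
    return (direction, bucket(length, LEN_EDGES))

def flow_features(flow: Sequence[Packet]) -> Features:
    """Normalised state-to-state transition frequencies plus a normalised
    inter-arrival-time histogram: enough to separate a periodic beacon
    from a bulk download without looking at a single payload byte."""
    transitions: Dict[Tuple, float] = {}
    iat: Dict[int, float] = {}
    for prev, cur in zip(flow, flow[1:]):
        key = (state(prev), state(cur))
        transitions[key] = transitions.get(key, 0) + 1
        gap = bucket(cur[0] - prev[0], IAT_EDGES)
        iat[gap] = iat.get(gap, 0) + 1
    n = max(len(flow) - 1, 1)
    return ({k: v / n for k, v in transitions.items()},
            {k: v / n for k, v in iat.items()})

def l1(a: Dict, b: Dict) -> float:
    return sum(abs(a.get(k, 0.0) - b.get(k, 0.0)) for k in set(a) | set(b))

def distance(f1: Features, f2: Features) -> float:
    return l1(f1[0], f2[0]) + l1(f1[1], f2[1])

def classify(flow: Sequence[Packet], profiles: Dict[str, Sequence[Packet]],
             threshold: float = 0.5) -> Tuple[str, float]:
    """Nearest reference profile and its distance; 'unknown' if nothing is
    within threshold, 'too-short' if the flow has no transitions to model."""
    if len(flow) < 2:
        return ("too-short", float("inf"))
    feats = flow_features(flow)
    best, best_d = "unknown", float("inf")
    for name, ref in profiles.items():
        d = distance(feats, flow_features(ref))
        if d < best_d:
            best, best_d = name, d
    return (best if best_d <= threshold else "unknown", best_d)

def periodic_beacon(rounds: int, period: float, req: int, resp: int) -> List[Packet]:
    """Constructed flow: small request, small reply, long silence, repeat."""
    flow: List[Packet] = []
    for k in range(rounds):
        flow.append((k * period, req, +1))
        flow.append((k * period + 0.05, resp, -1))
    return flow

def bulk_download(rounds: int, gap: float, req: int, chunks: int, chunk: int) -> List[Packet]:
    """Constructed flow: one request, a burst of full-size responses, repeat."""
    flow: List[Packet] = []
    for r in range(rounds):
        t = r * gap
        flow.append((t, req, +1))
        for j in range(chunks):
            flow.append((t + 0.01 * (j + 1), chunk, -1))
    return flow

# Reference profiles (constructed; a real system learns these from labelled traffic).
PROFILES: Dict[str, Sequence[Packet]] = {
    "beacon": periodic_beacon(rounds=20, period=60.0, req=120, resp=200),
    "bulk-download": bulk_download(rounds=5, gap=2.0, req=500, chunks=10, chunk=1400),
}

# Constructed flows to classify: a jittered beacon, a download with different
# sizes and pacing, and an alternating full-size pattern unlike either profile.
SAMPLE_BEACON_LIKE = periodic_beacon(rounds=10, period=61.0, req=130, resp=210)
SAMPLE_DOWNLOAD_LIKE = bulk_download(rounds=3, gap=1.5, req=450, chunks=8, chunk=1300)
SAMPLE_UNKNOWN = [(5.0 * i, 1400, +1 if i % 2 == 0 else -1) for i in range(12)]

if __name__ == "__main__":
    for label, flow in (("beacon-like", SAMPLE_BEACON_LIKE),
                        ("download-like", SAMPLE_DOWNLOAD_LIKE), ("odd", SAMPLE_UNKNOWN)):
        print(label, classify(flow, PROFILES))
```

The bin edges and the threshold are the weak point of any hand-built version of this: too loose and a download starts to look like a beacon, too tight and the same malware with a little jitter slips past. That tuning, over far more features than two, is what the machine-learning step Keanini describes replaces.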

How does Cisco do this without decryption? Keanini was careful not to give away too many details on this subject, but he did offer one brief explanation.

“All encrypted traffic starts out unencrypted,” he stated. “It’s a very small percentage, but everything in that startup is visible.”
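To make that “visible startup” concrete, here is an added example written for this article rather than Cisco’s code: it constructs a TLS 1.3-capable ClientHello (the first message a client sends, in the clear even when everything after the handshake is encrypted), parses the fields a passive sensor can read from it, and reduces them to a JA3-style fingerprint, the scheme published by Salesforce, reimplemented here in simplified form. The server name, cipher suites, groups and extension values are constructed sample data, and the field layouts follow RFC 5246 and RFC 8446.

```python
# Parse the plaintext start of a TLS connection: the ClientHello.
# Added example, not Cisco's code. The record is constructed in-line so the
# script runs offline; a real sensor would read it off the wire.
import hashlib
import struct
from typing import Dict, List, Sequence

def is_grease(value: int) -> bool:
    """RFC 8701 GREASE values (0x0a0a, 0x1a1a, ...) are deliberate noise, not signal."""
    return (value & 0x0F0F) == 0x0A0A and (value >> 8) == (value & 0xFF)

def build_client_hello(sni: str, cipher_suites: Sequence[int]) -> bytes:
    """Constructed ClientHello with server_name, supported_groups,
    ec_point_formats and supported_versions extensions (values hypothetical)."""
    body = b"\x03\x03" + bytes(32) + b"\x00"  # legacy_version, random (zeroed only for determinism), empty session id
    suites = b"".join(struct.pack(">H", s) for s in cipher_suites)
    body += struct.pack(">H", len(suites)) + suites
    body += b"\x01\x00"                        # one compression method: null
    name = sni.encode("ascii")
    entry = b"\x00" + struct.pack(">H", len(name)) + name                    # host_name entry
    ext = struct.pack(">HH", 0, len(entry) + 2) + struct.pack(">H", len(entry)) + entry
    groups = struct.pack(">HHH", 4, 0x001D, 0x0017)                          # x25519, secp256r1
    ext += struct.pack(">HH", 10, len(groups)) + groups
    ext += struct.pack(">HH", 11, 2) + b"\x01\x00"                           # uncompressed points
    versions = b"\x04\x03\x04\x03\x03"                                       # TLS 1.3, TLS 1.2
    ext += struct.pack(">HH", 43, len(versions)) + versions
    body += struct.pack(">H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body                # type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake   # handshake record

def u16_list(data: bytes, start: int, end: int) -> List[int]:
    return [struct.unpack(">H", data[i:i + 2])[0] for i in range(start, end, 2)]

def parse_client_hello(record: bytes) -> Dict:
    """Extract what a passive sensor can read before encryption starts."""
    if len(record) < 9 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack(">H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) != rec_len or not hs or hs[0] != 0x01:
        raise ValueError("truncated record or not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated ClientHello")
    p = 0
    version = struct.unpack(">H", body[p:p + 2])[0]; p += 2
    p += 32                                    # client random
    p += 1 + body[p]                           # session id
    cs_len = struct.unpack(">H", body[p:p + 2])[0]; p += 2
    suites = u16_list(body, p, p + cs_len); p += cs_len
    p += 1 + body[p]                           # compression methods
    info: Dict = {"version": version, "cipher_suites": suites, "extensions": [],
                  "sni": None, "groups": [], "point_formats": [], "supported_versions": []}
    if p + 2 <= len(body):
        ext_len = struct.unpack(">H", body[p:p + 2])[0]; p += 2
        end = min(p + ext_len, len(body))
        while p + 4 <= end:
            etype, elen = struct.unpack(">HH", body[p:p + 4]); p += 4
            data = body[p:p + elen]; p += elen
            info["extensions"].append(etype)
            if etype == 0 and len(data) >= 5:                  # server_name
                n = struct.unpack(">H", data[3:5])[0]
                info["sni"] = data[5:5 + n].decode("ascii", "replace")
            elif etype == 10 and len(data) >= 2:               # supported_groups
                info["groups"] = u16_list(data, 2, 2 + struct.unpack(">H", data[:2])[0])
            elif etype == 11 and len(data) >= 1:               # ec_point_formats
                info["point_formats"] = list(data[1:1 + data[0]])
            elif etype == 43 and len(data) >= 1:               # supported_versions
                info["supported_versions"] = u16_list(data, 1, 1 + data[0])
    return info

def ja3_string(info: Dict) -> str:
    """JA3-style input: version,ciphers,extensions,groups,formats, GREASE dropped."""
    def join(vals: Sequence[int]) -> str:
        return "-".join(str(v) for v in vals if not is_grease(v))
    return ",".join([str(info["version"]), join(info["cipher_suites"]), join(info["extensions"]),
                     join(info["groups"]), "-".join(str(v) for v in info["point_formats"])])

def ja3_hash(info: Dict) -> str:
    return hashlib.md5(ja3_string(info).encode()).hexdigest()

# Constructed sample: TLS 1.3 suites plus one GREASE value, as modern browsers send.
SAMPLE_HELLO = build_client_hello("example.com", [0x0A0A, 0x1301, 0x1302, 0xC02B])

if __name__ == "__main__":
    parsed = parse_client_hello(SAMPLE_HELLO)
    print(parsed["sni"], [hex(c) for c in parsed["cipher_suites"]], ja3_string(parsed), ja3_hash(parsed))
```

A fingerprint like this identifies the client software that opened a connection, not its intent; the same is true of the behavioural features Keanini describes, which is why both are inputs to a classifier rather than verdicts on their own. The client random is zeroed above purely to keep the sample deterministic; real clients must send 32 random bytes.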

Network defenders gain speed

There are two tailwinds providing some support for Keanini’s work in the security arena. One is DevOps: the practice of defining networks and infrastructure as code and pushing operational changes far faster than before.

Keanini frames that speed in terms of the “OODA loop.” Conceived by United States Air Force Colonel John Boyd to describe decision-making in air combat, the acronym stands for Observe-Orient-Decide-Act. The faster one side cycles through the loop, the more disoriented its adversary becomes.

OODA can now be applied in cybersecurity to neutralize the bad actors. “The speed of DevOps has really brought this to defenders,” Keanini said. “They can essentially push code and reorient themselves in a cycle that’s frankly too small of a window for the adversary to get their bearings. You create a knowledge margin by which they’re disoriented.”

The other factor benefiting the security community is the publication last year of version 1.3 of Transport Layer Security, or TLS, as RFC 8446. The protocol plays a fundamental role in securing internet connectivity, and the new version dropped a fair amount of obsolete cryptography, including legacy cipher suites and key exchanges without forward secrecy. One caveat for the approach described above: TLS 1.3 also encrypts more of the handshake than earlier versions, the server certificate among other things, so the unencrypted startup Keanini relies on shrinks, although the client’s opening message, with its cipher suite list and server name indication, remains readable.

“It is faster; it is stronger. It’s just better,” Keanini said.

Behind Cisco’s approach to security and Keanini’s work is a basic belief that we are now at a point where attackers have the resources and knowledge to direct specific attacks with clear purpose and mask their presence while doing so. The solution is to combine the right telemetry with machine learning classifiers and give an adversary a taste of their own medicine.

In a blog post last year, Keanini summarized this philosophy with a hunting metaphor, casting the attacker as a bear in the woods. “We will play the same game and target that bear like they have never been targeted before,” Keanini wrote.

It’s eat or be eaten in the cybersecurity world these days. Perhaps the security community can finally turn today’s attackers into the main course.

Watch the complete video interview below, and be sure to check out more of SiliconANGLE’s and theCUBE’s coverage of the Cisco Live event. (* Disclosure: Cisco Systems Inc. sponsored this segment of theCUBE. Neither Cisco nor other sponsors have editorial control over content on theCUBE or SiliconANGLE.)

Photo: SiliconANGLE
