
Cisco Cognitive Threat Analytics (CTA)

Product
Developers: Cisco Systems
Release date: 2016
Technology: Firewall


Attackers invent ever more sophisticated methods of compromising organizations' security systems in order to reach the network segments and critical data they are after, including know-how and financial and commercial information. Cyber threats have become so complex that perimeter defense alone is no longer enough.

In Cisco's information security report, the company's researchers analyzed threats and studied the most dangerous trends in the exploitation of vulnerabilities, attack vectors and attack methods. For example, malicious browser extensions are usually not regarded as a serious threat. However, according to the report, more than 85% of the organizations studied were affected by them. Such extensions can therefore be a serious source of data leakage.

Detecting malicious software, adware included, and stopping the data leakage it causes requires multi-layer information security (IS) systems. New detection methodologies are needed that can trace and analyze web traffic and help cybersecurity specialists identify new sources of threats and attack methods more quickly.

Cisco Cognitive Threat Analytics (CTA) is a cloud service that detects vulnerabilities in a security system, malware and other threats inside protected networks by performing statistical analysis of network traffic. CTA improves the process of identifying and blocking threats, revealing symptoms of infection by malicious code or of data leakage through behavior analysis and anomaly detection. CTA uses modern statistical modeling and machine learning methods that allow it to find new threats on its own and to learn and adapt over time.

CTA analyzes more than 10 billion web requests daily and finds malware that was missed by security controls or entered the system through uncontrolled channels (for example, removable media). The service operates within the organization's production environment, answering the following questions in nanoseconds:

  • Is such traffic typical for this website?
  • Are the source and the destination trustworthy?
  • Do other users in the organization contact this destination?
  • Have these devices communicated with each other before?
  • Do they use applications for anonymous connection (for example, Tor)?
  • Are any files being transferred, and what is their size?

Thanks to a number of analytical techniques, CTA detects different types of abnormal traffic:

  • Data theft. CTA uses statistical modeling of the organization's network to identify abnormal web traffic and reveal theft of confidential data. CTA recognizes it in HTTPS traffic even without decrypting it.
  • Domain generation algorithms. Attackers generate an arbitrary number of domain names so that they are not detected and do not end up on blacklists of malware hosts. CTA recognizes malicious and obfuscated domain names generated from a dictionary by analyzing connection frequency, header contents and hundreds of other parameters of each HTTP/HTTPS request.
  • Exploit kits. CTA analyzes web requests and detects infection at the following stages:
    • a visit to a malicious web page;
    • redirection to an exploit-kit domain;
    • download of an exploit without the user's knowledge;
    • successful exploitation of a vulnerability;
    • download of the exploit's payload.

  • Tunneling through HTTP/HTTPS requests. Attackers often try to cover their tracks and exfiltrate confidential data (including account credentials) through HTTP/HTTPS requests to their servers. CTA uses complex indicators of compromise (IoC) that help compare detailed global and local statistics. This makes it possible to determine reliably what purpose the tunneling serves.
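As an added illustration (not Cisco's code and not CTA's actual algorithm), the following Python script shows the kind of signal that the domain-generation check and the "do other users in the organization contact this destination?" question above rely on: it scores each contacted domain by the character entropy of its registered label and by how many clients in the organization talk to it, and flags a client that bursts to several rare, random-looking names. The proxy log lines, thresholds and function names are all constructed for this example.

```python
import math
from collections import Counter, defaultdict

# Constructed sample web-proxy log (not real data): "<client_ip> <host> <bytes_out>"
SAMPLE_LOG = """\
10.0.0.5 www.cisco.com 1200
10.0.0.7 www.cisco.com 900
10.0.0.9 update.microsoft.com 3400
10.0.0.5 xk3j9qv2lmz8dpw.net 310
10.0.0.5 q7hb2zvx0p4ytr1.net 305
10.0.0.5 v9c1wksjd6nqa2e.net 298
10.0.0.7 cdn.example.org 2100
"""

def shannon_entropy(s):
    """Bits per character: random-looking labels score high, dictionary words score low."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def registered_label(host):
    """Second-level label, e.g. 'cisco' for 'www.cisco.com' (naive: no public-suffix list)."""
    labels = host.lower().strip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]

def parse_log(text):
    """Parse the constructed three-column format into (client, host, bytes_out) tuples."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[2].isdigit():
            events.append((parts[0], parts[1], int(parts[2])))
    return events

def find_dga_clients(events, entropy_threshold=3.5, max_peers=1, min_burst=3):
    """Return {client: [hosts]} for clients that burst to several rare, high-entropy domains.

    One odd domain is weak evidence; the combination (many candidate names, each
    contacted by almost nobody else in the organization) is what stands out.
    """
    peers = defaultdict(set)           # host -> clients that contacted it (local prevalence)
    for client, host, _ in events:
        peers[host].add(client)
    candidates = defaultdict(set)
    for client, host, _ in events:
        if shannon_entropy(registered_label(host)) >= entropy_threshold and len(peers[host]) <= max_peers:
            candidates[client].add(host)
    return {c: sorted(h) for c, h in candidates.items() if len(h) >= min_burst}

if __name__ == "__main__":
    for client, hosts in find_dga_clients(parse_log(SAMPLE_LOG)).items():
        print(f"{client}: {len(hosts)} DGA-like domains -> {hosts}")
```

A real deployment would tune the thresholds per organization and combine this with the header and frequency features the text mentions; on its own the entropy test also misses dictionary-based DGAs.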

Earlier the service could be used only within Cisco Cloud Web Security, but since February 2016 it has been available under an optional license for the Cisco Web Security Appliance and as a standalone product. CTA requires no installation of special hardware or software. After collecting baseline network statistics, CTA reveals infected devices in just a few hours. On average, in a company of 5,000 employees we detect 45 infected devices per week.