Cisco has turned research published nearly a year ago into a product it hopes will protect enterprises against malware hidden in encrypted traffic.
As The Register reported in July 2016, a group of Cisco researchers have been working on how to spot dangers entering networks through TLS.
Since you can't see inside encrypted packets (unless you proxy the connection for decryption, a solution troubling both from privacy and security viewpoints), the paper's authors (Blake Anderson, Subharthi Paul and David McGrew) looked for malware signatures in those parts of the traffic that's not encrypted – TLS negotiation packets like
serverHello among them.
Flow metadata, the sequences of packet length and time, and byte distribution also contributed to malware fingerprinting.
That academic work, or something an awful lot like it, has now appeared in a product as Encrypted Traffic Analysis (ETA), which watches three characteristics that Cisco says provide enough information to spot malware. Those three factors are:
- The initial data packet in the connection;
- The sequence of packet lengths and times, which Cisco's post says “offers vital clues into traffic contents beyond the beginning of the encrypted flow”; and
- Byte distribution across packet payloads within a flow, a detection process that improves over time, because it helps build machine learning models.
The first ETA offering uses NetFlow information from Cisco's Catalyst 9000 switches and its 4000 series Integrated Services Routers, integrated with Cisco StealthWatch security analytics.
Swichzilla says its newest silicon means ETA can run without hogging resources and slowing traffic. ®