back to article Cisco can now sniff out malware inside encrypted traffic

Cisco has switched on latent features in its recent campus and office routers and switches, plus a cloud service, that together make it possible to detect the fingerprints of malware in encrypted traffic. Switchzilla has not made a dent in transport layer security (TLS) to make this possible. Instead, as we reported in July …

  1. Christian Berger

    Yes, there are concepts for that...

    ... but no, they don't really work against malware.

    Essentially the idea is that you could fingerprint certain traffic patterns, just like you can fingerprint the HTTP-requests going out from visiting a website. That way you can, for example, determine what Google-Maps place people are looking at....

    However we are talking about malware here. The attacker will just get one of those systems and tweak their malware until it won't get detected anymore. Or they will randomize and adapt their traffic so much, there is no way to differentiate it from normal web traffic.

    So as with many such ideas, it's great for any oppressive government, but rather useless for security.

    1. DropBear

      Re: Yes, there are concepts for that...

      I think it's a bit like a fancy, "extra secure" lock on your door - will it keep out 100% of burglars and be un-defeatable? Hell no. Will it rise the difficulty of entry beyond what typical burglars are willing to deal with? Probably yes...

      1. Charles 9

        Re: Yes, there are concepts for that...

        Problem is, in cyberspace, burglars tend to blog their exploits, meaning newcomers come in already at a certain level of skill which keeps rising. That said, it can be tricky to obfuscate destination packets (masking post destinations) without getting proxies and the like fingered unless you've previously compromised legitimate sites for it.

        1. Christian Berger

          Re: Yes, there are concepts for that...

          "Problem is, in cyberspace, burglars tend to blog their exploits,"

          Actually one of the first things you learn at any decent cyber security course is how to circumvent malware scanners. It's something we teach early on to make sure they understand that those solutions cannot work.

          1. Charles 9

            Re: Yes, there are concepts for that...

            That's what I mean. They don't conceal their techniques but pass them on to newcomers, raising the baseline knowledge. Sort of like how in WW2 the US would send pilots who survived their tours home to teach what they knew to the new pilots so they would be going in already with some useful knowledge.

            1. DropBear

              Re: Yes, there are concepts for that...

              I don't think the ease of access to the required extra knowledge is the relevant issue, but rather the typical required level of effort - It doesn't matter if circumventing your lock would only require "level 11" effort instead of "level 10", if most locks can be bypassed at 10; most crooks just won't bother making the extra effort if 10 gets them where they want to go most of the time. Not that I think this offers much serious protection; but I don't think it's flat-out useless either as long as it's not the single thing you rely on for protection and as long as the average level of malware doesn't include randomization of traffic as standard feature (it might already for all I know). Rather like obscurity - it's piss-poor security by itself, but that doesn't mean it isn't useful all else being equal.

              1. Christian Berger

                Re: Yes, there are concepts for that...

                "the typical required level of effort"

                We are talking about software here, not locks. You only need to put in the effort once. Compared to the other efforts you need to put in (like writing a CNC-Server, designing protocols, etc) this is only a tiny amount of extra effort, and no extra effort per use. It's just a minor change to a tool.

                The "lock" analogy is rather bad here, as with locks you have a few generic tools which require lots of effort per use, with IT security it's usually the other way round, all the effort goes into making those tools, using them is comparatively simple.

                1. h4rm0ny

                  Re: Yes, there are concepts for that...

                  No, I get what they're saying. They're not arguing that it's not possible to spread knowledge of how to beat the extra layer of security easily. They're saying that if you stand out from the crowd in terms of security, you'll be in that group that people don't bother going to the extra effort for. Like how there is a tonne of malware for Windows but less (at least the user-focused kind) for GNU/Linux. It's not because GNU/Linux can't be compromised it's because why go to the extra effort to get a few more systems when you're best directing your efforts to the large majority. If you have "Security Level 11" and everyone else has "Security Level 10", you've effectively created your own little microcosm of the same effect.

                  The worthwhileness of spreading around and implementing that extra knowledge only applies if the security measures are spread around and implemented. Otherwise it's extra work for small gain.

                  1. Anonymous Coward
                    Anonymous Coward

                    Re: Yes, there are concepts for that...

                    Except it can have the opposite effect, too. If you're the only one with Level 11, why are you going the extra mile? It paints you as a high-value target, meaning hackers may single you out thinking you have stuff worth taking the effort.

          2. Amos1

            Re: Yes, there are concepts for that...

            On a recent internal penetration test the red team worked for two weeks and the company's fancy dancy Intrusion Detection System, which we shall refer to by its code name of SnortFire, missed 100% of the activity.

            Why? Apparently they saw a job posting for someone with skills on that system so they just proactively evaded it. Double why it missed everything? Because the vendor's own people told the company that many of its detections had to be disabled because they were too "performance-impacting".

            If a company really wants to improve their security, they need to get rid of the well-liked 20-year tenure managers who have let their skills and training erode to the point where all of their recommendations sound great to the uneducated but in reality are worse than useless. They'll also save a buttload of money.

            1. Charles 9

              Re: Yes, there are concepts for that...

              "If a company really wants to improve their security, they need to get rid of the well-liked 20-year tenure managers who have let their skills and training erode to the point where all of their recommendations sound great to the uneducated but in reality are worse than useless. They'll also save a buttload of money."

              Except that's usually due to them being on the board and over your head. Suggesting getting rid of them short of a shareholder revolt is considered suicide.

          3. Dinsdale247

            Re: Yes, there are concepts for that...

            Cisco says "Who F'ing cares if it doesn't work? We just convinced hundreds of thousands of business to send their traffic through our servers and they've all signed agreements to LET us analyze their data."

            CHA-CHING!

        2. Amos1

          Re: Yes, there are concepts for that...

          "... unless you've previously compromised legitimate sites for it."

          And according to our proxy, a LOT of attackers have gone that route. The vendor's block page says "Compromised Site" so we changed the wording to "This website has been HACKED!" and we still get maroons complaining that they HAVE to get to that site for some kind of obviously personal business. We tell them they'll need to do it from their phone or home computer. That should tie them up for hours getting that mess cleaned up and thus out of our hair. Darwin's First Law of Computer Users, I guess.

      2. Christian Berger

        Re: Yes, there are concepts for that...

        "Will it rise the difficulty of entry beyond what typical burglars are willing to deal with?"

        Well actually probably not, because it's not much effort to randomize your traffic. Essentially it's a few random sleeps here and there and some calls to random() instead of using constant values. It takes maybe 10 minutes to circumvert such a problem, and it'll probably take days for companies like Cisco to catch up.

        This is not "one lock" you need to stand 10 minutes in front of, this is 10 minutes for a solution which works globally.

    2. The Man Who Fell To Earth Silver badge

      Re: Yes, there are concepts for that...

      "Those devices can’t do the job alone: users need to be signed up for Cisco’s StealthWatch service and let traffic from their kit flow to a cloud-based analytics service that inspects traffic and uses self-improving machine learning algorithms to spot dodgy traffic."

      My experience running software through Virus Total is that the so-called AI machine learning antivirus companies have enormous false positive rates compared to the others, plus a lot of the AI AV vendors don't have a false positive submission procedure (or don't have one unless you are a customer).

      Good luck with that, Cisco.

      1. Muscleguy

        Re: Yes, there are concepts for that...

        Indeed, I recently on a curiosity escapade downloaded an adware detection app to my Android phone. It proceeded to finger every single app which could send messages to the taskbar. It found no malware. It is pretty obvious what it was set to look for. I want WhatsApp and the Calendar and XKCD etc to put notifications up. I chose that.

    3. JLV

      Re: Yes, there are concepts for that...

      Personally, if they want to be fancy, how about scanning database accesses for unusual patterns like "select * from personal_id_table;", for an unusual type of access. Some of those must have been churning through Equifax networks back in the days.

      1. J. Cook Silver badge
        Boffin

        Re: Yes, there are concepts for that...

        that requires setting up full auditing on the database servers, which usually are dealing with a good load already; having it log every single query and transaction puts a fairly good dent in performance, not to mention that you will then need to put all that extra data somewhere, run an analysis against that data set to look for those patterns, eliminate false positives (admins checking things, poorly designed applications inflicting brute force and ignorance queries on the engine, etc.) and then look at the 'interesting' ones closer.

        that can be a significant amount of overhead for what may essentially be nothing.

        I'm not saying that it's not possible, I'm saying that it's expensive.

  2. Craigie

    Hopefully vapourware?

    Can someone explain how, if this works, it isn't a 'very bad thing' for encryption? Surely it should be impossible to compare or there's a hole in your encryption scheme?

    1. Dave 126 Silver badge

      Re: Hopefully vapourware?

      The encryption remains unbroken - this articles headline is ambiguous. The meta-data (who, where, when) gives clues about to the still encrypted and thus unknown 'what'.

    2. Christian Berger

      It's not that hard

      "Can someone explain how, if this works"

      Imagine going do a map service website over https. Your browser will load the tiles from the website over TLS links. In the extreme case of bad HTTP(s) implementations, you create a connection, send your get, and get your tile. Since it's encrypted you don't know what's inside that tile.

      However all those tiles are encoded in JPEG (or PNG) which means that their filessizes differ. Encryption doesn't obscure the filesize so you'll be able to see how big that tile was. Since your browser likely loads tiles from roughly the same location, you can use the file sizes to find out what tiles were loaded.

      With malware the hope is that the malware will always behave predictibly. For example an initial state always loads a secondary stage that is 123532 octets big, then after 3,21 seconds a terciary stage that's 4235431 octets in size. The idea is that if you 2 downloads 3,21 seconds appart of those sizes in succession, you'll have detectet the malware...

      ...obviously that's extremely trivial to circumvent, just add padding or other forms of randomness.

      This is not a new attack for encryption, but a common thing encryption cannot do by itself.

      1. Joe Harrison

        Re: It's not that hard

        I don't care. I understand an attacker using whatever side-channel inference is available, but at the end of the day if I am inside a VPN or otherwise encrypted session and people outside can figure out what I'm doing then I want a fix to that as I don't think it should be happening.

        1. Alister

          Re: It's not that hard

          Using an encrypted tunnel between endpoints (a VPN) is not the same thing as using HTTPS on web connections.

    3. Adam 1

      Re: Hopefully vapourware?

      You can do broad stroke heuristics. How many connections are attempted, where are they destined, how big is the payload, how long between connects, what ports are used, and the sorts of DNS queries these things make.

    4. Dinsdale247

      Re: Hopefully vapourware?

      You don't have to break the encryption to know enough to make informed decisions about the traffic.

      https://www.theregister.co.uk/2016/01/27/nsa_loves_it_when_you_use_pgp/

      (doesn't fit on one line, concatinate these two)

      https://www.theregister.co.uk/2016/01/27/

      nsa_loves_it_when_you_use_pgp/

      Just because you encrypt the message doesn't mean they can't track you down and as the article above states, encryption makes your traffic stand out like a massive billboard. The truth is, when it comes to encryption and online security, most people will put a big padlock on their front door and then unknowingly leave all their windows open.

      So great, use encryption. Did you surf Facebook on the same computer you sent sneaky encrypted traffic from? Ooops, got ya!

      Did you upload something to Google Drive and then forget to sign out before you opened your VPN? Ooops got ya!

      The list is endless, and if you're mom uses the a computer on the same network as you do... Oooops, got ya! (Only one external IP address...)

  3. James12345

    So you need to double the bandwidth but don't actually stop it?

    You need one chunk of bandwidth to download and then an equal amount to upload to Cisco. Then there is a delay while it gets processed at that remote location - what happens when Cisco say you just let in some malware a few seconds ago? Isn't this just letting you know you have a cleanup job a bit earlier than you would otherwise have known?

    If this concept does work and can't be defeated by randomisation, wouldn't it be better for Cisco just to run the service as some sort of proxy, so you only download once after it is checked, and block the malware before it gets to you?

    1. Christian Berger

      Well Cisco wants to make more money

      Obviously you cannot get richt just by selling those (probably already overpriced) products. You can get way more money by selling customers data.

  4. Wolfclaw
    Big Brother

    Image what US spooks will do with this research ?

    1. Christian Berger

      They are already using it for decades.

      Traffic analysis, even of encrypted traffic has been done for decades if not centuries. Workarounds for it also have been deployed for those times. A good example are "number stations". Those broadcast messages encrypted as numbers. If they would broadcast only when something has happened, the opponent could determine the amount of "chatter". Therefore they broadcast at precise schedules.

      A simmilar thing has been done during the cold war. You make a passenger plane steer a bit into enemy country, then look at where you suddenly get radar pulses from you previously didn't. Those are previously hidden radar stations. If your enemy is rather stupid you can even find new radio communications links being established.

      1. Aitor 1

        Re: They are already using it for decades.

        And that is how you get passanger planes shotdown for "accidental invasions of airspace".

  5. Norman Nescio Silver badge

    Poor encryption

    As others have pointed out, good encryption is not just about obfuscating the message, but also in removing any information on whether a message is there or not. The intelligence agencies have known for decades about side-channel attacks, and there are plenty of academic papers about breaking encryption by analysing processor power usage, cache usage, clock jitter, audio leakage, and electromagnetic emissions leakage (cf. TEMPEST). Cisco are taking a well known technique and making it easy to use.

    It will be a bit like antibiotics - for a while, this technique will work: but if it is effective at identifying malware, the malware authors will evolve new means of hiding their attacks. Meanwhile, Cisco can make some money.

    I don't know what the heuristics are, but anything as simple as keeping track of message length can be thwarted by adding a random amount of padding before encryption.

  6. Nick Kew

    From reading the article (which confirms prior expectations), this is applying similar principles to spam filtering. It looks for characteristics commonly associated with malware, and aggregates them in a score.

    I'd expect it to have less usable information to work with than spamassassin, but I'm open to having that prejudice challenged.

    That'll make it better than nothing in some situations, but not really much more than that.

  7. Anonymous Coward
    Big Brother

    Remote encrypted traffic bugging in the cloud

    "Cisco’s switched on latent features in its recent routers and switches, plus a cloud service, that together make it possible to detect the fingerprints of malware in encrypted traffic".

    If you can detect patterns in your encrypted traffic then it isn't really encrypted. Or encryption has been diluted by reducing the set of randomness such that decryption would be trivial on a supercomputer. Of course you would need some method of getting the data back to the NSA, sorry I meant to say Cisco.

    "The new tool has applications beyond defence, as it can also detect the encryption applied to traffic. That’s a useful function for organisations that must encrypt traffic to stay on the right side of industry or government regulations."

    Cause if you used real encryption ETA wouldn't work :]

    "ETA’s already present in IOS XE 16.6 and Cisco says 50,000 of its customers have hardware capable of accessing the service today. They'll just need to turn it on and start sending telemetry to Cisco's cloud."

    Is there a method of remotely switching on such a service :]

  8. Nathan 11

    Content Filters?

    Forgive me if I don't understand this correctly, but hasn't every content filter done this for years?

    I've used Websense (Forcepoint) for several years, it has the ability to un-encrypt, analyse, and re-encrypt traffic to see if something is malicious. I know Barracuda also has an appliance that will do the same thing. I think even the Dell SonicWALLs can do it with the appropriate license...

    What am I missing here?

    1. J. Cook Silver badge

      Re: Content Filters?

      If I understand the article correctly, it doesn't perform a MITM attack and looks at the traffic pattern instead of the actual traffic itself. (that's what the websense/Ironport WSA/ barracuda/etc. do when you boil it down.)

      It's annoying as hell, but I'll keep my transparent https proxy; it's saved our bacon quite a few times.

    2. Doctor Syntax Silver badge

      Re: Content Filters?

      "'ve used Websense (Forcepoint) for several years, it has the ability to un-encrypt, analyse, and re-encrypt traffic to see if something is malicious....What am I missing here?"

      That it doesn't do that. it looks at the characteristics of the traffic instead.

  9. Anonymous Coward
    Thumb Down

    Clickbait subtitle

    It doesn't detect anything inside encrypted traffic.

    It uses metadata to characterise TLS traffic.

  10. PyLETS
    Stop

    Just as well it doesn't work all the time

    In the early days of computer viruses when we used to find new ones every other month while providing a PC helpdesk and support service, I used to send samples encrypted against the public key provided by our then anti-virus vendor to said vendor so they could update their products and we could detect and remove them with less work on our part. Obviously I didn't want the malware I was sending our anti-virus vendor to infect anything else within the transmission channel so PGP encryption was a must.

  11. jms222

    Add randomness

    So when malware adds random time delays and payload ?

    1. Anonymous Coward
      Anonymous Coward

      Re: Add randomness

      They still have to send their information somewhere. That's itself a criterium.

      1. Mark 65

        Re: Add randomness

        What's the chance of the Cisco kit having a handy zero-day they could use to help exfiltrate their bounty? Not like their software hasn't been full of holes in the past is it?

  12. sanmigueelbeer
    Unhappy

    IOS-XE 16.6.X

    Yuck. I wouldn't touch 16.6.X with a ten-foot-pole. This is Cisco's "technology" train and it's riddled with bugs that should've been picked up during internal testing but didn't (didn't pick up & didn't undergo internal testing, you choose).

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like