Why It's Okay to Be Underwhelmed by Cisco ETA

June 26, 2017
Oliver Tavakoli
Chief Technology Officer, Vectra AI
Why It's Okay to Be Underwhelmed by Cisco ETA

Cisco recently announced the term “intent-based networking” in a press release that pushes the idea that networks need to be more intuitive. One element of that intuition is for networks to be more secure without requiring a lot of heavy lifting by local network security professionals. And a featured part of that strategy is Cisco ETA:

"Cisco's Encrypted Traffic Analytics solves a network security challenge previously thought to be unsolvable," said David Goeckeler, senior vice president and general manager of networking and security. "ETA uses Cisco's Talos cyber intelligence to detect known attack signatures even in encrypted traffic, helping to ensure security while maintaining privacy."

I’m always intrigued (and quite often amused) by the claim that an unsolvable problem has been solved. So, let’s dig into how Cisco ETA is constructed:

  • Take lots malware samples which are already classified into malware families and labeled to reflect this classification
  • Run each one in a sandbox for 5 minutes
  • Capture the traffic the samples emit
  • Isolate the TLS-encrypted sessions from among the traffic
  • Extract information about these sessions from their TLS handshakes – there is a Client Hello sent from client to server and a Server Hello (including a server certificate) with which the server responds
  • Extract information about the ebb and flow of data (size of the packets, time delays between packets, bytes present in the packets, etc.) in the session
  • Take features from (5) and (6) and use them to train a model to create mappings from this data to the families of malware in (1)

We welcome Cisco’s steps to build metadata extraction natively into the network and applaud their efforts to apply machine learning to it to detect threats. This is something that we’ve been deploying into customer networks for years, and we have seen the benefits that it can provide when done right (and wrong – since we’ve certainly had our stumbles along the way). Maybe not surprisingly—this stuff is hard—Cisco’s initial steps into this space are a bit underwhelming.

There are undoubtedly some novel approaches in the feature selection and machine learning techniques employed in Cisco ETA. But the overall idea of using session metadata to create precise signatures for malware communications feels like a rewind, taking us back to the release of the first signature-based IDS, circa 1995. Assuming it is successful with the current generation of malware, it will take little time for malware developers to change their encrypted communications in easy ways that evade this form of detection. The changes the attackers would make are pretty obvious:

  • Use standard forms of current crypto even if you don’t need protections afforded by it
  • Don’t make your certificate look obviously bad (hint: copy a standard cert from a popular website and use it as a template for your certificate)
  • Randomize the traffic inside your TLS connection by periodically throwing in some extra traffic and varying the timing of communication and the size of requests and responses

And then the cat-and-mouse game begins again. Except now Cisco will need to collect large volumes of samples in an attempt to retrain ETA. And then the attackers can quickly break it again.

Unlike most machine learning applications, cyber security involves matching wits with an intelligent adversary who will adjust to the defender’s capabilities. For this reason, our application of machine learning against network-extracted metadata focuses on finding durable patterns of behavior that would require fundamental changes in attacker methodologies to counter.

One example is External Remote Access, a model that Vectra shipped over two years ago to find the fundamental pattern of humans controlling systems from outside the network. It works independent of the attacker’s tool, and whether or not the traffic is encrypted. Last year when ShadowBrokers leaked the nOpen RAT, the Vectra model detected attempts to use it without any changes required. Turns out that inventing entirely new attack methodologies is much harder than changing superficial patterns of communication.

Deploying ETA won’t be simple or cheap either. ETA will require either an upgrade to new network switches or the deployment of flow sensors. Switches are a revenue mainstay and profit generator for Cisco, so tying new security functionality to switching doesn’t come as a surprise. Upgrades take time and are disruptive, and in this case all that money will likely deliver 1990s-level security functionality.

If you want an alternative that can provide a 29X reduction in security operations workload for a fraction of the cost of a switch upgrade, contact us for a demo.