Advanced Threat Detection

This chapter includes the following sections:
• Overview
• Benefits
• CTA Incident
• AMP Incident
Overview

Cisco Cloud Web Security Premium provides additional features that enhance the protection of your network
from advanced cyber threats. Cisco Cloud Web Security Premium adds these two Advanced Threat Detection
(ATD) services to Cisco Cloud Web Security Essentials:
• Cognitive Threat Analytics (CTA)—Cloud-based service that reduces the time to discover threats
operating inside the network. Extends Cisco Cloud Web Security into the after-breach phase of the attack
continuum. Identifies the symptoms of malware infection or data breach using behavioral analysis of
network traffic and anomaly detection. Uses advanced statistical modeling and machine-learning to
identify new threats.
• Advanced Malware Protection (AMP)—Comprehensive service that provides malware detection, inline
blocking, file sandboxing, and continuous analysis with retrospective alerting. Combines file reputation,
behavioral analysis in file sandboxing, and retrospective analysis to identify threats across the attack
CTA and AMP are activated as part of the provisioning process for Cisco Cloud Web Security Premium. No
additional configuration within Cisco ScanCenter is required.
Benefits

• Identifies hosts infected by malware that evaded other security measures.
• Uncovers persistent, complex infections that penetrated other defenses to establish command-and-control
(C&C) channels.
• Reduces time-to-detect and helps you prioritize the investigation of attacks on your network.
Cisco ScanCenter Administrator Guide, Release 5.2
• Provides context information including user identities, threat indicators, descriptions of malicious
behavior, and precision ratings of verdicts.
• Proactively detects and blocks malware by analyzing Web traffic metadata, making it harder for the
attack to evade the ATD system.
• Provides a bigger picture of the threat by focusing on the attacker rather than just the exploit or particular
• Through the use of advanced statistics and predictive modeling, helps you stay ahead of the attacker
rather than just react to attacks.
• Sandboxing allows for behavioral analysis of files in a virtual environment to prevent malicious files
from affecting your network. Cumulative analysis and information about the files collected from the
community are shared through the sandboxing report.
CTA Incident
CTA analyzes network traffic collected in Web proxy logs and treats anomalies as possible threats. Behaviors
that do not conform to the established baseline are reported to Cisco ScanCenter as incidents. In the example
below, the CTA behavioral analysis and anomaly detection engine has identified a user device infected with
malware exhibiting malicious data activity over HTTP(S) communication. The row shows that a user with the
user ID "jfaroll" and IP address "" is most likely infected with malware. The detected symptom
of the infection is the transfer of data through a URL. Data transfer through a URL is a method attackers use
to exfiltrate data by embedding it in a Web URL. The embedded data is usually encoded or encrypted, which
makes these requests difficult to distinguish from legitimate ones. The malware appends the data to the URL
and connects to a Web server controlled by the attacker. The same channel carries not only exfiltrated data
but also malware updates and commands from the botnet master. In this example the incident risk is 8 and
the confidence is 75%, indicating a relatively high priority and a high probability of a valid threat.
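The symptom described above, repeated requests to one host carrying long, high-entropy query values, is simple enough to check for in your own proxy logs. The following script is an added example written for this chapter, not part of the guide or of CTA; it assumes a simplified space-separated log layout (timestamp, user, source IP, method, URL, status, bytes) rather than the real Cisco log format, and the sample lines it runs over are constructed, with the encoded chunks generated deterministically from hashes rather than taken from real malware. It flags query parameters by length and Shannon entropy, then groups hits per user, source IP and destination host so that a single odd URL is not reported but a run of beacons to one host is.

```python
import base64
import hashlib
import math
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit


def shannon_entropy(text: str) -> float:
    """Bits per character: English text sits around 3 to 4.3, base64 of random bytes near 5 to 6."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def suspicious_params(url: str, min_len: int = 32, min_entropy: float = 4.5):
    """Query parameters whose value looks like encoded data rather than a human-typed value.
    The thresholds are heuristics chosen for this example; tune them against your own traffic."""
    query = urlsplit(url).query
    return [(k, v) for k, v in parse_qsl(query, keep_blank_values=True)
            if len(v) >= min_len and shannon_entropy(v) >= min_entropy]


def parse_line(line: str) -> dict:
    # Assumed log layout for this example: timestamp user src_ip method url status bytes.
    ts, user, src_ip, method, url, status, size = line.split()
    return {"ts": ts, "user": user, "src_ip": src_ip, "method": method,
            "url": url, "status": int(status), "bytes": int(size)}


def detect_url_transfer(lines, min_hits: int = 5):
    """Group suspicious requests by (user, source IP, destination host) and report
    every group with at least min_hits requests."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        flagged = suspicious_params(rec["url"])
        if flagged:
            key = (rec["user"], rec["src_ip"], urlsplit(rec["url"]).hostname)
            hits[key].append(sum(len(v) for _, v in flagged))
    incidents = []
    for (user, src_ip, host), sizes in hits.items():
        if len(sizes) >= min_hits:
            incidents.append({"user": user, "src_ip": src_ip, "destination": host,
                              "requests": len(sizes), "bytes_in_urls": sum(sizes)})
    return incidents


def _fake_payload(i: int) -> str:
    # Deterministic stand-in for an encoded exfiltration chunk (constructed, not malware output).
    digest = hashlib.sha512(f"chunk{i}".encode()).digest()
    return base64.urlsafe_b64encode(digest).decode().rstrip("=")


def build_sample_log():
    """Constructed proxy log lines: jfaroll beacons six encoded chunks to one host,
    plus ordinary browsing from jfaroll and asmith."""
    lines = [f"2016-03-01T10:0{i}:00Z jfaroll 10.1.2.3 GET "
             f"http://img-relay.example.net/pixel.gif?id={_fake_payload(i)} 200 43"
             for i in range(6)]
    lines += [
        "2016-03-01T10:02:30Z jfaroll 10.1.2.3 GET http://www.example.com/news?page=2&sort=date 200 15320",
        "2016-03-01T10:03:00Z asmith 10.1.2.4 GET http://search.example.com/?q=cisco+scancenter+guide 200 9111",
        "2016-03-01T10:04:00Z asmith 10.1.2.4 GET http://search.example.com/?q=cloud+web+security 200 9004",
    ]
    return lines


if __name__ == "__main__":
    for incident in detect_url_transfer(build_sample_log()):
        print(incident)
```

Run against the constructed log, only the jfaroll group to img-relay.example.net is reported; the ordinary searches and the news page never pass the length and entropy test. Against real logs, expect benign long tokens (session IDs, signed CDN URLs) to appear in the flagged set, which is why the per-destination count rather than the single-request check is what should drive an alert.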
AMP Incident
AMP examines the reputation of files traversing your network perimeter. Every file that goes through the
Cisco proxy is scanned for its reputation. If the file reputation is malicious, AMP will block and report the
file to Cisco ScanCenter as an incident. Information on malware blocked by AMP is found in the Malware
Analysis section of the Reports tab. In cases where the file reputation is clean or unknown at the time of
download but later changes to malicious, AMP reports a retrospective incident. In the
example below, AMP has identified a malicious file download.
In the example below, the activity shows the actual request that led to the malicious file download. The label
W32.AF4BDA9F54-100.SBX.VIOC is an internal name and is not publicly referenced.
In the example below, the activity presents other requests that occurred around the time the malicious file was
downloaded. You can search for other suspicious activity hidden in these requests.
In cases where an executable file is larger than 128 KB, streaming of the file to the browser
begins before the file scan is completed. If the AMP scan then finds the file to be malicious, a TCP reset is
sent to the browser to stop the download. However, if the TCP reset is blocked, the connection is
closed but the partially downloaded file remains available on the client.
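The two AMP behaviors this section describes, retrospective incidents for files whose reputation changes after delivery and the partial-delivery window for executables over 128 KB, are easiest to reason about as a small state model. The following is an added example written for this chapter and is not Cisco's implementation or code from the guide; the class name, the ledger structure and the incident field names are assumptions made for illustration, the 128 KB threshold is the one the guide states, and the sample files are constructed byte strings, not real malware.

```python
import hashlib
from typing import Dict, List

# Threshold taken from the guide: executables larger than 128 KB begin streaming
# to the browser before the AMP scan finishes.
STREAM_THRESHOLD = 128 * 1024


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class AmpModel:
    """Illustrative model of the AMP decision flow described above.
    Assumption: a simplified stand-in for this example, not Cisco's implementation."""

    def __init__(self, reputation: Dict[str, str]):
        # sha256 hex -> "clean" | "malicious"; anything absent is treated as "unknown"
        self.reputation = dict(reputation)
        # Ledger of every file that reached a client, fully or partially. Without it a later
        # reputation change cannot be turned into a retrospective incident.
        self.delivered: List[dict] = []
        self.incidents: List[dict] = []

    def verdict(self, sha256: str) -> str:
        return self.reputation.get(sha256, "unknown")

    def download(self, user: str, url: str, content: bytes) -> dict:
        sha = sha256_hex(content)
        verdict = self.verdict(sha)
        streamed = len(content) > STREAM_THRESHOLD
        if verdict == "malicious":
            if streamed:
                # The file was already streaming; a TCP reset stops the rest, but the client
                # may keep what it received if the reset never arrives, so record it.
                outcome = "blocked_after_partial_delivery"
                self.delivered.append({"user": user, "url": url, "sha256": sha,
                                       "partial": True, "verdict_at_download": verdict})
            else:
                # Small files are held until the scan completes: nothing reaches the client.
                outcome = "blocked"
            incident = {"type": "amp", "user": user, "url": url, "sha256": sha, "outcome": outcome}
            self.incidents.append(incident)
            return incident
        self.delivered.append({"user": user, "url": url, "sha256": sha,
                               "partial": False, "verdict_at_download": verdict})
        return {"type": None, "user": user, "url": url, "sha256": sha, "outcome": "allowed"}

    def update_reputation(self, sha256: str, new_verdict: str) -> List[dict]:
        """Apply a reputation change and return the retrospective incidents it triggers."""
        previous = self.verdict(sha256)
        self.reputation[sha256] = new_verdict
        retro: List[dict] = []
        if new_verdict == "malicious" and previous != "malicious":
            for entry in self.delivered:
                if entry["sha256"] == sha256 and entry["verdict_at_download"] != "malicious":
                    incident = {"type": "amp_retrospective",
                                "outcome": "delivered_before_verdict_changed", **entry}
                    self.incidents.append(incident)
                    retro.append(incident)
        return retro


def demo():
    # Constructed sample files (not real malware): a DOS "MZ" header followed by filler.
    small_bad = b"MZ" + b"\x90" * 1000
    big_bad = b"MZ" + b"\x90" * (200 * 1024)
    unknown_tool = b"MZ" + b"\x41" * 5000
    model = AmpModel({sha256_hex(small_bad): "malicious", sha256_hex(big_bad): "malicious"})
    r1 = model.download("jfaroll", "http://dl.example.net/a.exe", small_bad)
    r2 = model.download("jfaroll", "http://dl.example.net/b.exe", big_bad)
    r3 = model.download("asmith", "http://dl.example.net/tool.exe", unknown_tool)
    # The reputation of tool.exe flips to malicious after delivery: a retrospective incident.
    retro = model.update_reputation(sha256_hex(unknown_tool), "malicious")
    return model, r1, r2, r3, retro


if __name__ == "__main__":
    model, *_ = demo()
    for inc in model.incidents:
        print(inc["type"], inc["user"], inc["url"], inc["outcome"])
```

The practical point of the model is the ledger: a retrospective incident is only possible if the proxy remembered who received which hash, so when triaging one, treat every host in that list as having the file, and treat a blocked download of a large executable as a possible partial file on the endpoint rather than a clean block.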