[Dailydave] Encrypted Malware Traffic Detection == hilarious?

dave aitel dave at immunityinc.com
Wed Jun 21 10:25:15 EDT 2017


Let's talk about the giant pile of wrong that is this reporting on
Cisco's new marketing campaign
<http://www.cnbc.com/2017/06/20/cisco-introduces-encrypted-traffic-analytics-to-detect-malwre.html>
around detecting encrypted malware traffic. "This is a seminal moment in
networking" is the quote from their CEO that CNBC decided to run. Let's
revisit the basics of this "new" technology: do statistical analysis on
encrypted data to find malware traffic.

People have literally decoded conversations
<https://www.schneier.com/blog/archives/2008/06/eavesdropping_o_2.html>
from encrypted data using that same basic technique. Not even recently -
that work is from 2008 and was not surprising even then.

"The software, which will be offered as a subscription service, is
currently in field trials with 75 customers, and according to Robbins,
is 99 percent effective."

99% effective with the kind of traffic a normal network sees means you
are FLOODED AND OVERWHELMED WITH FALSE POSITIVES. Although they don't
specify what that number even means. Is it false positives? False
negatives? Both? Let's just say this: 99.99% is useless when doing a
network-based IDS. All that might get you is an indicator you can use to
remotely load a more sophisticated remote tool onto an endpoint for
further detailed analysis. You essentially need BOTH if you have this
level of network-based IDS, and the endpoint people will probably say
you don't need the network sniffer anymore, because scaling good
analysis at that level at anything near real time is nearly impossible
(cf. Alex Stamos's talk <https://www.youtube.com/watch?v=2OTRU--HtLM>)
to the point where they still try to sell you stuff that has 1% false
positive rates. :)

I'm going to bug our big customers to see if any of them are in this 75
field trial and what they think in real life. And I'm going to be honest
and say that if you are thinking of investing in this sort of thing, but
you haven't tested it against Cobalt Strike
<https://www.cobaltstrike.com/> and INNUENDO
<https://www.immunityinc.com/products/innuendo/>, then you are knowingly
buying snake oil. A good percentage of our consulting business right now
is literally just that because these anomaly detection products are so
expensive and so hard to test.

Anyways, maybe I am wrong! If you are one of the privileged 75 and you
love this and it is amazing, let me/us know!

-dave
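The base-rate argument in the post (that a "99% effective" detector run over ordinary network traffic buries the analyst in false positives) worked through in code. This is an added example, not code from the post or from any vendor product; the traffic volume (10 million flows a day, 100 of them malicious) is a constructed assumption, and the error rates are treated as symmetric, i.e. "99% effective" is read as a 1% false-positive rate and a 1% miss rate.

```python
from dataclasses import dataclass


@dataclass
class AlertBudget:
    """Expected daily alert counts for one detector configuration."""
    true_positives: float
    false_positives: float

    @property
    def precision(self) -> float:
        """Fraction of alerts that are actually malicious (0.0 when no alerts)."""
        total = self.true_positives + self.false_positives
        return self.true_positives / total if total else 0.0


def expected_alerts(flows_per_day: int, malicious_flows: int,
                    detection_rate: float, false_positive_rate: float) -> AlertBudget:
    """Apply a per-flow classifier to a day of traffic and count the alerts.

    detection_rate      = P(alert | malicious flow)
    false_positive_rate = P(alert | benign flow)
    """
    for r in (detection_rate, false_positive_rate):
        if not 0.0 <= r <= 1.0:
            raise ValueError("rates must lie in [0, 1]")
    if malicious_flows > flows_per_day:
        raise ValueError("malicious flows cannot exceed total flows")
    benign_flows = flows_per_day - malicious_flows
    return AlertBudget(true_positives=malicious_flows * detection_rate,
                       false_positives=benign_flows * false_positive_rate)


def compare_error_rates(flows_per_day: int, malicious_flows: int, error_rates):
    """Tabulate (error_rate, true_positives, false_positives, precision) rows,
    reading an error rate e as both the miss rate and the false-positive rate."""
    rows = []
    for err in error_rates:
        budget = expected_alerts(flows_per_day, malicious_flows, 1.0 - err, err)
        rows.append((err, budget.true_positives, budget.false_positives, budget.precision))
    return rows


if __name__ == "__main__":
    # Constructed sample network: 10M flows/day, 100 of which belong to an implant.
    for err, tp, fp, prec in compare_error_rates(10_000_000, 100, [0.01, 0.0001]):
        print(f"{1 - err:.4%} effective: {tp:8.1f} real hits, "
              f"{fp:10.1f} false alarms/day, precision {prec:.2%}")
```

Even the "99.99%" detector still produces roughly ten false alarms for every real hit on this sample network, which is the point about needing an endpoint tool to triage whatever the network sensor flags.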


