
Tracking Malware Hidden in Encrypted Traffic


I feel comfortable saying that all of us know what encrypted data is. Web encryption, specifically, has been around for quite some time now. Secure Sockets Layer (SSL) did take a long time to be considered widely adopted, however—twenty-two years, to be exact! 2017 marks a milestone because there is now officially more encrypted web traffic than not.

This is great news; the more encrypted data the better off we are, right? But while that certainly is true, we’ve also seen an enormous rise in attacks leveraging SSL/TLS to mask their activities. Hackers commonly use it to hide communications between compromised hosts and the command and control server that issues instructions, payloads, or other bits of information. Fortunately, this hasn’t gone unnoticed, and vendors are tackling ways to overcome the issue. In this blog I’d like to take a glimpse into the future and talk about leveraging Cisco’s Encrypted Traffic Analytics (ETA).

Cisco ETA Explored

Cisco recently announced their intent-based networking solutions, a suite of both hardware and software aimed at bringing in the new era of networking. One of the innovations that caught my eye was Cisco ETA.

Cisco ETA leverages the existing NetFlow architecture and extracts four main data elements from the encrypted packet:

  • Sequence of Packet Lengths and Times (SPLT)
    • SPLT conveys the length (number of bytes) of each packet’s application payload for the first several packets of a flow, along with the interarrival times of those packets.
  • Byte Distribution
    • The byte distribution represents the probability that a specific byte value appears in the payload of a packet within a flow.
    • The major data types associated with byte distribution are:
      • Full byte distribution
      • Byte entropy
      • The mean/standard deviation of the bytes
  • TLS-Specific Features
    • Unique elements observed from the initial 4-way handshake:
      • Cipher suites
      • TLS versions
      • Client public key length
  • Initial Data Packet
    • Used to obtain packet data from the first packet of a flow, such as:
      • HTTP URL
      • DNS hostname/address

Encrypted Traffic Analysis

By exporting these unique elements as flow data, Cisco opens the door for additional traffic analytics to be applied. This is hugely important because it brings more industry experts into the fold by allowing them to use these unique elements to build a new profile of malware’s ebb and flow.

But we also can’t ignore that this will be a cat-and-mouse game with bad actors. They will be aware of these elements and attempt to obfuscate their tracks. For example, a part of Cisco’s logic here is to look for ‘odd’ certificates. Hackers can subvert this by mirroring a standard certificate from a popular website.

Another method for obfuscation would be to randomize the traffic inside the attack. Cisco is monitoring for uniform and consistent payload sizes/interval times. By adding in extra traffic and varying the timing/size of the payload, hackers could avoid being flagged. This is why having more industry experts analyzing and creating algorithms/policies to monitor for these types of attack vectors is paramount.

Scrutinizer is uniquely positioned in the industry to automatically detect and support these new elements. Once Scrutinizer receives the template deciphering the information elements, we will have unique reports included on deployment as well as providing end users the ability to design their own reports. Beyond that, Plixer will also be able to apply our algorithmic approach to recognizing and alerting on suspicious traffic patterns.


Defense-in-Depth Protects Against Malware

Lately, we’ve seen a growing trend toward encrypted traffic analysis in the industry. With vendors like Gigamon and Ixia doing full packet decryption, it shows that there is an obvious need in the market for in-depth analysis of encrypted traffic. Cisco sets itself apart by providing in-depth analysis without having to decrypt the packet. This is incredibly important since we’re always trying to balance insight and performance. Cisco’s aim with this release is to provide the deep contextual awareness without causing a bottleneck by attempting to decrypt every packet.

That said, a defense-in-depth approach is always the best bet. For example, one might leverage Cisco’s ETA exports for high-level, real-time security profiles while using Gigamon or Ixia as a sanity check. When you see suspicious traffic in ETA’s elements, Scrutinizer allows you to easily pivot to Gigamon or Ixia to look at the full decrypted packet for verification. By collecting flows from across the network, independent of vendor or flow type, Scrutinizer becomes the platform that provides true end-to-end visibility.

Cisco ETA Exported Elements

It’s worth mentioning the timeline of research involved here. Cisco has been working toward this for some time with their investment into Cisco Joy. According to Cisco, Joy has helped pave the way for Cisco ETA. Also worth noting, Joy is open source and available here on GitHub.

Below is a table of Cisco ETA’s IPFIX elements:

Data element name: Description

Sequence of packet lengths and times (SPLT)
  An array of LENGTH values followed by an array of INTERARRIVAL TIME values describing the first N packets of a flow that carry application payload. Each LENGTH is encoded as a 16-bit integer to form a 20-byte array. Immediately following this, each INTERARRIVAL TIME is encoded as a 16-bit integer to form another 20-byte array.

Byte distribution
  A histogram giving the frequency of occurrence for each byte value (or range of values) in the first N bytes of application payload for a flow. Each “frequency of occurrence” is represented as a 16-bit integer.

Initial data packet (IDP)
  The content of the first packet of this flow that contains actual payload data, starting at the beginning of the IP header.

TLS records
  An array of LENGTH values, followed by an array of INTERARRIVAL TIME values, followed by an array of CONTENT TYPE values, followed by an array of HANDSHAKE TYPE values. These arrays describe the first N records of a TLS flow.

TLS record lengths
  A sequence of record lengths for up to the first N records of a TLS flow.

TLS record times
  A sequence of TLS interarrival times for up to the first N records of a TLS flow.

TLS content types
  A sequence of ContentType values for up to the first N records of a TLS flow.

TLS handshake types
  A sequence of HandshakeType values for up to the first N records of a TLS flow.

TLS cipher suites
  A list of up to N cipher suites offered by the client, or selected by the server, in a TLS flow.

TLS extensions
  An array of LENGTH values followed by an array of EXTENSION TYPE values describing the TLS extensions observed in the Hello message for a TLS flow.

TLS extension lengths
  A list of extension lengths for up to the first N TLS extensions observed in the TLS Hello message for a flow.

TLS extension types
  A list of extension types for up to the first N TLS extensions observed in the TLS Hello message for a flow.

TLS version
  The TLS version number observed in the TLS Hello message for a flow.

TLS key length
  The length of the client key observed in the TLS ClientKeyExchange message.

TLS session ID
  The session ID value observed (if any) in the TLS Hello message for a flow.

TLS random
  The random value observed in the TLS Hello message for this flow.
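To make the SPLT and byte distribution elements from the list above and their IPFIX encoding in the table concrete, here is an added Python example (not Cisco, Joy or Plixer code) that derives both from a constructed flow. It assumes N = 10 (the 20-byte arrays in the table imply ten 16-bit values), big-endian integers, and a flow represented as (timestamp in ms, application payload) pairs; the sample packets are made up.

```python
import math
import struct

N = 10  # packets summarised per flow; assumed from the 20-byte arrays in the table

# Constructed sample flow: (timestamp in ms, application payload) for each packet.
SAMPLE_FLOW = [
    (0,  b"\x16\x03\x01\x00\xc8" + bytes(range(200))),   # handshake-sized record
    (12, b"\x16\x03\x03\x05\x00" + b"A" * 1280),          # larger server response
    (15, b"\x14\x03\x03\x00\x01\x01"),                    # tiny record
    (60, b"\x17\x03\x03\x00\x40" + bytes([0x55] * 64)),   # two uniform data records
    (61, b"\x17\x03\x03\x00\x40" + bytes([0x55] * 64)),
]

def splt(flow, n=N):
    """Sequence of Packet Lengths and Times: payload length and inter-arrival
    time (ms) of the first n packets that actually carry application payload."""
    packets = [(t, p) for t, p in flow if p][:n]
    lengths = [len(p) for _, p in packets]
    times = [0] + [packets[i][0] - packets[i - 1][0] for i in range(1, len(packets))]
    return lengths, times

def encode_splt(lengths, times, n=N):
    """Encode as in the IPFIX element: n 16-bit LENGTH values, then n 16-bit
    INTERARRIVAL TIME values; short flows are zero-padded (2*n bytes per array)."""
    pad = lambda xs: (list(xs) + [0] * n)[:n]
    return struct.pack(f"!{n}H", *pad(lengths)) + struct.pack(f"!{n}H", *pad(times))

def decode_splt(blob, n=N):
    """Inverse of encode_splt: split the 4*n-byte blob back into the two arrays."""
    lengths = struct.unpack(f"!{n}H", blob[:2 * n])
    times = struct.unpack(f"!{n}H", blob[2 * n:4 * n])
    return list(lengths), list(times)

def byte_distribution(flow, n_bytes=256):
    """Histogram over the first n_bytes of application payload, plus the derived
    byte entropy (bits), mean and standard deviation named in the list above."""
    payload = b"".join(p for _, p in flow)[:n_bytes]
    hist = [0] * 256
    for b in payload:
        hist[b] += 1
    total = len(payload)
    probs = [c / total for c in hist if c]
    entropy = -sum(p * math.log2(p) for p in probs)
    mean = sum(payload) / total
    std = math.sqrt(sum((b - mean) ** 2 for b in payload) / total)
    return hist, entropy, mean, std
```

The entropy value is what separates the near-uniform bytes of a well-encrypted payload (close to 8 bits) from the skewed distribution of plaintext or padding, which is why it is exported alongside the raw histogram.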

Supported Devices

Like the rest of us, I’m sure you’re wondering “When can I get my hands on these exports?” If you already own one of Cisco’s newest Catalyst 9300 series, you’ve already got it! If you don’t happen to own a Catalyst 9300, you’ll have to wait for IOS-XE 16.7 to be released. Below is a full list of ETA-compatible devices and the expected IOS release containing Cisco ETA:

  • Cisco Catalyst® 9300 Series (starting with the Cisco IOS XE 16.6 release)
  • 9400 Series and 9500 series (starting with the Cisco IOS XE 16.8.1 release)
  • ASR 1001-X, ASR 1002-X, ASR 1001-HX, ASR 1002-HX, ASR 1004, ASR 1006-X, ASR 1009-X, 4221 ISR, 4321 ISR, 4331 ISR, 4351 ISR, 4431 ISR, 4451-X ISR, Integrated Services Virtual Router (ISRv) including the 5400 Enterprise Network Compute System, Cloud Services Router (CSR) 1000V (starting with the Cisco IOS XE 16.7 release)

For a more in-depth review of Cisco ETA, or flow and metadata analysis, contact us here for an overview.