Cognitive Threat Analytics

Sample threat findings

Overview of identified threat categories.

Data exfiltration

Data exfiltration is commonly used in industrial espionage and as a monetization method for criminal gangs operating botnets.

In this incident, CTA detected, with high severity and confidence, data being uploaded over an encrypted channel to a destination associated with malware.

The traffic summary for the HTTPS data upload shows that 3.0 GiB of data was exfiltrated over roughly 11 days. This volume is enough to cover thousands of documents, e-mails and other intellectual property items.

To learn more about exfiltration, see this article at Cisco Security Blog.
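As an added example (not CTA's own detection logic), the following Python aggregates constructed outbound flow records per client and destination and flags the kind of sustained HTTPS upload to a malware-associated destination described above; the IP addresses, threat list, byte counts and thresholds are all assumptions.

```python
"""Added illustration of the exfiltration finding above (not CTA code): flag
sustained HTTPS uploads to malware-associated destinations. All data is constructed."""
from collections import defaultdict
from datetime import datetime

GIB = 1024 ** 3
MALWARE_ASSOCIATED = {"203.0.113.45"}   # constructed threat list (documentation IP)

# Constructed outbound flows: timestamp client destination port bytes_sent
FLOWS = """\
2016-03-01T08:12:00 10.1.4.22 203.0.113.45 443 536870912
2016-03-03T08:12:00 10.1.4.22 203.0.113.45 443 536870912
2016-03-05T08:12:00 10.1.4.22 203.0.113.45 443 536870912
2016-03-07T08:12:00 10.1.4.22 203.0.113.45 443 536870912
2016-03-10T08:12:00 10.1.4.22 203.0.113.45 443 536870912
2016-03-12T08:12:00 10.1.4.22 203.0.113.45 443 536870912
2016-03-02T12:00:00 10.1.4.23 198.51.100.7 443 1610612736
2016-03-04T13:00:00 10.1.4.24 198.51.100.9 80 2147483648
"""

def parse_flows(text):
    """Yield (timestamp, client, destination, port, bytes) per record."""
    for line in text.splitlines():
        ts, src, dst, port, nbytes = line.split()
        yield datetime.fromisoformat(ts), src, dst, int(port), int(nbytes)

def exfiltration_findings(flows, min_bytes=GIB, min_days=7):
    """Sum bytes sent per (client, destination) over port 443 and report pairs above
    min_bytes; severity follows reputation, confidence also needs a sustained upload."""
    agg = defaultdict(lambda: {"bytes": 0, "first": None, "last": None})
    for ts, src, dst, port, nbytes in flows:
        if port != 443:          # only the encrypted channel is of interest here
            continue
        a = agg[(src, dst)]
        a["bytes"] += nbytes
        a["first"] = ts if a["first"] is None else min(a["first"], ts)
        a["last"] = ts if a["last"] is None else max(a["last"], ts)
    findings = {}
    for (src, dst), a in agg.items():
        if a["bytes"] < min_bytes:
            continue
        days = (a["last"] - a["first"]).total_seconds() / 86400
        known_bad, sustained = dst in MALWARE_ASSOCIATED, days >= min_days
        findings[(src, dst)] = {
            "gib": round(a["bytes"] / GIB, 2), "days": round(days, 1),
            "severity": "high" if known_bad else "medium",
            "confidence": ("high" if known_bad and sustained
                           else "medium" if known_bad or sustained else "low"),
        }
    return findings
```

The first client reproduces the finding above (3.0 GiB over 11 days to a known-bad destination, high severity and confidence); the second client's large one-day upload to an unknown destination is reported at medium severity and low confidence, and the plaintext port 80 transfer is ignored.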

Banking trojan

Banking trojans and information stealers monitor web activity for access credentials. Once access credentials are obtained by the attackers, they sell or use them to access online accounts and steal money.

The IPs column shows that only one of the active C&C channels is being blocked by reputation.

Malware often contains backup C&C channels to avoid getting completely blocked. This malware has worked around the block by using another C&C channel.

Ransomware

Ransomware encrypts all your data and demands payment for its decryption. Traditional remediation steps do not resolve the issue, because the data remains encrypted even after the infection is cleaned.

With 100% confidence, CTA detected a working C&C channel of the ransomware infection, allowing remediation steps to be performed before a demand for ransom is made.

To learn more, see this article at Cisco Security Blog.

Exploit kit

Exploit kits probe your web browser for any vulnerabilities and use them to install and spread malware in an automated fashion.

The user visits a legitimate web site about liver diseases whose server has been hacked by cybercriminals to serve malware. Additional anomalies indicate that the exploit installed ransomware onto the user's device, which then encrypts valuable user files in order to hold the user's data hostage.

To learn more, see this article at Cisco Security Blog.

Click fraud

Click fraud and clickjacking are popular and contemporary monetization methods.

Observing this behavior on an endpoint is like observing a "fever": it is a clear sign of an ongoing infection.

Click fraud operators take many precautions to make the botnet difficult to detect and remove, such as infrastructure hiding and traffic direction systems.

To learn more about click fraud, see this article at Cisco Security Blog.

Ad injector

Ad injectors are malicious plugins that manipulate pages displayed in the web browser. They take control of the web browser, track user activity, and can spread additional malware.

CTA can detect malicious plugins on the basis of anomaly detection, despite the plugins using advanced techniques such as a word-based DGA for their C&C structure.

To learn more about malicious plugins, see this article at Cisco Security Blog.

Possibly unwanted applications (PUA)

Possibly Unwanted Applications (PUA) are unwanted because they typically provide little functionality while displaying advertisements and installing third-party software.

As shown on this Confirmed page, users are trying to optimize their PC performance with questionable software applications.

Creators of PUAs are not very diligent about whom they partner with, so the applications open the door to more serious infections.

Money scam

Money scam web sites go beyond the traditional "money for nothing" deals and can also benefit from typos in domain names. While not immediately dangerous, they can lure users into installing additional software, which opens the door for further infections.

To learn more, see this article at Cisco Security Blog.

Spam tracking

Spam and phishing are known to stand at the beginning of many infections.

CTA detected an exfiltration of the user's personal email address.

Reaching out to your personal email address is one way to bypass corporate email security.