Explanation
Cisco Tetration platform studies the behavior of the various processes and applications in the workload,
measuring them against known bad behavior sequences. It also factors in the process hashes it collects. By
studying various sets of malwares, the Tetration Analytics engineering team deconstructed it back into its basic
building blocks. Therefore, the platform understands clear and crisp definitions of these building blocks and
watches for them.
The various suspicious patterns for which the Cisco Tetration platform looks in the current release are:
+ Shell code execution: Looks for the patterns used by shell code.
+ Privilege escalation: Watches for privilege changes from a lower privilege to a higher privilege in the process
lineage tree.
+ Side channel attacks: Cisco Tetration platform watches for cache-timing attacks and page table fault bursts.
Using these, it can detect Meltdown, Spectre, and other cache-timing attacks.
+ Raw socket creation: Creation of a raw socket by a nonstandard process (for example, ping).
+ User login suspicious behavior: Cisco Tetration platform watches user login failures and user login methods.
+ Interesting file access: Cisco Tetration platform can be armed to look at sensitive files.
+ File access from a different user: Cisco Tetration platform learns the normal behavior of which file is
accessed by which user.
+ Unseen command: Cisco Tetration platform learns the behavior and set of commands as well as the lineage
of each command over time. Any new command or command with a different lineage triggers the interest of the
Tetration Analytics platform.
[Reference: https://www.cisco.com/c/en/us/products/collateral/data-center-analytics/tetration-analytics/whitepaper-c11-740380.html, ]
