To evade detection, attackers often live off the land, using pre-installed binaries like powershell.exe and communicating with legitimate cloud services like dl.dropbox[.]com. The recently released Secure Firewall feature, Encrypted Visibility Engine (EVE), is well suited to detecting this kind of stealthy evasion. EVE extracts two primary types of data features from the initial packet of a network connection:

  • Information about the client, represented by the Network Protocol Fingerprint (NPF): sequences of bytes extracted from the initial packet that are indicative of the process, library, and/or operating system that initiated the connection.
  • Information about the server, such as its IP address, port, and domain name (e.g., TLS server name or HTTP Host).

EVE then identifies the client process by using machine learning built on top of an extensive collection of labeled data that is updated daily, allowing EVE to identify malicious, encrypted traffic even when it is destined for a trustworthy service.
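To make the two feature types concrete, here is an added example (not Cisco's EVE code) that parses a constructed TLS ClientHello, the initial packet of a TLS connection, and pulls out both the client-side fields (version, cipher suites, extension types) and the server name from the SNI extension. The `npf_string` layout is an assumed simplified fingerprint format, not EVE's actual NPF encoding, and the machine-learning step is out of scope.

```python
import struct

def _ext(ext_type: int, body: bytes) -> bytes:
    return struct.pack("!HH", ext_type, len(body)) + body

def _sni(host: str) -> bytes:
    name = host.encode()
    entry = b"\x00" + struct.pack("!H", len(name)) + name  # name_type=host_name
    return _ext(0x0000, struct.pack("!H", len(entry)) + entry)

def build_client_hello(host: str, suites: list, ext_types: list) -> bytes:
    """Constructed sample ClientHello (TLS 1.2 record framing), not captured traffic."""
    body = b"\x03\x03" + bytes(32) + b"\x00"  # client version, random, empty session id
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"  # one compression method: null
    exts = _sni(host) + b"".join(_ext(t, b"") for t in ext_types)
    body += struct.pack("!H", len(exts)) + exts
    hs = b"\x01" + len(body).to_bytes(3, "big")  + body  # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def parse_client_hello(data: bytes) -> dict:
    """Extract client-identifying fields and the SNI (server side) from one initial packet."""
    if data[0] != 0x16 or data[5] != 0x01:
        raise ValueError("not a TLS ClientHello record")
    pos = 9  # skip record header (5) and handshake header (4)
    version = data[pos:pos + 2].hex(); pos += 2
    pos += 32  # client random carries no fingerprint value
    pos += 1 + data[pos]  # session id
    n = struct.unpack("!H", data[pos:pos + 2])[0]; pos += 2
    suites = [struct.unpack("!H", data[pos + i:pos + i + 2])[0] for i in range(0, n, 2)]; pos += n
    pos += 1 + data[pos]  # compression methods
    end = pos + 2 + struct.unpack("!H", data[pos:pos + 2])[0]; pos += 2
    exts, sni = [], None
    while pos + 4 <= end:
        t, length = struct.unpack("!HH", data[pos:pos + 4]); pos += 4
        if t == 0 and length >= 5:  # server_name: list_len(2) type(1) name_len(2) name
            name_len = struct.unpack("!H", data[pos + 3:pos + 5])[0]
            sni = data[pos + 5:pos + 5 + name_len].decode()
        exts.append(t); pos += length
    return {"version": version, "suites": suites, "extensions": exts, "sni": sni}

def npf_string(f: dict) -> str:
    """Assumed simplified fingerprint string built only from client-controlled fields."""
    return "tls/{}/{}/{}".format(f["version"],
                                 "-".join(f"{s:04x}" for s in f["suites"]),
                                 "-".join(f"{e:04x}" for e in f["extensions"]))
```

The same fingerprint string with two different `sni` values is exactly the situation the text describes: the client process is identified from the NPF, while the destination (a trusted service or not) is a separate feature fed to the classifier.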

Author: admin
