At the Cisco Live San Diego 2025 conference Security Operations Center (SOC), the SPAN (Switched Port Analyzer) traffic that we receive from the NOC is nearly 80% encrypted traffic. This means if we only investigate unencrypted traffic, we are missing most of the packets flying across the network. The Encrypted Visibility Engine (EVE) is a feature in Cisco Secure Firewall that provides visibility into encrypted TLS (HTTPS) traffic without needing to decrypt it. It leverages TLS fingerprinting to detect and classify applications, malware, and other behaviors in encrypted flows while preserving privacy.

We observed a machine with multiple alerts for malwareUpatre, a malware variant often used to deliver other payloads. The Upatre detections are associated with requests topcapp[.]store, a site that can serve legitimate software download functions, but which is also associated with adware and malware payload downloads. While investigating we also observed regular RDP connections to an Italian IP belonging to Expereo, a data management service.

Investigation Steps

1. Network Context- The investigation begins in the Firewall Management Center (FMC) unified event viewer. Adding a column for EVE detections and filtering for "High" and "Very High" EVE confidence scores.
2. Pivot to Fingerprint Analysis and Secure Malware Analytics Indicator- Pivoting from the FMC to the TLS fingerprint analysis shows the details of what the fingerprint is looking for and the relevance ofUpatre. Selecting 'Malware Upatre' opens the indicator in Secure Malware Analytics (SMA -formerly Threat Grid) to further understand the behaviors of malwareUpatre.
3. Pcap Deep Dive- Pivoting to Endace to pull a pcap (packet capture) of traffic in Wireshark reveals the server SNI (Server Name Indication) field ofpcapp[.]store. The clienthelloTLS cipher suite offering also validates what was in the Fingerprint details.
4. Using XDR Investigate- We then launched an investigation ofpcapp[.]storein XDR to investigate and saw that SMA shows multiple malicious files connecting topcapp[.]store. We also saw multiple DNS (Domain Name Service) lookups for that domain from the Cisco Live wireless network.
5. Using Splunk to Search for Additional Connections- Using Splunk to find additional connection topcapp[.]storerevealed that there were 1,200 other connections to the same URL, but only this host triggered the EVE detection for the fingerprint.
6. Using Flow Data in XDR Analytics- In XDR Analytics, we noticed this host had observations for long RDP (Remote Desktop Protocol) connections showing more than 20 gigabytes of data leaving outbound to an Italian IP. This turned out to be a red herring as the IP turned out to be a company known for cloud migrations and the regularly scheduled nature of the uploads indicated that this may not be malicious traffic.

Takeaway and Response

Using Splunk to search the DHCP data, the host name indicated that the client was a Windows machine on the general Wi-Fi. We escalated an incident report to the NOC. Potentially the device could have been located using Wi-Fi access point data. Also, with endpoint telemetry we could truly validate a malwareUpatreinfection.

This investigation shows just how powerful network telemetry can be in an investigation, especially when the devices on the conference Wi-Fi network are unmanaged by the SOC.

Want to learn more about what we saw at Cisco Live San Diego 2025? Check out our main blog post - Cisco Live San Diego 2025 SOC - and the rest of the Cisco Live SOC content.

We'd love to hear what you think! Ask a question and stay connected with Cisco Security on social media.

Cisco Security Social Media

LinkedIn
Facebook
Instagram
X