Moving Beyond Indicator Lists

Chris McNab
AlphaSOC
Published Jun 18, 2021


AlphaSOC processes network telemetry to highlight both known and unknown emerging threats. Using our layered analytics approach, security teams uncover three times more malware than with indicator lists alone.

Introducing AE

Our Analytics Engine (AE) processes customer DNS, IP, HTTP, and TLS telemetry from any source (e.g. Splunk, Elastic, Snowflake, Amazon S3) to generate high-fidelity signals for security teams. Splunk users can leverage our native integration to render findings for quick investigation, as below.

https://splunkbase.splunk.com/app/4052/

In this example, AE flags microsoflonline.link as a high-severity threat through live feature analysis and prevalence scoring. The domain isn’t known to threat intelligence, but it is highlighted due to a combination of three signals:

  • The TLD is statistically associated with malware infrastructure
  • The domain label contains “microsof” and has other odd features
  • Traffic to the destination has not been seen within other environments

Combining weak signals in this fashion enables security teams to instantly identify suspicious traffic patterns and proactively engage in threat hunting.
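To make the weak-signal combination concrete, here is an added example (not AlphaSOC's code) that scores a DNS destination from three signals like those above: a risky TLD, a brand lookalike in the registrable label, and zero prevalence in other environments. The weights, TLD list, brand list and prevalence table are constructed assumptions for illustration only.

```python
# Added example: combining weak signals from DNS telemetry into a single
# score, modelled on the microsoflonline.link case above. The weights, TLD
# list, brand list and prevalence table are constructed for illustration and
# are not AlphaSOC's real model or values.
from difflib import SequenceMatcher

# Constructed: TLDs this example treats as over-represented in malware
# infrastructure, each with a weak-signal weight.
RISKY_TLD_WEIGHTS = {"link": 0.3, "xyz": 0.3, "top": 0.25}
# Constructed: brand labels to compare against the registrable label.
BRAND_LABELS = ["microsoft", "office", "paypal"]
# Constructed: number of other environments in which each domain was seen.
PREVALENCE = {"microsoftonline.com": 240, "microsoflonline.link": 0}

def split_domain(domain):
    """Return (registrable label, tld) for a two-level-or-deeper name."""
    parts = domain.lower().rstrip(".").split(".")
    return (parts[-2] if len(parts) > 1 else parts[0]), parts[-1]

def tld_signal(domain):
    return RISKY_TLD_WEIGHTS.get(split_domain(domain)[1], 0.0)

def lookalike_signal(domain, threshold=0.85):
    """0.4 if any window of the label is near-identical to a brand name
    (catches 'microsofl' inside 'microsoflonline'), else 0."""
    label, _ = split_domain(domain)
    for brand in BRAND_LABELS:
        n = len(brand)
        for i in range(max(1, len(label) - n + 1)):
            if SequenceMatcher(None, label[i:i + n], brand).ratio() >= threshold:
                return 0.4
    return 0.0

def prevalence_signal(domain):
    """Destinations unseen in any other environment carry the most weight."""
    seen = PREVALENCE.get(domain, 0)
    return 0.3 if seen == 0 else 0.15 if seen < 3 else 0.0

def score_domain(domain):
    """Sum the weak signals and map the total to a severity band."""
    signals = {"tld": tld_signal(domain), "lookalike": lookalike_signal(domain),
               "unseen": prevalence_signal(domain)}
    total = round(sum(signals.values()), 2)
    severity = "high" if total >= 0.8 else "medium" if total >= 0.5 else "low"
    return total, severity, signals

if __name__ == "__main__":
    print({d: score_domain(d) for d in ("microsoflonline.link", "microsoftonline.com")})
```

Note that the legitimate microsoftonline.com also trips the brand check, but its high prevalence and neutral TLD keep it at low severity; no single signal decides the outcome.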

AE Processing Phases

The analytics stack within AE is made up of six distinct layers, as follows:

If we take a look at these layers across the Network Traffic Analysis (NTA) products in the marketplace today, we can demonstrate the delta between AlphaSOC and other vendors with regard to processing depth, as below.

Identifying Threats in Practice

Along with measuring prevalence, AE correlates network telemetry with third party services, and actively fingerprints destinations to provide useful context. The example below shows the flags generated by the platform as it encounters a known malware distribution site.

The engine reports the domain as young, with a significant sandboxing engine score (i.e. malware samples are associated with it) and an open directory listing. If we take a look at the destination, we find it was registered on 7 June 2021 and is serving Remcos RAT malware.

Automating the Hunt

Security teams use this capability to process gigabytes of network telemetry in real time and uncover traffic to C2 infrastructure, malware dropper domains, cryptomining pools, anonymizing services (e.g. Tor and I2P), and many other suspicious destinations.

Check out our documentation for further details!


Author of Network Security Assessment (O’Reilly Media) and co-founder of AlphaSOC, Inc.