Supercharge Your SOC

Chris McNab
Jun 19, 2018 · 4 min read

Uncovering emerging threats with Network Behavior Analytics

Telemetry used by SOC analysts to identify compromised hosts stems from IDS sensors, EDR and antivirus running on endpoints, and SIEM platforms which aggregate and process logs from firewalls and other security apparatus.

An entire industry exists to supply threat feeds that help security teams identify infected systems, malicious actors, and campaigns by matching known indicators (e.g. IP addresses, domain names, and file hashes). Indicator lists are commonly used in a one-dimensional fashion:

Raw data is correlated with a feed, and an alert is generated if there’s a hit

Many adversaries are aware of this level of maturity within enterprise SOCs. To bypass detection they simply avoid re-using IP addresses, domain names, executables, and other materials between campaigns, so the infrastructure of a new campaign has no entry in any feed when it first appears. A plethora of threats cannot be identified through one-dimensional correlation alone.

Introducing the Analytics Engine

To defend against unknown malware campaigns and determined attackers, security teams are turning to security analytics to dig deeper into their data. Building a robust analytics stack and performing such heavy lifting in-house is often cost prohibitive, and so hundreds of security teams turn to our Analytics Engine (AE) to uncover anomalies within large environments.

AlphaSOC AE performs fast multi-dimensional analysis of raw DNS and IP network events via an on-premises or cloud analytics instance. Individual classifiers and features that we have built and refined include:

  • Volumetric and quantitative analysis (identifying patterns and spikes)
  • Resolving FQDNs and domains to gather context (e.g. sinkhole traffic)
  • Breakdown and analysis of each FQDN label (i.e. hostname, domain, TLD)
  • Gathering of reputation data (e.g. WHOIS and sandboxing engine scores)
  • Categorization of traffic based on known patterns (e.g. C2, P2P, VPN)
  • Tracking of state and traffic patterns (uncovering lateral movement)
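As an added illustration (not AlphaSOC code), the Python below implements the simplest form of two classifiers from the list above over a constructed event log: the volumetric check (a burst of ICMP packets far above a host's own baseline) and the state-tracking check (a source resolving the same name at near-constant intervals, i.e. beaconing, which a feed lookup cannot catch while the name is still unknown). The line format, all addresses and names, and the thresholds are assumptions made for this example.

```python
"""Temporal analysis of DNS/IP events: beaconing and volume spikes.

Added example, not AlphaSOC code. The event format
"<ISO-8601 timestamp> <src_ip> <proto> <destination>", the hosts and
names, and the thresholds are all constructed for illustration.
"""
import statistics
from collections import defaultdict
from datetime import datetime, timedelta, timezone


def build_sample_events():
    """Return constructed log lines covering three hosts."""
    base = datetime(2018, 6, 19, 9, 0, 0, tzinfo=timezone.utc)
    lines = []
    # Beacon: 10.0.0.5 resolves the same name every 60s with +/-1s jitter.
    for i, jitter in enumerate([0, 1, -1, 0, 1, 0, -1, 0, 0, 1]):
        ts = base + timedelta(seconds=60 * i + jitter)
        lines.append(f"{ts.isoformat()} 10.0.0.5 dns update.example-cdn.net")
    # Ordinary browsing: irregular lookups of a handful of names.
    for offset, name in [(5, "www.example.com"), (40, "cdn.example.com"),
                         (300, "mail.example.org"), (333, "www.example.com"),
                         (900, "login.example.net")]:
        ts = base + timedelta(seconds=offset)
        lines.append(f"{ts.isoformat()} 10.0.0.7 dns {name}")
    # ICMP: 10.0.0.9 normally sends two echo requests an hour ...
    for hour in range(3):
        for k in range(2):
            ts = base - timedelta(hours=3 - hour) + timedelta(minutes=20 * k)
            lines.append(f"{ts.isoformat()} 10.0.0.9 icmp 203.0.113.10")
    # ... then 40 within a single minute (tunnel setup or an exfil burst).
    for k in range(40):
        ts = base + timedelta(seconds=k)
        lines.append(f"{ts.isoformat()} 10.0.0.9 icmp 203.0.113.10")
    return lines


def parse_events(lines):
    """Return (timestamp, src, proto, dst) tuples sorted by time."""
    events = []
    for line in lines:
        ts, src, proto, dst = line.split()
        events.append((datetime.fromisoformat(ts), src, proto, dst))
    events.sort()
    return events


def detect_beacons(events, min_events=6, max_cv=0.1, min_interval=10.0):
    """Flag (src, dst) pairs whose inter-arrival times are suspiciously regular.

    The coefficient of variation (stdev / mean) of the gaps is near zero
    for a timer-driven implant and large for human-driven traffic.
    """
    by_pair = defaultdict(list)
    for ts, src, _proto, dst in events:
        by_pair[(src, dst)].append(ts)
    findings = []
    for (src, dst), stamps in by_pair.items():
        if len(stamps) < min_events:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else float("inf")
        if mean >= min_interval and cv <= max_cv:
            findings.append({"src": src, "dst": dst,
                             "period_s": round(mean, 1), "cv": round(cv, 3)})
    return findings


def detect_volume_spikes(events, proto, window_s=60, ratio=10.0, min_count=20):
    """Flag sources whose busiest window holds far more <proto> events
    than their average window between first and last sighting."""
    per_src = defaultdict(lambda: defaultdict(int))
    for ts, src, p, _dst in events:
        if p == proto:
            per_src[src][int(ts.timestamp()) // window_s] += 1
    findings = []
    for src, buckets in per_src.items():
        span = max(buckets) - min(buckets) + 1   # windows, including empty ones
        mean = sum(buckets.values()) / span
        peak = max(buckets.values())
        if peak >= min_count and peak > ratio * mean:
            findings.append({"src": src, "peak": peak, "baseline": round(mean, 2)})
    return findings


if __name__ == "__main__":
    evs = parse_events(build_sample_events())
    for finding in detect_beacons(evs):
        print("beacon:", finding)
    for finding in detect_volume_spikes(evs, "icmp"):
        print("icmp spike:", finding)
```

On the sample data only 10.0.0.5 is reported as beaconing (a period of about 60 s with a coefficient of variation near 0.02) and only 10.0.0.9 as an ICMP spike (40 packets against a baseline of about 0.25 per minute). Real implants add randomised sleep and skip check-ins, so a production classifier observes over hours or days, tolerates missing intervals, and baselines volume per host over a much longer history than this toy does.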

DNS and IP events can be gathered and sent to the Analytics Engine via:

Upon processing, AlphaSOC AE generates alerts describing anomalies (e.g. beaconing to a young domain, or a spike in ICMP traffic indicating tunneling) and known threats (e.g. C2 callbacks or Tor circuit setup). NFR retrieves alerts in JSON format and sends them via Syslog into any SIEM or SOAR platform.

Network Behavior Analytics for Graylog is our content pack used to render alerts sent over a GELF input into the platform, as below.

Our native integration for Splunk provides multiple dashboards to support threat hunting and investigation of anomalies. Policy Violations (e.g. P2P activity, third-party VPN use, and potentially unwanted programs) can be quickly escalated via ticketing (e.g. ServiceNow), freeing SOC analyst cycles to focus on hunting and triage of compromised hosts.

Multi-dimensional analytics solves many difficult use cases and addresses blind spots that security teams face. We are able to instantly flag the following threats via the analytics engine:

  • DNS and ICMP tunneling and exfiltration of data
  • Phishing attacks using new permutations and homoglyphs of brands
  • C2 callbacks, IRC traffic, and anonymized circuits (e.g. Tor, I2P, Freenet)
  • Lateral movement and odd egress traffic patterns indicative of infection
  • Cryptomining and cryptojacking attacks
  • Traffic to unknown / new dynamic DNS and hosting provider domains
  • Policy violations (e.g. unwanted programs, third-party VPN, and P2P use)
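The DNS tunneling and brand-permutation entries above both rest on lexical analysis of the FQDN (the "breakdown and analysis of each FQDN label" classifier). The Python below is added here and is not part of AlphaSOC's product: it splits a name on a small stand-in for the Public Suffix List, scores the hostname part for tunneling (length, label count, entropy, encoding alphabet), and checks the registrable label against a brand watch list for ASCII homoglyphs, one-character typos, and embedded brand names. The suffix list, homoglyph table, thresholds, brand list and sample names are all constructed for the example.

```python
"""Lexical FQDN analysis: DNS tunneling score and brand lookalike check.

Added example, not AlphaSOC code. Suffix list, homoglyph table,
thresholds, brand list and sample names are constructed for illustration.
"""
import math
from collections import Counter

# Constructed stand-in for the Public Suffix List (publicsuffix.org).
PUBLIC_SUFFIXES = {"com", "net", "org", "uk", "co.uk"}
BASE32_ALPHABET = set("abcdefghijklmnopqrstuvwxyz234567")
HEX_ALPHABET = set("0123456789abcdef")
# ASCII look-alike sequences only; a production check would also decode
# xn-- (punycode) labels and map Unicode confusables.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]
BRANDS = ["paypal", "microsoft", "google"]          # constructed watch list
SAMPLE_FQDNS = [                                     # constructed inputs
    "www.example.com",
    "mail.corp.example.co.uk",
    "3q2f7mkdk3ztv2xhl3sggwm5y5qzjtcq3nqdtpqvz6a.c4ddf2.t.tun-example.net",
    "paypa1.com",
    "rnicrosoft.com",
    "paypal-account-verify.net",
]


def split_fqdn(fqdn):
    """Return (hostname labels, registrable label, public suffix)."""
    labels = fqdn.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return [], labels[0], ""
    for i in range(len(labels)):            # longest candidate suffix first
        suffix = ".".join(labels[i:])
        if suffix in PUBLIC_SUFFIXES:
            if i == 0:
                return [], "", suffix
            return labels[:i - 1], labels[i - 1], suffix
    return labels[:-2], labels[-2], labels[-1]   # unknown suffix: last label is the TLD


def shannon_entropy(text):
    """Bits per character; encoded payloads sit near the alphabet's maximum."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def tunnel_score(fqdn):
    """Heuristic 0-7 score that the hostname labels carry tunnelled data."""
    host_labels, _domain, _suffix = split_fqdn(fqdn)
    sub = ".".join(host_labels)
    chars = sub.replace(".", "")
    score, reasons = 0, []
    if len(sub) > 40:
        score, reasons = score + 2, reasons + ["subdomain longer than 40 chars"]
    if any(len(label) > 30 for label in host_labels):
        score, reasons = score + 1, reasons + ["label longer than 30 chars"]
    if len(host_labels) >= 3:
        score, reasons = score + 1, reasons + ["three or more hostname labels"]
    entropy = shannon_entropy(chars)
    if entropy > 3.5:
        score, reasons = score + 2, reasons + [f"entropy {entropy:.2f} bits/char"]
    charset = set(chars)
    if len(chars) >= 16 and (charset <= BASE32_ALPHABET or charset <= HEX_ALPHABET):
        score, reasons = score + 1, reasons + ["base32/hex alphabet only"]
    return score, reasons


def edit_distance(a, b):
    """Levenshtein distance (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize(label):
    """Fold ASCII homoglyph sequences back to the letters they imitate."""
    label = label.lower()
    for glyph, plain in HOMOGLYPHS:
        label = label.replace(glyph, plain)
    return label


def brand_lookalike(registrable_label, brands=BRANDS):
    """Return (brand, kind) when the registrable label imitates a brand, else None."""
    if registrable_label in brands:          # the brand's own domain
        return None
    norm = normalize(registrable_label)
    for brand in brands:
        if norm == brand:
            return brand, "homoglyph"
        if edit_distance(norm, brand) <= 1:
            return brand, "typo"
        if brand in norm:                    # e.g. paypal-account-verify
            return brand, "embedded"
    return None


def analyse(fqdn):
    """Combine both checks for one name."""
    _host, domain, suffix = split_fqdn(fqdn)
    score, reasons = tunnel_score(fqdn)
    return {"fqdn": fqdn, "domain": f"{domain}.{suffix}", "tunnel_score": score,
            "tunnel_reasons": reasons, "lookalike": brand_lookalike(domain)}


if __name__ == "__main__":
    for name in SAMPLE_FQDNS:
        print(analyse(name))
```

On the sample names only the long base32-looking hostname scores as a tunnel candidate; the ordinary hostnames score zero, and paypa1, rnicrosoft and paypal-account-verify are reported as homoglyph, homoglyph and embedded-brand lookalikes respectively. An edit distance of one against a four- or five-letter brand will match ordinary words, so a production check weights the result by brand length and combines it with the domain's age and reputation rather than alerting on the lexical match alone.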

Identifying Gaps in Your Coverage

Finally, use Network Flight Simulator (flightsim, github.com/alphasoc/flightsim) to identify blind spots and test escalation paths within your SOC. The utility is open source, free to use, and synthesizes many malicious traffic patterns including C2 callbacks, requests to sinkholes, DNS tunneling, port scanning, and DGA traffic, as below.


AlphaSOC Blog

Written by Chris McNab, author of Network Security Assessment (O’Reilly Media) and co-founder of AlphaSOC, Inc.