Hundreds of security teams process network telemetry via AE to uncover infected hosts and highlight anomalies that require investigation. High-fidelity alerts can be escalated to SOAR platforms for triage, and lower-fidelity findings can be used by threat hunting staff to proactively investigate potential threats.

AE solves 59 distinct use cases across the following high-level categories:

  • Traffic indicating a compromised host (e.g. C2 or malware distribution traffic)
  • Data exfiltration patterns, such as DNS or ICMP tunneling
  • Cryptomining traffic indicating infection or resource misuse
  • Targeted phishing campaign traffic (e.g. use of young lookalike domains)
  • Anomalies indicating infection, such as a cluster of suspicious events in a short period
  • Low-level protocol anomalies (e.g. SSH over a common port such as 80 or 443)
  • Policy violations (e.g. potentially unwanted programs and P2P network traffic)
  • Anonymizing circuit traffic, such as Tor, I2P, or Freenet

Data Processing Phases

AE runs telemetry through six layers of scoring, described in the following sections, to identify both known threats and unknown, emerging ones. Because several of these layers do not depend on prior indicators, AE can surface the first compromised host in an environment (the patient zero problem) and targeted attacks for which no known indicators exist.

Threat intelligence correlation

We maintain a threat intelligence platform and curate our own threat intelligence as we investigate ongoing attacks against customer environments. By combining our own intelligence with vetted third-party and open source indicators, we flag known threats, including:

  • C2 and malware distribution infrastructure
  • Traffic to known phishing destinations
  • Publisher infrastructure associated with potentially unwanted programs (PUPs)
  • Remote access software infrastructure (e.g. TeamViewer and ConnectWise Control)
  • Traffic to known bad dynamic DNS destinations
  • Traffic to malicious VPS / hosting provider destinations
  • Anonymizing network infrastructure (e.g. Tor, I2P, Freenet)
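To make the correlation step concrete, the following is an added example and not AlphaSOC's code: it matches destinations from network telemetry against a small indicator set, treating domain indicators as matching the domain itself and any subdomain, and IP indicators as CIDR ranges. The indicator values, categories, hostnames and event records are constructed for illustration only.

```python
import ipaddress
from dataclasses import dataclass

# Constructed indicator set (hypothetical values, not real intelligence).
# Domains are matched on the domain and any subdomain; IPs via CIDR containment.
INDICATORS = {
    "domains": {
        "c2.badexample.net": "c2",
        "login-micros0ft.example": "phishing",
    },
    "cidrs": {
        "203.0.113.0/24": "malicious_hosting",
    },
}

# Constructed telemetry records: source host and Internet destination.
SAMPLE_EVENTS = [
    {"src": "10.0.0.5", "dest": "www.example.org"},
    {"src": "10.0.0.5", "dest": "beacon.c2.badexample.net"},
    {"src": "10.0.0.9", "dest": "203.0.113.77"},
    {"src": "10.0.0.9", "dest": "login-micros0ft.example"},
]


@dataclass
class Match:
    destination: str
    category: str
    indicator: str  # which indicator fired, for analyst context


def build_cidrs(cidrs):
    """Parse CIDR indicators once so per-event matching is cheap."""
    return [(ipaddress.ip_network(c), cat) for c, cat in cidrs.items()]


def match_destination(dest, domains, nets):
    """Return a Match if dest is an indicated IP range or domain (or subdomain of one)."""
    try:
        ip = ipaddress.ip_address(dest)
    except ValueError:
        ip = None
    if ip is not None:
        for net, cat in nets:
            if ip in net:
                return Match(dest, cat, str(net))
        return None
    # Walk from the full hostname up to its parent domains so that
    # "beacon.c2.badexample.net" hits an indicator for "c2.badexample.net".
    labels = dest.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return Match(dest, domains[candidate], candidate)
    return None


def correlate(events, indicators=INDICATORS):
    """Return (source host, Match) pairs for every event that hits an indicator."""
    nets = build_cidrs(indicators["cidrs"])
    hits = []
    for ev in events:
        m = match_destination(ev["dest"], indicators["domains"], nets)
        if m is not None:
            hits.append((ev["src"], m))
    return hits


if __name__ == "__main__":
    for src, m in correlate(SAMPLE_EVENTS):
        print(f"{src} -> {m.destination}: {m.category} (indicator {m.indicator})")
```

Note that the parent-domain walk is deliberate: an indicator for a malicious domain should also catch subdomains the attacker rotates underneath it, while an indicator for a subdomain must not taint its parent (a registered domain indicator in a shared hosting zone would otherwise flag every unrelated tenant).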

Time series analysis

AE performs quantitative time series analysis of events to flag long-lived network sessions, traffic spikes, and events that fall into regular beaconing patterns over time. By overlaying time series data with other signals and context (e.g. domain age and prevalence), AE can highlight both data exfiltration and C2 patterns, such as beaconing to a rare, young domain with a suspicious TLD.
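The beaconing part of this analysis can be illustrated with an added example (not AlphaSOC's engine; the hostnames, timestamps and thresholds below are constructed). It groups connections by source/destination pair, computes the inter-arrival intervals, and treats a low coefficient of variation (standard deviation divided by mean) of those intervals as evidence of a timer-driven beacon, which survives the small random jitter implants often add.

```python
import statistics
from collections import defaultdict

BASE = 1_700_000_000  # constructed epoch-seconds origin for the sample

# Constructed sample connections: (timestamp_seconds, source_host, destination).
# The first pair checks in every ~300 s with a few seconds of jitter (beacon);
# the second is irregular, human-like browsing.
SAMPLE_CONNECTIONS = (
    [(BASE + 300 * i + j, "10.0.0.7", "upd.ex4mple-cdn.xyz")
     for i, j in enumerate([0, 2, -1, 3, 1, 0, -2, 1, 2, 0])]
    + [(BASE + t, "10.0.0.7", "www.example.org")
       for t in [5, 9, 130, 131, 600, 2400, 2405, 2410, 3100, 5000]]
)


def beacon_score(timestamps, min_events=8):
    """Summarise the regularity of a pair's timing, or None if too few events."""
    ts = sorted(timestamps)
    if len(ts) < min_events:
        return None
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    mean = statistics.fmean(gaps)
    if mean == 0:
        return None  # bursts of identical timestamps are not a beacon
    cv = statistics.pstdev(gaps) / mean  # coefficient of variation of the intervals
    return {"events": len(ts), "mean_interval_s": mean, "jitter_cv": cv}


def find_beacons(connections, max_cv=0.1, min_events=8):
    """Return pairs whose intervals are regular enough to be a beacon."""
    by_pair = defaultdict(list)
    for ts, src, dest in connections:
        by_pair[(src, dest)].append(ts)
    results = {}
    for pair, tss in by_pair.items():
        score = beacon_score(tss, min_events)
        if score is not None and score["jitter_cv"] <= max_cv:
            results[pair] = score
    return results


if __name__ == "__main__":
    for (src, dest), score in find_beacons(SAMPLE_CONNECTIONS).items():
        print(f"{src} -> {dest}: every {score['mean_interval_s']:.0f}s, "
              f"cv={score['jitter_cv']:.3f} over {score['events']} events")
```

On its own a regular interval is weak evidence (software updaters and monitoring agents beacon too), which is why the text overlays it with prevalence and domain age: a 300-second timer to a destination no other environment has ever contacted is a very different finding from one to a well-known update service.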

Prevalence scoring

AlphaSOC processes billions of events from hundreds of environments on a daily basis. By measuring how prevalent an Internet destination is across all of the networks we monitor, we can flag destinations that are unique or rare. This in turn enables AE to flag targeted attacks (e.g. spear phishing campaigns) with high fidelity.
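The following added example (not AlphaSOC's code; environment names, hosts and destinations are constructed) shows the shape of such a prevalence score: for each destination it counts the distinct monitored environments and distinct hosts that contacted it, and flags destinations seen from very few of either.

```python
from collections import defaultdict

# Constructed telemetry from three hypothetical monitored environments:
# (environment_id, source_host, destination). All names are made up.
SAMPLE_TELEMETRY = [
    ("env-a", "10.0.0.5", "www.example.org"),
    ("env-a", "10.0.0.6", "www.example.org"),
    ("env-b", "10.1.0.2", "www.example.org"),
    ("env-c", "10.2.0.9", "www.example.org"),
    ("env-a", "10.0.0.5", "cdn.example.net"),
    ("env-b", "10.1.0.3", "cdn.example.net"),
    ("env-a", "10.0.0.5", "secure-docs-review.example"),   # one host, one environment
    ("env-c", "10.2.0.9", "mail-auth-portal.example"),     # two hosts, one environment
    ("env-c", "10.2.0.10", "mail-auth-portal.example"),
]


def prevalence(telemetry):
    """Per destination: distinct environments and hosts that contacted it."""
    envs_by_dest = defaultdict(set)
    hosts_by_dest = defaultdict(set)
    all_envs = set()
    for env, host, dest in telemetry:
        all_envs.add(env)
        envs_by_dest[dest].add(env)
        hosts_by_dest[dest].add((env, host))  # host IPs overlap across environments
    return {
        dest: {
            "environments": len(envs_by_dest[dest]),
            "hosts": len(hosts_by_dest[dest]),
            "env_fraction": len(envs_by_dest[dest]) / len(all_envs),
        }
        for dest in envs_by_dest
    }


def rare_destinations(telemetry, max_envs=1, max_hosts=2):
    """Destinations seen in at most max_envs environments and max_hosts hosts overall."""
    stats = prevalence(telemetry)
    return {
        dest: s for dest, s in stats.items()
        if s["environments"] <= max_envs and s["hosts"] <= max_hosts
    }


if __name__ == "__main__":
    for dest, s in sorted(prevalence(SAMPLE_TELEMETRY).items()):
        print(f"{dest}: {s['environments']} env(s), {s['hosts']} host(s), "
              f"{s['env_fraction']:.0%} of environments")
    print("rare:", sorted(rare_destinations(SAMPLE_TELEMETRY)))
```

Rarity is a prior, not a verdict: an organisation's own SaaS tenant hostnames are rare across environments by design. The value of the signal comes from combining it with the other layers, as the text describes, so that "rare, young, and beaconing" ranks far above "rare" alone.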

Feature extraction and classification

As AE processes Internet-based telemetry, it performs feature extraction and classification to identify Base64-encoded content, high-entropy random-looking values (e.g. DGA domains), unusually long labels (e.g. DNS tunneling traffic), homoglyphs and other lookalike tricks, and further patterns. By processing data on-the-fly in this manner, the engine can uncover targeted attacks without relying on stale indicator lists.
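As an added example of the features this paragraph lists (it is not AlphaSOC's classifier; the brand watchlist, confusable map, thresholds and sample domains are constructed), the code below extracts Shannon entropy and vowel ratio of the second-level label, the longest label length, whether any label decodes as Base64, and whether the label resolves to a watched brand name once digit and Cyrillic lookalikes are folded back to ASCII. Case is preserved for the Base64 test because tunnelling tools rely on it.

```python
import base64
import binascii
import math
import re
from collections import Counter

# Constructed brand watchlist and confusable map. A production engine would use a
# far larger confusables table (e.g. Unicode TR39 data) and a public-suffix list.
BRANDS = ("microsoft", "google", "paypal")
CONFUSABLES = [
    ("rn", "m"), ("vv", "w"),
    ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"), ("7", "t"),
    ("\u0430", "a"), ("\u0435", "e"), ("\u043e", "o"), ("\u0440", "p"), ("\u0441", "c"),  # Cyrillic
]

# Constructed sample domains (none are real): benign, DGA-like, tunnel-like, two lookalikes.
SAMPLE_DOMAINS = [
    "www.example.org",
    "xk3j9q2lm8vz4p1r.example",
    "aGVsbG8gd29ybGQgdGhpcyBpcyBhIHR1bm5lbA.t.example",  # Base64 of a short string
    "login-micros0ft.example",
    "p\u0430ypal-verify.example",  # Cyrillic "а" in place of Latin "a"
]


def shannon_entropy(s):
    """Bits per character: random DGA labels score high, dictionary words low."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def looks_base64(label):
    """Heuristic: long, mixed-case label with digits that decodes as (URL-safe) Base64."""
    if len(label) < 16 or not re.fullmatch(r"[A-Za-z0-9+/_-]+", label):
        return False
    if not (re.search(r"[A-Z]", label) and re.search(r"[a-z]", label) and re.search(r"\d", label)):
        return False  # "wwwwwwwwwwwwwwww" is valid Base64 alphabet but not encoded data
    padded = label.replace("-", "+").replace("_", "/")
    padded += "=" * (-len(padded) % 4)
    try:
        base64.b64decode(padded, validate=True)
    except (binascii.Error, ValueError):
        return False
    return True


def deobfuscate(label):
    """Fold common digit and Cyrillic lookalikes back to the ASCII letters they imitate."""
    for src, dst in CONFUSABLES:
        label = label.replace(src, dst)
    return label


def extract_features(domain):
    raw_labels = domain.rstrip(".").split(".")  # keep case for the Base64 check
    labels = [l.lower() for l in raw_labels]
    sld = labels[-2] if len(labels) >= 2 else labels[0]  # naive: no public-suffix list
    normalized = deobfuscate(sld)
    vowels = sum(sld.count(v) for v in "aeiou")
    return {
        "sld": sld,
        "sld_entropy": shannon_entropy(sld),
        "sld_vowel_ratio": vowels / len(sld) if sld else 0.0,
        "longest_label_len": max(len(l) for l in labels),
        "base64_label": any(looks_base64(l) for l in raw_labels),
        "lookalike_of": next((b for b in BRANDS if b in normalized and b not in sld), None),
    }


def classify(domain):
    """Tag a domain with the pattern(s) its features suggest; thresholds are assumed."""
    f = extract_features(domain)
    tags = []
    if len(f["sld"]) >= 12 and f["sld_entropy"] >= 3.5 and f["sld_vowel_ratio"] < 0.2:
        tags.append("dga_like")
    if f["longest_label_len"] >= 30 or f["base64_label"]:
        tags.append("tunneling_like")
    if f["lookalike_of"]:
        tags.append(f"lookalike:{f['lookalike_of']}")
    return tags


if __name__ == "__main__":
    for d in SAMPLE_DOMAINS:
        print(f"{d}: {classify(d) or ['none']}")
```

Entropy alone misfires on short, digit-heavy but legitimate names, which is why the DGA rule also requires length and a low vowel ratio; the lookalike rule fires only when folding confusables changes the label, so a genuine brand domain is not flagged against itself.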

Third-party reputation scoring

AE leverages third-party APIs to retrieve context and reputation data for Internet-based destinations as they are encountered by the engine. These include the Google Web Risk API, DNS threat blocking providers (e.g. Quad9), WHOIS providers, and malware analysis platforms. Through these integrations, AE is able to highlight young domains and malicious destinations in real time without relying on static threat feeds.

Active fingerprinting

Through an anonymizing proxy layer, AE worker instances actively fingerprint (connect to and probe) Internet-based destinations as they are first seen within customer environments. These workers run on demand in software, so cryptomining pools and C2 infrastructure can be flagged as soon as a destination is observed.