Processing Layers

AE runs telemetry through six layers of scoring to identify both known and unknown emerging threats, as described in the subsequent sections. Through deep multi-dimensional processing, we solve the patient zero problem and uncover targeted attacks with no known indicators.

  • ACTIVE FINGERPRINTING: Through an anonymizing proxy layer we actively fingerprint destinations to identify C2 infrastructure in real-time.
  • REPUTATION SCORING: Leveraging third-party APIs (e.g. sandboxing engines and threat blocking providers) we gather live reputation data.
  • PREVALENCE SCORING: By measuring prevalence across customer environments, AE highlights traffic patterns to rare destinations.
  • TIME SERIES ANALYSIS: AE performs quantitative time series analysis to identify long-lived sessions, traffic spikes and beaconing patterns.
  • FEATURE CLASSIFICATION: AE performs feature classification work to identify DNS tunneling, DGA traffic and lookalike imposter domains.
  • INTELLIGENCE CORRELATION: We maintain a threat intelligence platform and curate indicator lists to flag traffic to known bad destinations online.

Active fingerprinting

Through an anonymizing proxy layer, AE worker instances actively fingerprint Internet-based destinations as they are seen within customer environments. These workers operate on-the-fly in software to instantly flag cryptomining pools and C2 infrastructure.

Third-party reputation scoring

AE leverages third-party APIs to retrieve context and reputation data for Internet-based destinations as they are encountered by the engine. These include the Google Web Risk API, DNS threat blocking providers (e.g. Quad9), WHOIS providers, and malware analysis platforms. Through these integrations, AE is able to highlight young domains and malicious destinations in real-time without threat feeds.

Prevalence scoring

AlphaSOC processes billions of events from hundreds of environments on a daily basis. By measuring the prevalence of an Internet destination across all of the networks we monitor, we are able to flag destinations that are unique or rare. This in turn enables AE to flag targeted attacks (e.g. spear phishing campaigns) with high fidelity.

Time series analysis

AE performs quantitative time series analysis of events to flag long-lived network sessions, traffic spikes, and events that fall into regular beaconing patterns over time. By overlaying time series data with other material and context, AE is able to highlight both data exfiltration and C2 patterns (e.g. beaconing to a unique young domain with a suspicious TLD).

Feature extraction and classification

As AE processes Internet-based telemetry, it performs feature extraction and classification to identify Base64-encoded content, perplexing values (e.g. DGA domains), long values (e.g. DNS tunneling traffic), homoglyphs, and other patterns. By processing data on-the-fly in this manner, the engine can uncover targeted attacks without relying on stale indicator lists.
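The per-label features named above (long values, random-looking values, Base64 content, homoglyphs) can be computed from a DNS query name as in the following added example. It is not AlphaSOC's code; the function names, flag names and thresholds are assumptions chosen for illustration, and the query names are constructed.

```python
import base64, binascii, math, re, unicodedata
from collections import Counter

# Thresholds are illustrative assumptions, not AlphaSOC's values.
ENTROPY_MIN_LEN, ENTROPY_BITS, LONG_LABEL = 12, 3.5, 40

def shannon_entropy(s):
    """Bits per character; random-looking (DGA-style) labels score high."""
    return -sum(n / len(s) * math.log2(n / len(s)) for n in Counter(s).values())

def looks_base64(label):
    """True if the label decodes as URL-safe Base64 into printable ASCII."""
    if len(label) < 16 or not re.fullmatch(r"[A-Za-z0-9_-]+", label):
        return False
    try:
        raw = base64.urlsafe_b64decode(label + "=" * (-len(label) % 4))
    except (binascii.Error, ValueError):
        return False
    return all(32 <= b < 127 for b in raw)

def mixed_script(label):
    """True if letters from more than one script share a label (homoglyph hint)."""
    if label.lower().startswith("xn--"):  # IDN label: decode punycode first
        try:
            label = label[4:].encode("ascii").decode("punycode")
        except UnicodeError:
            return False
    scripts = {unicodedata.name(c, "UNKNOWN").split()[0] for c in label if c.isalpha()}
    return len(scripts) > 1

def classify(qname):
    """Return the set of feature flags raised by any label of a query name."""
    flags = set()
    for label in filter(None, qname.rstrip(".").split(".")):
        if len(label) >= LONG_LABEL:
            flags.add("long_label")
        if len(label) >= ENTROPY_MIN_LEN and shannon_entropy(label) >= ENTROPY_BITS:
            flags.add("high_entropy")
        if looks_base64(label):
            flags.add("base64")
        if mixed_script(label):
            flags.add("mixed_script")
    return flags

if __name__ == "__main__":
    # Constructed sample query names, not real observations.
    b64 = base64.urlsafe_b64encode(b"secret-data-chunk-001").decode().rstrip("=")
    idn = "xn--" + "\u0430pple".encode("punycode").decode()  # Cyrillic 'а' + "pple"
    for q in ("www.example.com", "xkqz7v9p2mbt4hw8.example.net", b64 + ".t.example.org", idn + ".example.com"):
        print(q, sorted(classify(q)))
```

Flags like these are weak signals on their own: benign CDN and telemetry hostnames also produce long or high-entropy labels, which is why the page combines them with the other scoring layers.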

Threat intelligence correlation

We maintain a threat intelligence platform and curate our own threat intelligence as we investigate ongoing attacks against customer environments. By combining our own intelligence with vetted third-party open source indicators, we can flag known threats, e.g.:

  • C2 and malware distribution infrastructure
  • Traffic to known phishing destinations
  • Publisher infrastructure associated with potentially unwanted programs (PUPs)
  • Remote access software infrastructure (e.g. TeamViewer and ConnectWise Control)
  • Traffic to known bad dynamic DNS destinations
  • Traffic to malicious VPS / hosting provider destinations
  • Anonymized circuit protocols (e.g. Tor, I2P, Freenet)

Threat feed update schedule

The threat feeds and data sources for the AlphaSOC threat intelligence platform are updated on an hourly basis. Third-party sources of threat feed data include open sources (e.g., abuse.ch and other community feeds), sources published via GitHub, and our commercial partners (e.g., VirusTotal).