Processing Layers
AE runs telemetry through six layers of scoring to identify both known and unknown emerging threats, as described in the subsequent sections. Through deep multi-dimensional processing, we solve the patient zero problem and uncover targeted attacks with no known indicators.
FINGERPRINTING
SCORING
threat blocking providers) we gather live reputation data.
SCORING
AE highlights traffic patterns to rare destinations.
ANALYSIS
long-lived sessions, traffic spikes and beaconing patterns.
CLASSIFICATION
tunneling, DGA traffic and lookalike imposter domains.
CORRELATION
indicator lists to flag traffic to known bad destinations online.
Active fingerprinting
Through an anonymizing proxy layer, AE worker instances actively fingerprint Internet-based destinations as they are seen within customer environments. These workers operate on-the-fly in software to instantly flag cryptomining pools and C2 infrastructure.
Third-party reputation scoring
AE leverages third-party APIs to retrieve context and reputation data for Internet-based destinations as they are encountered by the engine. These include the Google Web Risk API, DNS threat blocking providers (e.g. Quad9), WHOIS providers, and malware analysis platforms. Through these integrations, AE is able to highlight young domains and malicious destinations in real-time without threat feeds.
Prevalence scoring
AlphaSOC processes billions of events from hundreds of environments on a daily basis. Through measuring prevalence of an Internet destination across all of the networks we monitor, we are able to flag destinations that are unique or rare. This in-turn enables AE to flag targeted attacks (e.g. spear phishing campaigns) with high fidelity.
Time series analysis
AE performs quantitative time series analysis of events to flag long-lived network sessions, traffic spikes, and events that fall into regular beaconing patterns over time. By overlaying time series data with other material and context, AE is able to highlight both data exfiltration and C2 patterns (e.g. beaconing to a unique young domain with a suspicious TLD).
Feature extraction and classification
As AE processes Internet-based telemetry, it performs feature extraction and classification to identify Base64-encoded content, perplexing values (e.g. DGA domains), long values (e.g. DNS tunneling traffic), homoglyphs, and other patterns. By processing data on-the-fly in this manner, the engine can uncover targeted attacks without relying on stale indicator lists.
Threat intelligence correlation
We maintain a threat intelligence platform and curate our own threat intelligence as we investigate ongoing attacks against customer environments. By combining our own intelligence with vetted third-party open source indicators we can flag known threats, e.g.
- C2 and malware distribution infrastructure
- Traffic to known phishing destinations
- Publisher infrastructure associate with potentially unwanted programs (PUPs)
- Remote access software infrastructure (e.g. TeamViewer and ConnectWise Control)
- Traffic to known bad dynamic DNS destinations
- Traffic to malicious VPS / hosting provider destinations
- Anonymized circuit protocols (e.g. Tor, I2P, Freenet)
Threat feed update schedule
The threat feeds and data sources for the AlphaSOC threat intelligence platform are updated on an hourly basis. Third-party sources of threat feed data include open sources (e.g., abuse.ch and other community feeds), sources published via GitHub, and our commercial partners (e.g., VirusTotal).