Detect Cyber Threats with Securonix Proxy Traffic Analyzer
www.securonix.com
Security Analytics. Delivered. www.securonix.com
Introduction
Many organizations encounter an extremely high volume of proxy data on a daily basis. The volume of proxy data can range from 100 GB to over 1 TB an hour. Legacy security information and event management (SIEM) solutions struggle to handle this flow of data and still identify high-fidelity threats. As part of its next-generation SIEM platform, Securonix uses several proprietary machine learning-based algorithms in its proxy analyzer to analyze billions of events daily and identify high-fidelity threat actors or compromised endpoints.
[Figure: proxy analyzer pipeline. Input: Proxy Logs. Analysis components: Alexa's 1 Million Safe Domains; Threat Intelligence (malicious IP, domains, requests, user agents); User Agent Analysis; Failed Redirected Requests; Request URL Analysis; File Type Analysis; Robotic Behavior Algorithm; Algorithmically Generated Domain Analysis; Domain Rarity Scores; Multi-Language Dictionary; Entropy Estimation; Principal Component Analysis; Logistic Regression. Detections: Malware Persistence, Beaconing, Exploit Kits (Angler), APT Detection. Output: Fewer High-Fidelity Results, Context Enriched Events.]
Proxy Analyzer Techniques
Securonix proxy analyzer combines multiple behavior-based algorithms in real time to detect anomalies and highlight potential threat actors.
Securonix Domain Visit Score
The proxy analyzer detects the presence or ranking of a domain as seen in your organization’s proxy behavior. The proxy analyzer assigns a score to a domain based on the following factors:
• the number of distinct users, IPs, and endpoints visiting the domain
• the number of bytes transmitted to or received from the domain
• HTTP response codes associated with the domain
• the reputation of the top-level domain (TLD) for the domain
After taking all the above indicators into consideration, the proxy analyzer assigns a score between 0 and 1 for the domain. A score close to 1 indicates a rarer domain, while a score closer to 0 indicates a more common domain. The domain visit score (DVS) is used as a basis for all additional analysis.
Domain Generated Algorithm
The domain generated algorithm (DGA) attempts to detect domains that are created by malicious algorithms or actors in an attempt to communicate externally. The Securonix DGA is a proprietary algorithm developed to detect malicious domains in over 80 languages.
The DGA utilizes principal component analysis and natural language processing to identify normal dictionary words and thereby detect domains that are algorithmically generated. The DGA also utilizes the DVS in order to ensure high-fidelity results and identify DGA domains that are rarely seen in the organization. Domains that are visited by a small population (as indicated by the DVS) could indicate a possible outbreak of malware due to multiple infected endpoints contacting the same domain. This is also helpful in detecting targeted attacks.
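The two steps above, domain visit scoring and DGA-likeness combined into one verdict, as an added worked example that is not Securonix code: the factor weights, the TLD reputation table, the toy dictionary and the sample proxy records are all assumed, and the DGA test is a simple entropy/dictionary heuristic rather than the paper's PCA/NLP model.

```python
import math
from collections import Counter, defaultdict

# Constructed sample proxy records (user, source IP, host, bytes, HTTP status); not real traffic.
PROXY_LOGS = [
    ("alice", "10.0.0.5", "www.example.com", 5200, 200),
    ("bob", "10.0.0.6", "www.example.com", 4100, 200),
    ("carol", "10.0.0.7", "www.example.com", 6100, 200),
    ("dave", "10.0.0.8", "cdn.example.net", 80000, 200),
    ("alice", "10.0.0.5", "cdn.example.net", 91000, 200),
    ("bob", "10.0.0.6", "xk4qz9v2mfw8.top", 310, 404),
    ("bob", "10.0.0.6", "xk4qz9v2mfw8.top", 290, 404),
    ("erin", "10.0.0.9", "newsletter-archive.org", 12000, 200),
]
TLD_RISK = {"top": 0.9, "com": 0.1, "net": 0.2, "org": 0.2}       # assumed TLD reputation table
WORDS = {"example", "news", "letter", "archive", "mail", "shop"}  # toy dictionary, one language

def domain_visit_score(logs):
    """DVS in [0,1] per domain from the paper's four factors (distinct users stand in for
    users/IPs/endpoints); closer to 1 = rarer. Weights 0.4/0.2/0.2/0.2 are assumed."""
    stats = defaultdict(lambda: {"users": set(), "bytes": 0, "errors": 0, "hits": 0})
    for user, _ip, host, nbytes, status in logs:
        s = stats[host]
        s["users"].add(user); s["bytes"] += nbytes; s["hits"] += 1
        s["errors"] += int(status >= 400)
    total_users = len({rec[0] for rec in logs})
    max_bytes = max(s["bytes"] for s in stats.values())
    return {host: round(0.4 * (1 - len(s["users"]) / total_users)          # few distinct visitors
                        + 0.2 * (1 - s["bytes"] / max_bytes)               # little traffic volume
                        + 0.2 * (s["errors"] / s["hits"])                  # error-heavy responses
                        + 0.2 * TLD_RISK.get(host.rsplit(".", 1)[-1], 0.5), 3)  # TLD reputation
            for host, s in stats.items()}

def dga_score(host):
    """Heuristic DGA-likeness in [0,1]: high character entropy, no dictionary words, digits mixed in."""
    label = host.split(".")[-2].replace("-", "")          # registrable label, hyphens dropped
    n = len(label)
    entropy = -sum(c / n * math.log2(c / n) for c in Counter(label).values())
    covered = min(sum(len(w) for w in WORDS if w in label), n)   # characters explained by words
    digits = sum(ch.isdigit() for ch in label)
    return round(0.4 * min(entropy / 4.0, 1.0) + 0.4 * (1 - covered / n) + 0.2 * digits / n, 3)

def suspicious_dga_domains(logs, dga_min=0.6, dvs_min=0.5):
    """Domains that look generated AND are rare in this organization (DGA combined with DVS)."""
    dvs = domain_visit_score(logs)
    return sorted(h for h, score in dvs.items() if score >= dvs_min and dga_score(h) >= dga_min)
```

With the sample records only the high-entropy, rarely visited .top host passes both tests; the common CDN and dictionary-word domains score low on one or both axes.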
Robotic Beaconing Detection
Proxy analyzer detects persistent communication from a source to a destination which could be an indicator of a compromised system communicating to a command and control (C&C) site. It analyzes the following characteristics to filter out false positives and bring out true threats:
• Detect the frequency of communication patterns between source and destination. Develop clusters based on the different harmonics of frequencies and number of occurrences of each harmonic.
• Detect bytes transmitted and received between source and destination to detect robotic packets or instructions.
• Differentiate user browsing behavior (streams, videos, tickers, etc.) from malicious robotic beaconing by analyzing referrer URLs, HTTP responses, and destination IPs to determine the nature of the request transmitted.
Based on the above characteristics, combined with the DVS, the Securonix proxy analyzer can detect malicious robotic beaconing.
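The three characteristics above, worked as an added example that is not Securonix code: per source/destination pair it finds the dominant interval harmonic, measures how regular the byte sizes are, checks for referrers, and then combines the result with a DVS value. The 5-second interval buckets, the thresholds, the sample events and the DVS table are all assumed.

```python
import statistics
from collections import Counter, defaultdict

# Constructed sample proxy events (epoch seconds, src IP, host, bytes, referrer, status); not real traffic.
EVENTS = [
    # regular 60 s check-ins with a tiny fixed payload and no referrer: the robotic pattern
    *[(1_700_000_000 + 60 * i, "10.0.0.6", "xk4qz9v2mfw8.top", 312, "", 404) for i in range(12)],
    # a user streaming video: also roughly periodic chunk fetches, but large, growing, page-referred
    *[(1_700_000_000 + 30 * i + (i % 3) * 7, "10.0.0.5", "video.example.com",
       500_000 + 3_000 * i, "https://www.example.com/watch", 206) for i in range(12)],
    # ordinary one-off browsing
    (1_700_000_100, "10.0.0.7", "www.example.com", 1200, "", 200),
    (1_700_000_900, "10.0.0.7", "news.example.org", 3400, "https://www.example.com/", 200),
]
# DVS per host; in production this comes from the domain visit scoring step (assumed values here)
DVS = {"xk4qz9v2mfw8.top": 0.9, "video.example.com": 0.15, "www.example.com": 0.1, "news.example.org": 0.3}

def pair_features(events, min_requests=6):
    """Per (src, dst): dominant interval harmonic, its share of gaps, byte-size regularity, referrer share."""
    by_pair = defaultdict(list)
    for ts, src, dst, nbytes, ref, _status in events:
        by_pair[(src, dst)].append((ts, nbytes, ref))
    feats = {}
    for pair, recs in by_pair.items():
        if len(recs) < min_requests:          # too few requests to call anything periodic
            continue
        recs.sort()
        gaps = [b[0] - a[0] for a, b in zip(recs, recs[1:])]
        harmonic, count = Counter(round(g / 5) * 5 for g in gaps).most_common(1)[0]  # 5 s buckets
        sizes = [r[1] for r in recs]
        feats[pair] = {
            "period": harmonic,                                   # dominant interval in seconds
            "periodicity": count / len(gaps),                     # share of gaps on that harmonic
            "byte_cv": statistics.pstdev(sizes) / statistics.mean(sizes),  # 0 = identical sizes
            "referred": sum(1 for r in recs if r[2]) / len(recs), # share carrying a referrer
        }
    return feats

def robotic_beacons(events, dvs, min_periodicity=0.8, max_byte_cv=0.1, dvs_min=0.5):
    """Pairs whose timing and sizes are machine-regular, unreferred, and aimed at a rare domain."""
    return sorted(pair for pair, f in pair_features(events).items()
                  if f["periodicity"] >= min_periodicity and f["byte_cv"] <= max_byte_cv
                  and f["referred"] == 0 and dvs.get(pair[1], 1.0) >= dvs_min)
```

The video stream is nearly as periodic as the beacon, so timing alone would flag it; the referrer and the low DVS are what separate it from the check-ins to the rare domain.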
Angler EK Detection
Securonix proxy analyzer analyzes URLs to detect patterns that could be similar to domains known to host Angler root kits. It detects changes in the nature of requests, bytes transmitted, and URL referrers in order to detect Angler hosts containing Angler exploit kits.
URL Analysis: Proxy Avoidance
Securonix proxy analyzer analyzes URLs to detect possible proxy avoidance to malicious domains. This can include embedded URLs or domains within search engine queries, or utilizing a change in the URL request protocol (such as between TCP and FTP) in an attempt to avoid static blacklists. This is correlated with the DVS to highlight true threats.
User Agent Analysis
Securonix proxy analyzer analyzes user agents to detect the number of user agents utilized across the organization. It develops a user agent rating, again based on the number of users using a user agent and on the domain that is visited.
User agent analysis is based on the following factors:
• user agent used
• domain visited (DVS)
• known vulnerabilities based on the user agent string
• email client-based user agents, to detect domain visits resulting from email clicks
Other Indicators and Techniques
In addition to the above techniques, Securonix proxy analyzer also adds other enriched data segments during real-time analysis, including the following:
• detected content delivery networks (CDN) and other cloud-based providers
• detected ad tracking domains
• detected embedded files within GET requests
• detected threat intelligence collisions (only used as risk boosters)
Proxy Analyzer Threat Models
Once all the above algorithms kick in during real-time proxy ingestion, the resulting output consists of super-enriched high-fidelity threats. Using Securonix tiered analytics, the proxy analyzer maximizes the number of true positives and increases the yield-to-hit ratio. In most engagements, we notice that from billions of events and thousands of endpoints the analyzer picks out roughly 10-20 endpoints and a few hundred associated events that are all high-fidelity threats.
A sample threat model that is included as part of the analyzer is as follows:
Domain Anomalies
• Domain presence using DVS
• DGA detection
• Angler EK detection
• User agent analysis
Network Persistence
• Robotic beaconing
Abnormal Packet Downloads
• Detect suspiciously high byte levels associated with malicious domains. This is associated with a command and control server.
The above threat model is a sample that combines different layers of the proxy analyzer. When it detects anomalies from the above categories, it associates them with an endpoint or an entity in order to find high-fidelity threats.
ABOUT SECURONIX
Securonix is redefining the next generation of security monitoring using the power of machine learning and big data. Built on Hadoop, the Securonix solution provides unlimited scalability and log management, behavior analytics-based advanced threat detection, and intelligent incident response on a single platform. Globally, customers use Securonix to address their insider threat, cyber threat, cloud security, fraud, and application security monitoring requirements.
CONTACT [email protected] | (310) 641-1000
1118