Detect Cyber Threats with Securonix Proxy Traffic Analyzer

www.securonix.com

Posted 26-May-2020

Security Analytics. Delivered. www.securonix.com

Introduction

Many organizations encounter an extremely high volume of proxy data on a daily basis. The volume of proxy data can range from 100 GB to over 1 TB an hour. Legacy security information and event management (SIEM) solutions struggle to handle this flow of data and still identify high-fidelity threats. As part of its next-generation SIEM platform, Securonix uses several proprietary machine learning-based algorithms in its proxy analyzer to analyze billions of events daily and identify high-fidelity threat actors or compromised endpoints.

[Figure: layered diagram of the proxy analyzer; only the labels survive extraction. Read top to bottom, the diagram shows:]

• Detections: Malware Persistence; Beaconing; Exploit Kits (Angler); APT Detection
• Output: Fewer High-Fidelity Results, Context Enriched Events
• Enrichment and analysis sources: Alexa's 1 Million Safe Domains; Threat Intelligence (malicious IPs, domains, requests, user agents); User Agent Analysis; Failed Redirected Requests; Request URL Analysis; File Type Analysis
• Algorithms: Robotic Behavior Algorithm; Algorithmically Generated Domain Analysis; Domain Rarity Scores; Multi-Language Dictionary; Entropy Estimation; Principal Component Analysis; Logistic Regression
• Input: Proxy Logs


Proxy Analyzer Techniques

Securonix proxy analyzer combines multiple behavior-based algorithms in real time to detect anomalies and highlight potential threat actors.

Securonix Domain Visit Score

The proxy analyzer detects the presence or ranking of a domain as seen in your organization's proxy behavior. The proxy analyzer assigns a score to a domain based on the following factors:

• the number of distinct users, IPs, and endpoints visiting the domain
• the number of bytes transmitted to or received from the domain
• HTTP response codes associated with the domain
• the reputation of the top-level domain (TLD) for the domain

After taking all the above indicators into consideration, the proxy analyzer assigns a score between 0 and 1 for the domain. A score close to 1 indicates a rarer domain, while a score closer to 0 indicates a more common domain. The domain visit score (DVS) is used as a basis for all additional analysis.

Domain Generated Algorithm

The domain generated algorithm (DGA) attempts to detect domains that are created by malicious algorithms or actors in an attempt to communicate externally. The Securonix DGA is a proprietary algorithm developed to detect malicious domains in over 80 languages.

The DGA utilizes principal component analysis and natural language processing to identify normal dictionary words and thereby detect domains that are algorithmically generated. The DGA also utilizes the DVS in order to ensure high-fidelity results and identify DGA domains that are rarely seen in the organization. Domains that are visited by a small population (using the DVS score) could indicate a possible outbreak of malware due to multiple infected endpoints contacting the same domain. This is also helpful in detecting targeted attacks.
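The two ideas described above, a rarity score per domain and a lexical test for algorithmically generated labels, as an added worked example in Python. This is illustrative code written for this page, not Securonix's DVS or DGA implementation: it scores rarity from only one of the four DVS factors (distinct users visiting each registrable domain), uses per-label Shannon entropy and greedy dictionary-word coverage as stand-ins for the entropy estimation and multi-language dictionary layers named in the figure, and then requires both a DGA-like label and a high rarity score before surfacing a domain. The word list, thresholds, two-label domain handling, and proxy log lines are all constructed assumptions.

```python
"""Constructed example: domain rarity plus lexical DGA features over proxy log lines.

Illustrative code for this page, not Securonix's DVS or DGA. Formulas, thresholds,
the word list and the log records are assumptions.
"""
import math
from collections import Counter, defaultdict

# Constructed sample proxy records: (user, source_ip, requested_host, bytes_out, http_status).
SAMPLE_LOGS = [
    ("alice", "10.0.0.11", "www.example.com", 1200, 200),
    ("bob", "10.0.0.12", "www.example.com", 900, 200),
    ("carol", "10.0.0.13", "example.com", 400, 304),
    ("dave", "10.0.0.14", "www.example.com", 1500, 200),
    ("erin", "10.0.0.15", "cdn.example.com", 70000, 200),
    ("alice", "10.0.0.11", "mail.google.com", 3000, 200),
    ("dave", "10.0.0.14", "xk3qz9vlmtb.info", 300, 404),
    ("dave", "10.0.0.14", "xk3qz9vlmtb.info", 300, 404),
    ("carol", "10.0.0.13", "secure-login-update.net", 800, 200),
]

# Tiny stand-in for a multi-language dictionary (assumption; a real one has many thousands of words).
DICTIONARY = {"example", "google", "mail", "secure", "login", "update",
              "news", "shop", "bank", "account", "cloud"}


def registered_domain(host: str) -> str:
    """Reduce a host name to its registrable domain.

    Assumption: a two-label suffix (example.com). Production code must consult the
    Public Suffix List so that names such as example.co.uk are handled correctly.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def rarity_scores(logs) -> dict:
    """Rarity in [0, 1]: 1 - (distinct users visiting the domain / distinct users overall).

    Near 1 means few users in the population visit the domain; near 0 means almost
    everyone does. Only the distinct-user factor is modelled here; bytes, response
    codes and TLD reputation are omitted for brevity.
    """
    users_by_domain = defaultdict(set)
    all_users = set()
    for user, _ip, host, _bytes, _status in logs:
        users_by_domain[registered_domain(host)].add(user)
        all_users.add(user)
    return {d: 1 - len(u) / len(all_users) for d, u in users_by_domain.items()}


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of the string."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def dictionary_coverage(label: str, words=DICTIONARY, min_len: int = 3) -> float:
    """Fraction of the label's letters covered by greedy longest-match dictionary words."""
    letters = "".join(ch for ch in label.lower() if ch.isalpha())
    if not letters:
        return 0.0
    max_len = max(len(w) for w in words)
    covered = i = 0
    while i < len(letters):
        for length in range(min(max_len, len(letters) - i), min_len - 1, -1):
            if letters[i:i + length] in words:
                covered += length
                i += length
                break
        else:  # no dictionary word starts here; skip one letter
            i += 1
    return covered / len(letters)


def is_dga_like(label: str, max_coverage: float = 0.5, min_entropy: float = 3.0) -> bool:
    """Flag labels that are high-entropy AND mostly not made of dictionary words.

    Requiring both avoids flagging hyphenated phishing-style names such as
    secure-login-update, whose entropy is high but whose words are all in the dictionary.
    """
    return dictionary_coverage(label) < max_coverage and shannon_entropy(label) >= min_entropy


def suspicious_domains(logs, min_rarity: float = 0.5) -> list:
    """Domains that look algorithmically generated and are rarely visited in this population."""
    rarity = rarity_scores(logs)
    return sorted(d for d, r in rarity.items()
                  if r >= min_rarity and is_dga_like(d.split(".")[0]))


if __name__ == "__main__":
    for domain, r in sorted(rarity_scores(SAMPLE_LOGS).items()):
        sld = domain.split(".")[0]
        print(f"{domain:26s} rarity={r:.2f} entropy={shannon_entropy(sld):.2f} "
              f"coverage={dictionary_coverage(sld):.2f} dga_like={is_dga_like(sld)}")
    print("suspicious:", suspicious_domains(SAMPLE_LOGS))
```

On the constructed records, example.com is visited by every user and scores rarity 0.0, while the three single-user domains all score 0.8; only xk3qz9vlmtb.info also fails the lexical test, so it is the one domain surfaced. The secure-login-update.net case shows why entropy alone is a poor DGA signal: its entropy exceeds the threshold, but its dictionary coverage is 1.0.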


Robotic Beaconing Detection

Proxy analyzer detects persistent communication from a source to a destination, which could be an indicator of a compromised system communicating with a command and control (C&C) site. It analyzes the following characteristics to filter out false positives and bring out true threats:

• Detect the frequency of communication patterns between source and destination. Develop clusters based on the different harmonics of the frequencies and the number of occurrences of each harmonic.

• Detect bytes transmitted and received between source and destination to detect robotic packets or instructions.

• Differentiate between user browsing behavior (streams, videos, tickers, etc.) and malicious robotic beaconing by analyzing referrer URLs, HTTP responses, and destination IPs to determine the nature of the request transmitted.

Based on the above characteristics, combined with the DVS, the Securonix proxy analyzer can detect malicious robotic beaconing.
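The three beaconing characteristics above, as an added worked example in Python that is not part of the original paper or of Securonix's detector. It computes, per source/destination pair, the regularity of inter-request gaps (coefficient of variation), the regularity of request sizes, and the share of requests that carry no referrer, then flags flows that are periodic, uniform in size and not driven by a page. The page's harmonic clustering is not implemented; the thresholds and the three constructed flows (a jittered 60-second beacon, a perfectly periodic intranet ticker that always carries a referrer, and bursty ordinary browsing) are assumptions.

```python
"""Constructed example: flag robotic beaconing by timing regularity, size regularity
and absence of a referrer. Illustrative code for this page, not Securonix's detector;
thresholds and log records are assumptions.
"""
import statistics
from collections import defaultdict

# Constructed sample records: (epoch_seconds, source_ip, destination_host, bytes, status, referrer).
SAMPLE_LOGS = (
    # Suspect beacon: ~60 s period with a second of jitter, near-constant size, no referrer.
    [(t, "10.0.0.14", "xk3qz9vlmtb.info", b, 200, "")
     for t, b in zip([0, 60, 121, 180, 239, 300, 361, 420],
                     [312, 312, 312, 318, 312, 312, 312, 312])]
    # Intranet stock ticker: perfectly periodic, but every request carries the page's referrer.
    + [(t, "10.0.0.12", "ticker.example.com", 500, 200, "https://intranet.example.com/dashboard")
       for t in range(0, 181, 30)]
    # Ordinary browsing: bursty, irregular gaps, mixed sizes.
    + [(t, "10.0.0.11", "www.example.com", b, 200, ref)
       for t, b, ref in [(5, 14000, ""), (12, 3200, "https://www.example.com/"),
                         (130, 900, "https://www.example.com/a"),
                         (131, 45000, "https://www.example.com/a"),
                         (133, 700, "https://www.example.com/a"), (400, 21000, ""),
                         (1000, 5600, "https://www.example.com/b"),
                         (1003, 1300, "https://www.example.com/b")]]
)


def coefficient_of_variation(values):
    """Population standard deviation divided by the mean; 0.0 means perfectly regular.
    Returns None when undefined (fewer than two values or a zero mean)."""
    if len(values) < 2:
        return None
    mean = statistics.mean(values)
    if mean == 0:
        return None
    return statistics.pstdev(values) / mean


def flow_features(logs) -> dict:
    """Per (source, destination): event count, gap CV, byte-size CV, share of requests without referrer."""
    flows = defaultdict(list)
    for ts, src, dst, nbytes, _status, referrer in logs:
        flows[(src, dst)].append((ts, nbytes, referrer))
    features = {}
    for key, events in flows.items():
        events.sort()  # order by timestamp before computing gaps
        gaps = [b[0] - a[0] for a, b in zip(events, events[1:])]
        features[key] = {
            "events": len(events),
            "interval_cv": coefficient_of_variation(gaps),
            "bytes_cv": coefficient_of_variation([e[1] for e in events]),
            "no_referrer_ratio": sum(1 for e in events if not e[2]) / len(events),
        }
    return features


def detect_beacons(logs, min_events=6, max_interval_cv=0.15,
                   max_bytes_cv=0.25, min_no_referrer=0.9) -> list:
    """Return flows that are periodic, uniform in size and not page-driven (no referrer)."""
    flagged = []
    for (src, dst), f in flow_features(logs).items():
        if f["events"] < min_events or f["interval_cv"] is None or f["bytes_cv"] is None:
            continue
        if (f["interval_cv"] <= max_interval_cv and f["bytes_cv"] <= max_bytes_cv
                and f["no_referrer_ratio"] >= min_no_referrer):
            flagged.append({"src": src, "dst": dst, **f})
    return flagged


if __name__ == "__main__":
    for (src, dst), f in flow_features(SAMPLE_LOGS).items():
        print(f"{src} -> {dst:20s} n={f['events']} gap_cv={f['interval_cv']:.3f} "
              f"bytes_cv={f['bytes_cv']:.3f} no_ref={f['no_referrer_ratio']:.2f}")
    for hit in detect_beacons(SAMPLE_LOGS):
        print("beacon candidate:", hit["src"], "->", hit["dst"])
```

The ticker flow is the instructive case: its timing is even more regular than the beacon's, and a timing-only rule would flag it, but every request carries a referrer from the dashboard page that embeds it, which is the kind of browsing signal the text uses to separate tickers and streams from C&C traffic. In a deployment the destination's DVS would be a further gate, as the paragraph above describes.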

Angler EK Detection

Securonix proxy analyzer analyzes URLs to detect patterns that could be similar to domains known to host Angler rootkits. It detects changes in the nature of requests, bytes transmitted, and URL referrers in order to detect Angler hosts containing Angler exploit kits.

URL Analysis: Proxy Avoidance

Securonix proxy analyzer analyzes URLs to detect possible proxy avoidance to malicious domains. This can include embedded URLs or domains within search engine queries, or a change in the URL request protocol, such as between TCP and FTP, in an attempt to avoid static blacklists. This is correlated with the DVS to highlight true threats.

User Agent Analysis

Securonix proxy analyzer analyzes user agents to detect the number of user agents utilized across the organization. It develops a user agent rating based on the number of users that use a given user agent for the domain being visited.


User agent analysis is based on the following factors:

• user agent used
• domain visited (DVS score)
• known vulnerabilities based on the user agent string
• email client-based user agents, to detect domain visits that result from email clicks

Other Indicators and Techniques

In addition to the above techniques, Securonix proxy analyzer also adds other enriched data segments during real-time analysis, including the following:

• detected content delivery networks (CDNs) and other cloud-based providers
• detected ad tracking domains
• detected embedded files within GET requests
• detected threat intelligence collisions (only used as risk boosters)

Proxy Analyzer Threat Models

Once all the above algorithms kick in during real-time proxy ingestion, the resulting output consists of super-enriched, high-fidelity threats. Using Securonix tiered analytics, the proxy analyzer maximizes the number of true positives and increases the yield-to-hit ratio. In most engagements, we notice that from billions of events and thousands of endpoints the analyzer picks out some 10-20 endpoints and a few hundred associated events that are all high-fidelity threats.

A sample threat model that is included as part of the analyzer is as follows:

Domain Anomalies
• Domain presence using DVS
• DGA detection
• Angler EK detection
• User agent analysis

Network Persistence
• Robotic beaconing

Abnormal Packet Downloads
• Detect suspiciously high byte levels associated with malicious domains. This is associated with a command and control server.

The above threat model is a sample that combines different layers of the proxy analyzer. When it detects anomalies from the above categories, it associates them with an endpoint or an entity in order to find high-fidelity threats.


ABOUT SECURONIX

Securonix is redefining the next generation of security monitoring using the power of machine learning and big data. Built on Hadoop, the Securonix solution provides unlimited scalability and log management, behavior analytics-based advanced threat detection, and intelligent incident response on a single platform. Globally, customers use Securonix to address their insider threat, cyber threat, cloud security, fraud, and application security monitoring requirements.

CONTACT [email protected] | (310) 641-1000

1118
