Detect Cyber Threats with Securonix Proxy Traffic Analyzer
Introduction

Many organizations encounter an extremely high volume of proxy data on a daily basis. The volume of proxy data can range from 100 GB to over 1 TB an hour. Legacy security information and event management (SIEM) solutions struggle to handle this flow of data and still identify high-fidelity threats. As part of its next-generation SIEM platform, Securonix uses several proprietary machine learning-based algorithms in its proxy analyzer to analyze billions of events daily and identify high-fidelity threat actors or compromised endpoints.

[Figure: proxy analyzer overview. Labels in the diagram: Proxy Logs; Alexa's 1 Million Safe Domains; Domain Rarity Scores; Threat Intelligence (malicious IP, domains, requests, user agents); Multi-Language Dictionary; User Agent; Robotic Behavior Algorithm; Algorithmically Generated Domain; Entropy Estimation; Principal Component; Failed Redirected Requests; Request URL File Type; Logistic Regression; Malware Persistence; Beaconing; Exploit Kits (Angler); APT Detection; Fewer High-Fidelity Results, Context Enriched Events.]

Security Analytics. Delivered.
Proxy Analyzer Techniques

Securonix proxy analyzer combines multiple behavior-based algorithms in real time to detect anomalies and highlight potential threat actors.

Securonix Domain Visit Score

The proxy analyzer detects the presence or ranking of a domain as seen in your organization's proxy behavior. The proxy analyzer assigns a score to a domain based on the following factors:

- the number of distinct users, IPs, and endpoints visiting the domain
- the amount of bytes transmitted to or received from the domain
- HTTP response codes associated with the domain
- the reputation of the top-level domain (TLD) for the domain

After taking all the above indicators into consideration, the proxy analyzer assigns a score between 0 and 1 for the domain. A score close to 1 indicates a rarer domain, while a score closer to 0 indicates a more common domain. The domain visit score (DVS) is used as a basis for all additional analysis.

Domain Generated Algorithm

The domain generated algorithm (DGA) attempts to detect domains that are created by malicious algorithms or actors in an attempt to communicate externally. The Securonix DGA is a proprietary algorithm developed to detect malicious domains in over 80 languages. The DGA utilizes principal component analysis and natural language processing to identify normal dictionary words and thereby detect domains that are algorithmically generated. The DGA also utilizes the DVS in order to ensure high-fidelity results and identify DGA domains that are rarely seen in the organization. Domains that are visited by a small population (using the DVS score) could indicate a possible outbreak of malware due to multiple infected endpoints contacting the same domain. This is also helpful in detecting targeted attacks.
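The following Python is an added illustration of the two stages described above, not Securonix's code: it derives a DVS-style rarity score from constructed proxy records using the four listed factors, then combines character entropy, a stand-in dictionary and the DVS as a booster to flag DGA-like domains. The weights, thresholds, word list, TLD reputation table and the population size are all assumptions made for the example.

```python
import math
from collections import defaultdict

# Constructed sample proxy records: (user, src_ip, endpoint, domain, bytes, status).
PROXY_LOGS = [
    ("alice", "10.0.0.5", "WS-01", "mail.example.com", 52000, 200),
    ("bob", "10.0.0.6", "WS-02", "mail.example.com", 48000, 200),
    ("carol", "10.0.0.7", "WS-03", "mail.example.com", 51000, 200),
    ("dave", "10.0.0.8", "WS-04", "mail.example.com", 47000, 200),
    ("alice", "10.0.0.5", "WS-01", "xk3j9qz0vb1p.top", 310, 404),
    ("bob", "10.0.0.6", "WS-02", "xk3j9qz0vb1p.top", 305, 404),
]
POPULATION = 4  # endpoints in the estate (assumed)
DICTIONARY = {"mail", "example", "secure", "login", "news", "cloud"}  # stand-in word list
TLD_RISK = {"com": 0.1, "org": 0.1, "top": 0.8, "xyz": 0.8}  # hypothetical TLD reputation


def domain_visit_scores(logs, population=POPULATION):
    """Score each domain 0..1 (1 = rare) from distinct visitors, bytes moved,
    HTTP status codes and TLD reputation. Weights are illustrative assumptions."""
    st = defaultdict(lambda: [set(), set(), set(), 0, 0, 0])  # users, ips, hosts, bytes, errors, hits
    for user, ip, host, domain, nbytes, status in logs:
        s = st[domain]
        s[0].add(user); s[1].add(ip); s[2].add(host)
        s[3] += nbytes; s[4] += status >= 400; s[5] += 1
    scores = {}
    for domain, (users, ips, hosts, nbytes, errors, hits) in st.items():
        rarity = 1.0 - max(len(users), len(ips), len(hosts)) / population
        low_volume = 1.0 if nbytes / hits < 1024 else 0.0  # tiny transfers look robotic
        tld = TLD_RISK.get(domain.rsplit(".", 1)[-1], 0.5)
        scores[domain] = round(0.5 * rarity + 0.2 * low_volume + 0.15 * errors / hits + 0.15 * tld, 3)
    return scores

def shannon_entropy(label):
    probs = [label.count(c) / len(label) for c in set(label)]
    return -sum(p * math.log2(p) for p in probs)

def dictionary_coverage(label):
    """Rough share of the label explained by dictionary words (the NLP step, much simplified)."""
    return min(1.0, sum(len(w) for w in DICTIONARY if w in label) / len(label))

def dga_candidates(scores, entropy_min=3.0, coverage_max=0.3, dvs_min=0.5):
    """Flag labels that look machine-generated AND are rare in this estate (DVS as booster)."""
    flagged = []
    for domain, dvs in scores.items():
        label = domain.split(".")[-2]  # registrable label, e.g. 'example' in mail.example.com
        if shannon_entropy(label) >= entropy_min and dictionary_coverage(label) <= coverage_max and dvs >= dvs_min:
            flagged.append(domain)
    return flagged
```

On the constructed records only the random-looking `.top` domain, seen by two of four endpoints with tiny 404 responses, is flagged; a real deployment would replace the word list with full multi-language dictionaries and tune the thresholds against the estate's baseline.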
Robotic Beaconing Detection

Proxy analyzer detects persistent communication from a source to a destination, which could be an indicator of a compromised system communicating with a command and control (C&C) site. It analyzes the following characteristics to filter out false positives and bring out true threats:

- Detect the frequency of communication patterns between source and destination.
- Develop clusters based on the different harmonics of frequencies and the number of occurrences of each harmonic.
- Detect bytes transmitted and received between source and destination to detect robotic packets or instructions.
- Differentiate user browsing behavior such as streams, videos, tickers, etc. from malicious robotic beaconing by analyzing referrer URLs, HTTP response, and destination IPs to determine the nature of the request transmitted.

Based on the above characteristics, combined with the DVS, the Securonix proxy analyzer can detect malicious robotic beaconing.

Angler EK Detection

Securonix proxy analyzer analyzes URLs to detect patterns that could be similar to domains known to host Angler rootkits. It detects changes in the nature of requests, bytes transmitted, and URL referrers in order to detect Angler hosts containing Angler exploit kits.

URL: Proxy Avoidance

Securonix proxy analyzer analyzes URLs to detect possible proxy avoidance to malicious domains. This can include embedded URLs or domains within search engine queries, or a change in the URL request protocol such as between TCP and FTP, in an attempt to avoid static blacklists. This is correlated with the DVS to highlight true threats.

User Agent

Securonix proxy analyzer analyzes user agents to detect the number of user agents utilized across the organization. It then rates each user agent based on the number of users using it and on the domain that is visited with it.
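As an added example of the beaconing characteristics listed above (not Securonix's algorithm), the Python below groups constructed proxy events by source and destination, measures the base period and its harmonics, timing jitter, size uniformity and referrer use, and reports only pairs that are also rare by DVS. The event data, the DVS values and every threshold are assumptions; the example deliberately includes a legitimate periodic stock ticker to show how referrer and response size separate it from a beacon.

```python
import statistics
from collections import defaultdict

# Constructed proxy events: (epoch_s, src_ip, domain, bytes_out, bytes_in, referrer, status).
EVENTS = []
for i in range(12):  # infected host: one tiny request roughly every 60 s, no referrer
    EVENTS.append((1000 + 60 * i + (i % 3) - 1, "10.0.0.5", "upd-7f3k.example.test", 312, 210, "", 200))
for i in range(12):  # stock ticker: also periodic, but referred from an open page and returning content
    EVENTS.append((1000 + 30 * i, "10.0.0.6", "ticker.news.example", 400, 18000, "https://news.example/markets", 200))
for t, b in [(1000, 5200), (1007, 48000), (1031, 900), (1180, 22000), (1188, 3100), (1400, 71000)]:
    EVENTS.append((t, "10.0.0.7", "mail.example.com", 600, b, "https://mail.example.com/", 200))  # human browsing
DVS = {"upd-7f3k.example.test": 0.9, "ticker.news.example": 0.2, "mail.example.com": 0.01}  # assumed DVS output

def beacon_features(events, min_events=6):
    """Per (source, destination) pair: base period, harmonic regularity, jitter, size uniformity, referrer use."""
    pairs = defaultdict(list)
    for ev in events:
        pairs[(ev[1], ev[2])].append(ev)
    feats = {}
    for key, evs in pairs.items():
        if len(evs) < min_events:
            continue
        evs.sort()
        gaps = [b[0] - a[0] for a, b in zip(evs, evs[1:])]
        period = statistics.median(gaps)
        # Harmonic clustering: bucket each gap by its nearest multiple of the base period;
        # a beacon keeps most gaps in the 1x bucket even when the odd poll is missed.
        harmonics = defaultdict(int)
        for g in gaps:
            harmonics[round(g / period)] += 1
        sizes = [e[3] + e[4] for e in evs]
        feats[key] = {
            "period": period,
            "regular": harmonics[1] / len(gaps),
            "jitter": statistics.pstdev(gaps) / period,
            "size_cv": statistics.pstdev(sizes) / statistics.mean(sizes),
            "no_referrer": sum(1 for e in evs if not e[5]) / len(evs),
        }
    return feats

def robotic_beacons(events, dvs, dvs_min=0.5):
    """Periodic, uniform-size, referrer-less traffic to a rare domain (DVS) is reported as a beacon."""
    hits = []
    for (src, dom), f in beacon_features(events).items():
        periodic = f["regular"] >= 0.8 and f["jitter"] < 0.2
        robotic = f["size_cv"] < 0.1 and f["no_referrer"] > 0.5
        if periodic and robotic and dvs.get(dom, 0.0) >= dvs_min:
            hits.append((src, dom, f["period"]))
    return hits
```

Only the 10.0.0.5 pair is reported: the ticker is just as periodic but carries a referrer and real content, and the mail traffic has no dominant harmonic.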
User agent analysis is based on the following factors:

- user agent used
- domain visited (DVS score)
- known vulnerabilities based on the user agent string
- email client-based user agents, to detect domain visits resulting from email clicks

Other Indicators and Techniques

In addition to the above techniques, Securonix proxy analyzer also adds other enriched data segments during real-time analysis, including the following:

- detected content delivery networks (CDN) and other cloud-based providers
- detected ad tracking domains
- detected embedded files within GET requests
- detected threat intelligence collisions (only used as risk boosters)

Proxy Analyzer Threat Models

Once all the above algorithms run during real-time proxy ingestion, the resulting output consists of super-enriched, high-fidelity threats. Using Securonix tiered analytics, the proxy analyzer maximizes the number of true positives and increases the yield-to-hit ratio. In most engagements, we notice that from billions of events and thousands of endpoints the analyzer picks out roughly 10-20 endpoints and a few hundred associated events that are all high-fidelity threats.

A sample threat model that is included as part of the analyzer is as follows:

Domain Anomalies
- Domain presence using DVS
- DGA detection
- Angler EK detection
- User agent analysis

Network Persistence
- Robotic beaconing

Abnormal Packet Downloads
- Detect suspiciously high byte levels associated with malicious domains. This is associated with a command and control server.

The above threat model is a sample that combines different layers of the proxy analyzer. When it detects anomalies from the above categories, it associates them with an endpoint or an entity in order to find high-fidelity threats.
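The Python below is an added illustration of how the sample threat model's layers can be associated with an endpoint; it is not Securonix's implementation. It derives the Abnormal Packet Downloads layer from constructed byte counts and assumed DVS values, then scores each endpoint by how many independent layers agree, treating threat intelligence collisions strictly as a booster as the page states. Layer weights, thresholds and all sample data are assumptions.

```python
from collections import defaultdict

# Constructed outputs of the earlier detectors: (endpoint, category, detail). 'threat_intel'
# entries are collisions with an indicator feed and, per the page, count only as risk boosters.
ANOMALIES = [
    ("WS-01", "dga", "xk3j9qz0vb1p.top"),
    ("WS-01", "beaconing", "xk3j9qz0vb1p.top every 61 s"),
    ("WS-01", "threat_intel", "xk3j9qz0vb1p.top on feed"),
    ("WS-02", "dga", "xk3j9qz0vb1p.top"),
    ("WS-09", "threat_intel", "cdn.example.net on a stale feed"),  # intel hit, no behaviour
    ("WS-11", "user_agent", "rare UA 'python-requests/2.x'"),
]
# Constructed per-endpoint download totals (endpoint, domain, bytes_in) and assumed DVS values.
DOWNLOADS = [("WS-01", "xk3j9qz0vb1p.top", 18_000_000), ("WS-03", "cdn.example.net", 40_000_000)]
DVS = {"xk3j9qz0vb1p.top": 0.72, "cdn.example.net": 0.02}

# The three layers of the sample threat model; weights are illustrative assumptions.
LAYER = {"dvs": "domain", "dga": "domain", "angler": "domain", "user_agent": "domain",
         "beaconing": "persistence", "abnormal_download": "download"}
LAYER_WEIGHT = {"domain": 2, "persistence": 3, "download": 3}
TI_BOOST = 2

def abnormal_downloads(downloads, dvs, dvs_min=0.5, min_bytes=5_000_000):
    """Abnormal Packet Downloads layer: large transfers from domains the DVS already marks rare."""
    return [(host, "abnormal_download", f"{nbytes} bytes from {dom}")
            for host, dom, nbytes in downloads if nbytes >= min_bytes and dvs.get(dom, 0.0) >= dvs_min]

def score_endpoints(anomalies):
    """Associate every anomaly with its endpoint and score by how many independent layers agree."""
    by_host = defaultdict(list)
    for host, cat, detail in anomalies:
        by_host[host].append((cat, detail))
    scored = {}
    for host, items in by_host.items():
        layers = {LAYER[c] for c, _ in items if c in LAYER}
        if not layers:
            continue  # a threat-intel collision alone never raises an endpoint
        score = sum(LAYER_WEIGHT[l] for l in layers)
        if any(c == "threat_intel" for c, _ in items):
            score += TI_BOOST
        scored[host] = {"score": score, "layers": sorted(layers), "evidence": [d for _, d in items]}
    return scored

def high_fidelity(anomalies, min_layers=2):
    """Endpoints where at least two layers agree, ranked by score: the 'few' the page describes."""
    ranked = [(h, v) for h, v in score_endpoints(anomalies).items() if len(v["layers"]) >= min_layers]
    return sorted(ranked, key=lambda kv: -kv[1]["score"])
```

Run as `high_fidelity(ANOMALIES + abnormal_downloads(DOWNLOADS, DVS))`, only WS-01 surfaces: the large CDN download on WS-03 is common by DVS, and WS-09 has nothing but an intel match.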
ABOUT SECURONIX

Securonix is redefining the next generation of security monitoring using the power of machine learning and big data. Built on Hadoop, the Securonix solution provides unlimited scalability and log management, behavior analytics-based advanced threat detection, and intelligent incident response on a single platform. Globally, customers use Securonix to address their insider threat, cyber threat, cloud security, fraud, and application security monitoring requirements.

CONTACT SECURONIX
info@securonix.com
(310) 641-1000
1118