2025-03-29 Update From: SLTechnology News&Howtos shulou (Network Security)
Shulou(Shulou.com)05/31 Report--
This article is about how to use the Awake Security Platform, a tool that applies network traffic analysis (NTA) to detect malicious behavior. The editor found it very practical and shares it here in the hope that you learn something from it. Without further ado, read on.
As enterprises and other organizations move more of their networks to the cloud and to remote work, the definition of the traditional network perimeter is changing. At the same time, the growing number of IoT devices, the spread of encrypted traffic and the presence of shadow IT systems explain why keeping networks and systems secure remains an unsolved problem.
More importantly, attackers keep changing tactics: they rely less on bespoke malware and instead steal legitimate credentials and "live off the land" with tools already present in ordinary environments, such as Python scripts, PowerShell, WMI, PsExec or Microsoft Office macros.
Detecting malicious behavior is hard, especially when it is blended with legitimate activity. Enterprises have tried to address this with traditional network forensics tools (such as RSA NetWitness) and with network traffic analysis (NTA) tools such as Darktrace. Increasingly, buyers want the two combined, and that demand is what Awake Security set out to meet.
Network entity tracking
The Awake Security Platform can analyze traffic from many sources: traditional network packets, vSwitch traffic, API calls from cloud and SaaS applications, and serverless compute instances. It also covers operational technology (OT) networks that are usually invisible to the security team.
Rahul Kashyap, CEO of Awake, said that the platform ingests packets and communications through a traditional network SPAN or TAP, a cloud TAP, a virtual switch TAP or SaaS API links, and then analyzes the resulting data in real time to discover the "assets" in the enterprise or organization (devices, users, applications and so on) and the domains on the other side of each communication, building a security knowledge graph (which we call EntityIQ).
Awake Security Platform automatically identifies and tracks business assets on the network
Discovery and analysis of entities on the network is autonomous: the platform performs full-packet and encrypted-traffic analysis and does not rely on (changeable) IP addresses to track a device.
Detecting malicious behavior and intent
Once the network entities have been profiled, the platform classifies their behaviors and relationships. Targeted detections then surface new attacker tradecraft by extracting millions of signals from the attributes and behaviors of these entities, from raw communication and network data, from threat intelligence and from user behavior analytics. These signals are fed to Awake's neural network and machine learning models; along the way the platform clusters entities by similarity so that outliers showing malicious intent stand out.
This approach is designed to hold up across time, across multiple network protocols and across attacker tactics, techniques and procedures (TTPs); the company's research team maps its coverage to the MITRE ATT&CK framework to keep TTP coverage broad.
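The point about not keying on IP addresses is easy to get wrong in home-grown tooling. The following is an added example written for this article, not Awake's code: it correlates DHCP lease events with flow records so that a device keeps one identity (its MAC and DHCP hostname) after its IP changes, and so that a reused IP is attributed to the new holder rather than the old one. All DHCP events and flow records are constructed for the example.

```python
"""Resolve network flows to stable device entities across IP churn.

Added example (not Awake's code). DHCP ACK events give a time-ordered
lease history per IP; a flow is attributed to whichever MAC held the
source IP at the flow's timestamp. All records below are constructed.
"""
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed DHCP ACK events: (timestamp, client MAC, assigned IP, hostname).
DHCP_EVENTS = [
    ("2024-05-01T08:00:00", "aa:bb:cc:00:00:01", "10.0.1.20", "lab-laptop-01"),
    ("2024-05-01T08:00:05", "aa:bb:cc:00:00:02", "10.0.1.21", "hr-desktop-07"),
    # Same laptop reconnects at midday and gets a different address.
    ("2024-05-01T12:30:00", "aa:bb:cc:00:00:01", "10.0.1.55", "lab-laptop-01"),
    # Its old address is handed to a different device a minute later.
    ("2024-05-01T12:31:00", "aa:bb:cc:00:00:03", "10.0.1.20", "guest-phone"),
]

# Constructed flow records: (timestamp, source IP, destination host, bytes out).
FLOWS = [
    ("2024-05-01T09:15:00", "10.0.1.20", "updates.vendor.example", 2048),
    ("2024-05-01T12:45:00", "10.0.1.55", "api.twitter.com", 512),
    ("2024-05-01T12:50:00", "10.0.1.20", "news.example", 900),
]


def parse_ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


def build_lease_table(events) -> Dict[str, List[Tuple[datetime, str]]]:
    """Map each IP to its lease history as (lease start, MAC), sorted by start."""
    table: Dict[str, List[Tuple[datetime, str]]] = {}
    for ts, mac, ip, _host in events:
        table.setdefault(ip, []).append((parse_ts(ts), mac))
    for ip in table:
        table[ip].sort()
    return table


def entity_for(ip: str, at: datetime, leases) -> Optional[str]:
    """Return the MAC that held `ip` at time `at`: the latest lease starting <= at."""
    holder = None
    for start, mac in leases.get(ip, []):
        if start <= at:
            holder = mac
        else:
            break  # leases are sorted; later ones start after `at`
    return holder


def attribute_flows(events, flows) -> List[Tuple[str, str, str]]:
    """Return (hostname, MAC, destination) per flow, resolved by lease time, not IP alone."""
    leases = build_lease_table(events)
    hostnames = {mac: host for _, mac, _, host in events}
    result = []
    for ts, src, dst, _bytes in flows:
        mac = entity_for(src, parse_ts(ts), leases)
        result.append((hostnames.get(mac, "unknown"), mac or "unknown", dst))
    return result


if __name__ == "__main__":
    for host, mac, dst in attribute_flows(DHCP_EVENTS, FLOWS):
        print(f"{host:14} {mac}  ->  {dst}")
```

Keyed on IP alone, the 12:50 flow from 10.0.1.20 would be blamed on the laptop that held that address in the morning; resolved by lease time it lands on the guest phone, and the laptop's midday contact with api.twitter.com is correctly tied to the same entity as its morning traffic.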
The platform identified four IP phones and surfaced their voice call information
Kashyap pointed out that by analyzing behavior over time and tracking individual entities, threatening behavior, malicious behavior and known indicators can be found in the network. The security team can also add its own information about an entity. The platform gives each network entity a risk rating similar to a credit score, along with the detailed behavior and timestamps that explain to users why the risk is high.
The Awake platform scores entities in the network environment by risk.
Every finding can be viewed in the product interface or sent to the organization's SIEM and integrated with EDR. The platform can also integrate with business process platforms and connect to firewalls, proxies and similar controls.
Additional features
As attack techniques evolve, the Awake platform can evolve with them.
Similar to Amazon's approach with the Alexa platform, Awake provides an open platform that lets users solve new problems with the methods currently available, rather than forcing the whole solution to be reworked to handle the latest threat.
Kashyap said that analysts access the Awake platform and perform other operations through a language called QueryIQ. The language has a vocabulary for adding new detection and response skills to the platform. Specifically, Awake lets users write in the language themselves and adapt it to their actual needs.
The Awake platform can create new detection capabilities to adapt to changing network threats
Take an ordinary attacker who uses PowerShell to connect to a well-known site such as Twitter: this can be caught with a simple "command and control: detect this behavior" rule, which is easy to write and does not even require time-consuming processing. Likewise, a customer worried that employees may be phished can build a detection for lookalike websites or email accounts.
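The two detections just described, plus the per-entity risk score with explanatory timestamps mentioned earlier, can be sketched in a few dozen lines of ordinary detection logic. The block below is an added example written in Python for this article; it is not QueryIQ (whose syntax the article does not show) and not Awake's code. It runs over constructed proxy-log records with the fields timestamp, entity, User-Agent and destination host. The company domain `acme-corp.example`, the social-media watch list, the homoglyph table and the rule weights are all assumptions chosen for the example.

```python
"""Scripted-client-to-social-media C2 detection, lookalike-domain detection,
and per-entity risk scoring with reasons. Added example, not Awake's code.

Log records (constructed): (timestamp, entity, user_agent, destination host).
"""
from collections import defaultdict
from typing import Dict, List

COMPANY_DOMAIN = "acme-corp.example"  # assumed defender domain
# Assumed watch list: public services attackers use as C2 or dead drops.
SOCIAL_C2_HOSTS = {"twitter.com", "api.twitter.com", "pastebin.com"}

LOGS = [
    ("2024-05-01T12:45:00", "lab-laptop-01",
     "Mozilla/5.0 (Windows NT 10.0; Win64; x64) WindowsPowerShell/5.1.19041.1", "api.twitter.com"),
    ("2024-05-01T12:46:00", "lab-laptop-01",
     "Mozilla/5.0 (Windows NT 10.0; Win64; x64) WindowsPowerShell/5.1.19041.1", "api.twitter.com"),
    ("2024-05-01T13:02:00", "hr-desktop-07",
     "Mozilla/5.0 (Windows NT 10.0) Chrome/124.0", "acme-c0rp.example"),   # digit zero for 'o'
    ("2024-05-01T13:10:00", "hr-desktop-07",
     "Mozilla/5.0 (Windows NT 10.0) Chrome/124.0", "twitter.com"),         # browser, not scripted
    ("2024-05-01T13:20:00", "guest-phone",
     "Mozilla/5.0 (iPhone) Safari", "acme-corp.example"),                  # the real domain
]


def is_scripted_client(ua: str) -> bool:
    """True for User-Agents of scripting tools rather than interactive browsers."""
    ua_l = ua.lower()
    return "powershell" in ua_l or "python-requests" in ua_l or ua_l.startswith("curl/")


def levenshtein(a: str, b: str) -> int:
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize_homoglyphs(host: str) -> str:
    """Fold common look-alike substitutions back to the letters they imitate (assumed table)."""
    host = host.lower()
    for fake, real in (("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"), ("rn", "m"), ("vv", "w")):
        host = host.replace(fake, real)
    return host


def is_lookalike(host: str, legit: str) -> bool:
    """Flag hosts that imitate `legit` but are neither it nor one of its subdomains."""
    host = host.lower()
    if host == legit or host.endswith("." + legit):
        return False
    return normalize_homoglyphs(host) == legit or levenshtein(host, legit) <= 2


def detect(logs) -> Dict[str, List[dict]]:
    """Run both rules; each finding keeps its timestamp and a human-readable reason."""
    findings: Dict[str, List[dict]] = defaultdict(list)
    for ts, entity, ua, host in logs:
        if is_scripted_client(ua) and host in SOCIAL_C2_HOSTS:
            findings[entity].append({"ts": ts, "rule": "scripted-client-to-social-c2",
                                     "weight": 40, "detail": f"{ua.split()[-1]} -> {host}"})
        if is_lookalike(host, COMPANY_DOMAIN):
            findings[entity].append({"ts": ts, "rule": "lookalike-domain",
                                     "weight": 30, "detail": f"{host} resembles {COMPANY_DOMAIN}"})
    return findings


def risk_scores(findings: Dict[str, List[dict]]) -> Dict[str, int]:
    """Credit-score style rating: rule weights summed per entity, capped at 100."""
    return {entity: min(100, sum(f["weight"] for f in fs)) for entity, fs in findings.items()}


if __name__ == "__main__":
    found = detect(LOGS)
    for entity, score in sorted(risk_scores(found).items(), key=lambda kv: -kv[1]):
        print(f"{entity}: risk {score}")
        for f in found[entity]:
            print(f"   {f['ts']}  {f['rule']}: {f['detail']}")
```

The browser visit to twitter.com from hr-desktop-07 is deliberately not flagged: the rule keys on a scripting-tool client talking to a social-media host, which is the combination described above, not on the destination alone. Each finding carries its timestamp and reason so the score can be explained rather than just reported.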
Users of any Awake platform can access attack information against domain names
In short, the Awake Security Platform has made the company a provider of advanced network traffic analysis (NTA) solutions that can be used by security practitioners, threat hunters and CSOs alike.
That is how the Awake Security Platform uses NTA to detect malicious behavior. The editor believes some of these points will come up in daily work and hopes you have learned something from this article. For more details, follow the industry information channel.
© 2024 shulou.com SLNews company. All rights reserved.