Features of AI-Hunter™
Today’s advanced backdoors are extremely hard to detect. Simple signature detection cannot detect encrypted and malleable Command and Control (C2) sessions.
Rather than focus on signatures for known bad actors, AI-Hunter detects consistencies and patterns in the behavior of backdoors. How? It utilizes a mixture of detection techniques that rely on attributes like an interval of connections, data size, dispersion, and advanced algorithms.
But using only one way to detect advanced backdoors is not an effective detection strategy. All the attacker would have to do is change one aspect of the C2 traffic to avoid detection. To address this, we allow the analyst to filter and re-sort the criteria they are looking at on the fly!
In more secure networks malicious backdoors will have trouble getting out. Many standard ports and protocols will be filtered. To get around this, some backdoors will attempt to make multiple different connections outbound from an infected network.
This can be detected by looking at the number of destination ports an infected host attempts to connect to on the C2 server.
Long Connections Module
Rather than calling home on a regular basis, attackers may try to simply call home and leave the connection open indefinitely. To spot this traffic, you can use our long connections module.
Most legitimate connections run for one hour or less. By tracking down connections that remain active for many hours or even many days, you can quickly spot suspicious activity.
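The three behaviours described above (regular call-home intervals with consistent request sizes, one host trying many destination ports on a single C2 server, and connections held open far longer than an hour) can all be scored from ordinary connection metadata. The following is an added illustration, not AI-Hunter's own code: the `Conn` record and the `beacon_candidates`, `port_fanout` and `long_connections` functions are assumptions of this example, loosely modelled on the fields a Zeek `conn.log` carries (timestamp, originator, responder, responder port, originator bytes, duration). The sample records are constructed, with a 60-second beacon, an irregular legitimate session, a port fan-out and a split long-lived session, and the thresholds are arbitrary starting points an analyst would tune.

```python
from collections import defaultdict
from statistics import mean, pstdev
from typing import NamedTuple


class Conn(NamedTuple):
    """One connection record (assumed layout, modelled on Zeek conn.log fields)."""
    ts: float         # connection start, seconds since epoch
    src: str          # internal originator
    dst: str          # external responder
    dst_port: int     # responder port
    orig_bytes: int   # bytes sent by the originator
    duration: float   # seconds the connection stayed open


def _cv(values):
    """Coefficient of variation: dispersion relative to the mean (0.0 = perfectly regular)."""
    m = mean(values)
    return pstdev(values) / m if m else 0.0


def beacon_candidates(conns, min_count=6, max_cv=0.2):
    """Group by (src, dst, port) and flag groups whose inter-connection interval
    and request size are both unusually consistent, i.e. beacon-like."""
    groups = defaultdict(list)
    for c in conns:
        groups[(c.src, c.dst, c.dst_port)].append(c)
    flagged = {}
    for key, rows in groups.items():
        if len(rows) < min_count:          # too few samples to judge regularity
            continue
        rows.sort(key=lambda c: c.ts)
        intervals = [b.ts - a.ts for a, b in zip(rows, rows[1:])]
        interval_cv = _cv(intervals)
        size_cv = _cv([c.orig_bytes for c in rows])
        if interval_cv <= max_cv and size_cv <= max_cv:
            flagged[key] = {"count": len(rows),
                            "interval_cv": round(interval_cv, 3),
                            "size_cv": round(size_cv, 3)}
    return flagged


def port_fanout(conns, min_ports=5):
    """Count distinct destination ports per (src, dst) pair; many ports to one
    external host suggests a backdoor probing for an unfiltered way out."""
    ports = defaultdict(set)
    for c in conns:
        ports[(c.src, c.dst)].add(c.dst_port)
    return {k: sorted(v) for k, v in ports.items() if len(v) >= min_ports}


def long_connections(conns, min_seconds=3600):
    """Sum durations per (src, dst, port); a session that a sensor logged in
    several pieces is reassembled before the one-hour threshold is applied."""
    total = defaultdict(float)
    for c in conns:
        total[(c.src, c.dst, c.dst_port)] += c.duration
    return {k: v for k, v in total.items() if v >= min_seconds}


# Constructed sample traffic (not real captures).
_JITTER = [0, 1, -1, 0, 1, -1, 0, 1, -1, 0]
SAMPLE_CONNS = (
    # 60-second beacon with +/-1 s jitter and a fixed 512-byte request
    [Conn(1000 + 60 * i + j, "10.0.0.5", "203.0.113.10", 443, 512, 0.4)
     for i, j in enumerate(_JITTER)]
    # ordinary browsing: irregular timing, varied sizes
    + [Conn(t, "10.0.0.7", "198.51.100.20", 443, b, 1.0)
       for t, b in zip([1000, 1005, 1300, 1310, 2200, 2210],
                       [100, 4000, 250, 12000, 800, 3000])]
    # one host trying eight ports on the same external address
    + [Conn(3000 + i, "10.0.0.9", "203.0.113.10", p, 60, 0.1)
       for i, p in enumerate([21, 22, 25, 53, 80, 443, 8080, 8443])]
    # a ten-hour session the sensor logged as two pieces
    + [Conn(5000, "10.0.0.11", "203.0.113.30", 443, 9000, 20000.0),
       Conn(25000, "10.0.0.11", "203.0.113.30", 443, 7000, 16000.0)]
)


if __name__ == "__main__":
    print("beacon candidates:", beacon_candidates(SAMPLE_CONNS))
    print("port fan-out:", port_fanout(SAMPLE_CONNS))
    print("long connections:", long_connections(SAMPLE_CONNS))
```

Each function is a separate view over the same records, which is the point the text makes about combining criteria: the beacon scorer alone misses the fan-out host and the long-lived session, and an attacker who randomises interval and size still shows up in the other two views. Run against real logs, the thresholds and the choice of summing split records are the knobs an analyst would re-sort and filter on rather than fixed constants.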
A common data exfiltration technique, used by tools such as PowerShell and Meterpreter, is to encode or encrypt information on the internal network and pass it out to the Internet so that it appears similar to normal HTTP traffic.
One of the telltale signs of this activity is extremely long URI fields. The URLs module sorts this data by priority so that you can review it and spot abnormal patterns.
The blacklisted module identifies when known-to-be-compromised systems are communicating with hosts on your internal network. We aggregate results from multiple threat intelligence feeds so that you have a single interface to spot highly suspect activity.
DNS C2 is one of the most common means for attackers to exploit highly secure environments. For most organizations, DNS is a required protocol, and it usually flows between two trusted endpoints. For example, most DNS traffic will use a Domain Controller or use “trusted” DNS providers like Google.
We detect this by looking at the number of subdomains per domain and will flag suspicious quantities. AI-Hunter easily identifies excessive subdomains.
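The two application-layer heuristics above, ranking HTTP requests by URI length and counting unique subdomains per registered domain, are small enough to show in one place. This is an added example and not AI-Hunter's code: the `long_uris`, `registered_domain`, `subdomain_counts` and `excessive_subdomains` functions, the `(src, host, uri)` and `(src, query)` record shapes, and the sample HTTP and DNS events are all constructed for the illustration, and the thresholds are arbitrary.

```python
from collections import defaultdict


def long_uris(events, min_len=250):
    """Rank HTTP requests by URI length, longest first, and return those at or
    above the threshold as (src, host, uri_length). Encoded data smuggled in the
    path or query string tends to dominate this list."""
    ranked = sorted(events, key=lambda e: len(e[2]), reverse=True)
    return [(src, host, len(uri)) for src, host, uri in ranked if len(uri) >= min_len]


def registered_domain(fqdn, labels=2):
    """Naive registrable-domain extraction: keep the last `labels` labels.
    Simplification for the example; production code should use the Public
    Suffix List so that names under e.g. co.uk are grouped correctly."""
    parts = fqdn.rstrip(".").lower().split(".")
    return ".".join(parts[-labels:])


def subdomain_counts(queries):
    """Count distinct query names seen under each registered domain."""
    names = defaultdict(set)
    for _src, q in queries:
        names[registered_domain(q)].add(q.rstrip(".").lower())
    return {d: len(s) for d, s in names.items()}


def excessive_subdomains(queries, min_unique=50):
    """Return domains whose unique-subdomain count exceeds the threshold."""
    return {d: n for d, n in subdomain_counts(queries).items() if n >= min_unique}


# Constructed sample HTTP requests: (src, host, uri).
SAMPLE_HTTP = [
    ("10.0.0.5", "www.example.com", "/index.html"),
    ("10.0.0.5", "www.example.com", "/images/logo.png"),
    ("10.0.0.5", "cdn.example.net", "/static/app.js?v=3"),
    ("10.0.0.8", "203.0.113.10", "/api/" + "A" * 400),   # 405-char URI
    ("10.0.0.8", "203.0.113.10", "/api/" + "B" * 380),   # 385-char URI
]

# Constructed sample DNS queries: (src, query name). A handful of ordinary
# lookups, then 120 unique labels under one domain from a single host.
SAMPLE_DNS = [
    ("10.0.0.5", "www.google.com"),
    ("10.0.0.5", "mail.google.com"),
    ("10.0.0.6", "docs.google.com"),
    ("10.0.0.6", "www.example.com"),
    ("10.0.0.6", "example.com"),
] + [("10.0.0.8", f"{i:08x}.data.c2-example.test") for i in range(120)]


if __name__ == "__main__":
    print("long URIs:", long_uris(SAMPLE_HTTP))
    print("subdomains per domain:", subdomain_counts(SAMPLE_DNS))
    print("excessive:", excessive_subdomains(SAMPLE_DNS))
```

The subdomain count is keyed by registered domain rather than by full query name because the distinguishing feature is breadth under one parent, not any single lookup; large CDNs and some telemetry services legitimately produce many unique labels, so a per-domain allow list is the usual companion to this check.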
Deep Dive Module
Ever have the need to look deeper at a system? Sure, there may be something interesting, but what about the whole picture?
AI-Hunter has the ability to show a total snapshot of a host in one view, and allows you to dive deeper into the different endpoints and protocols used by that host.
Because sometimes you just have to dig in.