Features of AI-Hunter™
Today’s advanced backdoors are extremely hard to detect. Simple signature detection cannot detect encrypted and malleable Command and Control (C2) sessions.
Rather than focus on signatures for known bad actors, AI-Hunter detects consistencies and patterns in the behavior of backdoors. How? It utilizes a mixture of detection techniques that rely on attributes like an interval of connections, data size, dispersion, and advanced algorithms.
But using only one way to detect advanced backdoors is not an effective detection strategy. All the attacker would have to do is change one aspect of the C2 traffic to avoid detection. To address this, we allow the analyst to filter and re-sort the criteria they are looking at on the fly!
Long Connections Module
Rather than calling home on a regular basis, attackers may try to simply call home and leave the connection open indefinitely. To spot this traffic, you can use our long connections module.
Most legitimate connections run for one hour or less. By tracking down connections that remain active for many hours or even many days, you can quickly spot suspicious activity.
The blacklisted module identifies when known-to be-compromised systems are communicating with hosts on your internal network. We aggregate results from multiple threat intelligence feeds so that you have a single interface to spot highly suspect activity.
DNS C2 is one of the most common means for attackers to exploit highly-secure environments. For most organizations, DNS is a required protocol and it is usually between two trusted endpoints. For example, most DNS traffic will use a Domain Controller or use “trusted” DNS providers like Google.
We detect this by looking at the number of subdomains per domain and will flag suspicious quantities. AI-Hunter easily identifies excessive sub-domains.
User Agent Module
The user agent field identifies the operating system, browser and plug-ins used to create an HTTP connection.
Since most environments standardize their platforms (Example: Windows 10 using Chrome), unique user agent values can be an indication of unexpected software communicating on your network.
Deep Dive Module
Ever have the need to look deeper at a system? Sure, there may be something interesting, but what about the whole picture?
AI-Hunter has the ability to show a total snapshot of a host in one view, and allows you to dive deeper into the different endpoints and protocols used by that host.
Because sometimes you just have to dig in.