Network Detection & Response
The Cyber Threat Edge Node inspects and logs every data packet moving into and out of your network and applies advanced threat intelligence, intrusion detection, deception technology, and network security monitoring to detect and block threats. Automation reduces alerts to the SOC.
Threat intelligence data is gathered via automation in our SOC. The lists are composed of de-duplicated, filtered and enriched indicators from public, private, internal and government sources. The resulting threat intelligence list contains more than 500 million indicators of compromised infrastructure, botnets, command and control servers and similar.
The list is updated in our SOC every hour, and the nodes pull the threat intelligence data every hour. Attempts to communicate with infrastructure on this list are blocked by our detection algorithms. Aggregated attempts from the same endpoint(s) to communicate with infrastructure on this list result in an alert being sent to the SOC for investigation.
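As an added illustration of the matching and aggregation described above (example code written for this page, not Blueshift's implementation): a node holds an hourly-fetched indicator set, blocks every flow whose destination is on it, and raises one SOC alert per source endpoint that hits listed infrastructure three or more times inside an hour. The feed normalisation rules, the threshold of three, the one-hour window, the flow record layout and the addresses (drawn from RFC 5737 documentation ranges) are assumptions of the example.

```python
"""Threat-intelligence matching with per-endpoint aggregation (added example).

Assumptions not taken from the page: flows are dicts with src, dst, dport and ts
(epoch seconds); the feed is a set of IP strings the node pulls hourly; three or
more blocked flows from one source inside a 3600 s window raise one alert.
Indicator and flow addresses are constructed from RFC 5737 documentation ranges.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def normalize(raw_entries):
    """De-duplicate and filter a raw feed: drop malformed entries, loopback/multicast
    addresses and RFC 1918 space, which would otherwise block internal traffic."""
    keep = set()
    for entry in raw_entries:
        try:
            ip = ipaddress.ip_address(entry.strip())
        except ValueError:
            continue
        if ip.is_loopback or ip.is_multicast or ip.is_unspecified:
            continue
        if any(ip in net for net in RFC1918):
            continue
        keep.add(str(ip))
    return keep


@dataclass
class TiFeed:
    indicators: set
    fetched_at: float
    max_age: float = 3600.0  # the node re-pulls every hour

    def is_stale(self, now):
        return now - self.fetched_at > self.max_age

    def hit(self, ip):
        return ip in self.indicators


def evaluate_flows(flows, feed, threshold=3, window=3600.0):
    """Block every flow to listed infrastructure; alert once per source that
    hits the list `threshold` or more times within any `window` seconds."""
    blocked, per_src = [], defaultdict(list)
    for flow in flows:
        if feed.hit(flow["dst"]):
            blocked.append(flow)
            per_src[flow["src"]].append(flow["ts"])
    alerts = {}
    for src, times in per_src.items():
        times.sort()
        start, best = 0, 0
        for end, t in enumerate(times):  # sliding window over sorted hit times
            while t - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts[src] = best
    return blocked, alerts


# Constructed feed: duplicates, whitespace, a private address and junk to filter out.
RAW_FEED = ["203.0.113.10", " 203.0.113.10", "198.51.100.7", "10.0.0.5", "not-an-ip", "203.0.113.77"]
T0 = 1_700_000_000.0
FEED = TiFeed(indicators=normalize(RAW_FEED), fetched_at=T0)

FLOWS = [  # constructed: 192.168.1.0/24 is the customer LAN
    {"src": "192.168.1.20", "dst": "203.0.113.10", "dport": 443, "ts": T0 + 100},
    {"src": "192.168.1.20", "dst": "203.0.113.10", "dport": 443, "ts": T0 + 160},
    {"src": "192.168.1.20", "dst": "198.51.100.7", "dport": 8080, "ts": T0 + 300},
    {"src": "192.168.1.31", "dst": "203.0.113.77", "dport": 80, "ts": T0 + 400},
    {"src": "192.168.1.31", "dst": "203.0.113.200", "dport": 443, "ts": T0 + 410},  # not listed
    {"src": "192.168.1.44", "dst": "203.0.113.10", "dport": 443, "ts": T0 + 500},
    {"src": "192.168.1.44", "dst": "203.0.113.10", "dport": 443, "ts": T0 + 4500},  # outside the window
]

if __name__ == "__main__":
    blocked, alerts = evaluate_flows(FLOWS, FEED)
    print(f"{len(blocked)} flows blocked; SOC alerts: {alerts}")
```

Blocking and alerting are deliberately separate: every listed destination is blocked on sight, but only the repeat offender (192.168.1.20, three hits in 200 s) becomes an alert, while 192.168.1.44's two hits 4000 s apart never reach the threshold. The `is_stale` check is what a node would use to notice that its hourly pull has failed.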
As packets are ingested into the system, they are inspected by an Intrusion Detection System (IDS) looking for threats, anomalies, misconfigurations, protocol mismatches, data exfiltration and other indicators of compromise. The IDS does not break or inspect SSL/TLS encrypted traffic; instead the system fingerprints SSL/TLS and other encrypted traffic, without decrypting it, to detect anomalies in encrypted sessions. IDS signatures are managed in our SOC and updated every hour.
Signatures are a combination of public, private and Blueshift-specific signatures and classifications, pulled from the SOC by the node every hour. Blocking on IDS results is done via a proprietary algorithm that runs every 60 seconds. Aggregated IDS alerts for network devices are sent to the SOC for analysis and investigation.
The Cyber Threat Node can provide deception nodes, both externally and internally. Deception is a very high quality, low false positive (zero or close to zero) indicator of nefarious activity on the network.
External Deception
For customers who want to use this feature, we ask that they take a few commonly attacked services, such as Remote Desktop Protocol (RDP), Telnet, FTP and SIP (ports 3389, 23, 21 and 5060 respectively), and port forward those services from their firewall to our Cyber Threat Node. The deception services are low-interaction: we are not trying to attribute behaviours or collect malware samples, we simply look for a completed TCP three-way handshake and record the source IP address and destination port. Since there is no production or advertised use of these services, any connection to them is malicious in nature (attack or reconnaissance).
Once an attack is detected, egress communication to that IP address is blocked, and the indicator is sent to our SOC via API and added to our threat intelligence list: if an adversary attacks one customer, all of our customers are protected. In addition, the harder an adversary attacks with the detected indicators, the longer they stay blocked in our feeds; as adversaries move on to newly compromised infrastructure, unused indicators decay off our lists. This method of deception also protects our customers from the internet-wide scanners behind Open Source Intelligence (OSINT) services such as shodan.io, since such scanners are caught and blocked by our deception services.
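The two paragraphs above describe the low-interaction sensor and the indicator lifecycle; the following added example (written for this page, not the vendor's code) models both in one place. It takes connection attempts as (timestamp, source IP, destination port, handshake completed) records, counts only completed three-way handshakes on the decoy ports, reports each hit through a stand-in for the SOC API, and keeps a blocklist whose lifetime grows with the hit count and decays once the hits stop. The decoy port list follows the page; the one-day base TTL, the 30x cap, the event records and the SOC API stand-in are assumptions.

```python
"""Low-interaction deception sensor feeding a decaying blocklist (added example).

Assumptions not taken from the page: attempts arrive as (ts, src_ip, dst_port,
handshake_completed) records; a first hit blocks the source for BASE_TTL seconds
and each further hit extends the block, up to MAX_MULTIPLIER * BASE_TTL past the
last hit; indicators whose expiry passes decay off. The SOC API is any callable.
Decoy ports follow the page; TTL values and the events below are constructed.
"""
DECOY_PORTS = {3389: "rdp", 23: "telnet", 21: "ftp", 5060: "sip"}
BASE_TTL = 24 * 3600.0   # assumed: one day of blocking for a single hit
MAX_MULTIPLIER = 30      # assumed: never more than 30 days past the last hit


class IndicatorStore:
    """Blocklist whose retention grows with how hard an indicator keeps attacking."""

    def __init__(self):
        self.hits, self.expiry = {}, {}

    def record_hit(self, ip, now):
        self.hits[ip] = self.hits.get(ip, 0) + 1
        self.expiry[ip] = now + BASE_TTL * min(self.hits[ip], MAX_MULTIPLIER)
        return self.expiry[ip]

    def is_blocked(self, ip, now):
        return ip in self.expiry and now < self.expiry[ip]

    def decay(self, now):
        """Remove indicators that have gone quiet long enough to expire."""
        gone = sorted(ip for ip, exp in self.expiry.items() if now >= exp)
        for ip in gone:
            del self.expiry[ip], self.hits[ip]
        return gone

    def export(self):
        return sorted(self.expiry)


class DeceptionSensor:
    def __init__(self, store, soc_api):
        self.store, self.soc_api = store, soc_api

    def observe(self, ts, src_ip, dst_port, completed):
        # Only decoy ports count, and only completed three-way handshakes: a bare
        # SYN can carry a spoofed source, so counting it would let an attacker get
        # arbitrary third parties blocked. A completed handshake proves the peer
        # really receives packets at that address.
        if dst_port not in DECOY_PORTS or not completed:
            return None
        self.store.record_hit(src_ip, ts)
        self.soc_api({"indicator": src_ip, "port": dst_port,
                      "service": DECOY_PORTS[dst_port], "ts": ts})
        return src_ip


T0 = 1_700_000_000.0
EVENTS = [  # constructed; sources from RFC 5737 documentation ranges
    (T0,       "203.0.113.5",  3389, True),   # scanner completes handshake on the RDP decoy
    (T0 + 5,   "203.0.113.5",  23,   True),   # same scanner, Telnet decoy
    (T0 + 7,   "203.0.113.5",  21,   True),   # same scanner, FTP decoy
    (T0 + 60,  "198.51.100.9", 5060, False),  # bare SYN, never completed: ignored
    (T0 + 90,  "198.51.100.9", 5060, True),
    (T0 + 120, "203.0.113.44", 8443, True),   # not a decoy port: ignored
]


def run(events):
    """Feed events through a sensor; return the store and what went to the SOC API."""
    sent, store = [], IndicatorStore()
    sensor = DeceptionSensor(store, sent.append)
    for ts, ip, port, done in events:
        sensor.observe(ts, ip, port, done)
    return store, sent


if __name__ == "__main__":
    store, sent = run(EVENTS)
    print(f"{len(sent)} indicators sent to the SOC; blocklist: {store.export()}")
    print("decayed after ~28 h:", store.decay(T0 + 100_000), "still blocked:", store.export())
```

After the six events, the scanner that hit three decoys is held for three days while the single-hit source is held for one; running `decay` about 28 hours later drops the latter and keeps the former, which is the "harder they attack, longer they stay blocked" behaviour the page describes. Note what is not recorded: the half-open SYN and the connection to a non-decoy port never reach the store.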
Internal Deception
In addition to external deception, we can also run deception internal to the network, using several internal deception models. Internal deception events trigger an immediate alert to the SOC. The system can also be configured to block all egress (Internet) traffic from the offending internal device as an automated response, should the customer require one. Internal deception is again a very low false positive, high quality, non-signature-based indicator of nefarious activity on the network.
Since every packet is inspected, the metadata and flow data of every packet and conversation are stored in the storage/search engine. This allows the system to run non-signature-based anomaly detections, such as Domain Generation Algorithm (DGA) detection and malware beacon analysis using machine learning and Fast Fourier Transforms (FFTs). In addition, the network security monitoring (NSM) aspect of the system, combined with the storage/search engine, enables our SOC to perform network forensics and threat hunting when investigating alerts and anomalies.
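An added example (written for this page, not Blueshift's code) of the two non-signature detections named above, run over constructed flow metadata: connection timestamps for one source/destination pair are binned, the FFT of the binned counts is searched for a single dominant periodicity, and a character-entropy heuristic flags DGA-looking labels. The 10 s bin, the 5120 s window, the beacon score threshold of 8, the entropy and consonant-run thresholds, and the sample timestamps and domains are all assumptions; the entropy heuristic stands in for the page's machine-learning classifier and is not it.

```python
"""Beacon detection by FFT and a DGA heuristic over stored flow metadata (added example).

Assumptions not taken from the page: per-pair connection timestamps are binned into
10 s buckets over a 5120 s window; beaconing is scored as the strongest spectral
peak divided by the mean magnitude; the DGA check is an entropy/consonant heuristic,
not the ML model the page refers to. All timestamps and domains are constructed.
"""
import cmath
import math
import random
from collections import Counter

BEACON_THRESHOLD = 8.0   # assumed: random traffic scores around 3, a clean beacon far above


def fft(x):
    """Recursive radix-2 Cooley-Tukey FFT; len(x) must be a power of two."""
    n = len(x)
    if n == 1:
        return [complex(x[0])]
    even, odd = fft(x[0::2]), fft(x[1::2])
    out = [0j] * n
    for k in range(n // 2):
        twiddle = cmath.exp(-2j * math.pi * k / n) * odd[k]
        out[k] = even[k] + twiddle
        out[k + n // 2] = even[k] - twiddle
    return out


def bin_counts(timestamps, window_s, bin_s):
    """Count connections per time bin, zero-padded up to a power of two."""
    n_bins = math.ceil(window_s / bin_s)
    size = 1 << (n_bins - 1).bit_length()
    counts = [0.0] * size
    for t in timestamps:
        idx = int(t // bin_s)
        if 0 <= idx < n_bins:
            counts[idx] += 1.0
    return counts, size


def beacon_score(timestamps, window_s=5120.0, bin_s=10.0):
    """Return {'score', 'period_s'}; a high score means one dominant periodicity."""
    counts, size = bin_counts(timestamps, window_s, bin_s)
    mean = sum(counts) / size
    spectrum = fft([c - mean for c in counts])  # remove DC so bin 0 cannot dominate
    mags = [abs(spectrum[k]) for k in range(1, size // 2 + 1)]
    peak_k = 1 + max(range(len(mags)), key=mags.__getitem__)
    avg = sum(mags) / len(mags)
    return {"score": mags[peak_k - 1] / avg if avg else 0.0, "period_s": size * bin_s / peak_k}


def find_beacons(pairs, **kw):
    """pairs: {(src, dst): [timestamps]} -> [(src, dst, period_s)] above threshold."""
    found = []
    for (src, dst), times in pairs.items():
        r = beacon_score(times, **kw)
        if r["score"] >= BEACON_THRESHOLD:
            found.append((src, dst, round(r["period_s"], 1)))
    return found


VOWELS = set("aeiou")


def dga_features(domain):
    labels = domain.lower().rstrip(".").split(".")
    label = labels[-2] if len(labels) > 1 else labels[0]  # simplification: single-label TLD
    n = len(label)
    entropy = -sum(c / n * math.log2(c / n) for c in Counter(label).values())
    run = best = 0
    for ch in label:
        run = run + 1 if ch.isalpha() and ch not in VOWELS else 0
        best = max(best, run)
    return {"label": label, "entropy": entropy, "consonant_run": best}


def looks_like_dga(domain):
    f = dga_features(domain)
    return (f["entropy"] > 3.5 and len(f["label"]) >= 10) or f["consonant_run"] >= 5


_rng = random.Random(7)
# Constructed: an implant calling home every 80 s with up to 5 s of jitter.
BEACON_TIMES = [80 * k + 5 + _rng.randint(-5, 5) for k in range(64)]
# Constructed: the same number of connections at uniformly random times.
RANDOM_TIMES = sorted(_rng.uniform(0, 5120) for _ in range(64))
PAIRS = {("10.0.0.23", "203.0.113.60"): BEACON_TIMES, ("10.0.0.23", "203.0.113.61"): RANDOM_TIMES}
DOMAINS = ["google.com", "wikipedia.org", "xk3jq9vplm2zwa.net", "kqzxwvb.com"]

if __name__ == "__main__":
    print("beacons:", find_beacons(PAIRS))
    print("dga candidates:", [d for d in DOMAINS if looks_like_dga(d)])
```

Mean removal before the FFT matters: without it, the k=0 bin holds the total connection count and swamps every real periodicity. The jittered beacon still produces one peak at 80 s because ±5 s of jitter rarely moves a connection out of its 10 s bin; an implant that jitters by more than the bin width needs a coarser bin or a timing-interval analysis instead, which is why the bin size is an assumption worth tuning per environment.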
Types of network events monitored by the SOC include, but are not limited to: