The DarkPoint platform is organized around four major analytic steps: Identification, Analysis, Remediation, and Verification. Base sets of small programs called Analyzers are run against any sample submitted to DarkPoint. As metadata is generated for each sample and stored, decisions can be made on follow-on actions. A collection of analyzers working together is called a workflow. DarkPoint provides an initial set of workflows, while advanced users can customize these workflows and add new workflows to support their own business needs and practices. The newly released intelligent workflow engine gives users an incredible level of control over what processing takes place upon sample submission. For example, in a high-throughput scenario, it may not be prudent to run each sample through sandbox execution or automated disassembly. The following screenshot, taken directly from DarkPoint, shows an example of the kind of customized control that is available:
Users have the ability to design, draw and update their intelligent workflow(s) on the DarkPoint Intelligent Workflow Canvas. The biggest benefit of this canvas is that you gain control over the conditional gateway condition(s) in a workflow. This logic determines which analyzer runs next. The initial view of this canvas is shown in the following screenshot:
From this canvas you can:
As you save your workflow, it is automatically validated to ensure it will compile and execute properly when invoked.
In this particular example, this condition will evaluate to true if the portable executable (PE) machine type (found in the PE header) equals 34404 which equates to a 64-bit executable.
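As an added illustration of the gateway condition described above (example code, not DarkPoint's own analyzer), the following reads the Machine field from a PE file's COFF header and evaluates the condition "machine type equals 34404" (34404 is 0x8664, the x64 machine type). The stub-builder that produces sample input is constructed for this example and does not produce a runnable executable.

```python
import struct
from typing import Optional

# Value the workflow condition in the text compares against:
# 34404 == 0x8664, the PE machine type of a 64-bit (x64) executable.
X64_MACHINE_TYPE = 34404


def pe_machine_type(data: bytes) -> Optional[int]:
    """Return the Machine field from the COFF header of a PE image, or None
    when the bytes are not a well-formed PE (bad MZ/PE signatures, or headers
    that run past the end of the buffer). A workflow should treat None as
    "condition not met" rather than raising."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)  # offset of "PE\0\0"
    if e_lfanew + 6 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    (machine,) = struct.unpack_from("<H", data, e_lfanew + 4)  # little-endian u16
    return machine


def is_64bit_pe(data: bytes) -> bool:
    """The conditional gateway: true only for a valid PE whose machine type is 34404."""
    return pe_machine_type(data) == X64_MACHINE_TYPE


def make_stub_pe(machine: int) -> bytes:
    """Constructed sample input for this example: a minimal DOS header followed by
    the start of a COFF header, which is all the condition above inspects."""
    dos = bytearray(b"MZ" + b"\0" * 0x3E)        # 0x40-byte DOS header
    struct.pack_into("<I", dos, 0x3C, 0x40)      # e_lfanew -> COFF header at 0x40
    coff = b"PE\0\0" + struct.pack("<H", machine) + b"\0" * 18
    return bytes(dos) + coff


if __name__ == "__main__":
    print("x64 stub ->", is_64bit_pe(make_stub_pe(X64_MACHINE_TYPE)))
    print("x86 stub ->", is_64bit_pe(make_stub_pe(0x14C)))
```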
In our most recent release, Intelligent Workflows can also execute actions to include:
These actions increase connectivity to the outside world of cyber security tools and operators or analysts. For example, sending an email allows you to notify parties such as your Security Operations Center (SOC) that an artifact has been received and processed. The email editor is shown in the following screenshot:
DarkPoint includes advanced analytics fueled by CyberPoint's research into the application of machine learning to cyber security. CyberPoint has conducted extensive research in the field of non-signature-based detection of malware and APT based on both network and host-based forensic artifacts. Included in this work is an extensive set of experiments in supervised and unsupervised learning to detect or cluster malware and APT using a variety of novel features and approaches.
CyberPoint has investigated the use of a variety of machine learning algorithms and model synthesis techniques, including measures of model fitness and performance, to provide a robust non-signature-based detection capability to DarkPoint. If a virus signature is not available, DarkPoint can still provide a threat score for a sample under analysis. This threat score provides a similarity measure of how close the sample is to known malware, using a variety of mechanisms. For example, if a common Trojan or RAT is customized slightly to avoid an Anti-Virus solution, DarkPoint will still score the sample as likely malware.
DarkPoint contains novel ranking methods so that its threat score has maximal utility for triage. CyberPoint has developed a ranking algorithm which models probability distributions in a way that addresses the "base rate fallacy" when interpreting the relative ranking of a subset of a corpus of examples. Given a binary classifier, such as our threat score, the "base rate fallacy" is the mistaken assertion that the False Positive Rate (FPR) can be used to assess the operational efficacy of the algorithm – that is, the rate at which it produces false alarms. In truth, the operational efficacy may be much lower than the FPR, and is a function of both the classifier's precision and recall, and the base percentage of examples that actually belong to the positive category. Given a set of examples labeled as positive examples (e.g., "malware") by one of several final classifiers, DarkPoint uses an advanced algorithm to produce a ranking of the set. An analyst can use this ranking to work in an orderly fashion through the examples of the set, to confirm the ones that indeed represent true alarms, and to weed out the false alarms, paying attention at any given moment to the example deemed most likely to represent a true alarm among those remaining to be confirmed. This process lends additional structure to the methods of binary classification, as an aid to mitigating the operational impact of false alarm rates illustrated by the "base rate fallacy" phenomenon.
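To make the base-rate point concrete, here is an added worked example (not DarkPoint's ranking algorithm) that computes the fraction of flagged samples that are really malware from the classifier's recall (TPR), its FPR and the base rate, the alarm counts an analyst would face on a corpus, and the simple score-ordered triage queue the text describes. The classifier rates and corpus size are assumed values chosen for illustration.

```python
from typing import Dict, List, Sequence, Tuple


def positive_predictive_value(tpr: float, fpr: float, base_rate: float) -> float:
    """Fraction of samples flagged as malware that really are malware.

    tpr: recall, the fraction of true malware the classifier flags
    fpr: fraction of benign samples the classifier wrongly flags
    base_rate: fraction of the corpus that actually is malware
    The FPR alone says nothing about this; the base rate dominates it.
    """
    true_alarms = tpr * base_rate
    false_alarms = fpr * (1.0 - base_rate)
    if true_alarms + false_alarms == 0.0:
        return 0.0
    return true_alarms / (true_alarms + false_alarms)


def expected_alarms(tpr: float, fpr: float, base_rate: float,
                    corpus_size: int) -> Dict[str, float]:
    """Expected true and false alarms an analyst must work through."""
    positives = base_rate * corpus_size
    negatives = corpus_size - positives
    return {"true_alarms": tpr * positives, "false_alarms": fpr * negatives}


def triage_order(scored: Sequence[Tuple[str, float]]) -> List[str]:
    """Queue sample ids so the one deemed most likely a true alarm comes first,
    which is the ordering the ranking step in the text hands to the analyst."""
    return [sid for sid, _ in sorted(scored, key=lambda p: p[1], reverse=True)]


if __name__ == "__main__":
    # Assumed rates: a classifier with 95% recall and a 1% FPR, on a corpus where
    # only 0.1% of samples are malware. Only ~8.7% of alarms are real.
    print(positive_predictive_value(0.95, 0.01, 0.001))
    print(expected_alarms(0.95, 0.01, 0.001, 100_000))
    print(triage_order([("s1", 12.0), ("s2", 87.5), ("s3", 40.0)]))
```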
CyberPoint has also investigated the clustering and hierarchy of malware. It is not enough, we believe, to simply say a sample is malware with some probability, even if we are usually correct. Instead, it is useful for an analyst to know why a sample is malware, and what other samples it relates to. DarkPoint's Similarity score produces a measure of similarity between samples through an innovative use of distance metrics and efficient data representations. DarkPoint can quickly provide a similarity score between a given sample and others in its corpus of over 5 million samples. In addition, CyberPoint has investigated hierarchical clustering of malware into families to better understand their relationships.
CyberPoint has integrated DarkPoint with the Suricata IDS using the DarkPoint Connector API. Files carved from live TCP streams can be automatically sent to DarkPoint for analysis. The DarkPoint Connector API is the basis for integration of DarkPoint with other technologies.
CyberPoint is a cyber security company; we take seriously the responsibility to protect what is invaluable to you. The DarkPoint Cloud platform relies on a variety of approaches to safeguard your data. We follow industry standards and publications for the design, operation, administration, and maintenance of our systems. Any adequate approach to cloud implementation must allow an engineer to conveniently design and implement a secure cluster. These publications include:
Additionally, DarkPoint supports users and groups for role-based authentication. Data is private within each group, and shareable by users within that group.
DarkPoint contains a powerful Expert System that provides goal finding capability through a large set of rules and observations held in working memory that are used to provide automated conclusions about samples under analysis, based on the results of Analyzers (e.g., disassemblers, decompilers, debuggers, virtual or bare-metal instrumentation including static and dynamic analyses).
DarkPoint has a robust ontology of malware types, and leverages expert system algorithms to provide both a normalized threat score (out of 100) and a plain-English description of the perceived classification, intention, and behavior of the sample, and even keystroke-level syntax for remediating the threat posed by a submitted sample.
Most cyber security products claim that they can identify, analyze and even eliminate malware, whereas DarkPoint draws a deliberate distinction: a threat is more than simple malware. Threats include both exploits and traditional malware (e.g. remote access Trojans, keystroke loggers, etc.), but they can also include techniques, commands, insider user threats and even user mistakes.
DarkPoint also provides network analysis of pcap (packet capture) data, either generated by a sandbox or submitted by a user for analysis. DarkPoint uses the same Expert System with network-centric rules to accomplish this effectively, in a scalable manner.
DarkPoint wants to help you recover from a malware infection or exploit as fast as possible without requiring forensic investigators, malware analysts or reverse engineers. DarkPoint analyzes nearly all evidence it has collected for a particular sample and, based on the type of threat and even the type of activities undertaken by that threat, can provide you with keystroke-level syntax to apply to infected or even potentially infected machines to identify, confirm and even eliminate the threat if it is present on your system(s).
NOTE: As of June 1, 2016, DarkPoint will only provide remediation syntax for threats on Windows families of operating systems. Support for additional file formats and platforms is in progress.
DarkPoint considers Remediation to be either or both of the following services for a threat to one of your endpoint systems (that we support):
Sometimes a system cannot be rebooted, services can't be disabled, and IP subnets can't be blocked. We understand this. Treatment is designed to disable the threats posed by specific hosts (C2 servers) or IP addresses, and by services, processes or programs on your machine. Treatment only stems an infection; it doesn't remove it.
Sometimes you need to simply remove the threat. Delete the files or registry keys, or remove the application. DarkPoint leverages the power built into most systems available today to help you find the threat and attempt to remove it completely. A DarkPoint remediation cure has greater potential to cause harm to normal system operation and thus its application should be treated carefully.
While we make every effort to ensure the syntax generated won't harm any system you apply it against, there is always the possibility of errors in the process. We urge users to take this into consideration when applying the recommended remediation.
We coupled Remediation together with DarkPoint Expert so that our users will get the best remediation available but only after enough analysis has been conducted. DarkPoint Expert (Analytic Summary) runs automatically for supported sample types and generates any relevant remediation syntax. The following image shows how DarkPoint Expert can be invoked manually by a user.
Once DarkPoint Expert is invoked, if enough intelligence has been gathered from all other analyzers, and sufficient detail is available, and the sample is deemed to be a threat, you may see some level of remediation syntax displayed under the Analytic Summary section of the report, as shown in the following image.
DarkPoint will react if insufficient data is available. When there is not enough intelligence for DarkPoint Expert to render any conclusion(s) or possible remediation, you should see a message indicating as much, and may receive suggestions for additional analyzers to run.
We want our users to know about and utilize all of the tools they have in their possession, which is why we wanted to mention PowerShell explicitly. We suggest using PowerShell if possible, but naturally your and your organization's needs and requirements may vary from our test environment(s). PowerShell is available for every platform from Windows XP through Windows 8.1 and Windows Server 2012.