The DarkPoint platform is built using community tested and proven technologies. Individual analyzers can be written in Python, Java or C#, and we offer a software development kit (SDK) that allows developers to construct their own analyzer without requiring access to specialized DarkPoint or CyberPoint systems. The core building blocks of DarkPoint are:
Docker allows us to create a plugin-based architecture. This allows DarkPoint to monitor and start/stop/restart individual components without affecting others. Sometimes we find samples we analyze will cause unpredictable behavior (CPU, memory) in our algorithms and without Docker, our work would be substantially harder to stay afloat.
Elements of the DarkPoint core and more than two dozen individual DarkPoint analyzers are powered by Python. The Python language is favored by malware and forensic analysts and data science researchers all over the world.
DarkPoint workflows are scheduled and executed using the jBPM Suite. This engine and the underlying Business Process Model and Notation language are important building blocks for complex workflows designed to take on tomorrow's threats in minutes and not months.
DarkPoint produces a wide variety of analysis output(s) depending on workflows executed. Possibly the most important output type is indicators of compromise (IOC). DarkPoint produces multiple forms of IOC for users. This data can be downloaded and used in scripts or imported into other platforms for automated recognition. The IOC formats DarkPoint supports today are:
Yara is a widely accepted method of automatically scanning files for known feature(s) and malware signature matches. Users will benefit from all of the signatures we have amassed, can upload their own signatures, and we can even automatically generate Yara signatures for analyzed samples.
DarkPoint can generate a STIX package for a sample. STIX is an XML-based form of Indicator of Compromise used in forensic investigation and with select cyber security platforms. The XML content found in a STIX package will vary depending on the amount of analysis that has been performed for a sample.