Huge steps forward have been taken in version 2.5.3 of Perception, including the long-awaited open Beta of the KnowledgeBase function, and several new hugely powerful behavioural identification techniques.
KnowledgeBase sits at the top menu bar alongside ForensicAI and is a function that allows the user to dive deep into a full record of every connection that’s happened on the network. This has been trialled extensively and has quickly become one of the analyst’s favourite features, as it allows them to quickly confirm a suspicion by searching for specific connections made using its great filtering capability. KnowledgeBase is now open to all users, and will continue to be developed over the coming months.
New behavioural logics have also been developed to identify specific behaviours at play on the network. The Suspected New Host Online behaviour has the capability to detect hosts not seen before on the network. This behaviour can be indicative of a planned system installation or an unauthorised device being connected to the network. This enables security teams to quickly identify the introduction of potentially vulnerable devices to the network. This information may then be correlated with subsequent suspicious behaviour in the event that the newly introduced device presents a threat to the network.
The New Service Activity Detected Behaviour identifies when a host starts a new service resulting in network activity on a previously closed port. Under normal operation a given host will run a particular set of services. In the event that a new service is started, this may typically result in network activity on a previously closed port. This behaviour can be indicative of a new application being installed on a host or an existing application suddenly going live. A new service/port coming online can be due to either a planned configuration change, and configuration error, or an unauthorised application or user modification. This activity may be of interest to a security team who expected a defined set of services to be running on the machine present on the network. The network activity as a result of the new service may be benign or may be indicative of malicious software now running on the host, unknown to the user.
Finally, the Loss of Service Activity Detected Behaviour detects when a host ceases to run a service. This behaviour can be indicative of a system or hardware failure or a planned outage. This can help security teams to identify potential issues in the network in particular where a failed service related to a security incident.
A full list of updates are below:
Introduction of KnowledgeBase (beta). This is a new tool available on Perception to enable users to perform in depth analysis on host statistics collected by the system. Data selection can be achieved through filtering and grouping where filtering options are by time, by sensor and by grammar-based metadata selection. The result of the selections can be plotted on a timeline diagram for reporting and review purposes.
Three new behavioural classifiers have been added to the system. These are: Suspected New Host Online, New Service Activity Detected and Loss of Service Activity Detected.
Improved loading time of behaviours and Forensic AI views.
This update will be pushed to all managed customers at the pre-agreed upgrade time. Self-monitored customers can update their own systems using the software upgrade processes. If you have any further questions about this upgrade please contact us at firstname.lastname@example.org