The AWARE (Attack Warning and Response Engine) platform is the core technology underlying TaaSera’s NetTrust ecosystem, and provides NetTrust with the means to collect, correlate and analyze forensic cyber evidence over time and across multiple attack vectors.
AWARE Technology Components
- Network Sensors
- Infection Profile Correlation
- Threat Classification
- Threat Pattern Analysis
- TaaSera Threat Center
- Web Services API
Network Sensors
AWARE network sensors watch mirrored traffic from an internal tap point to identify the communication sequences that occur during an infection process.
AWARE employs a heavily modified version of Snort to generate network dialog events between and among internal hosts and external entities. A dialog correlation engine then maps raw events against a 12-stage Infection Lifecycle Model. The core platform includes pre-defined rules updated continuously from the TaaSera Threat Center, as well as a portal for optionally building custom rules and mapping them to the AWARE infection lifecycle.
Infection Profile Correlation
When network patterns match multiple stages in the lifecycle model, and enough evidence is acquired to declare a host infected, the platform produces an "Infection Profile" summarizing all evidence it has gathered regarding the infection.
As evidence of correlated behavior patterns accumulates over time, AWARE dynamically calculates the depth and diversity of evidence to produce a “Forensic Confidence Score” that indicates the level of risk associated with each trusted host system.
Threat Classification
As AWARE continuously collects and correlates forensic evidence over time, it also performs ongoing threat classification. When enough evidence exists to classify an infection as a known threat category (e.g., a worm, Trojan, or botnet), AWARE identifies the infection with an English-language definition. Users may optionally assign or classify custom threat categories when they see new emerging threats.
Threat Pattern Analysis
To gather additional evidence of infection, AWARE also performs pattern analysis to match new infection profiles against known behaviors from its community repository, and looks for systems that communicate with external IP addresses observed behaving badly. When AWARE finds Infection Profiles seen across multiple systems, or when a trusted host system communicates with known malicious IPs, the Forensic Confidence Score will grow.
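To make the Infection Profile, Forensic Confidence Score and reputation-based scoring described in the sections above concrete, here is a toy dialog-correlation engine written for this page. It is an added illustration, not TaaSera code or the AWARE rule format, and everything in it is assumed: the stage names are a hypothetical subset of the 12-stage lifecycle (which the page does not enumerate), the weights are arbitrary, and the events and the "known bad" IP list are constructed sample data.

```python
"""Toy dialog-correlation engine (illustration only, not AWARE code).

Maps per-host network dialog events onto infection-lifecycle stages, builds an
Infection Profile per host, and derives a confidence score from the depth
(number of events) and diversity (number of distinct stages) of the evidence,
raised further when the host talks to an IP on a reputation list.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Hypothetical subset of lifecycle stages; the real model's 12 stages are not
# listed on the page, so these names are assumed for the example.
STAGES = ("inbound_scan", "exploit", "egg_download",
          "c2_beacon", "outbound_scan", "exfiltration")

# Constructed reputation list of external IPs "observed behaving badly".
BAD_IPS = {"203.0.113.7", "198.51.100.42"}

# Constructed sample dialog events: (internal host, lifecycle stage, remote IP).
EVENTS = [
    ("10.0.0.5", "inbound_scan", "192.0.2.10"),
    ("10.0.0.5", "exploit", "192.0.2.10"),
    ("10.0.0.5", "egg_download", "203.0.113.7"),
    ("10.0.0.5", "c2_beacon", "203.0.113.7"),
    ("10.0.0.5", "c2_beacon", "203.0.113.7"),
    ("10.0.0.9", "inbound_scan", "192.0.2.11"),
    ("10.0.0.9", "inbound_scan", "192.0.2.12"),
]


@dataclass
class InfectionProfile:
    """All evidence gathered about one host."""
    host: str
    stages: dict = field(default_factory=lambda: defaultdict(int))  # stage -> event count
    peers: set = field(default_factory=set)                          # remote IPs contacted

    def depth(self) -> int:
        """Total number of correlated events (how much evidence)."""
        return sum(self.stages.values())

    def diversity(self) -> int:
        """Number of distinct lifecycle stages observed (how varied the evidence is)."""
        return len(self.stages)

    def bad_peer_hits(self) -> int:
        """Remote IPs that also appear on the reputation list."""
        return len(self.peers & BAD_IPS)

    def confidence(self) -> int:
        """Forensic confidence score on a 0..100 scale (weights are arbitrary).

        Diversity dominates on purpose: one noisy stage repeated many times
        (e.g. repeated inbound scans) should not outscore evidence spread
        across several lifecycle stages.
        """
        score = 20 * self.diversity() + 2 * min(self.depth(), 10)
        score += 15 * self.bad_peer_hits()
        return min(score, 100)


def correlate(events, known_stages=STAGES):
    """Group raw dialog events by host into Infection Profiles."""
    profiles = {}
    for host, stage, remote_ip in events:
        if stage not in known_stages:
            continue  # event does not map to the lifecycle model; ignore
        profile = profiles.setdefault(host, InfectionProfile(host))
        profile.stages[stage] += 1
        profile.peers.add(remote_ip)
    return profiles


def classify(profiles, min_stages=3, min_score=60):
    """Declare a host infected only when evidence spans enough distinct stages
    AND the score crosses the threshold; returns {host: score}."""
    return {
        host: p.confidence()
        for host, p in profiles.items()
        if p.diversity() >= min_stages and p.confidence() >= min_score
    }


if __name__ == "__main__":
    profiles = correlate(EVENTS)
    for host, p in profiles.items():
        print(f"{host}: depth={p.depth()} diversity={p.diversity()} "
              f"bad_peers={p.bad_peer_hits()} score={p.confidence()}")
    print("infected:", classify(profiles))
```

On the sample data, 10.0.0.5 progresses through four stages and contacts a listed IP, so it is declared infected at the score cap, while 10.0.0.9 only shows repeated inbound scans (one stage) and stays well below the threshold; the two-condition check in `classify` is what keeps a single noisy stage from ever producing a false "infected" declaration on its own.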
TaaSera Threat Center
The TaaSera Threat Center provides shared services among deployed AWARE platforms.
Included with every NetTrust subscription is integrated live threat intelligence from the AWARE IP Reputation Service; a community repository of anonymized Infection Profiles shared across the installed base; live rule updates based on emerging threats for event collection; and software maintenance and updates.