Cybersecurity Analysis

Mining Web Traffic Data to Find Threats

Steven Wimmer
by Steven Wimmer
category Cybersecurity Analysis

A recent blog written by privacy advocate and cybersecurity researcher, Sam Jadali provides an in-depth analysis into the catastrophic data leaks that can occur via several browser extensions, commonly considered Potentially Unwanted Programs or Applications (PUP/PUA). Browser extensions are something that many users install because they can—even if the enterprise policy states otherwise.  And many enterprise security teams dismiss such software as more of a nuisance, not something that is traditionally considered a real threat needing attention.

The reality is that PUP/PUAs can no longer be treated as something that can be easily ignored.  Jadali’s blog documents multiple organizations that exposed or leaked internal documents to creators of browser extensions.

This demonstrates just how malicious and dangerous PUPs/PUAs are to an enterprise. But identifying systems that have malware installed on them can be a challenging task—especially for smaller security teams that are likely overworked with more emergent tasks.  One great place to start identifying system malware through PUPs is at your Internet gateway where you can inspect user web traffic with a content/web filter.

Web traffic is a gold mine of threat activity, but just like a gold miner you have to work to find the gold within all the clutter (or in our case, threats within the sensor noise).  The challenge is that PUP malware attempting outbound connections, also known as beaconing, may or may not occur on a regular interval and that interval may be hours, days, or even weeks apart. A human analyst cannot be expected to keep track of all the web requests generated by a single host for an hour let alone a day or week. This is where Robotic Decision Automation software steps in to help.

With an intelligent decision engine monitoring web filter logs in real-time, security teams can defend against PUP malware.  Decision automation software, like the Respond Analyst can consider over 30 factors specific to web filtering data.  This can include factors such as vendor category, user agent, site/domain specific information, content filter action, historical incident data about the internal host, along with many others.

With an army of virtual analysts across millions of data points, decision automation software can analyze and make decisions on web filter data in real-time and at machine speed.  It can inform security teams when to take action on a host that likely has beaconing malware installed or malware that may be performing some other unapproved activity via web traffic.

Want to learn how you can mine and more importantly, find the malware you might be missing through browser extensions?  Check out the quick demo below to see how the Respond Analyst escalated a recent incident for one of our customers.