Rare destination Country detection
Goal
Looks for unusual destination countries in the network logs. Traffic to such countries can be a sign of initial access, persistence, command-and-control, or exfiltration activity.
This use case works better as a complement to an existing Delfos case than as a standalone case: it can give the SOC context or add extra information to an alert.
Description
The model is trained on the customer's network traffic. More concretely, for every country that appears as a destination of outbound traffic, it computes the proportion of days in the training window on which traffic to that country was observed. Countries with a very high proportion are considered normal and those with a low proportion are considered unusual.
Traffic to a normal country does not generate alerts, traffic to an unusual country generates a low-confidence signal, and traffic to a country not recorded during training generates a high-confidence alert.
Characteristics
Data involved
Firewall and web proxy logs, although any device that records outbound traffic can be integrated into the use case.
Alert Generation
This model can generate two types of signals:
Low confidence signal: produced by connections to countries with sporadic traffic.
High confidence alert: produced by connections to countries that have essentially never been recorded.
Raw outputs of the model
A float value as follows:
0 for normal countries.
0.3 for unusual countries.
1.0 for countries not recorded during training.
SOC Parametrization
The following parameters can be exposed to the SOC:
White and black listing of countries.
Modifying the thresholds that classify a country as normal or unusual, in order to control noise.
Suppressing the low confidence signals entirely for customers with large amounts of outbound data.
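As an added example (not Delfos code or code from this page), the training and scoring logic described in the Description, Raw outputs and SOC Parametrization sections, run over constructed sample records. The 0.8 threshold, the 10-day window, the day format and the country codes (including "ZZ" as an unrecorded placeholder) are assumptions:

```python
# Added illustration of the scoring logic described on this page; not Delfos code.
from collections import defaultdict

SCORE_NORMAL, SCORE_UNUSUAL, SCORE_UNRECORDED = 0.0, 0.3, 1.0  # raw outputs from the page

# Constructed training data: (day, destination country) pairs from outbound
# firewall/proxy records over a hypothetical 10-day window.
WINDOW_DAYS = 10
_DAYS = [f"2024-01-{i:02d}" for i in range(1, WINDOW_DAYS + 1)]
SAMPLE_RECORDS = (
    [(d, "US") for d in _DAYS]        # seen 10/10 days -> normal
    + [(d, "DE") for d in _DAYS[:9]]  # seen  9/10 days -> normal
    + [(d, "BR") for d in _DAYS[:2]]  # seen  2/10 days -> unusual
)

def train(records, window_days, normal_min_ratio=0.8):
    """Classify each destination country by the share of window days with traffic.
    normal_min_ratio is the SOC-tunable threshold (0.8 is an assumed value):
    at or above it a country is 'normal', below it 'unusual'. Countries that
    never appear in the records are simply absent from the profile.
    """
    days_seen = defaultdict(set)
    for day, country in records:
        days_seen[country].add(day)
    return {c: "normal" if len(d) / window_days >= normal_min_ratio else "unusual"
            for c, d in days_seen.items()}

def score(profile, country, allowlist=frozenset(), blocklist=frozenset()):
    """Raw output for one connection; white/black lists override the profile."""
    if country in allowlist:
        return SCORE_NORMAL
    if country in blocklist:
        return SCORE_UNRECORDED
    status = profile.get(country)
    if status is None:  # never recorded during training -> high-confidence alert
        return SCORE_UNRECORDED
    return SCORE_NORMAL if status == "normal" else SCORE_UNUSUAL

def evaluate(profile, connections, suppress_low=False, **lists):
    """Return (day, country, score) for connections that signal; suppress_low
    drops the 0.3 signals, as the page suggests for high-volume customers."""
    alerts = []
    for day, country in connections:
        s = score(profile, country, **lists)
        if s == SCORE_NORMAL or (suppress_low and s == SCORE_UNUSUAL):
            continue
        alerts.append((day, country, s))
    return alerts
```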
Reliability estimation
Customers with worldwide infrastructure will require extensive use of white/black listing to eliminate noise produced by services or providers associated with the customer.