Review: How Awake Security uncovers malicious intent

Good cybersecurity these days is more complicated than just matching signatures against known malware. In fact, many of the most devastating attacks made against enterprises may not involve malware at all, instead relying on social engineering, insider threats, and tools and processes already approved for use within a network that are hijacked for a malicious purpose.

To stop many of these advanced attacks requires the ability to detect and diagnose malicious intent, even in the absence of any smoking gun. That concept may seem a little bit like Tom Cruise predicting crimes Minority Report style, but it’s essentially what the world’s best threat hunters do that puts their skills in high demand. They are able to look at seemingly disparate events, form a hunch, and sometimes uncover major threats or even threat campaigns. The problem is that good threat hunters are as rare as painite crystals.

The Awake Security Platform can fill that gap. While it ultimately performs what could be considered innovative threat hunting, it’s technically a traffic monitoring platform, though a very advanced one that concentrates on potential threats that other defenses often miss.

Deploying Awake

The heart of the platform is the Awake Hub, which can be deployed on-premises or in the cloud. Traffic data moving throughout a protected network is fed to the Hub from sensors placed at strategic points. The sensors are mostly software-based, though they can exist as hardware if needed for unusual network deployments. They can be placed anywhere and everywhere within a network, but the choke points that are often used include the link to the datacenter, the network gateway, the authorization servers for the user network, within the internet of things (IoT) infrastructure, at the point where data flows to the cloud, as a connector for software as a service programs, and within the operational technology (OT) network if an organization has one. The deployment footprint has no effect on pricing, which is based on the aggregate throughput of traffic being monitored.

Once deployed, the Awake Platform begins discovering all the devices on a protected network. It does this without conducting any scans or deploying any agents. Because it sits at the points where all network devices eventually check in or send communication through, such as the authorization servers, it will eventually discover every active device. Based on its previous experience protecting networks, it can identify almost every kind of network device just using those interactions with the choke points. For example, it was able to properly identify both an IoT medical device and an electronic water bottle from their network activity.

John Breeden II

After identifying everything on a network, a process that is, of course, ongoing as new devices arrive, the platform begins building out profiles. Every device gets a digital fingerprint that is both unique to it and also comparable to other similar devices within the network.

It’s important to note that unlike many programs that always take previous activity as part of the acceptable baseline, the Awake Platform does not necessarily trust something just because it was happening on the network before it arrived. For example, the Hub was able to flag the activity of a network camera that was connecting to a unique server that none of the other cameras ever touched, even though this activity was happening for months before the Awake Security Platform came online.

Finding and identifying malicious activity

The Hub works in much the same way as an advanced threat hunter. It looks at the current activity of fingerprinted devices for any anomalies. Simply having a laptop suddenly log in from a remote location is not enough to trigger an alert, as that might indicate that the employee who owns it is traveling. Instead, Awake looks for indicators such as the laptop connecting to something like a database that it has never touched before, or reaching out and trying to log into other devices inside the network.

John Breeden II

Once the Hub has found something strange, it then looks to see if similar activity is happening on any other devices. That might indicate that more than one device has been somehow compromised, or it might simply be a new procedure that the organization is implementing. To find out, the Hub can contact the cloud-based Awake Expert System, named Ava. Very security conscious organizations such as financial institutions and three letter government agencies can have Ava installed on premises instead of using the cloud version, though it will require regular updates to remain current and valid.

Ava is a storehouse of human cybersecurity knowledge and is constantly updated with information about the tools and techniques being used by hackers. The Hub can ask Ava questions about its discoveries and quickly narrow down all possible solutions until it has identified the anomalous activity and its intentions – sort of like a giant game of 20 questions. During our testing, the Hub spotted odd activity and Ava was able to identify it as a new technique being used by a particular hacker group.

It was able to do that just based on the network activity. It never looked at the content of the data packets themselves and didn’t need agents or any active scanning. Because Awake never opens packets, it would be a good choice for organizations like healthcare facilities or places where privacy is either at a premium or legally protected.

John Breeden II

Once the malicious activity was identified, the Awake Security Platform was able to explain how it arrived at its diagnosis, which not every form of artificial intelligence can do. It even graphs the attack technique, showing not only how the attack worked but what systems have been affected.

The Awake Security Platform can provide detailed checklists about how to remediate problems that it finds. It can also connect to other systems, such as endpoint protection platforms, to remediate threats. It does not actually fix problems on its own but can provide a detailed roadmap about how to deploy a fix and keep similar threats from ever harming the protected network again.

John Breeden II

A final feature worth mentioning is The Workbench. From that section of the program, users can search all of the data collected by the sensors and the Hub. They can use Boolean expressions or simply click on a drop down list to string a query. This is optional because it’s unlikely that a human user would be able to discover something that the Awake Hub and its sensors could not detect or that Ava would not have experienced. But it’s a powerful threat hunting tool for those who wish to use it.

The last word

Concentrating on hidden threats or those that don’t use traditional malware makes the Awake Security Platform extremely powerful and useful in today’s threat environment. It’s easy to deploy, has a good user interface, and should be able to uncover the kinds of threats that most defenses are not able, and are not even designed, to detect.