Hyas Blog | HYAS Product Enhancements - Part 1 - February 2024
February Product Release News
If you’ve been following HYAS or using a HYAS cybersecurity solution, you know that HYAS is unique among Protective DNS providers. A lot has already been said about HYAS Protect’s position as the most effective Protective DNS solution, with independent testing showing >80% effectiveness in stopping malicious traffic in real-time and helping you achieve better organizational resiliency as part of a defense-in-depth strategy.
You may also know that our solution integrates with almost any IT environment, whereas other vendors don’t necessarily prioritize integrations into the rest of your IT/security stack. We’re also the only major Protective DNS provider that offers a world-class threat intelligence solution for threat investigators, fraud researchers, and sensitive law enforcement and agency work.
Our two very different footprints in cybersecurity - Protective DNS and threat intelligence - are actually quite similar and complementary in terms of the relevant data, underlying logic, and data science techniques that we employ. And so far in 2024, there has been a notable uptick in how we’re borrowing from one product to improve the other to deliver on some pretty incredible new features.
The Latest and Greatest From HYAS
In just the first two months of 2024, we have shipped some eye-popping improvements to HYAS Protect and HYAS Insight. These deliver better value to IT, engineering, and SecOps on the one hand, and to security and fraud investigators, CTI analysts, and threat hunters on the other. Common threads run across both products: automated verdicts on IPs and domains, self-serviceable single sign-on, and API endpoints that help senior security leaders remove silos between teams, improve communication, and reduce costs.
So the enhancements summarized below help security teams do their individual jobs better, and also help bring those teams together to enable more secure, proactive security operations.
Part 1 of this 2-part blog highlights some of the latest improvements with HYAS Insight. A subsequent post will summarize recent enhancements with HYAS Protect.
HYAS Insight: Generated Verdicts and Verdict Feedback
We’ve made our first big steps towards an exciting “pivot crawling” capability designed to crawl through the truckloads of data available in HYAS Insight and provide concise, consumable nuggets that help you get more done more quickly. We have some big plans on pivot crawling so keep an eye out for future announcements, but for now our first major step in this direction is HYAS-generated verdicts for IPv4, IPv6, and domains. HYAS verdicts compress the outputs of over 50 proprietary rules, machine learning algorithms, and processes into a single Benign, Suspicious, or Malicious verdict.
Now, you can get an immediate understanding of the threat without the time-consuming manual investigation. If you or members of your team are newer to cybersecurity, you now have a reliable “easy button” to get information you may not have been able to get previously.
Or if you’re a seasoned operator, our judgment on an IOC and supporting evidence is more data you can use to quickly ascertain the meaning of a threat for your organization. So HYAS verdicts speed investigation time and simultaneously enable a broader spectrum of users who can get value from HYAS Insight to better protect your organization.
For now, we don’t unpack and expose all of the details and logic involved in this, but we know this is of great interest to security and fraud researchers and will be doing more in this area. We do, however, display a small set of high-level “evidence” that backs up our verdicts.
Is the IOC associated with known malware or threat actor command and control (C2)? Is the IP a Tor exit node? Do we have timely and actionable community intelligence indicating malicious behavior? These are just some of the types of high-level evidence we succinctly provide in support of our verdicts.
Verdict Feedback
Verdicts are never perfect, and we recognize that you may have information that can improve them. So we’ve added a feature that lets you share your perspective and evidence on a verdict. Your feedback can improve the verdict for a specific IOC, and it can also help HYAS identify systemic improvements to our pivot crawling engine that improve the verdict process at large.
Infrastructure Analysis
One of the primary values of HYAS Insight is the ability to investigate threats across a wide range of data types that other providers don’t offer - passive DNS, dynamic DNS, geolocation, and host posture among many others. That’s why you use HYAS Insight - to provide a 360-view of an adversary’s infrastructure and get a picture of the threat landscape you can’t get elsewhere.
Well, we’re sweetening the deal with the addition of a new Infrastructure Analysis feature that allows you to analyze IPs and domains in bulk. We want to give you the same insights and outcomes you’re used to for single IOCs, but do it against, for example, 7 IOCs you believe represent Risepro malware, or 17 that are part of a new attack campaign, or 117 flagged indicators coming out of your XDR, SIEM, or other part of your security stack.
In this first phase of the new feature, you can ingest up to 1000 IPs and domains and get an immediate read-out of the HYAS verdict for each, along with the supporting evidence that influenced it. This helps you identify benign or malicious outliers, learn about relationships between the IOCs, and speed time to understanding the threat. Pivot into any individual IOC for more detail, just as you would when investigating a single IOC.
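The following is an added, stand-alone Python illustration of the bulk workflow just described, together with the verdict-and-evidence idea from the section above; it is not HYAS code. It ingests a constructed XDR export (defanged, mixed IPv4/IPv6/domain, duplicates and junk), normalizes and dedupes it, chunks it at the 1000-IOC first-phase cap, collapses per-IOC evidence of the kinds the page lists (C2 association, Tor exit node, community reports) into a Benign/Suspicious/Malicious verdict with the evidence behind it, then groups the batch by shared hosting ASN and flags verdict outliers. The evidence fields, thresholds, enrichment values, domains and ASNs are assumptions made up for the example; HYAS’s 50+ proprietary rules are not public.

```python
"""Bulk IOC triage: normalize, classify, dedupe, derive a verdict from evidence, find relationships.
Added illustration only; not HYAS code. Evidence fields, thresholds and enrichment are assumptions.
"""
import ipaddress
import re
from collections import Counter, defaultdict

MAX_BATCH = 1000  # first-phase ingest cap stated on the page

# RFC 1123 hostname: dot-separated labels of 1-63 chars, no leading/trailing hyphen, no underscores.
_HOST_RE = re.compile(r"^(?=.{1,253}$)(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))+$")


def normalize(raw: str) -> str:
    """Undo common defanging and strip URL decoration so an XDR/SIEM export can be ingested as-is."""
    s = raw.strip().lower()
    s = re.sub(r"^(hxxps?|https?)://", "", s)   # hxxp:// and real schemes
    s = s.replace("[.]", ".")                   # evil[.]com -> evil.com
    s = s.split("/")[0]                         # drop any URL path
    m = re.match(r"^\[(.+)\](?::\d+)?$", s)     # [2001:db8::1]:443 -> 2001:db8::1
    if m:
        s = m.group(1)
    elif s.count(":") == 1:                     # host:port or v4:port
        s = s.split(":")[0]
    return s.rstrip(".")                        # trailing-dot FQDN


def classify(raw: str):
    """Return (kind, value): kind is 'ipv4', 'ipv6', 'domain', or None for unusable input."""
    s = normalize(raw)
    if s:
        try:
            ip = ipaddress.ip_address(s)
            return ("ipv4" if ip.version == 4 else "ipv6"), str(ip)
        except ValueError:
            if _HOST_RE.match(s):
                return "domain", s
    return None, s


def parse_batch(lines):
    """Classify and dedupe; returns (usable [(kind, value)], rejected [raw line])."""
    seen, usable, rejected = set(), [], []
    for line in lines:
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        kind, value = classify(line)
        if kind is None:
            rejected.append(line.strip())
        elif value not in seen:
            seen.add(value)
            usable.append((kind, value))
    return usable, rejected


def batches(items, size=MAX_BATCH):
    """Yield ingest-sized chunks of a large IOC list."""
    for i in range(0, len(items), size):
        yield items[i:i + size]


def verdict(ev: dict):
    """Collapse per-IOC evidence into one verdict plus the high-level evidence behind it.
    Signals and thresholds are illustrative assumptions, not HYAS's rules."""
    reasons = []
    if ev.get("c2_family"):
        reasons.append(f"known C2 for {ev['c2_family']}")
    if ev.get("community_reports", 0) >= 3:
        reasons.append(f"{ev['community_reports']} recent community reports")
    if reasons:
        return "Malicious", reasons
    if ev.get("tor_exit"):
        reasons.append("Tor exit node")
    if 0 < ev.get("community_reports", 0) < 3:
        reasons.append(f"{ev['community_reports']} recent community report(s)")
    if ev.get("registered_days_ago") is not None and ev["registered_days_ago"] < 30:
        reasons.append(f"domain registered {ev['registered_days_ago']} days ago")
    return ("Suspicious", reasons) if reasons else ("Benign", ["no adverse evidence"])


def analyze(iocs, enrichment):
    """Bulk read-out: per-IOC verdicts, IOCs sharing a hosting ASN, and verdict outliers."""
    verdicts = {v: verdict(enrichment.get(v, {})) for _, v in iocs}
    by_asn = defaultdict(list)
    for _, v in iocs:
        if asn := enrichment.get(v, {}).get("asn"):
            by_asn[asn].append(v)
    majority = Counter(vd for vd, _ in verdicts.values()).most_common(1)[0][0] if verdicts else None
    return {
        "verdicts": verdicts,
        "shared_asn": {a: m for a, m in by_asn.items() if len(m) > 1},
        "majority": majority,
        "outliers": [v for v, (vd, _) in verdicts.items() if vd != majority],
    }


# Constructed sample export (documentation-range IPs, made-up domains), as an XDR might emit it.
SAMPLE_EXPORT = """\
# flagged by XDR detection rule
hxxp://update-check[.]example/dl/a.bin
198.51.100.23
198.51.100.23:443
UPDATE-CHECK.example.
2001:db8::feed
cdn.example.net
not an indicator
"""

# Constructed enrichment standing in for what a platform would return per IOC (assumed values).
SAMPLE_ENRICHMENT = {
    "update-check.example": {"c2_family": "Risepro", "asn": 64500, "registered_days_ago": 4},
    "198.51.100.23": {"asn": 64500, "community_reports": 3},
    "2001:db8::feed": {"asn": 64501, "tor_exit": True},
    "cdn.example.net": {"asn": 64502, "registered_days_ago": 3650},
}

if __name__ == "__main__":
    usable, rejected = parse_batch(SAMPLE_EXPORT.splitlines())
    for chunk in batches(usable):
        result = analyze(chunk, SAMPLE_ENRICHMENT)
        for ioc, (vd, why) in result["verdicts"].items():
            print(f"{vd:10} {ioc:24} {'; '.join(why)}")
        print("shared ASN:", result["shared_asn"], "outliers:", result["outliers"])
    print("rejected:", rejected)
```

Two design points worth keeping when you adapt this: normalization runs before deduplication, so `198.51.100.23`, `198.51.100.23:443` and a defanged or trailing-dot spelling of the same indicator collapse to one entry and one lookup; and the outlier logic is relative to the batch, which is exactly the point of analysing "17 indicators from one campaign" together rather than one at a time.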
This feature is designed to replace the manual pivoting and synthesis that can take time you usually don’t have, and does it at scale against many IOCs. We expect it to be a big time saver and a differentiator you won’t find in other products.
Future phases of Infrastructure Analysis will add additional “pivot crawling” and other capabilities designed to help you get better insights and also take actions that allow you to leverage those insights downstream.
If you don’t already have it, contact HYAS client success to learn how to get access to this feature.
Malware Infrastructure Dashboard
Building on last year’s improvements to our malware detonation pipeline, we’ve launched a brand new dashboard that makes it easier to consume the latest malware infrastructure intelligence. The dashboard helps you access and action that intelligence based on groupings that matter: you can group by malware family, malware tags, and C2 ASNs. Summary intelligence shows the relative prominence of each malware family, tag, or C2 ASN based on detonation volume and correlates additional information for a high-level perspective on it. Open the panels to reveal the tactical infrastructure intelligence used by the malware, which you can then export, pivot on, and otherwise action.
Slick, interactive charts at the top of the dashboard summarize detonation volume by malware family over time and the distribution of the malware tags by malware type. The default window for this data is 1 day, emphasizing the recency of the data. What about a longer time horizon, you ask? Change the time window to 7 or 30 days to get a longer-term view.
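As an added Python sketch of the roll-up the dashboard performs (not HYAS code or data): constructed detonation records are filtered to a 1-, 7- or 30-day window, counted by family, tag and C2 ASN to rank relative prominence, collapsed into the per-family C2 set you would export, and turned into a zero-filled per-day series for the volume-over-time chart. The record schema, the family names as applied to these records, the documentation-range IPs and the private-range ASNs are all assumptions made for the example.

```python
"""Time-windowed malware-infrastructure summary over sandbox detonation records.
Added illustration only, not HYAS code or data: records are constructed and the schema is assumed.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 2, 28, tzinfo=timezone.utc)  # fixed "now" so the example is reproducible

# Constructed detonation records: first-seen time, family, tags, C2 address, C2 hosting ASN.
DETONATIONS = [
    {"seen": "2024-02-27T09:12:00Z", "family": "Risepro", "tags": ["stealer"], "c2": "198.51.100.23", "c2_asn": 64500},
    {"seen": "2024-02-27T11:40:00Z", "family": "Risepro", "tags": ["stealer"], "c2": "198.51.100.23", "c2_asn": 64500},
    {"seen": "2024-02-27T15:05:00Z", "family": "Risepro", "tags": ["stealer"], "c2": "198.51.100.77", "c2_asn": 64500},
    {"seen": "2024-02-26T08:00:00Z", "family": "Lumma", "tags": ["stealer", "loader"], "c2": "203.0.113.9", "c2_asn": 64501},
    {"seen": "2024-02-22T19:30:00Z", "family": "AsyncRAT", "tags": ["rat"], "c2": "192.0.2.45", "c2_asn": 64502},
    {"seen": "2024-02-05T02:15:00Z", "family": "Lumma", "tags": ["stealer"], "c2": "203.0.113.10", "c2_asn": 64501},
    {"seen": "2024-01-30T23:59:00Z", "family": "AsyncRAT", "tags": ["rat"], "c2": "192.0.2.45", "c2_asn": 64502},
    {"seen": "2024-01-20T10:00:00Z", "family": "Risepro", "tags": ["stealer"], "c2": "198.51.100.200", "c2_asn": 64503},
]


def parse_ts(s: str) -> datetime:
    """ISO-8601 with a trailing Z -> timezone-aware datetime."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def in_window(records, now, window_days):
    """Records seen in (now - window_days, now]; the open lower bound keeps every age < window_days."""
    cutoff = now - timedelta(days=window_days)
    return [r for r in records if cutoff < parse_ts(r["seen"]) <= now]


def summarize(records, now=NOW, window_days=1):
    """Dashboard-style roll-up: prominence by family, tag and C2 ASN, plus the C2 set per family.
    window_days=1 mirrors the page's default; pass 7 or 30 for a longer horizon."""
    recent = in_window(records, now, window_days)
    c2 = defaultdict(set)
    for r in recent:
        c2[r["family"]].add(r["c2"])
    return {
        "window_days": window_days,
        "detonations": len(recent),
        "by_family": Counter(r["family"] for r in recent).most_common(),
        "by_tag": Counter(t for r in recent for t in r["tags"]).most_common(),
        "by_c2_asn": Counter(r["c2_asn"] for r in recent).most_common(),
        "c2_by_family": {f: sorted(ips) for f, ips in c2.items()},  # tactical IOCs to export
    }


def daily_series(records, now, window_days, family):
    """Zero-filled per-day detonation counts for one family, oldest day first (chart data)."""
    start = now - timedelta(days=window_days)
    counts = [0] * window_days
    for r in in_window(records, now, window_days):
        if r["family"] == family:
            age = now - parse_ts(r["seen"])          # 0 <= age.days < window_days by construction
            counts[window_days - 1 - age.days] += 1
    return [((start + timedelta(days=i)).date().isoformat(), counts[i]) for i in range(window_days)]


if __name__ == "__main__":
    for days in (1, 7, 30):
        s = summarize(DETONATIONS, NOW, days)
        print(f"last {days}d: {s['detonations']} detonations, by family {s['by_family']}, by C2 ASN {s['by_c2_asn']}")
        for fam, ips in s["c2_by_family"].items():
            print(f"  {fam}: {', '.join(ips)}")
    print(daily_series(DETONATIONS, NOW, 7, "Risepro"))
```

Note how the 1-day window hides the 30-day picture (in these constructed records Risepro dominates today, but two other families are active over the month) and how the same C2 address seen in several detonations is exported once; both are the kind of recency and dedup choices a dashboard makes for you.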
The new Malware Infrastructure Dashboard demonstrates the HYAS commitment to driving improvements in both the data and context the platform provides, in addition to simplicity, sizzle, and content mash-ups that provide more value in a more consumable way.
If you don’t already have it, contact HYAS client success to learn how to get access to this feature.
Tag Pivot
You know all of those rich tags you see decorating intelligence in HYAS Insight? You know, the malware families, the botnets, the TTPs, and so on? Well, now the tags in HYAS Insight are clickable, allowing you to easily pivot to other data with the same tag. Even better, we go the extra step and perform additional lookups for IOCs with Malware Samples and C2 attribution to facilitate your security and fraud investigations. The feature applies to both system tags (blue), as well as your team’s own private tags (red). Now you can connect the dots faster, build a better picture of a threat, and make it easier for both novice and expert users alike to get the answers they need.
WhoIs for ASN
Current WhoIs data is now populated for ASN objects. Previously this data was available for domains, IPs, and other objects; now ASNs also include current WhoIs, to help you understand who manages the ASN and the netblocks defined for it. It can also help you better understand an attack or attacker by shedding light on the ASN on which the attack infrastructure is run.
Additional Reading
What is Adversary Infrastructure?
Why Care about Proactive Threat Intelligence?
Discovery of Russian Threat Actor Using HYAS Insight
How HYAS Protect Stacks Up Against the Competition