The Bitsight Threat Research team is a specialized function that requires particular expertise. They’re tasked with identifying malicious and potentially unwanted programs (PUP) that can be monitored through remote telemetry. This allows us to gain insight into how companies around the world are affected.
The team is composed of several members whose combined expertise (threat intelligence, reverse engineering, digital forensics, penetration testing, and security engineering) allows us to obtain remote telemetry at large scale while keeping a focus on the quality of the produced data.
Quality is an ongoing process; our team of 30+ data scientists and security researchers is continuously developing and tuning our ratings algorithm and identification criteria. Each new risk vector undergoes rigorous analysis before it is released.
To ensure we provide the most relevant and comprehensive ratings on cyber security performance, we are committed to continuously expanding the quality, breadth and innovation of the data used in security ratings. We will continue to add data sources and risk vectors to extend our visibility into a company’s performance.
Our data sources are carefully curated for their detective breadth and technical reliability, given the daily volume of data we process. We do this by owning proprietary data streams and working closely with partners around the globe to ensure access to multiple and diverse data feeds. We rigorously analyse the quality, origin, and confidence of all collected data. Because of this breadth, we can cross-correlate observations and improve confidence based on multiple observation points and methods.
In addition, we can provide historical data going back 1 year, giving organizations a long-term view of security performance across the enterprise.
Our priorities are to reduce the number of false positives and to accurately classify malware and PUPs.
Reduction in False Positives
All generated events are the results of verified connections to our systems that originate from the source IP (provided by checking the completeness and validity of the established TCP sessions or by doing additional checks on UDP). They're verified to strictly respect the malware or PUP communication protocol. This allows us to eliminate false positives that are due to network spoofing or to accidental or episodic accesses to the monitoring systems.
When a suspicious program is identified, we collect as many samples as possible and verify the results of signature-based detection and antivirus classification of these samples. There are three possible outcomes:
- It is consistently identified as a specific malware family. After validating that the publicly available indicators of compromise (IOC) of the identified family match those we are observing, we use the public information that has already been provided as an authoritative source on the matter.
- It is detected by antivirus signatures in an inconsistent or generic way, in which case we research the malware and create a set of supporting documents and IOCs that allow easy third-party validation that the software we are detecting is in fact detected by many antivirus companies, albeit with generic detections.
- It is not detected by antivirus, but we have observed something suspicious about the software, in which case we reverse engineer it to verify whether it includes malicious capabilities, perform an in-depth study, and document the malware capabilities and IOCs so that these can be independently validated by any interested party.
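The three-outcome decision above can be automated as a first triage pass over vendor detection results. The following is an added example, not Bitsight's own tooling: it normalises vendor detection names with a deliberately simple heuristic (the noise and generic token lists are constructed for this example), counts how many samples carry a specific family label, and returns which of the three outcomes applies. The hashes in the sample sets are placeholders.

```python
from collections import Counter

# Tokens that name no family (platform, type, variant markers). Constructed for
# this example; real vendor naming is far messier and needs per-vendor rules.
NOISE_TOKENS = {"trojan", "win32", "w32", "win64", "malware", "gen", "variant",
                "riskware", "pua", "pup"}
# Tokens that mark a generic or heuristic detection rather than a family.
GENERIC_TOKENS = {"generic", "heur", "heuristic", "agent", "suspicious", "malicious"}


def _tokens(name):
    """Split a detection name on the usual separators and drop '-A' style variant suffixes."""
    return [t.split("-")[0] for t in name.replace("/", ".").replace(":", ".").split(".")]


def family_of(name):
    """Return a lower-cased family token from a vendor detection name, or None if generic."""
    toks = _tokens(name)
    if any(t.lower() in GENERIC_TOKENS for t in toks):
        return None
    for t in toks:
        if len(t) > 2 and t.lower() not in NOISE_TOKENS:
            return t.lower()
    return None


def triage(samples):
    """Apply the three-outcome decision to a set of samples.

    samples: list of {"sha256": str, "detections": {vendor: name or None}}.
    Returns (outcome, family); outcome is 'consistent_family',
    'generic_or_inconsistent' or 'undetected'.
    """
    detected_samples, votes = 0, Counter()
    for s in samples:
        names = [n for n in s["detections"].values() if n]
        if names:
            detected_samples += 1
        # one vote per family per sample, however many vendors agree on it
        for fam in {family_of(n) for n in names} - {None}:
            votes[fam] += 1
    if detected_samples == 0:
        return "undetected", None
    if votes:
        fam, n = votes.most_common(1)[0]
        # consistent only when one specific family is named on more than half the samples
        if 2 * n > len(samples):
            return "consistent_family", fam
    return "generic_or_inconsistent", None


# Constructed sample sets; the sha256 values are placeholders, not real indicators.
CONSISTENT = [
    {"sha256": "aa" * 32, "detections": {"A": "Trojan.Win32.Emotet.ab", "B": "W32/Emotet-A", "C": "Gen:Variant.Emotet.12"}},
    {"sha256": "bb" * 32, "detections": {"A": "Trojan.Win32.Emotet.cd", "B": None, "C": "Gen:Variant.Emotet.13"}},
    {"sha256": "cc" * 32, "detections": {"A": None, "B": "W32/Emotet-B", "C": "Trojan.Generic.9"}},
]
GENERIC = [
    {"sha256": "dd" * 32, "detections": {"A": "Trojan.Agent.xyz", "B": "Heur.Malicious", "C": None}},
    {"sha256": "ee" * 32, "detections": {"A": "Generic.Malware", "B": None, "C": "PUA.Riskware.Gen"}},
]
UNDETECTED = [{"sha256": "ff" * 32, "detections": {"A": None, "B": None, "C": None}}]
```

Only the first outcome is a decision; the other two are queues for the documentation and reverse-engineering work described above.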
Most malware has already been identified by at least one reputable antivirus vendor, and that identification includes validation via verified indicators of compromise (IOC). This allows us to use the readily available information as an authoritative source. When a previously unknown or undocumented malicious file is detected, we reverse-engineer the malware.
Once a source has been qualified as legitimate, our inclusion criteria are straightforward and the event is included in security rating reports.