Built for Threat Analysis
The TwinWave platform was purpose built from the ground up to streamline the analysis process by eliminating the manual actions and switching between multiple tools that security analysts and researchers are forced to do today.
By automating the actions required to get full attack chain execution, security analysts and researchers can shift their focus from generating forensics and analysis data to analyzing and taking action on the data generated by TwinWave.
“Before TwinWave, each of our analysts had their own process for investigating a suspected threat, resulting in inconsistent results. TwinWave has revolutionized our threat analysis process by accelerating our investigations, improving our detection efficacy and providing rich analysis of user-reported phishing.”
VP of Incident Response
Fortune 500 Company
How It Works
URLs and files are submitted to the platform for analysis through either the web interface or the API.
Samples are routed to one or more engines in the platform that perform static or dynamic analysis.
Dedicated engines analyze the submission and perform actions like image analysis, OCR text extraction, macro source code detection and more.
As new objects, such as a file or a link to a website, are detected during the analysis, they are reinjected into the platform for additional analysis.
The results from all the analyses, including any third-party results, are normalized into a single forensics format for optimal presentation and API consumption.
Attack Chain Following
Throughout the analysis process, TwinWave’s platform continuously identifies additional objects, which can be URLs or files, to analyze. Once a new object has been identified, it is reinjected into the platform for additional analysis. Our mission is to identify all the components of the attack chain and ensure that they are fully executed during the analysis process.
Our extraction and reinjection technology goes much further than traditional systems, which often focus only on dropped files for additional analysis. URL extraction sources include text, images, macro source code, website contents, and more. Similarly, files are extracted from a variety of sources, including embedded objects, website downloads, dynamic analysis and more.
Example of Attack Chain Following
After the analysis has completed and the full attack chain has been analyzed, users are presented with a tree that shows the relationships between the elements of the attack chain.
This presentation helps analysts and researchers quickly understand even highly complicated attack chains, including which elements of the attack were determined to be malicious.
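The reinjection loop described under How It Works and Attack Chain Following, and the resulting relationship tree, as an added illustration in Python. This is not TwinWave's code and shows nothing about its internals; the corpus, the two toy extraction engines and the object names are constructed for the example.

```python
import re
from collections import deque

# Constructed sample: a submitted mail body links to a login page and a zip
# download; the zip carries an embedded document whose macro points back to
# the same login page. Keys are "kind:identity"; values stand in for content.
CONSTRUCTED_CORPUS = {
    "text:mail": "Invoice attached: http://example.invalid/login http://example.invalid/doc.zip",
    "url:http://example.invalid/login": "<html>credential form</html>",
    "url:http://example.invalid/doc.zip": "EMBEDDED:file:macro.doc",
    "file:macro.doc": 'Sub Auto_Open(): url = "http://example.invalid/login"',
}

URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def engine_extract_urls(content):
    """Toy engine: pull URLs out of any text (mail body, macro source, HTML)."""
    return [f"url:{u}" for u in URL_RE.findall(content)]


def engine_extract_embedded(content):
    """Toy engine: surface embedded file objects found inside a container."""
    return re.findall(r"EMBEDDED:(file:\S+)", content)


def follow_attack_chain(root, corpus, engines):
    """Worklist loop: every newly discovered object is reinjected for analysis
    until nothing new appears. Returns parent -> [children] for the tree view.
    Objects already seen are linked but not re-analyzed, so loops terminate."""
    tree = {root: []}
    queue = deque([root])
    while queue:
        obj = queue.popleft()
        content = corpus.get(obj, "")          # unknown object: nothing to extract
        for engine in engines:
            for child in engine(content):
                if child not in tree:          # first sighting: reinject
                    tree[child] = []
                    queue.append(child)
                if child not in tree[obj]:     # record the relationship either way
                    tree[obj].append(child)
    return tree


def render_tree(tree, node, depth=0, shown=None):
    """Indented text view of the chain; repeats are marked, not re-expanded."""
    shown = set() if shown is None else shown
    if node in shown:
        return ["  " * depth + node + "  (already analyzed)"]
    shown.add(node)
    lines = ["  " * depth + node]
    for child in tree[node]:
        lines.extend(render_tree(tree, child, depth + 1, shown))
    return lines
```

Running `render_tree(follow_attack_chain("text:mail", CONSTRUCTED_CORPUS, [engine_extract_urls, engine_extract_embedded]), "text:mail")` yields the mail at the root, the two URLs beneath it, the macro document beneath the zip, and the login page marked as already analyzed beneath the macro.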
The platform includes multiple layers of automation to interact with the roadblocks that attackers intentionally include in attack chains to evade detection and analysis.
TwinWave eliminates the tedious manual work typically associated with investigating a suspected threat, such as:
clicking and following links
decrypting password-protected content
and much more
TwinWave saves security teams substantial time by automatically performing the actions an analyst would normally have to perform to get a threat to fully execute. These time savings enable analysts to look more deeply at each threat as well as increasing the number of threats they can analyze per day.
Our blend of detection techniques, along with our ability to easily integrate third-party commercial solutions, gives enterprise security teams confidence that they are getting defense in depth against both credential phishing and malware threats.
Flexible integration options, including a REST API and an email gateway, make it easy for security teams to integrate TwinWave into existing systems and processes. These integration options, combined with our deep automated analysis, enable enterprises to analyze potential threats that often go unanalyzed today.