USE CASES
One Platform for Threat Analysis
Organizations trust TwinWave to fully analyze both credential phishing and malware threats because it automatically explores the entire attack chain and gathers rich artifacts at every step of the analysis.
This depth of analysis, combined with broad detection coverage, powers a wide range of use cases within security organizations, including SOC triage, deep IR analysis and user-reported phishing analysis.
SOC Triage
Analysts need to quickly and accurately disposition suspected threats and gauge their potential severity in order to decide on next steps.
Actionable indicators, such as the location of a credential phishing form's submission script or the URL a payload is downloaded from, let analysts quickly determine potential impact.
TwinWave gives SOCs:
deep inspection and analysis
breadth of detection techniques
support for credential phishing & malware
rich indicators for threat hunting
IR Analysis
Once a suspected threat has been escalated to the IR team, they need to pull it apart to understand what it is and how it works, identify indicators, and more.
TwinWave's static and dynamic analysis extracts the key information the IR team needs for its initial assessment of a threat.
TwinWave gives IR teams:
malware config extraction
macro source code & emulation
full webpage DOM
OCR text extraction from images
User Reported Phish
Let's face it: most of what users report as "phish" is really spam or unwanted bulk mail. But there can be critical threats hidden in these user submissions, if you have the time and resources to look at them.
TwinWave’s unique attack chain following technology ensures reported threats are thoroughly analyzed.
TwinWave for user-reported phish:
URL extraction & link following
attachment extraction & analysis
email headers and screenshots
decoding of rewritten URLs
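The "URL extraction & link following" and "decoding of rewritten URLs" items above describe a step every phish triage pipeline needs before a link can be followed: mail gateways wrap outbound links, so the URL a user sees is not the destination. The block below is an added example written for this page, not TwinWave's code, showing the two rewrite formats I know the shape of (Microsoft Safe Links, which percent-encodes the original in a `url=` parameter, and Proofpoint URL Defense v2, which encodes `%` as `-` and `/` as `_` in a `u=` parameter) and how to peel nested wrappers. The sample mail body and every host, path and parameter value in it are constructed.

```python
"""Decode gateway-rewritten URLs (Safe Links, Proofpoint URL Defense v2) back to
their original destinations so they can be followed and analyzed."""
import re
from urllib.parse import urlparse, unquote

# Constructed sample: a user-reported mail body whose links were rewritten by two
# different mail gateways. Every host, path and parameter value here is made up.
SAMPLE_BODY = """Please verify your account:
https://nam02.safelinks.protection.outlook.com/?url=https%3A%2F%2Flogin.example-portal.net%2Fverify%3Fid%3D42&data=05%7C01%7C&sdata=abc&reserved=0
Invoice attached, also available at
https://urldefense.proofpoint.com/v2/url?u=https-3A__files.example-2Dcdn.com_inv_7781.zip&d=DwMFAg&c=c1&r=r1&m=m1&s=s1&e=
Unrelated link: https://www.example.org/newsletter
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def _raw_query_param(url, name):
    """Return the raw (still percent-encoded) value of a query parameter, or None.

    urllib.parse.parse_qs is deliberately avoided: it turns '+' into a space and
    decodes %xx sequences, which would corrupt Proofpoint's '-' / '_' encoding."""
    for pair in urlparse(url).query.split("&"):
        key, _, value = pair.partition("=")
        if key == name:
            return value
    return None


def decode_once(url):
    """Strip one layer of rewriting. Returns the inner URL, or the input unchanged."""
    parsed = urlparse(url)
    host = parsed.netloc.lower()
    # Microsoft Safe Links: the original URL is percent-encoded in `url=`.
    if host.endswith(".safelinks.protection.outlook.com"):
        inner = _raw_query_param(url, "url")
        if inner:
            return unquote(inner)
    # Proofpoint URL Defense v2: `u=` holds the URL with '%' -> '-' and '/' -> '_'.
    # Literal '-' and '_' in the original are themselves encoded (-2D, -5F), so a
    # blanket replacement followed by one percent-decode is safe.
    if host == "urldefense.proofpoint.com" and parsed.path.startswith("/v2/url"):
        inner = _raw_query_param(url, "u")
        if inner:
            return unquote(inner.replace("_", "/").replace("-", "%"))
    return url


def decode_rewritten_url(url, max_depth=5):
    """Peel nested rewrites (e.g. Safe Links wrapping Proofpoint) up to max_depth."""
    for _ in range(max_depth):
        inner = decode_once(url)
        if inner == url:
            break
        url = inner
    return url


def extract_and_decode(text):
    """Return (as_seen, decoded) pairs for every URL found in the text."""
    return [(u, decode_rewritten_url(u)) for u in URL_RE.findall(text)]


if __name__ == "__main__":
    for seen, decoded in extract_and_decode(SAMPLE_BODY):
        print(decoded + ("" if seen == decoded else "  (rewritten)"))
```

Decoding before following matters for more than readability: fetching the wrapper URL would make the gateway, not the sandbox, the first hop, and a gateway that has already blocked the link will hand back its own warning page instead of the attacker's.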
Integrating TwinWave into existing workflows and security tools is easy.
Manual Submissions
Security analysts and researchers can directly submit suspected threats to the TwinWave platform using the web interface or command line tools.
Once a threat is submitted, the TwinWave platform performs the actions required to fully execute the attack chain, including clicking and following links, extracting attachments and embedded files, unpacking archives, and much more.
While the analysis is running, analysts can watch the attack chain being built out in real time, with detections and scores appearing as they become available.
TwinWave's UI is designed to make it easy to navigate the very rich data that static and dynamic analysis produce. Screenshots and key indicators give analysts a quick high-level understanding of the threat, while our Normalized Forensics view provides the in-depth detail.
API Submissions
TwinWave's API provides the same full functionality as the web interface, so organizations that run a SOAR or other automation solution can add TwinWave to existing or new playbooks for deep, automated threat analysis.
While the analysis is running, a SOAR platform can periodically check the submission's results; detections and scores are exposed as they are generated, so a response can be triggered as soon as TwinWave has determined that a suspected threat is actually malicious, without waiting for the full analysis to complete.
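The polling pattern described above, as an added example that is not TwinWave's client code or API: a playbook submits a target, polls its status with capped exponential backoff, and acts the moment the score crosses a threshold rather than waiting for the terminal state. The endpoint shape, the job identifier, the 0-100 score scale, the 70-point cut-off and the field names `state`, `score`, `detections` and `indicators` are all assumptions; the stand-in API and the status snapshots it returns are constructed so the block runs offline.

```python
"""Playbook-style polling of an analysis submission: act as soon as the score
crosses a threshold instead of waiting for the whole attack chain to finish."""
import time

# Assumed, not the platform's real values: a 0-100 score and a "malicious" cut-off.
MALICIOUS_THRESHOLD = 70


class FakeAnalysisApi:
    """Offline stand-in for a REST client. Each get_status() call returns the next
    constructed snapshot, mimicking scores that appear while analysis still runs.
    The field names (state, score, detections, indicators) are assumptions."""

    def __init__(self, snapshots):
        self._snapshots = list(snapshots)
        self._calls = 0

    def submit(self, target):
        return "job-0001"  # hypothetical job identifier

    def get_status(self, job_id):
        self._calls += 1
        return self._snapshots[min(self._calls - 1, len(self._snapshots) - 1)]


class FakeClock:
    """Virtual clock so the poll loop can be exercised without real sleeping."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def sleep(self, seconds):
        self.now += seconds


def wait_for_verdict(api, job_id, threshold=MALICIOUS_THRESHOLD, timeout=600,
                     initial_delay=5, max_delay=60,
                     sleep=time.sleep, clock=time.monotonic):
    """Poll with capped exponential backoff.

    Returns (verdict, last_snapshot, polls) where verdict is:
      "malicious" as soon as score >= threshold, even while state is "running";
      "benign"    once state is "done" with the score still below threshold;
      "timeout"   if the deadline passes first (escalate to a human; never drop it).
    """
    deadline = clock() + timeout
    delay = initial_delay
    polls = 0
    while True:
        snapshot = api.get_status(job_id)
        polls += 1
        score = snapshot.get("score")
        if score is not None and score >= threshold:
            return "malicious", snapshot, polls
        if snapshot.get("state") == "done":
            return "benign", snapshot, polls
        remaining = deadline - clock()
        if remaining <= 0:
            return "timeout", snapshot, polls
        sleep(min(delay, remaining))  # never sleep past the deadline
        delay = min(delay * 2, max_delay)


def triage(api, target, **poll_kwargs):
    """Submit a target, wait for a verdict, and return what the playbook should block."""
    job_id = api.submit(target)
    verdict, snapshot, polls = wait_for_verdict(api, job_id, **poll_kwargs)
    indicators = snapshot.get("indicators", []) if verdict == "malicious" else []
    return {"verdict": verdict, "polls": polls, "block": indicators}


# Constructed snapshots: detections and the score accumulate while the chain is explored.
PHISH_SNAPSHOTS = [
    {"state": "running", "score": None, "detections": [], "indicators": []},
    {"state": "running", "score": 20, "detections": ["suspicious-redirect"],
     "indicators": ["https://redirect.example.net/go"]},
    {"state": "running", "score": 85,
     "detections": ["suspicious-redirect", "credential-phishing-form"],
     "indicators": ["https://redirect.example.net/go",
                    "https://login.example-portal.net/post.php"]},
    {"state": "done", "score": 90,
     "detections": ["suspicious-redirect", "credential-phishing-form"],
     "indicators": ["https://redirect.example.net/go",
                    "https://login.example-portal.net/post.php"]},
]
BENIGN_SNAPSHOTS = [
    {"state": "running", "score": None, "detections": [], "indicators": []},
    {"state": "done", "score": 5, "detections": [], "indicators": []},
]

if __name__ == "__main__":
    clock = FakeClock()
    result = triage(FakeAnalysisApi(PHISH_SNAPSHOTS), "user-report-1.eml",
                    sleep=clock.sleep, clock=clock)
    print(result)  # verdict "malicious" after 3 polls, before the job reports "done"
```

Two design points worth keeping in a real playbook: the backoff cap keeps a burst of submissions from hammering the API while still catching an early verdict, and a timeout is a distinct outcome that should open a ticket, because treating "no verdict yet" as benign is how a slow-detonating sample slips through.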