USE CASES

One Platform for Threat Analysis

Organizations trust TwinWave to fully analyze both credential phishing and malware threats due to our unique approach of automatically exploring the entire attack chain and gathering rich artifacts during the analysis process.

This richness of analysis, along with our breadth of detection coverage, powers a wide range of use cases within security organizations, including SOC triage, deep IR analysis, and user-reported phishing analysis.

SOC Triage

Analysts need to quickly and accurately disposition suspected threats and determine the potential severity of a threat in order to identify next steps.

Actionable indicators like credential phishing form script locations and payload download URLs enable analysts to quickly determine potential impact.

TwinWave gives SOCs:

  • deep inspection and analysis

  • breadth of detection techniques

  • support for credential phishing & malware

  • rich indicators for threat hunting

IR Analysis

Once a suspected threat has been escalated to the IR team, they need to pull it apart to understand what it is and how it works, identify indicators, and more.

TwinWave’s static and dynamic analysis extracts key information to support the IR team’s initial assessment of a threat.

TwinWave gives IR teams:

  • malware config extraction

  • macro source code & emulation

  • full webpage DOM

  • OCR text extraction from images

User Reported Phish

Let’s face it, most of what users report as “phish” is really spam or unwanted bulk mail. But there can be critical threats hidden in these user submissions if you have the time and resources to look at them.

TwinWave’s unique attack-chain-following technology ensures reported threats are thoroughly analyzed.

TwinWave for user-reported phish:

  • URL extraction & link following

  • attachment extraction & analysis

  • email headers and screenshots

  • decoding of rewritten URLs

Integrating TwinWave into existing workflows and security tools is easy.

Manual Submissions

Security analysts and researchers can directly submit suspected threats to the TwinWave platform using the web interface or command line tools.

Once a threat is submitted, the TwinWave platform performs the actions required to fully execute the attack chain, including clicking and following links, extracting attachments and embedded files, unpacking archives, and much more.

While the analysis is running, analysts can watch the attack chain being built out in real time, along with detections and scores as they become available.

TwinWave’s UI has been optimized to make it easy for users to navigate the incredibly rich data generated by static and dynamic analysis systems. Screenshots and key indicators give analysts a quick high-level understanding of the threat, while our Normalized Forensics provide an in-depth view.

API Submissions

TwinWave’s API provides the same full functionality available through the web interface. This means that organizations that have implemented a SOAR or other automation solution can add TwinWave to existing or new playbooks for deep automated threat analysis.

While the analysis is running, SOAR platforms can periodically check on submission results, with detections and scores becoming available as they are generated. This allows a response to be triggered as soon as TwinWave has determined that a suspected threat is actually malicious.