Network Weighted—Network-based indicators are weighted higher than content-based indicators.
Message Weighted—Content-based indicators are weighted higher than network-based indicators.
Average Weight—Network-based and content-based indicators receive roughly equal weight.
Weight sets select which type of cluster an analysis favours, so an analyst can choose the set that fits the clusters they need. Because the weights are configured per indicator, the same indicators can be reused to identify different kinds of clusters simply by changing the configured values.
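As an added example (not code from the original document), the following Python applies the three weight sets to the same matched indicators and shows that a pair of emails linked under one set can fall below the link threshold under another. The indicator names and strengths, the multiplier values and the 0.5 minimum link score are assumptions chosen for illustration.

```python
# Added example, not code from the original document. Indicator names,
# strengths, weight multipliers and the link threshold are assumptions.
from dataclasses import dataclass


@dataclass(frozen=True)
class Indicator:
    name: str
    category: str    # "network" or "content", the two indicator classes the text names
    strength: float  # assumed evidential strength of a hit, 0.0 - 1.0


# Constructed catalogue of indicators that can match between two emails.
CATALOGUE = {
    "sending_ip_match":  Indicator("sending_ip_match",  "network", 1.0),
    "mail_server_match": Indicator("mail_server_match", "network", 0.6),
    "subject_match":     Indicator("subject_match",     "content", 0.8),
    "attachment_match":  Indicator("attachment_match",  "content", 0.7),
}

# The three weight sets the text describes; the multipliers are assumptions.
WEIGHT_SETS = {
    "network_weighted": {"network": 2.0, "content": 1.0},
    "message_weighted": {"network": 1.0, "content": 2.0},
    "average_weight":   {"network": 1.0, "content": 1.0},
}

MIN_LINK_SCORE = 0.5  # assumed minimum link score for joining two emails


def link_score(hits, weight_set):
    """Score a pair of emails from the indicators that matched between them.

    Weighted strength of the hits divided by the weighted strength of the whole
    catalogue, so the result lies in 0.0 - 1.0 and the weight set decides
    whether network or content evidence dominates.
    """
    weights = WEIGHT_SETS[weight_set]
    unknown = set(hits) - set(CATALOGUE)
    if unknown:
        raise KeyError(f"unknown indicators: {sorted(unknown)}")
    earned = sum(weights[CATALOGUE[h].category] * CATALOGUE[h].strength for h in hits)
    possible = sum(weights[i.category] * i.strength for i in CATALOGUE.values())
    return earned / possible


def links(hits, weight_set, min_link_score=MIN_LINK_SCORE):
    """True when the pair clears the link threshold under the given weight set."""
    return link_score(hits, weight_set) >= min_link_score


def compare_weight_sets(hits):
    """Same hits under every weight set: {set_name: (rounded score, linked?)}."""
    return {name: (round(link_score(hits, name), 3), links(hits, name))
            for name in WEIGHT_SETS}


# Constructed cases: one pair matched only on network evidence, one only on content.
NETWORK_ONLY_HITS = ["sending_ip_match", "mail_server_match"]
CONTENT_ONLY_HITS = ["subject_match", "attachment_match"]

if __name__ == "__main__":
    for label, hits in (("network-only", NETWORK_ONLY_HITS),
                        ("content-only", CONTENT_ONLY_HITS)):
        print(label, compare_weight_sets(hits))
```

Running the block shows the inversion the text describes: the network-only pair links under the network-weighted and average sets but not under the message-weighted set, while the content-only pair links only under the message-weighted set.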
Pre-Clustering (Quick Clusters)
Some characteristics of an email can be used to link it quickly to related emails. This quick, or pre-clustering, technique can be used to speed the ingestion of new items for analysis. The items are later analyzed in full, and the fuller results generate additional links and details. Items clustered during pre-clustering can be processed in a way that ensures the cluster is not broken or fundamentally changed during the full analysis of the item. Pre-clustering can use methods that favor speed and accuracy over inclusion.
Attachment Clusters
If two emails each have exactly one attachment, compare the ssdeep similarity score of the two attachments. If the score is greater than the minimum cluster value (note: the minimum cluster value, not the minimum link score), generate an attachment-based cluster.
Message Clusters
This method assumes that related emails delivered to an organization will often carry the same Subject, arrive within close proximity to one another, and come from the same sender.
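As an added example (not code from the original document), the following Python implements both quick-cluster checks described above, attachment clusters and message clusters, and groups a constructed batch of emails with them. The Email fields, the 60-point cluster threshold, the 30-minute proximity window and the sample messages are assumptions; where the python-ssdeep binding is not installed, a byte-level difflib ratio is substituted as a labelled stand-in for the ssdeep comparison.

```python
# Added example, not code from the original document. Field names, thresholds
# and the sample messages below are constructed assumptions.
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from difflib import SequenceMatcher

try:
    import ssdeep  # python-ssdeep binding: ssdeep.hash(buf) / ssdeep.compare(h1, h2)
except ImportError:
    ssdeep = None

MIN_CLUSTER_SCORE = 60               # assumed cluster threshold (0-100), not the link score
TIME_WINDOW = timedelta(minutes=30)  # assumed "close proximity" for message clusters


@dataclass
class Email:
    msg_id: str
    sender: str
    subject: str
    received: datetime
    attachments: list = field(default_factory=list)  # raw bytes per attachment


def byte_ratio(a: bytes, b: bytes) -> int:
    """Stand-in similarity on a 0-100 scale (difflib, not fuzzy hashing)."""
    return int(round(100 * SequenceMatcher(None, a, b, autojunk=False).ratio()))


def attachment_similarity(a: bytes, b: bytes) -> int:
    """ssdeep comparison score 0-100, or the stand-in when ssdeep is absent."""
    if ssdeep is not None:
        return ssdeep.compare(ssdeep.hash(a), ssdeep.hash(b))
    return byte_ratio(a, b)


def attachment_cluster(e1, e2, similarity=attachment_similarity):
    """Rule from the text: both emails carry exactly one attachment and the
    similarity score exceeds the minimum cluster value."""
    if len(e1.attachments) != 1 or len(e2.attachments) != 1:
        return False
    return similarity(e1.attachments[0], e2.attachments[0]) > MIN_CLUSTER_SCORE


def message_cluster(e1, e2):
    """Rule from the text: same Subject, same sender, arrival within the window."""
    same_subject = e1.subject.strip().casefold() == e2.subject.strip().casefold()
    same_sender = e1.sender.strip().casefold() == e2.sender.strip().casefold()
    close = abs(e1.received - e2.received) <= TIME_WINDOW
    return same_subject and same_sender and close


def quick_clusters(emails, similarity=attachment_similarity):
    """Group emails transitively by either rule (union-find); returns sorted id lists."""
    parent = {e.msg_id: e.msg_id for e in emails}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for i, a in enumerate(emails):
        for b in emails[i + 1:]:
            if attachment_cluster(a, b, similarity) or message_cluster(a, b):
                parent[find(a.msg_id)] = find(b.msg_id)
    groups = {}
    for e in emails:
        groups.setdefault(find(e.msg_id), []).append(e.msg_id)
    return sorted(sorted(g) for g in groups.values())


# Constructed sample batch (every value is made up for this example).
T0 = datetime(2024, 1, 15, 9, 0)
INVOICE = b"%PDF-1.4\n" + b"invoice body " * 10 + b"total 100.00\n"
INVOICE_EDITED = INVOICE.replace(b"100.00", b"250.00")  # near-duplicate attachment
SAMPLE_EMAILS = [
    Email("m1", "billing@example.invalid", "Invoice 4471", T0, [INVOICE]),
    Email("m2", "billing@example.invalid", "Invoice 4471", T0 + timedelta(minutes=5)),
    Email("m3", "docs@other.invalid", "Scan", T0 + timedelta(hours=2), [INVOICE_EDITED]),
    Email("m4", "billing@example.invalid", "Invoice 4471", T0 + timedelta(hours=3)),
    Email("m5", "news@elsewhere.invalid", "Weekly update", T0, [b"MZ" + bytes(range(100))]),
    Email("m6", "hr@other.invalid", "Forms", T0, [INVOICE, b"second file"]),  # two attachments
]

if __name__ == "__main__":
    print(quick_clusters(SAMPLE_EMAILS))
```

In the sample batch m1 and m2 join through the message rule, m1 and m3 through the attachment rule, so the three end up in one quick cluster; m4 shares Subject and sender with m1 but arrives outside the window, and m6 carries an identical copy of the invoice but fails the exactly-one-attachment condition, so both stay separate.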
Header Analysis