Threat Clustering is a method applied to every detector, aggregating new leads with other similar leads. The clustering is based on similarities in malicious intent, impact, and/or context, which are uniquely defined for each detector. Threat Clustering uses two levels of aggregation, allowing analysts to quickly identify and scope the root cause of a threat, its prevalence, and its impact on the organization.
When a new lead is generated, it is either clustered into an existing cluster or forms a new cluster (the minimum cluster size is 1 lead). For a lead to be added to an existing cluster, it must meet the following conditions:
- The lead originated from the same detector as the existing cluster.
- The lead detected the same WHAT (malicious intent) or WHO (malicious actor) value as the existing cluster.
In addition to clustering leads based on the same WHAT and WHO, clusters also provide an additional context level, based on WHERE the action in the lead happened or WHO it happened to.
- WHAT refers to the malicious intent that occurred in the lead, like a process that was executed.
- WHERE refers to the location or machine the actions were performed on. For instance,
- WHO refers to one of the following:
- The malicious actor that performed a suspicious action, such as a specific IP address, or a user email.
- The victim of the suspicious activity, such as the affected asset or user agent.
Example
Here’s what happened in the example below:
- 11 leads were clustered based on the source of the lead (the detector) and on WHAT happened in the lead (an alert about potentially personal information was generated by Orca).
- 6 of those leads were then grouped based on the context of WHERE it happened (VM-name: hunters-eu-eks).
- The remaining 5 leads were grouped as well based on the context of WHERE it happened (VM-name: k8s).
- Cluster life span - Each cluster has a limited lifespan. Once 30 days pass from the last time the cluster was updated, it will automatically close and any additional similar leads will create a new cluster. This does not impact or change the status of the leads.
- Cluster logic - When two or more clustering attributes are configured on a detector, only leads with the same values for all specified attributes are grouped into a single cluster, because the clustering operates on "AND" logic. In other words, leads that match on only one of these attributes are not grouped into the same cluster.
That said, for some detectors the clustering logic uses the Levenshtein distance method, which groups attributes whose string values are similar (not necessarily identical) if the distance is within the configured ratio.
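The two-level aggregation, the 30-day lifespan and the Levenshtein option described above, as an added illustration that is not Hunters' own code: it assumes WHAT is the detector's clustering attribute and WHERE the context attribute, and the leads (Orca alerts on hunters-eu-eks and k8s) are constructed to mirror the example.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Lead:
    detector: str   # source detector
    what: str       # WHAT: malicious intent, e.g. the alert title
    where: str      # WHERE: asset the action happened on
    ts: datetime
@dataclass
class Cluster:
    detector: str
    what: str
    last_updated: datetime
    leads: list
    def contexts(self):  # second aggregation level: leads per WHERE value
        return Counter(lead.where for lead in self.leads)
def levenshtein(a, b):  # edit distance, used for the fuzzy WHAT comparison
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def similarity(a, b):  # 1.0 for identical strings, lower the more edits are needed
    return 1 - levenshtein(a, b) / (max(len(a), len(b)) or 1)

def cluster_leads(leads, min_ratio=1.0, lifespan_days=30):
    """Group by detector AND WHAT; min_ratio < 1.0 accepts near-identical WHAT values.
    A cluster closes lifespan_days after its last update; later matching leads open a new one."""
    clusters = []
    for lead in sorted(leads, key=lambda l: l.ts):
        for c in clusters:
            if (c.detector == lead.detector
                    and lead.ts - c.last_updated <= timedelta(days=lifespan_days)
                    and similarity(c.what, lead.what) >= min_ratio):
                c.leads.append(lead)
                c.last_updated = lead.ts
                break
        else:
            clusters.append(Cluster(lead.detector, lead.what, lead.ts, [lead]))
    return clusters

# Constructed leads mirroring the example (11 Orca PII alerts: 6 on hunters-eu-eks, 5 on k8s), plus one after the 30-day lifespan
T0, PII = datetime(2024, 1, 1), "Potentially personal information found"
SAMPLE = [Lead("Orca", PII, w, T0 + timedelta(hours=i)) for i, w in enumerate(["hunters-eu-eks"] * 6 + ["k8s"] * 5)]
SAMPLE.append(Lead("Orca", PII, "k8s", T0 + timedelta(days=45)))  # idle > 30 days: opens a fresh cluster
```

Running `cluster_leads(SAMPLE)` yields one cluster of 11 leads with contexts {hunters-eu-eks: 6, k8s: 5} and a second, single-lead cluster for the late alert; lowering `min_ratio` shows how a detector configured with a Levenshtein ratio merges WHAT values that differ by a few characters.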
If you have email notifications set up for new alerts, Hunters sends only one email notification per cluster or context every 14 days to avoid flooding your inbox. This means that if a new alert is created from a cluster or context you were already informed about, you will not get an email notification unless 14 days have passed.