WP - Cyber Command Whitepaper


Sangfor Technologies

Cyber Command
White Paper

November 2020

Sangfor Technologies

Block A1, Nanshan iPark, No.1001 Xueyuan Road, Nanshan District, Shenzhen, China

+60 12711 7129 (7511) | E.: sales@sangfor.com | W. : www.sangfor.com


Copyright Statement

The copyright of this document belongs to Sangfor Technologies Inc., which shall reserve the right for final
interpretation of and modification to this document as well as this statement.

The copyright or other related rights for all information in this document, including descriptions, formats,
illustrations, photos, methods and processes, shall be attributed to Sangfor Technologies Inc. unless
otherwise specified. This document may not be reproduced, extracted, backed up, modified, transmitted,
translated or used wholly or partially for commercial purposes in any way without the written consent of
Sangfor Technologies Inc.

Disclaimer

This document is only intended to provide information to end users, and is subject to change or
withdrawal without prior notice. Sangfor Technologies Inc. has taken measures to ensure the accuracy
and reliability of this document, but does not provide any form of guarantee for accuracy and reliability.
In any case, Sangfor Technologies Inc. is not responsible for (including but not limited to) direct or indirect
loss or damage caused to the end user or any third party for the use of this document.
Feedback

For feedback or suggestions, please contact us through the following:

Global Service Center: +60 12711 7129 (7511)

Tel.: 0755-86627888

Fax: 0755-86627999

You can also visit our website for the latest technology and product information:

www.sangfor.com
Table of Contents

1. Introduction .............................................................................................................................................................. 6

1.1 Background................................................................................................................................................................. 6

1.2 New Threats ............................................................................................................................................................... 7

1.3 Countermeasures ....................................................................................................................................................... 7

2. Design Concept ..................................................................................................................................................... 7

2.1 Product Concept......................................................................................................................................................... 7

2.2 Product Positioning .................................................................................................................................................... 8

2.3 Solution Design........................................................................................................................................................... 8

2.4 Overall Value .............................................................................................................................................................. 9

3. Product Architecture ......................................................................................................................... 10

3.1 Hierarchical Design...................................................................................................................................................10

3.2 Big Data Architecture ...............................................................................................................................................12

3.3 Product Components ...............................................................................................................................................14

4. Application of Key Technologies ................................................................................................................. 15

4.1 UEBA .........................................................................................................................................................................15

4.2 Visible Traceability ...................................................................................................................................................16

4.2.1 Traffic Visualization ..................................................................................................................................................................... 16

4.2.2 Threat Hunting ............................................................................................................................................................................. 17

4.2.3 Unified Retrieval ........................................................................................................................................................................... 17

4.3 Application of Machine Learning Technology .........................................................................................................17

4.3.1 Accurate Detection of Known Threats ........................................................................................................................................ 18

4.3.2 Identification of Inside Attackers and Unknown Threats ......................................................................................................... 18

4.4 Deep Analysis of Threats ..........................................................................................................................................19

4.4.1 Deep Mining of Attack Events ...................................................................................................................................................... 19

4.4.2 Detection of Successful Attack Events ......................................................................................................................................... 20


4.5 Integration with Threat Intelligence ........................................................................................................................20

4.5.1 Hot Events ...................................................................................................................................................................................... 20

4.5.2 Sources of Intelligence .................................................................................................................................................................. 21

5. Product Deployment ........................................................................................................................ 22

5.1 Traffic Monitoring (Advanced Threat Monitoring) ..................................................................................................22

5.2 Security Operations Center ......................................................................................................................................23

5.3 Traffic Detection for Third-Party SOC/SIEM Platforms............................................................................................25

6. Functional Values ............................................................................................................................. 25

6.1 Valid Data Extraction ................................................................................................................................................25

6.2 Comprehensive Real-Time Monitoring System .......................................................................................................27

6.2.1 Vulnerability Detection ................................................................................................................................................................. 27

6.2.2 Inbound Threat Detection ............................................................................................................................................................ 28

6.2.3 Internal Threat Detection ............................................................................................................................................................. 29

6.3 Multi-Dimensional Early Warning for Visible Security ................................................................................................31

6.3.1 Macro-Level Monitoring ............................................................................................................................................................... 31

6.3.2 Micro-Level O&M .......................................................................................................................................................................... 34

6.4 Easy-to-Operate O&M & Response .............................................................................................................................35

6.4.1 Emergency Response .................................................................................................................................................................... 35

6.4.2 Analysis of Infected Areas ............................................................................................................................................................ 37

6.4.3 Proactive Traceability ................................................................................................................................................................... 39

6.4.4 Session Analysis ............................................................................................................................................................................. 39

6.5 Perceivable Threat Alerts .............................................................................................................................................40

6.6 Practical Toolkit ............................................................................................................................................................41

6.6.1 Data Sharing .................................................................................................................................................................................. 41

6.6.2 Security Event Database ............................................................................................................................................................... 42

7. About Sangfor .................................................................................................................................... 43


1. Introduction
1.1 Background

With the rapid growth of internet technology, the Internet has brought more and more value to today's enterprises. In
turn, it has also increased the size and complexity of enterprise networks and given hackers more and more ways to
steal confidential information and resources, and even damage enterprise assets. The low cost of launching cyberattacks
has even led enterprises in some industries to hire hackers to maliciously attack their competitors. For example,
launching a medium-sized DDoS attack may cost only a few thousand U.S. dollars. Unfortunately, most enterprises do
not take cybersecurity issues seriously enough or have no clear understanding of their own security posture, which is
why hackers have frequently succeeded and have caused significant damage in recent years.

According to a survey on security events made by Verizon, regardless of the initial reconnaissance and information
acquisition processes used, it takes only a few hours for an attacker to successfully compromise a network. However,
although the attack happens very quickly, more than 62% of enterprises often spend up to a month before an attack is
actually detected, and it takes days to weeks to respond to and remediate the attack. In a statistical survey of 1,928
attacks from 252 organizations around the world, the Ponemon Institute found that the average resolution time for an
attack is 46 days, and for every day that an attack is delayed in being discovered and resolved, the enterprise loses an
average of 21,155 USD.

Figure 1-1 The time it takes to discover and remediate an attack is significantly longer than the time it takes to launch
a successful attack (Source: Mandiant Research Report)

Hence, faced with higher network complexity and an ever-growing number of network vulnerabilities, it is increasingly
difficult to prevent hackers from invading the enterprise network, even when there is a perimeter security device in
place, causing an imbalance between attacks and security defense.
1.2 New Threats

Over the past few years, the number of network attacks has grown exponentially, affecting enterprise networks of all
sizes and industries. However, traditional threat detection methods based on blacklists and whitelists, signatures and
detection rules are no longer adequate to cope with constantly evolving network threats and IT environments. Among
these threats, newly emerging and advanced persistent threats (APT) are especially hard for enterprises to prevent
effectively.

Traditional security defense measures are not enough to solve the problem of advanced threats. Rather, they often
lead to fragmented security and do not provide complete network protection. In addition to this, security is made even
more complicated by the integration of multiple security devices operating simultaneously in the network. In the
absence of unified visibility and correlation capabilities, organizations are unable to bridge data islands and implement
fully coordinated defense.

1.3 Countermeasures

As advanced threats have continued to evolve, the cost of post-attack detection has continued to increase, as has the
overall impact of security events. As a result, people's perspective on detection and defense has changed dramatically.
More and more professionals are recognizing the need to shift from systems that rely on a single device, a single
approach and a single defense focus, to an adaptive protection system that integrates detection, defense and response.
This includes providing overall security visibility across the entire attack chain. According to Gartner, by 2020,
enterprise security departments will be devoting an estimated 60% of their budgets to security detection and response
just to cope with the increasingly complex cybersecurity environment.

Therefore, threat detection products based on big data technology and intelligent analysis have been created to
address these problems. Sangfor Cyber Command is designed to help enterprises detect hacker intrusions, attacks and
malicious insiders faster and more accurately, thus increasing the security of networks and reducing the losses caused
to enterprises by malicious attacks.

2. Design Concept
2.1 Product Concept

Analyzing Verizon's survey results, we found that there are many reasons for the imbalance between attacks and security
defense, including bypassing traditional defense, application of advanced threat techniques and attack automation.
These factors are naturally a growing concern for security operators and enterprises.

Even after deploying multiple security devices, I still don't know if it is safe or not. If it is unsafe, which parts are unsafe?

How do I know that my network isn't impacted already?

What should I do now?


Based on years of experience in cybersecurity operation and maintenance (O&M), Sangfor believes the above-
mentioned concerns represent a common problem with internal cybersecurity in the current industry.

That is why we have designed Sangfor Cyber Command based on the following objective:

Develop an intelligent and accurate cybersecurity platform with visibility and integrated network defense at its core,
which facilitates expert emergency response and allows operators to monitor, alert and deal with threats in real time.

2.2 Product Positioning

Traditional cybersecurity solutions often lead to fragmented defense systems, which make security O&M exceedingly
complicated and make it difficult for enterprises to build an effective, comprehensive security system.

Therefore, just like the human brain that controls the whole body in a coordinated way, security defense also needs a
central command center.

That is the basis for the proposition of Cyber Command:

Build a unified operations platform that serves as the "brain" of the security center, which leverages visualization
technology and big data analytics, and combines coordinated defense capabilities with expert emergency response to
make security simpler and easier to operate.

2.3 Solution Design

As shown in the figure above, Cyber Command, which is designed for full traffic analysis, collects key data from the
whole network based on security components such as STA (see Section 3.3). With Cyber Command acting as the brain
of the security center, it ensures network service visibility and accurate threat detection by monitoring traffic
throughout the whole network. It combines threat intelligence, user and entity behavior analytics (UEBA), machine
learning, big data correlation analysis, visualization and other techniques to fully detect stealth threats. At the same
time, it provides an easy-to-operate support system, which allows for intervention and emergency response from
security experts, and reduces security event response times and improves the capability of detecting advanced threats.

2.4 Overall Value

The key values of Sangfor Cyber Command include:

1. Visible Global Security

Using full traffic analysis, effective multi-dimensional data collection and intelligent analysis capabilities, Cyber
Command monitors the network's security situation in real time, including internal lateral threats, risky outbound
connections and server vulnerability risks across the whole network. Administrators can determine clearly whether the
whole network is secure, which parts are vulnerable and where the attack points are located. Security capabilities are
built to facilitate "pre-event monitoring, mid-event analysis and post-event detection" centered around the attack
chain, and enhance decision making by identifying all threats throughout the network.

2. Big Data Analysis and Information Retrieval

Cyber Command, which is designed based on the big data framework of Hadoop and Elasticsearch engine, supports
the storage of terabytes of mass data and correlation analysis by default, and allows expansion through clustering and
other means.

Cyber Command is also created from the accumulation of years of R&D achievements in big data performance
optimization made by the Sangfor data analysis team, which gives it the ability to manage trillions of data points and
perform second-level query.

3. Intelligent Analysis to Cope with Unknown Threats

Because attack techniques, variants and evasion techniques continue to evolve, traditional security devices with
defense mechanisms based on static rules cannot meet new security demands. Relying on such rules can only defend
against a small number of known threats, and it is not effective for detecting new attacks and unknown threats. With
intelligent analysis technology and new technologies such as machine learning, correlation analysis and UEBA, Cyber
Command is able to detect advanced and latent threats such as APT, as well as newly emerging threats, and it can do
so without updating detection rules.

4. Real-Time Monitoring and Accurate Warning

By collecting and analyzing network traffic, endpoint logs and third-party logs, Cyber Command can monitor both
known threats (botnets, Trojans, worms, abnormal traffic, vulnerabilities, etc.) and unknown threats (botnets, APTs,
0-day vulnerabilities, etc.) in real time. When threats are identified, it can also give accurate warnings and provide a
combination of intelligent analysis and convenient operation support, all of which simplifies security O&M.

5. Efficient Correlated Response and Advanced Closed-Loop Solutions


Cyber Command integrates with other Sangfor security devices (see Section 3.3 for details), not only using them to
collect security data, but also correlating them to respond when security events occur or risks begin to spread internally.
Correlated response includes blocking, internet access management and endpoint security monitoring, which can
effectively allow administrators to implement closed-loop security solutions (see Section 4.1 for details of integration).

6. Evidence Collection and Impact Assessment

Traditional security analysis, which mainly relies on logs and takes IP addresses as the source of analysis, makes it
difficult to collect specific evidence for threat events and determine the overall impacts.

Cyber Command automatically divides IPs by asset type and assesses damage from the perspectives of server security
and host security. Combined with detailed evidence of attacks, multi-dimensional latent threat detection and
GoldenEye Traceback based on visible traffic, it can clearly outline the scope of threat impacts and assess the actual
losses.

7. Traceability Support

The essence of proper traceability lies in effective data extraction. By using full traffic and third-party logs (middleware,
operating systems, security devices, etc.) as the basis for its data extraction capabilities, Cyber Command can extract
key metadata (Section 5.1) that facilitates threat analysis and traceability in real time. And, because it has the ability
to store terabytes of mass data and deploy clusters, it can store metadata for at least one full year. Meanwhile,
visualization technology is applied to establish a traceability support system that mainly focuses on visualized traffic,
GoldenEye Traceback, attack chain visualization, unified retrieval and big data capabilities, all of which provide strong
support for traceability analysis by security experts. (See Section 4.3)

3. Product Architecture
3.1 Hierarchical Design

Cyber Command is designed with a hierarchical data processing architecture that displays a complete logical process
for data processing from data collection to the final presentation of data analysis. The hierarchical design is shown
below:

Figure 3-6 Hierarchical Design of Overall Framework

⚫ Data Collection Layer

Collection covers host data, traffic collection, middleware data, third-party device logs and integration of threat
intelligence. This layer provides multiple interfaces for collecting and integrating traffic and log data, supporting syslog,
web service, RESTful API, WMI and other collection methods.

⚫ Data Pre-Processing Layer

This layer pre-processes the collected data, which includes data cleansing, data merging, and data enrichment. The
final data is converted into a format that is understandable by the platform and saved in files for further analysis.

⚫ Big Data Analysis Layer

This layer extracts the pre-processed data for offline computing or extracts Elasticsearch (ES) data for real-time
computing. It detects, analyzes and performs statistical calculation of security data across the whole network, and
presents the current situation of security threats by applying threat intelligence, behavior analysis, intelligent analysis
and other techniques. In addition, merging and alerting of data are realized using multiple built-in security association
rules.

⚫ Data Storage Layer

Analysis data and results are stored in the ES engine, ensuring fast retrieval. Recent statistical results that need to be
presented quickly are stored in MongoDB, where they can be read directly without the rendering and memory overhead
of querying the ES engine.

⚫ Data Service Layer

Data visualization is designed in an app-like way, by obtaining the data interface from the data storage layer, reading
display data and providing secure visualized service and external interface service.

In terms of visualization, it uses Ext as the JS framework, ECharts as the graphics library and Vue architecture for security
monitor visualization.

3.2 Big Data Architecture

The overall design framework has the following big data features:

⚫ Big Data Technical Architecture

Referencing the Hadoop computing framework, the MapReduce parallel computing framework is used for parallel
processing, which ensures reliability and fault tolerance, and provides support for large-scale cluster deployment and
analysis of massive data sets.

SparkSQL is used for structured SQL statement processing. The ES engine, a general engine for big data analysis, is used to
allow fast retrieval of basic metadata, analysis data and analysis results.

⚫ Cluster Deployment

Based on the Hadoop computing framework, it enables improvement of data storage and analysis performance in the
database-based cluster deployment mode.

It also supports cluster node management and up to 64-device clusters.


⚫ Intelligent Analysis Technology

Libraries such as MLlib are embedded for supporting machine learning (e.g. clustering, classification algorithms, etc.),
as well as correlation analysis. Currently, techniques such as machine learning and UEBA baseline analysis are available
on the platform.

Moreover, the intelligent analysis engine based on app-like design can be upgraded online or offline to quickly update
existing detection capabilities and integrate new detection techniques.

⚫ Big Data Processing and Visualization

Logstash is used as a log collection and pre-processing framework. Logstash, an open-source data collection engine
that supports real-time data pipeline functions, allows dynamic integration of dispersed data sources and standardizes
data according to different definitions. Any type of event can be analyzed and converted through the input, filter and
output plug-ins.

RocksDB is used to improve the performance of data service support. RocksDB is a high-performance embedded
database for Key-Value data storage (non-relational), which is optimized for multi-core CPU, SSD and I/O bound
workload and is very suitable for the data storage required for big data analysis.

ECharts is used as the visualized presentation framework for big data. ECharts is a commercial data chart library that
runs smoothly on PC and mobile devices and is compatible with most currently available browsers (IE6/7/8/9/10/11,
Chrome, Firefox, Safari, etc.). The underlayer provides intuitive, vivid, interactive and highly customizable data
visualization charts based on the lightweight Canvas class library ZRender, enabling it to mine and integrate big data.

⚫ High Performance Analysis

A single device can analyze 100 million logs in real time every day, generating about 3 TB of data in total. The table
below shows the performance of data processing:

Data Processing Performance

Procedure        Performance
Move to active   A single device supports 20,000+ EPS
Analysis         A single device supports 100,000+ EPS
Query            ⚫ For 32 GB memory, supports second-level query of over 100 billion logs.
                 ⚫ Supports real-time distributed search and analysis.


3.3 Product Components

The above figure shows the data processing flow of Cyber Command, and data sources are provided via the accessed
components. Components include basic components and expansion components, as shown below:

1. Basic Components (STA)

Stealth Threat Analytics (STA) is based on the X86 hardware architecture and is deployed in critical WAN areas to monitor
the mirrored traffic of the core switch. It also collects and detects full traffic, extracts valid data and reports it to Cyber
Command.

STA, which is embedded with web application attack detection rules and vulnerability exploit attack detection rules,
supports IDS detection and can detect known threats from traffic and send security logs to Cyber Command. In addition,
the built-in abnormal behavior detection engine matches traffic in real time. When abnormal behavior is found, traffic
fragments will be marked in the collected traffic data, and then transmitted to Cyber Command for deep correlation
analysis and identification of potential threats.

2. Expansion Components (IAM, Endpoint Secure, NGAF, SSL VPN, Central Manager)

The following components are Sangfor proprietary devices which compose the Sangfor security system and are used
as expansion components of Cyber Command. These components not only provide targeted security data input, but
also perform security protection and detection based on correlation rules.
Component Name: Internet Access Management (IAM)
Description: Sangfor IAM, which uses X86 hardware architecture, is connected to the network port for monitoring
users' online activities. After being integrated into Cyber Command, IAM can locate users (e.g., accurately locate IPs
under DHCP) and freeze the internet access of risky endpoints.

Component Name: Next-Generation Application Firewall (NGAF)
Description: With X86 hardware architecture, NGAF is generally deployed at the egress of the internet or Data Center.
After being integrated into Cyber Command, NGAF is used to collect data on external attacks and unauthorized access
that violates policies. It is also used to implement coordinated blocking of attack sources and implement ACL policy
control of abnormal access, thus equipping Cyber Command with basic defense capabilities. At the same time, because
Cyber Command is capable of detecting unknown threats, these two platforms coordinate effectively to defend against
unknown threats and provide targeted policy control on vulnerable entry points, so as to prevent attackers from
bypassing the security system at the egress.

Component Name: Endpoint Secure
Description: Sangfor Endpoint Secure can effectively guarantee the security of the endpoints on the network. After
being integrated into Cyber Command, Endpoint Secure can collect endpoint security logs from servers and hosts,
enhancing the endpoint analysis, traceability and evidence collection capabilities of Cyber Command. At the same
time, assisted by the virus scanning capabilities of Endpoint Secure, a closed-loop response solution can be quickly
initiated from Cyber Command.

Component Name: SSL VPN
Description: After being integrated into Cyber Command, Sangfor SSL VPN can synchronize user logs and management
logs of SSL VPN to Cyber Command. After SSL VPN data is merged into Cyber Command, when a security event occurs,
the corresponding host accessed through VPN can be identified. If a serious security event occurs, Cyber Command
can notify the user to go offline.

Component Name: Sangfor Central Manager
Description: Sangfor Central Manager is a solution developed for the centralized access, data display and management
of Sangfor’s different hardware and SAAS services. It allows for the access and management of a variety of different
types of devices and software versions deployed by medium and large-sized enterprises. It serves as a one-stop branch
networking solution featuring rapid deployment and high scalability based on business development and centralized
management, and ensures "ZERO IT" of branches.

4. Application of Key Technologies


4.1 UEBA

User and entity behavior analytics (UEBA) is a new analysis technology in the network security field which aims to
identify behavior anomalies based on analysis of users or entities. UEBA can identify different types of abnormal user
behaviors which could be interpreted as indicators of intrusion, inside attackers or other threats.

Cyber Command uses UEBA to analyze the behavior of internal users and assets, and constructs continuous learning
and behavior profiles. It first establishes a baseline for normal behaviors and then combines analytics to detect
abnormalities that deviate from the baseline. Finally, it gives a comprehensive score to the user or asset, so as to
identify inside attackers or latent threats and send early warnings.

During UEBA, Cyber Command also identifies and divides groups with similar behaviors and attributes through
clustering to recognize events which have a small probability of occurring, and can also predict trends of future risks
through group analysis:

⚫ Identification of anomalies through groups

For example, if different servers (such as web and database servers) are identified in the same group, it is possible that
servers are infected with the same botnets, Trojans and worms, thus having similar group behaviors. Based on what
was identified, Cyber Command can find anomalies and locate the source of the problem. This model can be extended
to detect anomalies in account behavior.

⚫ Prediction of future risk trends based on abnormal group relationships

With UEBA, Cyber Command can predict whether an abnormal or compromised endpoint will affect core assets within
the same group and whether it should be isolated from core assets based on the access relationship within the group.
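
As an added example (not Sangfor's code), the baseline-then-deviation scoring described above, in Python: each entity gets a baseline from its own history and from its peer group, and today's observation is scored against both. The entities, groups and counts are constructed, and the peer groups are assumed to be given by asset role rather than learned by clustering.

```python
"""Added example (not Sangfor code): a minimal UEBA-style scorer in the spirit
of Section 4.1. Each entity gets a baseline from its own history and from its
peer group; today's observation is scored against both. All data is constructed
and the peer groups are assumed to be given by asset role."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed learning-period observations: (entity, peer group, distinct targets
# accessed per day). Web servers talk to many hosts, the database server to few.
HISTORY = [
    ("web-01", "web", 12), ("web-01", "web", 14), ("web-01", "web", 11),
    ("web-02", "web", 13), ("web-02", "web", 12), ("web-02", "web", 15),
    ("db-01", "db", 3), ("db-01", "db", 4), ("db-01", "db", 3),
]
# Constructed observation for the day under analysis.
TODAY = {"web-01": 13, "web-02": 60, "db-01": 40}


def build_baselines(history):
    """Per-entity (mean, std) and per-group pooled (mean, std) of the metric."""
    per_entity, per_group, group_of = defaultdict(list), defaultdict(list), {}
    for entity, group, value in history:
        per_entity[entity].append(value)
        per_group[group].append(value)
        group_of[entity] = group
    ent = {e: (mean(v), pstdev(v)) for e, v in per_entity.items()}
    grp = {g: (mean(v), pstdev(v)) for g, v in per_group.items()}
    return ent, grp, group_of


def zscore(value, baseline, floor=1.0):
    """Standard deviations above/below the baseline. The std is floored so a
    very quiet learning period cannot turn a one-unit change into a huge score."""
    mu, sigma = baseline
    return (value - mu) / max(sigma, floor)


def score_entities(history, today, w_self=0.6, w_group=0.4):
    """Combine self-deviation and peer-group deviation into a 0..100 score.
    Only upward deviations count: being quieter than usual is not risk here."""
    ent, grp, group_of = build_baselines(history)
    result = {}
    for entity, value in today.items():
        z_self = zscore(value, ent[entity])
        z_group = zscore(value, grp[group_of[entity]])
        raw = w_self * max(z_self, 0.0) + w_group * max(z_group, 0.0)
        result[entity] = {
            "group": group_of[entity],
            "z_self": round(z_self, 2),
            "z_group": round(z_group, 2),
            "score": round(min(raw * 10, 100.0), 1),
        }
    return result


def anomalies(scores, threshold=50.0):
    """Entities whose score reaches the alerting threshold, sorted by name."""
    return sorted(e for e, s in scores.items() if s["score"] >= threshold)


if __name__ == "__main__":
    scores = score_entities(HISTORY, TODAY)
    for entity, s in scores.items():
        print(entity, s)
    print("anomalies:", anomalies(scores))
```

With these inputs web-02 and db-01 are flagged: web-02 deviates from both its own history and its web peers, while db-01 (a database server suddenly reaching 40 hosts) is the lateral-movement pattern the group comparison is meant to surface.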

4.2 Visible Traceability

Cyber Command innovatively visualizes network access and traffic, and also allows tracing by "identifying anomalies
based on normal behavior". A set of visual tools is formed by collecting full traffic and combining it with the deep
analysis of dozens of protocols and the collection, storage and correlation analysis of metadata. In this way, security
analysts can quickly trace traffic sources and distinguish abnormal behaviors from normal ones.

4.2.1 Traffic Visualization

Cyber Command performs in-depth auditing and data correlation on traffic collected network-wide and identifies
access relationships. It organizes and visualizes traffic according to lateral access, outbound access and inbound access.

Lateral (LAN to LAN) access analysis focuses on lateral scanning behavior, suspicious active access, risky application
access, etc., and can quickly analyze potential scanning behavior by ranking the number of accessed targets.

Outbound access analysis reveals the areas accessed by servers or hosts, allowing security analysts to search and trace
from "suspicious areas" and "suspicious applications and ports".

By visually narrowing down layer by layer, Cyber Command can pinpoint the owner of a specific source endpoint,
accessed applications, access duration and transmission data size, and it can uncover abnormalities hidden under
normal traffic.

4.2.2 Threat Hunting

Cyber threat hunting is a cyber defense activity that actively searches for latent threats.

Cyber Command develops a local threat intelligence center and combines it with the threat intelligence from Sangfor
Neural-X and visible local traffic to build a unified threat hunting portal. Analysts can search for a suspicious IOC to find
the detailed access relationships and clearly see who accessed it or who was accessed by it, as well as the ports and
applications used.

4.2.3 Unified Retrieval

To quickly retrieve the data correlated with a specific IOC, Cyber Command provides a unified retrieval portal for
threat hunting and uses a unified retrieval engine, based on the Kibana framework, to search security logs, third-party
logs and traffic metadata. It refines correlated queries using log data and combines them with queries on multiple
additional conditions. Moreover, it returns results over hundreds of millions of logs within seconds, facilitating rapid
traceability analysis.

4.3 Application of Machine Learning Technology

Traditional rule-based detection technology cannot detect the newest threats. However, Cyber Command’s detection
model based on machine learning can be used to identify unknown threats and suspicious activities, greatly improving
detection rates and reducing the dependence on the rule database.

Machine learning technology is applied to each process of the attack chain, thereby providing the basis for threat
tracing/hunting, as well as attack path and security visualization. It is mainly applied to the following two scenarios to
enhance Cyber Command's ability to handle known and unknown threats.

4.3.1 Accurate Detection of Known Threats

Scenario: Combined with signature detection to improve accuracy and detection rate.

Objective: Address the shortcomings of existing technologies in handling known threats, such as low detection rates
and high performance overhead, and replace rule-based detection with machine learning models to identify known threats.

Example: Integrate machine learning algorithms such as LSA, Auto Encoder, Logistic Regression and SVM with signature
detection, and apply them to ensure email communication security by recognizing threats such as spoofed and spam
emails.

4.3.2 Identification of Inside Attackers and Unknown Threats

Scenario: Identify variant behaviors, unknown threats and inside attackers.

Objective: When rule-based detection does not work, apply machine learning technology to behavior analysis to
identify small probability events and abnormal user behaviors.

Example: Sangfor Engine Zero, which is similar to other products such as Cylance and Webroot, can detect malicious file
threats based on machine learning technology without relying on virus databases.

Sangfor Engine Zero is an AI-powered malicious file detection engine which analyzes and synthesizes hundreds of
millions of original signatures using deep learning technology and selects thousands of the most effective
high-dimensional signatures according to the domain knowledge of security experts. Compared with traditional detection
engines based on virus signature databases, Engine Zero has the following advantages:

1. It has powerful generalization abilities, which can identify unknown viruses without the need for updating the model.

2. It has a strong ability to scan known family variants. For example, the detection rate of ransomware such as
WannaCry, BadRabbit and other wide-spread viruses is among the best in the industry.

3. It combines Neural-X and host correlation. Using operational analysis made by Sangfor Neural-X based on massive big
data, Engine Zero is constantly evolving to improve detection capabilities.

4.4 Deep Analysis of Threats

4.4.1 Deep Mining of Attack Events

Assets which are exposed to the internet may suffer a large number of attacks every day. The tens of thousands to
millions of alerts generated tend to bury targeted attacks and latent threats, which complicates IT O&M. Because it is
difficult to recognize real risks manually, operators are likely to overlook important threats and fail to identify risks in
time to mitigate them.

Cyber Command performs deep mining and analysis on attack logs, and correlates hundreds of millions of logs to events
using the built-in correlation analysis model. This reduces the large number of redundant alerts. Different from
traditional merging, Cyber Command correlates similar attack intentions to events, mines targeted attacks and gives
specific recommendations for remediating those events, thus creating a closed loop strategy for responding to attacks.
The results of deep mining of attack events are as follows:

Scenario 1: Multiple attack sources attack the same target during a very short duration.

Analysis: A targeted attack has occurred. There may be a vulnerability risk or an exposed entry point such as an open
port.

Recommendation: Scan for and identify vulnerabilities, or seek expert verification, and fix the vulnerabilities.

Scenario 2: The target is continuously attacked by a certain attack source (or multiple similar attack sources), involving
many types of attacks and no contextual continuity.

Analysis: There is a scanning attack. You can determine whether the attack source shifted from scanning to planning a
targeted attack (that is, the attacker has stopped scanning for vulnerabilities and has begun targeted probing)
according to the duration of the attack and the current attack position.

Recommendation: Block the IP address. In case of targeted probing, it is recommended to scan the target location for
vulnerabilities and fix them.
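
The two scenarios above, turned into correlation logic as an added example (not Cyber Command's own model): ten constructed alerts collapse to two events, one per scenario. "No contextual continuity" is approximated as many unrelated attack types from one source, and the window and count thresholds are assumptions.

```python
"""Added example (not Cyber Command's model): collapsing raw attack alerts into
events along the lines of Section 4.4.1. Scenario 1 = many sources hitting one
target inside a short window; Scenario 2 = one source hitting one target with
many unrelated attack types. Alerts and thresholds are constructed."""
from collections import defaultdict
from datetime import datetime

# Constructed alert log: (timestamp, source IP, target IP, attack type).
ALERTS = [
    ("2020-11-05T10:00:01", "203.0.113.5", "10.0.0.20", "sqli"),
    ("2020-11-05T10:00:07", "203.0.113.9", "10.0.0.20", "sqli"),
    ("2020-11-05T10:00:12", "198.51.100.3", "10.0.0.20", "sqli"),
    ("2020-11-05T10:00:30", "203.0.113.77", "10.0.0.20", "rce"),
    ("2020-11-05T11:00:00", "198.51.100.44", "10.0.0.31", "sqli"),
    ("2020-11-05T11:00:20", "198.51.100.44", "10.0.0.31", "xss"),
    ("2020-11-05T11:01:00", "198.51.100.44", "10.0.0.31", "path_traversal"),
    ("2020-11-05T11:02:30", "198.51.100.44", "10.0.0.31", "lfi"),
    ("2020-11-05T11:03:00", "198.51.100.44", "10.0.0.31", "rce"),
    ("2020-11-05T12:00:00", "192.0.2.8", "10.0.0.40", "sqli"),
]


def parse(alerts):
    return [(datetime.fromisoformat(ts), src, dst, kind) for ts, src, dst, kind in alerts]


def correlate(alerts, window_s=60, min_sources=3, min_types=4):
    """Group alerts per target and emit one event per matched scenario, carrying
    the analysis and recommendation the whitepaper attaches to that scenario."""
    by_target = defaultdict(list)
    for row in parse(alerts):
        by_target[row[2]].append(row)
    events = []
    for target, rows in by_target.items():
        rows.sort()
        # Scenario 1: slide a window forward from each alert and count distinct sources.
        for i, (t0, _, _, _) in enumerate(rows):
            window = [r for r in rows[i:] if (r[0] - t0).total_seconds() <= window_s]
            sources = {r[1] for r in window}
            if len(sources) >= min_sources:
                events.append({
                    "target": target, "scenario": 1,
                    "sources": sorted(sources), "alerts": len(window),
                    "analysis": "targeted attack; suspect a vulnerability or exposed entry point",
                    "recommendation": "scan the target for vulnerabilities and fix them",
                })
                break  # one Scenario 1 event per target is enough
        # Scenario 2: one source, many attack types with no shared context.
        by_source = defaultdict(set)
        for _, src, _, kind in rows:
            by_source[src].add(kind)
        for src, kinds in sorted(by_source.items()):
            if len(kinds) >= min_types:
                events.append({
                    "target": target, "scenario": 2,
                    "sources": [src], "alerts": sum(1 for r in rows if r[1] == src),
                    "analysis": "scanning; check whether it shifts to targeted probing",
                    "recommendation": "block the source IP; scan the target if probing continues",
                })
    return events


def reduction(alerts, events):
    """Redundant-alert reduction: how many raw alerts per emitted event."""
    return len(alerts) / len(events) if events else float("inf")


if __name__ == "__main__":
    evs = correlate(ALERTS)
    for e in evs:
        print(e)
    print("alerts per event:", reduction(ALERTS, evs))
```

The single alert against 10.0.0.40 matches neither scenario and stays an uncorrelated alert, which is the residue an operator still has to triage by hand.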

4.4.2 Detection of Successful Attack Events

For internal attacks or external attacks bypassing the security system, if we cannot know the impact on compromised
endpoints in a short period of time, it is difficult to identify which devices are controlled in time to prevent further
damage, thus leading to more unknown risks.

Therefore, based on years of research from the Sangfor security laboratory, Cyber Command builds an "attack
command and response model" based on machine learning and develops the ability to detect whether significant
attacks are successful. This is combined with the baseline learning of normal network requests from endpoints to assist
in assessing damages.

Cyber Command mainly focuses on critical vulnerability exploits, brute-force attacks and other attack types that have
a significant impact if they are successful. For example, for a Struts2 vulnerability attack, it can identify whether the
attack is successful, as well as the command statement and execution result of the attack, and can even identify the
impacts of the attack. For a brute-force attack, it can identify the protocol, the account which has been attacked and
other valuable information. Combined with traffic auditing, it can directly determine whether an endpoint has been
logged into or compromised.

4.5 Integration with Threat Intelligence

Cyber Command obtains machine-readable threat intelligence from Sangfor Neural-X and uses the local intelligent
analysis engine to analyze and compare traffic metadata collected in the local network in real time. This identifies
known threats and suspicious access behaviors while enhancing the accuracy and detection rate. For example, the
stealth tunnel communication behavior (such as DNS tunnel) found through behavior analysis alone is only cause for
suspicion. But if the IP address accessed by it is correlated to botnet, Trojan or worm information from threat
intelligence, then it is detected as remote control behavior by the analysis model.

At the same time, distributed threat intelligence can be combined with local traffic data to form local threat intelligence.
Security experts can use this local intelligence to swiftly and accurately identify the early signs of security threats faced
by assets and easily understand the latest threat trends, implement proactive defense and develop a quick response
strategy to precisely trace threats and attacks.

4.5.1 Hot Events

Cyber Command uses threat intelligence from Neural-X to build a threat intelligence detection model for "hot events".
This model extracts the most recent events and those with high impacts on business services (such as ransomware and
cryptomining) and quickly detects whether the hot events are present in the local environment. Moreover, Cyber
Command also provides fast alerts and convenient shortcuts to the home page to allow operators to handle high impact
events as quickly as possible.

4.5.2 Sources of Intelligence

Neural-X is a big data analysis platform for threat intelligence built by Sangfor which utilizes years of intelligence and
expert security experience. Neural-X data comes from Google's VirusTotal, CnCert's ANVA data sharing, data exchange
with other collaborating organizations, as well as data analyses of tens of thousands of Sangfor security devices
deployed in customer clusters in various industries. Neural-X mines and extracts data to develop precise, machine-
readable threat intelligence which is vital for providing early warnings for threats and attacks.

5. Product Deployment

Cyber Command is typically deployed in the management area and displayed as a management platform. (Switch
access is required to facilitate management and display.)

STA connects to a switch via a SPAN port to receive mirrored traffic from the switch for collection and detection, and
sends the results to the platform via network links for comprehensive analysis.

5.1 Traffic Monitoring (Advanced Threat Monitoring)

Pain Point:

Organizations often struggle with inadequate security measures, and are faced with serious inbound threats such as
botnets and ransomware. Many organizations may even suffer from APTs or advanced targeted attacks. They hope to
discover compromised internal endpoints and detect inside-attacker behaviors by constructing a security monitoring
system, so as to avoid impact on services and critical data leaks.

Deployment:

Sangfor Cyber Command and its base component, STA, constitute a traffic-based real-time monitoring system. Using
NTA, the system realizes continuous detection and early warning of known and unknown threats. Here is an example
of a specific deployment:

The above figure shows a common scenario for traffic monitoring. For a relatively critical area (such as the server and
financial office areas), the STA can be deployed on the L2 access switch in the area to collect traffic (see STA 2). Traffic
in other areas can be collected from the critical aggregation switch (see STA 1); it is recommended to filter mirrored
traffic to avoid duplicates.

In a multi-branch scenario (such as the management of multiple organizations), decentralized monitoring can be
achieved by deploying an STA in each branch. In that case, the network path from each STA to the Cyber Command
platform must be allowed.

Combined with the file threat identification component, this deployment can also be extended quickly into a
network-wide threat monitoring scenario based on NTA.

5.2 Security Operations Center

Pain Point:

Organizations have deployed a large number of security devices but lack an integrated security operations center.
Fragmented security information also renders complete security analyses very difficult to achieve. As a result, it is often
impossible for those organizations to confidently know whether the entire network is secure. Security operations are
further complicated because more security devices are continuously added making it difficult to bridge data islands.

Deployment:

Sangfor Cyber Command is designed to be the brain of the security operations center. It can receive workflow data
collected by STAs deployed in various areas, and can access various other types of data (see figure below):

1. Access to Sangfor proprietary devices. These include Sangfor's award-winning security devices, such as the NGAF
and IAM, which cover all O&M data across the network and in the cloud.

2. Access to third-party logs. The continuously enriched data collection and data normalization capabilities enable
Cyber Command to collect and merge logs of third-party devices.

This data is collected and sent to Cyber Command for correlation analysis, comprehensive presentation, and
convenient unified searching, thus fulfilling the needs of the security operations center and simplifying security O&M.

5.3 Traffic Detection for Third-Party SOC/SIEM Platforms

Pain Point:

Large-scale enterprises (such as banks) have constructed their SOC/SIEM platforms to collect logs from security devices
across the network, such as IDS/firewalls. However, because these devices can only detect traditional attacks and are
unable to cope with advanced/unknown threats, the SOC/SIEM platforms constructed are limited to only monitoring
known threats within the network. They cannot provide insight for advanced/unknown threats and internal data leaks.

Deployment:

Based on the traffic monitoring deployment scenario, data sharing is available for Sangfor Cyber Command deployed
with SOC/SIEM. By using syslog (including SEF/CEF/LEEF data formats) and a custom RESTful API, important analysis
results and data visualization content from Cyber Command are easily transmitted to third-party platforms. Cyber
Command's powerful analysis capabilities can serve as a useful threat analysis component or traffic collection and
analysis component for third-party SOC/SIEM platforms for O&M. In this way, it can quickly and easily equip third party
security devices with enhanced security analysis and visibility.

Cyber Command also supports access and transmission to multiple third-party platforms.
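
An added example (not Sangfor code) of the CEF syslog hand-off just described: an analysis result is serialized with the escaping CEF requires and parsed back, so that attacker-influenced fields such as a request URL containing "|" or "=" cannot break field boundaries on the receiving SIEM. The vendor and product strings and the event itself are constructed placeholders.

```python
"""Added example (not Sangfor code): packaging an analysis result as a CEF
syslog line for the third-party SOC/SIEM hand-off of Section 5.3, and parsing
it back. Vendor/product strings and the event are constructed placeholders.
Escaping follows the CEF spec: '|' and '\\' in the header; '=' and '\\' (plus
CR/LF) in the extension."""
import re

# Constructed analysis result: a brute-force attack judged successful.
SAMPLE_EVENT = {
    "id": "brute-force-success",
    "name": "Login succeeded | account compromised",
    "severity": 9,
    "ext": {
        "src": "203.0.113.5", "dst": "10.0.0.20", "dpt": 22,
        "request": "/login?user=admin&note=a|b",          # attacker-influenced field
        "msg": "57 failed logins then success\nsee event 42",
        "act": "isolate",
    },
}


def _esc_header(value):
    return str(value).replace("\\", "\\\\").replace("|", "\\|")


def _esc_ext(value):
    return (str(value).replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "\\r").replace("\n", "\\n"))


def to_cef(event, vendor="ExampleVendor", product="ExamplePlatform", version="1.0"):
    """CEF:0|Vendor|Product|Version|SignatureID|Name|Severity|key=value ..."""
    header = "|".join(_esc_header(v) for v in (
        vendor, product, version, event["id"], event["name"], event["severity"]))
    ext = " ".join(f"{k}={_esc_ext(v)}" for k, v in event["ext"].items())
    return f"CEF:0|{header}|{ext}"


_UNESC = {"n": "\n", "r": "\r"}
# key=value pairs; a value runs until the next " key=" or end of line.
_EXT_RE = re.compile(r"([A-Za-z0-9_.-]+)=((?:\\.|[^\\=])*?)(?=\s[A-Za-z0-9_.-]+=|$)")


def _unescape(value):
    return re.sub(r"\\(.)", lambda m: _UNESC.get(m.group(1), m.group(1)), value)


def parse_cef(line):
    """Split the seven header fields (honouring '\\|' and '\\\\'), then the
    key=value extension, where values may contain spaces but keys may not."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF line")
    fields, cur, i = [], [], 4
    while len(fields) < 7 and i < len(line):
        c = line[i]
        if c == "\\" and i + 1 < len(line):
            cur.append(line[i + 1]); i += 2
        elif c == "|":
            fields.append("".join(cur)); cur = []; i += 1
        else:
            cur.append(c); i += 1
    if len(fields) != 7:
        raise ValueError("truncated CEF header")
    ext = {m.group(1): _unescape(m.group(2)) for m in _EXT_RE.finditer(line[i:])}
    keys = ("version", "vendor", "product", "dev_version", "id", "name", "severity")
    return dict(zip(keys, fields), ext=ext)


if __name__ == "__main__":
    line = to_cef(SAMPLE_EVENT)
    print(line)
    print(parse_cef(line))
```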

6. Functional Values
6.1 Valid Data Extraction

In terms of data sources, Cyber Command can proactively collect valid data and prevent false positives caused by
excessive reliance on inbound threat intelligence, heterogeneity of internal network devices or inaccurate data. This
allows for intelligent, accurate, real-time security monitoring and early warning and provides powerful support for
effective tracking, traceability analysis and threat hunting.

To facilitate this, collected data should have the following properties:

1) It should allow for repeated analyses, such as traffic metadata.

2) It should be collected from the same sources, making it possible to understand and control false positives, such
as data from Sangfor's proprietary products.

3) It should be relevant to or directly generated by assets, such as logs of operating systems and middleware.

4) It should include associated information to support evidence collection, such as logs of third-party security devices
and network devices.

Based on the above properties, the data we collect and extract include:

Data Type: Traffic Metadata

1. Data from TCP, UDP, etc. in the form of NetFlow, recording all session information, state, size, etc.

2. Metadata in the form of xFlow (e.g., NetFlow and DNSFlow), which is extracted from data audited by dozens of network
protocols common to hacker attacks and services (HTTP, DNS, SMTP, FTP, SMB, database protocols, etc.). Data is
transmitted to the platform and includes all critical data of protocol traffic on layers higher than L4.

3. The collected metadata includes the common fields of network traffic and the key fields in every protocol. The former
includes time, Src IP, Src port, Dst IP, Dst port, protocol, and key data packets. The specific key fields vary across
protocols. For example, those of the HTTP protocol include the version number requested, URL, HOST, header fields,
BODY (length specified), status code, length, etc.

Data Type: File transmission data

Data of specific files and attachment information, which is restored from a specified scope in the protocols able to
transmit and download files (e.g., HTTP, FTP, mail) and transmitted to the platform for analysis and storage. This type
supports executable files, Office files, script files, files with suffixes inconsistent with the actual format, media files,
etc. and is aimed at discovering file and email threats (e.g., phishing emails).

Data Type: Logs of Sangfor's proprietary security devices

Security logs, audit logs, and login information collected from Sangfor's proprietary security devices (Section 3.3
Expansion Components). Based on the understanding of our own security system and correlation analysis rules, this is
the most advantageous data for security detection and auditing.

Data Type: Logs of operating systems and middleware

Logs of endpoints with Windows and Linux operating systems collected via WMI, web service, and syslog. They are used
by Cyber Command to store important logs and conduct correlation analyses, prevent data from being cleared by
attackers to sabotage traceability analysis, and also serve as the basis for evidence collection and the comprehensive
assessment of compromised endpoints.

Data Type: Management information of LAN hosts

Cyber Command is connected to VRV's LAN host management platform to collect detailed asset information of
registered hosts, including operating systems, personnel information, authentication information, etc. This is used to
visualize registered users and identify abnormal assets.

Data Type: Asset status

Status of important servers based on SNMP for visualized monitoring and recording and comparison of historical
baselines.

Data Type: Threat intelligence

Threat intelligence data derived from Sangfor Neural-X includes Sangfor's proprietary intelligence, intelligence from
Google's VirusTotal and shared third-party intelligence.

Data Type: Third-party logs

Data obtained from third-party devices using syslog, JDBC, web service, etc. for log collection and normalization.
Currently, more than 30 types of network and security devices are supported.

6.2 Comprehensive Real-Time Monitoring System

Network-wide threat intelligence requires a multidimensional system for monitoring and analyses. The real-time
security monitoring capabilities are constructed from three dimensions: vulnerabilities, inbound threats, and internal
threats. These three dimensions are combined to form a comprehensive detection system, but they each have their
own ultimate objectives:

⚫ Vulnerabilities: Focus on server assets to discover the entry points that are exposed and vulnerable to attack.

⚫ Inbound Threats: Discover entry points for intrusions and details of detection evasion, adapt defensive policies
according to the vulnerability intelligence, and decide how security needs to be strengthened.

⚫ Internal Threats: Discover compromised endpoints and inside attackers and uncover internal hidden threats, so as
to prevent propagation and further impacts to the network.

6.2.1 Vulnerability Detection

Assets are the most important point for network-wide security protection, especially server assets providing critical
services. All threats must exploit an existing vulnerability to cause damage to a server. The identification and
remediation of server vulnerabilities is thus pivotal in effectively preventing the occurrence of threats.
Server vulnerabilities are located rapidly in both active and passive ways based on vulnerability signatures. This allows
security staff to locate and grasp the condition of vulnerabilities rapidly by taking only basic measures.

Vulnerability detection includes the identification of the following types:

1) Vulnerabilities

Based on the passive traffic information of the STA component and vulnerability signatures, Cyber Command identifies
endpoints/URLs suspected to have specific vulnerabilities, collects evidence for suspected vulnerabilities, provides
suggestions for fixing them and helps security staff locate the vulnerabilities rapidly.

The active scanning based on expansion components (Sangfor Visioner and Sangfor Host Security) can conduct rapid
detection and analyses of endpoints, focus on specific vulnerability information and provide detailed suggestions for
fixing them.

2) Unencrypted web traffic

Identifies risks of data leaks due to critical information being submitted to websites without encryption, making data
susceptible to monitoring.

3) Weak passwords

Uses an NLP recognition algorithm and a brute-force dictionary library to identify logins with weak passwords over
login protocols including HTTP, FTPM and SMTP. A weak password is one that is not strong or complex enough, for
example a simple combination of numbers, one that is the same as the username, or one that is very short. A weak
password can be easily cracked by hackers, which would allow them to log in with valid usernames and passwords,
an activity that is difficult to identify.

4) Risky ports/applications

Identifies open risky ports of server assets and how the ports are used (e.g., standard ports running non-standard
protocols). It also identifies unauthorized connections resulting from exposed access methods of risky applications (e.g.,
RDP, SSH, and database). This relies on Sangfor's application identification capabilities which have been honed for over
a decade, making it able to identify the specific application even over non-standard ports.

6.2.2 Inbound Threat Detection

Inbound threat intelligence refers to the detection of WAN-initiated attack behaviors (from the internet or external
organizations). It monitors abnormal inbound traffic to critical assets, infrastructure, etc. by utilizing the access
firewall component, and allows operators to understand defense details, the risks remaining after security bypassing,
and the servers attacked. This includes:

⚫ Inbound attacks:

Details of attacks incurred (high-severity attacks, brute-force attacks, Webshell backdoor planting and exploit attacks),
statistics of attacked targets, and the distribution of attack sources.
Conducts intelligent analyses of attack details, identifies whether attacks bypass security devices and whether attacks
are successful, and conducts a qualitative assessment of the damages to provide a useful basis for strengthening
security.

⚫ Inbound risky access:

Identifies details of access from internet IP addresses to internal endpoints via remote login, database or other
applications. Administrators can analyze two potential problems based on the actual service condition and decide how
to fix them:

1. If important application ports such as those used for remote access are exposed on the internet, implement access
control to eliminate the risk.

2. If endpoints may have been remotely controlled by a hacker, troubleshoot the compromised endpoints.

6.2.3 Internal Threat Detection

Internal threat detection includes compromised endpoint detection, outbound threat detection, and lateral threat
detection. It is used to detect hidden network intrusions, internal malicious behavior and hidden threats that have
successfully bypassed perimeter security devices.

⚫ Compromised Endpoint Detection

A compromised endpoint is one that is controlled by an attacker as a result of threats such as APT attacks, botnets,
Trojans, and worms.

Cyber Command combines analytics (including the correlation analysis engine, intelligence analysis technology, threat
intelligence correlation, etc.) to discover compromised internal endpoints, and discovers all events occurring in the
endpoints at every stage of the attack by utilizing the attack chain. Based on the details of the event, it also determines
the endpoint status and shows threat levels based on confidence and severity.

Confidence indicates the probability of endpoints being compromised (compromised, high confidence, low confidence
and normal).

Severity indicates the level of threat posed by the endpoints to the LAN and WAN (high-severity, medium severity, low
severity and normal).

⚫ Outbound Threat Detection

Based on the collection of north-south traffic, outbound threat detection uncovers and analyzes abnormal outbound
behaviors from the following aspects:

1. Outbound Attack:

Cyber Command identifies attack behaviors of internal endpoints targeting the internet. In most cases, a controlled
endpoint is utilized by an attacker to launch outbound attacks, such as DDoS and EternalBlue attacks, for the purpose
of profiteering. Discovering outbound attack behaviors helps detect controlled endpoints or malicious internal
endpoints.

2. APT C&C Communication:

Utilizing threat intelligence, Cyber Command discovers outbound connections with threat addresses, including C&C
Trojan communication, to uncover endpoints controlled by attackers.

3. Stealth Communication:

Based on machine learning algorithms and analyses of remote control behaviors, it detects stealth tunnels to identify
stealth communications between LAN endpoints and the WAN. Stealth communication is a common means of
communication used during APT attacks, targeted attacks, etc., to avoid being detected.

4. Risky Access of Servers:

Based on Sangfor network traffic and application identification technologies honed over decades, this is used to
discover servers using risky applications (including SSH and remote control programs) to communicate with the
internet. Applications can be accurately identified even if they use non-standard ports. This allows administrators to
discover the risk of servers being remotely controlled by considering service properties.

5. Suspicious Outbound Activities:

This detects suspicious activities that are not outbound attacks but are considered abnormal endpoint behaviors, such
as mining Bitcoin, downloading executable files from unknown sites and accessing malicious links. When an endpoint
(especially a server) shows suspicious outbound connection activity, it indicates that the endpoint may be under the
control of a hacker who is using it for profiteering.

⚫ Lateral Threat Detection

By collecting east-west traffic and utilizing UEBA technology and behavior analysis, lateral threat detection uncovers
abnormal threat behaviors between LAN endpoints and locates abnormal endpoints acting as inside attack sources.
Analyses are conducted from the following aspects:

1. Lateral Attack:

Based on rule detection, baseline analysis, and machine learning algorithms, this identifies LAN endpoints initiating
lateral attacks on other LAN endpoints, including exploit attacks or virus transmission to the SMB server. It can also
discover potential affected endpoints and suspicious insiders.

2. Unauthorized Access:

This provides a form of ACL-based rule. For policies regarding IP addresses, services, ports, access time, etc.,
administrators can establish targeted logic rules for services and application access in the form of whitelists and
blacklists in order to identify unauthorized behaviors as early as possible.

3. Suspicious Activity:

This identifies suspicious LAN to LAN activities which are distinct from specific types of attacks. These include the
downloading of sensitive files, scanning behavior, abnormal traffic behavior, abnormal file uploading, etc. This is used
to discover behaviors that indicate hidden attackers within the network.

4. Risky Access:

This identifies internal endpoints using risky applications (such as remote login or database) to access other lateral
endpoints or servers and audits accessibility. This function provides strong support for administrators to sort out LAN
permissions and identify suspicious endpoints and abnormal logins.

6.3 Multi-Dimensional Early Warning for Visible Security

Visible security is at the core of security detection. Cyber Command's visualization technology helps achieve complete
transparency and early warning of threats throughout the network. The network information and analysis results are
presented to facilitate decision making, operation and maintenance, which help operators in different roles make
better decisions and respond more effectively.

6.3.1 Macro-Level Monitoring

The dashboard displays the network's overall security status, including security ratings and major events that have
occurred. This gives security operators a quick overview from which they can begin to evaluate root causes of security
issues (inadequate defense or internal threats) and decide which areas need to be strengthened.

Cyber Command also helps to facilitate macro-level decision making by providing five full-screen security monitors that
display the overall security status of the network. These security monitors can give corporate leaders and others a clear
understanding of the network's overall security status:

Security monitors display the network’s security status from the five different aspects shown below.

1) Security Event Monitor

This displays real-time information about current pending security events and those having the greatest range of
impacts. The multiple sections within the monitor show the response to, and tracking of each event in real time. It is
used for reporting and monitoring and is particularly useful for monitoring major events (such as ransomware).

2) Global Attack Monitor

Based on global GIS and a map of the country, this function displays current attacks and threats in real time, and can
also show historical attacks. It includes count and ranking of attack sources, as well as separate displays for domestic
and overseas attacks. It reflects the real-time situation of network attacks and draws immediate attention to inbound
threats from outside the country.

3) Outbound Threat Monitor

This displays abnormal access behaviors initiated by all business assets and servers targeting the internet (not including
whitelist communication and normal access). It is used for monitoring the presence of unknown threats on servers and
marking risky outbound access, accessed areas, accessed targets, and the overall current status of outbound
connections.

4) Lateral Threat Monitor

This shows the details of LAN endpoints attacking other LAN endpoints. It is used for visualizing lateral attacks and
abnormal lateral access, as well as identifying suspicious jump servers or potential inside attackers on the LAN.

5) Global Attack Monitor (3D)

This monitors inbound attacks and the countermeasures taken against them in real time, from both domestic and overseas
perspectives. It provides an attack overview together with the attackers, victims, attack methods and attack trends.

Monitors can also be opened in a slide show display which continually cycles through all five security monitors.

6.3.2 Micro-Level O&M

While security monitors give all personnel an overall view of network security, Cyber Command modules provide the
network's security operators with more granular capabilities for micro-level operation and maintenance. These include
detailed intelligence on specific threats by endpoint type, as well as detailed evidence collection and effective
response suggestions. This establishes a logical chain of response and simplifies security O&M by giving operators a
higher level of security awareness and allowing them to conduct network-wide operations more efficiently and more
effectively.

Home:

This module gives operators an overview of the security situation across the network and instantly displays the
occurrence of critical risks related to services, assets, hosts, and vulnerabilities.

Response:

This module displays all detected and handled events/endpoints from the perspective of O&M. It also guides O&M by
showing security ratings, event descriptions, response suggestions, coordinated operations, and changes in response
status, which simplifies O&M and establishes a fixed logic chain of response (see Section 5.4 for details).

Contents of the Response module include details for risky servers, risky hosts, risky security domains, security events
(correlation mode) and response policy, allowing administrators to quickly respond based on the security focus. For
example, if administrators want to focus only on server security, they can go directly to the Risky Servers page to view
and respond to threats without needing to apply any filters.

Detection:

The Detection module incorporates Cyber Command's technologies such as visual threat tracking, traceability analysis,
intelligence correlation and behavior analytics to provide visualized data. It can also display security events that are yet
to occur but suspected to. By discovering data anomalies, it also assists on-site experts and operators in conducting
analyses to distinguish abnormalities from normal phenomena.

6.4 Easy-to-Operate O&M & Response

To establish a fixed workflow and simplify O&M, this solution constructs a logical chain of analysis and response:
"emergency response > analysis of infected areas > entry point traceability > session analysis (of outbound data)". In
case of a security event, operators can respond rapidly by simply following this fixed response workflow.

6.4.1 Emergency Response

In case of a security event, rapid emergency response is critical in order to avoid propagation and serious impact to
critical services.

1. Correlated Response:

Cyber Command was originally deployed in bypass mode and thus could not take defensive measures by itself. To give
Cyber Command the ability to respond to threats, Sangfor incorporated a security integration system designed
specifically for coordinated threat response. This gives the platform defense capabilities through correlation, and
even enables active defense by coordinating with devices capable of network isolation. The three correlated response
mechanisms described below turn Cyber Command into an effective central security command system: it analyzes unknown
threats and targeted attacks across the network and uses correlation to apply targeted defenses, thus enabling active
defense across the entire network.

Three-Level Correlated Response:

⚫ One-click block:

This function coordinates defensive security devices to block threats and attack sources and to cut off communication
with viruses and Trojans with a single click. The specific approaches are as follows:

Correlated Block: achieved by coordinating with Sangfor NGAF and Endpoint Secure. It blocks inbound or outbound access
for all configured endpoints.

Access Control: achieved by coordinating with Sangfor NGAF and Endpoint Secure. It can block all protocols or traffic
to or from a specified IP address or port number for a configured duration.

Account Lockout: achieved by coordinating with Sangfor IAM. Based on user authentication scenarios, it prevents risky
endpoints from accessing the internet, thereby avoiding threat propagation or outbound threats that may affect the
reputation of the organization.

⚫ Notification to users:

Achieved by coordinating with Sangfor IAM. It notifies risky users (optional feature) of the threats affecting them and
gives detailed response guidance when they access the internet, simplifying IT O&M and allowing multiple users to be
handled automatically.

⚫ Endpoint scan:

Achieved by coordinating with Sangfor Endpoint Secure. It closes the loop by directing Endpoint Secure to scan risky
endpoints. For unknown suspicious activities, it traces the threats and locates process files by collecting host logs
and process information from Endpoint Secure.

2. Knowledge Base Guidance

During the process of emergency response, Cyber Command provides a detailed description of all the events it has
discovered, including evidence, principle of the event, and a risk description, which gives operators a complete view of
security events.

By constructing a local knowledge base (with online updates available), Cyber Command provides users with useful
suggestions for remediation based on event responses and security enhancements. At the same time, drawing on years
of experience from Sangfor's security service team, it provides detailed experience-based guidelines for manual
response and detailed guidance for operators who may lack security response awareness.

6.4.2 Analysis of Infected Areas

After the security event response, Cyber Command provides visualization tools based on the analysis of infected areas.
These tools are used to analyze the impact caused by risky endpoints and determine the internal and external assets
that have been impacted, as well as which assets need to be dealt with in subsequent responses. They are also used to
evaluate the overall degree of the damage.

The figure below shows details of the impact to the immediate areas around the selected endpoint, including the
internet and LAN. The colors of nearby endpoints indicate whether they are affected, and can even show if they are
compromised.

For events involving multiple endpoints, Cyber Command provides a visualization of the overall impact, including
details which show the current scope of impact across the network (for example, whether any critical asset is damaged),
in order to evaluate the severity of the event.

6.4.3 Proactive Traceability

Using proactive traceability analysis, Cyber Command analyzes the entry points of attacks and reveals the way the
known threats enter the LAN to reinforce security, prevent intrusion and avoid the occurrence of similar events.

Cyber Command traces attack sources along a timeline, allowing it to trace back and identify the specific attack, the
attack vector (the vulnerability used in the intrusion), and the point at which an endpoint was compromised. From this
it deduces the attackers most likely responsible for the attack and equips on-site security staff with the capabilities
needed for rapid analysis and tracing.

Combined with the knowledge base, the platform automatically provides targeted suggestions for reinforcing security
based on the results of the proactive traceability analysis.

6.4.4 Session Analysis

Based on the traffic and session data collected, this function analyzes whether compromised endpoints have initiated
suspicious internal or external sessions and whether there are risks of data being sent out or leaked. This facilitates the
analysis of other threats after tracking and response.

Details of communication traffic are visible:
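
The following is an added example, not Sangfor's code, showing the kind of computation behind the infected-area view
of Section 6.4.2 and the session analysis of Section 6.4.4. Starting from one compromised endpoint, it walks the
internal sessions that endpoint (and every host it reached) initiated to build the infected area with a hop distance
for each host, flags critical assets inside that area, and separately lists the endpoint's outbound sessions to
destinations outside the whitelist, marking large transfers as possible data leakage. The hosts, subnets, byte counts,
whitelist and thresholds are constructed sample values, not data from the product.

```python
"""Added example (not Sangfor's code): infected-area and outbound-session
analysis over constructed session records."""
from collections import deque
from ipaddress import ip_address, ip_network

# Constructed session records: (source, destination, destination port, bytes sent)
SESSIONS = [
    ("10.0.1.10", "10.0.1.20", 445, 2_000),
    ("10.0.1.10", "10.0.2.5", 3389, 1_500),
    ("10.0.2.5", "10.0.2.50", 445, 800),             # second hop via 10.0.2.5
    ("10.0.1.10", "203.0.113.7", 443, 250_000_000),  # large upload to an unknown host
    ("10.0.1.10", "198.51.100.9", 443, 50_000),      # whitelisted update server
    ("10.0.3.3", "10.0.1.10", 22, 300),              # inbound session, not an impact
]
INTERNAL_RANGES = [ip_network("10.0.0.0/8")]         # constructed LAN range
WHITELIST = {"198.51.100.9"}                         # permitted external destinations
CRITICAL_ASSETS = {"10.0.2.50": "database server"}   # constructed asset inventory
LEAK_THRESHOLD_BYTES = 100_000_000                   # constructed volume threshold


def is_internal(addr):
    return any(ip_address(addr) in net for net in INTERNAL_RANGES)


def infected_area(compromised, sessions=SESSIONS):
    """Breadth-first walk over internal sessions initiated by already-reached
    hosts. Returns {host: hops from the compromised endpoint}; the hop distance
    is what a map view would colour as 'nearby affected' versus 'further away'."""
    reached = {compromised: 0}
    queue = deque([compromised])
    while queue:
        current = queue.popleft()
        for src, dst, _port, _sent in sessions:
            if src == current and is_internal(dst) and dst not in reached:
                reached[dst] = reached[current] + 1
                queue.append(dst)
    return reached


def critical_in_area(area):
    """Critical assets inside the infected area, excluding the origin itself."""
    return {h: CRITICAL_ASSETS[h] for h, hops in area.items()
            if hops > 0 and h in CRITICAL_ASSETS}


def outbound_sessions(compromised, sessions=SESSIONS):
    """External sessions the compromised endpoint initiated, minus the whitelist;
    each is tagged with whether its volume suggests data leaving the network."""
    findings = []
    for src, dst, port, sent in sessions:
        if src == compromised and not is_internal(dst) and dst not in WHITELIST:
            findings.append({"dst": dst, "port": port, "bytes": sent,
                             "possible_leak": sent >= LEAK_THRESHOLD_BYTES})
    return findings


def event_severity(compromised, sessions=SESSIONS):
    """Overall damage rating: critical if a critical asset is in the area or data
    may have left the network; high if any internal host was reached; else medium."""
    area = infected_area(compromised, sessions)
    leaked = any(f["possible_leak"] for f in outbound_sessions(compromised, sessions))
    if critical_in_area(area) or leaked:
        return "critical"
    return "high" if len(area) > 1 else "medium"


if __name__ == "__main__":
    origin = "10.0.1.10"
    area = infected_area(origin)
    print("infected area (host: hops):", area)
    print("critical assets reached:", critical_in_area(area))
    print("risky outbound sessions:", outbound_sessions(origin))
    print("severity:", event_severity(origin))
```

Sessions are followed only in the direction they were initiated, so the inbound SSH session from 10.0.3.3 does not
pull that host into the area; whether a two-hop neighbour is really compromised still needs endpoint evidence, which is
why the page pairs this view with endpoint scanning.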


6.5 Perceivable Threat Alerts

To facilitate O&M experience and expert security analysis, Cyber Command incorporates perceivable threat alerts,
making threats highly recognizable and easy to understand.

1) Tag-Based

Every security event alert carries colored tags with short captions giving the threat category, detection technology
and family name. Each tag also has a detailed description. In the example shown below, users can quickly and easily
recognize that the event is related to ransomware.

2) Descriptive Rating

As shown below, to make the importance and urgency of ongoing security events easier to understand, Cyber Command
provides two descriptive ratings ("Confidence" and "Severity") for each security event. Confidence indicates the
likelihood that the evaluated endpoint has been compromised in the current event (that is, whether there is direct
evidence proving that the endpoint is compromised). Severity shows the level of impact the event has on the LAN and
WAN.

3) Story-Telling Correlation Analysis

When combined with granular data collection from the STA component, Cyber Command's intelligent analysis
capabilities provide important insights related to attack techniques across the entire attack chain. Cyber Command
detects all security events at each attack stage as well as their resulting impacts.

For every security event that occurs, it uses the built-in correlation model to correlate the time sequence, the sizes
of sent packets, relevant security logs and vulnerabilities. This forms a correlated set of security events that links
each event to the next and presents the results from the perspective of the attack chain. For example, if an endpoint
suffers an RDP brute-force attack and EternalBlue activity is present across the LAN, this function will raise an alert
for a possible Globeimposter ransomware attack. If it finds a server on the LAN under EternalBlue attack, it will check
whether that server actually has the EternalBlue vulnerability and send early warning notifications.
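
The following is an added example, not Sangfor's code, illustrating the two correlations the paragraph above describes.
A rule names an ordered chain of detection tags that must occur on the same host inside a time window, and a completed
chain is reported as one correlated event; a separate check matches an exploit attempt against a vulnerability
inventory so that only hosts where the exploit can actually succeed produce an early warning. The hosts, tag names,
timestamps, window length and inventory are constructed sample values, not the product's correlation model.

```python
"""Added example (not Sangfor's code): chain-based event correlation and
vulnerability-aware early warning over constructed detections."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    time: datetime
    host: str
    tag: str           # detection tag, e.g. "rdp_bruteforce" (constructed names)


@dataclass(frozen=True)
class Rule:
    name: str
    chain: tuple       # ordered tags that must all occur on one host
    window: timedelta  # span inside which the whole chain must complete
    severity: str


RULES = [
    # Mirrors the page's example: brute-forced RDP followed by EternalBlue
    # activity on the same host is reported as possible Globeimposter ransomware.
    Rule("Possible Globeimposter ransomware attack",
         ("rdp_bruteforce", "eternalblue_exploit"), timedelta(hours=6), "high"),
]

# Constructed vulnerability inventory: host -> set of unpatched weaknesses
VULN_INVENTORY = {"10.0.5.20": {"eternalblue"}, "10.0.1.10": set()}


def correlate(events, rules=RULES):
    """Walk each host's events in time order, advancing through a rule's chain
    one stage at a time. A chain whose first event is older than the window is
    abandoned so that unrelated detections are not glued together."""
    by_host = {}
    for ev in sorted(events, key=lambda e: e.time):
        by_host.setdefault(ev.host, []).append(ev)
    alerts = []
    for rule in rules:
        for host, evs in by_host.items():
            chain = []
            for ev in evs:
                if chain and ev.time - chain[0].time > rule.window:
                    chain = []                       # stale partial chain
                if ev.tag == rule.chain[len(chain)]:
                    chain.append(ev)
                    if len(chain) == len(rule.chain):
                        alerts.append({
                            "rule": rule.name, "host": host, "severity": rule.severity,
                            "chain": [(e.time.isoformat(), e.tag) for e in chain],
                        })
                        chain = []
    return alerts


def early_warnings(events, inventory=VULN_INVENTORY,
                   exploit_tag="eternalblue_exploit", weakness="eternalblue"):
    """An exploit attempt against a host the inventory lists as still vulnerable
    is an early warning; the same attempt against a patched host is only noise."""
    return [{"host": ev.host, "time": ev.time.isoformat(),
             "reason": f"{weakness} present on host and under attack"}
            for ev in events
            if ev.tag == exploit_tag and weakness in inventory.get(ev.host, set())]


# Constructed sample detections
T0 = datetime(2020, 11, 5, 9, 0)
SAMPLE_EVENTS = [
    Event(T0, "10.0.1.10", "rdp_bruteforce"),
    Event(T0 + timedelta(minutes=40), "10.0.1.10", "eternalblue_exploit"),  # inside window: chained
    Event(T0 + timedelta(hours=1), "10.0.5.20", "eternalblue_exploit"),     # vulnerable server: warning
    Event(T0 + timedelta(hours=11), "10.0.7.7", "rdp_bruteforce"),
    Event(T0 + timedelta(hours=20), "10.0.7.7", "eternalblue_exploit"),     # 9 h apart: not chained
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print("correlated:", alert)
    for warning in early_warnings(SAMPLE_EVENTS):
        print("early warning:", warning)
```

Events are sorted before correlation, so out-of-order delivery from collectors does not change the result; the window
is the main tuning knob, since a window that is too wide links unrelated noise and one that is too narrow misses slow
intrusions.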

6.6 Practical Toolkit

Cyber Command provides various practical toolkits to facilitate security O&M.

6.6.1 Data Sharing

For multi-branch management and scenarios with multiple peer organizations (such as cascading deployments or multiple
platforms in a private network), data sharing is necessary for the platform to cope with new threats. Therefore, the
platform uses RESTful API communication and syslog to establish an integration channel. When all platforms are security
intelligence platforms or are connected using the same formatting standards, rapid data sharing becomes available.

The figure below shows how it can be configured and what data types can be transmitted to third-party platforms. The
RESTful API uses HTTPS to secure communication, and the flexible interface can be customized to provide a dedicated
data-sharing channel.
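
The following is an added example, not Sangfor's code, showing what the two channels named above carry at the wire
level: one security event rendered as an RFC 5424 syslog message with a structured-data element, a parser that reads
such a message back (honouring the escaping rules for quotes, backslashes and brackets inside parameter values), and
the matching JSON body with a TLS context for the RESTful channel. The event fields, the origin host name and the
SD-ID are constructed sample values; 32473 is the enterprise number reserved for documentation, not Sangfor's.

```python
"""Added example (not Sangfor's code): event sharing over syslog (RFC 5424)
and a JSON body for a RESTful HTTPS channel, with constructed sample data."""
import json
import ssl

# Constructed sample event as the sharing platform would export it
EVENT = {
    "id": "evt-0001",
    "time": "2020-11-05T08:30:00Z",
    "host": "10.0.1.10",
    "category": "ransomware",
    "severity": "high",
    "confidence": "high",
    "description": 'RDP brute-force then EternalBlue exploit ["chain"]',
}
FACILITY_LOCAL0 = 16
# Map the platform's descriptive severity rating onto syslog severity codes
SEVERITY_CODE = {"critical": 2, "high": 3, "medium": 4, "low": 6}
SD_ID = "secevent@32473"   # 32473 is the documentation enterprise number (assumption)
SD_FIELDS = ("host", "category", "severity", "confidence", "description")


def _escape(value):
    # RFC 5424 requires '\', '"' and ']' inside a PARAM-VALUE to be backslash-escaped
    return value.replace("\\", "\\\\").replace('"', '\\"').replace("]", "\\]")


def syslog_line(ev, origin="cyber-command-01"):
    """Render one event as an RFC 5424 message: header, one SD element, free-text MSG."""
    pri = FACILITY_LOCAL0 * 8 + SEVERITY_CODE[ev["severity"]]
    params = " ".join(f'{k}="{_escape(str(ev[k]))}"' for k in SD_FIELDS)
    return (f'<{pri}>1 {ev["time"]} {origin} cyber-command - {ev["id"]} '
            f'[{SD_ID} {params}] {ev["description"]}')


def _parse_sd_element(text):
    """Scan one '[SD-ID name="value" ...]' element, undoing escapes; returns (sd_id, params, rest)."""
    if not text.startswith("["):
        raise ValueError("structured data must start with '['")
    j = 1
    while text[j] not in " ]":
        j += 1
    sd_id, params, i = text[1:j], {}, j
    while text[i] == " ":
        eq = text.index("=", i + 1)
        name = text[i + 1:eq]
        if text[eq + 1] != '"':
            raise ValueError("PARAM-VALUE must be quoted")
        i, buf = eq + 2, []
        while text[i] != '"':
            if text[i] == "\\":
                i += 1             # take the escaped character literally
            buf.append(text[i])
            i += 1
        params[name] = "".join(buf)
        i += 1                     # skip the closing quote
    if text[i] != "]":
        raise ValueError("unterminated SD element")
    return sd_id, params, text[i + 1:]


def parse_syslog(line):
    """Parse an RFC 5424 message with at most one SD element (or '-') into a dict."""
    head = line.split(" ", 6)
    if len(head) < 7 or not (head[0].startswith("<") and head[0].endswith(">1")):
        raise ValueError("not an RFC 5424 message")
    pri = int(head[0][1:-2])
    rest, sd = head[6], {}
    if rest.startswith("-"):
        rest = rest[1:]
    else:
        _sd_id, sd, rest = _parse_sd_element(rest)
    return {"facility": pri // 8, "severity": pri % 8, "time": head[1], "origin": head[2],
            "app": head[3], "msgid": head[5], "sd": sd, "msg": rest.lstrip(" ")}


def rest_payload(ev):
    """JSON body for the RESTful channel carrying the same fields as the SD element."""
    return json.dumps({"event": ev, "schema": "secevent/1"}, sort_keys=True).encode()


def https_context():
    """TLS context for the REST channel: the default context verifies the peer
    certificate and host name, which is what makes 'HTTPS' a security property."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


if __name__ == "__main__":
    line = syslog_line(EVENT)
    print(line)
    print(parse_syslog(line))
    print(rest_payload(EVENT).decode())
```

The description field deliberately contains quotes and a closing bracket so the example exercises the escaping that a
receiving platform must handle; a consumer that splits on `]` or `"` naively would truncate such values. The TLS
context is the practitioner's check on the "HTTPS ensures communication security" claim: the protection only holds
when the client verifies the certificate rather than disabling verification for convenience.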

6.6.2 Security Event Database

The Security Event Database, maintained by the Sangfor Security team, provides professional and detailed descriptions
of common vulnerabilities and attack techniques, as well as practical, specialized security solutions.

7. About Sangfor

Sangfor Technologies Inc. was founded in 2000 and specializes in cybersecurity and cloud computing. As a service
provider, it brings users innovative IT solutions that are simpler, safer and more valuable. At present, Sangfor is home
to over 6000 employees and has more than 60 direct branches around the world, including seven international offices
and subsidiaries in Hong Kong, Singapore, Malaysia, Indonesia, Thailand, the United Kingdom, and the United States.

Sangfor has also been widely recognized in the industry for the growth of its scale. It has been
awarded CMMI5 Certification, and is listed as one of China's "First National High-Tech Enterprises", "Key Software
Enterprises within National Programming Layout" and "Deloitte Technology Fast 500 Asia Pacific". Moreover, it is one
of the main drafting units of Chinese national standards of IPSec VPN and SSL VPN, and was invited to participate in
the preparation of the Second Generation Firewall Standard. In terms of cross-industry cooperation, Sangfor is an
emergency service provider of CNCERT, a member of the China National Vulnerability Database (CNVD), a technical
support provider of the China National Vulnerability Database of Information Security (CNNVD), and a certified partner
of Common Vulnerabilities & Exposures (CVE).

Currently, nearly 40,000 users around the world use Sangfor products, and 80% of Chinese companies among the
Fortune Global 500 are among those users. With excellent product performance, many Sangfor products are the first
choice of various enterprises such as the State Taxation Administration, State Grid Corporation of China, China
Construction Bank, Industrial & Commercial Bank of China, China Mobile, and China Telecom.
