Collective Threat Analysis FAQ

What is collective threat analysis?

ExtraHop RevealX 360 and RevealX Enterprise continuously refine detections through a cloud-based Machine Learning Service. Collective threat analysis (CTA) is a feature that helps improve the accuracy and precision of detections by allowing the ExtraHop system to process, store, and analyze select network data.

On RevealX Enterprise systems, administrators can opt in to CTA to send select data about domain names, hostnames, file hashes, and external IP addresses to ExtraHop Cloud Services. On RevealX 360 systems, the CTA setting is enabled by default and cannot be disabled.

For a full list of data types sent to the ExtraHop Machine Learning Service, and to see how the data is applied to improve threat detection, see the Machine Learning section of the ExtraHop Security, Privacy and Trust Overview.

How secure is my data?

When CTA is enabled, select data is sent to ExtraHop Cloud Services over TLS 1.2 or TLS 1.3 connections. Data is encrypted in transit, and data at rest is stored in an encrypted, highly protected datastore.

Data is de-identified: any personally identifiable information (PII) or data that uniquely identifies a network participant (such as an IP address or username) is encrypted with a key that is stored on the sensor and to which ExtraHop has no access.
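The following is an added illustration of the de-identification pattern described above, not ExtraHop code and not a description of the algorithm the product actually uses (the FAQ only says the values are encrypted with a sensor-held key). It uses keyed pseudonymization (HMAC-SHA256) as a simple one-way variant of that pattern: the key never leaves the sensor, identical participants map to identical tokens so events can still be correlated, and the receiving side cannot reverse the tokens without the key. The field names, records, and keys are constructed for the example.

```python
"""Sensor-side keyed pseudonymization of participant identifiers.

Illustrative only: not ExtraHop code. Field names, the key and the sample
record are assumptions constructed for this example.
"""
import hashlib
import hmac
import os

# Fields that identify a network participant; they must not leave the sensor in clear.
PARTICIPANT_FIELDS = ("client_ip", "username")
# External indicators that are contributed as-is (the cloud needs them in plaintext).
INDICATOR_FIELDS = ("server_hostname", "external_ip", "file_sha256")


class Sensor:
    """Holds the de-identification key. The key is generated here and is never
    part of any record that is sent out."""

    def __init__(self, key=None):
        self._key = key or os.urandom(32)

    def pseudonymize(self, value):
        # Deterministic keyed token: same input and same key -> same token,
        # so the receiver can group events by participant without learning
        # the value. Without the key, a 32-hex-digit token reveals nothing,
        # which matters for small input spaces such as IPv4 addresses.
        return hmac.new(self._key, value.encode(), hashlib.sha256).hexdigest()[:32]

    def deidentify(self, record):
        """Return the record as it would be contributed: participant fields
        tokenized, indicator fields passed through, everything else dropped."""
        out = {}
        for field, value in record.items():
            if field in PARTICIPANT_FIELDS:
                out[field] = "tok:" + self.pseudonymize(value)
            elif field in INDICATOR_FIELDS:
                out[field] = value
        return out


def correlate(records):
    """What the receiving side can still do: count events per (tokenized) participant."""
    counts = {}
    for rec in records:
        counts[rec["client_ip"]] = counts.get(rec["client_ip"], 0) + 1
    return counts


if __name__ == "__main__":
    sensor = Sensor()
    # Constructed sample record.
    raw = {"client_ip": "10.0.0.5", "username": "alice",
           "server_hostname": "metrics.example-analytics.net",
           "external_ip": "203.0.113.25", "local_note": "internal comment"}
    print(sensor.deidentify(raw))
```

Two sensors with different keys produce different tokens for the same address, so the same participant seen by two customers cannot be linked by the receiver; that is the property the FAQ's "key to which ExtraHop has no access" is meant to provide.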

ExtraHop does not share your data with other customers or apply the data in any way outside of the ways described in this document and in the ExtraHop Security, Privacy and Trust Overview.

Is my data shared with other ExtraHop customers?

No. Data is sent only to ExtraHop and cannot be accessed by other customers.

Why should I opt in?

Here are the ways that you benefit from contributing to collective research and analysis.

Improve context about your detections
Detections powered by the cloud-based Machine Learning Service factor in data sent through CTA to assess if network behavior appears suspicious. If CTA is disabled, these detections can be less accurate.

For example, consider a local coffee shop website with misconfigured web analytics. When your employees visit this website, their browsers repeatedly contact an external analytics server to send performance metrics. On the network, this appears as regular 30-second beaconing, an activity that also resembles the patterns found in malicious command-and-control (C&C) communications.

When ExtraHop has access to the plaintext hostname and external IP address of the analytics server through CTA, the system can more accurately assess whether the behavior is linked to a known threat. This additional context enables ExtraHop to better distinguish between benign and malicious traffic, reducing the likelihood of false positives.
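The following is an added example, written for this FAQ and not taken from ExtraHop's detectors, that makes the coffee-shop scenario concrete. It runs a simple beaconing heuristic (regularity of inter-connection gaps, measured as the coefficient of variation) over a constructed connection log, then shows how the verdict changes once context about the destination is available. The connection log, the allowlist of known analytics hosts, the C&C address list, and the thresholds are all assumptions constructed for the example; with no context every regular talker is merely "suspicious", and only the destination context separates the analytics server from the real C&C channel.

```python
"""Beaconing heuristic with and without destination context.

Added illustration for this FAQ; not ExtraHop code. All sample data below is
constructed so the script runs offline.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample connections: (timestamp_seconds, client_ip, server_hostname, server_ip)
SAMPLE_CONNECTIONS = []
# Five employees whose browsers hit the coffee shop's analytics server every 30 s.
for client in ("10.0.1.11", "10.0.1.12", "10.0.1.13", "10.0.1.14", "10.0.1.15"):
    for k in range(12):
        SAMPLE_CONNECTIONS.append((k * 30.0, client, "metrics.example-analytics.net", "203.0.113.25"))
# One host beaconing roughly every 30 s (small jitter) to an unrelated address, no hostname seen.
for k in range(12):
    SAMPLE_CONNECTIONS.append((k * 30.0 + (k % 3), "10.0.1.40", "", "198.51.100.7"))
# Ordinary browsing with irregular timing.
for t in (0, 4, 70, 71, 130, 400, 401, 1000):
    SAMPLE_CONNECTIONS.append((float(t), "10.0.1.50", "www.example.org", "192.0.2.10"))

# Constructed destination context of the kind CTA could supply (assumed, illustrative only).
KNOWN_BENIGN_HOSTS = {"metrics.example-analytics.net"}
KNOWN_C2_IPS = {"198.51.100.7"}


def periodicity(timestamps, min_events=6):
    """Return (mean_gap, cv) for a sorted timestamp list, or None if too few events.
    cv = stddev/mean of the inter-arrival gaps; values near 0 mean a fixed period."""
    if len(timestamps) < min_events:
        return None
    gaps = [b - a for a, b in zip(timestamps, timestamps[1:])]
    m = mean(gaps)
    if m <= 0:
        return None
    return m, pstdev(gaps) / m


def find_beacons(connections, max_cv=0.2):
    """Group connections by (client, host, ip) and flag series with regular gaps."""
    series = defaultdict(list)
    for ts, client, host, ip in connections:
        series[(client, host, ip)].append(ts)
    beacons = []
    for (client, host, ip), ts in series.items():
        result = periodicity(sorted(ts))
        if result and result[1] <= max_cv:
            beacons.append({"client": client, "host": host, "ip": ip,
                            "interval": round(result[0], 1), "cv": round(result[1], 3)})
    return beacons


def classify(beacon, benign_hosts, c2_ips):
    """Timing alone cannot separate the two cases; destination context can."""
    if beacon["ip"] in c2_ips:
        return "malicious"
    if beacon["host"] in benign_hosts:
        return "benign"
    return "suspicious"


def triage(connections, benign_hosts=None, c2_ips=None):
    """Map (client, server_ip) -> verdict for every beaconing series found."""
    benign_hosts = benign_hosts or set()
    c2_ips = c2_ips or set()
    return {(b["client"], b["ip"]): classify(b, benign_hosts, c2_ips)
            for b in find_beacons(connections)}


if __name__ == "__main__":
    print("without context:", triage(SAMPLE_CONNECTIONS))
    print("with context:   ", triage(SAMPLE_CONNECTIONS, KNOWN_BENIGN_HOSTS, KNOWN_C2_IPS))
```

Without context the five analytics beacons and the single C&C beacon are indistinguishable (all six series have a 30-second period with near-zero jitter); with context the five become benign and the one becomes malicious, which is the false-positive reduction the paragraph describes.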

Help stop novel attacks on your network
ExtraHop performs big-data analytics to hunt for stealthy and advanced attacks that individual organizations might overlook. CTA enables ExtraHop to identify novel attacks and to develop detections that benefit all ExtraHop customers.

For example, ExtraHop might observe that devices across multiple networks are establishing reverse SSH tunnels to a suspicious IP address. Upon further analysis, the suspicious IP address appears to be hosting a C&C server that is exhibiting behaviors previously associated with a known threat group. ExtraHop can quickly update all deployed sensors with detections to protect all cloud-connected deployments from the newly identified threat.

Improve machine-learning models in your detections
ExtraHop incorporates CTA data as input when training machine-learning algorithms and building new models designed to detect attacks on user networks. By analyzing behavior patterns across a diverse range of industries, organization sizes, and geographic regions, ExtraHop continually enhances its understanding of what typical, benign activity looks like.

What is the difference between expanded threat intelligence and collective threat analysis?

The de-identified data sent through CTA is stored for analysis and helps enhance machine-learning detections, identify new attack types, generate detections for malicious file hashes, and improve the accuracy of existing detections. When expanded threat intelligence is enabled, the same data is immediately matched against an extended collection of threat intelligence and then discarded rather than stored.

Both services are enabled automatically in RevealX 360, but RevealX Enterprise administrators must opt in from the Administration settings.

Can I opt out?

CTA is enabled in RevealX 360 by default and cannot be disabled. On RevealX Enterprise systems, CTA is disabled by default, and administrators can opt in to the service in the Administration settings.

Detectors that support collective threat analysis show all users a reminder notification in the Group by Detection Type view and the Detection Detail view. Administrators can choose to hide these in-product reminders.

The following settings are available:
  • Contribute domain names, hostnames, file hashes, external IP addresses, URLs, and suspicious HTTP payload fragments for collective threat analysis
  • Do not contribute to collective threat analysis
  • Do not contribute to collective threat analysis and do not display in-product reminders

Will opting out stop Malicious File Hash detections?

Yes. Malicious File Hash detections require that your ExtraHop system meets all of the following requirements:
  • Licensed Network Detection and Response (NDR) module
  • Licensed Intrusion Detection System (IDS) module
  • Opted in to collective threat analysis
Additionally, opting in to Expanded Threat Intelligence provides further contextual information about file hashes, supplied by CrowdStrike and Mandiant.

Will opting out disable the ExtraHop Machine Learning Service completely?

No. As long as ExtraHop Cloud Services are enabled, you still share data with the ExtraHop Machine Learning Service as part of your license, but you will not contribute to improved detections and you will not receive detections related to malicious file hashes.

Last modified 2025-05-30