Damballa® Failsafe, in today's network environment, can be seen as a parallel 'last line of defense' where prevalent security solutions remain handcuffed by their known limitations.
Malware can be broken into two categories:
1. Opportunistic and distributed: this malware is spread geographically by various means, such as travelling USB drives, dongles, web downloads (drive-by), fake applications like online AV scans, and lottery and money scams.
2. Targeted: this is primarily an attempt to focus on a marked target: reconnaissance, gathering all information, testing and analysis, intrusion, exploitation and exfiltration. The attack is an idea, and the malware is merely a delivery vehicle. Zero-day malware is one such type.
Cyber threats' stages and behaviors:
As advanced threats become more resilient, multi-tiered and focused on survivability, we see them following a certain pattern which is inevitable for their hidden functioning:
Stages to compromise:
1. Recon: Analysis of the target through physical, telephonic and malware-pinching techniques. Cyber criminals make a deep study of the target's applications, protocols and network architecture before invading it.
2. Weaponization: Once the infiltration mechanisms are devised, the droppers are tested to get into the endpoints/servers.
3. Delivery: Either cyber content lures the internal user into opening connections that help penetrate firewalls/IPS, or, through more sophisticated methods, malware is injected manually via injection vectors.
4. Exploitation: The dropped malware attaches itself to an important OS process to evade being caught at the endpoint level, for example attaching itself to the TCP/IP and NDIS processes, where sniffing tools fail to capture the malware's hidden packet movements.
* Some malware, before acting, ensures that it is not being run on a VM or sandbox, or on a machine that is not operated by a human being.
Stages leading to business loss, functional/operational loss and brand value loss:
5. Command & Control communication: The dropped malware escalates its privileges to establish C&C for updates of new code (to avoid any possible AV detection), new instructions, forwarding sensitive data, etc.
6. Exfiltration: This is the last stage; if successful, it causes huge loss. This stage ends with the malware destroying itself so that it is not caught and can be used again.
Remember, on average there is a gap of nearly 6 months before advanced malware is detected.
AV/HIPS, network IPS/IDS, firewalls, web security appliances and DLP all have limitations (a false sense of security against advanced malware):
1. Antivirus relies on signatures to match malware. It is a must on all endpoints to meet compliance and to protect against known threats, but it is nowhere when it comes to unknown threats.
2. Intrusion Prevention Systems rely on signatures/heuristics, anomalies and SPA (protocol profiling, not DPI in the true sense). They were mainly built to protect against attacks on operating systems, the TCP/IP stack, servers and systems. Threats exploiting L3/L4 and L7 were addressed, but advanced threats at L7 which arrive in stages and use the genuine code structure of such protocols do get through an inline IPS. It does not save administrators from false positives, and anomaly detection requires a baseline, which is no pain for malware.
3. A network firewall does packet filtering/inspection and may use application-layer intelligence, but it often suffers from the same problem with DPI in the true sense. Many genuine applications do not adhere to RFC compliance, and attackers might infect such non-RFC-compliant applications to infect the endpoints.
Next-generation malware readily takes advantage of stateful connections, and its rapidly changing behavior slips past firewall policies. UTM solutions pull endpoint protection to the network layer, but they do not keep pace with the dynamically changing behavior of advanced malware.
4. Web security and content filtering, such as a proxy using black/white lists, does not keep up with DNS fluctuation. Non-browser traffic bypasses proxies to establish C&C communication.
5. DLP helps with data leaks/loss, whether inadvertent or on purpose, but it does not protect against data theft. Advanced malware forwards/steals interesting data by transforming it, thereby evading the scripts/categories of host- or network-based DLP so that it no longer looks like business-related information. One way is to modulate the data into sound bites and demodulate it later (which can be achieved via a .dll file). Malware opening a backdoor over SSL is beyond the understanding of the above technologies.
The Verizon 'Data Breach Incident Report', 2011, states that 28% of data breaches occurred due to advanced malware/targeted attacks.
Damballa® Failsafe automates the discovery of your organization's highest-risk devices under criminal control. Damballa Failsafe provides:
1. Protection against unknown and hidden threats, with the earliest possible threat discovery: it watches the DNS queries (such as fast fluxing and domain fluxing) that targeted malware uses to update and receive instructions, performs DPI of packets to see non-executables, executables, PDFs, binaries etc., and distinguishes automated from human-driven behavior to look for malware behavior.
2. Protection for any endpoint device.
3. Actionable intelligence for rapid and prioritized incident response with complete forensic analysis.
4. Protection from new and emerging threats at the beginning of malicious communication, so you don't have to wait until your IP/sensitive data is at stake.
5. An easy and automated solution for fighting advanced threats.
6. Being out of band, it remains out of sight of cyber criminals during any reconnaissance phase. It addresses and stops malicious malware communication with a very high rate of true positives, so your security experts can concentrate on genuine cyber threats.
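The DNS indicators named in point 1 above (fast fluxing and domain fluxing), and the DNS fluctuation that static black/white lists cannot follow (point 4 of the limitations list), can be illustrated with a small passive-DNS heuristic. The following is an added example written for this page; it is not Damballa's code and does not describe how Failsafe works internally. The log records, domain names, IP addresses and thresholds are constructed assumptions for illustration only.

```python
"""Heuristic indicators of DNS-fluxing C&C over a passive-DNS log.

Two indicators are computed from (client_ip, qname, rcode, ttl, answer) records:
  - fast flux: one name resolving to many distinct IPs with short TTLs
  - domain flux: one client issuing many NXDOMAIN lookups for high-entropy,
    algorithmically generated looking names
"""
import math
from collections import defaultdict

# Constructed sample log (hypothetical values): client, qname, rcode, ttl seconds, answer or None
SAMPLE_LOG = [
    ("10.0.0.5", "www.example.com", "NOERROR", 3600, "93.184.216.34"),
    ("10.0.0.5", "cdn.example.com", "NOERROR", 3600, "93.184.216.35"),
    # fast-flux pattern: same name, short TTLs, rotating answers
    ("10.0.0.7", "update.badflux.example", "NOERROR", 60, "198.51.100.10"),
    ("10.0.0.7", "update.badflux.example", "NOERROR", 60, "198.51.100.23"),
    ("10.0.0.7", "update.badflux.example", "NOERROR", 120, "203.0.113.40"),
    ("10.0.0.7", "update.badflux.example", "NOERROR", 60, "203.0.113.77"),
    ("10.0.0.7", "update.badflux.example", "NOERROR", 30, "192.0.2.201"),
    # domain-flux pattern: one client walking a generated name list, mostly NXDOMAIN
    ("10.0.0.9", "xq7v2kd9pzl1m.example", "NXDOMAIN", 0, None),
    ("10.0.0.9", "b81lw0ztq3nrh.example", "NXDOMAIN", 0, None),
    ("10.0.0.9", "kp4y9c6mvj2xw.example", "NXDOMAIN", 0, None),
    ("10.0.0.9", "n3tf8qz0hsl5d.example", "NXDOMAIN", 0, None),
    ("10.0.0.9", "mail.example.com", "NOERROR", 3600, "93.184.216.36"),
]


def shannon_entropy(label: str) -> float:
    """Bits of Shannon entropy per character of a DNS label."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def second_level_label(qname: str) -> str:
    """The label just left of the top-level domain (the part a DGA usually generates)."""
    parts = qname.rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def fast_flux_candidates(records, min_ips=4, max_ttl=300):
    """Names answered with at least min_ips distinct addresses at an average TTL <= max_ttl."""
    by_name = defaultdict(lambda: {"ips": set(), "ttls": []})
    for _client, qname, rcode, ttl, answer in records:
        if rcode != "NOERROR" or answer is None:
            continue
        by_name[qname]["ips"].add(answer)
        by_name[qname]["ttls"].append(ttl)
    flagged = {}
    for name, d in by_name.items():
        avg_ttl = sum(d["ttls"]) / len(d["ttls"])
        if len(d["ips"]) >= min_ips and avg_ttl <= max_ttl:
            flagged[name] = {"distinct_ips": len(d["ips"]), "avg_ttl": avg_ttl}
    return flagged


def domain_flux_candidates(records, min_nx=3, nx_ratio=0.5, min_entropy=3.0):
    """Clients whose lookups are mostly NXDOMAIN for high-entropy second-level labels."""
    per_client = defaultdict(lambda: {"total": 0, "nx": 0, "entropies": []})
    for client, qname, rcode, _ttl, _answer in records:
        s = per_client[client]
        s["total"] += 1
        if rcode == "NXDOMAIN":
            s["nx"] += 1
            s["entropies"].append(shannon_entropy(second_level_label(qname)))
    flagged = {}
    for client, s in per_client.items():
        if s["nx"] >= min_nx and s["nx"] / s["total"] >= nx_ratio:
            mean_entropy = sum(s["entropies"]) / len(s["entropies"])
            if mean_entropy >= min_entropy:
                flagged[client] = {
                    "nxdomain": s["nx"],
                    "queries": s["total"],
                    "mean_entropy": round(mean_entropy, 2),
                }
    return flagged


if __name__ == "__main__":
    print("fast-flux names:", fast_flux_candidates(SAMPLE_LOG))
    print("domain-flux clients:", domain_flux_candidates(SAMPLE_LOG))
```

The point of keying the second indicator on the client rather than the name is the one the page makes: a list-based proxy or blacklist has to know each generated name in advance, whereas the behavior (a burst of failed lookups for random-looking names from one endpoint) is visible at the DNS layer regardless of which name the malware tries next. Thresholds would be tuned against a baseline of the organization's own DNS traffic before use in production.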
Note: Damballa does not compete with the layered security solutions discussed above; rather, it addresses the limitations imposed on their functionality by their means of definition and use.