Barracuda Advanced Threat Detection Next-Generation Protection against Advanced Malware, Targeted Attacks, and Zero-Day Threats
What's an Advanced Threat?
Zero-Day Exploits and Unknown Malware for which no AV/IPS signatures exist yet, thus bypassing traditional defences.
Advanced Malware that can evade detection and/or establish CnC (Botnet) connections.
Advanced Persistent Threats (APTs) are a cybercrime category directed at business and political targets. APTs require a high degree of stealth over a prolonged duration of operation in order to be successful.
Advanced Threats may use very sophisticated techniques to cover their tracks on an infected device, like setting up call-back routines for botnets and deleting themselves after successful infiltration.
Kevin Mitnick opened an exclusive brokerage service for zero-day exploits, selling exploits for USD 100k. He officially stated that they won't sell to competitors of a company or to governments, but only for figuring out a company's own vulnerabilities. It is still an alarming business case…
How Advanced Threats work in general…
1. Delivery: malware is delivered into the network, bypassing traditional security systems (unknown or zero-day exploit).
2. Detection Tests, Evasion and Deployment: advanced malware may run anti-sandbox detection mechanisms (e.g. going into sleep mode).
3. Establishing Callback Connections: it establishes (mostly encrypted) phone-home connections to command and control centers.
4. Data Exfiltration: data is exfiltrated.
5. Deleting itself and covering the tracks: the code is deleted in order to cover up the breach.
Why you should really care…
In 2013, 93% of examined organizations had malware detected on their networks.
79% were exfiltrating data via CnC callbacks.
Source: © KPMG 2014
Why you should really care…
49% of the detected malware was UNKNOWN…
…and thus not detectable by traditional security systems like AV, IPS and RBL solutions.
RBL = Reputation Blacklists, i.e. IPs, hosts & URLs that are known to spread malware.
Source: © KPMG 2014
Why Traditional Security Defenses are not Enough…
Invisible to IPS and AV systems – NO signatures yet.
Reactive URL blacklists and reputation databases cannot keep up.
Attackers are refining their tactics.
Constantly refined obfuscation and evasion techniques.
Even off-the-shelf toolkits can evade traditional sandbox detection.
Bypassing IPS and AV solutions: zero-day malware exploits, targeted attacks, advanced persistent threats and other advanced malware can routinely bypass traditional signature-based IPS and anti-virus engines, since the vendor has not yet published the respective signatures.
URL filter and reputation databases simply cannot keep up in this arms race.
Attackers are refining their tactics, e.g. by using public cloud services (e.g., Box.com) to bypass monitoring that flags suspicious traffic.
Obfuscation and evasion techniques, e.g. sleeping or polymorphic malware (adding bits of garbage code to evade hash-based detection).
Off-the-shelf toolkits like PoisonIvy or BlackHole.
HOWEVER: What you should know
Traditional protection systems are essential and important!
HOWEVER: there is an opportunity window between infection and detection!
Ultimate need for quarantining infected clients to block malware callbacks and to avoid data theft.
Advanced Threat Detection is an additional line of defense, i.e., ATD is added on top of the AV and IPS solutions to guarantee the best possible protection.
How Barracuda ATD works…
The file is checked by the on-box AV and IPS solution and then – if considered to be OK – sent to the ATD Cloud. Depending on the result of the cloud check, the file is either released for download or blocked (if found to be malicious).
The Barracuda ATD Ecosystem
All Barracuda NG Firewalls using the ATD features improve the central ATD hash database in the cloud. This way, if a file's hash is already known, the file is processed without any further delay.
Instant Threat Visibility and Protection For each ATD-scanned file a detailed report on its behaviour is available for download via the NG Admin.
Instant Threat Visibility and Protection
Sage-Invoice.zip: highlights drawing the attention to:
Disabling all security suites,
Disabling all updates,
Disabling system restore,
Using obfuscation techniques to evade detection,
Establishing and hiding CnC callback traffic,
and – last not least – DELETING ITSELF AFTER EXECUTION (!)
A system with this malware is f#&$ed…
Deliver the File after Analysis
The file is scanned first in the ATD cloud and delivered after the security check only if it is not malicious. By doing this, only benign files are delivered to the client. Bear in mind that this may take a while (especially for files whose hash is unknown to the ATD ecosystem) and, therefore, should not be done for all traffic.
Deliver File while Scanning & Quarantining
This routine delivers the "unknown" file simultaneously to the ATD cloud and to the downloading user/IP/system. If the file is detected to be malicious, the user is automatically moved from quarantine to a blacklist and the administrator is informed to take corresponding actions. The quarantine blocks any outgoing traffic from the user/IP/system that is potentially at risk.
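The two delivery modes above (scan first, or deliver while scanning with quarantine) together with the shared hash database from the ecosystem slide, as an added Python model that is not Barracuda's code: AtdCloud, Appliance, stub_sandbox and the two sample files are constructed assumptions standing in for the cloud service, the NG Firewall and real behavioural emulation.

```python
import hashlib
from dataclasses import dataclass, field

CLEAN_PDF = b"%PDF-1.4 quarterly report"        # constructed sample, benign
DROPPER = b"MZ constructed sample <malicious>"  # constructed sample; marker drives the stub

def stub_sandbox(data: bytes) -> str:  # stand-in for the cloud's behavioural emulation
    return "malicious" if b"<malicious>" in data else "clean"

@dataclass
class AtdCloud:  # shared hash database: a verdict learned via one appliance serves all
    verdicts: dict = field(default_factory=dict)  # sha256 -> "clean" | "malicious"
    queue: dict = field(default_factory=dict)     # sha256 -> bytes awaiting emulation
    def emulate(self, sandbox=stub_sandbox):      # slow path, run once per unknown hash
        results = {d: sandbox(b) for d, b in self.queue.items()}
        self.verdicts.update(results)
        self.queue.clear()
        return results

@dataclass
class Appliance:
    cloud: AtdCloud
    held: dict = field(default_factory=dict)         # digest -> clients waiting (scan-first)
    quarantined: dict = field(default_factory=dict)  # client -> digest; egress blocked
    blacklisted: set = field(default_factory=set)    # confirmed infected clients
    delivered: list = field(default_factory=list)    # (client, digest) handed out
    def download(self, client, data, mode="scan_first"):
        digest = hashlib.sha256(data).hexdigest()
        verdict = self.cloud.verdicts.get(digest)
        if verdict is not None:                      # known hash: no emulation delay
            if verdict == "clean":
                self.delivered.append((client, digest))
            return verdict
        self.cloud.queue.setdefault(digest, data)
        if mode == "scan_first":                     # hold the file until the verdict
            self.held.setdefault(digest, []).append(client)
        else:                                        # deliver now, block egress meanwhile
            self.delivered.append((client, digest))
            self.quarantined[client] = digest
        return "pending"
    def apply_verdicts(self, results):
        for digest, verdict in results.items():
            waiting = self.held.pop(digest, [])      # scan-first clients get clean files only
            if verdict == "clean":
                self.delivered += [(c, digest) for c in waiting]
            for client in [c for c, d in self.quarantined.items() if d == digest]:
                del self.quarantined[client]         # lift quarantine; blacklist if infected
                if verdict == "malicious":
                    self.blacklisted.add(client)
```

A second Appliance attached to the same AtdCloud gets an immediate verdict for a hash the first one already had emulated, which is the delay saving the ecosystem slide describes.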
Easy testing via manual upload feature The manual file upload is also available on the corporate website: http://www.barracudacentral.org/atd
How to buy
Models: F10, F100, Virtual, Public Cloud
Subscriptions: Energize Updates, Malware Protection, Advanced Threat Detection
Only available for HW models F200 and higher
Firmware Version 6.0 and higher
Available for ALL BNG virtual appliances (incl. Public Cloud)
File caps/minute (burst limits) & file caps/month apply
Advantages for Customers
Fully fledged Next-Generation Firewall and VPN in the data path!
Converged solution reduces management overhead.
Built-in auto-quarantine feature for infected clients.
Cloud-based emulation – small load on the device.
Install based: only OPEX – no additional equipment needed!
Wrap-Up: Key Features
Extra Layer of Protection: preventing malicious files – even unknown ones – from entering the organization and avoiding network breaches.
Granular Control over PDFs, EXEs/MSIs/DLLs, Android APKs, Microsoft Office files, and compressed files and archives.
Instant Visibility, Protection and Remediation.
Automatic User and IP Blacklisting: infected users can be automatically separated from the corporate network – CnC callbacks will be blocked.
Cloud-based Emulation: resource-intensive file emulation is offloaded to the Barracuda Cloud.
Advanced Threat Detection - Rate Limits
Hardware models: F200, F201, F280, F300, F301, F380, F400, F600, F800, F900, F1000
# of files inspected per month: 100K, 200K, 260K, 300K, 540K, 750K, 1,000K, on request
Virtual appliances (Vx), # of files inspected per month: VF25 40K, VF50 100K, VF100 200K, VF250 300K, VF500 430K, VF1000 540K, VF2000 640K, VF4000 750K, VF8000 1,000K
Public cloud: AWS Level 2, AWS Level 4, AWS Level 6, AWS Level 8, Azure Level 2, Azure Level 4, Azure Level 6, Azure Level 8
# of files inspected per month: 40K, 100K, 200K, 300K, 430K, 540K, 640K, 750K
Only available for HW models F200 and higher
Firmware Version 6.0 and higher
Available for ALL BNG virtual appliances (incl. Public Cloud)
File caps/minute (burst limits) & file caps/month apply
A valid malware protection or web security subscription is mandatory