Securolytics offers multiple integrated security services. Recently we extended our portfolio with a new advanced add-on to our Web Security called- Advanced Threat Defense.
This service allows us to detect and stop zero-day exploits and Advanced Persistent Threats (APTs) while users are surfing the Internet through our cloud infrastructure.
Our Advanced Threat Defense runs on top of our core layer-7 web proxy. This project required us to create a custom application which we then integrated with Cyphort’s behavioral analysis engine. (Cyphort is one of Teknas’ key technology partners.)
On the surface this project seemed straightforward to us. However, during development we faced a number of challenges and quickly discovered adding ATD was going to require an architectural change. We love a good challenge and wanted to share our approach to solving this problem.
First, web proxies were never designed to detect the actual MIME type of each file. Instead, the proxy simply uses the HTTP header information received from the remote web server. This allows an attacker to send an executable file down to a client by masking it as something other than application/x-msdownload.
Second, the declared MIME type of many binary files is simply “text/html”. For example, Roshal Archive files (RAR) are often seen by web proxies as “text/html”.
To properly detect the actual MIME type we implemented an engine that looks at the actual file signature. A good source of file signatures is available on Wikipedia.
In this example our application located block “52 61 72 21 1A 07 00” confirming we had a binary RAR file and not a text/html object as indicated by the web server.
After some additional post-processing this file is submitted to a Cyphort core for detonation and malware identification. If a zero-day exploit or another type of malware is detected our system automatically adds the file hash signature to our malware database. Now any future download of this file by any customer will automatically be blocked without us having to reanalyze the file each time.
At Securolytics- your organization’s security is job #1.
Sergey Mozgovoy | Director, Network Operations | Securolytics