Inside Securolytics Advanced Threat Defense
Securolytics offers multiple integrated security services. Recently we extended our portfolio with a new advanced add-on to our Web Security called Advanced Threat Defense.
This service allows us to detect and stop zero-day exploits and Advanced Persistent Threats (APTs) while users are surfing the Internet through our cloud infrastructure.
Our Advanced Threat Defense runs on top of our core layer-7 web proxy. This project required us to create a custom application which we then integrated with Cyphort’s behavioral analysis engine. (Cyphort is one of Teknas’ key technology partners.)
On the surface this project seemed straightforward to us. However, during development we faced a number of challenges and quickly discovered adding ATD was going to require an architectural change. We love a good challenge and wanted to share our approach to solving this problem.
First, web proxies were never designed to detect the actual MIME type of each file. Instead, the proxy simply uses the HTTP header information received from the remote web server. This allows an attacker to send an executable file down to a client by masking it as something other than application/x-msdownload.
Second, the declared MIME type of many binary files is simply “text/html”. For example, Roshal Archive files (RAR) are often seen by web proxies as “text/html”.
To properly detect the actual MIME type we implemented an engine that looks at the actual file signature. A good source of file signatures is available on Wikipedia.
In this example our application located the signature block “52 61 72 21 1A 07 00”, confirming we had a binary RAR file and not a text/html object as indicated by the web server.
After some additional post-processing this file is submitted to a Cyphort core for detonation and malware identification. If a zero-day exploit or another type of malware is detected our system automatically adds the file hash signature to our malware database. Now any future download of this file by any customer will automatically be blocked without us having to reanalyze the file each time.
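The signature check and hash-based short circuit described above, as an added example that is not Securolytics' own code: a small magic-byte table (the RAR block quoted in the post plus a few well-known signatures) is compared against the server's declared Content-Type, and a SHA-256 blocklist stands in for the malware database. The MIME names in the table, the `classify` policy and the sample bytes are assumptions for illustration.

```python
import hashlib
from typing import Optional

# Constructed signature table. The RAR signature is the byte block quoted in the
# post; the others are well-known published file signatures (magic numbers).
SIGNATURES = [
    (bytes.fromhex("526172211A0700"), "application/vnd.rar"),    # RAR 1.5 - 4.x
    (bytes.fromhex("526172211A070100"), "application/vnd.rar"),  # RAR 5.x
    (b"MZ", "application/x-msdownload"),                          # DOS/Windows PE
    (b"\x7fELF", "application/x-executable"),                     # ELF
    (b"PK\x03\x04", "application/zip"),                           # ZIP (also JAR, OOXML)
    (b"%PDF-", "application/pdf"),
]

def sniff_mime(data: bytes) -> Optional[str]:
    """Return the MIME type implied by the file's leading bytes, or None if unknown."""
    for magic, mime in SIGNATURES:
        if data.startswith(magic):
            return mime
    return None

def declared_mime(content_type: str) -> str:
    """Normalise a Content-Type header value: drop parameters such as charset."""
    return content_type.split(";", 1)[0].strip().lower()

def classify(content_type: str, body: bytes, blocklist: set) -> dict:
    """Decide what the proxy does with a response body (assumed policy).
    block  - SHA-256 already in the malware database, no re-analysis needed
    submit - signature identifies a binary type, send it for detonation
    allow  - no known binary signature found
    'mismatch' records whether the server's Content-Type disagrees with the bytes."""
    digest = hashlib.sha256(body).hexdigest()
    declared = declared_mime(content_type)
    actual = sniff_mime(body)
    result = {"sha256": digest, "declared": declared, "actual": actual,
              "mismatch": actual is not None and actual != declared}
    if digest in blocklist:
        result["action"] = "block"
    elif actual is not None:
        result["action"] = "submit"
    else:
        result["action"] = "allow"
    return result

# Constructed sample: a RAR archive header that a server labels as text/html.
SAMPLE_RAR = bytes.fromhex("526172211A0700") + b"\x00" * 32
```

Once the sandbox verdict for `SAMPLE_RAR` is malicious, adding its `sha256` to the blocklist makes every later `classify` call return `block` without resubmitting the file.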
At Securolytics, your organization’s security is job #1.
Sergey Mozgovoy | Director, Network Operations | Securolytics