Damballa released Failsafe 4.2, an advance in detecting criminal command-and-control behavior in corporate networks.
Failsafe pinpoints corporate assets under criminal control, terminates the criminal communications and provides all the evidence a security or incident response team needs to prioritize and organize their response.
To determine if an asset is infected and under criminal control, Damballa Failsafe monitors communication traffic and patterns from endpoint devices to the Internet. Damballa Failsafe looks for behaviors that indicate that the asset has been infected and is talking to criminal operators.
In Release 4.2, the Threat Conviction Engine correlates all suspicious activity observed for a particular asset and automatically calculates and displays a Threat Conviction Score, indicating that a threat has been identified and that the asset is compromised. To accomplish this, the Damballa Failsafe sensors analyze the following behaviors:
DNS query behavior. Is the asset issuing an unusual number of domain look-ups that do not resolve to an IP address (NXDomains)? This is a popular technique criminals use to hide command-and-control servers, and it renders "block lists" useless.
Destination reputation. Is the location the asset is trying to connect to suspicious?
Connection behaviors. Is the destination of the communications suspicious? Have connection attempts been successful?
Automation. Does the query/connection behavior look like a human user, or is it regular and repetitive in a way that suggests it is software-driven?
Malware downloads. Have suspicious binaries been downloaded by this asset?
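To make the correlation concrete, here is an added example (not Damballa's code, and not its scoring) that runs four of the behaviors above over constructed DNS log lines and combines them into a single per-asset score. The log format, the reputation set, the download alerts and the signal weights are all assumptions of this example.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed DNS log lines (not real Failsafe output): "epoch_seconds src_ip qname rcode"
DNS_LOG = """\
100 10.0.0.5 mail.example.com NOERROR
143 10.0.0.5 cdn.example.net NOERROR
391 10.0.0.5 intranet.example.com NOERROR
100 10.0.0.9 kq3xz7vbd.info NXDOMAIN
130 10.0.0.9 p0fjw8sd2.biz NXDOMAIN
160 10.0.0.9 x9mvt4hh.net NXDOMAIN
190 10.0.0.9 bad-c2.example NOERROR
220 10.0.0.9 zz81lqwe.org NXDOMAIN
""".splitlines()

# Constructed reputation feed and download alerts, standing in for the
# "destination reputation" and "malware downloads" signals.
SUSPICIOUS_DOMAINS = {"bad-c2.example"}
MALWARE_DOWNLOADS = {"10.0.0.9"}

# Signal weights are an assumption of this example, not Damballa's scoring.
WEIGHTS = {"nxdomain": 30, "reputation": 30, "automation": 20, "download": 20}

def parse_dns_log(lines):
    """Group (timestamp, qname, rcode) tuples by source asset."""
    per_asset = defaultdict(list)
    for line in lines:
        ts, src, qname, rcode = line.split()
        per_asset[src].append((int(ts), qname, rcode))
    return per_asset

def conviction(src, events):
    """Correlate the observed behaviors into a 0-100 score plus the signals that fired."""
    events = sorted(events)
    rcodes = [rc for _, _, rc in events]
    names = {q for _, q, _ in events}
    gaps = [b[0] - a[0] for a, b in zip(events, events[1:])]
    signals = {
        # DNS query behavior: a high share of NXDOMAIN answers (DGA-style probing)
        "nxdomain": rcodes.count("NXDOMAIN") / len(rcodes) >= 0.5,
        # Destination reputation: the asset contacted a known-suspicious destination
        "reputation": bool(names & SUSPICIOUS_DOMAINS),
        # Automation: query spacing far too regular for a human (low jitter)
        "automation": len(gaps) >= 3 and mean(gaps) > 0 and pstdev(gaps) / mean(gaps) < 0.2,
        # Malware downloads: a suspicious binary was fetched by this asset
        "download": src in MALWARE_DOWNLOADS,
    }
    score = sum(WEIGHTS[s] for s, fired in signals.items() if fired)
    return score, signals

def score_all(lines=DNS_LOG):
    """Return {asset: (score, signals)} for every asset seen in the log."""
    return {src: conviction(src, ev) for src, ev in parse_dns_log(lines).items()}
```

Run `score_all()` to see the benign host score 0 while the host issuing regularly spaced NXDOMAIN look-ups, contacting a flagged destination and fetching a suspicious binary scores 100.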