Forensics for advanced threat activity

Damballa announced Failsafe 5.0, a solution that hunts for undetected threats by correlating a variety of observed network behaviors that indicate malware-infected devices (PCs, Macs, servers, smartphones, iPads, etc.) are communicating with criminals.

Failsafe 5.0 now includes automated malware analysis in its advanced threat detection capabilities. The new features inspect unknown, zero-day and targeted malware, identifying changes the malware makes to the targeted device and the malware’s intended communication behaviors.

Today’s persistent threats and network breaches are driven by modern malware infections that easily evade detection by traditional signature-based endpoint solutions. The infected device then communicates with its criminal operators using techniques that imitate a legitimate user, so that traditional network security solutions, which are designed to block obviously illegitimate traffic, let it through.

The malware analysis feature in Failsafe 5.0 utilizes cloud-based dynamic malware analysis, which occurs at Damballa Labs in real-time. Customers can opt to automatically submit all suspicious files for analysis, or selectively submit files as desired.

A cloud-based approach offers many advantages over in-network malware analysis technologies:

Malware analysis is conducted in “dirty” (anonymous, non-production) networks with Internet access
Much of today’s malware is “Internet aware” and won’t execute without Internet access, or will act “benign” to fool analysts. Letting the malware complete its initial beaconing allows Damballa to gain further intelligence regarding subsequent downloads and command-and-control behavior.

Multiple inspection and analysis techniques, tools and resources
Much of today’s malware will not execute if it detects a virtual machine or sandbox. With Damballa Failsafe 5.0, suspicious files undergo multiple inspection and analysis techniques including bare-metal platforms.

Unlimited processing capacity, no need for box upgrades
Unlike in-network technology, which can have difficulty keeping up with the volume of traffic and the corresponding number of samples to analyze, cloud analysis provides unlimited processing capacity.

Constant, real-time updates on malware information
Using a cloud-based approach, customers receive real-time updates as new threat intelligence is discovered. With an in-network approach, suspicious files are analyzed once and the behaviors archived.

Adding analysis techniques and tools without appliance or software upgrades
Damballa can continue to add malware “gaming” or analysis and scanning options without requiring any change to the customers’ installation. With an in-network approach, any significant change to how the malware is analyzed requires an upgrade to the on-premise appliance and/or software.
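As an added illustration of the kind of network-behavior correlation described above (the periodic check-ins a sample makes once it is allowed to beacon), the script below is example code written for this article; it is not Damballa’s code and does not describe how Failsafe scores traffic. It groups connections by source host and destination, measures the inter-arrival time and request size of each pair, and flags pairs that are too regular to be a human-driven session. The log format, host names and TEST-NET addresses are constructed for the example.

```python
"""
Beacon detection over connection logs (added illustration, not vendor code).

Groups connections by (source host, destination), measures the inter-arrival
time between successive connections, and flags pairs whose timing and payload
size are too regular for a human-driven session. The log format and hosts
are constructed for the example; TEST-NET addresses are used throughout.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log: "<ISO timestamp> <src_host> <dst_ip:port> <bytes_out>"
SAMPLE_LOG = """
# host-a checks in with the same server roughly every five minutes
2013-02-01T10:00:00Z host-a 203.0.113.7:443 412
2013-02-01T10:00:40Z host-a 198.51.100.20:80 1530
2013-02-01T10:01:05Z host-a 198.51.100.20:80 2210
2013-02-01T10:01:07Z host-a 198.51.100.20:80 940
2013-02-01T10:05:02Z host-a 203.0.113.7:443 412
2013-02-01T10:09:58Z host-a 203.0.113.7:443 412
2013-02-01T10:12:30Z host-a 198.51.100.20:80 7710
2013-02-01T10:13:10Z host-a 198.51.100.20:80 325
2013-02-01T10:15:01Z host-a 203.0.113.7:443 412
2013-02-01T10:19:59Z host-a 203.0.113.7:443 412
2013-02-01T10:25:00Z host-a 203.0.113.7:443 412
2013-02-01T10:30:03Z host-a 203.0.113.7:443 412
2013-02-01T10:33:00Z host-a 198.51.100.20:80 1180
2013-02-01T10:33:02Z host-a 198.51.100.20:80 4400
2013-02-01T10:34:57Z host-a 203.0.113.7:443 412
# host-b browses the same web server a few times: too few and too irregular to score
2013-02-01T10:02:15Z host-b 198.51.100.20:80 860
2013-02-01T10:02:16Z host-b 198.51.100.20:80 12040
2013-02-01T10:21:40Z host-b 198.51.100.20:80 655
2013-02-01T10:21:44Z host-b 198.51.100.20:80 3100
"""


def parse_log(text):
    """Yield (timestamp, src, dst, bytes) tuples; blank and '#' lines are skipped."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, nbytes = line.split()
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, dst, int(nbytes)


def _cv(values):
    """Coefficient of variation: population std-dev over the mean (0 for a constant series)."""
    m = mean(values)
    return pstdev(values) / m if m else 0.0


def find_beacons(text, min_connections=6, max_interval_cv=0.2, max_size_cv=0.3):
    """Return the (src, dst) pairs whose connections look like periodic check-ins."""
    flows = defaultdict(list)
    for ts, src, dst, nbytes in parse_log(text):
        flows[(src, dst)].append((ts, nbytes))

    findings = []
    for (src, dst), events in flows.items():
        if len(events) < min_connections:
            continue  # too few samples to say anything about periodicity
        events.sort()
        intervals = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        sizes = [nbytes for _, nbytes in events]
        interval_cv = _cv(intervals)
        size_cv = _cv(sizes)
        # Regular timing plus a near-constant request size is the beacon signature;
        # human-driven sessions are bursty in both dimensions.
        if interval_cv <= max_interval_cv and size_cv <= max_size_cv:
            findings.append({
                "src": src, "dst": dst, "connections": len(events),
                "mean_interval_s": round(mean(intervals), 2),
                "interval_cv": round(interval_cv, 3),
                "size_cv": round(size_cv, 3),
            })
    findings.sort(key=lambda f: f["interval_cv"])
    return findings


if __name__ == "__main__":
    for f in find_beacons(SAMPLE_LOG):
        print(f"{f['src']} -> {f['dst']}: {f['connections']} connections, "
              f"every ~{f['mean_interval_s']}s (interval cv={f['interval_cv']})")
```

Run against the constructed log, only host-a’s five-minute check-ins to 203.0.113.7:443 are reported; host-a’s browsing to the web server shares the same source host but fails the jitter test, and host-b never reaches the minimum connection count. The thresholds are starting points, not tuned values: a sample that adds random sleep to its beacon interval will push the coefficient of variation up, which is exactly why production tooling combines timing with other observed behaviors (destination reputation, payload regularity, the downloads that follow the first beacon) rather than relying on periodicity alone.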
