Prevailion launched ARKTOS, a malware replication platform that allows companies to safely test their network security readiness against the world’s most challenging early-stage malware.
“Precursor attacks are one of the biggest failures in corporate security today and this is exactly what ARKTOS is designed to address,” said Karim Hijazi, CEO of Prevailion and a former contractor for the US intelligence community. “Most ransomware infections happen days, weeks or months after the initial network breach, so if companies can catch those beacons early on and cut off the malware’s access, they can prevent the actual encryption stage of the attack. ARKTOS replicates malware families like AnchorDNS, used by the Trickbot gang to deploy ransomware, and Nobelium RAT, used by the SolarWinds hackers, so that companies have a safe and effective way to stress-test their networks against determined adversaries.”
Sophisticated network intrusions often begin with a precursor, or initial access, malware – like AnchorDNS. Hackers use this early-stage malware to gain a foothold on the network, establish command-and-control (C2) server communications and collect intelligence on the target before proceeding to the next stage of the attack – which may include ransomware, espionage, IP theft, data deletion or manipulation, and other threats.
Even with the best network security and monitoring tools in place, many companies still fail to detect precursor attacks. This leaves the corporate network exposed to malicious activity for weeks or months at a time and increases the company’s risk of significant damage from a cyber attack.
ARKTOS addresses this problem with “Malware Replication Profiles” (MRPs), which are nearly identical to the APT and commodity malware found in the wild (although without the risk of real malicious activity). This allows companies to go beyond the limitations of security program audits and vulnerability scans to actually test how well their cybersecurity defenses will hold up against early-stage attacks.
ARKTOS’s Malware Replication Profiles are based on the complex network behavior of real APT and commodity malware, including:
- C2 endpoints (domains, IPs, etc.)
- Callback frequency and initiation policy (round-robin, random, user activity triggered, etc.)
- Communication patterns (transport protocol and payload contents, e.g. HTTP requests or custom binary protocols)
- Threat descriptions (malware family labels, capabilities, known actors, known outcomes, e.g. ransomware)
Prevailion replicates the behavior of real APT and commodity malware through its unique ability to commandeer and repurpose the attacker C2s that control hundreds of unique malware families currently in use in cyber attacks around the world. This enables Prevailion to collect vast amounts of inside information and performance data on active malware, ranging from criminal to nation-state groups. The company uses this data and the actual de-fanged C2 infrastructure to safely test an organization’s existing security stack against a real-world attack scenario.
By collecting real-time telemetry data from the ARKTOS Replication Engine and monitoring communication with repurposed C2 infrastructure, companies can quantify and qualify the readiness and response of their end-to-end security controls for emerging and latent threats. It also allows them to qualify the ability of each stage in the communication of a particular threat to bypass security controls.
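Catching the early beacons the text refers to comes down to spotting callbacks with a stable period in connection telemetry, regardless of whether the initiation policy is fixed-interval or lightly jittered. The following is an added example, not Prevailion's or ARKTOS's code: a small periodicity check over a constructed connection log (timestamps, hosts and addresses are made up) that flags flows whose inter-arrival spread stays small, using a median/MAD measure so modest jitter does not hide the schedule.

```python
"""Beacon-interval detector over a constructed connection log (added example)."""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample lines: "timestamp src dst". The 10.0.0.5 -> 203.0.113.7
# flow checks in roughly every 300 s with small jitter; the other flow is
# irregular, user-driven style traffic.
SAMPLE_LOG = """\
2024-01-10T09:00:00 10.0.0.5 203.0.113.7
2024-01-10T09:05:02 10.0.0.5 203.0.113.7
2024-01-10T09:09:58 10.0.0.5 203.0.113.7
2024-01-10T09:15:01 10.0.0.5 203.0.113.7
2024-01-10T09:20:00 10.0.0.5 203.0.113.7
2024-01-10T09:24:59 10.0.0.5 203.0.113.7
2024-01-10T09:00:10 10.0.0.9 198.51.100.4
2024-01-10T09:00:15 10.0.0.9 198.51.100.4
2024-01-10T09:47:00 10.0.0.9 198.51.100.4
2024-01-10T10:03:40 10.0.0.9 198.51.100.4
2024-01-10T10:04:40 10.0.0.9 198.51.100.4
2024-01-10T11:35:40 10.0.0.9 198.51.100.4
"""

def parse_log(text):
    """Return {(src, dst): [datetime, ...]} with timestamps sorted per flow."""
    flows = defaultdict(list)
    for line in text.splitlines():
        ts, src, dst = line.split()
        flows[(src, dst)].append(datetime.fromisoformat(ts))
    return {k: sorted(v) for k, v in flows.items()}

def interval_jitter(times):
    """Median inter-arrival time in seconds and its relative spread (MAD / median).
    A small spread means the callbacks follow a fixed schedule even when the
    implant adds a little jitter; a large spread points to irregular traffic."""
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    med = median(gaps)
    mad = median(abs(g - med) for g in gaps)
    return med, (mad / med if med else float("inf"))

def find_beacons(flows, min_connections=5, max_jitter=0.10):
    """Flag flows with enough callbacks and a stable period; thresholds are tunable."""
    hits = []
    for (src, dst), times in flows.items():
        if len(times) < min_connections:   # too few samples to judge a period
            continue
        period, jitter = interval_jitter(times)
        if jitter <= max_jitter:
            hits.append({"src": src, "dst": dst, "period_s": round(period), "jitter": round(jitter, 3)})
    return hits
```

Run on real telemetry, pair the hit list with the destination and protocol details an MRP describes so that an expected replication test and an unexpected live beacon are told apart.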
ARKTOS has already undergone testing and live corporate deployments through a previous beta test program.