Everyone who reads the news knows that new cyber threats emerge on a daily basis. It has come to the point where cybercriminal organizations function as businesses. This is especially true for ransomware groups, many of which even run a working support desk for their involuntary “customers.” How do you stay secure in today’s ever-changing world, where new threats emerge with increasing frequency?
Traditionally, malware detection has been based on recognizing known patterns: once a security vendor identifies a file as malicious by whatever means, it stores the file’s unique fingerprint (hash) and distributes it to all protected devices. With the hash of the malicious file in hand, the protected device hashes every new file it encounters, and if that hash is found in the database of known malicious files, the file gets blocked. The issue with this approach is that it takes some time before a newly encountered malicious file makes it into the database, and during that window the file is not detected at all.
Luckily, there are other means of recognizing malicious files, such as monitoring their activity. If the activity falls outside the parameters that describe benign behavior, it gets flagged for further examination. However, this kind of protection uses more computing power, so not every device can be protected this way, and even if it were possible, it is hard to be sure that every portable device (phones, tablets, laptops, etc.) is protected well enough. The last thing you want is for your users to connect their already infected devices to your otherwise well-secured network.
Then there are also Internet of Things (IoT) and Industrial Internet of Things (IIoT) devices on which, in most cases, you simply cannot install anything. How do you protect these devices and ensure that every device in your network is secured? Naturally, they can be partially covered by a firewall, but that is not a fix-all solution; it is the most basic type of network security tool you can use. With the help of an Intrusion Prevention System (IPS), you can stop more attacks, but as the name suggests, the focus is on stopping incoming malicious traffic. An IPS also checks outgoing traffic for communication with malicious websites and the like, but it only detects the ones it already knows. What if the malware is more sophisticated and doesn’t communicate with just one domain, but with a seemingly unlimited number of random domains that change over time? Blocking a single domain is then pointless, since a domain generation algorithm (DGA) will soon replace it with a different one. How can you stop something that is designed to evade existing security measures?
Enter Whalebone. Whalebone solutions focus on detecting malicious patterns in DNS traffic, which accompanies any network communication that doesn’t use a hard-coded IP address. Known malicious websites are blocked automatically, but that’s not the end of it. Whalebone’s solutions can recognize domains generated by a DGA using our unique machine learning features. We can even block domains that are completely new. By analyzing DNS traffic, we protect the whole network, not just the devices that can have agents installed on them. This means we are able to protect devices such as cameras, fish tank thermometers (this was really used as an attack vector), and other similar IoT/IIoT devices.
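To make the DNS-side idea concrete, here is an added example (not Whalebone’s code, and a plain lexical heuristic rather than the machine learning features mentioned above) that scores queried domain names for DGA-like traits and then aggregates hits per client, since a single odd lookup is weak evidence but one host querying many such names is a strong signal. The log format and all entries are constructed for the example.

```python
import math
from collections import Counter, defaultdict

# Constructed DNS query log (not real traffic): "<timestamp> <client> <qname>"
SAMPLE_DNS_LOG = """\
2024-01-01T10:00:01Z 10.0.0.12 www.example.com
2024-01-01T10:00:02Z 10.0.0.12 mail.google.com
2024-01-01T10:00:03Z 10.0.0.31 xk3q9vz7lpdq2m.net
2024-01-01T10:00:04Z 10.0.0.31 qwl2zj8tbx4nd9h.org
2024-01-01T10:00:05Z 10.0.0.31 ghj7rt2lmx9zbqw.com
2024-01-01T10:00:06Z 10.0.0.7 updates.microsoft.com
"""

VOWELS = set("aeiou")

def shannon_entropy(s):
    """Bits of entropy per character of the string s."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def registered_label(qname):
    """Second-level label: 'www.example.com' -> 'example'."""
    parts = qname.rstrip(".").lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def dga_score(qname):
    """Heuristic 0-4 score: high entropy, few vowels, digits mixed in, long label.
    Thresholds are assumptions; CDN or tracking hostnames can also look random,
    so treat the score as a triage signal, not a verdict."""
    label = registered_label(qname)
    letters = [c for c in label if c.isalpha()]
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters) if letters else 0.0
    digit_ratio = sum(c.isdigit() for c in label) / len(label) if label else 0.0
    score = 0
    score += shannon_entropy(label) > 3.5
    score += vowel_ratio < 0.25
    score += digit_ratio > 0.15
    score += len(label) >= 12
    return score

def flag_dga_queries(log_text, threshold=3):
    """Return (client, qname) pairs whose label scores at or above threshold."""
    flagged = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines
        _ts, client, qname = parts
        if dga_score(qname) >= threshold:
            flagged.append((client, qname))
    return flagged

def suspicious_clients(log_text, min_hits=2):
    """Clients with at least min_hits DGA-like lookups, the per-host signal."""
    hits = defaultdict(int)
    for client, _qname in flag_dga_queries(log_text):
        hits[client] += 1
    return {c: n for c, n in hits.items() if n >= min_hits}
```

Running `suspicious_clients(SAMPLE_DNS_LOG)` on the constructed log singles out 10.0.0.31, the one host whose lookups all look machine-generated, while the ordinary names score zero.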
So, how can you stay ahead of malicious hackers and keep your company secure? You need a solution that protects your whole network, not just the workstations and servers, from unknown or “zero-day” threats (threats that have not been seen before and are invisible to regular pattern recognition), and that is not defeated by unknown attacks or evasion techniques. Whalebone offers solutions designed to protect you against the unknown.
Learn more about how we do this.