Damballa® FirstAlert Detects Cyber Threats Weeks Before the Malware is Ever Discovered
Trials of new inventions unveiled multiple new and emerging botnets that were subsequently taken down
20 June 2011
ATLANTA — Damballa® Labs, the research and cyber intelligence arm of Damballa Inc., today announced Damballa® FirstAlert, a cyber threat early warning system that provides enterprise security teams with the earliest possible protection against cyber attacks. Damballa FirstAlert incorporates two new inventions that represent game-changers in early threat discovery, detecting cyber threats many weeks before the initial malware samples are discovered by the security community and long before the domains or IP addresses are incorporated into common blocking and alerting technologies. This means Damballa FirstAlert will discover cyber threats long before traditional preventative security solutions will have the signatures or blacklists they would need to detect the threat. The new inventions are now entering production after obtaining exceptional real-world results.
Damballa FirstAlert was the cyber threat intelligence system behind the discovery of the IMDDOS botnet that Damballa announced on September 13, 2010. In additional real-world trials of the new inventions, Damballa Labs discovered multiple botnets in the early stages of their mass infection lifecycles. Hundreds of networks and thousands of assets were compromised by these previously undiscovered threats, including large enterprise, government sector and ISP networks. These botnets were taken down as a matter of course. In all cases, the botnets were discovered weeks before the malware was first detected through traditional approaches (on average 30 days).
Damballa FirstAlert is the cyber threat intelligence system that powers the Damballa® Failsafe (for enterprise networks) and Damballa® CSP (for communications service providers) solutions. With Damballa FirstAlert, Damballa customers will be able to detect and terminate threats in the early stages of their infection lifecycle and long before traditional prevention systems would identify the infection or breach.
"The introduction of these new inventions comes at a time when customers are acutely aware of the enormous damage a network security breach can cause," says Val Rahmani, CEO of Damballa. "Any enterprise, ISP or telco network protected by Damballa products will detect and block cyber attacks weeks and possibly months before any malware-dependent solutions will ever be aware of the threat."
"We are truly in an arms race when it comes to fighting cyber crime," said Kenneth A. Minihan, Lt. Gen, USAF (ret) and former Director, National Security Agency. "The criminals have vast resources and patience, and the sophistication of the infection tactics and associated malware continues to outpace our ability to block it or detect it. But even the criminals have to use the basics of the Internet and DNS to communicate with the assets they infect. Advanced detection of malicious domain abuse could be the only way of staying ahead of this threat. Damballa is doing something special."
The two new inventions are named 'Kopis' and 'Notos'. Both are Damballa patent-pending technologies.
Kopis is an early warning threat discovery system that monitors domain look-up behaviors across 'autonomous' networks, uniquely capable of operating at different levels of the internet hierarchy. The Kopis research paper will first appear in the August 2011 proceedings of the 20th USENIX Security Symposium, a top tier academic security conference.
Notos is a dynamic reputation system for DNS, which operates by utilizing the massive historical DNS data aggregated in the Damballa Labs. Its operational merit primarily involves the automatic assignment of DNS reputation scores to new, previously unseen domains. The Notos research paper appeared last year in the proceedings of the 19th USENIX Security Symposium. The Notos technology was originally developed at the Georgia Tech Information Security Center (GTISC), where research in DNS-based monitoring for botnet defenses has been supported by funding from the National Science Foundation, the Department of Homeland Security, the Office of Naval Research, the Air Force Research Labs, the Army Research Office, and Google. Damballa has an exclusive license for Notos and continues to advance the patent-pending technology.
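The release describes Notos only at the level of "assign a reputation score to a previously unseen domain from historical DNS data". The following Python is an added illustration of that idea and is not Notos or any Damballa code: it scores a new domain by how much hosting infrastructure (exact IP, then /24 prefix) it shares with domains an operator already knows to be good or bad, plus a small lexical term. The passive-DNS records, labels, smoothing prior, weights and threshold are all constructed for the example; a production system would use many more feature families and a trained classifier.

```python
"""Toy DNS-reputation scoring from passive-DNS history (illustrative only).

Added example, not Notos or Damballa code. Assumptions: a history of
(domain, resolved IP, label) observations where label is "good", "bad" or
None for unknown; shared-infrastructure counts as the only strong feature;
hand-set weights and threshold.
"""
from collections import defaultdict
from ipaddress import ip_network

# Constructed passive-DNS history (documentation-range addresses, fake names).
HISTORY = [
    ("login-bank-example.com", "203.0.113.10", "bad"),
    ("update-check-example.net", "203.0.113.10", "bad"),
    ("free-gift-example.org", "203.0.113.55", "bad"),
    ("example.com", "198.51.100.5", "good"),
    ("www.example.com", "198.51.100.5", "good"),
    ("cdn.example.net", "198.51.100.77", "good"),
    ("mail.example.org", "198.51.100.78", "good"),
    ("unknown-a.example", "203.0.113.12", None),  # unlabeled, ignored
]


def _net24(ip):
    """Return the /24 containing ip, as a string key."""
    return str(ip_network(f"{ip}/24", strict=False))


def build_index(history):
    """Count known-good / known-bad domains per exact IP and per /24."""
    by_ip = defaultdict(lambda: {"good": 0, "bad": 0})
    by_net = defaultdict(lambda: {"good": 0, "bad": 0})
    for _domain, ip, label in history:
        if label is None:
            continue
        by_ip[ip][label] += 1
        by_net[_net24(ip)][label] += 1
    return dict(by_ip), dict(by_net)


def infra_badness(ip, by_ip, by_net, prior=0.5, weight=1.0):
    """Smoothed fraction of labeled domains on this IP that are bad.

    Falls back to the /24 when the exact IP was never seen with a label, and
    returns the prior when neither has history (no evidence either way).
    """
    counts = by_ip.get(ip) or by_net.get(_net24(ip)) or {"good": 0, "bad": 0}
    total = counts["good"] + counts["bad"]
    return (counts["bad"] + prior * weight) / (total + weight)


def lexical_density(domain):
    """Fraction of digits and hyphens in the name (weak, cheap signal)."""
    name = domain.lower()
    return sum(ch.isdigit() or ch == "-" for ch in name) / max(len(name), 1)


def reputation_score(domain, resolved_ips, by_ip, by_net):
    """Score a previously unseen domain in [0, 1]; higher means worse.

    Takes the worst shared-infrastructure signal across the IPs the new domain
    resolves to and blends in the lexical term (weights chosen for the example).
    """
    infra = max(infra_badness(ip, by_ip, by_net) for ip in resolved_ips)
    return round(0.8 * infra + 0.2 * lexical_density(domain), 3)


def verdict(score, threshold=0.6):
    """Map a score to an alerting decision (threshold is an assumption)."""
    return "suspicious" if score >= threshold else "ok"


if __name__ == "__main__":
    by_ip, by_net = build_index(HISTORY)
    # Constructed "first sightings" of new domains and what they resolved to.
    new_domains = {
        "secure-login-77.example": ["203.0.113.10"],   # shares IP with bad
        "docs.example": ["198.51.100.5"],              # shares IP with good
        "new-host.example": ["203.0.113.200"],         # only /24 is known
        "fresh.example": ["203.0.114.9"],              # no history at all
    }
    for dom, ips in new_domains.items():
        s = reputation_score(dom, ips, by_ip, by_net)
        print(f"{dom:28s} {s:.3f} {verdict(s)}")
```

The point the example makes is the one the release makes: a brand-new domain has no malware sample and no blacklist entry yet, but the moment it resolves it inherits the history of the infrastructure it lands on, so a passive-DNS view can score it before any signature exists. Shared IPs are a deliberately narrow feature; anything hosted on shared cloud or CDN ranges would need per-IP weighting or additional features to avoid guilt by association.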
"Damballa Labs has been trailblazing techniques for detecting and enumerating the criminal remote control of victim devices since the company's inception," said Gunter Ollmann, vice president of research for Damballa. "Just as DNS is a critical component of the Internet's functionality, it is also the Achilles' heel of cybercriminals. Our inherent ability to analyze Big Data and apply the latest innovations in machine learning continues to yield new techniques to unveil the victims of cybercrime – passively and remotely. We continue to advance our malware analysis capabilities, machine learning technologies and automated classification systems that all serve to automate and accelerate our knowledge of emerging threats, and our ability to provide early detection and protection for our customers."
About Damballa Labs
Damballa Labs is a team of recognized authorities in cyber threats, malware analysis, and applied scientific research that collaborate with some of the best minds in the academic community to discover new and innovative ways to stay ahead of cyber crime activity. Specifically, Damballa Labs retains some of the most knowledgeable experts on DNS, machine learning technologies and criminal command-and-control infrastructure.
Damballa is a pioneer in the fight against cybercrime. Damballa provides the only network security solution that detects the remote control communication that criminals use to breach networks to steal personal and intellectual information, and conduct espionage or other fraudulent transactions. Patent-pending solutions from Damballa are platform and system-agnostic, protecting networks with any type of device including PCs, Macs, smart phones, as well as mobile and embedded systems. Damballa customers include Fortune 1000 companies, Internet and telecommunications service providers, government agencies and educational organizations. Privately held, Damballa is headquartered in Atlanta. http://www.damballa.com