DAMBALLA

Damballa is revolutionizing network security. Cyber crime is orchestrated using remote control communications via the internet, also known as command-and-control (C&C). Cut the cord and you terminate the threat. That is what Damballa does.

Working ‘out-of-band’, so that network performance is not impacted and the bad guys cannot detect or evade our solution, Damballa sensors automatically detect and terminate the C&C communication that is required for the criminals to operate the malware or bot agents on compromised assets. Once terminated, Damballa provides the necessary forensics to track, plan and execute timely remediation.

In a sentence: Damballa Failsafe, working out-of-band, (1) analyzes and correlates (a) specific network traffic behavior seen at DNS servers, proxy servers, and firewalls (egress) with (b) suspicious executables, in order to (2) identify compromised workstations, and then (3) terminates the command-and-control traffic between the compromised workstations and the cyber predators.

The Problem – Advanced Malware, Persistent Threats, Zero-Day Targeted Attacks

Today’s targeted attacks are executed using stealthy malware and command-and-control infrastructure designed to steal corporate data and commit industrial espionage.

The sophisticated malware used in these attacks is engineered to bypass prevention layers and signature-based defenses, providing criminals a conduit to customer data, intellectual property, and trade secrets. Once stealthy malware has infected an endpoint device (PC, Mac, iPad, smartphone, etc.) it communicates with the criminal operator in the same manner a legitimate user would access the internet.

This command-and-control (C&C) communication is used to issue instructions to the malware, steal data and credentials, and update/change the malware to further evade detection or to perform a more targeted task, making these stealthy threats the top priority for security teams across all industries.

According to recent research, on average, asset compromises go unnoticed for more than 140 days before they are discovered. Rapid detection of the breach and termination of the criminal communication is critical to stopping data theft.

The Solution – Damballa Failsafe

Damballa Failsafe is a purpose-built, specialized threat protection solution, which hunts for these hidden threats utilizing an array of patent-pending technologies. Damballa Failsafe:

  • Automatically detects and analyzes suspicious executables and PDFs entering the network to uncover zero-day and unknown malware
  • Rapidly identifies C&C behaviors and criminal traffic on your network
  • Correlates the malware and communications evidence to immediately pinpoint live infections
  • Terminates the criminal communications to stop data theft
  • Delivers full forensic evidence and playback of events in sequence to provide actionable intelligence to remediate the breach

The Damballa Failsafe sensors monitor DNS, egress and proxy traffic and utilize multi-dimensional deep packet inspection engines to correlate suspicious behaviors to rapidly identify and isolate a breach.

Utilizing the industry’s most advanced cyber threat intelligence from Damballa Labs, Damballa Failsafe accurately detects unknown and zero-day threats and mitigates the risk caused by these breaches by blocking the communication from compromised endpoints to criminal C&C servers.

Factoring Risk, Confirming Infections

Damballa Failsafe rapidly and automatically identifies assets under criminal control and profiles the relative risk of each infected asset. All evidence of criminal network activity is correlated and an Asset Risk Factor is assigned to provide threat response teams a way to prioritize response efforts by identifying which assets pose the biggest relative risk to the enterprise.

The Asset Risk Factor is based on a number of observations including the number and severity of the threats identified on the asset, connection success and frequency, the volume of data leaving the asset or entering the network, as well as the location, user or classification of the asset.

A Threat Conviction Score is calculated for each identified threat, based on behaviors seen across the DNS, egress and proxy sensors. Identifiable criminal communication traits include DNS queries for suspicious domains, domain query behavior such as fast flux (NXDomains), egress and proxy connection attempts to C&C servers, connection behavior (automated versus user-driven), and suspicious binary downloads. A threat report also details what is known about the threat(s) identified on the device and the criminal operator(s) related to the threat(s).
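To make the scoring idea above concrete, here is an added example (not Damballa's code or its real scoring algorithm) that derives a conviction score for one asset from the traits the page lists: an NXDomain burst, a query for a domain on a threat-intelligence list, evenly spaced (automated) egress connections, and a binary download. The log formats, the `SUSPICIOUS_DOMAINS` feed, and the weights are all constructed assumptions.

```python
from statistics import mean, pstdev

# Constructed sample sensor lines for one asset (not real Damballa output).
# DNS line:    "<hh:mm:ss> <client ip> query <domain> <rcode>"
# Egress line: "<hh:mm:ss> <client ip> -> <dst ip:port> CONNECT [download=<file>]"
DNS_LOG = [
    "10:00:01 10.1.1.5 query a1b2c3.example-bad.net NXDOMAIN",
    "10:00:02 10.1.1.5 query d4e5f6.example-bad.net NXDOMAIN",
    "10:00:03 10.1.1.5 query g7h8i9.example-bad.net NXDOMAIN",
    "10:00:04 10.1.1.5 query update.example-bad.net NOERROR",
    "10:05:00 10.1.1.5 query www.example.com NOERROR",
]
EGRESS_LOG = [
    "10:00:05 10.1.1.5 -> 203.0.113.9:443 CONNECT",
    "10:10:05 10.1.1.5 -> 203.0.113.9:443 CONNECT",
    "10:20:05 10.1.1.5 -> 203.0.113.9:443 CONNECT",
    "10:30:05 10.1.1.5 -> 203.0.113.9:443 CONNECT download=payload.exe",
]
# Assumed threat-intelligence feed of known C&C domains (constructed).
SUSPICIOUS_DOMAINS = {"update.example-bad.net"}

# Illustrative weights; a real product would tune these from evidence, not guess them.
WEIGHTS = {"nxdomain_burst": 20, "intel_domain_hit": 40, "beaconing": 25, "binary_download": 15}


def _secs(ts):
    h, m, s = map(int, ts.split(":"))
    return h * 3600 + m * 60 + s


def conviction_score(dns_lines, egress_lines, intel):
    """Return (score 0-100, evidence dict) for one asset from its DNS and egress lines."""
    evidence = {}
    nx = sum(1 for line in dns_lines if line.endswith("NXDOMAIN"))
    evidence["nxdomain_burst"] = nx >= 3           # many failed lookups: DGA/fast-flux probing
    queried = {line.split()[3] for line in dns_lines}
    evidence["intel_domain_hit"] = bool(queried & intel)
    times = [_secs(line.split()[0]) for line in egress_lines]
    gaps = [b - a for a, b in zip(times, times[1:])]
    # Near-constant intervals point to automated beaconing rather than a user browsing.
    evidence["beaconing"] = len(gaps) >= 2 and pstdev(gaps) < 0.1 * mean(gaps)
    evidence["binary_download"] = any("download=" in line and line.endswith(".exe") for line in egress_lines)
    score = sum(w for key, w in WEIGHTS.items() if evidence[key])
    return score, evidence


if __name__ == "__main__":
    print(conviction_score(DNS_LOG, EGRESS_LOG, SUSPICIOUS_DOMAINS))
```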

Armed with this correlated evidence, organizations know with certainty which devices need immediate attention, enabling efficient prioritization of remediation efforts.
