Lancope’s StealthWatch Labs Conducts Advanced Research to Help Customers Fend Off Heartbleed and CryptoLocker Attacks
Highly skilled research team provides tools for effective and continuous response to today’s most damaging threats
ATLANTA, June 9, 2014 /PRNewswire/ — Lancope, Inc., a leader in network visibility and security intelligence, announces that its security research team, StealthWatch® Labs, has conducted advanced research to provide cutting-edge protection against recent, destructive cyber-attacks including Heartbleed and CryptoLocker. Through unique, behavioral-based threat detection, reverse engineering of prominent threats, and sophisticated network forensics, StealthWatch Labs uses a multi-pronged approach to keep customers shielded from devastating breaches. Lancope continues to evolve its technology through in-depth research and the addition of new defense techniques to its award-winning StealthWatch System to allow for continuous response to today’s top threats.
“Malicious attackers have honed their craft to the point where they can evade even the most tried-and-true security technologies and best practices,” said Tom Cross, director of security research and head of StealthWatch Labs at Lancope. “Without constantly dissecting and reverse engineering their attacks, the security industry has no hope of keeping up. StealthWatch Labs relentlessly investigates attacker motives and methods to both educate customers and incorporate enhanced threat protection capabilities into the StealthWatch System, especially in the face of large-scale attacks like Heartbleed and CryptoLocker.”
In April 2014, news of the OpenSSL vulnerability known as Heartbleed rocked the tech world as the biggest software vulnerability of the year thus far. Unfortunately, since OpenSSL is used so prevalently, many organizations may be unsure whether they are vulnerable or compromised. However, using Lancope’s StealthWatch System, organizations can detect Heartbleed attacks in real time through predictive security analytics, as well as search their networks for various indicators of compromise (IOCs) from the attacks to help determine if they were previously a victim.
The StealthWatch System provides real-time detection of long flows that could be indicative of Heartbleed attacks through its “Suspect Long Flow” security event, which was developed years before the Heartbleed vulnerability even surfaced. Additionally, the latest release of the StealthWatch System, Version 6.5, enables users to create custom security events and alarms to assist with detection efforts. StealthWatch Labs has also published a detailed blog post outlining how to use the StealthWatch System to forensically search NetFlow logs for IP addresses and unique traffic characteristics associated with attacks targeting the Heartbleed vulnerability.
CryptoLocker is a very conspicuous piece of malware that surfaced late last year. A type of ransomware, its goal is to encrypt a multitude of files on victims’ systems, then loudly make its presence known in order to collect money in return for a decryption key. This attack is a big problem for IT and security professionals, because unlike with other types of ransomware, it is not possible to restore encrypted files even after removing the CryptoLocker malware from infected systems (unless they were backed up elsewhere).
Fortunately, CryptoLocker does have one Achilles’ heel – the need to use a domain generation algorithm (DGA) to create a multitude of domain names for command-and-control (C&C) operations. Through reverse engineering, StealthWatch Labs has found a way to quickly detect and shut down CryptoLocker attacks by incorporating this DGA into the StealthWatch Labs Intelligence Center (SLIC) Threat Feed.
As detailed in this blog post, obtaining an alert on communication or attempted communication with a CryptoLocker C&C server enables organizations to quickly prevent the CryptoLocker infected host from communicating with the rest of the network, as well as hopefully limit the damage to that host. This capability is key since CryptoLocker not only encrypts local files on the originally infected system, but also tries to encrypt files on connected network drives and cloud storage services.
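The two detection ideas the release describes, flagging unusually long flows and matching flow endpoints against an indicator list such as a C&C threat feed, can be illustrated on flow records. The following is an added example, not Lancope code and not the StealthWatch "Suspect Long Flow" logic itself: it parses a constructed CSV of NetFlow-like records (documentation-range addresses), reports flows to a service port that stay open beyond a threshold, and reports any flow whose source or destination appears on a constructed indicator list. The field names, the one-hour threshold and the sample data are assumptions chosen for illustration.

```python
"""Flow-record triage: long-flow detection plus indicator matching.

Added example (not Lancope's code). Sample flows and indicators below are
constructed; addresses come from RFC 5737 documentation ranges.
"""
import csv
from dataclasses import dataclass
from io import StringIO
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class FlowRecord:
    src: str
    dst: str
    dst_port: int
    duration_s: float   # seconds the flow was observed
    bytes_out: int      # client -> server
    bytes_in: int       # server -> client


# Constructed sample records in a simple CSV layout (not a real NetFlow export).
SAMPLE_FLOWS = """\
src,dst,dst_port,duration_s,bytes_out,bytes_in
10.0.0.5,192.0.2.10,443,12.0,4200,38000
10.0.0.7,192.0.2.10,443,5400.0,180000,9600000
10.0.0.9,198.51.100.77,443,2.0,900,1800
10.0.0.12,203.0.113.8,80,64800.0,3200,5600
"""

# Constructed indicator list standing in for a threat feed (placeholders only).
IOC_ADDRESSES = ["198.51.100.77"]
IOC_NETWORKS = ["203.0.113.0/24"]


def parse_flows(text: str) -> List[FlowRecord]:
    """Parse CSV flow records into typed FlowRecord objects."""
    reader = csv.DictReader(StringIO(text))
    return [
        FlowRecord(
            src=row["src"],
            dst=row["dst"],
            dst_port=int(row["dst_port"]),
            duration_s=float(row["duration_s"]),
            bytes_out=int(row["bytes_out"]),
            bytes_in=int(row["bytes_in"]),
        )
        for row in reader
    ]


def suspect_long_flows(flows: Iterable[FlowRecord], min_duration_s: float = 3600.0,
                       ports: Tuple[int, ...] = (443,)) -> List[FlowRecord]:
    """Flows to the given service ports that stay open longer than a typical
    session. The threshold is an assumption; tune it per environment."""
    return [f for f in flows if f.dst_port in ports and f.duration_s >= min_duration_s]


def ioc_matches(flows: Iterable[FlowRecord], addresses: Iterable[str],
                networks: Iterable[str]) -> List[Tuple[FlowRecord, str]]:
    """Return (flow, matching_ip) for every flow whose src or dst is on the list."""
    addr_set = {ip_address(a) for a in addresses}
    nets = [ip_network(n) for n in networks]
    hits = []
    for f in flows:
        for side in (f.src, f.dst):
            ip = ip_address(side)
            if ip in addr_set or any(ip in n for n in nets):
                hits.append((f, side))
                break  # one hit per flow is enough for triage
    return hits


def triage(flows: List[FlowRecord]) -> Dict[Tuple[str, str], List[str]]:
    """Combine both checks into a per-flow list of reasons, keyed by (src, dst)."""
    reasons: Dict[Tuple[str, str], List[str]] = {}
    for f in suspect_long_flows(flows):
        reasons.setdefault((f.src, f.dst), []).append(f"long flow: {f.duration_s:.0f}s")
    for f, ip in ioc_matches(flows, IOC_ADDRESSES, IOC_NETWORKS):
        reasons.setdefault((f.src, f.dst), []).append(f"indicator match: {ip}")
    return reasons


if __name__ == "__main__":
    for key, why in triage(parse_flows(SAMPLE_FLOWS)).items():
        print(key, "->", "; ".join(why))
```

The long-flow check only looks at flows to the configured service ports, so the 18-hour HTTP flow in the sample is surfaced by the indicator match rather than the duration rule; in practice both signals are fed to the same alerting pipeline so an analyst sees every reason a host was flagged.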
StealthWatch Labs and SLIC
Members of the StealthWatch Labs research team have decades of combined experience at the forefront of computer security. The team conducts both in-house research and taps into a wide variety of third-party experts and partners to aggregate emerging threat information from around the world.
Through the StealthWatch Labs Intelligence Center, Lancope delivers global intelligence on the Internet’s top threats to customers and the public at large. Additionally, the SLIC Threat Feed continuously monitors customer networks for thousands of known C&C servers to provide an additional layer of protection from botnets and other sophisticated attacks.
For further information on StealthWatch Labs, go to: http://www.lancope.com/slic/. Additional details on detecting advanced attacks with the StealthWatch System can be found at: http://www.lancope.com/solutions/security-threats/.
Lancope, Inc. is a leading provider of network visibility and security intelligence to defend enterprises against today’s top threats. By collecting and analyzing NetFlow, IPFIX and other types of flow data, Lancope’s StealthWatch® System helps organizations quickly detect a wide range of attacks from APTs and DDoS to zero-day malware and insider threats. Through pervasive insight across distributed networks, including mobile, identity and application awareness, Lancope accelerates incident response, improves forensic investigations and reduces enterprise risk. Lancope’s security capabilities are continuously enhanced with threat intelligence from the StealthWatch Labs research team. For more information, visit www.lancope.com.
©2014 Lancope, Inc. All rights reserved. Lancope, StealthWatch, and other trademarks are registered or unregistered trademarks of Lancope, Inc. All other trademarks are properties of their respective owners.
SOURCE Lancope, Inc.