New field

Subscribers who add (or modify) a device on threatstop now have a radio button option to select between static and dynamic address types (see above). By clicking on dynamic they are able to add the DNS name of the device

Now, every 15 minutes when we update our blocklists and ACLs we will attempt to resolve the DNS name and use that IP address we get back in the relevant ACLs. If the DNS name does not resolve correctly then the firewall will not be able to download the blocklists.

Improved Reporting

In addition to the dynamic IP support we have also add some more information sources to our drilldown menu for reporting and modified the “Research” page to change the summary whois information shown there. While neither of these changes is huge, we believe that they will help our customers and partners get better use out of the log data they submit to us.

Speed Improvements

Behind the scenes we have made a number of other improvements that increase the scalability and performance of our service but these are, we hope, transparent to our subscribers.

The problem was that every day about 1,000 visitors, mostly students, connect their devices to the library’s free Wi-Fi network. The result was recurring malware infections on the network and the public access terminals. Before ThreatSTOP, security consisted of blacklisting on a SQUID proxy and OpenDNS as a backup. This clearly wasn’t enough.

“We had to delete data from the public PCs every night, clean it up, and start all over again every day!” said Nikola Nikolic, Bibliotheek’s Contracts and Services Manager. “It was a nightmare, with constant escalations with the ISP and service stoppages.” With the ThreatSTOP/Juniper SRX 240 solution, more than 4,000 pieces of outbound malware are blocked every day. “Now we have no service stoppages, no escalations with the ISP, and no manual cleanups. We just look at the ThreatSTOP reports and respond to any issues very quickly. ThreatSTOP has solved a big headache for us,” said Nikolic.

“The ThreatSTOP service was very easy to install with a simple script and integrated with the SRX nicely as if it’s part of the firewall,” said Dennie Spreeuwenberg, manager of services networking and security at Avnet Benelux. “ThreatSTOP on the SRX worked exactly as it should, and immediately blocked the botnets that have been plaguing the library for years.”

This success story again shows that ThreatSTOP is the most effective and easily implemented botnet/malware protection service. We turn customers’ existing firewalls into much more powerful enforcement devices, enabling them to protect against the worst and latest threats.  ThreatSTOP currently supports more than 80% of the global firewall installed base, including: Juniper SRX, Cisco ASA/PIX/ISR, Checkpoint, Vyatta, pfSense and iptables-based products.

This also shows that existing AV, anti-spam, IDP and other traditional products don’t work against advanced persistent threats. Before ThreatSTOP, The Juniper SRX 240 with its Unified Threat Management bundle (Kaspersky AV, Sophos spam filter etc.) was used as a solution, but it did not solve the problem of malware “calling home” to botnet command and control hosts, and then doing their bidding. After a year of analysis, reconfiguration, troubleshooting—and mounting frustration—to no avail, the library and its managed service provider Avnet finally found ThreatSTOP through a recommendation from Juniper. Within two months, after a quick trial activated directly from ThreatSTOP’s website, ThreatSTOP was up and running and immediately solved the problem.

Our ISR support is very similar to our support of Cisco’s ASA and PIX platforms in that it requires an external management device to download and apply the lists and also to upload logs to us. It also requires a certain specific version of IOS – 12.4(22)T5 – as earlier versions did not correctly implement a required feature. It should be possible to obtain this version of IOS by contacting Cisco support (reference this url: http://www.cisco.com/en/US/products/products_security_advisory09186a0080af8119.shtml). ThreatSTOP has not tested other versions of IOS apart from 12.4(22)T5.

By adding support of IOS firewall to ThreatSTOP, we have brought IP reputation support to one of Cisco’s largest selling firewall products for the first time. This means that thousands of organizations, large and small, can now benefit from our unrivalled protection from botnets, trojans and other malware.

Our pfSense support integrates tightly with the pfSense webConfigurator GUI, providing a new page under the Firewall section of the menu. Installation requires no more than a simple paste of text into an SSH session to start and all subsequent enabling/disabling of the feature is performed using the new page. pfSense support is limited to the current 2.x version of pfSense but supports all varieties of pfSense deployment from VM to hard-disk to flash.

ThreatSTOP’s Botnet Defense Cloud is offered as a value-add malware/botnet  protection service which can be activated and provisioned within the Kwick Key interface.  With this win, we are continuing to demonstrate the wide applicability and integrability of our service and platform across a wide variety of devices that sit in various parts of the network and serve different markets.  We have several more partner projects in the pipeline, and a couple done deals that we will announce next quarter that extend our reach even further.  Stay tuned.

With ThreatCHECK, users can make sure that when they are going to their favorite online retailers, their computer isn’t also sending all their keystrokes to criminal syndicates.  Simply checking with ThreatCHECK for a few minutes can potentially save a consumer thousands, and businesses millions, of dollars from stolen credit card numbers or credentials, lost data, cost of remediation and even fines for failing to comply with data security regulations.

As more and more shopping moves online, more and more crimes are committed there.  The holidays are the busiest days for online merchants as well as for the cybercriminals.  Botnets, advanced persistent threats and criminal malware are widely recognized as the most serious information security problem today.  The average number of web attacks globally doubled in 2010 from 10 million to 20 million[1], and the cost to consumers and organizations runs in the billions.  Despite $20 billion spent annually on network security, 99% of networks are infected by malware.[2]  Criminals clearly have the upper hand as they attack—and profit—with very little cost and total impunity using victims’ own computers.  No one, from the individual to the largest organizations, is immune.

The surprise and shock come from 3 misconceptions:

1.  There is still a lack of general awareness about the vastly different nature of botnets and active malware and the damage they can do compared to virus and spam which are yesterday’s nuisances.  The whole category of botnets, active malware and advanced persistent threats are the primary security problems of the day and the foreseeable future.

2.  “I’ve got XYZ that’s protecting me already.”  In WMSD’s case, Gary thought he was protected by Vyatta’s NAT (network address translation), a M86 content filter administered statewide by the state, and a free OpenDNS as a backup.  In fact, time and time again, wherever we go, we find very bad stuff lurking inside a customer’s network regardless of what they were using as security solutions.   Cisco, Symantec, Checkpoint, SonicWall, Palo Alto Networks, doesn’t make a difference. That’s why we say that the current products, which are primarily signature and packet inspection-based, are ineffective in catching this “new” class of malware.  They were designed for the old class of problems and give a false sense of security.  We call them the “70% and 3 days late” solutions.

3.  Finally, there is naivete. “Why should someone from Latvia attack me?  I’ve got nothing valuable!”  Welcome to the reality of sophisticated criminal syndicates from around the world attacking anyone connected to the Internet with impunity almost for free using victims’ own computers.  Talk about the perfect crime!  While the Fortune 1000 organizations can afford the best security money can buy–and even they are not immune to breaches–it is the vast number of small-medium organizations that are prime targets of cybercrime precisely because they don’t have the resources and the vigilant attitude.  Two stats suffice here:

1.  Visa reports that 95% of credit card data breaches come from small issuers.

2.  Verizon and the U.S. Secret Service reported that the % of reported attacks on SMEs (small-medium enterprises) rose from 27% to 63% from 2009-2010.

What’s the message?  There are 3:

1.  Botnets/active malware is the network problem of the day that is not solved by the prevailing security products in the market.

2.  Everyone is a a target and potential victim, especially small organizations.  Lack of awareness, naivete and a false sense of security are dangerous and expensive attitudes to have.

3.  ThreatSTOP offers the most cost effective cloud service based on IP Reputation that solves this big problem by enabling your existing firewalls to block bad traffic bidirectionally.  It can be deployed within the hour and protect you immediately.  You can sign up for a free trial right on www.threatstop.com.

The first is very simple: please clear your browser cache before visiting the reporting section of the ThreatSTOP website because otherwise it will look very strange as there are clashes in the javascript/css code. The second is that one of the new features – filter report by feed – is not working consistently on the production server/database, although needless to say it worked and still works flawlessly on our test servers. We are, of course, working on identifying why it does not always work, but in the mean time be aware that if you do filter by feed and get 0 responses this may not be accurate (if you get a non-zero number then this will be correct, the issue is that sometimes we get 0 results back when we should have had some) Update: The search by feed only works with logs parsed by the new log parser system and thus is unlikely to work for logs uploaded before last Friday.

Ok beyond the niggles what will our customers notice? the log parsing code is effectively invisible, but the recent delays between log submission and being able to view reports should now be gone. On the reporting front the changes are rather more obvious:

There are some new choices to filter data by and, for users with multiple devices, we have improved the information in the pulldown that allows you to choose the device. You can filter the results based on a specific feed or IP address and can use the “*” wildcard when searching for an address. Examples are “192.168.*.*” and “192.*.100.*”. Also we note the last time we processed a log in addition to the summary statistics of the report.

When looking at the detailed reporting pages users will immediately notice that IP addresses are all underlined with a dotted line. Hovering a mouse over a particular IP address brings up a menu of drill down options.

The top link on the drilldown list (Research) is a report on what we at ThreatSTOP know about the address, that is to say it is essentially the same as the what we used to report in a separate popup window. The astute will note that the new popup window has options to allow the user to add this ip address to either a custom block list or a custom white (allow) list.

Clicking on the Add to White list button leads to a dialog like this (The block list button has an equivalent one):

The next item down (Domains) is a popup that displays a report from the SIE passive DNS database about what DNS queries have resolved to that address. This is generally more useful for outbound analysis where the list can identify a phishing site or a known botnet C&C host domain name. Although the example above shows just three names, frequently these ip addresses will have been used by thousands of different domains (note that we do not display more than 10,000 domains).

The remainder of the links open external windows to other (malware) research sites that we find useful in identifying information about a particular ip address. If anyone has other sites they find useful we will be glad to add them too.

All these reporting changes are also added, where relevant, to other sections of the website such as the check logs feature.

Finally – if you are still reading this far – here is a worked example of how to use the new features to confirm a bot C&C host and thus identify infected machines on your network. This is a real customer but the internal infected addresses have been obfuscated to preserve some anonymity. First run a report for recent outbound traffic filtering on the “BOTNET” feed and then click on “outbound connections” list.

Next click on the “Research” tab for the Destination IP to learn that this address is a known C&C host:Then confirm by checking on the Domains link to see what sorts of names have been resolving to this address:10k domains” src=”http://threatstop.files.wordpress.com/2011/09/ts-report-10.png” alt=”Botnet C&C with >10k domains” width=”416″ height=”590″ />Finally click on say the McAfee link to confirm that this is not just a figment of ThreatSTOP’s imagination. Now that it has been confirmed that the IP address is bad the source IP addresses (192.168.x.51 and 192.168.x.52 in this case) should be noted down and the computers using them identified for immediate remediation.

Although to be honest, when I say we block it, we stop you being tempted to pay €100 and probably having your credit card details nicked in the process. We may also stop machines from getting infected but that is less certain as there are various infection paths. However we are sure that we block the website where you have to pay – www.buylicens.com. This domain resolves to the IP address 91.217.153.15 which is in the Ukraine and also in a couple of our feeds – Spamhaus and the Russian Business Network. Hence users who either blocked Eastern Europe, the Ukraine specifically or use our Advanced block list wuld be protected.

John Troemel, IT Manager at Krueger Wholesale, was intrigued by  ThreatSTOP technology. Given the noticeable rise of criminal malware and challenges associated with a dynamically changing threat landscape, Troemel was intent on implementing a solution that would deliver proactive defense against these exploits. By simply checking the botnet category in the iPrism URL database, Troemel was immediately alerted to potential security risks he didn’t know existed. “Enabling the botnet defense showed me that there were some desktops trying to connect with Skype that should not be,” said Troemel. “This could have resulted in a potential security issue, but because of iPrism, I was able to fix that problem. I keep a really clean network, and iPrism really helps things stay even more secure.”

Read the story at Sys-Con Media.

DDoS is a major problem that’s growing exponentially as the cyber criminals’ resources and their rapidly declining cost overwhelm their victims.  The only DDoS defense solutions previously available were either inadequate or overly expensive to service providers and their customers.  This meant that many service providers have gambled—i.e. hoping—on not being attacked.  This is an increasingly risky and untenable strategy for service providers given the prevalence of attacks and the increasing calls by customers and government agencies for greater accountability and compensation for breaches.

“The impetus for developing this solution was that we were deeply concerned at the growing risks, and were simply unable to find an adequate solution that works economically,” said Simon Woodhead, Managing Director of Simwood.  “We identified a number of best-of-breed partners to weave a solution that offers protection at a price point workable for customers of all sizes, and ThreatSTOP clearly is a cost effective front-line defense for us.”

As part of this partnership, Simwood has become ThreatSTOP’s first distributor in the UK for our IP reputation service.