Stay Protected From Live PC Intrusion
Prevent Malicious Software from Getting into Your PC with FireTower


Autorun tagging and authentication technology

FireTower Guard Security Solutions

Sampan Security’s Autorun tagging and authentication technology, the underpinning of FireTower Guard security solutions, is designed to detect the presence of malware on your internet-connected computer and to specifically prevent zero-day attacks that bypass traditional anti-virus software.

A zero-day attack is a malicious attack that exploits a vulnerability not yet publicly known or patched, so no signature for it exists.  Traditional anti-virus software fails to detect and prevent a zero-day attack because of its reliance on signature-based detection: it only succeeds in detecting previously discovered malware.  Filling this gap in computer security is the main purpose of FireTower Guard technology.

Persistence Key Marker Event through Windows Autorun Settings

Establishing persistence on a computer is a common goal for malware because it allows the malware to remain on the computer and execute again after each system restart.  Persistence is typically achieved by inserting malicious Autorun entries, and such entries have long been recognized in the cyber security community as indicators of compromise.

Autorun entries (registry Run keys, startup folders and similar autostart locations) tell Windows which software to execute automatically each time the computer boots up.  While they are commonly used by legitimate software, they can also be used by malicious software to establish persistence on your PC.

Autorun settings have long been used by support professionals to diagnose and resolve crashes/instability, degraded performance, unwanted programs, and virus incidents.  A number of Autorun utilities exist, such as HijackThis from Trend Micro and Autoruns from Microsoft Sysinternals (distributed through TechNet). Most, if not all, of the current Autorun utilities only enumerate Autorun settings and their metadata through an on-demand scan.  Understanding and acting on the data they recover typically requires expert subject-matter knowledge in system security, performance, and recovery.  It takes a trained forensic investigator to make the assessments necessary for resolving system issues and for authenticating suspicious Autorun entries.  Furthermore, current Autorun utilities only allow these assessments to begin long after an attack has occurred, which makes them incapable of providing real-time security.

Autorun Tagging and Authentication Technology

FireTower Guard Autorun Tagging and Authentication Technology is the first in the industry to provide a cloud-assisted, real-time Autorun authentication service coupled with a unique Inter-Host Intrusion Prevention System (IHIPS) for enterprise protection against zero-day attacks and Advanced Persistent Threats.

Real-Time Autorun Tagging

FireTower Guard software installed on a Windows-based computer records static metadata for all existing Autorun settings upon initialization.  Both static and dynamic metadata are recorded in real time whenever an Autorun setting changes.  Static metadata includes the Autorun category (file or registry), Autorun type, entry name, and target file metadata.  Dynamic metadata includes timestamps, the process that creates or changes the Autorun setting (the “who”), and the footprints that process leaves behind.  A temporal threat database is updated continuously by the Autorun tagging operation for use in the Autorun authentication process.
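The endpoint-side tagging step described above, as an added example (this is illustrative code, not Sampan Security's FireTower Guard implementation). It assumes the static snapshot is a `reg export` of the Run/RunOnce keys and that the “who” comes from a Sysmon Event ID 13 (RegistryEvent: Value Set) record, whose Image, ProcessId, TargetObject and Details fields name the writing process and the value it set; both inputs are constructed inline. Target file metadata such as hash and signer is not collected here, since that needs access to the file itself.

```python
"""Endpoint-side Autorun tagging: snapshot Run keys, diff two snapshots, and attribute a change to a process.

Added example, not Sampan Security's code.  The .reg text and the Sysmon event below are constructed.
"""
import re
from dataclasses import dataclass

# Autostart registry locations we tag, matched as lower-cased suffixes so HKLM, HKCU and HKU\<SID> all work.
AUTORUN_KEYS = {
    r"software\microsoft\windows\currentversion\run": "Run",
    r"software\microsoft\windows\currentversion\runonce": "RunOnce",
}
# .reg string values look like "Name"="Value"; \" and \\ inside them are escapes.  (hex:/@= values are not handled.)
REG_LINE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"="(?P<value>(?:[^"\\]|\\.)*)"$')
UNESCAPE = re.compile(r"\\(.)")


@dataclass(frozen=True)
class StaticTag:
    category: str       # "registry" or "file"
    autorun_type: str   # "Run", "RunOnce", ...
    hive: str
    name: str           # value name
    command: str        # full command line as stored
    target: str         # executable path extracted from the command line


def autorun_type_for(key_path: str):
    """Return the Autorun type for a registry key path, or None if it is not an autostart key."""
    low = key_path.lower()
    for suffix, kind in AUTORUN_KEYS.items():
        if low.endswith(suffix):
            return kind
    return None


def extract_target(command: str) -> str:
    """Pull the executable out of a Run-key command line: '"C:\\a b.exe" -x' or 'C:\\a.exe -x'."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def parse_reg_export(text: str) -> list:
    """Parse `reg export` output and return StaticTag records for values under autostart keys only."""
    tags, key, kind = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            kind = autorun_type_for(key)
        elif key and kind and (m := REG_LINE.match(line)):
            name = UNESCAPE.sub(r"\1", m.group("name"))
            cmd = UNESCAPE.sub(r"\1", m.group("value"))
            tags.append(StaticTag("registry", kind, key.split("\\", 1)[0], name, cmd, extract_target(cmd)))
    return tags


def diff_snapshots(before, after):
    """Compare two snapshots; returns (added, changed, removed), keyed by (hive, type, value name)."""
    def index(tags):
        return {(t.hive, t.autorun_type, t.name): t for t in tags}
    b, a = index(before), index(after)
    added = [a[k] for k in a.keys() - b.keys()]
    removed = [b[k] for k in b.keys() - a.keys()]
    changed = [(b[k], a[k]) for k in a.keys() & b.keys() if a[k].command != b[k].command]
    return added, changed, removed


def tag_sysmon_event(ev: dict):
    """Turn a Sysmon Event ID 13 (value set) record into a dynamic tag with the writing process, or None."""
    if ev.get("EventID") != 13:
        return None
    key, _, name = ev["TargetObject"].rpartition("\\")   # last component of TargetObject is the value name
    kind = autorun_type_for(key)
    if kind is None:
        return None                                       # a registry write, but not to an autostart key
    return {"when": ev["UtcTime"], "who": ev["Image"], "pid": ev["ProcessId"], "autorun_type": kind,
            "name": name, "command": ev["Details"], "target": extract_target(ev["Details"])}


# Constructed sample data: a clean baseline export and the same key after a new value appeared.
BEFORE = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="%windir%\\system32\\SecurityHealthSystray.exe"
"""
AFTER = BEFORE + r'"Updater"="\"C:\\Users\\Public\\Libraries\\svchost.exe\" -s"' + "\n"
SYSMON_EVENT = {  # constructed, shaped like the fields of a Sysmon Event ID 13 record
    "EventID": 13, "UtcTime": "2018-03-14 09:26:53.589", "ProcessId": 4120,
    "Image": r"C:\Users\alice\AppData\Local\Temp\invoice.exe",
    "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
    "Details": r'"C:\Users\Public\Libraries\svchost.exe" -s',
}

if __name__ == "__main__":
    added, changed, removed = diff_snapshots(parse_reg_export(BEFORE), parse_reg_export(AFTER))
    for t in added:
        print("NEW ", t.autorun_type, t.name, "->", t.target)
    print("WHO ", tag_sysmon_event(SYSMON_EVENT))
```

The static tag alone says only that an `Updater` value now launches an unsigned-looking binary from a public folder; the Sysmon record supplies the dynamic half (time and the process `invoice.exe` that wrote it), which is the footprint an analyst needs to follow the intrusion back to its origin.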

Real-Time Autorun Authentication

FireTower Guard, with assistance from a cloud-based Autorun Setting Repository (ASR), uses the local PC protection profile to assess security ratings of incoming/changed Autorun tags. Based on the live temporal threat database, FireTower Guard detects, stops, and quarantines malicious Autorun entries.

Autorun Setting Repository (ASR)

As an integral part of FireTower Guard operation, endpoint computers record and upload static metadata of all Autorun entries, together with folder path information, to an Autorun Setting Repository database for authentication.  The uploaded data are stripped of all personally identifiable information (for example, user names embedded in profile folder paths).

ASR Proxy for FireTower Guard Business Enhanced Edition (Enterprise)

The FireTower Guard Business Enhanced Edition is a locally-hosted ASR proxy database on the enterprise intranet, accessible only to the company’s FireTower Cyber Console administrators.  Using the ASR Proxy UI, the root administrator can configure “proprietary” and regular Autorun entries with appropriate ratings for the enterprise network.  Furthermore, the administrator can direct FireTower Guard on endpoint computers to carry out detection and quarantine operations.  FireTower Guard then performs enterprise-wide Autorun interdiction based on the ASR proxy data (a private, customized ASR) instead of the public ASR.

Inter-Host Intrusion Prevention Systems (IHIPS)

For enterprise-wide deployment, FireTower Guard uploads the local threat database to an enterprise threat database for further IHIPS data mining.  IHIPS automates APT detection by mining the FireTower enterprise threat database for persistence key marker events in order to identify at-risk hosts and to detect and disrupt the malware kill chain.

Traditional APT Investigative Technique

When an intrusion is suspected, a team of forensic investigators traditionally has to manually inventory, validate, and stack up the Autorun settings (persistence mechanisms) of thousands of computers in the enterprise (a typical Windows PC has several hundred such Autorun entries), compare and contrast them, and identify the entries with malicious intent.  With FireTower Guard installed, all of these Autorun settings on each PC are automatically examined, inventoried, monitored, and authenticated by the FireTower Guard software on the endpoint host, which updates the FireTower Guard Enterprise Threat Database in real time.

Under IHIPS, IT staff with system security training can concentrate on the at-risk systems that carry unauthenticated persistence mechanisms, which are the ones most likely to have been compromised by APT attackers during the initial intrusion or subsequent lateral movement.
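The enterprise-side half of the workflow, as an added example (illustrative code, not Sampan Security's IHIPS or ASR implementation): it strips user names from profile paths before the records are keyed (the PII stripping described under the Autorun Setting Repository), stacks the persistence entries of all hosts by normalized target path and file hash, rates each group either from an administrator-supplied proxy-ASR table of “proprietary” and known-malicious entries (as in the ASR Proxy section) or, failing that, from fleet prevalence, signature status and launch location, and finally lists the at-risk hosts that analysts should concentrate on. The inventory records, the proxy ratings and the 5% rarity threshold are constructed assumptions.

```python
"""Stack Autorun inventories across hosts and rate them against a private repository.

Added example, not Sampan Security's code.  INVENTORY, PROXY_RATINGS and the thresholds are constructed.
"""
import re
from collections import defaultdict

# Profile paths carry user names; normalize them before keying or uploading (the PII-stripping step).
USER_PROFILE = re.compile(r"^(?P<drive>[A-Za-z]:\\Users\\)(?P<user>[^\\]+)\\", re.IGNORECASE)
# Path fragments a standard user can write to; persistence launched from here deserves a closer look.
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\programdata\\")


def normalize_path(path: str) -> str:
    """Replace the user-name component of a profile path with a placeholder; other paths pass through."""
    return USER_PROFILE.sub(lambda m: m.group("drive") + "%USERNAME%\\", path)


def stack(inventory, ratings, total_hosts, rare_below=0.05):
    """Group records by (normalized target, sha256) and rate each group.

    An explicit proxy-ASR rating (looked up by hash, then by normalized lower-case path) always wins.
    Otherwise a group is 'suspect' if it is rare across the fleet, unsigned, or launched from a
    user-writable location, and 'common' if none of those apply.
    """
    groups, meta = defaultdict(set), {}
    for rec in inventory:
        norm = normalize_path(rec["target"])
        key = (norm.lower(), rec["sha256"])      # Windows paths are case-insensitive
        groups[key].add(rec["host"])
        meta[key] = (norm, rec)
    report = []
    for key, hosts in groups.items():
        target, digest = key
        display, rec = meta[key]
        prevalence = len(hosts) / total_hosts
        rating, reasons = ratings.get(digest) or ratings.get(target), []
        if rating is None:
            if prevalence < rare_below:
                reasons.append(f"rare ({len(hosts)}/{total_hosts} hosts)")
            if not rec["signed"]:
                reasons.append("unsigned")
            if any(marker in target for marker in USER_WRITABLE):
                reasons.append("user-writable path")
            rating = "suspect" if reasons else "common"
        report.append({"target": display, "sha256": digest, "rating": rating,
                       "hosts": sorted(hosts), "prevalence": round(prevalence, 3), "reasons": reasons})
    return report


def at_risk_hosts(report):
    """Hosts carrying at least one 'suspect' or 'malicious' persistence entry, mapped to what was found."""
    risk = defaultdict(list)
    for row in report:
        if row["rating"] in ("suspect", "malicious"):
            for host in row["hosts"]:
                risk[host].append(row["target"])
    return dict(risk)


# Constructed fleet of 200 workstations: two entries everywhere, one rare entry on two hosts, one known-bad.
TOTAL_HOSTS = 200

def _rec(host, target, sha256, signed):
    return {"host": host, "target": target, "sha256": sha256, "signed": signed}

INVENTORY = (
    [_rec(f"ws-{i:03d}", r"C:\Windows\System32\SecurityHealthSystray.exe", "a1" * 32, True) for i in range(1, 201)]
    + [_rec(f"ws-{i:03d}", r"C:\Program Files\Acme\agent.exe", "b2" * 32, False) for i in range(1, 201)]
    + [_rec("ws-017", r"C:\Users\bob\AppData\Roaming\Updater\svchost.exe", "c3" * 32, False),
       _rec("ws-042", r"C:\Users\alice\AppData\Roaming\Updater\svchost.exe", "c3" * 32, False),
       _rec("ws-090", r"C:\ProgramData\Intel\drv.exe", "d4" * 32, True)]
)
PROXY_RATINGS = {  # constructed proxy-ASR table: the in-house unsigned agent is trusted, one hash is known bad
    r"c:\program files\acme\agent.exe": "proprietary",
    "d4" * 32: "malicious",
}

if __name__ == "__main__":
    for host, hits in sorted(at_risk_hosts(stack(INVENTORY, PROXY_RATINGS, TOTAL_HOSTS)).items()):
        print(host, "->", ", ".join(hits))
```

Two points are worth noticing in the output. The two `svchost.exe` copies under different user profiles collapse into one group of two hosts only because the user name was normalized away first; without that step each would look like a one-off and the cross-host pattern would be lost. And the unsigned in-house agent on every machine is not flagged, because the administrator's proxy rating takes precedence over the heuristics, which is exactly the role the private ASR plays.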

FireTower Guard Can Serve as a Security Monitor for the Enterprise

FireTower Guard can also serve as a security monitor in an enterprise security operations center, alongside the traditional anti-virus solutions already installed, to identify infected or at-risk systems through Autorun tagging and authentication technology.

In summary, FireTower Guard gives company administrators the tool to identify and neutralize zero-day attacks whenever any number of endpoint PCs are threatened, and significantly improves an organization’s ability to manage malware threats.

  ©2012-2018 Sampan Security, Inc. All Rights Reserved.