Evolving Web-based Threats
An increasingly common characteristic of malware is that the
victim must visit a URL to be attacked. Spam, URL-based viruses,
phishing attacks and spyware all direct the user to a malicious
URL. If these URLs can be accurately analyzed and a reputation
associated with each of them, the attacks can be stopped much
more quickly and accurately, and the URL can be blocked however
it is disseminated: in an email, in a web page, or as a mistyped
address.

Cisco IronPort Web Reputation Technology
Cisco IronPort Web Reputation technology provides dynamic
analysis of, and protection against, sophisticated blended threats.
Cisco IronPort Web Reputation Tracking, an Innovative Approach:
Cisco IronPort Web Reputation tracking helps protect against
a broad range of URL-based threats. This solution asks a simple
but powerful question: "What is the reputation of the URL?"
When assessing the trustworthiness of a URL, a great deal can
be determined by analyzing data that is hard to forge: how long
the domain has been registered, what country the web site is
hosted in, whether the domain is owned by a Fortune 500 company,
whether the web server is on a dynamic IP address, and more.
Cisco IronPort Web Reputation tracking is enabled by IronPort's
common security database, the SenderBase Network, the world's
largest email and web traffic monitoring network. SenderBase
tracks over 50 distinct parameters that are excellent indicators
of a URL's reputation.
Cisco IronPort Web Reputation tracking differs from a traditional
URL blacklist or whitelist in that it analyzes a broad set of
data and produces a granular score from -10 to +10, instead
of the binary "good" or "bad" verdict of most malware detection
applications. This granular score gives administrators more
flexibility: different security policies (for example block,
scan, or allow) can be applied to different Web Reputation
score ranges.
Cisco Security Intelligence Operations (SIO)
Cisco IronPort Web Reputation Filters also
leverage Cisco Security Intelligence Operations (SIO), an advanced
security infrastructure that provides threat detection, correlation
and mitigation to continuously deliver the highest level
of security for Cisco customers. Using a combination of threat
telemetry, a team of global research engineers and sophisticated
security modeling, Cisco SIO enables fast and accurate protection,
allowing customers to collaborate securely and embrace new
technologies.
Advanced protection powered by Cisco Security
Intelligence Operations (SIO) delivers current and complete
security information to Cisco customers and devices. Threat
mitigation data is provided through:
- Dynamic rule updates for Cisco products, such as firewall,
web, IPS, or email devices
- IntelliShield vulnerability aggregation and alert services
- Security best-practice recommendations and community
outreach services
When a new threat is detected (based on processing data in
Cisco SensorBase), it is extracted and correlated, rules and
signatures are generated, and systems are dynamically updated.
Updates are then immediately sent to Cisco security devices
- enabling customers to stay ahead of the latest threats.
Web Reputation in Use
Web Reputation data increases the efficacy and catch rate
against every URL-based type of malware. This technology
is used in Cisco IronPort's C-Series email security appliances.
Spam and URL-based Viruses: Traditional
spam filters decide whether a message is spam by asking "what":
what is the nature of the message content? The difficulty with
this approach is that spammers have found a variety of techniques
to fool such filters, such as adding blocks of legitimate text
(so-called Bayesian busters) or substituting digits for letters
(L0ve). As a result, the efficacy of first-generation anti-spam
filters has decreased. Almost every spam message contains a URL
so that the reader can reach the advertised website. Web Reputation
adds another dimension to spam analysis by asking "where":
where does the URL take me?
Phishing: Phishing site creators can copy
the content of legitimate banking and e-commerce sites to replicate
them perfectly. Phishing sites cannot, however, spoof the URL
on which they are located; at best they register a look-alike
or typo domain, which is itself a reputation signal. Cisco IronPort
Web Reputation has a detailed and up-to-date score for the vast
majority of URLs and can therefore protect users from phishing
attacks.
Blended Attacks: In late December 2005 a
WMF vulnerability that allowed the execution of potentially
malicious code was discovered. To become infected, a user merely
had to browse to a site with a WMF file (usually a picture)
embedded in it; no explicit end-user action was required to
download the malicious code.
Initially, this vulnerability was exploited by spyware vendors
who placed spyware-infected WMF files on domains that were typos
of legitimate, popular websites.
Traditional anti-spyware solutions were not quick enough
to identify the new spyware and write signatures for it, and
anti-spam and anti-virus solutions were not able to recognize
that emails sent by infected hosts contained links to sites
that exploited the WMF vulnerability. Cisco IronPort Web Reputation
technology, however, sees new URLs appear on the web and
immediately assigns them a Web Reputation score based on factors
such as the use of typos of popular domains, a rapid increase
in traffic volume, and the presence of downloadable code.
Because the score is attached to the URL rather than to a delivery
channel, Cisco IronPort Web Reputation technology can block access
to these sites whether the user reaches them by mistyping an
address or by following a link in a spam email. Finally, the
broad Web Reputation scoring range allows administrators to
configure security policies to fit their specific security profile.
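The scoring approach described above, as an added example that is not Cisco's or IronPort's code: it derives a score in the -10 to +10 range from a handful of the hard-to-forge signals the page lists (registration age, dynamic-IP hosting, Fortune 500 ownership, downloadable code, and edit distance from a popular domain, the typo check the blended-attack case relies on), extracts the URLs from an email body to answer "where does the URL take me?", and maps each score to a per-range policy rather than a binary verdict. The brand list, the WHOIS-style facts, the weights, the thresholds and the sample message are all constructed assumptions; a real deployment takes these signals from a reputation feed such as SenderBase rather than from a local table.

```python
import re
from datetime import date
from urllib.parse import urlparse

# Constructed brand list that typosquatters imitate (assumption, not SenderBase data).
POPULAR_DOMAINS = ("paypal.com", "google.com", "microsoft.com", "amazon.com")

# Constructed, WHOIS-like facts for the hosts in the sample message.
DOMAIN_FACTS = {
    "paypa1.com": dict(registered=date(2005, 12, 20), dynamic_ip=True,
                       serves_code=True, fortune500=False),
    "microsoft.com": dict(registered=date(1991, 5, 2), dynamic_ip=False,
                          serves_code=False, fortune500=True),
    "promo-deals.example": dict(registered=date(2005, 6, 1), dynamic_ip=False,
                                serves_code=False, fortune500=False),
}
TODAY = date(2005, 12, 30)  # fixed so the example is deterministic


def levenshtein(a, b):
    """Edit distance; a small distance to a brand name flags a typo domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host):
    """Last two labels (www.microsoft.com -> microsoft.com).
    Simplification: ignores multi-label public suffixes such as co.uk."""
    return ".".join(host.lower().split(".")[-2:])


def typo_of_popular_domain(host):
    """Return the brand the host is within two edits of, or None if the
    host is the brand itself or unrelated to every brand."""
    reg = registrable_domain(host)
    for brand in POPULAR_DOMAINS:
        if 0 < levenshtein(reg, brand) <= 2:
            return brand
    return None


def reputation_score(host, facts, today=TODAY):
    """Combine hard-to-forge signals into a -10..+10 score.
    Weights are illustrative assumptions, not the vendor's model."""
    score = 0
    age_days = (today - facts["registered"]).days
    if age_days < 30:
        score -= 4          # brand-new registration
    elif age_days < 365:
        score -= 1
    else:
        score += 3
    if facts["fortune500"]:
        score += 4
    if facts["dynamic_ip"]:
        score -= 3          # consumer or botnet-style hosting
    if typo_of_popular_domain(host):
        score -= 5          # look-alike of a popular domain
    if facts["serves_code"]:
        score -= 2          # downloadable code (e.g. WMF payloads)
    return max(-10, min(10, score))


def policy_for(score):
    """Map a score range to an action; thresholds are an administrator's
    choice and are assumed here."""
    if score <= -6:
        return "block"
    if score < 2:
        return "scan"       # deliver, but force malware scanning
    return "allow"


URL_RE = re.compile(r"https?://[^\s<>\"']+")


def extract_urls(text):
    """Pull URLs out of a message body, dropping trailing punctuation."""
    return [m.rstrip(".,;:)") for m in URL_RE.findall(text)]


def evaluate_message(body, facts=DOMAIN_FACTS, today=TODAY):
    """Answer "where does the URL take me?" for every link in an email.
    Hosts with no reputation yet (a possible URL outbreak) are sent to scan."""
    results = []
    for url in extract_urls(body):
        host = urlparse(url).hostname or ""
        key = registrable_domain(host)
        if key not in facts:
            results.append((url, None, "scan"))
            continue
        score = reputation_score(host, facts[key], today)
        results.append((url, score, policy_for(score)))
    return results


# Constructed sample spam message.
SAMPLE = (
    "Your account needs verification: http://paypa1.com/login.\n"
    "Product news: http://www.microsoft.com/ and offers at "
    "http://promo-deals.example/new, plus http://unknown-host.test/x"
)

if __name__ == "__main__":
    for url, score, action in evaluate_message(SAMPLE):
        print(f"{action:5} {str(score):>4} {url}")
```

Run stand-alone, the typo domain on a ten-day-old registration with dynamic-IP hosting and downloadable code clamps to -10 and is blocked, the Fortune 500 domain scores +7 and is allowed, the six-month-old unknown domain lands in the middle band and is scanned, and the host with no facts at all is scanned because it has no reputation yet.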
Botsite Defense and URL Outbreak Detection:
Existing solutions that rely on traditional URL filtering
have not been effective because most rely on manual classification
techniques. The infected sites hide behind a variety of benign
categories (including finance, entertainment and news), thereby
rendering traditional classification-based URL filtering ineffective
as a defense.
Cisco IronPort's URL Outbreak Detection
is designed to identify and defend against URLs that have no
reputation or signature - typically hosted on a botsite and
controlled by a botnet.
The Cisco IronPort SenderBase Network has
one of the largest email and Web-traffic footprints in the industry,
allowing Cisco IronPort to detect and block these new URL outbreaks
rapidly. Real-time analysis of global Web traffic allows analysts
in the Cisco IronPort Threat Operations Center to proactively
publish reputation scores for such URLs prior to signatures
being available from anti-malware vendors. IronPort's security
modeling techniques provide dynamic protection against threats
that target legitimate websites as well as "always on" detection,
which tracks the infrastructure behind malware attacks and then
adjusts to block them rapidly.
Exploit Filtering: According to Cisco IronPort's
Threat Operations Center, which provides real-time monitoring
and analysis of Web traffic, exploited websites are responsible
for more than 87 percent of all Web-based threats today, with
an increasing number of malware writers targeting well-known,
trusted websites.
IronPort Exploit Filtering uses Cisco
IronPort's distinctive Web Reputation technology to protect
users from malware delivered through compromised websites, which
may not be identified by traditional URL filtering or signature
scanning. Exploit Filtering is available now on the Cisco IronPort
S-Series™ family of Web security appliances. Exploit Filtering
targets the latest security threat: trusted websites that
have been compromised to deliver Trojans or phishing attacks
through techniques such as cross-site scripting (XSS),
buffer overflow attacks, SQL injection and invisible iframe
redirects.
Documentation: Download the Web Reputation Whitepaper (PDF).