IronPort Web Reputation Technology
Protecting Against URL Based Threats
Evolving Web-based Threats
An increasingly common characteristic of malware is the presence of a URL that a user must visit to be attacked. Spam, URL based viruses, phishing attacks and spyware all direct the user to a malicious URL. If these URLs can be accurately analyzed and a reputation associated with them, then stopping these attacks can be done much more quickly and accurately and the URL can be avoided, in whatever method it is disseminated.
Cisco IronPort Web Reputation Technology provides dynamic
analysis and protection against sophisticated blended threats.
Cisco IronPort Web Reputation Tracking—an Innovative Approach:
Cisco IronPort Web Reputation tracking helps protect against a broad range of URL-based threats. This solution asks a simple but powerful question: "What is the reputation of the URL?" When assessing the trustworthiness of a URL, a great deal can be determined by analyzing data that is hard to forge, such as how long the domain been registered, what country is the Web site hosted in, is the domain owned by a Fortune 500 company, is the Web server using a dynamic IP address and more.
Cisco IronPort Web Reputation tracking is enabled by IronPort's common security database?the SenderBase Network, the world's largest email and web traffic monitoring network. SenderBase tracks over 50 distinct parameters that are excellent indicators of a URL's reputation.
Cisco IronPort Web Reputation tracking differs from a traditional URL blacklist or whitelist in that it analyzes a broad set of data and produces a highly granular score of -10 to +10, instead of the binary "good" or "bad" categorizations of most malware detection applications. This granular score offers administrators increased flexibility; different security policies can be implemented based on different Web Reputation scoring ranges.
Cisco Security Intelligence Operations (SIO)
Cisco IronPort Web Reputation Filters also leverages Cisco Security Intelligence Operations (SIO), an advanced security infrastructure that provides threat detection, correlation and mitigation to continuously facilitate the highest level of security for Cisco customers. Using a combination of threat telemetry, a team of global research engineers and sophisticated security modeling, Cisco SIO enables fast and accurate protection - allowing customers to securely collaborate and embrace new technologies.
Advanced protection powered by Cisco Security Intelligence Operations (SIO) delivers current and complete security information to Cisco customers and devices. Threat mitigation data is provided through:
- Dynamic rule updates for Cisco products, such as firewall, web, IPS, or email devices
- IntelliShield vulnerability aggregation and alert services
- Security best-practice recommendations and community outreach services
When a new threat is detected (based on processing data in Cisco SensorBase), it is extracted and correlated, rules and signatures are generated, and systems are dynamically updated. Updates are then immediately sent to Cisco security devices - enabling customers to stay ahead of the latest threats.
Web Reputation in Use
Web Reputation data increases efficacy and catch rate of every URL-based type of malware. This powerful technology is used in Cisco IronPort's C-Series email security appliances.
Spam and URL based Viruses: Traditional spam solutions ask the following questions to evaluate whether an email is spam or not by answering the basic question of "what", such as "What is the nature of the content of a message?". The difficulty with this approach is that spammers have found a variety of techniques to fool these filters such as adding blocks of legitimate text (called Bayesian busters) or using numbers not letters (L0ve). As a result, first generation anti-spam filter efficacy has decreased. Almost every spam message contains a URL link in it as a way to enable the reader to view the advertising website. Web Reputation adds another dimension to spam analysis by asking "Where"—where does the URL take me?
Phishing: Phishing site creators can spoof the content of their websites to perfectly replicate legitimate banking and e-commerce sites. Phishing sites cannot, however, spoof the URL on which they are located. Cisco IronPort Web Reputation has a detailed and up-to-date score for the vast majority of URLs and can therefore protect users from phishing attacks.
Blended Attacks: In late December 2005 a WMF vulnerability that allowed the execution of potentially malicious code was discovered. To become infected, a user merely had to browse to a site that had a WMF file (usually a picture) embedded in it. No explicit end-user action was required to download the malicious code.
Initially, this vulnerability was exploited by spyware vendors who placed spyware infected WMF files on URLs that were typos of legitimate popular websites.
Traditional anti-spyware solutions were not quick enough to determine this new presence of spyware and write signatures for it. And anti-spam and anti-virus solutions were not able to recognize that emails sent by infected hosts contained links to sites that exploited WMF vulnerabilities. Cisco IronPort Web Reputation technology, however, sees the presence of new URLs on the web and immediately assign them a Web Reputation score based on factors such as the use typos of popular domains, the rapid increase in volume, and presence of downloadable code. And only Cisco IronPort Web Reputation technology has the power to block users from accessing these sites whether they were attempted to be viewed through a typo in a website query or by a link in a spammed email. Finally, the broad Web Reputation scoring range allows administrators to configure security policies to fit their specific security profile.
Botsite Defense and URL Outbreak Detection: Existing solutions that rely on traditional URL filtering have not been effective because most rely on manual classification techniques. The infected sites hide behind a variety of benign categories (including finance, entertainment and news), thereby rendering traditional classification-based URL filtering ineffective as a defense.
Cisco IronPort's URL Outbreak Detection is designed to identify and defend against URLs that have no reputation or signature - typically hosted on a botsite and controlled by a botnet.
The Cisco IronPort SenderBase Network has one of the largest email and Web-traffic footprints in the industry, allowing Cisco IronPort to detect and block these new URL outbreaks rapidly. Real-time analysis of global Web traffic allows analysts in the Cisco IronPort Threat Operations Center to proactively publish reputation scores for such URLs prior to signatures being available from anti-malware vendors. Ironport's security modeling techniques provide dynamic protection against threats that target legitimate websites as well as "always on" detection, which tracks the infrastructure behind malware attacks, then adjusts to rapidly block them.
Exploit Filtering: According to Cisco IronPort's Threat Operations Center, which provides real-time monitoring and analysis of Web traffic, exploited websites are responsible for more than 87 percent of all Web-based threats today, with an increasing number of malware writers targeting well-known, trusted websites.
Ironport Exploit Filtering utilizes Cisco IronPort's distinctive Web reputation technology to protect users from malware delivered through compromised websites, which may not be identified by traditional URL filtering or signature scanning. Exploit Filtering is available now on the Cisco IronPort S-Series™ family of Web security appliances. Exploit Filtering zeros in on the latest security threat: trusted websites that have been compromised to deliver Trojans or phishing attacks through techniques such as cross-site scripting (XSS) exploits, buffer overflow attacks, SQL injections and invisible iFrame redirects.
Download the Web Reputation Whitepaper (PDF).