Yoroi technologies aim to empower cybersecurity analysts in order to give them better results, quick overviews and thanks to our artificial intelligence becoming more and more performant. Yoroi developed a Cyber Security Defence center able to detect, to correlate and to manage threats and incidents. Correlation engines, DNS protections, Multilevel sandboxing analyses, Business eMail Anticipators, eMail protection and much more held in a unique user interface designed to reduce friction and to promote resolution speed. Every single bit in Yoroi technology looks help cybersecurity analyst, we don’t believe in fully automated analyses, we believe in hybrid analyses where performant technology meets human brain. This and much more in Yoroi Human Centric Technologies.
- ● Footprinting: process potentially used by an attacker to learn the domain names, computer names and critical network resources IP addresses.
- ● Denial of Service Attack: attempt to deny network services availability via recurrent queries to the principal network servers.
- ● Data modification:: attempt by attackers who, after performing a successful footprint using DNS queries, try to use self generated IP packets to look like a valid network
- ● Participant causing, potentially, huge damages or infections..
- ● Redirection: Query redirection to servers controlled by the attacker in order to perform any possible malicious activity including, potentially, malware infiltration.
How threats are blockedEvery real connection needs a domain resolution in order to pick up the IP address on which to set the communication itself. Nowadays more and more often DNS services are used by attackers to prevent the simple technology called "black list" from blocking their threat. Through FastFlux and Domain Name Generation Algorithm (DGA) techniques simultaneous attackers abuse the use of the DNS protocol (UDP 53) to bypass perimeter filters both in data transmission and data reception. The DNS Defence service blocks this resolution avoiding any type of connection to domains considered infected or infectious. For example, an infected host attempts to contact their C2 to send information and/or request actions to be taken on the victim. The connection by the victim takes place after the IP address of the public host to be contacted has been obtained. The DNS Defence Service is inserted in this phase by returning an IP address controlled by the defender thus preventing Malware activation.
Available filtersThe Service offers DNS filters for the following categories:
- ● Advertising
- ● Search engines
- ● News
- ● Job hunting
- ● Generic websites
- ● Unwanted websites
- ● Dangerous Websites (Also thanks to the Yoroi Threat Intel)
- ● Social Networks
- ● Technology
- ● Messaging
- ● Free time
The solution includes two separate functionalities available to the Company's defence analysts:
1) "Detection" functionalities allows you to verify the existence of particular processes, files and/or registry keys in order to make possible the timely identification of any infections in progress.
2) Targeted intervention functionality to proceed to the possible deletion of these malicious processes, files or registry keys remotely, mitigating the threat in a timely manner without direct intervention of the IT department.
Kanwa is an end-point protection software solution that can monitor the operation of the host PC for the presence of Indicator of Compromise (IoC) in order to mitigate any threats related to the host PC. PC status monitoring and threat mitigation, if any, can occur in two different ways:
- ● Automated (i.e. without human interaction) but accessing mitigation specifications through Yoroi's Threat Intelligence
- ● Manual (i.e. with human intervention) led by Yoroi Analysts
In addition, Kanwa allows Yoroi Analysts to conduct in-depth investigations on board the host PC by providing the following information upon request:
- List of files in the system (manual investigation)
- List of processes in progress This information is essential in the case of a digital investigation.
In case the security solution determines the existence of one of the malicious components mentioned above, it will attempt the resolution following the Automatic/Manual methods previously set. Possible resolutions include:
- ● Deletion or quarantine of malicious files
- ● Deleting malicious registry keys
- ● Termination of suspicious processes
- Threat detection, geo localisation and monitoring
- Alerting system in real time reaching out our malware team
- E-mail protection
- E-mail domains analysis, verifying unwanted communication
- User friendly interface providing a visual match for any information collected
- Vulnerabilities check for corporate networks
- Correspondence between vulnerability and malware propagation.
Genku integrates seamlessly with the corporate Active Directory and identifies vulnerable users. It provides tools to analyse what happens in the corporate networks: possible leakage of information, targeted attacks, opportunistic malware and unwanted programs that slow down the overall company performance. Genku combines dynamic analysis on the malware propagation with static analysis of enterprise vulnerability, by continuously scanning the company devices. It can integrate with several systems: AlienVault, Fire Sight, Splunk, Fortinet, Last Line, Source Fire, Websense, Blue Coat, CheckPoint, IronPort, RSA OpSec, and much more.
Traditional sandbox technology is ineffective if the attacker adopts evasion techniques able to recognise the environment simulated by the sandbox and deny their true intentions in future runs.
Yomi, unlike traditional sandboxing techniques, has been conceived and developed according to a different method of analysis which provides, within the controlled perimeter, the presence of multiple sandboxes where the suspicious code will be injected in parallel. By checking all the different sandboxes responses our analysts will be able to evaluate if even one of them has shown an abnormal behaviour. The presence of the tiniest difference between the parallel results will raise the threshold of potential hazard and a more in depth analysis will then be carried on, including - if necessary - reverse engineering.