Technologies

The DNS system offered by Yoroi is "armed" through a complex network of Threat Intelligence. The DNS- Defence service is able to recognize whether a domain resolution is malicious or not because it is present or not within Yoroi's threat intelligence. In case the domain resolution turns out to be malicious, then the domain name desired by the victim is present within the threat intelligence with a high confidentiality and with a high "score" (compromise index), the DNS server does not resolve the domain name with the real IP address but resolves the latter through a pre-configured IP address (syncHoling technique) with controlled content thus avoiding the initiation of the malicious connection. DNS (Domain Name System), was originally developed as open protocol and, for this peculiarity, today has to be considered vulnerable to cyber attacks. To better understand the associated risks it is sufficient to remind the vulnerability areas to whom we are all subjected:

• ● Footprinting: process potentially used by an attacker to learn the domain names, computer names and critical network resources IP addresses.
• ● Denial of Service Attack: attempt to deny network services availability via recurrent queries to the principal network servers.
• ● Data modification:: attempt by attackers who, after performing a successful footprint using DNS queries, try to use self generated IP packets to look like a valid network
• ● Participant causing, potentially, huge damages or infections..
• ● Redirection: Query redirection to servers controlled by the attacker in order to perform any possible malicious activity including, potentially, malware infiltration.

How threats are blocked

Every real connection needs a domain resolution in order to pick up the IP address on which to set the communication itself. Nowadays more and more often DNS services are used by attackers to prevent the simple technology called "black list" from blocking their threat. Through FastFlux and Domain Name Generation Algorithm (DGA) techniques simultaneous attackers abuse the use of the DNS protocol (UDP 53) to bypass perimeter filters both in data transmission and data reception. The DNS Defence service blocks this resolution avoiding any type of connection to domains considered infected or infectious. For example, an infected host attempts to contact their C2 to send information and/or request actions to be taken on the victim. The connection by the victim takes place after the IP address of the public host to be contacted has been obtained. The DNS Defence Service is inserted in this phase by returning an IP address controlled by the defender thus preventing Malware activation.

Available filters

The Service offers DNS filters for the following categories:

• ● Advertising
• ● Search engines
• ● News
• ● Job hunting
• ● Generic websites
• ● Unwanted websites
• ● Dangerous Websites (Also thanks to the Yoroi Threat Intel)
• ● Social Networks
• ● Technology
• ● Messaging
• ● Free time

Today's malware requires a fast and competent response. As the level of difficulty introduced by increasingly complex attacks continues to increase, interaction with the infected system is necessary to ensure the best possible response. From this need was born Kanwa, the "mitigator" (translation from Classic Japanese). Connecting an analyst directly with the infected system is Kanwa's objective, which silently and without weighing down the host system carries out mitigation operations guided directly by the analyst and Threat Intelligence of the Yoroi system.

Solution Features

The solution includes two separate functionalities available to the Company's defence analysts:

1) "Detection" functionalities allows you to verify the existence of particular processes, files and/or registry keys in order to make possible the timely identification of any infections in progress.

2) Targeted intervention functionality to proceed to the possible deletion of these malicious processes, files or registry keys remotely, mitigating the threat in a timely manner without direct intervention of the IT department.

Kanwa is an end-point protection software solution that can monitor the operation of the host PC for the presence of Indicator of Compromise (IoC) in order to mitigate any threats related to the host PC. PC status monitoring and threat mitigation, if any, can occur in two different ways:

• ● Automated (i.e. without human interaction) but accessing mitigation specifications through Yoroi's Threat Intelligence
• ● Manual (i.e. with human intervention) led by Yoroi Analysts

In addition, Kanwa allows Yoroi Analysts to conduct in-depth investigations on board the host PC by providing the following information upon request:

• List of files in the system (manual investigation)
• List of processes in progress This information is essential in the case of a digital investigation.

Possible mitigations

In case the security solution determines the existence of one of the malicious components mentioned above, it will attempt the resolution following the Automatic/Manual methods previously set. Possible resolutions include:

• ● Deletion or quarantine of malicious files
• ● Deleting malicious registry keys
• ● Termination of suspicious processes

Genku is our cyber sonde, a complete system for the analysis and mitigation of cyber threats developed to defend our clients. Key features of Genku are:

• Threat detection, geo localisation and monitoring
• Alerting system in real time reaching out our malware team
• E-mail protection
• E-mail domains analysis, verifying unwanted communication
• User friendly interface providing a visual match for any information collected
• Vulnerabilities check for corporate networks
• Correspondence between vulnerability and malware propagation.

Genku integrates seamlessly with the corporate Active Directory and identifies vulnerable users. It provides tools to analyse what happens in the corporate networks: possible leakage of information, targeted attacks, opportunistic malware and unwanted programs that slow down the overall company performance. Genku combines dynamic analysis on the malware propagation with static analysis of enterprise vulnerability, by continuously scanning the company devices. It can integrate with several systems: AlienVault, Fire Sight, Splunk, Fortinet, Last Line, Source Fire, Websense, Blue Coat, CheckPoint, IronPort, RSA OpSec, and much more.

Cyber criminals are beginning to learn and understand more about the most common methods of security detection and are specifically focusing their efforts on them. What sandbox technology does is help to expose invasive new threats, as well as old threats in new disguises. What sandboxing does is providing an additional security layer to the modern-day threat environment. A network security sandbox in fact is an analysis environment in which a suspicious program is executed ('detonated') and its behaviour observed, noted, and then analysed.

Traditional sandbox technology is ineffective if the attacker adopts evasion techniques able to recognise the environment simulated by the sandbox and deny their true intentions in future runs.

Yomi, unlike traditional sandboxing techniques, has been conceived and developed according to a different method of analysis which provides, within the controlled perimeter, the presence of multiple sandboxes where the suspicious code will be injected in parallel. By checking all the different sandboxes responses our analysts will be able to evaluate if even one of them has shown an abnormal behaviour. The presence of the tiniest difference between the parallel results will raise the threshold of potential hazard and a more in depth analysis will then be carried on, including - if necessary - reverse engineering.