There are a lot of different approaches to try and block malware and protect users from being exploited. Percipient Networks is taking a new approach to protecting organizations with its Strongarm platform, which was updated on December 14 with new mobile and always-on capabilities.
Todd O'Boyle, co-founder and CTO at Percipient Networks helped to start the company in November 2014, after previously spending 15 years working as an engineer at the Mitre corporation. Mitre is a not-for-profit organization that helps to lead and operate a number of U.S government funded research efforts. O'Boyle and fellow Mitre researcher Stephen Di Cato decided to start Percipient Networks in an effort to bring a new approach to security.
"Strongarm is a DNS Blackhole that is fed by indicators of compromise that our team cultivates," O'Boyle told eWEEK. "When we do find a victim that is attempting to communicate with a hacker control node, we take control of that connection."
DNS (Domain Name System) is the technology that connects IP addresses to domain names. A DNS Blackhole is an approach whereby when a request to a a specific domain domain is sent, the request is either denied or re-routed, in an attempt to prevent a malware infection. O'Boyle explained that rather than just dropping an outgoing connection, the Strongarm technology will communicate with the malware installed on a victim's system.
Many forms of malware are deployed by attackers as part of some form of botnet, that will attempt communicate, or 'phone home' to a command and control (C&C) server. In the case of a ransomware infection, Strongarm will actually help to stop a compromised system from downloading the executable file that will encrypt a user's data.
The way most ransomware works, O'Boyle explained that attackers typically don't email the actual executable file as part of the initial stage of an attack. What happens is there is often a script, that is in the email, or an attachment, that when clicked will download the second stage of the attack, which will include the ransomware executable.
"By paying attention to where ransomware is hosted on websites, we can stop end-users from downloading the ransomware executable," O'Boyle said.
O'Boyle explained that even if the user clicks the ransomware link in an email, Strongarm will communicate with the malware on the user's system, pretending to deliver the requested ransomware executable, but instead delivering a benign file.
From a deployment perspective, Strongarm can be deployed in several ways. One approach is to set up Strongarm as the recursive resolver for DNS on a router or in a Microsoft ActiveDirectory server. With the new always-on capability, Strongarm can be set as a resolver for an individual workstations and is also available as a mobile app.
O'Boyle commented that overall his firm sees very little sophisticated mobile malware. Among the main use-cases for Strongarm on mobile devices is to protect users from potential phishing emails.
The idea of using a DNS based approach to help protect users from risks is not an entirely new model. OpenDNS, which was acquired by Cisco in a $635 million deal in 2015, also makes use of DNS as a means to provide security.
"What makes us different is our ability to speak with the malware on an infected system and our focus on finding the victim and providing context and recommendation for how to remediate if anything is required," O'Boyle said.
Looking forward, in 2017 O'Boyle said the plan is to further improve the Strongarm platform in an effort to provide organization's with visibility into what is happening on their network.
"Early in 2017, we're going to launch a feature that provides network insight in a variety of different ways," O'Boyle said.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist