Amritam Putatunda
Technical Product Manager

New Daily Cloud Update Service for BreakingPoint Application and Threat Intelligence (ATI)

April 19, 2018 by Amritam Putatunda

Why did we need this?

The Short-Lived Nature of Malware.

The most advanced malware is an extremely capable shapeshifter. Malware authors generally build in several mechanisms that change the malware after a certain period of time to evade detection. This means that testing with an older version of a malware sample is far less useful: it may have morphed into something else, subtly changed its behavior, or changed its hash. To test against such malware properly, we need an update mechanism that keeps pace with malware evolution.


Shape-shifting malware is a huge detection challenge 

The Specific Focus of Malware.

The most popular malware is an executable designed to target a specific type of victim. Attackers generally create malware targeted at a certain domain, platform, or business vertical. For example, SCADA malware targeting an oil and gas plant may be absolutely useless in a financial exchange environment, and vice versa. This means that malware relevant to one domain is often useless in another. Therefore, to validate the security efficacy of next-gen firewalls (NGFW), intrusion detection and prevention systems (IDS/IPS), and the like, you need to simulate a diverse group of malware that can be used to test a diverse set of domains and environments.


Fig 1: Targeted malware attacks specific domains like finance or healthcare, or devices like IoT or Android

What Is Cloud-Updated and How Is It Delivered?

Malware Updated Daily.

Ixia is partnering with ReversingLabs to accelerate and broaden the threat intelligence coverage that we deliver to our customers, especially around malware. This new service enables ATI to deliver near real-time threat intelligence, gathered from the intelligence provided by ReversingLabs coupled with our RapSheet system, our analysis engine that collects malicious Internet activities with 100% confidence and zero false positives. The daily malware samples will be selected from a significantly large pool of samples provided to us by ReversingLabs. Once selected, the package with all the relevant metadata is uploaded to the cloud. The metadata available for each malware sample can be used by customers to create targeted strike lists based on domains, malware types, dates, etc.


Fig 2: Testing with new malware every day helps differentiate the most agile security systems from the rest

Download Updates Right From the BreakingPoint GUI.

Beginning May 4, 2018, this feature is available to any BreakingPoint customer with an active Application and Threat Intelligence (ATI) Subscription at no extra cost. The update, downloaded directly from the cloud, will allow users to select, install, or uninstall the packages of malware that are updated on a daily basis. Customers who have a lapsed ATI subscription can get this feature by renewing their subscription.


Fig 3: The snapshot shows the daily packages that can be installed/removed from the BreakingPoint GUI

How Many Malware Samples Are Too Many?

The Detection Efficacy Test.

Considering that 2017 was on track for close to 7.5 million malware samples released, it is neither realistic nor scalable to test your network security with every malware sample out there. It is also quite difficult to maintain this as a practice, as thousands of new samples are added every day. Hence, the cloud update's main purpose is not to gauge the coverage of your security tool but its efficacy, measured by its ability to block the most recent high-impact malware from a diverse set of domains. The more successful your detection/inspection engine is in identifying and blocking the daily set of malware, the better its chances against the majority of the other malware seen in the wild.

LEVERAGE SUBSCRIPTION SERVICE TO STAY AHEAD OF ATTACKS

The Ixia BreakingPoint Application and Threat Intelligence (ATI) Subscription provides daily updates of the latest application protocols and attacks for use with Ixia test platforms.