What is Dekeneas?
Dekeneas is an early detection system powered by artificial intelligence that identifies emerging threats using the browser as an attack vector, assisted by powerful code instrumentation and analysis.
Browser attacks
Browser attacks, also called "watering hole attacks", are currently the most insidious and stealthy cyber attacks. Instead of sending the victim an e-mail or social media message with a link, the attackers compromise a vulnerable legitimate website the victim regularly visits and implant code that eventually takes full control over the victim's device, through vulnerabilities either in the browser itself or in underlying technologies such as Java or Flash. This makes the attack very hard to spot and acknowledge because, as opposed to the much more common spearphishing attacks, there is no direct link between the attack and the user's behavior.
Browser attacks focus on traditional browsers such as Chrome, Edge or Firefox, but they also target mobile devices, which makes them even harder to identify. Most of the vulnerabilities used in watering hole attacks are either very new or unknown at the time of the attack. After a successful attack, the attackers either implant a rootkit or use the victim's device to mine for cryptocurrency.
A browser attack usually implants an iframe element inside a legitimate website, which redirects the victim to an exploit kit server, where the actual attack is performed.
The problem
The HTTP/S and HTML protocols have different implementations in different browsers, mainly because HTTP was standardized as a protocol years after browsers emerged, allowing browser engines to have their own implementation and interpretation of these protocols.
With the introduction of JavaScript, web pages began to act dynamically instead of serving static content. This means that the final form of the website is only known after all of its JavaScript has been executed in the user's browser context. It also means that security products need to know exactly how the user's browser interprets and executes the JavaScript in the web page it loads.
Traditional antivirus products or intrusion detection sensors use signature scanning to identify watering hole attacks, looking for known code snippets involved in these attacks. But in recent years, watering hole attacks have evolved to use JavaScript obfuscation to hide the relevant code snippets, making it impossible for traditional security products to detect such attacks.
To counter this, traditional security products try to detect the signature of the actual exploit, or the aftermath of the attack, such as the connection to the command and control server. But if the exploit is unknown or very new there is no signature for it, and if the command and control channel doesn't look suspicious, for instance a DNS request or an HTTPS connection, the attack goes totally undetected.
So the only solution seems to be client-side honeypots, which emulate browsers and access websites hoping to find watering hole attacks. This approach is very time consuming, as modern websites can have hundreds or thousands of pages, and loading each and every one of them in an instrumented environment takes time. Attackers have also developed a series of methods to identify instrumented environments, ranging from delayed execution to detection of virtualized environments, which are specific to client-side honeypots. On top of that, the attackers fingerprint the browser and only attack certain browsers, certain technologies, or users from a certain geographical area or IP range.
If the client-side honeypot doesn't guess all of the above, the attack never happens, so the security product fails to identify the offensive web page.
Do watering hole attacks actually happen?
These features of watering hole attacks make them the perfect candidate for penetrating highly secured networks of banks, the defense industry or government contractors, tech giants such as Facebook, Apple, Twitter or Microsoft, but also activist groups, investigative journalists and political dissidents all over the world.
Most of the time the victims realize they have been compromised only after a very long period, sometimes years, sometimes never, and when they do realize the attack happened, it is usually because of luck or coincidence.
Dekeneas APT Hunter
Dekeneas APT Hunter uses artificial intelligence to understand the contents of a web page before performing further dynamic instrumentation, looking for certain features such as obfuscation, delayed execution, redirection or fingerprinting.
If an HTML element shows signs of suspicious behavior, it gets instrumented in a series of sandboxes that emulate user behavior according to the features identified. For instance, if the HTML element tries to identify certain browsers, then those browsers get emulated.
Likewise, if the HTML element tries to identify whether the user has a certain language, the emulated browser sets that particular language.
This greatly reduces the amount of time needed for analysis, as only suspicious HTML elements get analyzed, and it also greatly increases the chances of detection by creating the exact environment the suspicious HTML element is looking for.
These unique features have allowed Dekeneas APT Hunter to uncover a series of complex attacks carried out by APT groups, but also by cybercriminals, all of them using either very new or unknown exploitation vectors.
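The static triage step described above, as an added example written for this page (not Dekeneas's own engine, whose internals are not public): the scanner looks for the named features (hidden iframe, obfuscation, delayed execution, redirection, fingerprinting) in a constructed page fragment without executing it, and derives the browser, language and delay that the sandbox should emulate. The `example.invalid` URLs, the regex patterns and the two-feature threshold are assumptions.

```python
import re

# Constructed sample page fragment (not a real attack sample): a zero-size
# iframe, a delayed, fingerprint-gated redirect and an eval/unescape payload.
SAMPLE_HTML = """<html><body><h1>Quarterly report</h1>
<iframe src="https://cdn.example.invalid/r.php" width="0" height="0"></iframe>
<script>
setTimeout(function () {
  if (navigator.userAgent.indexOf("Firefox") !== -1 &&
      navigator.language === "de-DE") {
    window.location = "https://cdn.example.invalid/x.php";
  }
}, 30000);
eval(unescape("%76%61%72%20%78%3d%31"));
</script></body></html>"""

# Constructed benign fragment: a short timer alone is not suspicious.
BENIGN_HTML = """<html><body><script>
setTimeout(function () { document.title = "loaded"; }, 500);
</script></body></html>"""

# One assumed regex per feature the page names; these are static indicators.
FEATURE_PATTERNS = {
    "hidden_iframe": r"<iframe[^>]*\b(?:width|height)\s*=\s*[\"']?0[\"'\s>]",
    "delayed_execution": r"setTimeout\s*\(",
    "obfuscation": r"\beval\s*\(\s*(?:unescape|atob|String\.fromCharCode)\s*\(",
    "redirection": r"(?:window\.)?location(?:\.href)?\s*=|location\.replace\s*\(",
    "fingerprinting": r"navigator\.(?:userAgent|language|platform)",
}


def extract_features(html):
    """Return the set of suspicious features found, without running any JS."""
    return {name for name, pat in FEATURE_PATTERNS.items()
            if re.search(pat, html, re.I | re.S)}


def sandbox_profile(html):
    """Derive the environment the code waits for: browser, language, delay."""
    profile = {}
    m = re.search(r"userAgent[^;{]*?[\"']([^\"']+)[\"']", html)
    if m:
        profile["browser"] = m.group(1)          # string the UA is compared to
    m = re.search(r"navigator\.language\s*={2,3}\s*[\"']([^\"']+)[\"']", html)
    if m:
        profile["language"] = m.group(1)         # locale the code checks for
    m = re.search(r"setTimeout\s*\(.*?,\s*(\d+)\s*\)\s*;", html, re.S)
    if m:
        profile["wait_seconds"] = int(m.group(1)) / 1000  # how long to wait
    return profile


def needs_dynamic_analysis(html, threshold=2):
    """Send an element to the sandbox only when enough indicators co-occur."""
    return len(extract_features(html)) >= threshold
```

A sandbox fed `sandbox_profile(SAMPLE_HTML)` would launch a Firefox profile with the `de-DE` locale and keep the page open for at least 30 seconds before judging it.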
Dekeneas APT Hunter
Dekeneas APT Hunter is a unique product, being the only publicly available tool able to identify with great accuracy both known and unknown browser exploits ("0day") and attacks by means of artificial intelligence algorithms instead of traditional signature scanning. Our approach is mainly focused on detection of unknown attack vectors for the vast majority of existing desktop browsers, such as Chrome, Edge, Firefox or Safari, but also mobile browsers on Android and iPhone. Our artificial intelligence algorithms understand the code of the website before actually executing it, and try to determine whether the code constructs encountered are malware specific or benign. They also try to figure out whether there are special conditions for certain code to run, such as specific User-Agent strings, language settings or IP addresses. All this information is later used during the instrumentation performed by Dekeneas Sandbox, which acts as a double check: it actually executes the suspicious code in a real environment according to the special conditions requested by the analyzed code, launching a specific browser with specific language or country settings in a specific environment (desktop or mobile), and analyzes how the code interacts with the browser. In addition to code instrumentation, Dekeneas Sandbox also analyzes the generated traffic looking for exploitation gadgets, maximizing the chances of identifying unknown attacks.
- Signature-less scanning - browser malware looks different from infection to infection, so signature scanning is mostly useless
- In-depth scanning of websites - most attacks are not placed on the first page
- Code interpretation without actually executing the code - greatly optimizing analysis time
- Detection of attacks at an early stage - as opposed to traditional methods, which detect the post-exploitation stage of infection
- Anti-anti-analysis capabilities - most browser attacks are highly obfuscated and have anti-analysis capabilities
- Anti-evasion capabilities - most browser attacks are able to evade detection by targeting specific browsers, technologies or settings
Dekeneas On-Premise WSG
The Dekeneas WSG range is a family of secure web gateway appliances, integrating the advanced artificial intelligence malware scanning capabilities of the Dekeneas APT Hunter into your network, protecting your users from some of the most elusive attacks used by hackers.
WSG-010
Virtual Appliance
- Administration interface
- Transparent Proxy (network traffic redirector, WCCP redirect)
- Explicit Proxy (supports PAC installation, WPAD server, Active Directory)
- HTTP/S inspection
- URL filtering based on Dekeneas APT Hunter
- Integrated Dekeneas APT Hunter engine
- Supports both IPv4 and IPv6 protocol stacks
- Supports integrations with external threat intelligence feeds, commercial or open source
- Custom and automated whitelisting of websites
- Custom and automated blacklisting of malicious websites
- Automated antivirus scanning of files in transit
- Automated updates of AV signature database
- Automated blocking of malicious files in transit
WSG-100
Hardware Appliance
- Administration interface
- Transparent Proxy (network traffic redirector, WCCP redirect)
- Explicit Proxy (supports PAC installation, WPAD server, Active Directory)
- HTTP/S inspection
- URL filtering based on Dekeneas APT Hunter
- Active Directory integration (multi realm, multi forest NTLM, single sign on through browser stored credentials)
- Inline sandbox
- Bandwidth management
- Integrated Dekeneas APT Hunter engine
- Supports both IPv4 and IPv6 protocol stacks
- Supports integrations with external threat intelligence feeds, commercial or open source
- Custom and automated whitelisting of websites
- Custom and automated blacklisting of malicious websites
- Automated antivirus scanning of files in transit
- Automated updates of AV signature database
- Automated blocking of malicious files in transit
- Automated YARA scanning of files in transit
- Data leakage prevention through artificial intelligence classification
WSG-200
Hardware Appliance
- High availability setup
- Administration interface
- Transparent Proxy (network traffic redirector, WCCP redirect)
- Explicit Proxy (supports PAC installation, WPAD server, Active Directory)
- HTTP/S inspection
- URL filtering based on Dekeneas APT Hunter
- Active Directory integration (multi realm, multi forest NTLM, single sign on through browser stored credentials)
- Inline sandbox
- Bandwidth management
- Integrated Dekeneas APT Hunter engine
- Supports both IPv4 and IPv6 protocol stacks
- Supports integrations with external threat intelligence feeds, commercial or open source
- Custom and automated whitelisting of websites
- Custom and automated blacklisting of malicious websites
- Automated antivirus scanning of files in transit
- Automated updates of AV signature database
- Automated blocking of malicious files in transit
- Automated YARA scanning of files in transit
- Data leakage prevention through artificial intelligence classification