Questions and Answers

ThreatSTOP stops botnets and criminal malware stealing from you by plugging the holes in your firewall.

ThreatSTOP is a cloud-based IP reputation service that automatically delivers a real-time threat list to your firewalls to enable them to block both inbound and outbound traffic to and from known botnet and criminal malware sites.

IP reputation is the identification and profiling of IP addresses to determine whether they are “good” or “bad”, which lets network administrators set a policy (usually allow or block, based on that reputation) for communication to and from each address. In contrast to the currently dominant approach of security solutions, which tries to track attack signatures, IP reputation tracks who is doing the attacking. The approach works because of a fundamental fact: all Internet communications start and end with an IP address. Instead of chasing each attack signature, which by definition is unknown a priori, IP reputation profiles the history of a known item: the address.

You should care because botnets and criminal malware are the biggest information security problem today for three reasons:

1) Botnets are designed to steal your most valuable data, be it credit card numbers, your personnel data, or your engineering designs. They can also take control of your network resources (computers, databases, phones etc.) to do other nefarious activities without you knowing. The spamware (spam, phishing and viruses) we are all unfortunately used to is designed to be annoying, waste your time and slow down your machines.

2) Spam is an old problem that has plenty of solutions and, starting in 2010, shows signs of decline. Botnets, in contrast, are a malicious new problem that is growing rapidly. Cisco’s Q4 2010 Global Security Report shows that spam volume fell by 75% in 2010 while botnets grew by 139%.

3) Why? Because that’s where the money is, and thus a breach is very expensive if you are the victim. To cybercriminals the Internet represents an infinite treasure trove of data that can be harvested for big illicit gains. In a well-known study by the Ponemon Institute, the average cost of a security breach for a large enterprise is almost $7 million, with a range of $750,000 to $31,000,000.

Current security products address the old spamware problem, not this new class of botnets, which are much more malicious and sophisticated. Major surveys have all documented that current security solutions do not effectively combat botnets.

An analysis by NSS Labs shows that the chance of infecting a machine by standard web malware is 10-45%, but 25-97% by an active exploit such as a botnet. Depending on your perspective, that’s either 2X the likelihood, or near-certainty that your network will be breached.

Another study by Cyveillance shows that the initial detection rate of confirmed active malware by leading AV products ranges from a low of 7% to a high of only 37%. Detection rates improve over a 30-day period, with most of the improvement occurring within the first week. While this is good, the top rate achieved is still only 90%, and many products top out in the 30-50% range.

So the question to ask is: is this an acceptable risk to you? We believe the answer should be a resounding “no”!

We wouldn’t be so sure. Survey upon survey shows that botnet infestation is a pervasive problem for organizations of all sizes, across all industries. To quote just one, in a survey of 130 large corporations, Trend Micro found the following infestations:

- Active malware
- Information-stealing malware
- One or more IRC bots
- Network worm

Reported incidence: 100 % (only this figure survives from the original table)
This phenomenon has also been seen by ThreatSTOP, where customers initially claim they have this or that network equipment, AV or IDS/IPS which should take care of the malware problem, but as soon as ThreatSTOP is installed, virtually all users find malware-infected hosts inside their network.

Our list is derived from public and proprietary malware monitors across the Internet and cross correlated and prioritized by our heuristics engine. This list is constantly monitored, renewed and culled to ensure the best coverage and accuracy. It is currently updated every 15 minutes, with the full list containing 30,000 entries (22,000 addresses + 8,000 /24 networks).

Distribution via DNS is what makes ThreatSTOP truly unique; no other IP reputation service has it. The ThreatSTOP threat list is automatically distributed via DNS to your firewalls: we publish lists of IP addresses as multi-host DNS A records, so that firewalls and other traffic management devices can resolve them and use the result as rules. This is particularly useful for dynamic lists that you want to propagate to multiple devices but change in only one place. It also allows you to have your own custom allow and block lists. (For more details, see the Technical FAQ.)

The current generation of firewalls and security devices don’t stop the latest breed of malware effectively in two areas:

1. Protocol and signature based. No way to keep up.

Firewalls essentially use a static block list based on protocol and signature patterns of suspicious traffic. While they do a good job, they are reactive to what already exists and are always behind in the “cat and mouse” game with cybercriminals, who are constantly changing their methods to infiltrate and circumvent the defense. The reality is that there is no way to keep up with the infinite combinations of methods, applications and protocols used to attack the network. For example, Symantec alone writes about 20,000-25,000 anti-virus signatures per day! And we all know how irregular, time-consuming and cumbersome the update/patching process is. Thus firewalls are vulnerable to 0-day attacks and to insufficient updating of signatures: they can’t stop what they don’t recognize.

2. Do not stop outbound “call home” traffic

Botnets by definition need to connect to their command and control (C&C) hosts to be activated. Firewalls are not designed to stop outbound traffic, especially encrypted traffic such as SSL; in fact, they can’t inspect the secure traffic without breaking the security model anyway. This is a major vulnerability that cybercriminals exploit by hiding the “call home” inside these encrypted connections. Once the “call home” succeeds, your network is instantly breached, and data theft is near certain.

ThreatSTOP stops all “call homes” to C&C hosts on its threat list. Your log will show which device attempted the call and to which IP destination, so you can take remedial action after the attempt has been stopped. There are some much more expensive and complex hardware solutions that alert you to, but do not block, suspicious outbound calls. That is better than nothing, of course, but it’s too late: by then your network has already been breached and your valuable data has been stolen.

We’d like to say ThreatSTOP is your first line of defense and your best last hope.

Current firewalls and security products are mostly designed to block malware from coming in. By and large they don’t address what happens when malware is already in your network, where it needs to “call home” to be activated. This is a big problem because you have to be 100% right, and the criminals are banking on just one slip.

Furthermore, the mobile workforce is a huge security problem from this perspective. Your office network might be absolutely protected, but when an employee goes on a business trip or goes home over the weekend and returns on Monday, their laptop may contain untold amounts of malware ready to do mischief, like a bunch of ticking time bombs. Would anyone know what’s on those laptops and smartphones? This is like locking the front gate but leaving the back door open. ThreatSTOP solves this big problem.

Yes, once ThreatSTOP is installed, it will block inbound and outbound “call home” traffic to and from the banned IP addresses. This adds another security blanket on top of your existing security measures.

Our approach to dealing with inbound traffic is also fundamentally different from that of other products, in that our filtering decision is very simple: accept or reject the packet from this address. If the address is acceptable, we pass the packet through; if not, we drop the first SYN packet. In contrast, firewalls, IDS and UTM devices perform deep packet inspection (DPI) on every traffic stream. Bandwidth usage: 74 bytes vs. 800-4000 bytes, a 10-50X advantage for us.

This advantage provides several other technology benefits:

1. 10-25% reduction in bandwidth utilization

2. “Cloak of invisibility” reduces threats and junk traffic

Since we drop the first packet from a bad site and don’t acknowledge it, your network “disappears” from the attacker’s view, as if it doesn’t exist. So they will just go away and probe some other target. This materially reduces the junk and recon bot traffic hitting your network. In contrast, a network that has rejected a probe through a packet inspection approach has made itself known by accepting the traffic, and the attacker will attempt a series of other exploits to get in, so your network will be subject to constant probes and attacks.

3. Reduce network capacity costs

The combination of dropping the first packet and the “cloak of invisibility” reduces your bandwidth utilization and the load on your firewall, mail server, load balancers etc., and the need for more of them.

4. All protocols and applications covered (HTTP/S, VPN, P2P, PDF, Facebook etc.)

While practically every other security vendor approaches the problem from a protocol and signature perspective, we approach it in a simpler way via IP reputation. Our message is simple: we know where the criminals are, so we block all communications to and from those sites, regardless of what disguises, protocols or exploits they use. We constantly scrub the list to make sure it is accurate and distribute it every two hours to make sure we are up to date at every instant. Thus we don’t have to play catch-up with the criminals, who have an infinite number of ways to fool network defenses.

5. Prevents 0-day attacks

Because we update our database in real time and distribute the updates every two hours, ThreatSTOP is an effective way to stop 0-day attacks, irrespective of the specific exploit used by the perpetrator. To stop such an attack without ThreatSTOP, your vendor has to discover the newest exploit, notify the appropriate people, develop a patch and distribute it, and then your IT staff have to implement it across the network. Oftentimes this takes days or weeks, so it’s too late.
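As an added illustration, not code from ThreatSTOP or from this page, of the two mechanisms described above: pulling a block list published as DNS A records and turning it into firewall rules that silently drop the first inbound SYN and log-then-drop outbound call-home attempts, with the set swapped in atomically so an update never leaves a gap. The zone name, set name and sample answer are constructed, and showing the rules for Linux iptables/ipset rather than a particular vendor firewall is an assumption.

```python
import ipaddress
import re

# Constructed sample DNS answer in the layout `dig` prints (name, TTL, class,
# type, data). The zone name is a placeholder, not a real ThreatSTOP name, and
# the addresses are RFC 5737 documentation ranges.
SAMPLE_ANSWER = """\
blocklist.example.invalid. 900 IN A 192.0.2.10
blocklist.example.invalid. 900 IN A 192.0.2.11
blocklist.example.invalid. 900 IN TXT "not an address"
blocklist.example.invalid. 900 IN A 198.51.100.7
blocklist.example.invalid. 900 IN A 203.0.113.9
blocklist.example.invalid. 900 IN A 192.0.2.10
"""
A_RECORD = re.compile(r"^\S+\s+\d+\s+IN\s+A\s+(\S+)$")

def parse_a_records(answer: str) -> list[str]:
    """IPv4 addresses from the A records, deduplicated; other record types and
    malformed data are skipped rather than turned into firewall rules."""
    found = set()
    for m in filter(None, map(A_RECORD.match, answer.splitlines())):
        try:
            found.add(ipaddress.IPv4Address(m.group(1)))
        except ipaddress.AddressValueError:
            pass  # skip malformed data
    return [str(a) for a in sorted(found)]

def ipset_refresh_commands(addrs: list[str], name: str = "threatstop") -> list[str]:
    """Fill a scratch set and swap it in, so the live set is never empty or
    half-loaded while an update is in progress."""
    tmp = f"{name}_new"
    cmds = [f"ipset create {name} hash:net -exist", f"ipset create {tmp} hash:net"]
    cmds += [f"ipset add {tmp} {a}" for a in addrs]
    return cmds + [f"ipset swap {tmp} {name}", f"ipset destroy {tmp}"]

def iptables_rules(name: str = "threatstop") -> list[str]:
    """One-time rules referencing the set, so list updates need no rule edits.
    Inbound: silently DROP the first SYN (nothing goes back to the prober).
    Outbound: LOG source host and destination, then DROP the call-home."""
    return [
        f"iptables -A INPUT -p tcp --syn -m set --match-set {name} src -j DROP",
        f"iptables -A OUTPUT -m set --match-set {name} dst -j LOG --log-prefix 'CALLHOME '",
        f"iptables -A OUTPUT -m set --match-set {name} dst -j DROP",
    ]

def is_blocked(addr: str, entries: list[str]) -> bool:
    """Offline mirror of the set match; entries may be hosts or CIDR nets (hash:net takes both)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(e, strict=False) for e in entries)
```

The LOG line is what lets the blocked call-home be traced back to the internal host that made it; the matching DROP keeps the attempt from leaving the network.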

Beyond preventing significant damages from data theft, ThreatSTOP delivers several other business benefits:

1. Lowest cost of ownership

Software as a Service is simple and easy to use, without complex reconfiguration of your existing infrastructure. It is also cost effective from a total cost of ownership perspective. One annual subscription covers everything.

2. No need for forklift upgrades

The major security vendors still have a “box” mentality that supports their business model. Whatever you need comes in another box, plus the reconfiguration, retesting, recertification and training that goes with it. ThreatSTOP is connected to your firewalls by a simple script or direct rule changes. That’s it.

3. Extend life of existing equipment

ThreatSTOP plugs the holes in your firewall and enhances its functionality. It protects your existing investment and extends its useful life.

4. No vendor lock-in

ThreatSTOP works with most enterprise firewalls from major vendors, and thus doesn’t require you to lock yourself in to any one vendor.

5. Automation reduces maintenance drudgery

Since ThreatSTOP’s updates are distributed automatically via DNS into the firewall, there is no need for manual updates. This not only saves time but is much more effective and allows the CSO/network admin to do higher-level work.