Barracuda’s Threat Intelligence Infrastructure


The Evolution of Modern Threats

The modern internet threat landscape is complex, varied and sophisticated. In addition to traditional malware infections that indiscriminately affect a large number of systems, modern attacks like Advanced Persistent Threats (APTs) target specific individuals and institutions with the aim of stealing sensitive high-value information and user identities. Attackers can exploit multiple vectors, such as web sites, email, social media, and web and mobile applications, to carry out spear phishing and social engineering attacks that yield network credentials. They can then launch malware designed to evade traditional intrusion detection systems by continually changing its code or tunnelling over common protocols like HTTP, and establish back-door channels to command and control servers.

With more than 60,000 new malware variants introduced daily, traditional signature-database-based techniques alone are no longer sufficient to keep up with emerging threats and protect against multiple threat vectors.

Barracuda Threat Intelligence

Barracuda Threat Intelligence is a framework that combines threat data collection from multiple sources, advanced analysis and research, and a global operations network that supports on-premises gateway defense, end-point security and real-time protection through the cloud. The framework is designed to provide comprehensive, timely, up-to-date threat protection across multiple threat vectors while maintaining the highest level of performance for both on-premises solutions and hosted services.

The components of this framework are:

Threat Data Collection:

Barracuda collects emails, URLs, binaries and other threat data from tens of thousands of honeypots located in more than 100 countries and from an extensive web crawler network. This is supplemented by data contributions from more than 180,000 collection points across several types of organizations, forming the basis for one of the largest bodies of threat intelligence. Expertise across various aspects of security, including web, email, network and web application security, allows Barracuda to leverage threat data across multiple vectors and rapidly respond to modern, aggressive web-based attacks. For example, a Barracuda Web Security solution benefits from malicious URL data that is gathered through email submissions from Barracuda Email Security Gateway customers.

Research and Analysis:

Barracuda leverages a combination of open-source and proprietary technologies backed by human analysis to classify threat data. Some of the key technologies are:
  • Active malware analysis through MalTrace, a virtual sandbox environment for fingerprinting infected files.
  • Malicious URL detection through URLTrace, a multi-component apparatus for detecting malicious HTTP URLs. URLTrace uses heavyweight virtualization in a scalable manner to transitively determine maliciousness of a URL by extracting network actions and heuristically-identified behaviors.
  • Polymorphic virus detection through the Barracuda supercomputing grid using a patented partial checksum approach to detect and identify the unchanged signature portions of a virus body.
  • Malicious code detection through virtual machine based heuristic analysis.
  • Command and Control Bot detection through domain and IP reputation heuristics as well as automated and human analysis to fingerprint spyware behavior.
  • Block Lists compiled through forensic analysis, web crawling, commercial data and human analysis.
Other techniques include:
  • Search Engine Malware Detection
  • Exploit Kit Detection
  • Social Network User Reputation Analysis
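The partial-checksum idea in the list above (checksumming only the portions of a polymorphic sample that stay constant between variants) can be illustrated in a few lines. The following is an added example written for this page, not Barracuda's patented method, whose details the page does not give. It assumes a simplified polymorphic family: a constant body behind a decryptor stub that is rewritten, and changes length, in every variant. Chunk boundaries are chosen by a rolling hash of the content (content-defined chunking) rather than by fixed offsets, so that an inserted or lengthened stub does not shift every checksum; a fixed-offset baseline is included for comparison. All sample bytes are constructed in the block.

```python
import hashlib
import random

WINDOW = 16      # rolling-hash window in bytes
MASK = 0x1F      # boundary when the low 5 bits are zero -> ~32-byte average chunk
MIN_CHUNK = 8    # avoid degenerate tiny chunks

# Fixed random table for the buzhash (cyclic polynomial) rolling hash.
_rng = random.Random(0xB1)
_TABLE = [_rng.getrandbits(32) for _ in range(256)]
_M32 = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    n %= 32
    return ((x << n) | (x >> (32 - n))) & _M32


def content_defined_chunks(data: bytes) -> list:
    """Split data where the rolling hash of the preceding WINDOW bytes hits a
    fixed bit pattern. Boundaries therefore follow the content, so an identical
    region produces identical chunks regardless of its offset in the file."""
    chunks, start, h = [], 0, 0
    for i, b in enumerate(data):
        h = _rotl(h, 1) ^ _TABLE[b]
        if i >= WINDOW:
            # Remove the byte that just left the window (it has been rotated WINDOW times).
            h ^= _rotl(_TABLE[data[i - WINDOW]], WINDOW)
        end = i + 1
        if end - start >= MIN_CHUNK and end >= WINDOW and (h & MASK) == 0:
            chunks.append(data[start:end])
            start = end
    if start < len(data):
        chunks.append(data[start:])
    return chunks


def partial_checksums(data: bytes) -> set:
    """Signature of a sample: the set of SHA-256 digests of its content-defined chunks."""
    return {hashlib.sha256(c).digest() for c in content_defined_chunks(data)}


def fixed_block_checksums(data: bytes, block: int = 32) -> set:
    """Baseline: checksums of fixed-size blocks at fixed offsets."""
    return {hashlib.sha256(data[i:i + block]).digest() for i in range(0, len(data), block)}


def match_ratio(signature: set, candidate_sums: set) -> float:
    """Fraction of the known sample's chunk checksums that reappear in the candidate."""
    return len(signature & candidate_sums) / len(signature) if signature else 0.0


def _pseudo_random_bytes(seed: int, n: int) -> bytes:
    r = random.Random(seed)
    return bytes(r.getrandbits(8) for _ in range(n))


# Constructed stand-in for a polymorphic family (not real malware bytes):
# a constant body preceded by a stub that differs in content and length per variant.
BODY = _pseudo_random_bytes(7, 1024)
VARIANT_A = _pseudo_random_bytes(11, 96) + BODY     # known sample
VARIANT_B = _pseudo_random_bytes(13, 113) + BODY    # new variant, stub 17 bytes longer
BENIGN = _pseudo_random_bytes(99, 1200)             # unrelated file


def demo() -> dict:
    sig = partial_checksums(VARIANT_A)
    return {
        "cdc_variant": match_ratio(sig, partial_checksums(VARIANT_B)),
        "cdc_benign": match_ratio(sig, partial_checksums(BENIGN)),
        "fixed_variant": match_ratio(fixed_block_checksums(VARIANT_A),
                                     fixed_block_checksums(VARIANT_B)),
    }


if __name__ == "__main__":
    for name, ratio in demo().items():
        print(f"{name}: {ratio:.2f}")
```

Most of the known sample's chunk checksums reappear in the new variant, while the fixed-offset baseline matches nothing because the 17-byte length change misaligns every block. In practice a detection threshold on the match ratio, rather than an exact signature match, is what lets one signature cover a whole family.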
Barracuda Labs, a global multi-disciplinary research and threat analysis team, backs this analysis by evaluating the threat ecosystem and creating security intelligence to defend Barracuda Networks customers.

Barracuda Labs uses a combination of data sharing partnerships, commercial security data and real-time email and web scans from customers combined with in-depth research from a team of security engineers and research scientists with an array of specializations in computing.

Threat Protection

Real-time Threat Protection:

The Barracuda Real Time Protection (BRTP) cloud infrastructure provides continuous threat protection against zero hour attacks to all Barracuda security solutions. BRTP uses techniques such as:
  • Continuously updated reputation data on IPs and domains to protect against zero-hour threats.
  • Advanced, multi-level intent analysis that recursively follows URL links in emails while performing spam analysis on the target pages. The intent analysis engine also analyzes domain attributes, such as the age of the referenced and sending domains, to profile email campaigns.
  • Anti-fraud intelligence that utilizes linguistic analysis to protect against fee fraud and spear phishing attacks.

Layered Defense:

Barracuda on-premises and hosted email, web and network security solutions provide multiple layers of native protection such as:
  • Layered virus scanning through multiple gateway anti-virus engines.
  • Static and real-time content analysis to detect requests to known malicious sites.
  • Outbound spyware detection by identifying and blocking “phone home” and other anomalous communications from infected clients through Layer 4 analysis across all ports and protocols.
  • Non-browser-based application regulation through port/protocol controls as well as Layer 7 deep packet inspection.
  • SSL Inspection to detect threats in encrypted Web traffic.
  • Intrusion Prevention and Intrusion Detection (IDS/IPS) through signature-based detection as well as stateful protocol analysis.
  • Policy-based DoS/DDoS protection against IP-based flooding, IP/port scans and application attacks.
  • Network Access Control to secure remote access.
These engines are backed by a set of comprehensive databases containing definitions for URLs, domain and IP reputation, virus and spyware signatures and application behavior. These databases are automatically updated on an hourly basis through Barracuda’s global update infrastructure.

End-point Protection:

In addition to real-time protection in the cloud and gateway security, Barracuda solutions also include software agents to secure end-points:
  • Barracuda Web Security Gateway appliances automatically present the Barracuda Spyware Removal Tool (powered by Malwarebytes) to client machines that exhibit spyware infections.
  • Off-network Windows and Mac laptops can be secured through the Barracuda Web Security Agent (WSA), which transparently redirects Web traffic through a web filter appliance or the cloud. The agent can also be configured to whitelist trusted applications so that potentially harmful applications are not allowed to run, and to ensure that rogue software does not use the network to “phone home” critical data such as keystroke logs or password information.

Barracuda Threat Intelligence Infrastructure

The Barracuda Threat Intelligence framework forms the backbone of Barracuda security solutions. It intelligently leverages on-premises, cloud and end-point technologies to deliver advanced threat protection developed through rigorous research and analysis of massive threat data sets. The framework is a core component of Barracuda Web Security, Barracuda Email Security, Barracuda Web Application Security, Barracuda Next Generation Firewalls and Barracuda VPN solutions.