Fun With Internet Metadata (AKA The Deep Web)

Our Cyber Security Services (CSS) division spend a fair amount of time working with companies on threat assessments. They’ve been doing this stuff for several years, and during that time, they developed some useful tools to make their jobs easier.

One of those tools is Riddler. It’s a web crawler that makes Internet metadata available via a search interface, and it’s useful for looking at relationships between domains, hosts, and IP addresses. It also lists metadata associated with sites that can give you clues as to any potential security issues. I got a hold of Riddler about half a year ago, and have had quite a bit of fun playing around with it since then.

Riddler has been available to the public for a while now, but as a company we’ve not really made much noise about it. You can access a web interface to it at The free version only returns ten results from a query, so it has limited use, but the subscription version is a lot more interesting. With that, you get access to a command-line interface and an API which makes it pretty easy to build your own mapping and monitoring tools.

I got quite addicted to digging through internet queries using the Riddler command-line interface.

I got quite addicted to digging through internet queries using the Riddler command-line interface.

I just finished writing a white paper about Riddler, which is available here. The paper tells the story behind Riddler – why and how we built it, a short guide on how to use it, and some ideas about what it can be used to do. If you’re interested in doing threat assessments, or like myself, just enjoy digging through Internet metadata, give it a look!

Tagged: Deep Web, Kyb3r, Riddler

What’s The Deal With Non-Signature-Based Anti-Malware Solutions?

Gartner recently published an insightful report entitled “The Real Value of a Non-Signature-Based Anti-Malware Solution to Your Organization”. In this report, it discusses the ways in which non-signature technologies can be used to augment an organization’s endpoint protection strategy.

Let’s take a look at how Gartner has defined non-signature malware detection solutions. Here’s a clip directly from the report.

Gartner"s list of nonsignature technologies

Gartner’s list of non-signature technologies, taken from “The Real Value of a Non-Signature-Based Anti- Malware Solution to Your Organization” report, 22nd September 2016, by Eric Ouellet and Peter Firstbrook

So, how do our endpoint protection technologies stand up against these competitor solutions?

Hardening — typically application control

This is a feature we include in our business products that’s coincidentally called “Application Control”. It’s something I haven’t specifically blogged about (yet). This feature works great in corporate environments, where the IT department can create a defined list of software or authenticode certificates that are allowed in the organization. This white list is then applied to each endpoint, and only software defined on this list is allowed to execute.

Application control is especially useful in hardened environments such as embedded devices (think ATM machines or bank teller terminals) where the list of allowed software is small and very well-defined. In other corporate environments, it can be overly restrictive to the end-user. This is why it’s a business feature. We leave it to the local IT department to define how they want to use the feature, based on how restrictive their policies are.

I’m actually not sure how long we’ve had application control in our products. As far as I remember, the feature was already there when I started at F-Secure over 11 years ago. (I tried to install World of Warcraft on my work laptop, for after hours fun, and was promptly disallowed.)

Hardening can also include patch management. We have a component we call “Software Updater”, the function of which is to enumerate all software on the system, check for latest patch versions, and automatically update the software, in the background, without the user needing to do anything themselves. Since unpatched vulnerabilities are one of the most common ways an attacker can infect a system, patch management is extremely useful, since it frees up the admin for other important tasks.

Memory protection (exploit prevention)

Our own exploit prevention methods are the same as those used in non-signature products. We hook application and system processes in order to analyze memory and execution traces, spot suspicious behavior, and shut down offending processes. This allows us to prevent exploits against browsers, browser plugins, and common applications (such as PDF readers and Microsoft Office). It’s also useful for catching scripted attacks. This is the same technology used in our activity/behavior monitoring, which is covered below.


Isolation technologies protect the system by sandboxing processes and allowing them limited access to the operating system. Bromium is the first product that comes to my mind when I think of isolation technologies. This is something we don’t do, because it’s a radically different approach to securing the endpoint, akin to taking Windows and making it work like iOS. Isolation is a really cool way of protecting a system (if you can solve the non-trivial usability issues that it presents). Done right, isolation technologies can negate the need for most other types of protection.

The closest thing we’re doing to this is on-client sandbox analysis. When we hit certain suspicious looking samples, we launch a sandbox, run the executable in question, examine its execution trace, and make a determination as to whether the sample is malicious. This analysis approach can task system performance, so it’s not something we’ll do on every file we encounter. Malware writers tend to add new anti-emulation tricks that defeat sandboxing, and this forces us to update the components and rules once in a while.

Activity/behavior monitoring

I’ve covered our behavioral analysis protection technologies in a few of my explainer posts. In fact, there’s one entirely dedicated to that topic here. I won’t bother reiterating what’s in that post except to say that we’ve been doing endpoint behavioral analysis for a decade already, and it comes as standard on every Windows product we ship. Familiar with Locky? The behavioral rules that caught that particular ransomware family were in our product for over half-a-year before it was in the wild.

Algorithmic file classification

I recently wrote about how we use machine learning techniques in a variety of our protection and detection technologies here. As that explainer states, we’ve been using machine learning techniques to train endpoint components to identify suspiciousness on both the structural and behavioral level. And, again, we’ve been shipping these technologies in our Windows products for ten years.

We ticked four out of the five boxes. What does that make F-Secure?

Gartner is an authoritative and influential player in the cybersecurity industry. Many enterprises go to them for advice when it comes to choosing a new product or solution. We understand that terminology is needed to distinguish between pure-play technology providers and established endpoint protection players. In its report Gartner uses the terms “non-signature” and “signature-based” to differentiate between the two. The problem as I see it is that “next-gen” marketing departments have perverted the term “signature-based” into “signature-only”.

All technically minded people know that there aren’t any signature-only endpoint protection products on the market. But “signature-based” also seems to imply that this category of products are overly reliant on signatures to protect against threats. This is most definitely not the case. For instance, we actually have internal test configurations with signature-based technologies disabled and our products still do a great job at blocking emerging threats.

Most of the mentioned pure-play vendors use a single technology from that list of “non-signature” technologies as the basis for their entire protection stack  (something which some industry analysts refer to as “feature-as-a-product”). Our product utilizes four of those technologies at the same time.  Given that a list of “non-signature” vendors was supplied in the report, but a corresponding list of “signature-based” vendors wasn’t, we’re wondering exactly how our products would be classified, because we clearly don’t fall into either category.

Or at least, we don’t think so and reject the label… signature-based.

Tagged: Antivirus, Explainer, Kyb3r, Next Gen, Technology