
An Inside Look at How Strongarm’s Malware Protection Works

November 21, 2016

Malware is a big (and growing) problem for small businesses today. It’s proliferating not just because malware is getting more sophisticated (it is), but because traditional defenses like antivirus and firewall technologies aren’t built to effectively detect and eliminate these threats, especially as they evolve. At Strongarm, we take a different stance against malware, and we’d like to give you an inside look into what we do, how we do it, and why.

Dealing With The Intricacies of Malware

Most malware doesn’t work alone; it takes orders from “command and control” servers hidden throughout the Internet. These servers then tell malware:

  • what and when to steal information
  • when to erase data
  • when to encrypt hard drives to hold them for ransom
  • how to spread to other computers
  • when to self-destruct to avoid detection.

Unless and until malware can contact a control server, it often lies in wait, temporarily harmless. This is where Strongarm’s intelligent malware protection comes in.

Addressing Malware with DNS Malware Protection

Strongarm works by replacing your Domain Name System (DNS) resolver service, which allows Strongarm to detect when a computer on your network tries to reach a domain that is known to control malware. Strongarm redirects this communication to a “blackhole” server that not only stops the malware from completing its mission, but actually communicates with the malware to gather intelligence about the attack. Strongarm uses the intelligence gathered to automate the incident response process, saving security teams valuable time and money.

Introducing Strongarm’s Blackhole

The concept of a DNS blackhole isn’t new, but the Strongarm blackhole server takes the concept to the next level. In simplest terms, Strongarm speaks malware. What does this mean? While most other DNS security solutions simply use a blackhole server to fool malware into believing it has successfully phoned home and stop there (often leaving the malware sitting idle on your systems), Strongarm’s blackhole server maintains the malware communication line and uses it to interrogate the victim. From there, it can automatically pinpoint which machine is infected, making cleanup fast and effective.
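To make the resolver-side mechanism described in the two sections above concrete, here is an added Python sketch (not Strongarm’s code; the blocklist, blackhole address and client addresses are constructed for illustration). It answers lookups for blocklisted command-and-control domains with the blackhole server’s address and records which internal host asked, which is the information that lets the infected machine be pinpointed; the blackhole’s follow-on conversation with the malware is out of scope here.

```python
import struct

# Constructed blocklist and blackhole address: illustration only, not Strongarm's data.
BLACKHOLE_IP = "10.255.255.1"
C2_DOMAINS = {"evil-c2.example", "beacon.example.net"}

def build_query(qname, txid=0x1234):
    """Encode a standard A/IN query for qname (used to construct sample traffic)."""
    labels = b"".join(bytes([len(l)]) + l.encode("ascii") for l in qname.split("."))
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD set, one question
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)

def parse_question(msg):
    """Return (transaction id, lowercase qname) from the first question of a DNS message."""
    txid = struct.unpack("!H", msg[:2])[0]
    labels, pos = [], 12                      # question section starts after the 12-byte header
    while msg[pos] != 0:
        n = msg[pos]
        labels.append(msg[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    return txid, ".".join(labels).lower()

def is_c2(qname):
    """True if qname or any parent domain of it is on the C2 blocklist."""
    parts = qname.split(".")
    return any(".".join(parts[i:]) in C2_DOMAINS for i in range(len(parts)))

def build_sinkhole_reply(query, ip):
    """Answer the query with one A record pointing at the blackhole server."""
    qend = 12 + query[12:].index(b"\x00") + 5           # end of QNAME + QTYPE + QCLASS
    header = query[:2] + b"\x81\x80" + struct.pack("!HHHH", 1, 1, 0, 0)  # response, RD+RA, 1 answer
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4)   # name ptr to offset 12, A, IN, TTL 60, 4 bytes
    return header + query[12:qend] + rr + bytes(int(o) for o in ip.split("."))

def handle(query, client_ip, log):
    """Sinkhole C2 lookups and record the asking host; other names are left for the upstream resolver."""
    txid, qname = parse_question(query)
    if is_c2(qname):
        log.append(f"{client_ip} asked for {qname}: sinkholed to {BLACKHOLE_IP}")
        return build_sinkhole_reply(query, BLACKHOLE_IP)
    return None          # not on the blocklist: forward upstream (not shown here)

if __name__ == "__main__":
    events = []
    handle(build_query("Sub.EVIL-c2.example"), "192.168.1.42", events)   # constructed infected-host lookup
    handle(build_query("www.example.org"), "192.168.1.7", events)        # benign lookup, passes through
    print("\n".join(events))
```

The log entry names the source address of the query, so in a deployment it should be written alongside the timestamp; matching subdomains of a blocklisted name catches the per-victim hostnames many C2 schemes use.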

Employing Modern-Day Threat Intelligence

The key to DNS-based malware defenses is knowing which domains belong to malware command and control servers. Standing up a new server is often a simple matter of a few keystrokes for bad actors, so maintaining an accurate and up-to-date blacklist of dangerous domains is a constant challenge undertaken by some of the finest security minds in the world today.

Strongarm’s team and partner network are continually gathering intelligence on where attackers are setting up their servers on the Internet. We leverage the best open-source threat intelligence feeds, private threat intelligence vendors like ThreatConnect, and Strongarm’s own malware and intrusion analysis.

The technology behind Strongarm is government-grade, but we know that SMBs and MSPs need this technology more than ever, so we built our solution to be easy to use and put a price tag on it that even the smallest business can afford.

We detail much more of the inner workings of Strongarm, and the step-by-step approach to identifying, communicating with, and eradicating malware using Strongarm’s automated protection, in our technical whitepaper, which you can download for free below.

How Does Strongarm Work?