How British spies made a cyber immune system | Video Interview

Darktrace uses artificial intelligence to not just fix computer viruses, but to stop them before they start. It is the world’s leading machine learning company for cyber security. Created by mathematicians from the University of Cambridge, the Enterprise Immune System uses AI algorithms to automatically detect and take action against cyber-threats within all types of networks, including physical, cloud and virtualized networks, as well as IoT and industrial control systems. A self-configuring platform, Darktrace requires no prior set-up, identifying advanced threats in real time, including zero-days, insiders and stealthy, silent attackers. Headquartered in San Francisco and Cambridge, UK, Darktrace has 30 offices worldwide.


Windows 10’s Built-in Antivirus Is Getting A Massive Upgrade

You’re no doubt aware that Defender, and third-party apps like it, offer a critical layer of protection against threats like ransomware and cryptominers. What you may not know is that they can also introduce new security risks.

That’s why Microsoft is adding a sandbox mode to Windows Defender. Sandboxing an app keeps its activities isolated from the rest of the software installed on your computer. Should something go wrong, the sandbox acts as a sort of force field and prevents damage from spreading.

Sandboxing isn’t a new thing. There’s a good chance you’re already using one app that runs in a sandbox. Google Chrome has been sandboxed since 2008.

That makes it very, very hard for hackers to do any serious damage by attacking Chrome. Even if they can find an exploit for the browser itself, they still have to figure out how to escape Chrome’s sandbox. Without that escape, there’s no way to directly attack the computer’s operating system.

Google changed the game for browser security by sandboxing Chrome. Microsoft has done the same for anti-malware apps by sandboxing Windows Defender.

What’s the big deal?

Anti-malware apps need deep access to your operating system to do their job. They need to be able to see what’s going on behind the scenes in order to detect and neutralize malicious code.

Some anti-malware apps offer browsing protection, too. To secure your browser, they need full access to all the data you upload and download.

When suspicious activity is spotted, these apps upload what they’ve discovered to a remote server for analysis.

It’s not hard to see how a weakness in an anti-malware app could be disastrous. A hacker who managed to compromise your app of choice could peer into your files, snoop on all your Internet activity, and silently steal your files.

As many security researchers put it, antivirus or anti-malware software is a backdoor. It’s a backdoor that you install knowingly, and it’s one that you trust.

Microsoft has made sure that it’s nigh-impossible for hackers to abuse that trust and sneak in through the backdoor.

Oct 28, 2018, 3:31 pm // Lee Mathews – Contributor // Source: Forbes.com


Protect DNS traffic from malware and related malicious activity

5 Ways To Monitor and Protect DNS Traffic For Security Threats

Check out these examples of how to implement real-time or offline traffic monitoring using common commercial or open source security products, says Dave Piscitello, VP Security, ICANN.

In Monitor DNS Traffic & You Just Might Catch A RAT, Dave Piscitello described how inspecting DNS traffic between client devices and your local recursive resolver could reveal the presence of botnets in your networks. Today, he will share how you can monitor traffic using security systems and name resolvers you may already have deployed.

Firewalls

Let’s begin at the most prevalent security system: your firewall. All firewalls should let you define rules to prevent IP spoofing. Include a rule to deny DNS queries from IP addresses outside your allocated number space to prevent your name resolver from being exploited as an open reflector in DDoS attacks.

Next, enable inspection of DNS traffic for suspicious byte patterns or anomalous DNS traffic to block exploit attacks against name server software. Documentation describing how popular firewalls provide this feature is readily available (e.g., Palo Alto Networks, Cisco Systems, WatchGuard). SonicWall and Palo Alto Networks can detect and block certain DNS tunneling traffic as well.

Intrusion detection systems

Whether you use Snort, Suricata, or OSSEC, you can compose rules to report DNS requests from unauthorized clients. You can also compose rules to count or report NXDOMAIN responses, responses containing resource records with short TTLs, DNS queries made using TCP, DNS queries to nonstandard ports, suspiciously large DNS responses, etc. Any value in any field of the DNS query or response message is basically “in play.” You’re essentially limited only by your imagination and mastery of DNS. Intrusion prevention services in firewalls provide permit/deny rules for many of the most common of these checks.
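As an added example (not code from the article or from any of the products named in it), the following Python script applies three of the checks listed above, NXDOMAIN responses, short answer TTLs and oversized responses, directly to raw DNS response messages; the thresholds and the two sample messages are constructed for illustration.

```python
# Added example, not the article's code: three of the IDS checks listed above
# (NXDOMAIN, short TTLs, oversized responses) applied to a raw DNS payload (TCP
# length prefix removed). Thresholds and sample messages are constructed.
import struct

SHORT_TTL = 60          # seconds; assumed threshold for a "short" TTL
LARGE_RESPONSE = 512    # bytes; assumed threshold for a "large" response
RCODE_NXDOMAIN = 3      # RCODE 3 = Name Error (RFC 1035)
# Constructed samples: an A answer with a 30 s TTL, and an NXDOMAIN reply for a
# random-looking name of the kind a DGA produces.
SAMPLES = {
    "short_ttl_answer": (
        b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"
        b"\x07example\x03com\x00\x00\x01\x00\x01"
        b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x00\x1e\x00\x04\x5d\xb8\xd8\x22"),
    "nxdomain": (
        b"\x12\x35\x81\x83\x00\x01\x00\x00\x00\x00\x00\x00"
        b"\x0cq7x1k9m2z4bn\x03net\x00\x00\x01\x00\x01"),
}

def read_name(msg, off):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end, jumped = [], off, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                 # compression pointer
            end = end if jumped else off + 2      # message continues after pointer
            off, jumped = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF, True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii", "replace"))
        off += length
    return ".".join(labels), (end if jumped else off)

def inspect_response(msg):
    """Return the query name and heuristic flags for one DNS response."""
    _id, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off, qname, ttls = 12, "", []
    for _ in range(qdcount):
        qname, off = read_name(msg, off)
        off += 4                                  # skip QTYPE and QCLASS
    for _ in range(ancount):
        _, off = read_name(msg, off)
        _rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        ttls.append(ttl)
        off += 10 + rdlen
    return {"qname": qname, "nxdomain": (flags & 0xF) == RCODE_NXDOMAIN,
            "short_ttl": any(t < SHORT_TTL for t in ttls),
            "large_response": len(msg) > LARGE_RESPONSE}
```

Feed it the UDP payload of each response captured between your clients and your resolver (or the TCP payload after its two-byte length prefix) and alert on the flags it returns.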

Traffic analyzers

Use cases for both Wireshark and Bro show that passive traffic analysis can be useful in identifying malware traffic. Capture and filter DNS traffic between your clients and your resolver, and save to a PCAP file. Create scripts to search the PCAP for the specific suspicious activities you are investigating, or use PacketQ (originally DNS2DB) to SQL query the PCAP file directly.

(Remember to block your clients from using any resolver other than your local resolvers, and from using nonstandard DNS ports.)

Passive DNS replication

This involves using sensors at resolvers to create a database that contains every DNS transaction (query/response) through a given resolver or set of resolvers. Including passive DNS data in your analysis can be instrumental in identifying malware domains, especially in cases where the malware uses domain names produced by domain generation algorithms (DGAs). Palo Alto Networks firewalls and security management systems that use Suricata as an IDS engine (like AlienVault USM or OSSIM) are examples of security systems that pair passive DNS with IPS to block known malicious domains.

Logging at your resolver

The logs of your local resolvers are a last and perhaps most obvious data source for investigating DNS traffic. With logging enabled, you can use tools like Splunk plus getwatchlist, or OSSEC, to collect DNS server logs and search them for known malicious domains.
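Tying the passive DNS and resolver-log sections together, here is an added example (not from the article, and not the log format of any named product) that scans constructed resolver log lines for DGA-like query names, for clients returning excessive NXDOMAIN answers, and for matches against a small constructed watchlist; the log layout, thresholds and watchlist are all assumptions.

```python
# Added example, not the article's code. Scores query names from a resolver log
# for DGA-like structure, counts NXDOMAIN answers per client, and matches a
# watchlist. Log format, thresholds and watchlist are constructed assumptions.
import math
import re
from collections import Counter

WATCHLIST = {"bad-updates.example"}       # constructed known-malicious domains
NXDOMAIN_PER_CLIENT = 3                   # assumed alert threshold per client
DGA_ENTROPY = 3.0                         # assumed bits/char threshold for a label
# Constructed log lines: timestamp, client IP, query name, type, response code.
LOG = """\
2018-10-28T10:00:01 10.0.0.5 www.example.com A NOERROR
2018-10-28T10:00:02 10.0.0.5 q7x1k9m2z4bn.net A NXDOMAIN
2018-10-28T10:00:02 10.0.0.5 v3hd82lqzp0w.net A NXDOMAIN
2018-10-28T10:00:03 10.0.0.5 xk29dmw7pq1s.net A NXDOMAIN
2018-10-28T10:00:04 10.0.0.9 mail.example.com MX NOERROR
2018-10-28T10:00:05 10.0.0.9 bad-updates.example A NOERROR
"""
LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")

def entropy(label):
    """Shannon entropy in bits per character of one DNS label."""
    counts = Counter(label)
    return -sum(c / len(label) * math.log2(c / len(label)) for c in counts.values())

def looks_like_dga(name):
    """Long, high-entropy second-level label that mixes letters and digits."""
    parts = name.rstrip(".").split(".")
    label = parts[-2] if len(parts) >= 2 else parts[0]   # second-level label
    digits = sum(ch.isdigit() for ch in label)
    return len(label) >= 10 and digits >= 2 and entropy(label) >= DGA_ENTROPY

def analyse(log_text):
    """Return (clients over the NXDOMAIN threshold, DGA-like names, watchlist hits)."""
    nx, dga, hits = Counter(), set(), set()
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue                                    # skip malformed lines
        _ts, client, qname, _qtype, rcode = m.groups()
        if rcode == "NXDOMAIN":
            nx[client] += 1
        if looks_like_dga(qname):
            dga.add(qname)
        if qname.lower().rstrip(".") in WATCHLIST:
            hits.add((client, qname))
    noisy = {c for c, n in nx.items() if n >= NXDOMAIN_PER_CLIENT}
    return noisy, dga, hits
```

The entropy heuristic is deliberately simple; in production you would tune the thresholds against your own baseline traffic and feed a real watchlist from your threat-intelligence source.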

Despite peppering this column with links to documentation, case studies, and examples, I’ve barely scratched the surface of the many ways you can monitor DNS traffic. And bear in mind that you can use several of these methods in a complementary manner. I’ve no doubt overlooked other products, services, or methods, so comment to add to these resources for your colleagues (with technical relevance, please).