
FireTower Attack Detection Task

FireTower Security Solution

Anti-virus security solutions from Enterprise Protection Platforms (EPPs) rely on signature-based detection and therefore cannot detect advanced attacks or zero-day attacks: these have not been seen before and have no associated signature.

Most anti-virus products have been extended with additional measures against zero-day threats, such as reputation databases and behaviour analysis, which warn users of potential dangers but still leave the final decision to the user.

FireTower is an endpoint detection and response (EDR) tool. EDR tools have become a critical component of enterprise security architecture for combating zero-day and targeted attacks.

FireTower detects zero-day and suspicious threats in real time by automatically discovering every persistence-mechanism change event on the endpoint computers and aggregating those events into a centralized enterprise threat database on the FireTower server.

The Discovery task logs all existing “persistence mechanisms”, including their associated metadata, the digital certificate, and the hash values (MD5, SHA-1 and SHA-256) of each target binary file. It then keeps monitoring the persistence mechanisms in real time and triggers automatic authentication on every persistence-mechanism change event.

A cloud-based Autorun Setting Repository (ASR) is used for persistence-mechanism authentication. ASR provides a rating scheme for persistence mechanisms such as Autorun entries, classifying each as known good, known bad, or unknown (zero-day):

  • Green: entry is on the Autorun whitelist kept at ASR
  • Red: entry is on the Autorun blacklist built from 60+ cloud-based anti-virus engines
  • Yellow: zero-day entry, neither whitelisted nor blacklisted; could be good or bad

ASR allows support professionals and digital forensics investigators to quickly disregard the majority of good Autorun entries and focus on a smaller list of questionable or possibly malicious entries.
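The discovery and authentication flow described above, as an added illustration that is not FireTower's own code: each endpoint reports its autorun-style persistence entries with the hashes of the target binaries, entries are rated green/red/yellow against an allow-list and a deny-list standing in for ASR, change events are derived by diffing two successive discovery snapshots, and the per-host results are stacked into one table so an analyst can see which endpoints carry a red or yellow entry. The class and function names, the registry and task locations, the "binaries" and the allow/deny lists are all constructed sample data and assumptions, not FireTower identifiers.

```python
"""Added example (not FireTower code): discovery -> rating -> change events -> stacking."""
import hashlib
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class PersistenceEntry:
    location: str    # e.g. a Run key or scheduled-task folder (constructed)
    name: str
    image_path: str  # target binary the entry launches
    sha256: str      # hash of that binary, as recorded by discovery


def hash_binary(data: bytes) -> dict:
    """The three digests the discovery task records for a target binary."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


# Constructed byte strings standing in for real image files.
KNOWN_GOOD_BIN = b"MZ... benign vendor updater (constructed)"
KNOWN_BAD_BIN = b"MZ... sample flagged by AV engines (constructed)"
UNSEEN_BIN = b"MZ... never seen before (constructed)"

# Stand-ins for the ASR whitelist and blacklist, keyed by SHA-256 (assumption).
WHITELIST = {hash_binary(KNOWN_GOOD_BIN)["sha256"]}
BLACKLIST = {hash_binary(KNOWN_BAD_BIN)["sha256"]}


def rate(entry: PersistenceEntry) -> str:
    """Green = whitelisted, red = blacklisted, yellow = unknown (zero-day).
    The blacklist is checked first so a hash on both lists is treated as bad."""
    if entry.sha256 in BLACKLIST:
        return "red"
    if entry.sha256 in WHITELIST:
        return "green"
    return "yellow"


def change_events(before: set, after: set) -> list:
    """Persistence-mechanism change events between two discovery snapshots.
    An entry whose target hash changed appears as one 'removed' and one 'added'."""
    events = []
    for e in sorted(after - before, key=lambda e: (e.location, e.name)):
        events.append(("added", e, rate(e)))   # new entry is rated immediately
    for e in sorted(before - after, key=lambda e: (e.location, e.name)):
        events.append(("removed", e, rate(e)))
    return events


def stack(reports: dict) -> dict:
    """Aggregate per-host snapshots into one table: sha256 -> rating, hosts, names."""
    table = defaultdict(lambda: {"rating": None, "hosts": set(), "names": set()})
    for host, entries in reports.items():
        for e in entries:
            row = table[e.sha256]
            row["rating"] = rate(e)
            row["hosts"].add(host)
            row["names"].add(e.name)
    return dict(table)


def at_risk_hosts(table: dict, ratings=("red", "yellow")) -> dict:
    """Endpoints carrying any red or yellow entry, grouped by rating."""
    out = defaultdict(set)
    for row in table.values():
        if row["rating"] in ratings:
            out[row["rating"]] |= row["hosts"]
    return dict(out)


def demo():
    good = hash_binary(KNOWN_GOOD_BIN)["sha256"]
    bad = hash_binary(KNOWN_BAD_BIN)["sha256"]
    new = hash_binary(UNSEEN_BIN)["sha256"]
    run_key = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"  # constructed
    updater = PersistenceEntry(run_key, "Updater", r"C:\Program Files\Vendor\upd.exe", good)
    dropper = PersistenceEntry(run_key, "svchost_", r"C:\Users\Public\svc.exe", bad)
    unknown = PersistenceEntry(r"Task Scheduler\Maint", "Maint", r"C:\ProgramData\m.exe", new)

    # Host A: snapshot before and after a new autorun entry appeared.
    before = {updater}
    after = {updater, dropper}
    events = change_events(before, after)

    # Stack the latest snapshot of every networked endpoint (constructed hosts).
    reports = {"host-a": after, "host-b": {updater, unknown}, "host-c": {updater}}
    table = stack(reports)
    return events, table, at_risk_hosts(table)


if __name__ == "__main__":
    ev, tbl, risk = demo()
    for kind, e, r in ev:
        print(f"{kind:7} {r:6} {e.location}\\{e.name} -> {e.image_path}")
    print("at-risk hosts:", risk)
```

Stacking by hash rather than by entry name is deliberate: the same binary registered under different names on different hosts collapses into one row, which is what makes distribution of a yellow or red file across the fleet visible in a single table.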

The FireTower detection task collects the persistence mechanisms of all networked endpoints and stacks them into an Inter-Host Intrusion Prevention System (IHIPS) database maintained by the FireTower service. The FireTower service can be hosted as an application on either an internal drive or a USB device attached to a Windows or Linux computer (desktop or server OS); that computer can be an on-premises machine or cloud-based.

This enterprise threat database can be used to analyze malware kill chains and multi-stage attack artifacts, to alert on persistence-mechanism exceptions relative to a group template, and to identify possible malware distribution (yellow and red entries) together with all at-risk endpoints.
