Internet service providers (ISPs), telcos, and Internet backbone providers are under increasing pressure to provide ‘clean pipes', regardless of whether those pipes are wireless, cable, fiber or satellite. For these Communications Service Providers (CSPs), advanced malware, botnets and targeted threats infect subscribers' devices and can have a devastating impact on the CSP's network and business.
The malicious traffic generated by these attacks and the intent of the criminal operators behind them impose many risks for the CSP and its subscribers:
CSPs that lease bandwidth are also negatively impacted by bandwidth constraints from unauthorized malicious network traffic, especially for communication traversing the different providers' networks to reach destinations across the world.
Threats to service provider networks are rampant and diverse, ranging from stolen intellectual property, identity theft, fraudulent transactions, click fraud and spam, to Distributed Denial of Service (DDoS) attacks. Despite having limited control over endpoints, CSPs are being held accountable when their networks are being used for criminal activity, often resulting in costly subpoenas for information.
CSPs must approach security differently than normal enterprise network administrators. Deep packet inspection (DPI) of CSP network traffic is typically not feasible or permitted. CSPs must focus their efforts on passive monitoring of data streams and protocols that provide high threat visibility, while considering both scalability and privacy concerns.
Damballa CSP is specifically designed to identify malicious activity originating from subscribers' devices on the CSP's network. Damballa CSP sits out-of-band inside the service provider's network and monitors DNS requests (non-PII traffic) from the subscriber's IP address.
By monitoring DNS query behavior, Damballa CSP can identify which subscribers are infected with advanced malware. The relatively light traffic generated by the DNS protocol enables Damballa CSP to passively monitor extremely large networks with minimal hardware requirements, making deployment simple. Further, by working out-of-line inside the service provider's network, Damballa CSP won't impede network performance and remains undetectable by the criminal entities trying to evade detection.
Regardless of whether the infected device is a smartphone, tablet, PC, or Mac, DNS-based detection offers the best opportunity for threat detection in a service provider's network. Before a victim infected with advanced malware or a botnet can communicate with its Command-and-Control (CnC) server, steal data, and receive commands, it must first locate the server's IP address.
Damballa CSP leverages the industry's leading early warning capabilities of Damballa FirstAlert. Damballa FirstAlert detects the command-and-control infrastructure of emerging cyber threats weeks or months before the malware samples are first seen by the rest of the security industry. By using the Damballa FirstAlert cyber threat intelligence system, Damballa CSP can detect advanced malware infections on subscriber devices long before traditional preventative security solutions will have the signatures or blacklists they would need to detect the infection.
Damballa CSP sits within the service provider's network monitoring DNS traffic. Damballa CSP sensors are located at strategic network locations to view SPAN'd traffic between the subscriber and the service provider's DNS servers or egress. Damballa CSP sensors monitor DNS traffic for queries indicative of the presence of advanced malware. All malicious queries are captured and delivered to the Damballa CSP Collector. The Damballa CSP Collector aggregates and correlates the findings from the Damballa CSP sensors and generates infection alerts (reports) for integration with other service provider systems.
Upon seeing the infected subscriber's DNS query, Damballa CSP can swiftly terminate the infected device's specific communication with the criminal operator. By interceding on the DNS query, Damballa CSP can forge the service provider's DNS response to the infected subscriber, directing the malware to communicate with a controlled IP address under the service provider's control instead of the CnC server. Terminating the malware's ability to receive new instruction sets and talk to the criminal operator effectively neutralizes the threat to the subscriber while the CSP notifies the subscriber of the infection and the subscriber remediates the infection on the device.
Damballa CSP is specifically designed to work with large service providers and their special data management needs. All forensic evidence related to the malicious DNS queries from infected subscribers is aggregated and correlated for processing by service provider systems. These reports are either provided in JSON format so they can be fed into custom network systems, or delivered via a syslog output into SIEM solutions, including those of Damballa partners ArcSight and Q1 Labs. Forensic evidence includes the subscriber's IP address, the timestamp of each malicious query, the queried domain, the threat name / industry name, and information on the malware related to the threat.
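The sensor/collector flow described above, as an added example that is not Damballa's code: a sensor matches passively observed DNS queries (including subdomains of a listed CnC domain) against a watchlist, and a collector correlates the hits per subscriber into a JSON report carrying the forensic fields listed. The log lines and watchlist domains are constructed placeholders, not real indicators.

```python
import json
from collections import defaultdict

# Constructed threat-intelligence watchlist (placeholder domains, not real indicators).
# Each CnC domain maps to the threat name and malware information the report carries.
WATCHLIST = {
    "cnc-alpha.example": {"threat": "Example-Botnet-A", "malware": "downloader, keylogger"},
    "beacon.cnc-beta.example": {"threat": "Example-Botnet-B", "malware": "DDoS agent"},
}

# Constructed sensor log: "<ISO timestamp> <subscriber IP> <queried name>" per line.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 10.20.30.40 www.example.org
2024-05-01T10:00:02Z 10.20.30.40 update.cnc-alpha.example
2024-05-01T10:00:05Z 10.20.30.41 beacon.cnc-beta.example
2024-05-01T10:00:09Z 10.20.30.40 cnc-alpha.example
"""

def lookup(qname):
    """Match a queried name against the watchlist, walking up through parent domains."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):          # never match on the bare TLD
        candidate = ".".join(labels[i:])
        if candidate in WATCHLIST:
            return candidate, WATCHLIST[candidate]
    return None

def detect(log_text):
    """Sensor step: one forensic record per malicious query; benign queries are dropped."""
    records = []
    for line in log_text.splitlines():
        ts, subscriber_ip, qname = line.split()
        hit = lookup(qname)
        if hit is None:
            continue
        matched, intel = hit
        records.append({"subscriber_ip": subscriber_ip, "timestamp": ts, "queried_domain": qname,
                        "matched_indicator": matched, "threat_name": intel["threat"],
                        "malware_info": intel["malware"]})
    return records

def correlate(records):
    """Collector step: aggregate records into one infection alert per subscriber IP."""
    by_subscriber = defaultdict(list)
    for r in records:
        by_subscriber[r["subscriber_ip"]].append(r)
    return [{"subscriber_ip": ip, "first_seen": min(r["timestamp"] for r in recs),
             "last_seen": max(r["timestamp"] for r in recs), "query_count": len(recs),
             "threats": sorted({r["threat_name"] for r in recs}), "evidence": recs}
            for ip, recs in by_subscriber.items()]

if __name__ == "__main__":
    print(json.dumps(correlate(detect(SAMPLE_LOG)), indent=2))  # JSON report for downstream systems
```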
Managing extremely large networks and providing Internet services to customers whose devices (smartphones, tablets, PCs, Macs, and others) are beyond the CSP's control requires a unique approach to network security. DNS-based detection offers the best method for CSPs to secure their networks. Damballa CSP provides service providers with the ability to: