White Paper - Barracuda Networks

Advanced Threat Protection
Next-Level Protection Against Ransomware, Targeted Attacks, and Zero-Day Exploits
White Paper
Barracuda • Advanced Threat Protection - Next-Level Protection Against Ransomware, Targeted Attacks, and Zero-Day Exploits
Why Are Antivirus and IPS Not Enough Anymore?
The speed of doing business is steadily increasing. Unfortunately, this also applies to the business
of malware and ransomware attacking your organization. Popular branches of cryptographic
ransomware like Locky or CryptoLocker get reissued every five to 10 minutes, requiring a new
signature. By nature, this is a showstopper for pattern-based defense layers like antivirus and IPS/
IDS. Today, threats spread at a high velocity, and it is not possible to detect a threat, isolate the
signature, add the signature to the databases, and make it publicly and continually available within
five minutes. By the time the database update is available, the threat has already compromised
systems in a network and successfully covered up its traces.
Online resources: Barracuda ATP at atp.barracuda.com
While these signature-based legacy systems are still important as a first line of defense for prefiltering network traffic, organizations need an additional security layer to protect against today’s targeted malware.
The Barracuda Difference
Barracuda Advanced Threat Protection (ATP) is a cloud-based sandboxing service available for all Barracuda NextGen Firewall Series models, across all sizes and deployment types. Unlike many first-generation advanced persistent threat security vendors, Barracuda ATP implements full-system emulation and next-generation sandboxing techniques that provide granular visibility into malware behavior.
First, every file is checked against a constantly updated, worldwide-synchronized hash database of files that have already been emulated. If the file is not known, it is uploaded and emulated in a virtual sandbox where any malicious behavior is revealed. Traditional breach detection solutions detect network threats only after they have entered the network and only then send log notifications to the administrator; ATP on Barracuda NextGen Firewalls stops not-yet-known advanced persistent threats and ransomware before they enter the network.
Additionally, Advanced Threat Protection is also available on the Barracuda Email Security Gateway,
Barracuda Essentials for Office 365, and Barracuda Essentials for Email Security – processing more
than 20 million requests per day. This results in one of the world’s most comprehensive databases
of known bad IP addresses, “spyware domains," and command and control servers used by
botnets.
Figure: Barracuda Advanced Threat Protection verdict flow (Block file / Allow file)
Provides the Flexibility an Organization Needs
Administrators have to deal with more than just one file type and/or protocol. Barracuda Advanced Threat Protection gives NextGen Firewall administrators the flexibility they need to ensure the highest quality of service possible.
Create ATP policies per file type, whether it is an Office file, an Android APK, an executable, etc. Even the protocol through which the file entered your network can be taken into consideration. A policy may therefore handle PDF files received via spam mail more rigorously than PDF files coming from a well-known, reputable website.
Define (per file type/protocol) how files are delivered. ATP offers a fast mode in which the file is delivered simultaneously to the emulation service and to the requesting system, minimizing delivery delay. As soon as the file has been scanned and malicious activity has been identified, a log event is created and the administrator can contact the user to remediate the threat. Since the malware has already been downloaded to the corporate network, preventing it from spreading and causing further damage is key. Barracuda NextGen Firewalls can be configured to automatically quarantine user/IP/machine combinations in these cases, blocking further network activity. If the file is later recognized as benign, the quarantine is lifted and the system is granted full connectivity again.
ATP's second delivery mode offers more security but introduces a slight delivery delay. The length of this delay depends on whether the file is already known to the ATP database; depending on the file type, it may range from a couple of seconds up to a minute.
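The two delivery modes and the hash-database lookup described above, modelled as an added Python example (not Barracuda's code or API). The policy table, the marker substring that stands in for sandbox emulation, and the return values are constructed assumptions for illustration.

```python
import hashlib
from dataclasses import dataclass, field

# Per (file type, protocol) delivery mode. Anything unlisted falls back to
# "scan-first", the slower but safer mode. Assumed policy, not a real config.
POLICY = {
    ("pdf", "smtp"): "scan-first",   # PDFs arriving by mail are held
    ("pdf", "http"): "fast",         # PDFs from the web are delivered first
}

def sandbox(data: bytes) -> str:
    """Stand-in for cloud emulation (constructed): a marker substring plays
    the role of observed malicious behaviour."""
    return "malicious" if b"MALICIOUS-SAMPLE" in data else "benign"

@dataclass
class AtpGateway:
    known: dict = field(default_factory=dict)    # sha256 -> cached verdict
    quarantined: set = field(default_factory=set)
    sandbox_runs: int = 0

    def handle(self, data: bytes, ftype: str, proto: str, client: str) -> str:
        """Return one of: delivered, blocked, delivered-then-quarantined."""
        digest = hashlib.sha256(data).hexdigest()
        mode = POLICY.get((ftype, proto), "scan-first")
        verdict = self.known.get(digest)          # hash database first
        if verdict is None and mode == "fast":
            # Fast mode: the client already holds the file when the verdict
            # arrives, so a malicious result can only trigger quarantine.
            verdict = self._emulate(digest, data)
            if verdict == "malicious":
                self.quarantined.add(client)
                return "delivered-then-quarantined"
            return "delivered"
        if verdict is None:
            verdict = self._emulate(digest, data)  # hold until the verdict
        return "blocked" if verdict == "malicious" else "delivered"

    def _emulate(self, digest: str, data: bytes) -> str:
        self.sandbox_runs += 1
        verdict = sandbox(data)
        self.known[digest] = verdict   # later sightings skip emulation
        return verdict

    def release(self, client: str) -> None:
        """Benign re-check or remediation clears the quarantine."""
        self.quarantined.discard(client)
```

Running the same malicious sample twice shows the difference: the first (fast-mode) sighting is delivered and then quarantined, while the second is answered from the hash database and blocked without another emulation run.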
Real-Time Monitoring
Unfortunately, malicious files can also sneak into the network through thumb drives or not-so-strict BYOD policies. Barracuda NextGen Firewalls act as the linchpin for an organization's network traffic and, by using ATP, are aware of domains and IP addresses known to spread malware and ransomware or to cause botnet infections. By detecting traffic from inside the network to botnet and spyware control servers, data theft is stopped before the actual connections are established. Administrators are also notified so they can take care of the compromised system.
On-demand query for infected machines
Detailed Reporting
Auditing and reporting is a key task in modern IT departments. To make this effort as smooth as possible, Barracuda NextGen Firewall deployments can make use of the Barracuda Report Creator. This reporting tool is a Windows executable and is free to download at https://dlportal.barracudanetworks.com. Create on-demand and/or scheduled reports on a selection of, or on the complete, NextGen Firewall deployment, or just on compromised users, systems, or IP addresses. It is up to you.
Online resources: Barracuda Report Creator at https://dlportal.barracudanetworks.com

The reports are sent in PDF format to a customizable set of email addresses.

Example for a report (Traffic and Application Usage Report, Botnet and Spyware Protection Report, Tuesday, September 06, 2016, page 2 of 2):

DETECTED BOTNETS (09/06/16 16:00:00 - 09/06/16 16:59:59)
#  DETECTED BOTNETS   COUNT
1  Bladabindi         2

DETECTED SPYWARE (09/06/16 16:00:00 - 09/06/16 16:59:59)
#  NAME        CATEGORY   COUNT
1  LoadMoney   Adware     2

BOTNET AND SPYWARE ALERTS BY USER (09/06/16 16:00:00 - 09/06/16 16:59:59)
#  USER        TRAFFIC   COUNT
1  [Not set]   15.5 KB   236
2  mwalcher    2.1 KB    2
3  pzajush     2.1 KB    2

BOTNET AND SPYWARE ALERTS BY GEO DESTINATION (09/06/16 16:00:00 - 09/06/16 16:59:59)
#  GEO DESTINATIONS     TRAFFIC   COUNT
1  Australia            13.3 KB   220
2  Russian Federation   3.3 KB    6
3  United States        3.1 KB    14

BOTNET AND SPYWARE ALERTS BY SOURCE (09/06/16 16:00:00 - 09/06/16 16:59:59)
#  SOURCES       TRAFFIC   COUNT
1  10.17.11.79   19.7 KB   240
On-Demand Sandboxing
Every now and then administrators come across files whose status they are unsure of. For such files, the configuration tool for the Barracuda NextGen Firewall, NextGen Admin, allows files to be uploaded manually to the ATP cloud, where they benefit from the same deep inspection.
Online resources: barracudacentral.org/atd
Alternatively, files can also be uploaded manually for inspection via the web interface provided by Barracuda Central.
Example for an analysis report
Barracuda Advanced Threat Protection at a Glance
Key Features
• Dynamic, on-demand analysis of malware programs (sandboxing)
• Prevent malicious files—even unknown ones—from entering the organization and avoid network breaches
• Identify zero-day malware exploits, ransomware, targeted attacks, advanced persistent threats and other advanced malware, which routinely bypasses traditional signature-based IPS and anti-virus engines
• Detailed forensics for both malware binaries and web threats (exploits)
• High-resolution malware analysis (monitoring execution from the inside)
• Granular control over PDFs, EXEs/MSIs/DLLs, Android APKs, Microsoft Office files, Open Office files, macOS executables, and compressed files and archives
• Blocking of active content in Office and PDF documents
• Full interoperability with the integrated SSL Inspection: files can be extracted and checked in order to detect advanced malware in the encrypted stream
The Barracuda Advantage
• Flexible and simple deployment: Easy to deploy, easy to use, and affordable Advanced Persistent Threat Protection.
• No new equipment needed.
• Full system emulation: Not only detects targeted and persistent attacks, but also malware that was designed to evade detection by the traditional sandboxes used by first-generation advanced persistent threat security vendors.
• Automatic user and IP blacklisting: Based on identified malware activities, infected users can be automatically blocked from the corporate network.
• On-demand and scheduled reporting for infected machines.
• Customizable, on-demand analysis reports: Available for any emulated file, providing full information on malicious activities such as registry entries, network activity (e.g., botnet command and control center traffic), or obfuscation tactics.
• Unrivaled detection speed: Provides nearly instant threat visibility and protection.
• Information on identified malware: It’s centrally stored and shared in order to optimize emulation.
• Cloud-based emulation: resource-intensive file emulation is offloaded to the Barracuda Advanced Threat Protection cloud.
• Fast response times provided by a synchronized cryptographic hash database for emulation, shared across the Advanced Threat Protection cloud.
• Multiple and simultaneous OS environments for emulated files (Windows, macOS, etc.).
• Temporary blocking of web and mail traffic during analysis.
• Optional “deliver first then scan” policy with automatic quarantine function.
• Stops spyware- and botnet-infected machines phoning home via DNS sinkhole technology.
• Automatic quarantining and reporting on potentially infected machines in the network.
• Scheduled reporting on potentially infected machines via Report Creator (includes automated distribution of the reports).
Availability
• Barracuda Advanced Threat Protection is available as an affordable add-on subscription that requires an existing Malware Protection or Web Security subscription.
• Barracuda ATP and malware protection are available as an affordable bundle subscription.
• Barracuda ATP is available for all NextGen Firewall F-Series hardware models and X-Series.
• Barracuda ATP is available for all virtual appliances VF25 or higher.
• Barracuda ATP is available for Microsoft Azure, Amazon AWS, Google Cloud Platform and vCloud Air public cloud offerings.
• Available for hardware and virtual appliances, as well as for Microsoft Azure, Amazon AWS, and Google Cloud Platform.
About Barracuda Networks, Inc.
Barracuda (NYSE: CUDA) simplifies IT with cloud-enabled solutions that empower customers to protect their networks,
applications, and data, regardless of where they reside. These powerful, easy-to-use and affordable solutions are trusted
by more than 150,000 organizations worldwide and are delivered in appliance, virtual appliance, cloud and hybrid
deployments. Barracuda’s customer-centric business model focuses on delivering high-value, subscription-based IT
solutions that provide end-to-end network and data security. For additional information, please visit barracuda.com.
US 1.1 • Copyright 2016 Barracuda Networks, Inc. • 3175 S. Winchester Blvd., Campbell, CA 95008
408-342-5400/888-268-4772 (US & Canada) • barracuda.com
Barracuda Networks and the Barracuda Networks logo are registered trademarks of Barracuda Networks, Inc. in the United States.
All other names are the property of their respective owners.