Alexander LAN, Inc.

System Management Simplified

• Firetower Guard back

Zero-day attacks — in spite of today’s layers of protection — bypass installed antivirus solutions and remain the most elusive malware. In most cases, zero-day attacks depend upon modifying the Autorun service in the Windows operating system to survive the reboot process and to maintain control of the target PC. Autorun settings have long been used by system administrators and digital forensic investigators to resolve everything from crashes to cyberattacks. However, the tools available for such analysis can only be used after-the-fact and the data garnered requires expert subject matter knowledge and long effort. FireTower Guard solves these problems through the introduction of Autorun Tagging and Cloud-based Authentication. The result is both a software utility that detects and contains zero-day attacks and a software tool that simplifies forensic analysis, closing a critical gap in cybersecurity.

FireTower Guard’s Autorun Tagging monitors Autorun creation and changes in real-time. Upon discovery of Autorun changes, it accesses Cloud-based systems to identify and authenticate via both MD5 and SHA-1 hash functions.

Automated authentication is made possible in part through the Autorun Setting Repository (ASR), hosted by Sampan Security. The repository is backed by  a hot standby ASR and is complemented by versions localized for specific countries/regions. An enterprise Intranet ASR Proxy is available for SCIF sites and other sensitive network environments.

 Green: Certified entry in Autorun Setting Repository
: Zero-day Autorun setting (benign or malicious)
: Known malicious Autorun setting

he software can automatically contain risky Autorun settings such as known-malware entries, suspicious behavior such as putting a binary in the alternate data stream, or auto-reinsertion of a non-certified Autorun setting. Autoruns are assigned ratings that advise the user and initiate protection:
§  Off: Monitoring-only mode
§  Normal: Block known malicious or suspicious settings
§  Elevated: Block all except authenticated setting changes
§  Lockdown:Block all except authenticated system changes

Unlike traditional digital forensic investigations, FireTower Guard automates the analysis of Autorun setting changes. For example, consider the effort to investigate a cyberattack upon a typical office network of 3,000 endpoints. At an average of 400 Autorun settings per system, investigators would face about 1.2 million settings. In contrast, if FireTower Guard were to be utilized — even after-the-fact — it would authenticate
all Autorun settings automatically. As a result, the frequency analysis that investigators would focus on would likely drop from 3,000 to perhaps 5 compromised systems and all malicious or suspicious settings would be immediately presented.

FireTower Guard has several key components: a PC-based endpoint threat detection module, an Autorun Settings Repository (ASR), and a server-based intrusion prevention system with a web-based cybersecurity management console (CyCon). The endpoint module monitors Autorun changes in real-time and automatically checks with the ASR. The ASR authenticates the changes, enabling containment when malware is identified. In an enterprise configuration, the end-point data is incorporated in an Inter-Host Intrusion Prevention System (IHIPS) that maintains the threat database, ASR proxy and threat analytic algorithms. The Web-based console, CyCon, allows all systems to be monitored and managed regardless if the systems or the investigators are onsite or remote and whether they are company IT staff or consulting forensic investigators.


Firetower Guard Datasheet:

FireTower Guard for zero-day detection and forensics

Prices are annual fees for the software, support, and Cloud-based ASR Authentication
FireTower Guard Base Kit

- Centralized management
- Real-time zero-day protection for up to 25 endpoints
- Forensic analysis of unlimited endpoints
FireTower Guard Added Endpoints
$20 ea.
FireTower Guard Stand Alone Edition
$25 ea.
Enterprise & Site Licenses