Today we’re announcing support for malware detection and prevention directly from the Cloudflare edge, giving Gateway users an additional line of defense against security threats.
Cloudflare Gateway protects employees and data from threats on the Internet, and it does so without sacrificing performance for security. Instead of backhauling traffic to a central location, Gateway customers connect to one of Cloudflare’s data centers in 200 cities around the world where our network can apply content and security policies to protect their Internet-bound traffic.
Last year, Gateway expanded from a secure DNS filtering solution to a full Secure Web Gateway capable of protecting every user’s HTTP traffic as well. This enables admins to detect and block not only threats at the DNS layer, but malicious URLs and undesired file types as well. Moreover, admins now have the ability to create high-impact, company-wide policies that protect all users with one click, or they can create more granular rules based on user identity.
Earlier this month, we launched application policies in Cloudflare Gateway to make it easier for administrators to block specific web applications. With this feature, administrators can block those applications commonly used to distribute malware, such as public cloud file storage.
These features in Gateway enable a layered approach to security. With Gateway’s DNS filtering, customers are protected from threats that abuse the DNS protocol for the purposes of communicating with a C2 server, downloading an implant payload, or exfiltrating corporate data. DNS filtering applies to all applications generating DNS queries, and HTTP traffic inspection complements that by going deep on threats that users might encounter as they navigate the Internet.
Today, we are excited to announce another layer of defense with the addition of antivirus protection in Cloudflare Gateway. Now administrators can block malware and other malicious files from being downloaded onto corporate devices as they pass through Cloudflare’s edge for file inspection.
Stopping malware distribution
Protecting corporate infrastructure and devices from becoming infected with malware in the first place is one of the top priorities for IT admins. Malware can wreak a wide range of havoc: business operations may be crippled by ransomware, sensitive data may be exfiltrated by spyware, or local CPU resources may be siphoned for financial gain by cryptojacking malware.
In order to compromise a network, malicious actors commonly attempt to distribute malware through an email attachment or malicious link sent via email. More recently, in order to evade email security, threat actors are beginning to leverage other communication channels, such as SMS, voice, and support ticket software for malware distribution.
The devastating impact of malware, coupled with the large attack surface for potential compromise, makes malware prevention a top-of-mind concern for security teams.
Defense in Depth
No single tool or approach provides perfect security, necessitating a layered defense against threats that make their way past these different tools. Not all threats are previously known to threat researchers, requiring admins to fall back on additional inspection tools once a user successfully connects to a site containing potentially malicious content.
Highly sophisticated threats may make their way into a user’s network, and the primary task for security teams is then to quickly determine the scope of the attack against their organization. In these worst-case scenarios, where a user accesses a domain, website, or file that is deemed malicious, the last line of defense for a security team is a clear understanding of the source of the attack against their organization and which resources were affected.
Announcing File Scanning
Today, with Cloudflare Gateway, you can augment your endpoint protection and prevent malicious files from being downloaded onto employee devices. Gateway will scan files inbound from the Internet as they pass through the Cloudflare edge at the nearest data center. Cloudflare manages this layer of defense for customers the same as it manages intelligence used for DNS and HTTP traffic filtering, freeing admins from purchasing additional antivirus licenses or worrying about keeping virus definitions up to date.
When a user initiates a download and that file passes through Gateway at Cloudflare’s edge, the file is sent to the malware scanning engine. This engine contains malware sample definitions and is updated on a daily basis. When Gateway scans a file and detects the presence of malware, it blocks the file transfer by resetting the connection, which the user’s browser displays as a download error. Gateway also logs the URL the file was downloaded from, the SHA-256 hash of the file, and the fact that the file was blocked due to the presence of malware.
A common approach to security is to “assume breach.” This assumption by security teams acknowledges that not all threats are previously known and optimizes for responding to threats quickly. With Gateway, administrators have complete visibility over the impact the threat had on their organization by leveraging Gateway’s centralized logging, providing clear steps for threat remediation as part of an incident response.
Detecting malware post-compromise
When using an “assume breach” approach, security teams rely on surfacing actionable insights from all available information around an attack. A more sophisticated attack might unfold this way:
After exploiting a user’s system through any number of means (the kind of initial foothold the “assume breach” approach anticipates), a stage 0 implant (or dropper) is placed on the exploited device.
This file may be a complete implant or only the first piece of a larger one; it sends a DNS query to a domain not yet known to threat research as being associated with C2 for an attack campaign.
The response to the query to the C2 server encodes information indicating where the implant can download additional components of the implant.
The implant uses DNS tunneling to a different domain, also unknown to threat research as being malicious, to download additional components of the implant.
The fully constructed implant performs any number of tasks assigned by another C2 server. These include exfiltrating local files, moving laterally in the network, encrypting all the files on the local machine, or even using the local CPU for the purpose of mining cryptocurrency.
Cloudflare Gateway goes beyond simply detecting and blocking queries to domains previously known to be associated with C2 or DNS tunneling, or that appear to be generated by a Domain Generation Algorithm (DGA). Gateway uses heuristics from threat research to identify queries that appear to be generated by a DGA for the purposes of an attack like the one outlined above, detects these previously unknown threats from an organization’s log data, and proactively blocks them before a security admin needs to manually intervene.
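To make the attack chain above concrete from the defender’s side, here is an added example (not Cloudflare’s code, and not Gateway’s actual heuristics or log format) that runs two simple heuristics over constructed DNS query log lines: a DGA check on the second-level label (length, Shannon entropy, vowel and digit ratios) and a tunneling check that flags base domains receiving many distinct, long subdomain prefixes or TXT queries. The thresholds are assumptions chosen for the sample data.

```python
import math
from collections import defaultdict

# Constructed sample DNS query log: "<timestamp> <query name> <type>".
# Illustrative input only; this is not Gateway's log format.
SAMPLE_LOG = """\
2021-03-01T10:00:01Z www.example.com A
2021-03-01T10:00:02Z mail.example.com A
2021-03-01T10:00:03Z kq3xv7zp1mwd9fqr.com A
2021-03-01T10:00:04Z 8ra1xfe8vyaq2ltp.net A
2021-03-01T10:00:05Z 5zt3q0kjhbvy7w2c.info A
2021-03-01T10:00:06Z 4a6f7a2e3c9d.0012.payload.exfil-test.example TXT
2021-03-01T10:00:07Z 9b8e1d0c7f21.0013.payload.exfil-test.example TXT
2021-03-01T10:00:08Z c3a9f2e4b1d0.0014.payload.exfil-test.example TXT
"""

def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def looks_dga(qname):
    """Heuristic: long, high-entropy second-level label with few vowels or many digits."""
    labels = qname.rstrip(".").split(".")
    if len(labels) < 2:
        return False
    sld = labels[-2]
    vowels = sum(ch in "aeiou" for ch in sld)
    digits = sum(ch.isdigit() for ch in sld)
    return (len(sld) >= 12 and shannon_entropy(sld) >= 3.5
            and (vowels / len(sld) < 0.25 or digits / len(sld) >= 0.25))

def dga_suspects(log_text):
    """Query names in the log that trip the DGA heuristic, in log order."""
    return [line.split()[1] for line in log_text.splitlines() if looks_dga(line.split()[1])]

def tunneling_suspects(log_text, min_unique=3, min_prefix_len=20):
    """Base domains (last two labels) that receive >= min_unique distinct long
    subdomain prefixes, or >= min_unique TXT queries: data encoded into labels."""
    prefixes, txt = defaultdict(set), defaultdict(int)
    for line in log_text.splitlines():
        _ts, qname, qtype = line.split()
        labels = qname.rstrip(".").split(".")
        if len(labels) < 3:
            continue
        base, prefix = ".".join(labels[-2:]), ".".join(labels[:-2])
        if len(prefix) >= min_prefix_len:
            prefixes[base].add(prefix)
        if qtype == "TXT":
            txt[base] += 1
    return sorted(b for b in set(prefixes) | set(txt)
                  if len(prefixes[b]) >= min_unique or txt[b] >= min_unique)
```

In the sample, the three random-looking second-level domains are flagged by the DGA check while `exfil-test.example` is flagged only by the tunneling check, mirroring the two separate domains in the chain above.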
Threat research is continually evolving. Cloudflare Gateway takes the burden of keeping pace with security threats off IT admins by delivering insights derived from Cloudflare’s network to protect organizations of any size anywhere they are.
What’s Next
Our goal is to provide sophisticated, but easy to implement, security capabilities to organizations regardless of size so they can get back to what matters to their business. We’re excited to continue to expand Gateway’s capabilities to protect users and their data. DNS tunneling and DGA detection are included in Gateway DNS filtering at no cost for teams of up to 50 users. In-line detection of malware at Cloudflare’s edge will be included with Teams Standard and Teams Enterprise plans.
Stay tuned for filtering at the network level and integration with GRE tunnels — we’re just getting started. Follow this link to sign up today.