Incapsula announced this week that they're offering an intriguing Backdoor Protection feature for sites using their cloud-based website security and performance services.
What's a Backdoor? A backdoor is a malicious function that enables hackers to remotely operate a site or server, even after whatever exploit they used for initial access has been patched. Installing a backdoor is often the first thing a hacker will do after gaining access to your site - so if you've been hacked before, there's a good chance you've already got one.
Hackers love backdoors because they provide easy return access to the site. Once installed, backdoors can used to distribute spam and malware, launch distributed denial of service (DDoS) attacks, or to help steal valuable data like credit card numbers. Recently, Incapsula reported how during the ongoing DDoS attacks against United States banks, a backdoor was used to turn a compromised site into a unwilling foot-soldier in the hackers Zombie Bot army.
Incapsula BackDoor Protect
What the Incapsula team developed is the capability to detect backdoors based on a comprehensive dictionary of backdoor kit signatures, together with their platform's ability to identify suspicious incoming and outgoing traffic. This combination of signature-based detection and live traffic monitoring allows Incapsula to immediately detect and quarantine all backdoors, even if they are masked or yet unidentified.
How Does It Work?
Incapsula divides the backdoor protection process into three phases: detect, alert, and quarantine.
1.) Detect : Incapsula's reverse proxy technology allows them to closely monitor all client website traffic. This means that they can uniquely identify backdoors not only by HTTP signature, but also by tracing suspicious remote commands back to their source.
By using both of these methods, Incapsula delivers tight, multi-layered detection. Even if the backdoor is heavily modified or previously unknown, they can still detect it based on incoming suspicious command strings.
And this is the crux: Incapsula's unique approach to backdoor detection enables them to go beyond signature based detection and detect a wider array of threats. Moreover, they can also counter obfuscation and masking, because they don't look for clues in the file system, but rather monitor on-execution "raw" traffic.
2.) Alert and Quarantine: Detection is, of course, the primary key to this system. But any site admin knows that threat management is a big time-eater. And Incapsula has taken this into account, too.
Once the system detects traffic suspected as coming from a backdoor, Incapsula immediately quarantines the backdoor URL, automatically denying access to it. It then notifies the site owner, providing a secure "preview-only" link to inspect the backdoor. But the initial action, that crucial first response, is totally hands-off.
Their system is quite flexible, and you can customize this action with options including "Auto-Quarantine", "Alert Only" and "Ignore" (not advisable). You can even permanently Whitelist backdoor files, if necessary. And, in addition to the preview link, Incapsula provides a path to the original backdoor file, which helps you easily find and remove the threat.
Open Beta: Free for Customers: Incapsula is offering their backdoor protection service FREE to existing and new customers. Add this to their already-impressive package of WAF and DDOS protection, and you end up with 360-degree security solution that combines the best of proactive and reactive security methods.