BitDam Blog

How to Automate Investigation in IDA Python Scripting
Alex Livshiz
Alex Livshiz
4 minutes & 16 seconds read · April 29, 2019

How to Automate Investigation in IDA Python Scripting

As a researcher in the Cybersecurity field, IDA is a tool that I use almost on a daily basis. IDA allows me to reverse engineer executables in order to deeply understand what happens under the hood.

If you’re like me, the first time you opened IDA blew your mind. I’m not just talking about their GUI (which I think is great), but the sheer amount of data IDA is able to extract from a Portable Executable (PE) file:

  • – Strings inside the PE
  • – Imports, Exports
  • – Functions, with their parameters and flows
  • – And so much more

In this post I’m going to discuss IDA Python scripting, why I needed it, and why you should use it too.

Why did I use it?

IDA Python is great for scripting, especially when you can’t just search manually for what you’re looking for. When investigating a suspicious behavior in a certain DLL, or extracting specific data, I find it very convenient.

After working and analyzing various malicious EXEs and DLLs, I noticed that my methodology doesn’t change too much. It always starts with:

  • – Search for interesting strings
  • – Search for WinApi uses that may indicate an attempt for achieving persistency on the machine
  • – Detect obfuscated content
  • – Etc.

IDA Python provides scripting capabilities, which allows me to extract this data, and saves a lot of manual hastle. Moreover, if there’s interesting info I want to extract (like size of code section, debug section info, etc), I can add it to the script for future uses.

Of course, there’s a lot more you can do with IDA. Everything that IDA displays, and much more, can be accessed using scripting.

Since IDA Python lacks a lot in documentation, here are few code samples.

IDA Python Tutorial

To run a python script on IDA, you need to make sure that you have IDA Python installed. I’m using IDA 6.5 and Python 2.7.

There are two ways to run your script:

1. Run your script directly from IDA, in the lower output window:

2. Inject your python code to IDA.

To do so, you create a .py file, write your code, and run IDA in the following way:

                                   idaq64.exe -c -A -T”Portable executable” -S”<<Your scipt path>>”

I’ll try to summarize the most useful\undocumented APIs by providing a few examples.

Example 1 – Print All Functions

Let’s say I want to print all existing functions in the DLL. Here’s all the code you need:

from idaapi import *
from idautils import *
from idc import *
# Wait for IDA to finish loading
# get the entry point of the PE file
start_address = BeginEA()
# If there’s no start address, there’s probably no .text section for the PE file
if start_address == BADADDR:
# Go over all the functions
for funcea in Functions(SegStart(start_address), SegEnd(start_address)):
    function_name = GetFunctionName(funcea)
    function_start = funcea
    function_end = FindFuncEnd(funcea)
print “function name – {0}, start address – {1}, end address – {2}”.\
, str(function_start), str(function_end))

Example 2 – Opcodes And Operands

IDA Python also provides you with API to go through opcodes and their operands. In this example, we iterate over all instructions in the “.text” section and print all addresses referenced by another address. Basically, this will print all function and location addresses.

from idaapi import *
from idautils import *
from idc import *
# Wait for IDA to finish loading
# This returns the entry point of the PE file
start_address = BeginEA()
# If there’s no start address, there’s probably no .text section for the PE file
if start_address == BADADDR:
# Go over all the instructions
for address in Heads(SegStart(start_address), SegEnd(start_address)):
if isCode(GetFlags(address)):
# Check if there are references to the address
has_ref = False
for ref in XrefsTo(address):
            ref_type = XrefTypeName(ref.type)
if ref_type.startswith(CODE_REFERENCE) or ref_type.startswith(DATA_REFERENCE):
                has_ref =
print address


IDA Python is a great tool for extracting data from PE files, it enables basic scripting as well as many cool APIs. In this post I showed the rationale behind using this tool, and provided two easy-to-use code samples. Enjoy.

Read more
Rotem Shemesh
Rotem Shemesh
5 minutes & 8 seconds read · April 16, 2019

Ask the Expert: The Data Breach Effects We Never Hear About

We’re constantly hearing about data breaches in the context of financial losses – this company lost $40m, this one’s market value dropped by 3% – but what about the softer losses? What about the people who lose their privacy and have their most intimate details exposed?

In this blog post, we guest interview Dana Turjeman, Ph.D. Candidate in Quantitative Marketing in University of Michigan, and look at the implications on individuals who have suffered the consequences of a data breach.

About Dana Turjeman

Dana Turjeman is a Ph.D. Candidate at the Ross School of Business, University of Michigan, and her research focuses on privacy and impression management.

After working with an online match-making website (specifically for those seeking an extramarital affair) that suffered a severe data breach, Dana and her team wanted to learn more about the short term changes in the behavior of users following the announcement of a breach.

When she started to investigate the consequences of the data breach, she realized there was a lack of research on how such breaches affect users. Almost all work in this field was on financial damages suffered by public companies – simply because financial data on public companies are more available.

BitDam (BD): What’s the impact of data breaches on individuals?

Dana Turjeman (DT): Data breaches differ based on their level of sensitivity of the data, number of records, where the data ends up (public or not), and whether people can be protected from damage or not. On many occasions, data breaches cause financial harm to individuals; in many countries, these effects can be minimized by using financial identity and fraud detection services.

In other cases, sensitive information about habits, sexual preferences, and illegal behavior have been revealed. In the case of one of the affair-seeking websites that was breached, individual users got divorced, had their reputation severely harmed, and in extreme cases – committed suicide. This example of a breach is one of the most extreme in terms of the sensitivity of the data.

Usually, even though data breaches receive a lot of media attention, individual users do not have many ways to protect their identity, and even if they do have a way to protect it, they neglect to do so; this is often referred to as the “privacy paradox“. This might be for several reasons: optimism bias, laziness, uncertainty as to what can be done, and habituation (getting used) to data breaches. Measurement of changes to users’ engagement with companies is hard to achieve, following a data breach, and my research aims to solve this problem.

BD: Can you tell us more about your research?

DT: I have several projects on privacy; one of them focuses on the consequences of the data breach on the affair-seeking website, as I mentioned. Another relevant one is on the positive and negative sides of data collection, specifically in marketing practices.

In a different stream of my research, I look at impression management. In one relevant project, I observe changes people make on online dating websites (not only those seeking an affair) and investigate the “optimization” they make to their appearance on the website. Some users change details such as date of birth, height, and ethnicity – which can clearly never change. It doesn’t mean they lie in order to deceive. Rather, there are several reasons that have been discovered – personal security, ability to hide personal information and “hold the cards”, and yes, also – desire to attract more.

BD: It seems like the main focus when it comes to data breaches is on financial losses rather than customer behavior. Can you comment on that?

DT: Most research on the consequences of a data breach focuses on the stock market valuation of companies that suffered a breach, and customer surveys. It is hard to measure actual changes in customer behavior, for two main reasons:

(1) Companies don’t easily provide data following such instances (very naturally so – they want to share less, and not more, data, after a data breach), and (2) it is hard to measure users’ reactions, especially when there’s no “control group” (i.e., usually, in a data breach, all users/customers of the company are affected, and there is no clear group that can be used for comparison).

BD: How do you deal with these constraints?

DT: We solve both of these problems by having a rich data set that we received directly from the company (under a Non-Disclosure Agreement, and only for academic purposes), and by using advanced quantitative and causal inference methods.

BD: Why are the “softer” effects being overlooked in your opinion?

DT: Some of the consequences of data breaches that I mentioned above – loss of privacy, reputation, etc., are hard to measure. Usually, it is easier to look at stock market valuation and assess what the damage is from there.

BD: Any idea on how to avoid such privacy violations?

DT: The easiest thing is to collect only the data that is really needed and hold it for the least amount of time necessary. But even with data that is collected, companies should:

  •     – Update their security practices all the time
  •     – Encrypt every piece of the data, and obviously the sensitive parts of it
  •     – Grant access to only those who must access the data
  •     – If using third-party code:
  •         – Be sure to use it only if it is from a reputable source
  •         – If it is an open-source, use open source that is well maintained and validated
  •     – Data protection should be discussed from the very first step of product development
  •     – Apply advanced cybersecurity solutions and keep up-to-date with new solutions and technologies


The Key: Stay Protected

Data breaches can take a massive financial toll on businesses. What’s less known, is the tremendous negative impact these breaches have on individuals. Thanks to researchers like Dana Turjeman, we’re starting to find out more about the effects these breaches have.

A key takeaway is how imperative it is to ensure that all content and applications are secure. Organizations and individuals should make sure they are protected and deploy sophisticated solutions to deal with these advanced threats before it’s too late.

Read more
Perimeter-Based Security
Maor hizkiev
Maor hizkiev
2 minutes & 43 seconds read · April 8, 2019

Perimeter-Based Security: So You’re Saying You Detect The Malware After I Got It?

If you read my previous blog then you already know that I like to dig into other vendors websites and marketing materials.

In this blog, I’d like to share with you another interesting aspect that I’ve learned about perimeter-based security solutions. Apparently, the bigger (and the smaller?) vendors claim that they constantly scan files or links, even after they were flagged as clean. The purpose of doing so is to lower the false negatives rate of the solution and alert on those threats retrospectively.

It does sound nice that you can be notified on a malicious file after it entered your organization, I mean, better late than never right? My claim is that it covers a much bigger problem in today’s detection engines.

Which files are scanned?

First, let’s look at it economically – constantly scanning all the files 7 days back sounds really expensive. So it is probably not something that is actually done as said, but it’s safe to assume that only a subset of those files is actually scanned. So how do they determine which files to scan? I’ll have an educated guess, and say that the subset is determined based on some characteristics, or maybe a low scoring that these files received. So, the question to ask now is “what about the files that are not falling into these categories?”. They are going undetected even a week after they have entered the organization.

Why didn’t you detect it a week ago?

Second, what does it actually mean that after a few days a vendor will suddenly detect a file? It means that they got new data on the file, whether it’s a list of recent malicious files that they received from a partner, a more significant statistics on that file, or that the malicious part in the file was triggered after a few days. Anyway, at the end of the day, it means that they weren’t good enough to detect the file on first sight. And more importantly, it means that you as an organization was exposed to this malicious file, and hey, it might be too late.

From our experience and data that we see at our customers, the time it takes for a vendor to update its solutions, ranges from 1 day to 12 days. The importance of detecting the threats on first sight is becoming THE purpose of cyber security today. Attackers are aware of that gap and taking advantage of it, so they are using an attack just like a disposable plate – after a short use, they throw it away, and recycling it to something brand new which most solutions can’t detect.

The high investing in post-detection mechanisms (continuous scanning and pull capabilities) raises some serious doubts in the effectiveness of those engines, as they are immortalizing the cat-and-mouse game, which is the preferred game for the attackers as they are the ones holding the advantage.

What can you do about it?

My suggestion is to look for solutions that do not pose these questions and doubts, or even better – solutions that are ‘attack-agnostic’. If a detection engine is not dependent at all on how attacks look like, and doesn’t ‘care’ that attacks pretend to be something else, it is more likely that it will detect attacks on first sight.

Read more
Don’t Jeopardize Your Security When Using Platforms Like G-Drive, Dropbox, OneDrive and Box
Rotem Shemesh
Rotem Shemesh
2 minutes & 20 seconds read · March 28, 2019

Don’t Jeopardize Your Security When Using Platforms Like G-Drive, Dropbox, OneDrive and Box

Most of us use some kind of cloud collaboration platform as part of our workday routine. We’re constantly sharing files and working together with our colleagues on projects. But with so much of today’s business taking place online, the security of our documents becomes paramount.

Security Focus Has Been On Email
Online security has been highly focused on protecting against email-borne threats. And with good reason – over 90% of attacks penetrating organizations’ defenses are delivered via email.

Currently, it’s relatively easy for hackers to attack via email. For too many organizations and individuals, an absence of sufficient awareness, training, and sophisticated security tools means that they are left vulnerable to even simple phishing attacks.

This has been changing over the last couple of years, however, as more companies start to offer specific email security tools – in the form of both basic solutions from email service providers, as well as from vendors that specialize in security.

A New Challenge Emerging: Content-borne Attacks Via Cloud Drives

With so many people focused on email security, a new, much more dangerous threat has emerged.

Cloud storage platforms like OneDrive, SharePoint, G-Drive, Dropbox, and Box are often left unsecured. They lack the high level of security that has become instrumental in securing email, endpoints, and networks. While there have been major attacks using cloud storage platforms in the past – most notably the G-Suite Google Docs hack – most hackers aren’t yet focusing on these platforms.

This is set to change as email security improves. Hackers have already begun looking for newer attack vectors, and cloud storage is high up on their list. We’ve already seen a dramatic increase in content-borne attack incidents that start from within these platforms. 

An additional factor that makes cloud storage platforms so tempting for hackers, is how trusting people are of the platforms. Believing shared documents to be safe from traditional phishing and email fraud, users often throw caution to the wind even when receiving a document from a stranger.

BitDam scans files and links before users can access them through cloud drives.

Secure Your Cloud Collaboration Platform

What’s becoming clear from the increase in both quantity and severity of security breaches that leverage from a cloud collaboration platform, is that a purpose-built solution is required in order to keep yourself, and your organization, protected.

That’s where BitDam comes in. BitDam stops advanced content-borne attacks contained in any type of file or URL across channels, including your email (Office 365, G-Suite or any other email service), cloud collaboration platform (Google Drive, OneDrive, Dropbox, Box), and even Instant Messaging (Teams, Skype or Slack).

In today’s environment of sharing and collaborating on even the most highly sensitive documents, it’s imperative to have the best protection possible. For more information or to schedule a trial, get in touch.

Read more
Rotem Shemesh
Rotem Shemesh
2 minutes & 15 seconds read · March 14, 2019

Customer Interview: Michael Lee Sherwood, The City of Las Vegas

“In Cyber Security, nothing’s ever enough. There’s always more you can do.”

Michael Lee Sherwood, Director of Innovation and Technology, The City of Las Vegas

We’ve interviewed Michael Lee Sherwood, The City of Las Vegas‘ Director of Innovation and Technology about his experience with BitDam’s Advanced Threat Protection. Here is the result in video and text:

Please introduce yourself – Who are you, and what do you do?

My name is Michael Lee Sherwood. I’m the director of Technology and Innovation for the City of Las Vegas.

In one sentence, what’s your take on cyber security? And what was the challenge you had before BitDam?

Cyber Security is a completely evolving area and one of our number one priorities, prior to using BitDam has been how do we gauge that risk? How do we engage the threat and ensure that email can be a tool used for safety?

What does BitDam do for you? And what makes you happy with their service?

BitDam really helps us now by scanning our emails before they come in and eliminating threats that might otherwise have come into our network. So one of the key reasons other than a great partnership with BitDam, is its technology. With BitDam we’ve seen very little latency from time of entry to actually delivery to our customers’ mailbox. BitDam has been very successful in not only helping us address email threats, but actually providing us intelligence into the type of threats that is coming in as well as how we can mitigate future threats from impacting our network.

In your opinion, what makes BitDam different in the marketplace?

There’s a vast amount of products out in the security marketplace and growing all the time. I think what separates BitDam from other products and in my opinion, makes it unique, is their approach and their knowledge on Cyber Security.

What was the installation like? How long did it take to start seeing the value?

The BitDam solution was probably one of the easiest installations I’ve ever had. Within the first hour or two hours of the product being deployed, we had our first return of a suspect email. And in today’s cyber landscape, the ability to respond quickly and decisively is most important.

What have the results been so far?

I think in our case with BitDam, we’ve had 26 detections so far. We’ve had no infections from malware since we’ve had the product in place. It has provided valuable intelligence.

Is there anything else that you’d like to add?

I look at it this way, not only is BitDam an insurance policy, it’s an insurance policy that pays us dividends every day.


Read more
Best of RSA 2019 – A First-timer’s Perspective
Rotem Shemesh
Rotem Shemesh
3 minutes & 7 seconds read · March 11, 2019

Best of RSA 2019 – A First-timer’s Perspective

Dispatch from the world’s premier security event

With more than 40,000 attendees from InfoSec, Security Ops, Software Architects, CISOs, 500 sessions and the entire city packed with conference visitors, attending the RSA Conference for the first time was an overwhelming experience. It seemed like the whole city talks cyber security – signs, side events in every hotel, and I won’t even mention how difficult it was to find a proper table in a restaurant… (actually, I did get a table at Ozumo and that was an amazing dinner!)

As someone who’s relatively new to the security space, the real experience from my perspective was to see first-hand, the depth and the width of the IT security space. There are so many categories (such as Risk & Compliance, Network Security, Cloud Security, Mobile Security etc.) sub-categories (including Email Security, Data Leak Prevention, Fire Wall, End Point Security, VPN, SIEM, Biometrics and so on) and sub-sub-categories (like SCADA security for buildings or biometrics for contact centers) to information security. There are so many potential breaches and so much data to protect. I knew that before but didn’t really realize the scope of it.

So what did I learn at RSA 2019?

1. Wherever you look, there is a growing need for better security

I learned that wherever there is information, or a connection to information, there is also a risk of having this information lost or stolen. I also learned that as the technology evolves and new techniques emerge, these innovations lead directly to an increased potential for data loss, breaches and therefore and increased need to protect and mitigate them. That’s why we see more and more niche security solutions – for healthcare, for IoT, for industrial IoT, for DevOps, for specific mobile apps and so on – and I fully expect that trend to continue.

2. Stick to security basics

Although there are plenty of new market categories that are driven by real needs, most attacks still start with an employee lured to click a malicious file or link. There are many cyber security solutions aiming to address this problem – from securing the network, through securing email gateways and endpoints, and all the way to employee training and education. However, at the end of the day there is still a gap, and even though these solutions are in place, organizations are still being breached at an increased rate. Therefore, it is no surprise that even in 2019, these “basic” solutions are still a key part of RSA. And you know what, as long as the arms race of email and content security is taking place, they are not going anywhere.

3. Enough with FUD

And perhaps the most important thing for me as a marketer was to notice how everyone talks the same language. Almost all the vendors are talking about threats, attacks and risks. I understand why they use FUD (and I do that too sometimes, after all, I’m in security too), but I did miss two things – looking at the positive side of things (for example, how these cyber solutions make your life easier), and some sense of humor. It seems like everybody is so busy frightening others, that they sometimes forget that after all, we talk to people and people like to laugh.

IT and cyber security is not going anywhere, there is a growing need for it across industries, roles, geographies, organizations, and basically, wherever you look. Even traditional problems like email or network security gaps are not totally addressed yet, there is a need for innovation there too. And the entire conversation is around threats, risks, attacks, loss. Makes you wish that we would live in a safer world. On a personal note as a marketer, I would try changing the attitude, and the lingo to a more positive one.

Read more
Even TrickBot Didn’t Trick BitDam
Roy Rashti
Roy Rashti
3 minutes & 37 seconds read · February 13, 2019

Even TrickBot Didn’t trick BitDam

Running at one of our American customers, the BitDam service has recently detected an email containing a TrickBot dropper with the following sha1 – 8cad6d7f47553b363698230c36c36cb39a801126.

It was pretending to be sent from Bank of America – the subject of the email was “FW: Incoming Confirmation” and it arrived from The attackers tried to lure their victim into clicking the attachment by pretending the email was sent a known bank.

You can read more about TrickBot at the end of this blog post, but first I’d like to take you through the analysis of this attack.

Attack Analysis

The following is a technical analysis of the interesting attack vector that we detected just a couple of weeks ago at one of BitDam’s customers.

When I opened the file, it was quite clear that it attempts to look like a ‘Bank of America’ document as shown in figure1.

Figure 1

The attack was macro based, and as I tried viewing the macro, I noticed that the VBA project was password protected. That was done by the attackers in order to make it harder for security teams to debug or view the VBA code of the attack, which was obviously well written.

Once I bypassed the password protection (it was relatively easy), I saw that the VBA project (shown in Figure 2) is made of a VBA module containing most of the code, and a form.

Figure 2

The code in the workbook was very simple. The attackers implemented Workbook_Open function that runs automatically. That function made only one simple call (shown in Figure 3).

Figure 3

The attackers made a significant effort to make their code look as legitimate as possible. Unlike most cases where we see heavily obfuscated code, this one was clear and even had some comments in it.

The malicious content that the attackers were trying to hide was founded in a textbox inside the form.

Figure 4 shows the value hidden in the textbox and the beginning of the ‘de-obfuscation’ of that odd, unreadable string.

Figure 4

Eventually, the string becomes readable and the attackers launch a shell that is supposed to execute it. Figure 5 shows the shell execution and the value it executes.

Figure 5

When copied aside, Figure 6 shows the full Powershell command line.

Figure 6

The attackers tried to avoid detection at any phase of the attack. In the Powershell execution line, we do not see any URLs nor downloaders. Just a long odd string that is base64 decoded an uncompressed using GZIP compression. To see what that stream is, I decoded and decompressed it to see a Powershell code with obvious intentions, shown in Figure 7.

Figure 7

Even here, in a code with clean intentions to download and execute an executable, the attackers inserted comments, probably used to break textual sequence in order to avoid detection.

This code is relatively clear as it attempts to download the payload from two different servers:

  • jamaicabeachpolice[.]com/za.liva
  • gba-llp[.]ca/za.liva

The payload (sha1 f91ed88e61b431ce883f75797ad36c5a4a9ca212) is TrickBot.

A bit about TrickBot

TrickBot is one of the newest banking trojans. It was initially seen in 2016. TrickBot aims to steal banking details, stored passwords, and emails, as well as stealing from Bitcoin wallets.

TrickBot has several modules, each with its own purpose: one for propagation, another one for stealing passwords, a module for setting persistency mechanisms, etc. TrickBot communicates with its Command and Control (C&C) servers that are set on hacked routers.

Propagation-wise, TrickBot uses EternalBlue SMB exploit (the same one used by WannaCry and NotPetya) to reach new computers within the network. Any computer that is not updated with the relevant patch is vulnerable to that exploit.

In an un-patched network in which TrickBot can spread easily, it will be hard to get rid of it. Keeping its persistency using scheduled tasks, it could get a hold in many computers within the organization, leak and take control over a lot of banking accounts and mailboxes.

The organization that was targeted by this specific TrickBot attack uses BitDam as the last line of defense. This means that this attack, detected by BitDam, has actually bypassed all other security solutions in place before BitDam caught it. Just imagine what would have happened if the BitDam solution wasn’t there.


Read more
Introducing BitDam Advanced Threat Protection for Cloud Storage
Rotem Shemesh
Rotem Shemesh
1 minute & 30 seconds read · February 7, 2019

Introducing BitDam Advanced Threat Protection for Cloud Storage

Keep combating content-borne cyber attacks

As you probably know, BitDam Advanced Threat Protection (ATP) for Email protects hundreds of thousands of mailboxes, scanning millions of emails for malicious files and links. That’s awesome – we love protecting our customers, we detect malicious emails all the time, and prevent them from reaching end users. It really is cool. But this is not enough.

Email protection is important, but what about other channels?

All of us use additional collaboration channels every day. We upload, download and share files over cloud storage. You may be using Google Drive, OneDrive, Sharepoint, Dropbox, Box or any other cloud collaboration platform, but you definitely use at least of those as part of your day-to-day work practice. And guess what? Attackers know that. They also know that these channels are much less protected than corporate email. And guess what? They’re going to take advantage of it!

BitDam 3.0 to the rescue

This is exactly why we decided to expand our solution to help protect important cloud content collaboration channels such as MS OneDrive, Sharepoint, G-Drive, Dropbox and Box. As a leader in content-borne attacks, we understand that there are multiple channels allowing content to reach end-users. A key channel is cloud drives. BitDam 3.0 which is now available for our customers covers cloud storage in addition to email, scanning every file and link that is uploaded to the drive in order to ensure that end-users can access legit files only.

To give you a glimpse of what I’m talking about, here is a screenshot of our (brand new) dashboard that helps SOC teams view, manage, analyze and investigate malicious files in order to take immediate action once an attack takes place. 


Want to learn more about BitDam 3.0? Contact us to see a demo, or read the full press release announcing BitDam 3.0 here.

Read more
Rotem Shemesh
Rotem Shemesh
5 minutes & 56 seconds read · January 24, 2019

City and County of San Francisco’s Nathan Sinclair Share His Experience of BitDam’s PenTest

Nathan Sinclair heads the Cybersecurity Defense team of the City and County of San Francisco providing IT security services to about 30,000 employees. He has recently engaged with BitDam, used its PenTest in several ways and got to some conclusions. In this interview, he shares his experience with BitDam’s PenTest including some specific insights about the process, how it helped him assess different email security solutions and even push for doing more in less time.

Nathan, can you please give us some background about yourself and your job?

Nathan: I manage the cybersecurity defense team for the city and county of San Francisco. We are a central service for cybersecurity monitoring and alerting which serves the entire organization.

One of the newest additions is that now we are also focused on email protection. Our biggest challenge was phishing because we knew it’s a growing problem but didn’t have much visibility on what was going on, so that was the main trigger for our email security solution search.

How did you hear about BitDam?

Nathan: Our CISO, Mike Makstman, brought it to my notice. I heard about BitDam before but didn’t have any direct touch with them. Then Mike told me about them and that they use an interesting approach. So I did some research and found out that it is indeed a different approach to how all others do email security and it sparked my curiosity. That was when we started to kick off, saw a demo and understand what it does. Understanding the technology underlying behind it, I realized how valuable it could be. That’s one of the reasons we went forward with procuring it.

Ok, so what was the next step?

Nathan: To start testing we used the BitDam online PenTest and forwarded some malicious emails to the BitDam portal to see how it works. Just like we did to other email protection solutions. I know that this wasn’t the perfect test, but that was the best we could as an initial step.

Alright, can you tell me a bit more about the PenTest itself? What was done there?

Nathan: Well, the Pentest – that was interesting!

I started with the free online PenTest – very simple. You just put your email address there. The first time we did that was actually very helpful because we tested multiple solutions using the same PenTest – sent the same emails to mailboxes equipped with different solutions so we got a true comparison.

Then we rolled in into the advanced part of the BitDam PenTest working with the company’s team. That was really good because the number of emails that were sent to all solutions was high and it gave us a representation of what emails the products could see, which ones saw what, whether they were able to detect malicious files and so on. This helped us narrow down the solutions very very fast. This is the fastest POC that I’ve ever done for so many solutions at the same time in my whole career.

How many solutions did you test?

Nathan: We’ve examined about 5 solutions in total. We had licensing set up from different solutions to some internal mailboxes so each mailbox used a different solution. It was interesting to see in real-time how different solutions handle different malicious emails, which alerts they send etc.

What kind of products did you check in this PenTest?

Nathan: All products we’ve compared to were email security solutions. Some of them had additional functions like sandboxing and advanced analysis of the messages, so it was kind of a mix.

How would you evaluate these solutions without the BitDam PenTest?

Nathan: It would have been a similar process but a lot slower…We would have to wait for certain malicious or phishing messages to come to us for real in order to send it to each of the solutions.

How long did the process of comparing these 5 solutions take?

Nathan: Honestly, once BitDam started to send all those messages the test was very quick. This PenTest was way more efficient than how we’ve been testing other solutions before. The PenTest analysis took about a month in total, and that was only so I can pull data and make sure I’ve tested all the features and covered all bases.

How easy was it to operate? Analyze?

Nathan: The initial one on the website was super easy. Literally, put your email address in, click a button, and click submit. The advanced PenTest was also easy. We just had to let the team know which email addresses to send the messages to. I had alerts set up so I knew when it was coming in, what time. It wasn’t anything that was complicated.

Anything worth sharing with others who may do this PenTest?

Nathan: We had to figure out a way to count the messages that did pass and came in, and there were hundreds of such messages. To deal with that, one of our guys set up a rule so he could tell me every morning how many messages actually made it to his mailbox. He just created a folder in order to track it and it was very interesting to see how many did make it through.

Also, to us, the PenTest helped us assess how we will operate on those systems when we will get a false negative. Good representation of what’s going on is a pretty big deal to us since we serve different departments.

Were you surprised by the results?

Nathan: You know what, no, I wasn’t. We asked our peers what other solutions and services they have, and the actual experience they had with these solutions. So when we tested one of the first ones I wasn’t surprised, it was typical.

I was surprised by the speed of this PenTest which gave us the amount of time to be able to do everything that we wanted and even more.

And what was your impression of BitDam?

Nathan: I can definitely tell that it’s a company that doesn’t just sell a product but really builds a partnership which really fits how we operate with vendors. I think it’s really cool how the product looks at email very differently. The BitDam approach – creating the baseline of how something is supposed to work – was a key driver to make the decision to have it as a security blanket, especially for mailboxes that are more targeted than others.

Are there any cyber trends that you notice at the City and County of San Francisco?

Nathan: Our biggest target is our end users. That trend is going to continue. Malicious emails are looking more and more real every day. There have been a lot of messages that were targeted to us, that looked very genuine from where they come from and they are not. They send you to websites or places that look just like the website that could potentially send it. Once the user has clicked on it the damage has been done. I think we have to combine education of end-users and technology such as more intelligence and dynamic analyzing of those messages.

Read more
Detection solutions – the more the merrier?
Maor hizkiev
Maor hizkiev
4 minutes & 9 seconds read · January 15, 2019

Detection solutions – the more the merrier?

I would like to invite you as a reader to take a deeper look at your perimeter solutions and their detection mechanisms. When you dig deep into the vendors’ websites or press releases, like I happen to do every now and then, you can find a lot of interesting information that some users are not aware of.

Specifically, I would like to draw your attention to the secrets of the detection mechanisms. As it appears from the vendors’ websites, most detection security solutions use more than one solution as their engines. Some hold an in-house-developed engine. Others only integrate external solutions into their infrastructure. You also hear about collaborations between vendors, that aim to provide you with stronger security. These typically market their solutions as even better, because “now you have five great engines that detect attacks instead of just one”.

On a first glimpse, it does seem great, that you can get several detection engines in one solution, but is this really the case? Let’s look at it from the vendor’s perspective – You now have several engines, with different levels of knowledge about how they work and operate, and you need to integrate them into one holistic solution.

Information loss on the path to one verdict

The first issue that comes in mind is that end-users should get just one decisive verdict: “passed” or “blocked”. In the case of using more than one engine integrated into one solution, you as a vendor, need to get a set of indicators from different engines and then combine them into a single verdict of “passed”/”blocked”. This means that the vendor needs to build some logic for it. Whether it’s a proprietary algorithm, a machine learning algorithm, a simple rule-based decisioning engine or any other method, it is not an easy task, especially when having a shallow knowledge about the other solutions you integrate with and the true meaning of the indicators. What we see happening here, is moving the problem to a different place, outside of the engines, and processing a set of indicators that might or might not indicate malicious behavior, to provide a definitive answer. Will you know what happens when “engine A” provides a set of indicators that, on a stand-alone deployment, would flag it as malicious, but “engine B” usually flags it as benign? Which one will you take?

Having another engine doesn’t magically increase the detection rate. In my opinion, it might be even worse when the vendor doesn’t have its own engine since the expertise is probably lesser in understanding and determining the true meaning of the indicators. The result of having too many sources of information is that some of the information is being lost.

Economical decisions

Again, looking from a vendor’s perspective, you always measure your product economically. Running all solutions all the times is expensive, and for some cases, the license doesn’t permit to use the engine extensively. So into the decision mechanism, you have to insert financial or license restrictions which determine which solutions to use for each sample. The common way to do it is by characterizing the sample using static-analysis methods. For example, if a file contains a macro, you’ll act differently than in the case of a file that doesn’t contain macros. It gets trickier on advanced attacks when static evasion techniques are used (for example you can view our blog about a variant of CVE-2017-11882 “The Hawk in the NET (CVE 2017-11882) – Part 1“. In conclusion, this level of decision algorithm is complex and usually results in a lot of false-negatives.

It takes longer to get security and engine updates

Another problem in integrating different detection engines into one solution is the updating issue. Each detection mechanism, due to its reactive nature, is evolving and creating more indicators pretty often. Using a stand-alone deployment, the user may get those updates fast, but having it as an engine inside your product means that you need to know which new indicators were added, and adds it to the overall decision algorithm. Only then, you will get to use this update. You can imagine that it takes time to develop and test, and I guess I don’t have to tell you how risky it is to wait for these updates for so long.

So what’s the solution?

We, at BitDam, believe that these three issues are key reasons for why we see many attacks bypassing all those integrated detection solutions available today. Generally speaking, we’ve reached the times when deployment can be quick and easy (thank you SaaS!), so there is no reason not to choose the best of breed, instead of relying on your old trusted vendor to do it.

If you’re using one of those integrated solutions, I recommend testing how secure it really is. You can do this by using this free Penetration Test which takes just a minute (and is totally secure and private) on our website, or contact us for a more comprehensive PenTest.

Read more

Schedule a Demo

Enter your email to get a free trial invitation