Metapacket analyzes outbound network traffic to flag and block malware

Metapacket, one of YC’s current batch of startups, is hoping to get its SaaS on corporates’ list of essential threat detection software with a technique to stop malware attacks by analyzing outbound network traffic to determine whether it’s human or not.

Rather than by trying to assess where data is being sent, to try to ID suspicious outbound connections, its technology focuses on trying to determine whether network traffic is really being generated by a human or not. And thereby, it claims, catch (and block) malware in the act of relaying pilfered data elsewhere.

“Malware cannot completely mimic human beings’ behavior and the whole functioning operating system plus browser when it’s surfing the web,” says founder Nir Krakowski, who along with his co-founder has a background working for the Shin Bet Israeli state security agency.

“We know how attackers work, how they think, how they strategize… That’s when I realized we had to do this in order to catch them where they’re going to be” is how he explains the thinking behind the startup.

“There’s a tactical reason why malware uses web communications and not other things — because initially it wants to look as human as possible. 99.9% of the traffic out there is web-based. And it wants to hide itself in plain sight, between user interactions. But it can’t do that completely,” he adds.

Trying to ID malware based on where it’s sending data can be complicated by hackers looping in legitimate services to mask malicious intent — such as the Russian Hammertoss malware uncovered last year which sends data to services such as Twitter and Github. Hence Metapacket taking the opposite tack of looking to determine the source.

“What are you going to do, are you going to block all of Twitter? You can’t do this at the website level, at the target level,” argues Krakowski. “It’s almost impossible to do it this way, via the target.

“What we’re doing is, unlike all the other proxy solutions or web-analysis solutions, we are not just passively looking at the data but we are modifying it. So we are challenging the user and browser to prove that they’re human by adding to the traffic.”

Krakowski says that the closest similar approach to what it’s doing is anti-bot technologies deployed by websites to try to block scraping — such as the likes of Distil Networks — but he says these companies aren’t focusing on blocking malware communications.

“They’re trying to solve a different problem. Their technology might be somewhat similar… but the problem they’re facing is how do you defend a website, not a company? We’re defending a company, a corporate network.”

Other security companies he names as having more of an overlap with Metapacket include Zscaler and Blue Coat.

The challenges Metapacket is using to try to identify malware are JavaScript-based, so it’s basically looking at user behavior on websites while surfing and using that as a benchmark to identify non-human web connections.

False positives can occur, he concedes, but notes that about a week of learning is required on first implementation so the software can get a handle on normal network traffic. After this learning phase it gets switched over to block mode so potential problem connections will be blocked and flagged to a sys admin, via a dashboard view — providing them with various metrics (such as frequency seen and confidence level) to make a judgement on whether the traffic is malicious or otherwise.

In order for malware writers to workaround Metapacket’s detection system Krakowski reckons they would have to create complex programs — “of at least a few megabytes of data”, that run “a whole chunk of code that mimics a browser” — which would in turn be at risk of flagging up the presence of something malicious on the network by merit of their complexity.

“It’s almost impossible to bypass. It raises the bar really, really high,” he argues. “Because it has to be fully automatic… To include all that in its code it’s going to make itself really, really high signature — it’s going to be really, really easy to identify with all the other means of security.

“You’re going to, basically, risk your code-base in order to attack this communication… I’m guessing there are only a handful of organizations that can build this right now.”

He reckons the startup has a one to two year lead on any malware writers working to create a potential bypass. Albeit, security is ever an arms race so there’s little doubt a clever hacker will come up with a workaround in time.

“We’re probably talking more about Russians and Chinese and US that might, in two years, be able to bypass this — but they’ll have to build something specifically to bypass us,” he adds.

Meanwhile, at this nascent stage of the business, Metapacket has just one customer (who it’s not yet naming), but Krakowski points to seven proof of concepts it has lined up, due to start in the next two to three weeks.

Its customer focus generally is on corporates and/or organizations with strategic data, whether their own or their users, to protect — at the risk of “brand meltdown” if they fail in that crucial duty and data leak out, as he puts it.

“We’re also working with a really big payments company, one of the biggest in the world — and one of the four major banks in the U.S.,” he adds. “We’re more appealing to the more traditional sectors that keep a lot of IP and have a lot of value in remotely controlled malware.”

In terms of installation, Metapacket’s system is installed like a firewall at the edge of the network — “just like any other proxy”. The software can also be implemented on premise or off premise, as a subscription solution.