Understanding and breaking the cyber kill chain
Peter Sandkuijl, Head of Security Solutions Engineering Europe, psandkuijl@checkpoint.com
[Protected] Non-confidential content
Things we don't know: the growth of the unknown
Malware, CVEs, botnets, exploits, trojans, viruses, bad URLs: there are more and more things we don't know, because there are more and more threats and attackers we don't know. The threat landscape is evolving so fast, with new threats, new techniques, new actors and new targets, that it is impossible to predict with certainty what the next waves of malware will look like. Signatures only cover what is already known; zero-days, APTs and unknown malware fall outside them.
Attacks are more dangerous than ever
Modern threats are strategic, targeted, persistent, multi-stage, sophisticated and evasive.
Simple protections are failing; modern threats require a sophisticated defense strategy.
Planning and executing a cyber attack
Planning the attack (weeks in advance): look for potential victims; collect relevant social data; build, find or buy the weapon of choice (exploit kit, malware package); adapt it to specific needs; package it for delivery.
Getting in (within seconds): bypass detection; convince the victim to open the crafted file; bypass system security controls; install the malware.
Carrying out the attack (from here on): wait for the malware to "call home"; instruct it what to do on the victim's computer; continuously monitor its progress.
The cyber kill chain
Reconnaissance: identify the target and exploitable weaknesses.
Weaponization: create or select the attack vector.
Delivery: deliver the malicious payload to the victim.
Exploitation: gain execution privileges.
Installation: install the malware on the infected host.
Command & Control: establish a channel of communication.
Act on Objectives: data collection or corruption, lateral movement and exfiltration.
[Restricted] ONLY for designated groups and individuals
Simple attack timeline: Australian ransomware
Recon: locate email addresses.
Weapon: create an infected PDF.
Delivery: send a spoofed email with the PDF.
Exploit: victim double-clicks the attachment.
Install: Cryptolocker installed.
C&C: key obtained from the C&C server.
Act on: files gradually encrypted.
Some kill-chain steps take hours or even weeks, while others take mere seconds.
How does one buy an attack?
Images from: www.deepdarkweb.com
Very generous indemnity program: $0
334 listings for "software & malware"
Images from: www.deepdarkweb.com
Don't forget to read user reviews
And then there are Exploit Kit-as-a-Service (EaaS) sites
Method example: Angler
Exploit delivery service: web-connected servers with WordPress vulnerabilities, operated as an exploit kit.
Users connect to a site (by browsing, a link in an email or an integrated domain call); their machines are scanned for vulnerabilities; exploits lead to a malware drop: TeslaCrypt, Locky, Dridex…
Each site leads to multiple destinations, some of them unintended.
Let's say you go to your favorite site… You're actually going to many more places.
Your unintended destinations aren't necessarily evil… but they can be.
Let's take a look at how Angler leverages Silverlight
Looks for Silverlight version 4.0.50524.0. Tells itself to… Pulls the upgrade file from… That's the location of the dropper, which leads to the ransomware.
The outcome is the same
It's time to break the chain
Successful defense strategy
Pre-compromise (Reconnaissance, Weaponization, Delivery), compromise (Exploitation) and post-compromise (Installation, Command & Control, Act on Objectives).
Apply protection for EACH of the stages: no single-step protection is enough; tackle attackers at each stage of their attack.
Strong preventive defense BEFORE infection: prevention is the most cost-effective form of protection; protect against the devastating cost of a successful attack.
Effective POST-compromise defense: damage and cost are proportional to time; minimize the time it takes to detect and contain attacks.
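The two rules on this slide (cover every stage; if prevention fails, minimize time to detect and contain) can be checked against a concrete attack. The script below is an added example, not Check Point's code: it takes the seven kill-chain stages from the deck, a constructed timeline loosely following the ransomware slide, and a constructed set of controls (which product sits at which stage is an assumption for illustration), then reports the earliest stage at which a preventive control breaks the chain, the dwell time between compromise and first detection when nothing prevents it, and the stages left with no control at all.

```python
"""Kill-chain coverage check.

Added example (not Check Point code): given the seven kill-chain stages
from the slides, a constructed attack timeline and a constructed list of
controls, find the earliest stage where a preventive control breaks the
chain, or else the dwell time between compromise and first detection.
Control-to-stage placements below are assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

STAGES = ["Reconnaissance", "Weaponization", "Delivery", "Exploitation",
          "Installation", "Command & Control", "Act on Objectives"]
# The slide puts Exploitation in the "Compromise" column; later stages are post-compromise.
COMPROMISE_STAGE = "Exploitation"


@dataclass(frozen=True)
class Event:
    stage: str
    when: datetime
    description: str


@dataclass(frozen=True)
class Control:
    stage: str
    name: str
    prevents: bool  # True: blocks the stage outright; False: detects only


def analyse(timeline, controls):
    """Walk the attack in time order and apply the controls placed at each stage.

    Returns a dict with 'outcome' in {'prevented', 'detected', 'missed'},
    the stage and control involved, and 'dwell': time from compromise to the
    first detection (zero when detection happens before compromise).
    """
    for ev in timeline:
        if ev.stage not in STAGES:
            raise ValueError(f"unknown stage: {ev.stage}")
    by_stage = {}
    for c in controls:
        by_stage.setdefault(c.stage, []).append(c)
    compromise_time = None
    detection = None
    for ev in sorted(timeline, key=lambda e: e.when):
        if ev.stage == COMPROMISE_STAGE and compromise_time is None:
            compromise_time = ev.when
        for c in by_stage.get(ev.stage, []):
            if c.prevents:
                # Chain broken here: the later stages never happen.
                return {"outcome": "prevented", "stage": ev.stage,
                        "control": c.name, "dwell": timedelta(0)}
            if detection is None:
                detection = (ev, c)  # remember the first detect-only hit
    if detection is None:
        return {"outcome": "missed", "stage": None, "control": None, "dwell": None}
    ev, c = detection
    dwell = timedelta(0)
    if compromise_time is not None and ev.when > compromise_time:
        dwell = ev.when - compromise_time
    return {"outcome": "detected", "stage": ev.stage, "control": c.name, "dwell": dwell}


def uncovered_stages(controls):
    """Stages with no control at all: gaps against the 'protect EACH stage' rule."""
    covered = {c.stage for c in controls}
    return [s for s in STAGES if s not in covered]


# Constructed timeline, loosely following the ransomware slide: planning
# takes days, getting in takes minutes, encryption follows within hours.
T0 = datetime(2016, 3, 1, 9, 0)
SAMPLE_TIMELINE = [
    Event("Reconnaissance", T0, "locate email addresses"),
    Event("Weaponization", T0 + timedelta(days=2), "create an infected PDF"),
    Event("Delivery", T0 + timedelta(days=6), "spoofed email with PDF"),
    Event("Exploitation", T0 + timedelta(days=6, minutes=5), "victim opens attachment"),
    Event("Installation", T0 + timedelta(days=6, minutes=6), "ransomware installed"),
    Event("Command & Control", T0 + timedelta(days=6, minutes=7), "key fetched from C&C"),
    Event("Act on Objectives", T0 + timedelta(days=6, hours=2), "files encrypted"),
]

# Constructed control sets; the stage each product is placed at is an assumption.
DETECT_ONLY_CONTROLS = [
    Control("Command & Control", "Anti-Bot (detect mode)", prevents=False),
    Control("Act on Objectives", "Forensics", prevents=False),
]
LAYERED_CONTROLS = DETECT_ONLY_CONTROLS + [
    Control("Delivery", "Threat Emulation", prevents=True),
    Control("Exploitation", "IPS", prevents=True),
]

if __name__ == "__main__":
    for name, ctrls in [("detect-only", DETECT_ONLY_CONTROLS), ("layered", LAYERED_CONTROLS)]:
        r = analyse(SAMPLE_TIMELINE, ctrls)
        print(name, r["outcome"], r["stage"], r["control"], r["dwell"])
        print("  uncovered stages:", uncovered_stages(ctrls))
```

With only post-compromise, detect-only controls the attack is noticed at the C&C step, two minutes after exploitation, with five stages entirely uncovered; adding a preventive control at Delivery breaks the chain before any compromise and the dwell time is zero, which is the "prevention before infection" point of the slide made measurable.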
Successful defense with Check Point
Protections are placed across the pre-compromise, compromise and post-compromise stages (Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command & Control, Act on Objectives): IPS, Threat Intelligence, Firewall, Anti-Virus, Anti-Bot, DLP, Anti-Spam, Endpoint Security, Document Security, URL Filtering, Threat Emulation, Threat Extraction, Forensics and Mobile Threat Prevention.
Intelligence: extensive research; collaboration with industry-leading services; sharing across the user community.
Detection: multi-layer architecture; evasion-resistant detection; best catch rate.
Prevention: proactive, practical prevention; effective containment; clear visibility and insight.
Protect from the unknown
Threat Emulation: evasion-resistant sandboxing at CPU and OS level.
Threat Extraction: quick delivery of safe, reconstructed content.
Accelerate response to infections
Prevent & contain: detect and block malicious infections and activity.
Respond & remediate: automated forensic analysis for effective response.
One console to manage everything
With one console, security teams can manage all aspects of security, from policy to threat prevention, across their entire organization, in both physical and virtual environments. You gain operational efficiency, simplify management, and avoid overlapping policies and redundant configurations. Lower maintenance costs and fewer labor hours mean a lower TCO.
One console, one policy.
community.checkpoint.com: ask questions, share code, stay up to date. Customers, partners, experts.
Thank you