Tom Hartig Check Point Software Technologies August 13th, 2015

BREAKING Malware: Preventing the next breach or discovering the one currently underway. [Restricted] ONLY for designated groups and individuals

Networks need protection against ALL types of threats [Protected] Non-confidential content

An Ever-Changing Threat Landscape. Every year threats are becoming MORE SOPHISTICATED and MORE FREQUENT. Timeline from the slide, 1997 to 2014: viruses and worms; adware and spyware; DDoS and APTs; ransomware, hacktivism and state-sponsored industrial espionage; next-gen APTs (mass APT tools) utilizing web infrastructures (DWS). Volume over the same period: 1,300 known viruses (1997), 50,000 known viruses, 100,000+ malware variants daily (2014).

“There are known knowns; there are things we know we know. We also know there are known unknowns; that is to say, we know there are some things we do not know. But there are also unknown unknowns – the ones we don’t know we don’t know.” — Donald Rumsfeld, 2002

Symantec says “Anti-virus is DEAD”: modern anti-virus software only stops ~45% of attacks on computers. Source: http://www.theregister.co.uk/2014/05/06/symantec_antivirus_is_dead_and_not_a_moneymaker/

Cat and Mouse: the Known Unknown. Attackers evade signature-based detection by obfuscating the attacks and creating attack variants, so a signature written for one sample does not match the next.

Time it takes to learn the root cause of an attack. Source: Ponemon, Threat Intelligence & Incident Response: A Study of U.S. & EMEA Organizations, February 2014.

PREDICTIVE INTELLIGENCE: infection timeline. Infection at 9:15AM. What happened before? What happened after? Are there similar infection attempts in my network?

Endpoint Forensics. Other hosts with Apploader.exe:

Host          Create Date   Was used?
David-X230    23/5/2014     Yes
John-S220-2   27/5/2014     No
Leo-F543-1

Infection chain shown in the diagram: infection via web; new file created; open connection; download files; access C&C; sending files. Files on the chain: Customer.doc, Caller.exe, Apploader.exe, Wupdater.exe, DocChecker.exe. Domains on the chain: 77rip.com, www.keys4all.com, W2ol.com, Zeus.com, 77.rip.com.
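The two slides above pose the questions an endpoint forensics backend has to answer: what happened on the host before and after the 9:15 infection, and which other hosts hold the same dropped file and whether it ever ran. The Python below is an added example and not Check Point's code; the telemetry records are constructed to mirror the slide's diagram (host names, file names and domains taken from it, the events themselves invented), and the record layout (host, timestamp, event type, detail) is an assumption.

```python
"""Added example (not Check Point code): infection timeline and host pivot
over constructed endpoint telemetry modelled on the slide's diagram."""
from datetime import datetime, timedelta

TS_FMT = "%Y-%m-%d %H:%M:%S"

# Constructed telemetry: (host, timestamp, event_type, detail). Host, file and
# domain names come from the slide; the individual events are invented.
EVENTS = [
    ("David-X230", "2014-05-23 09:12:40", "web_download", "Customer.doc"),
    ("David-X230", "2014-05-23 09:14:10", "process_start", "Caller.exe"),
    ("David-X230", "2014-05-23 09:15:00", "infection", "Apploader.exe"),
    ("David-X230", "2014-05-23 09:15:05", "file_create", "Apploader.exe"),
    ("David-X230", "2014-05-23 09:15:30", "connection", "www.keys4all.com"),
    ("David-X230", "2014-05-23 09:16:00", "file_create", "Wupdater.exe"),
    ("David-X230", "2014-05-23 09:16:20", "process_start", "Apploader.exe"),
    ("David-X230", "2014-05-23 09:40:00", "connection", "77rip.com"),
    ("David-X230", "2014-05-23 13:00:00", "process_start", "notepad.exe"),
    ("John-S220-2", "2014-05-27 11:02:00", "file_create", "Apploader.exe"),
    ("Leo-F543-1", "2014-05-28 08:30:00", "file_create", "Apploader.exe"),
    ("Leo-F543-1", "2014-05-28 08:31:00", "process_start", "Apploader.exe"),
]


def parse(events):
    """Convert the timestamp strings to datetimes, keeping event order."""
    return [(h, datetime.strptime(ts, TS_FMT), et, d) for h, ts, et, d in events]


def infection_timeline(events, host, infection_at, window=timedelta(hours=1)):
    """Events on `host` within `window` of the infection, split into before/after.
    `infection_at` is a TS_FMT string; the infection marker itself is excluded."""
    t0 = datetime.strptime(infection_at, TS_FMT)
    before, after = [], []
    for h, ts, et, d in parse(events):
        if h != host or et == "infection" or abs(ts - t0) > window:
            continue
        (before if ts < t0 else after).append((ts.strftime("%H:%M:%S"), et, d))
    return before, after


def pivot_on_artifact(events, artifact):
    """Other hosts with the same artifact: first create date and whether it ever ran."""
    hosts = {}
    for h, ts, et, d in sorted(parse(events), key=lambda e: e[1]):
        if d != artifact:
            continue
        rec = hosts.setdefault(h, {"created": None, "was_used": False})
        if et == "file_create" and rec["created"] is None:
            rec["created"] = ts.strftime("%d/%m/%Y")
        if et == "process_start":
            rec["was_used"] = True
    return hosts


if __name__ == "__main__":
    before, after = infection_timeline(EVENTS, "David-X230", "2014-05-23 09:15:00")
    print("before:", before)
    print("after:", after)
    for host, rec in pivot_on_artifact(EVENTS, "Apploader.exe").items():
        print(host, rec)
```

The pivot is the "predictive" half: a host where the file was created but never executed (John-S220-2 in the constructed data) is an infection attempt that has not yet become an infection, and can be cleaned before it does.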

Building Blocks of Advanced Threat Prevention: IPS (pre-infection) stops exploits of known vulnerabilities; Antivirus (pre-infection) blocks download of known malware-infested files; Anti-Bot (post-infection) detects and prevents bot damage; Threat Emulation and Extraction (pre-infection) stop zero-day and unknown malware in files.

WOULD YOU OPEN THIS ATTACHMENT?

Exploiting Zero-Day Vulnerabilities: “nearly 200,000 new malware samples appear around the world each day” (net-security.org, June 2013).

What is Threat Emulation or Sandboxing? A safe environment to evaluate suspicious files.

Check Point Threat Emulation STOPS Undiscovered Attacks: inspect file, emulate, turn the unknown into known, prevent.

3. EMULATE: run the files and identify abnormal behavior on Windows XP, 7, 8 and customer images, monitoring the file system, registry, connections and processes. Unique anti-evasion technologies.

4. PREVENT: inline BLOCKING of malicious files on the Security Gateway, a prevention-based approach.

5. Turn the Unknown into KNOWN: automatic signature creation for ThreatCloud, giving collaborative protection through ThreatCloud™.

Next Generation Zero-Day Protection: NG Threat Emulation + Threat Extraction.

Known Unknown, Back Again! Hackers develop techniques to evade sandboxing / threat emulation products: delays, so the malware only operates after XX hours (and simply accelerating the clock won’t work); malware that executes only on shutdown/restart; malware that detects virtual environments and does not work in them; malware that looks for human behavior before operating. Evasion is code that comes together with the malware, but executes first.
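As an added example (not Check Point's emulation engine), the Python below classifies an emulation run from its API-call trace: it scores the behaviour the emulator is said to monitor (file system, registry, connections, processes) and separately flags the evasion tricks listed above (long delays bracketed by clock checks, virtual-environment probes, waiting for mouse activity, deferring the payload to shutdown). The traces are constructed, and the `Name(args)` trace syntax and the five-minute sleep threshold are assumptions. The point of the split is in the verdict: a sample that only probes the sandbox and then exits is reported as evasive rather than clean.

```python
"""Added example (not Check Point code): classify an emulation run from a
constructed API-call trace, separating payload behaviour from sandbox evasion."""
import re

CALL_RE = re.compile(r"^(\w+)\((.*)\)$")          # assumed trace syntax: Name(args)
VM_MARKERS = ("VBOX", "VMWARE", "QEMU", "XEN", "VIRTUAL")
LONG_SLEEP_MS = 5 * 60 * 1000                      # assumed threshold


def parse_trace(lines):
    """Turn 'Name(args)' lines into (name, args) tuples; ignore anything else."""
    calls = []
    for line in lines:
        m = CALL_RE.match(line.strip())
        if m:
            calls.append((m.group(1), m.group(2)))
    return calls


def evasion_findings(calls):
    names = [n for n, _ in calls]
    found = set()
    for i, (name, args) in enumerate(calls):
        if name == "Sleep" and int(args) >= LONG_SLEEP_MS:
            found.add("long_sleep")
            # Tick reads on both sides of the sleep: the sample measures whether the
            # sandbox skipped or accelerated the delay, so fast-forwarding the clock shows.
            if "GetTickCount" in names[max(0, i - 3):i] and "GetTickCount" in names[i + 1:i + 4]:
                found.add("clock_acceleration_check")
        if name in ("RegOpenKeyEx", "RegQueryValueEx") and any(k in args.upper() for k in VM_MARKERS):
            found.add("vm_artifact_check")
        if name == "RegSetValueEx" and "\\SHUTDOWN\\" in args.upper():
            found.add("runs_on_shutdown")        # payload deferred to shutdown/restart
    if names.count("GetCursorPos") >= 3 or "GetLastInputInfo" in names:
        found.add("waits_for_human_activity")
    return found


def behavior_findings(calls):
    found = set()
    for name, args in calls:
        upper = args.upper()
        if name == "CreateFile" and upper.endswith(".EXE"):
            found.add("drops_executable")
        if name == "RegSetValueEx" and "\\CURRENTVERSION\\RUN" in upper:   # Run and RunOnce
            found.add("registry_persistence")
        if name in ("InternetConnect", "connect"):
            found.add("outbound_connection")
        if name == "CreateProcess":
            found.add("spawns_process")
    return found


def verdict(trace_lines):
    calls = parse_trace(trace_lines)
    evasion, behavior = evasion_findings(calls), behavior_findings(calls)
    if behavior:
        return "malicious", evasion, behavior
    if evasion:
        # Evasion with no payload observed is not "clean": the sample most likely
        # recognised the sandbox and refused to run, which is itself a signal.
        return "suspicious_evasive", evasion, behavior
    return "no_findings", evasion, behavior


# Constructed traces.
TRACE_EVASIVE_THEN_PAYLOAD = [
    "GetTickCount()",
    "Sleep(900000)",
    "GetTickCount()",
    r"RegOpenKeyEx(HKLM\HARDWARE\ACPI\DSDT\VBOX__)",
    "GetCursorPos()", "GetCursorPos()", "GetCursorPos()",
    r"CreateFile(C:\Users\x\AppData\Local\Temp\Apploader.exe)",
    r"RegSetValueEx(HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\upd)",
    "InternetConnect(www.keys4all.com:443)",
    r"CreateProcess(C:\Users\x\AppData\Local\Temp\Apploader.exe)",
]
TRACE_BAILS_OUT = ["GetTickCount()", "Sleep(600000)", "GetTickCount()", "ExitProcess(0)"]
TRACE_SHUTDOWN_TRIGGER = [
    r"RegSetValueEx(HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Shutdown\0\0\Script)",
]
TRACE_BENIGN = [r"CreateFile(C:\Users\x\Documents\report.docx)", "Sleep(100)"]

if __name__ == "__main__":
    for name, trace in [("evasive+payload", TRACE_EVASIVE_THEN_PAYLOAD), ("bails out", TRACE_BAILS_OUT),
                        ("shutdown trigger", TRACE_SHUTDOWN_TRIGGER), ("benign", TRACE_BENIGN)]:
        print(name, verdict(trace))
```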

Attack Infection Flow: VULNERABILITY, trigger an attack through unpatched software or a zero-day vulnerability; EXPLOIT, bypass the CPU and OS security controls using exploitation methods; SHELLCODE, activate an embedded payload to retrieve the malware; MALWARE, run malicious code.

Attack Infection Flow: DETECT THE ATTACK BEFORE IT BEGINS. Along the chain the numbers differ by orders of magnitude: thousands of vulnerabilities, a handful of exploitation methods, thousands of shellcode variants, and millions of malware samples plus their evasion code. Identify the exploit itself instead of looking for the evasive malware.

Why does an attack need to start with exploitation? What the OS does: DEP (Data Execution Prevention, since Windows XP SP2) means the processor will only run code in memory marked as executable, so injected shellcode sitting in a data region cannot simply be jumped to. What the attackers do: re-use pieces of legitimate executable code that are already loaded. ROP (return-oriented programming) is the most popular exploitation technique: examine code known to be loaded when the exploit is activated, search for useful gadgets (short pieces of code immediately followed by a flow-control opcode such as ret), and bypass DEP by chaining gadgets as code primitives.
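The gadget search described above, as an added example rather than anything from the presentation: the Python below scans a constructed x86-64 code buffer for every 0xC3 (ret) byte, decodes backwards over a small instruction subset (pop r64 with or without a REX prefix, nop, syscall) so the example needs no disassembler, and records every suffix as a gadget. It then assembles a return-oriented call of a two-argument function from those addresses only, which is what "using gadgets as code primitives" means in practice. The load address is an assumption. Note the mov eax, 0xC35F instruction: its immediate bytes contain a second, unintended pop rdi; ret, which is why gadget finders treat every 0xC3 as a candidate regardless of instruction boundaries.

```python
"""Added example (not Check Point code): ROP gadget search over a constructed
x86-64 code buffer, plus a chain that calls a function without injected code."""
import struct

BASE = 0x7FF6_1000_0000          # assumed load address of the "module"
POP64 = ["rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi"]
POP64_EXT = ["r8", "r9", "r10", "r11", "r12", "r13", "r14", "r15"]   # with REX.B (0x41)

# Constructed .text bytes; comments give the intended disassembly.
TEXT = bytes([
    0x55,                           # push rbp
    0x48, 0x89, 0xE5,               # mov rbp, rsp
    0x5F, 0xC3,                     # pop rdi ; ret
    0x5E, 0x5A, 0xC3,               # pop rsi ; pop rdx ; ret
    0xB8, 0x5F, 0xC3, 0x00, 0x00,   # mov eax, 0xC35F  (immediate hides an unintended "pop rdi ; ret")
    0x41, 0x5C, 0xC3,               # pop r12 ; ret
    0x90, 0x90, 0xC3,               # nop ; nop ; ret
    0x0F, 0x05, 0xC3,               # syscall ; ret
])


def decode_back(code, ret_off, max_insns):
    """Walk backwards from a ret byte, returning (text, start_offset) for each
    instruction in the supported subset, nearest to the ret first. Stops at the
    first byte that cannot be decoded."""
    insns, i = [], ret_off
    while len(insns) < max_insns and i > 0:
        b = code[i - 1]
        if 0x58 <= b <= 0x5F and i >= 2 and code[i - 2] == 0x41:
            i -= 2
            insns.append(("pop " + POP64_EXT[b - 0x58], i))
        elif 0x58 <= b <= 0x5F:
            i -= 1
            insns.append(("pop " + POP64[b - 0x58], i))
        elif b == 0x90:
            i -= 1
            insns.append(("nop", i))
        elif i >= 2 and code[i - 2:i] == b"\x0F\x05":
            i -= 2
            insns.append(("syscall", i))
        else:
            break
    return insns


def find_gadgets(code, base=BASE, max_insns=3):
    """Map gadget text -> list of addresses. Every 0xC3 byte is a candidate ret,
    whether or not the compiler meant it as one; every suffix of the decoded run
    that ends in that ret is a separate gadget."""
    gadgets = {}
    for off, b in enumerate(code):
        if b != 0xC3:
            continue
        gadgets.setdefault("ret", []).append(base + off)
        insns = decode_back(code, off, max_insns)
        for k in range(1, len(insns) + 1):
            text = "; ".join(t for t, _ in reversed(insns[:k])) + "; ret"
            gadgets.setdefault(text, []).append(base + insns[k - 1][1])
    return gadgets


def build_chain(gadgets, target, rdi, rsi):
    """Return-oriented call of target(rdi, rsi) with DEP enforced: the stack holds
    only addresses of existing code plus data, never injected instructions."""
    chain = [
        gadgets["pop rdi; ret"][0], rdi,
        gadgets["pop rsi; pop rdx; ret"][0], rsi, 0,   # 0 is filler for the extra pop rdx
        target,
    ]
    return struct.pack("<%dQ" % len(chain), *chain)


if __name__ == "__main__":
    for text, addrs in sorted(find_gadgets(TEXT).items()):
        print("%-24s %s" % (text, ", ".join(hex(a) for a in addrs)))
```

This is also why CPU-level detection looks where it does: whatever the payload is, the chain above has to execute as a run of ret instructions transferring control into the middle of legitimate functions, a pattern that is visible in the instruction stream before any malware or evasion code has run.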

CPU-Level Threat Emulation detects the exploitation. OS-level threat emulation watches the applications and the operating system (Windows, Mac OS, etc.); CPU-level threat emulation uses the latest CPU-interfacing technologies to monitor CPU-level instructions for exploits attempting to bypass the OS security controls.

CPU-Level Threat Emulation: highest accuracy, because detection is outright rather than based on heuristics or statistics; evasion-proof, because detection occurs before any evasion code can be applied; efficient and fast, because the CPU-level technology identifies the attack in its infancy; OS independent, because detection occurs at the CPU level.

Check Point Next Gen Threat Emulation = OS-level + CPU-level: fastest, highest catch rate, advanced detection, evasion resistant.

Threat Extraction

How can we further reduce the attack surface? Antivirus catches known or old malware; NG Threat Emulation detects unknown or zero-day malware; what remains short of 100% is a possible security gap.

Addressing the possible security gap: Threat Extraction. Proactively REMOVE potentially malicious objects from ALL incoming attachments, eliminating any remaining threats. 100% of incoming attachments go through Threat Extraction, whether malicious or not.

How does Threat Extraction work? The Security Gateway with the Threat Extraction Software Blade RECONSTRUCTS DOCUMENTS, removing embedded objects, macros and JavaScript code, and sensitive hyperlinks. User examples: HR receiving CVs, purchasing receiving quotes, data from untrusted websites.

Threat Extraction Statistics, tested on thousands of recently discovered malicious files. Removing active content from the file (such as macros and embedded objects): cleaned 93% of the files, average cleaning time 0.3 seconds per document. Converting the file to PDF: cleaned 100%, average conversion time 5 seconds.

Configurable Content Removal for original-format documents. The administrator establishes the removal policy: macros or JavaScript, embedded objects, external links, document properties.
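As an added example of the reconstruction step (not Check Point's Threat Extraction implementation), the Python below takes a macro-enabled Word document and rebuilds it under the policy on the slide: the VBA project and embedded OLE parts are dropped, external hyperlinks are unwrapped to their visible text, the document-properties part is removed, and the relationship and content-type manifests are rewritten so the result is a consistent plain .docx rather than a .docm with dangling references. The sample .docm is constructed inline from minimal OOXML parts; the part names follow the Open XML package conventions, the POLICY keys are assumptions, and removing docProps wholesale is a shortcut (a production tool would blank the fields instead).

```python
# Added example (not Check Point code): policy-driven active-content removal
# from an OOXML package. The sample document is constructed inline.
import io
import re
import zipfile

POLICY = {"macros": True, "embedded_objects": True, "external_links": True, "document_properties": True}
MACRO_MAIN = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_MAIN = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
REL_RE = re.compile(r"<Relationship\b[^>]*/>")
OVERRIDE_RE = re.compile(r"<Override\b[^>]*/>")
OBJECT_RE = re.compile(r"<w:object\b[^>]*>.*?</w:object>", re.S)


def build_sample_docm():
    """Constructed .docm: VBA project, embedded OLE object, external link, author metadata."""
    parts = {
        "[Content_Types].xml": "".join([
            '<Types><Default Extension="xml" ContentType="application/xml"/>',
            '<Default Extension="bin" ContentType="application/vnd.ms-office.vbaProject"/>',
            f'<Override PartName="/word/document.xml" ContentType="{MACRO_MAIN}"/>',
            '<Override PartName="/word/embeddings/oleObject1.bin" ContentType="application/vnd.openxmlformats-officedocument.oleObject"/>',
            '<Override PartName="/docProps/core.xml" ContentType="application/vnd.openxmlformats-package.core-properties+xml"/></Types>']),
        "_rels/.rels": "".join([
            '<Relationships><Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument" Target="word/document.xml"/>',
            '<Relationship Id="rId2" Type="http://schemas.openxmlformats.org/package/2006/relationships/metadata/core-properties" Target="docProps/core.xml"/></Relationships>']),
        "word/_rels/document.xml.rels": "".join([
            '<Relationships><Relationship Id="rId1" Type="http://schemas.microsoft.com/office/2006/relationships/vbaProject" Target="vbaProject.bin"/>',
            '<Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" Target="embeddings/oleObject1.bin"/>',
            '<Relationship Id="rId3" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink" Target="http://www.keys4all.com/login" TargetMode="External"/></Relationships>']),
        "word/document.xml": "".join([
            '<w:document><w:body><w:p><w:r><w:t>Quote attached.</w:t></w:r>',
            '<w:r><w:object><o:OLEObject r:id="rId2"/></w:object></w:r>',
            '<w:hyperlink r:id="rId3"><w:r><w:t>Review it here</w:t></w:r></w:hyperlink></w:p></w:body></w:document>']),
        "word/vbaProject.bin": b"\xd0\xcf\x11\xe0 constructed VBA storage",
        "word/embeddings/oleObject1.bin": b"\xd0\xcf\x11\xe0 constructed OLE payload",
        "docProps/core.xml": "<cp:coreProperties><dc:creator>alice</dc:creator></cp:coreProperties>",
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in parts.items():
            z.writestr(name, data)
    return buf.getvalue()


def drop_part(name, policy):
    """Whole-part policy decision."""
    return ((policy["macros"] and name in ("word/vbaProject.bin", "word/vbaData.xml"))
            or (policy["embedded_objects"] and name.startswith("word/embeddings/"))
            or (policy["document_properties"] and name.startswith("docProps/")))


def scrub_rels(xml, base, policy):
    """Remove relationships to dropped parts and (by policy) external targets.
    Returns the cleaned XML and the ids of the external links that were cut."""
    cut = []

    def keep(m):
        rel = m.group(0)
        rid = re.search(r'\bId="([^"]*)"', rel).group(1)
        target = re.search(r'\bTarget="([^"]*)"', rel).group(1)
        if 'TargetMode="External"' in rel:
            if policy["external_links"]:
                cut.append(rid)
                return ""
            return rel
        return "" if drop_part(base + target, policy) else rel   # targets are relative to the source part
    return REL_RE.sub(keep, xml), cut


def extract(docm_bytes, policy=POLICY):
    """Return (cleaned document bytes, list of removed part names)."""
    src = zipfile.ZipFile(io.BytesIO(docm_bytes))
    removed = [n for n in src.namelist() if drop_part(n, policy)]
    texts = {n: src.read(n).decode("utf-8") for n in src.namelist()
             if n not in removed and (n.endswith(".xml") or n.endswith(".rels"))}
    cut_links = []
    for n in [k for k in texts if k.endswith(".rels")]:
        texts[n], cut = scrub_rels(texts[n], n.split("_rels/")[0], policy)
        if n == "word/_rels/document.xml.rels":
            cut_links = cut
    doc = texts["word/document.xml"]
    for rid in cut_links:   # keep the visible text, drop the link wrapper
        doc = re.sub(r'<w:hyperlink\b[^>]*r:id="%s"[^>]*>(.*?)</w:hyperlink>' % rid,
                     lambda m: m.group(1), doc, flags=re.S)
    if policy["embedded_objects"]:
        doc = OBJECT_RE.sub("", doc)
    texts["word/document.xml"] = doc
    ct = OVERRIDE_RE.sub(lambda m: "" if any(f'PartName="/{r}"' in m.group(0) for r in removed) else m.group(0),
                         texts["[Content_Types].xml"])
    if policy["macros"]:
        ct = ct.replace(MACRO_MAIN, PLAIN_MAIN)   # the result is a plain .docx, not a .docm
    texts["[Content_Types].xml"] = ct
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for n in src.namelist():
            if n not in removed:
                dst.writestr(n, texts.get(n, src.read(n)))
    return out.getvalue(), removed


def list_parts(docx_bytes):
    return sorted(zipfile.ZipFile(io.BytesIO(docx_bytes)).namelist())


def read_part(docx_bytes, name):
    return zipfile.ZipFile(io.BytesIO(docx_bytes)).read(name).decode("utf-8")
```

Rewriting the manifests matters as much as deleting the parts: a package whose [Content_Types].xml or .rels still points at a missing vbaProject.bin is reported as corrupt by Office, which is how a "cleaned" attachment ends up with the user asking for the original.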

Always Maintain Access to Originals.

Check Point Offering: Threat Extraction delivers zero-malware documents in zero seconds; NG Threat Emulation adds visibility on attack attempts and inspection of the original documents.

Threat Extraction/Emulation Demo: https://threatemulation.checkpoint.com/

Zero Second Protection: Industry’s Fastest Threat Emulation.

Test Results for Detecting and Blocking Malware. Check Point: Industry’s Fastest Threat Emulation!

A Real Customer Example.

Live Demo.

Summary: NG Threat Emulation + Threat Extraction.

              NG Threat Emulation    Threat Extraction
BEST          evasion resistant      zero malware
FASTEST       advanced detection     zero-second delivery
STRONGEST     highest catch rate     safe documents

TRY IT NOW! It’s easy and free!

QUESTIONS