BREAKING Malware: Preventing the next breach or discovering the one currently underway
Tom Hartig, Check Point Software Technologies, August 13th, 2015
[Restricted] ONLY for designated groups and individuals
Networks need protection against ALL types of threats [Protected] Non-confidential content
An Ever-Changing Threat Landscape
Every year threats are becoming MORE SOPHISTICATED and MORE FREQUENT.
Timeline (1997, 2004, 2007, 2010, 2014): viruses and worms; adware and spyware; DDoS and APTs; ransomware, hacktivism and state-sponsored industrial espionage; next-gen APTs (mass APT tools) utilizing web infrastructures (DWS).
Volume over the same period: from 1,300 known viruses, to 50,000 known viruses, to 100,000+ malware variants daily.
“There are known knowns; there are things we know we know. We also know there are known unknowns; that is to say, we know there are some things we do not know. But there are also unknown unknowns – the ones we don’t know we don’t know.” — Donald Rumsfeld, 2002
Symantec says… “Anti-virus is DEAD”
Modern anti-virus software only stops ~45% of attacks on computers.
Source: http://www.theregister.co.uk/2014/05/06/symantec_antivirus_is_dead_and_not_a_moneymaker/
Cat and Mouse: Known Unknown
Attackers evade signature-based detection by obfuscating the attacks and creating attack variants.
Time it takes to learn the root cause of an attack
Source: Ponemon, Threat Intelligence & Incident Response: A Study of U.S. & EMEA Organizations, February 2014
PREDICTIVE INTELLIGENCE: Infection Timeline
Infection at 9:15AM. What happened before? What happened after? Are there similar infection attempts in my network?
Endpoint Forensics
Other hosts with Apploader.exe:
Host          Create Date   Was used?
David-X230    23/5/2014     Yes
John-S220-2   27/5/2014     No
Leo-F543-1
[Infection chain diagram; stages shown: Infection via Web, New file created, Open connection, Download files, Access C&C, Sending files. Nodes shown: 77.rip.com, www.keys4all.com, Caller.exe, W2ol.com, Apploader.exe, Wupdater.exe, DocChecker.exe, Zeus.com, Customer.doc, 77rip.com]
[Restricted] ONLY for designated groups and individuals
Building Blocks of Advanced Threat Prevention
- IPS (pre): stops exploits of known vulnerabilities
- Antivirus (pre): blocks download of known malware-infested files
- Anti-Bot (post): detects and prevents bot damage
- Threat Emulation and Extraction (pre): stops zero-day and unknown malware in files
WOULD YOU OPEN THIS ATTACHMENT?
Exploiting Zero-Day Vulnerabilities
“nearly 200,000 new malware samples appear around the world each day” - net-security.org, June 2013
What is Threat Emulation or Sandboxing? A safe environment to evaluate suspicious files.
Check Point Threat Emulation STOPS Undiscovered Attacks
INSPECT FILE -> EMULATE -> TURN TO KNOWN -> PREVENT
3. EMULATE: RUN files and identify abnormal behavior (file system, registry, connections, processes)
Windows XP, 7, 8 and customer images. Unique anti-evasion technologies.
4. PREVENT: inline BLOCKING of malicious files on the Security Gateway
Prevention-based approach.
5. Turn the Unknown into KNOWN: automatic signature creation for ThreatCloud
Collaborative protection through ThreatCloud™.
Next Generation Zero-Day Protection: NG Threat Emulation + Threat Extraction
Known Unknown Back Again!
HACKERS develop techniques to evade sandboxing / threat emulation products:
- Delays: malware that only operates after XX hours (accelerating the clock won’t work…)
- Malware that executes on shutdown/restart
- Malware that detects virtual environments and does not work in them
- Malware that looks for human behavior before operating
Evasion is code that comes together with the malware, but executes first…
Attack Infection Flow
1. VULNERABILITY: trigger an attack through unpatched software or a zero-day vulnerability
2. EXPLOIT: bypass the CPU and OS security controls using exploitation methods
3. SHELLCODE: activate an embedded payload to retrieve the malware
4. MALWARE: run malicious code
Attack Infection Flow: DETECT THE ATTACK BEFORE IT BEGINS
Identify the exploit itself instead of looking for the evasive malware.
Number of variants at each stage: VULNERABILITY: thousands; EXPLOIT: a handful; SHELLCODE: thousands; MALWARE (with EVASION CODE): millions.
Why does an attack need to start with exploitation?
What the OS does: DEP (Data Execution Prevention, since XP SP2). The processor will only run code marked as executable.
What the attackers do: re-use pieces of legitimate executable code that are already loaded. ROP (return-oriented programming) is the most popular exploitation technique: examine code known to be loaded when the exploit is activated; search for useful gadgets, short pieces of code immediately followed by a flow-control opcode; bypass DEP by using gadgets as code primitives.
CPU-Level Threat Emulation Detects the Exploitation
[Layer diagram: Applications; Operating System (Windows, Mac OS, etc.), where OS-level threat emulation operates; CPU, where CPU-level threat emulation operates]
Uses the latest CPU-interfacing technologies. Monitors CPU-based instructions for exploits attempting to bypass OS security controls.
CPU-Level Threat Emulation
- Highest accuracy: detection is outright, not based on heuristics or statistics
- Evasion-proof: detection occurs before any evasion code can be applied
- Efficient and fast: CPU-level technology identifies the attack in its infancy
- OS independent: detection occurs at the CPU level
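The DEP/ROP slides describe exploits that reuse already-loaded code through gadgets, and the CPU-level slides describe watching instruction-level control flow for that behaviour. The Python below is an added illustration, not Check Point's CPU-level engine (which the deck says works outright rather than by heuristics), of one classic instruction-level check from the research literature: a RET that lands on an address not immediately preceded by a CALL is abnormal, and a run of such RETs separated by only a few instructions is the shape of a gadget chain. The byte map, the RetEvent trace records, every address and the thresholds max_gadget_len and min_chain are all constructed for this example.

```python
"""Added example: a simplified, trace-based ROP check (not Check Point's
CPU-level engine). Input is a constructed record of RET instructions taken
by a process plus a constructed byte map of the code that was loaded."""
from dataclasses import dataclass

CALL_REL32 = 0xE8   # E8 rel32: 5-byte direct CALL
CALL_IND = 0xFF     # FF /2: indirect CALL, ModRM.reg == 2


@dataclass
class RetEvent:
    """One RET executed by the monitored process (constructed trace record)."""
    ret_at: int                 # address of the RET instruction
    target: int                 # address the RET transferred control to
    insns_since_last_ret: int   # instructions run since the previous RET


def is_call_preceded(code, target):
    """True if the bytes just before `target` decode as a CALL.
    A legitimate RET returns to the instruction after the CALL that pushed
    its return address; a gadget's RET normally does not."""
    if code.get(target - 5) == CALL_REL32:
        return True
    modrm = code.get(target - 1)
    return (code.get(target - 2) == CALL_IND and modrm is not None
            and ((modrm >> 3) & 7) == 2)


def detect_rop_chain(code, trace, max_gadget_len=5, min_chain=3):
    """Return (True, address_of_ret) on the first run of `min_chain`
    consecutive RETs that each end a fragment of at most `max_gadget_len`
    instructions and land on a non-call-preceded address; else (False, None).
    Both thresholds are arbitrary choices for this example."""
    run = 0
    for ev in trace:
        gadget_like = (ev.insns_since_last_ret <= max_gadget_len
                       and not is_call_preceded(code, ev.target))
        run = run + 1 if gadget_like else 0
        if run >= min_chain:
            return True, ev.ret_at
    return False, None


def build_sample_code():
    """Constructed code map: address -> byte. Only the bytes the check
    inspects are filled in."""
    code = {}
    # Application code: a direct CALL at 0x401000 (E8 xx xx xx xx), so a
    # RET landing on 0x401005 is call-preceded.
    code.update({0x401000 + i: b for i, b in enumerate([0xE8, 0, 0, 0, 0, 0x90])})
    # An indirect CALL EAX (FF D0) at 0x401100; a RET to 0x401102 is legitimate.
    code.update({0x401100: 0xFF, 0x401101: 0xD0, 0x401102: 0x90})
    # Library code with gadget-shaped fragments: POP reg; RET (58/5A/59, C3).
    code.update({0x77E01000: 0x58, 0x77E01001: 0xC3,
                 0x77E01200: 0x5A, 0x77E01201: 0xC3,
                 0x77E01400: 0x59, 0x77E01401: 0xC3})
    return code


def benign_trace():
    """Normal execution: every RET returns just after a CALL."""
    return [RetEvent(0x402000, 0x401005, 40),
            RetEvent(0x401234, 0x401005, 3),    # short function, still fine
            RetEvent(0x402500, 0x401102, 12)]


def rop_trace():
    """Constructed chain: the hijacked RET pivots into POP/RET fragments
    that return to one another rather than to call sites."""
    return [RetEvent(0x40305A, 0x77E01000, 30),
            RetEvent(0x77E01001, 0x77E01200, 2),
            RetEvent(0x77E01201, 0x77E01400, 2),
            RetEvent(0x77E01401, 0x77E02000, 2)]


if __name__ == "__main__":
    code = build_sample_code()
    print("benign:", detect_rop_chain(code, benign_trace()))   # (False, None)
    ok, where = detect_rop_chain(code, rop_trace())
    print(f"rop: flagged={ok} at RET {where:#x}")   # flagged=True at RET 0x77e01401
```

The short benign function (three instructions, then RET) is deliberately in the trace: fragment length alone does not raise an alert, only the combination of a short fragment and a return to a non-call site does, which is what separates a gadget chain from ordinary small functions.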
Check Point Next Gen Threat Emulation = OS-Level + CPU-Level
OS-level: FASTEST, HIGHEST CATCH RATE. CPU-level: ADVANCED DETECTION, EVASION RESISTANT.
Threat Extraction
How can we further reduce the attack surface?
ANTIVIRUS catches known or old malware. NG THREAT EMULATION detects unknown or zero-day malware. Between the two and 100% coverage there remains a POSSIBLE SECURITY GAP.
Addressing the possible security gap: Threat Extraction
Proactively REMOVE potential malicious objects from ALL incoming attachments. Eliminates any remaining threats.
100% of all incoming attachments go through Threat Extraction, whether malicious or not.
How Does Threat Extraction Work?
The Security Gateway with the Threat Extraction Software Blade RECONSTRUCTS DOCUMENTS: it removes embedded objects, macros and JavaScript code, and sensitive hyperlinks.
User examples: HR receiving CVs; purchasing receiving quotes; data from untrusted websites.
Threat Extraction Statistics
Tested thousands of recently discovered malicious files.
- Remove active content from the file (such as macros and embedded objects): cleaned 93% of the files; average cleaning time 0.3 seconds per document
- Convert file to PDF: cleaned 100%; average conversion time 5 seconds
Configurable Content Removal for Original-Format Documents
The administrator establishes the removal policy: macros or JavaScript; embedded objects; external links; document properties.
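The two slides above describe reconstructing a document in its original format by removing the active content an administrator's policy names (macros, embedded objects, external links, document properties). The Python below is an added example, not Check Point's Threat Extraction code, of what that removal looks like on an OOXML (.docx/.docm) package using only the standard library: the offending package parts are dropped, the relationship and content-type entries that point at them are scrubbed so the document still opens, and hyperlink wrappers are unwrapped so the visible text survives while the clickable target does not. The sample macro-enabled document, its part contents and the policy dictionary are all constructed here; the part paths and relationship types are the conventional ones Word uses.

```python
"""Added example: a minimal policy-driven 'threat extraction' pass over an
OOXML document. Not Check Point's implementation. The input document is
constructed in memory so the script runs offline."""
import io
import re
import zipfile

DEFAULT_POLICY = {"macros": True, "embedded_objects": True,
                  "external_links": True, "document_properties": True}

MACRO_MAIN_CT = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_MAIN_CT = ("application/vnd.openxmlformats-officedocument."
                 "wordprocessingml.document.main+xml")
PROPERTY_PARTS = {"docProps/core.xml", "docProps/app.xml", "docProps/custom.xml"}


def part_is_blocked(name, policy):
    """Decide whether a package part (zip entry) must be dropped."""
    if policy["macros"] and name.endswith("vbaProject.bin"):
        return True
    if policy["embedded_objects"] and "/embeddings/" in name:
        return True
    return bool(policy["document_properties"] and name in PROPERTY_PARTS)


def scrub_rels(xml, policy):
    """Remove <Relationship/> entries that point at dropped parts or at
    external targets, so nothing references what no longer exists."""
    def keep(m):
        rel = m.group(0)
        if policy["external_links"] and 'TargetMode="External"' in rel:
            return ""
        if policy["macros"] and "vbaProject" in rel:
            return ""
        if policy["embedded_objects"] and "embeddings/" in rel:
            return ""
        if policy["document_properties"] and "docProps/" in rel:
            return ""
        return rel
    return re.sub(r"<Relationship\b[^>]*/>", keep, xml)


def scrub_content_types(xml, removed):
    """Drop <Override/> entries for removed parts and demote a macro-enabled
    main part to the plain document content type."""
    def keep(m):
        entry = m.group(0)
        return "" if any(("/" + p) in entry for p in removed) else entry
    return re.sub(r"<Override\b[^>]*/>", keep, xml).replace(MACRO_MAIN_CT, PLAIN_MAIN_CT)


def extract_threats(docx_bytes, policy=DEFAULT_POLICY):
    """Return (cleaned_docx_bytes, list_of_removed_parts)."""
    src = zipfile.ZipFile(io.BytesIO(docx_bytes))
    removed = [n for n in src.namelist() if part_is_blocked(n, policy)]
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for name in src.namelist():
            if name in removed:
                continue
            data = src.read(name)
            if name.endswith(".rels"):
                data = scrub_rels(data.decode("utf-8"), policy).encode("utf-8")
            elif name == "[Content_Types].xml":
                data = scrub_content_types(data.decode("utf-8"), removed).encode("utf-8")
            elif name == "word/document.xml" and policy["external_links"]:
                # Unwrap hyperlinks: the run text stays, the clickable target goes.
                data = re.sub(rb"</?w:hyperlink\b[^>]*>", b"", data)
            dst.writestr(name, data)
    return out.getvalue(), removed


def list_parts(docx_bytes):
    return zipfile.ZipFile(io.BytesIO(docx_bytes)).namelist()


def read_part(docx_bytes, name):
    return zipfile.ZipFile(io.BytesIO(docx_bytes)).read(name)


def build_sample_docm():
    """Constructed macro-enabled document with an embedded object, an external
    hyperlink and core properties. Placeholder bytes, not real malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml",
            '<Types><Override PartName="/word/document.xml" ContentType="' + MACRO_MAIN_CT + '"/>'
            '<Override PartName="/word/vbaProject.bin" ContentType="application/vnd.ms-office.vbaProject"/>'
            '<Override PartName="/word/embeddings/oleObject1.bin" ContentType="application/vnd.openxmlformats-officedocument.oleObject"/>'
            '<Override PartName="/docProps/core.xml" ContentType="application/vnd.openxmlformats-package.core-properties+xml"/></Types>')
        z.writestr("_rels/.rels",
            '<Relationships><Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument" Target="word/document.xml"/>'
            '<Relationship Id="rId2" Type="http://schemas.openxmlformats.org/package/2006/relationships/metadata/core-properties" Target="docProps/core.xml"/></Relationships>')
        z.writestr("word/_rels/document.xml.rels",
            '<Relationships><Relationship Id="rId1" Type="http://schemas.microsoft.com/office/2006/relationships/vbaProject" Target="vbaProject.bin"/>'
            '<Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" Target="embeddings/oleObject1.bin"/>'
            '<Relationship Id="rId3" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink" Target="http://example.invalid/quote" TargetMode="External"/></Relationships>')
        z.writestr("word/document.xml",
            '<w:document><w:body><w:p><w:r><w:t>Quarterly quote</w:t></w:r>'
            '<w:hyperlink r:id="rId3"><w:r><w:t>click here</w:t></w:r></w:hyperlink></w:p></w:body></w:document>')
        z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 constructed placeholder, not a VBA project")
        z.writestr("word/embeddings/oleObject1.bin", b"constructed placeholder OLE payload")
        z.writestr("docProps/core.xml", "<cp:coreProperties><dc:creator>alice</dc:creator></cp:coreProperties>")
    return buf.getvalue()


if __name__ == "__main__":
    cleaned, removed = extract_threats(build_sample_docm())
    print("removed parts:", removed)
    print("remaining parts:", list_parts(cleaned))
```

The policy dictionary mirrors the four switches on the slide; turning a switch off keeps the matching parts and their relationships untouched, and the rest of the pass still runs. Changing the main part's content type is what turns a .docm into a document Word treats as macro-free, which is why it belongs to the macro switch rather than being a cosmetic step.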
Always Maintain Access to Originals
Check Point Offering
- Threat Extraction: zero-malware documents delivered in zero seconds
- NG Threat Emulation: visibility on attack attempts and inspection of original documents
Threat Extraction/Emulation Demo: https://threatemulation.checkpoint.com/
Zero Second Protection: Industry’s Fastest Threat Emulation
Test Results for Detecting and Blocking Malware
Check Point: Industry’s Fastest Threat Emulation!
A Real Customer Example
Live Demo
Summary: NG Threat Emulation + Threat Extraction
- BEST: NG Threat Emulation is evasion resistant; Threat Extraction delivers zero malware
- FASTEST: NG Threat Emulation offers advanced detection; Threat Extraction offers zero-second delivery
- STRONGEST: NG Threat Emulation has the highest catch rate; Threat Extraction delivers safe documents
TRY IT NOW! It’s easy and free!
QUESTIONS