Understanding and breaking the cyber kill chain

Presentation on theme: "Understanding and breaking the cyber kill chain"— Presentation transcript:

1 Understanding and breaking the cyber kill chain
Peter Sandkuijl, Head of Security Solutions Engineering Europe
[Protected] Non-confidential content

2 THINGS WE DON'T KNOW: THE GROWTH OF THE UNKNOWN
Malware, CVEs, botnets, exploits, Trojans, bad URLs, viruses, signatures: there are more and more things we don't know, because there are more and more threats and attackers we don't know. The threat landscape is evolving fast, with new threats, new techniques, new actors and new targets. It is impossible to predict with certainty what the next waves of malware will look like: zero-days, APTs, unknown malware.

3 ATTACKS ARE MORE DANGEROUS THAN EVER
Modern threats are strategic, targeted, persistent, multi-stage, sophisticated and evasive.

4 Simple protections are FAILING
Modern threats require a SOPHISTICATED DEFENSE STRATEGY.

5 Planning and Executing a Cyber Attack
Planning the attack (weeks in advance):
- Look for potential victims
- Collect relevant social data
- Build, find or buy your weapon of choice (exploit kit, malware package)
- Adapt it to your specific needs
- Package it for delivery
Getting in (within seconds):
- Bypass detection
- Convince the victim to open your crafted file
- Bypass system security controls
- Install your malware
Carrying out the attack (from here on…):
- Wait for your malware to "call home"
- Instruct it what to do on the victim's computer
- Continuously monitor its progress
The kill-chain stages:
- Reconnaissance: identify the target and exploitable weaknesses
- Weaponization: create/select the attack vector
- Delivery: deliver the malicious payload to the victim
- Exploitation: gain execution privileges
- Installation: install the malware on the infected host
- Command & Control: establish a channel of communication
- Act on Objectives: data collection or corruption, lateral movement and exfiltration

6 The Cyber Kill Chain
- Reconnaissance: identify the target and exploitable weaknesses
- Weaponization: create/select the attack vector
- Delivery: deliver the malicious payload to the victim
- Exploitation: gain execution privileges
- Installation: install the malware on the infected host
- Command & Control: establish a channel of communication
- Act on Objectives: data collection or corruption, lateral movement and exfiltration
[Restricted] ONLY for designated groups and individuals

7 Simple Attack Timeline: Australian Ransomware
- Recon: locate email addresses
- Weapon: create an infected PDF
- Delivery: send a spoofed email with the PDF
- Exploit: victim double-clicks the attachment
- Install: Cryptolocker installed
- C&C: key obtained from the C&C server
- Act On: files gradually encrypted
Some kill-chain steps take hours or even weeks, while others take mere seconds.

8 How does one buy an attack?

9 Images from: www.deepdarkweb.com

10 Very generous indemnity program: $0
334 listings for "software & malware". Images from:

11 Don’t forget to read user reviews

12 And then there are Exploit Kit-as-a-Service (EaaS) sites

13 Method example: Angler

14 Exploit delivery service
Web-connected servers with WordPress vulnerabilities; operates as an exploit kit.

15 Browsing, link in email or integrated domain call
Users connect to a site (browsing, a link in email or an integrated domain call). Machines are scanned for vulnerabilities. Exploits lead to a malware drop: TeslaCrypt, Locky, Dridex…

16 Each site leads to multiple destinations, some are unintended

17 You’re actually going to many more places
Let's say you go to your favorite site…

18 Your unintended destinations aren’t necessarily evil…
But they can be.

19 Let‘s take a look at how Angler leverages Silverlight

20 Looks for Silverlight version 4.0.50524.0
Tells itself to… Pulls the upgrade file from… That's the location of the dropper, which leads to the ransomware.

21 The outcome is the same

23 IT’S TIME TO BREAK THE CHAIN

24 Successful Defense Strategy
Stages grouped as pre-compromise, compromise and post-compromise: Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command & Control, Act on Objectives.
- Apply protection for EACH of the stages: no single-step protection is enough; tackle attackers at each stage of their attack.
- Strong preventive defense BEFORE infection: prevention is the most cost-effective form of protection; protect against the devastating cost of a successful attack.
- Effective POST-compromise defense: damage and cost are proportional to time; minimize the time it takes to detect and contain attacks.
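As an added example (not from the presentation and not Check Point code), the script below turns the kill-chain stages of slides 5 and 6 and the "protect each stage, minimize time to detect and contain" strategy of slide 24 into a small alert-correlation routine: alerts from several controls are grouped per host, ordered by stage, and reported as how far the chain got and how quickly a control broke it. The sensor names, the log format and the sample alerts are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Kill-chain stages in order, as listed on the slides.
STAGES = ["Reconnaissance", "Weaponization", "Delivery", "Exploitation",
          "Installation", "Command & Control", "Act on Objectives"]

# Assumed sensor -> stage mapping (constructed; a real SOC maps its own controls).
SENSOR_STAGE = {"antispam": "Delivery", "ips": "Exploitation",
                "sandbox": "Installation", "antibot": "Command & Control",
                "dlp": "Act on Objectives"}

def parse_alert(line):
    """Constructed format: '<ISO time> <host> <sensor> <detect|block> <text>'."""
    ts, host, sensor, action, _ = line.split(" ", 4)
    if sensor not in SENSOR_STAGE:   # sensor not mapped to a stage: ignore
        return None
    return datetime.fromisoformat(ts), host, SENSOR_STAGE[sensor], action

def chain_status(lines):
    """Per host: stages seen in kill-chain order, the stage where a control broke
    the chain, seconds from first signal to that block, and whether Act on Objectives was reached."""
    per_host = defaultdict(list)
    for parsed in filter(None, map(parse_alert, lines)):
        per_host[parsed[1]].append(parsed)
    report = {}
    for host, alerts in per_host.items():
        alerts.sort(key=lambda a: (STAGES.index(a[2]), a[0]))  # stage order, then time
        stages = []
        for _, _, stage, _ in alerts:
            if not stages or stages[-1] != stage:
                stages.append(stage)
        first_seen = min(a[0] for a in alerts)
        blocks = [a for a in alerts if a[3] == "block"]
        broken_at = blocks[0][2] if blocks else None
        to_block = int((blocks[0][0] - first_seen).total_seconds()) if blocks else None
        report[host] = {"stages": stages, "broken_at": broken_at,
                        "seconds_to_block": to_block,
                        "reached_objectives": stages[-1] == STAGES[-1]}
    return report

# Constructed sample alerts: pc-17 is stopped at Installation, pc-42 is not.
SAMPLE = [
    "2016-03-01T09:00:00 pc-17 antispam detect attachment invoice.pdf flagged",
    "2016-03-01T09:02:10 pc-17 ips detect exploit attempt in PDF reader",
    "2016-03-01T09:02:15 pc-17 sandbox block dropper quarantined",
    "2016-03-01T10:00:00 pc-42 ips detect browser exploit on landing page",
    "2016-03-01T10:03:00 pc-42 antibot detect beacon to known C&C",
    "2016-03-02T08:00:00 pc-42 dlp detect bulk upload of documents",
]
```

A host whose report shows no `broken_at` and `reached_objectives` true is exactly the case the slide warns about: every stage was observed but nothing stopped the chain, so detection time, not just detection, is what needs fixing.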

25 Successful Defense with Check Point
Across the pre-compromise, compromise and post-compromise stages (Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command & Control, Act on Objectives) the controls are: IPS, Threat Intelligence, Firewall, Anti-Virus, Anti-Bot, DLP, Anti-Spam, Endpoint Security, Document Security, URL Filtering, Threat Emulation, Threat Extraction, Forensics and Mobile Threat Prevention.
- INTELLIGENCE: extensive research; collaboration with industry-leading services; sharing across the user community.
- DETECTION: multi-layer architecture; evasion-resistant detection; best catch rate.
- PREVENTION: proactive, practical prevention; effective containment; clear visibility and insight.

26 PROTECT FROM THE UNKNOWN
- THREAT EMULATION: evasion-resistant sandboxing at CPU and OS level
- THREAT EXTRACTION: quick delivery of safe, reconstructed content

27 ACCELERATE RESPONSE TO INFECTIONS
- PREVENT & CONTAIN: detect and block malicious infections and activity
- RESPOND & REMEDIATE: automated forensics analysis for effective response

28 One Console to Manage Everything
With one console, security teams can manage all aspects of security, from policy to threat prevention, across their entire organization, in both physical and virtual environments. This gives operational efficiency, simplifies management, and avoids overlapping policies and redundant configurations. Lower maintenance costs and fewer labor hours mean lower TCO. ONE CONSOLE, ONE POLICY.

29 Ask questions. Share code. Stay up-to-date.
COMMUNITY.CHECKPOINT.COM: customers, partners, experts.

30 THANK YOU
