Tom Hartig Check Point Software Technologies August 13th, 2015


1 Tom Hartig Check Point Software Technologies August 13th, 2015
BREAKING Malware: Preventing the next breach or discovering the one currently underway. Tom Hartig, Check Point Software Technologies, August 13th, 2015 [Restricted] ONLY for designated groups and individuals

2 Networks need protection against ALL types of threats
[Protected] Non-confidential content

3 An Ever-Changing Threat Landscape
Every year threats are becoming MORE SOPHISTICATED and MORE FREQUENT. Timeline (1997, 2004, 2007, 2010, 2014) of threat types: viruses and worms; adware; spyware; DDoS; APTs; ransomware; hacktivism; state-sponsored industrial espionage; next-gen APTs (mass APT tools) utilizing web infrastructures (DWS). Scale markers on the slide: 1,300 known viruses; 50,000 known viruses; 100,000+ malware variants daily.

4 “There are known knowns; there are things we know we know. We also know there are known unknowns; that is to say, we know there are some things we do not know. But there are also unknown unknowns – the ones we don’t know we don’t know.” — Donald Rumsfeld, 2002

5 Modern Anti-virus software only stops ~45% of attacks on computers
Symantec says… “Anti-virus is DEAD”. Modern anti-virus software only stops ~45% of attacks on computers. Source:

6 Cat and Mouse: Known Unknown
Attackers evade signature-based detection by obfuscating the attacks and creating attack variants.

7 Time it takes to learn the root cause of an attack
Source: Ponemon: Threat Intelligence & Incident Response: A Study of U.S. & EMEA Organizations: February 2014

8 PREDICTIVE INTELLIGENCE
Infection timeline: infection at 9:15AM. What happened before? What happened after? Are there similar infection attempts in my network?

9 Endpoint Forensics: Other Hosts with Apploader.exe
Host          Create Date   Was used?
David-X230    23/5/2014     Yes
John-S220-2   27/5/2014     No
Leo-F543-1
Infection-chain diagram (labels recovered from the slide): Infection via Web -> New file created -> Open connection -> Download files -> Access C&C -> Sending files. Artifacts shown: Customer.doc, Caller.exe, Apploader.exe, Wupdater.exe, DocChecker.exe, W2ol.com, Zeus.com, 77rip.com.

10 Building Blocks of Advanced Threat Prevention
IPS (pre): stops exploits of known vulnerabilities
Antivirus (pre): blocks download of known malware-infested files
Anti-Bot (post): detects and prevents bot damage
Threat Emulation and Extraction (pre): stops zero-day and unknown malware in files

11 WOULD YOU OPEN THIS ATTACHMENT?

12 Exploiting Zero-Day Vulnerabilities
“nearly 200,000 new malware samples appear around the world each day” - net-security.org, June 2013

13 What is Threat Emulation or Sandboxing?
A safe environment to evaluate suspicious files

14 Check Point Threat Emulation STOPS Undiscovered Attacks
INSPECT FILE -> EMULATE -> TURN TO KNOWN -> PREVENT

15 RUN files & Identify abnormal behavior
3 EMULATE: run files and identify abnormal behavior. Emulation images: Windows XP, 7, 8, customer images. Unique anti-evasion technologies. Monitored: file system, registry, connections, processes.

16 Inline BLOCKING of malicious files on the gateway
4 PREVENT: inline blocking of malicious files on the Security Gateway. Prevention-based approach.

17 Turn the Unknown into KNOWN
5 TURN TO KNOWN: automatic signature creation for ThreatCloud. Collaborative protection through ThreatCloud™.

18 Next Generation Zero-Day Protection
NG Threat Emulation + Threat Extraction

19 Known Unknown Back Again!
HACKERS develop techniques to evade sandboxing / threat emulation products:
Delays: malware that operates only after XX hours (accelerating the clock won’t work…)
Malware that executes on shutdown/restart
Malware that detects virtual environments and does not run in them
Malware that looks for human behavior before operating
Evasion is code that comes together with the malware, but executes first…
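The emulation step on slide 15 monitors the file system, registry, connections and processes, and slide 19 notes that delay-based evasion tries to outlast the sandbox. The script below is an added example, not Check Point code: it scores a constructed emulation event log with a few behavioural rules covering those four areas, and treats a very long sleep as a reportable stalling indicator rather than silently waiting it out. The event format, rule names, weights and verdict threshold are assumptions made for illustration.

```python
"""Behaviour scoring over a constructed threat-emulation event log.

Added example, not Check Point code. Event format, rule names, weights and
the verdict threshold are assumptions; the rules cover the four monitored
areas on slide 15 plus one stalling heuristic for the delays on slide 19.
"""
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass(frozen=True)
class Event:
    category: str       # "file", "registry", "connection" or "process"
    action: str         # e.g. "create", "set", "open", "sleep"
    detail: str         # path, registry key, host:port, command line or sleep ms
    parent: str = ""    # parent image name, only meaningful for process events


def _first_token(s: str) -> str:
    return (s.lower().split() or [""])[0]


# (rule name, weight, predicate). Weights are assumed, not vendor values.
RULES: List[Tuple[str, int, Callable[[Event], bool]]] = [
    ("persist_startup_folder", 4, lambda e: e.category == "file" and e.action == "create"
        and "\\startup\\" in e.detail.lower()),
    ("persist_run_key", 4, lambda e: e.category == "registry" and e.action == "set"
        and "\\currentversion\\run\\" in e.detail.lower()),
    ("office_spawns_shell", 5, lambda e: e.category == "process" and e.action == "create"
        and e.parent.lower() == "winword.exe"
        and _first_token(e.detail) in {"cmd.exe", "powershell.exe", "wscript.exe"}),
    ("exe_dropped_in_profile", 2, lambda e: e.category == "file" and e.action == "create"
        and e.detail.lower().endswith(".exe") and "\\users\\" in e.detail.lower()),
    ("outbound_connection", 1, lambda e: e.category == "connection" and e.action == "open"),
    # Stalling: a Sleep() of ten minutes or more would outlast a short emulation
    # run, so it is reported as a possible delay-based evasion, not ignored.
    ("long_sleep_possible_evasion", 3, lambda e: e.category == "process" and e.action == "sleep"
        and int(e.detail) >= 600_000),
]

MALICIOUS_THRESHOLD = 6   # assumed cut-off for the toy verdict


def score_events(events):
    """Return (verdict, score, hits); each rule adds its weight once per sample."""
    hits, fired, score = [], set(), 0
    for e in events:
        for name, weight, pred in RULES:
            if pred(e):
                hits.append((name, e))
                if name not in fired:
                    fired.add(name)
                    score += weight
    verdict = "malicious" if score >= MALICIOUS_THRESHOLD else "benign"
    return verdict, score, hits


# Constructed event log: a macro document dropping an updater and phoning home.
SUSPICIOUS_RUN = [
    Event("process", "sleep", "900000"),
    Event("process", "create", "cmd.exe /c start wupdater.exe", parent="WINWORD.EXE"),
    Event("file", "create",
          r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wupdater.exe"),
    Event("registry", "set", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Wupdater"),
    Event("connection", "open", "77rip.example:443"),
    Event("file", "create", r"C:\Users\alice\Documents\quote.docx"),
]

# Constructed event log: an ordinary document save plus a software-update check.
BENIGN_RUN = [
    Event("file", "create", r"C:\Users\alice\Documents\quote.docx"),
    Event("connection", "open", "update.example:443"),
]

if __name__ == "__main__":
    for label, run in (("suspicious", SUSPICIOUS_RUN), ("benign", BENIGN_RUN)):
        verdict, score, hits = score_events(run)
        print(f"{label}: {verdict} (score {score})")
        for name, e in hits:
            print(f"  {name:<28} {e.category}:{e.action} {e.detail}")
```

Each rule counts once per sample so a noisy dropper does not inflate the score by repeating one action; the stalling rule is what distinguishes "the sample did nothing" from "the sample waited for the sandbox to give up", which is the point slide 19 makes.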

20 Attack Infection Flow
VULNERABILITY: trigger an attack through unpatched software or a zero-day vulnerability
EXPLOIT: bypass the CPU and OS security controls using exploitation methods
SHELLCODE: activate an embedded payload to retrieve the malware
MALWARE: run malicious code

21 Attack Infection Flow: DETECT THE ATTACK BEFORE IT BEGINS
VULNERABILITY -> EXPLOIT -> SHELLCODE -> MALWARE -> EVASION CODE. Scale shown on the slide: thousands of vulnerabilities, a handful of exploitation methods, millions of malware and evasion code variants.
Identify the exploit itself instead of looking for the evasive malware.

22 Why does an attack need to start with exploitation?
What the OS does: DEP (Data Execution Prevention, since XP SP2): the processor will only run code marked as executable.
What the attackers do: re-use pieces of legitimate executable code that are already loaded. ROP is the most popular exploitation technique: examine code known to be loaded when the exploit is activated; search for useful gadgets (short pieces of code immediately followed by a flow-control opcode); bypass DEP using gadgets as code primitives.

23 CPU-Level Threat Emulation Detects the Exploitation
OS-level threat emulation works at the Applications and Operating System (Windows, Mac OS, etc.) layers; CPU-level threat emulation works at the CPU layer. Use the latest CPU-interfacing technologies. Monitor CPU-based instructions for exploits attempting to bypass OS security controls.
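Slide 22 describes ROP gadgets as short code sequences ending in a flow-control opcode, and slide 23 describes watching CPU-level control flow for the exploitation step. The following is an added example, not Check Point code and not a description of its detection logic: it implements the well-known "call-precedes-return" sanity check over a constructed x86-64 code image. A return address produced by a real CALL/RET pair sits immediately after a CALL instruction; the addresses a ROP chain returns into usually do not. The code image, base address, address lists and the limited CALL decoder (E8 rel32 and FF /2 forms) are all constructed for illustration.

```python
"""Call-precedes-return check over a constructed x86-64 code image.

Added example, not Check Point code. A normal RET lands right after a CALL;
a gadget return (slide 22's "short piece of code followed by a flow control
opcode") usually does not. Image, base and address lists are constructed;
the CALL decoder covers E8 rel32 and FF /2 only (SIB base==5 disp32 omitted).
"""


def call_length_at(image: bytes, off: int) -> int:
    """Length of a CALL instruction starting at image[off], or 0 if there is none."""
    b = image[off:off + 8]
    i = 1 if b and 0x40 <= b[0] <= 0x4F else 0        # optional REX prefix
    if len(b) <= i:
        return 0
    if b[i] == 0xE8:                                  # CALL rel32
        return i + 5
    if b[i] == 0xFF and len(b) > i + 1 and (b[i + 1] & 0x38) == 0x10:   # FF /2: CALL r/m
        mod, rm = b[i + 1] >> 6, b[i + 1] & 7
        length = i + 2
        if mod == 3:                                  # CALL reg
            return length
        if rm == 4:                                   # SIB byte present
            length += 1
        if mod == 0 and rm == 5:                      # disp32 / RIP-relative
            length += 4
        elif mod == 1:                                # disp8
            length += 1
        elif mod == 2:                                # disp32
            length += 4
        return length
    return 0


def call_precedes(image: bytes, base: int, ret_addr: int) -> bool:
    """True if some CALL instruction ends exactly at ret_addr."""
    off = ret_addr - base
    if not 0 < off <= len(image):
        return False
    return any(call_length_at(image, start) == off - start
               for start in range(max(0, off - 8), off))


def suspicious_returns(image, base, return_addresses):
    """Return addresses in the list that are not preceded by a CALL."""
    return [a for a in return_addresses if not call_precedes(image, base, a)]


def looks_like_rop(image, base, return_addresses, max_bad: int = 1) -> bool:
    """Flag a chain when more than max_bad return targets lack a preceding CALL."""
    return len(suspicious_returns(image, base, return_addresses)) > max_bad


# Constructed code image (offsets in comments), loaded at BASE.
BASE = 0x401000
IMAGE = bytes([
    0x55,                          # 0:  push rbp
    0x48, 0x89, 0xE5,              # 1:  mov rbp, rsp
    0xE8, 0x10, 0x00, 0x00, 0x00,  # 4:  call +0x10     -> legitimate return address = 9
    0x5D,                          # 9:  pop rbp
    0xC3,                          # 10: ret
    0xFF, 0xD0,                    # 11: call rax       -> legitimate return address = 13
    0xC3,                          # 13: ret
    0x58,                          # 14: pop rax        \ gadget: pop rax; ret
    0xC3,                          # 15: ret            /
    0x5F,                          # 16: pop rdi        \ gadget: pop rdi; ret
    0xC3,                          # 17: ret            /
])

LEGIT_STACK = [BASE + 9, BASE + 13]            # returns that follow real CALLs
ROP_STACK = [BASE + 14, BASE + 16, BASE + 9]   # gadget addresses chained via RET

if __name__ == "__main__":
    for label, stack in (("legit", LEGIT_STACK), ("rop", ROP_STACK)):
        bad = suspicious_returns(IMAGE, BASE, stack)
        print(f"{label}: suspicious={[hex(a) for a in bad]} rop={looks_like_rop(IMAGE, BASE, stack)}")
```

The check is a heuristic: compilers do emit returns into places without a textual CALL before them (tail calls, exception unwinding), which is why the chain is flagged on a count rather than a single miss, and why production monitors pair it with hardware branch records rather than a static scan.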

24 CPU-Level Threat Emulation
Highest accuracy: detection is outright, not based on heuristics or statistics
Evasion-proof: detection occurs before any evasion code can be applied
Efficient and fast: CPU-level technology identifies the attack at its infancy
OS independent: detection occurs at the CPU level

25 Check Point Next Gen Threat Emulation: OS-Level + CPU-Level
FASTEST, HIGHEST CATCH RATE, ADVANCED DETECTION, EVASION RESISTANT (CPU-Level)

26 Threat Extraction

27 How can we further reduce the attack surface?
ANTIVIRUS: catches known or old malware. NG THREAT EMULATION: detects unknown or zero-day malware. POSSIBLE SECURITY GAP: the remainder up to 100%.

28 Addressing the possible Security Gap: Threat Extraction
Proactively REMOVE potentially malicious objects from ALL incoming attachments. Eliminates any remaining threats. 100% of incoming attachments go through Threat Extraction, whether malicious or not.

29 How Does Threat Extraction Work?
Security Gateway with Threat Extraction Software Blade RECONSTRUCTS DOCUMENTS: removes embedded objects, macros and JavaScript code, and sensitive hyperlinks. USER EXAMPLES: HR receiving CVs; Purchasing receiving quotes; data from untrusted websites.

30 Threat Extraction Statistics
Tested thousands of recently discovered malicious files. Remove active content from the file (such as macros and embedded objects): cleaned 93% of the files; average cleaning time 0.3 seconds / document. Convert file to PDF: cleaned 100%; average conversion time 5 seconds.

31 Configurable Content Removal For Original Format Documents
Administrator establishes removal policy: macros or JavaScript; embedded objects; external links; document properties.
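Slide 29 lists what Threat Extraction strips and this slide lists the four policy switches an administrator sets. As an added example that is not Check Point's product code, the script below applies such a policy to an Office Open XML (.docx/.docm) container, which is a zip of XML parts: macros live in word/vbaProject.bin, embedded objects under word/embeddings/, external hyperlinks are relationships with TargetMode="External", and metadata sits under docProps/. It also drops the relationships and content-type overrides that would otherwise dangle, so the output stays a consistent package. The policy keys, the in-memory sample document and the string-level content-types edit are assumptions made for illustration.

```python
"""Toy Threat Extraction for Office Open XML containers (.docx/.docm).

Added example, not Check Point code. Policy keys, the constructed sample
document and the regex edit of [Content_Types].xml are simplifications.
"""
import io
import posixpath
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
R_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
for prefix, uri in (("", REL_NS), ("w", W_NS), ("r", R_NS)):
    ET.register_namespace(prefix, uri)

# Assumed policy keys, one per removal option on the slide.
POLICY = {"macros": True, "embedded_objects": True,
          "external_links": True, "document_properties": True}


def parts_of(docx_bytes: bytes) -> dict:
    """Read every package part (name -> bytes) from an OOXML zip."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        return {n: z.read(n) for n in z.namelist()}


def _removal_category(name: str, policy: dict):
    """Policy category that removes this part, or None to keep it."""
    if policy["macros"] and name in ("word/vbaProject.bin", "word/vbaData.xml",
                                     "word/_rels/vbaProject.bin.rels"):
        return "macros"
    if policy["embedded_objects"] and name.startswith("word/embeddings/"):
        return "embedded_objects"
    if policy["document_properties"] and name.startswith("docProps/"):
        return "document_properties"
    return None


def _clean_rels(name: str, data: bytes, kept: dict, policy: dict, removed: list):
    """Drop relationships to removed parts and, per policy, external targets."""
    root = ET.fromstring(data)
    base = posixpath.dirname(posixpath.dirname(name))   # word/_rels/x.rels -> word
    dropped_ids = set()
    for rel in list(root):
        target = rel.get("Target", "")
        if rel.get("TargetMode") == "External":
            if policy["external_links"]:
                dropped_ids.add(rel.get("Id"))
                removed.append(f"external_link:{target}")
                root.remove(rel)
            continue
        resolved = posixpath.normpath(target[1:] if target.startswith("/")
                                      else posixpath.join(base, target))
        if resolved not in kept:
            root.remove(rel)
    return ET.tostring(root, encoding="UTF-8", xml_declaration=True), dropped_ids


def _unwrap_hyperlinks(doc_xml: bytes, dropped_ids: set) -> bytes:
    """Replace each removed <w:hyperlink> with its runs: the text stays, the link goes."""
    root = ET.fromstring(doc_xml)
    links = [(p, c) for p in root.iter() for c in list(p)
             if c.tag == f"{{{W_NS}}}hyperlink" and c.get(f"{{{R_NS}}}id") in dropped_ids]
    for parent, link in links:
        idx = list(parent).index(link)
        parent.remove(link)
        for k, run in enumerate(list(link)):
            parent.insert(idx + k, run)
    return ET.tostring(root, encoding="UTF-8", xml_declaration=True)


def extract_threats(docx_bytes: bytes, policy: dict = POLICY):
    """Return (cleaned_docx_bytes, list of removed items) for the given policy."""
    parts, kept, removed = parts_of(docx_bytes), {}, []
    for name, data in parts.items():
        category = _removal_category(name, policy)
        if category:
            removed.append(f"{category}:{name}")
        else:
            kept[name] = data
    dropped_ids = set()
    for name in [n for n in kept if n.endswith(".rels")]:
        kept[name], ids = _clean_rels(name, kept[name], kept, policy, removed)
        dropped_ids |= ids
    if dropped_ids:
        kept["word/document.xml"] = _unwrap_hyperlinks(kept["word/document.xml"], dropped_ids)
    ct = kept["[Content_Types].xml"].decode()
    for gone in (n for n in parts if n not in kept):          # string-level simplification
        ct = re.sub(r'<Override[^>]*PartName="/%s"[^>]*/>' % re.escape(gone), "", ct)
    kept["[Content_Types].xml"] = ct.encode()
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as z:
        for name, data in kept.items():
            z.writestr(name, data)
    return out.getvalue(), removed


def build_sample_docm() -> bytes:
    """Construct a minimal macro-enabled document with one item of each kind (not a real file)."""
    rel = '<Relationship Id="%s" Type="%s" Target="%s"%s/>'
    files = {
        "[Content_Types].xml": '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
            '<Override PartName="/word/document.xml" ContentType="application/vnd.ms-word.document.macroEnabled.main+xml"/>'
            '<Override PartName="/docProps/core.xml" ContentType="application/vnd.openxmlformats-package.core-properties+xml"/></Types>',
        "_rels/.rels": f'<Relationships xmlns="{REL_NS}">' + rel % ("rId1", f"{R_NS}/officeDocument", "word/document.xml", "")
            + rel % ("rId2", f"{REL_NS}/metadata/core-properties", "docProps/core.xml", "") + "</Relationships>",
        "word/document.xml": f'<w:document xmlns:w="{W_NS}" xmlns:r="{R_NS}"><w:body><w:p><w:r><w:t>See </w:t></w:r>'
            '<w:hyperlink r:id="rId2"><w:r><w:t>our portal</w:t></w:r></w:hyperlink></w:p></w:body></w:document>',
        "word/_rels/document.xml.rels": f'<Relationships xmlns="{REL_NS}">'
            + rel % ("rId1", "http://schemas.microsoft.com/office/2006/relationships/vbaProject", "vbaProject.bin", "")
            + rel % ("rId2", f"{R_NS}/hyperlink", "http://phish.example/login", ' TargetMode="External"')
            + rel % ("rId3", f"{R_NS}/oleObject", "embeddings/oleObject1.bin", "") + "</Relationships>",
        "word/vbaProject.bin": b"CONSTRUCTED-VBA-BLOB",
        "word/embeddings/oleObject1.bin": b"CONSTRUCTED-OLE-BLOB",
        "docProps/core.xml": '<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties" '
            'xmlns:dc="http://purl.org/dc/elements/1.1/"><dc:creator>alice</dc:creator></cp:coreProperties>',
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in files.items():
            z.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    cleaned, removed = extract_threats(build_sample_docm())
    print("\n".join(removed))
    print(sorted(parts_of(cleaned)))
```

The removed list is what the slide 33 "visibility" claim depends on: the user receives a document with the link text but no link, and the gateway keeps a record of which categories were stripped so the original can be requested per slide 32.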

32 Always Maintain Access to Originals

33 Check Point Offering Threat Extraction
Threat Extraction: zero malware documents delivered in zero seconds. NG Threat Emulation: visibility on attack attempts and inspection of original documents.

34 Threat Extraction/Emulation Demo

35 Zero Second Protection Industry’s Fastest Threat Emulation

36 Test Results for Detecting and Blocking Malware
Check Point: Industry’s Fastest Threat Emulation!

37 A Real Customer Example

38 Live Demo

39 Summary: NG Threat Emulation + Threat Extraction. TRY IT NOW! It’s easy and free!
            NG Threat Emulation    Threat Extraction
BEST        EVASION RESISTANT      ZERO MALWARE
FASTEST     ADVANCED DETECTION     ZERO SECOND DELIVERY
STRONGEST   HIGHEST CATCH RATE     SAFE DOCUMENTS

40 QUESTIONS

