
1 ©2015 Check Point Software Technologies Ltd. [Restricted] ONLY for designated groups and individuals
BREAKING MALWARE: Preventing the next breach or discovering the one currently underway
Tom Hartig, Check Point Software Technologies, August 13th, 2015

2 Networks need protection against ALL types of threats

3 An Ever-Changing Threat Landscape
Every year threats are becoming MORE SOPHISTICATED and MORE FREQUENT
[Timeline figure, 1997 to 2014 (years shown: 1997, 2004, 2007, 2010, 2014), listing in order: viruses and worms; adware and spyware; DDoS; APTs; ransomware; hacktivism; state-sponsored industrial espionage; next-gen APTs (mass APT tools) utilizing web infrastructures (DWS). Scale markers on the figure: 1,300 known viruses; 50,000 known viruses; 100,000+ malware variants daily.]

4 "There are known knowns; there are things we know we know. We also know there are known unknowns; that is to say, we know there are some things we do not know. But there are also unknown unknowns: the ones we don't know we don't know." (Donald Rumsfeld, 2002)

5 "Anti-virus is DEAD"
Symantec says modern anti-virus software only stops ~45% of attacks on computers.
Source: http://www.theregister.co.uk/2014/05/06/symantec_antivirus_is_dead_and_not_a_moneymaker/

6 Cat and Mouse: Known Unknown
Attackers evade signature-based detection by obfuscating the attacks and creating attack variants.

7 Time it takes to learn the root cause of an attack
Source: Ponemon, Threat Intelligence & Incident Response: A Study of U.S. & EMEA Organizations, February 2014

8 PREDICTIVE INTELLIGENCE
Infection timeline: infection at 9:15 AM. What happened before? What happened after? Are there similar infection attempts in my network?

9 Endpoint Forensics
[Infection graph: infection via web from www.keys4all.com; Caller.exe is created as a new file; Caller.exe opens a connection and downloads files from W2ol.com (Apploader.exe, Wupdater.exe, DocChecker.exe); Wupdater.exe accesses C&C; DocChecker.exe sends files (Customer.doc) to 77.rip.com. Related hosts on the graph: Zeus.com, 77rip.com, W2ol.com.]
Other hosts with Apploader.exe:
Host | Create date | Was used?
David-X230 | 23/5/2014 | Yes
John-S220-2 | 27/5/2014 | No
Leo-F543-1 | 27/5/2014 | No

10 Building Blocks of Advanced Threat Prevention
- IPS (pre-infection): stops exploits of known vulnerabilities
- Anti-Bot (post-infection): detects and prevents bot damage
- Antivirus (pre-infection): blocks download of known malware-infested files
- Threat Emulation and Extraction (pre-infection): stop zero-day and unknown malware in files

11 WOULD YOU OPEN THIS ATTACHMENT?

12 Exploiting Zero-Day Vulnerabilities
"nearly 200,000 new malware samples appear around the world each day" (net-security.org, June 2013)

13 What is Threat Emulation or Sandboxing?
A safe environment to evaluate suspicious files.

14 Check Point Threat Emulation STOPS Undiscovered Attacks
Flow: INSPECT FILE, EMULATE, PREVENT, TURN TO KNOWN

15 EMULATE (step 3)
- Emulate Windows XP, 7, 8 and customer images
- Run files and identify abnormal behavior in the file system, registry, connections and processes
- Unique anti-evasion technologies

16 PREVENT (step 4)
Security Gateway: inline BLOCKING of malicious files on the gateway, a prevention-based approach.

17 Turn the Unknown into KNOWN (step 5)
Automatic signature creation for ThreatCloud; collaborative protection through ThreatCloud™.

18 Next Generation Zero-Day Protection: NG Threat Emulation + Threat Extraction

19 Known Unknown Back Again!
Hackers develop techniques to evade sandboxing / threat emulation products:
- Delays: the malware only operates after XX hours, and accelerating the clock won't work
- Malware that executes on shutdown/restart
- Malware that detects virtual environments and does not run in them
- Malware that looks for human behavior before operating
Evasion is code that comes together with the malware, but executes first.
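The four evasion classes on this slide are all visible from the sandbox side as a pattern of API calls made before anything malicious happens. The following is an added example, not Check Point's code: a scorer that runs over a per-process API call trace and flags each class. The trace format (api_name, args), the API names, the thresholds and both sample traces are assumptions for illustration; sleep durations are assumed to be normalised to milliseconds by the hook layer. The "clock cross-check" indicator captures why accelerating one clock does not help: the sample reads a second, independent clock around its sleep.

```python
"""Flag sandbox-evasion behaviour in a per-process API call trace.

Added example, not Check Point's code. Trace format, API names, thresholds
and sample traces are assumptions for illustration.
"""
import re
from typing import Dict, List, Tuple

Call = Tuple[str, tuple]

SLEEP_APIS = {"Sleep", "SleepEx", "NtDelayExecution"}          # args[0] assumed in ms
CLOCK_APIS = {"GetTickCount", "GetTickCount64", "QueryPerformanceCounter",
              "GetSystemTimeAsFileTime", "NtQuerySystemTime", "rdtsc"}
USER_APIS = {"GetCursorPos", "GetLastInputInfo", "GetAsyncKeyState", "GetForegroundWindow"}
SHUTDOWN_HOOKS = {"SetConsoleCtrlHandler", "ShutdownBlockReasonCreate"}
PAYLOAD_APIS = {"CreateProcessW", "WriteFile", "WinExec", "URLDownloadToFileW", "connect"}
VM_ARTIFACT = re.compile(r"vbox|vmware|qemu|xen|virtual|hyper-v|sbiedll|cuckoo", re.I)
LONG_DELAY_MS = 60_000   # assumption: a minute or more is "waiting out" the sandbox
MIN_USER_POLLS = 3       # assumption: repeated input polling = waiting for a human


def _mentions_vm(args: tuple) -> bool:
    return any(VM_ARTIFACT.search(str(a)) for a in args)


def _is_shutdown_hook(api: str, args: tuple) -> bool:
    # A control handler or a RunOnce value defers the real work to shutdown/next boot.
    return api in SHUTDOWN_HOOKS or (
        api.startswith("RegSetValue") and any("RunOnce" in str(a) for a in args))


def score_evasion(trace: List[Call]) -> Dict[str, bool]:
    """One boolean per evasion class, plus whether evasion ran before the payload."""
    total_sleep_ms, clocks, user_polls = 0, set(), 0
    vm_probe = shutdown_hook = False
    evasion_idx: List[int] = []
    payload_idx = None
    for i, (api, args) in enumerate(trace):
        if api in SLEEP_APIS and args and isinstance(args[0], int):
            total_sleep_ms += args[0]
            if args[0] >= LONG_DELAY_MS:
                evasion_idx.append(i)
        elif api in CLOCK_APIS:
            clocks.add(api)
        elif api in USER_APIS:
            user_polls += 1
            evasion_idx.append(i)
        elif api in PAYLOAD_APIS and payload_idx is None:
            payload_idx = i
        if _mentions_vm(args):
            vm_probe = True
            evasion_idx.append(i)
        if _is_shutdown_hook(api, args):
            shutdown_hook = True
            evasion_idx.append(i)
    long_delay = total_sleep_ms >= LONG_DELAY_MS
    return {
        "long_delay": long_delay,
        "clock_cross_check": long_delay and len(clocks) >= 2,  # two clocks around a sleep
        "vm_fingerprint": vm_probe,
        "waits_for_user": user_polls >= MIN_USER_POLLS,
        "shutdown_trigger": shutdown_hook,
        "evasion_before_payload": bool(evasion_idx)
        and (payload_idx is None or min(evasion_idx) < payload_idx),
    }


def verdict(trace: List[Call], min_indicators: int = 2) -> str:
    hits = sum(score_evasion(trace).values())
    return "evasive" if hits >= min_indicators else "no evasion seen"


# Constructed traces: a sample that stalls, fingerprints the VM and waits for a user
# before dropping its payload, and a benign document reader.
EVASIVE_TRACE: List[Call] = [
    ("GetTickCount", ()),
    ("NtDelayExecution", (10 * 60 * 1000,)),                    # sleep ten minutes
    ("GetTickCount", ()),
    ("NtQuerySystemTime", ()),                                  # second clock to compare
    ("RegOpenKeyExW", (r"HKLM\SYSTEM\CurrentControlSet\Services\VBoxGuest",)),
    ("GetCursorPos", ()), ("GetCursorPos", ()), ("GetCursorPos", ()),
    ("CreateProcessW", (r"C:\Users\Public\update.exe",)),
]
BENIGN_TRACE: List[Call] = [
    ("CreateFileW", (r"C:\Users\alice\quote.docx",)), ("ReadFile", ()), ("CloseHandle", ()),
]

if __name__ == "__main__":
    for name, t in (("evasive", EVASIVE_TRACE), ("benign", BENIGN_TRACE)):
        print(name, verdict(t), score_evasion(t))
```

The "evasion_before_payload" field is the practical point of the slide: every indicator in the evasive trace fires before the first payload-like call, so a monitor that only watches for the payload sees nothing if the sample times out first.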

20 Attack Infection Flow
- VULNERABILITY: trigger an attack through unpatched software or a zero-day vulnerability
- EXPLOIT: bypass the CPU and OS security controls using exploitation methods
- SHELLCODE: activate an embedded payload to retrieve the malware
- MALWARE: run malicious code

21 Attack Infection Flow
[Figure: VULNERABILITY, EXPLOIT, SHELLCODE, MALWARE, with scale labels "Thousands" and "Millions" and an EVASION CODE stage added to the flow.]

22 Why does an attack need to start with exploitation?
What the OS does: DEP (Data Execution Prevention, since Windows XP SP2). The processor will only run code marked as executable.
What the attackers do: ROP (return-oriented programming), the most popular exploitation technique. Re-use pieces of legitimate executable code that are already loaded: examine code known to be loaded when the exploit is activated, search for useful gadgets (short pieces of code immediately followed by a flow-control opcode), and bypass DEP using gadgets as code primitives.
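The gadget search described on this slide is mechanical enough to show in a few lines. The following is an added example, not code from the presentation: a minimal x86 (32-bit) gadget finder that scans a code buffer for `ret` (0xC3) and walks backwards over bytes that decode as useful single-byte instructions. Only a handful of opcodes are decoded, which is an assumption that keeps the example short; any other byte ends the walk. The code buffer and base address are constructed for the example, and include the classic case of a gadget that the compiler never emitted, hidden inside the immediate of a `mov`.

```python
"""Minimal x86 (32-bit) ROP gadget finder over a raw code buffer.

Added example, not code from the slides. Only a few single-byte opcodes are
decoded (an assumption for brevity); the sample buffer is constructed.
"""
from typing import Dict, List, Optional

REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]


def decode_byte(b: int) -> Optional[str]:
    """Mnemonic for the single-byte opcodes this finder understands, else None."""
    if 0x50 <= b <= 0x57:
        return f"push {REGS[b - 0x50]}"
    if 0x58 <= b <= 0x5F:
        return f"pop {REGS[b - 0x58]}"
    if 0x40 <= b <= 0x47:
        return f"inc {REGS[b - 0x40]}"
    if 0x48 <= b <= 0x4F:
        return f"dec {REGS[b - 0x48]}"
    if 0x91 <= b <= 0x97:
        return f"xchg eax, {REGS[b - 0x90]}"
    if b == 0x90:
        return "nop"
    if b == 0xC9:
        return "leave"
    if b == 0xC3:
        return "ret"
    return None


def find_gadgets(code: bytes, base: int = 0, max_insns: int = 4) -> Dict[int, List[str]]:
    """Map gadget address -> instruction list for every short sequence ending in ret.

    Because every decoded opcode is one byte long, walking backwards from a ret
    byte by byte yields one gadget per step; the walk stops at the first byte
    that is not a recognised opcode or after max_insns instructions.
    """
    gadgets: Dict[int, List[str]] = {}
    for ret_off, b in enumerate(code):
        if b != 0xC3:
            continue
        insns = ["ret"]
        for off in range(ret_off - 1, ret_off - 1 - max_insns, -1):
            if off < 0:
                break
            mnemonic = decode_byte(code[off])
            if mnemonic is None:
                break
            insns.insert(0, mnemonic)
            gadgets[base + off] = list(insns)
    return gadgets


def search(gadgets: Dict[int, List[str]], pattern: str) -> List[int]:
    """Addresses of gadgets whose listing equals the pattern, e.g. 'pop eax ; ret'."""
    want = [p.strip() for p in pattern.split(";")]
    return sorted(addr for addr, insns in gadgets.items() if insns == want)


BASE = 0x00401000
# Constructed code: a tiny function epilogue followed by "mov eax, 0xC394".
# The bytes 94 C3 inside the immediate are an unintended gadget: xchg eax, esp ; ret.
SAMPLE_CODE = bytes([
    0x55,                           # 401000: push ebp
    0x89, 0xE5,                     # 401001: mov ebp, esp   (two-byte opcode, not decoded)
    0x58,                           # 401003: pop eax
    0x5B,                           # 401004: pop ebx
    0xC3,                           # 401005: ret
    0xB8, 0x94, 0xC3, 0x00, 0x00,   # 401006: mov eax, 0xC394
])

if __name__ == "__main__":
    for addr, insns in sorted(find_gadgets(SAMPLE_CODE, BASE).items()):
        print(f"0x{addr:08x}: {' ; '.join(insns)}")
```

Running it lists three gadgets: `pop ebx ; ret` and `pop eax ; pop ebx ; ret` from the real epilogue, and `xchg eax, esp ; ret` at 0x401007, which starts in the middle of the `mov` instruction. That unaligned gadget is the kind of stack-pivot primitive an exploit uses to move `esp` onto attacker-controlled data before the chain runs.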

23 CPU-Level Threat Emulation Detects the Exploitation
Use the latest CPU-interfacing technologies; monitor CPU-level instructions for exploits attempting to bypass OS security controls.
[Figure: layered stack of Applications, Operating System (Windows, Mac OS, etc.) and CPU; OS-level threat emulation observes the upper layers, CPU-level threat emulation observes the CPU.]

24 CPU-Level Threat Emulation
- Highest accuracy: detection is outright, not based on heuristics or statistics
- Evasion-proof: detection occurs before any evasion code can be applied
- Efficient and fast: CPU-level technology identifies the attack at its infancy
- OS independent: detection occurs at the CPU level
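Slides 23 and 24 claim that exploitation can be recognised from the CPU's own control flow, before the shellcode or any evasion code runs. The following is an added example of the kind of check such a monitor can apply to `ret` events; it is not Check Point's implementation, which the slides do not describe. It combines two heuristics from the published ROP-detection literature: a legitimate `ret` lands immediately after a `call` instruction (E8 rel32, or the two-byte FF /2 forms), and a ROP chain is a run of returns separated by only a few instructions. The code image, its base address, the trace format (return target, instructions executed since the previous return) and both traces are constructed for the example.

```python
"""Flag ROP-style control flow in a (constructed) CPU branch trace.

Added example, not Check Point's implementation. The image, base address,
trace format and traces are constructed assumptions for illustration.
"""
from typing import Dict, List, Tuple

BASE = 0x00401000
IMAGE = bytes([
    0xE8, 0x10, 0x00, 0x00, 0x00,   # 401000: call +0x10     -> return address 401005
    0x90, 0x90, 0x90, 0x90,         # 401005: nop x4
    0x58, 0xC3,                     # 401009: pop eax ; ret
    0x5B, 0xC3,                     # 40100B: pop ebx ; ret
    0x94, 0xC3,                     # 40100D: xchg eax, esp ; ret
    0xFF, 0xD0,                     # 40100F: call eax       -> return address 401011
    0x90, 0x90, 0x90,               # 401011: nop x3
])

RetEvent = Tuple[int, int]   # (return target address, instructions since previous ret)


def is_call_preceded(image: bytes, base: int, target: int) -> bool:
    """True if the bytes just before `target` encode a call instruction."""
    off = target - base
    if 5 <= off <= len(image) and image[off - 5] == 0xE8:          # call rel32
        return True
    if 2 <= off <= len(image) and image[off - 2] == 0xFF:          # FF /2: call r/m32
        modrm = image[off - 1]
        mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
        # Only the two-byte encodings (register, or [reg] without displacement) are
        # decoded here; longer FF /2 forms with a displacement are an accepted gap.
        return reg == 2 and (mod == 3 or (mod == 0 and rm not in (4, 5)))
    return False


def detect_rop(image: bytes, base: int, rets: List[RetEvent],
               max_gadget_insns: int = 20, chain_len: int = 4) -> Dict[str, object]:
    """Count non-call-preceded returns and the longest run of short gadgets."""
    run = longest = suspicious = 0
    for target, insns_since_last in rets:
        if not is_call_preceded(image, base, target):
            suspicious += 1
            if insns_since_last <= max_gadget_insns:
                run += 1
                longest = max(longest, run)
                continue
        run = 0          # a normal return, or a long stretch of code, breaks the chain
    return {"suspicious_returns": suspicious, "longest_chain": longest,
            "rop": longest >= chain_len}


# Constructed traces: normal returns into call sites, versus a chain through
# the three gadgets above (including a stack pivot) with almost no code between.
LEGIT_TRACE: List[RetEvent] = [(0x401005, 37), (0x401011, 12), (0x401005, 51)]
ROP_TRACE: List[RetEvent] = [(0x401009, 1), (0x40100B, 2), (0x40100D, 2),
                             (0x401009, 1), (0x401011, 30)]

if __name__ == "__main__":
    print("legit:", detect_rop(IMAGE, BASE, LEGIT_TRACE))
    print("rop:  ", detect_rop(IMAGE, BASE, ROP_TRACE))
```

The thresholds (20 instructions per gadget, 4 gadgets per chain) are the example's assumptions and are the tuning knobs in practice: too low and legitimate code with small functions and tail calls is flagged, too high and a short pivot-then-VirtualProtect chain slips through. Note that the check fires on the returns themselves, before the chain's final payload executes, which is the property slide 24 is describing.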

25 Check Point Next Gen Threat Emulation: OS-level + CPU-level
Fastest; advanced detection; highest catch rate; evasion resistant.

26 THREAT EXTRACTION

27 How can we further reduce the attack surface?
[Figure: antivirus catches known or old malware; NG Threat Emulation detects unknown or zero-day malware; a possible security gap remains between that and 100%.]

28 Addressing the Possible Security Gap: Threat Extraction
Proactively REMOVE potentially malicious objects from ALL incoming attachments. 100% of incoming attachments go through Threat Extraction, whether malicious or not; this eliminates any remaining threats.

29 How Does Threat Extraction Work?
The Security Gateway with the Threat Extraction Software Blade RECONSTRUCTS DOCUMENTS: it removes embedded objects, macros and JavaScript code, and sensitive hyperlinks.
User examples: HR receiving CVs; purchasing receiving quotes; data from untrusted websites.

30 Threat Extraction Statistics (tested on thousands of recently discovered malicious files)
- Remove active content from the file (such as macros and embedded objects): cleaned 93% of the files; average cleaning time 0.3 seconds per document
- Convert file to PDF: cleaned 100%; average conversion time 5 seconds

31 Configurable Content Removal for Original-Format Documents
Administrator establishes the removal policy: macros or JavaScript; embedded objects; external links; document properties.
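Slides 29 to 31 describe the "original format" path of Threat Extraction: rebuild the document without its active content rather than convert it to PDF. For an OOXML Word file that work is package surgery, and the parts that must be kept consistent (relationships and content types) are where naive approaches produce files Word refuses to open. The following is an added example in plain Python, not Check Point's implementation: it drops VBA, embedded-object and ActiveX parts plus document properties, strips external hyperlinks while keeping their visible text, and repairs `[Content_Types].xml` and every `.rels` file so the result is a valid `.docx`. The removal policy and the minimal `.docm` built in memory are assumptions for illustration.

```python
"""Strip active content from an OOXML Word package (.docm/.docx).

Added example, not Check Point's implementation. Removal policy and the
in-memory sample document are assumptions for illustration.
"""
import io, posixpath, re, zipfile
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

CT_NS = "http://schemas.openxmlformats.org/package/2006/content-types"
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
MACRO_CT = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_CT = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
# Removal policy (assumed): macros, embedded objects, ActiveX, document properties.
REMOVE_PART = re.compile(r"^(word/vbaProject\.bin|word/vbaData\.xml|word/embeddings/.+"
                         r"|word/activeX/.+|docProps/(core|app|custom)\.xml)$")


def _owner_of(rels_path: str) -> str:
    """'word/_rels/document.xml.rels' -> 'word/document.xml'; '_rels/.rels' -> ''."""
    rels_dir, name = posixpath.split(rels_path)
    return "" if name == ".rels" else posixpath.join(posixpath.dirname(rels_dir), name[:-5])


def _resolve(rels_path: str, target: str) -> str:
    if target.startswith("/"):
        return target[1:]
    return posixpath.normpath(posixpath.join(posixpath.dirname(_owner_of(rels_path)), target))


def _clean_rels(rels_path: str, data: bytes, removed: set) -> Tuple[bytes, List[str]]:
    """Drop relationships to removed parts and every external (hyperlink) target."""
    root, dropped = ET.fromstring(data), []
    for rel in list(root):
        target = rel.get("Target", "")
        if rel.get("TargetMode") == "External" or _resolve(rels_path, target) in removed:
            root.remove(rel)
            dropped.append(f"{rels_path}: dropped {rel.get('Id')} -> {target}")
    ET.register_namespace("", REL_NS)
    return ET.tostring(root, encoding="UTF-8", xml_declaration=True), dropped


def _clean_content_types(data: bytes, removed: set) -> bytes:
    root = ET.fromstring(data)
    for entry in list(root):
        if entry.get("PartName", "").lstrip("/") in removed:
            root.remove(entry)
        elif entry.get("ContentType") == MACRO_CT:
            entry.set("ContentType", PLAIN_CT)   # macro-enabled main part -> plain .docx
    ET.register_namespace("", CT_NS)
    return ET.tostring(root, encoding="UTF-8", xml_declaration=True)


def _scrub_body(xml: str) -> str:
    # Keep each hyperlink's visible text but drop the link; drop embedded-object wrappers
    # whose target parts were removed, so no dangling r:id is left behind.
    xml = re.sub(r"<w:hyperlink\b[^>]*>(.*?)</w:hyperlink>", r"\1", xml, flags=re.S)
    return re.sub(r"<w:object\b[^>]*>.*?</w:object>", "", xml, flags=re.S)


def extract_threats(package: bytes) -> Tuple[bytes, List[str]]:
    """Return (cleaned package, log of what was removed)."""
    src = zipfile.ZipFile(io.BytesIO(package))
    names = src.namelist()
    removed = {n for n in names if REMOVE_PART.match(n)}
    removed |= {n for n in names if n.endswith(".rels") and _owner_of(n) in removed}
    log = [f"removed part {n}" for n in sorted(removed)]
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for n in names:                       # original order keeps [Content_Types] first
            if n in removed:
                continue
            data = src.read(n)
            if n.endswith(".rels"):
                data, dropped = _clean_rels(n, data, removed)
                log += dropped
            elif n == "[Content_Types].xml":
                data = _clean_content_types(data, removed)
            elif n == "word/document.xml":
                data = _scrub_body(data.decode("utf-8")).encode("utf-8")
            dst.writestr(n, data)
    return out.getvalue(), log


def list_parts(package: bytes) -> Dict[str, bytes]:
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        return {n: zf.read(n) for n in zf.namelist()}


def build_sample_docm() -> bytes:
    """Constructed minimal .docm: one VBA project, one OLE object, one hyperlink."""
    R = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
    ole = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\0" * 8       # OLE2 magic, fake body
    parts = {
        "[Content_Types].xml": f'<Types xmlns="{CT_NS}"><Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/><Default Extension="xml" ContentType="application/xml"/><Default Extension="bin" ContentType="application/vnd.ms-office.vbaProject"/><Override PartName="/word/document.xml" ContentType="{MACRO_CT}"/><Override PartName="/word/embeddings/oleObject1.bin" ContentType="application/vnd.openxmlformats-officedocument.oleObject"/><Override PartName="/docProps/core.xml" ContentType="application/vnd.openxmlformats-package.core-properties+xml"/></Types>',
        "_rels/.rels": f'<Relationships xmlns="{REL_NS}"><Relationship Id="rId1" Type="{R}/officeDocument" Target="word/document.xml"/><Relationship Id="rId2" Type="http://schemas.openxmlformats.org/package/2006/relationships/metadata/core-properties" Target="docProps/core.xml"/></Relationships>',
        "word/document.xml": f'<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" xmlns:r="{R}" xmlns:o="urn:schemas-microsoft-com:office:office"><w:body><w:p><w:r><w:t>Quote attached, see </w:t></w:r><w:hyperlink r:id="rId2"><w:r><w:t>our portal</w:t></w:r></w:hyperlink></w:p><w:p><w:r><w:object><o:OLEObject r:id="rId3"/></w:object></w:r></w:p></w:body></w:document>',
        "word/_rels/document.xml.rels": f'<Relationships xmlns="{REL_NS}"><Relationship Id="rId1" Type="{R}/vbaProject" Target="vbaProject.bin"/><Relationship Id="rId2" Type="{R}/hyperlink" Target="http://example.invalid/portal" TargetMode="External"/><Relationship Id="rId3" Type="{R}/oleObject" Target="embeddings/oleObject1.bin"/></Relationships>',
        "word/vbaProject.bin": ole,
        "word/embeddings/oleObject1.bin": ole,
        "docProps/core.xml": '<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties" xmlns:dc="http://purl.org/dc/elements/1.1/"><dc:creator>jdoe</dc:creator></cp:coreProperties>',
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, body in parts.items():
            zf.writestr(name, body if isinstance(body, bytes) else body.encode("utf-8"))
    return buf.getvalue()
```

Two details matter for the "still opens" requirement. Removing a part is not enough: the `Override` in `[Content_Types].xml` and every `Relationship` pointing at it must go too, and the main part's content type must change from the macro-enabled type to the plain one (and the file be renamed `.docx`), otherwise Word reports a corrupt package. Removing an external hyperlink relationship leaves `<w:hyperlink r:id="...">` dangling in the body, which is why the visible text is unwrapped rather than left pointing at a relationship that no longer exists. This covers the "remove active content" path from slide 30; the PDF-conversion path needs a rendering engine and is out of scope here.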

32 Always Maintain Access to Originals

33 Check Point Offering
NG Threat Emulation + Threat Extraction: zero malware documents delivered in zero seconds, with visibility on attack attempts and inspection of original documents.

34 Threat Extraction/Emulation Demo: https://threatemulation.checkpoint.com/

35 Zero Second Protection: Industry's Fastest Threat Emulation

36 Test Results for Detecting and Blocking Malware
[Results figure not reproduced in the transcript.] Check Point: industry's fastest threat emulation!

37 A Real Customer Example

38 Live Demo

39 Summary: NG Threat Emulation + Threat Extraction
- Advanced detection, strongest evasion resistance, fastest
- Highest catch rate, best zero-second delivery
- Zero malware, safe documents
TRY IT NOW! It's easy and free!

40 QUESTIONS

