Post on 26-Mar-2020
COMBATTING ADVANCED MALWARE THREATS IN EMAIL
A guide to how an Email Sandbox helps organizations to prepare for Advanced Persistent Threats
Advanced malware and advanced persistent threats (APT) are frequently used as terms to
describe malicious code that bypasses traditional security systems, such as signature-based
detectors (anti-virus engines and intrusion detection systems). Sandboxing works by
running code inside a tightly controlled environment, in which one can monitor and
analyze the code's behavior. Since it is not necessary to have seen a specific threat before,
sandboxing offers the promise of identifying advanced malware and zero-day threats.
Not all sandbox technologies provide the same level of detection capabilities.
This guide will introduce you to the CYBONET Sandbox—available as a module
in CYBONET’s PineApp Mail SeCure Solution.
APT IS THE “NEW NORMAL”
WHAT IS AN ADVANCED PERSISTENT THREAT
Modern malware uses Advanced techniques such as encrypted communication channels, kernel-level rootkits and sophisticated evasion capabilities to get past a network's defenses. More importantly, it often leverages zero-day vulnerabilities: flaws for which no patch is available and no signature has been written.
Modern malware is Persistent and designed to stick around for “as long as it takes” to achieve its mission. It is stealthy: it hides its communications and exists within a victim's network for as long as possible, often cleaning up after itself by deleting logs, using strong encryption and reporting back to its controller in small, difficult-to-trace bursts of communication.
Many attacks now blend combinations of several techniques. These threats often originate with, and are initiated by, groups of highly skilled and motivated criminals, and they represent a very serious Threat to organizations of all sizes. No organization is immune to the threat that these criminal networks represent, and many of today's solutions fall short in delivering deep protection, often exposing vulnerabilities.
COST OF APT THREATS
The number of known cybersecurity incidents rose by 48 percent last year. Moreover, these attacks have become far more costly, as the losses from advanced phishing scams increased from $525 million in 2012 to $800 million last year, an increase of more than 50 percent.
The costs associated with cybersecurity threats exponentially increase as the criminals themselves evolve from isolated individual actors to organized hacker groups to nation states.
TRADITIONAL MALWARE DETECTION
The emergence of signature-based detection can be conceptualized as attempting to identify people strictly by how they look: What color is their hair? How tall are they? What is their eye color? How old are they? Do we have their fingerprint? These types of questions make a lot of sense when threats are straightforward and traditional in nature. What happens, though, if the criminal is wearing a black hat and sunglasses as a disguise? What if the criminal is also able to change his fingerprints on the fly? Unfortunately, Advanced Persistent Threats behave in the same manner: detecting malware based on “looks” alone does not work anymore.
ANTIVIRUS IS NOT ENOUGH
Protecting organizations against malware is a
constant struggle. Antivirus companies monitor
and analyze files and programs in a test
environment in order to update and report new
virus signatures.
A “brute force” component of today's attack methodology is to automatically generate tens of thousands of variants of old or new viruses, at a rate which far outpaces the capacity of any anti-virus vendor to keep up. To quantify this, up to around 2005, several hundred new threats were identified each day, but by the end of 2009 some 15-25,000 new threats were identified every day, and this number keeps doubling every 6-12 months.
According to data compiled by Panda Research,
traditional AV only stops 30-50 percent of new
zero-hour malware when it’s first seen. A few
take up to eight hours to reach even the 90
percent level, with the majority needing a full 24
hours. The conclusion must be that “traditional”
AV technology is not dead, but needs to be
complemented with other approaches that
provide additional signals for detection.
THE SANDBOX: A CONCEPT
Sandboxes execute an unknown malware program in an instrumented, separate environment and monitor its execution, allowing for the identification of previously unseen (zero-day) malware.
THE GOALS OF A SANDBOX:
A Sandbox has to achieve three goals: Visibility, resistance to detection, and scalability.
1. First, a sandbox has to see as much as possible of the execution of a program in order to make solid deductions about the presence or absence of malicious behaviors.
2. Second, a sandbox has to perform monitoring in a fashion that makes it difficult to detect. Otherwise, it is easy for malware to identify the presence of the sandbox and alter its behavior to evade detection.
3. The third goal captures the desire to run many samples through a sandbox in a way that the execution of one sample does not interfere with the execution of subsequent malware programs.
CYBONET SANDBOX FOR ADVANCED PROTECTION
CYBONET integrates Check Point's ThreatCloud Ecosystem into the PineApp Mail Secure Sandboxing Module. This integration means that newly discovered threats are sent to the ThreatCloud intelligence database. Each newly discovered threat signature is distributed across the ThreatCloud ecosystem to protect other connected gateways. This enables connected gateways to block the new threat before it has a chance to become widespread. Constant collaboration makes ThreatCloud the most advanced and up-to-date threat intelligence network available.
CHECK POINT
CYBONET is proud to partner with Check Point Software Technologies. Check Point Software Technologies is a worldwide industry leader in securing the internet. Check Point ensures that internet communications and critical data are secure, reliable and available everywhere.
By partnering with Check Point, we at CYBONET believe that together we can provide the most comprehensive messaging security solution.
CYBONET SANDBOX NETWORK OVERVIEW
CYBONET has integrated Check Point's SandBlast Network Threat into the PineApp Mail Secure Sandboxing Module. SandBlast Zero-Day Protection employs Threat Emulation and Threat Extraction capabilities to elevate network security to the next level with evasion-resistant malware detection and comprehensive protection against the most dangerous attacks.
CYBONET's Sandbox provides complete detection, inspection and protection against the most dangerous zero-day and targeted attacks at the network.
THREAT EMULATION AND THREAT EXTRACTION
The Threat Emulation feature performs deep CPU-level inspection, stopping even the most dangerous
attacks before malware has an opportunity to deploy and evade detection. The use of OS-level
inspection examines a broad range of file types, including executables and data files. With its unique
inspection capabilities, SandBlast Threat Emulation delivers the best possible catch rate for threats, and
is virtually immune to attackers’ evasion techniques.
Threat Extraction complements the solution by promptly delivering safe content, or clean and
reconstructed versions of potentially malicious files, maintaining uninterrupted business flow. By
eliminating unacceptable delays created by traditional sandboxes, Threat Extraction makes real-world
deployment in prevent mode possible, not just issuing alerts but blocking malicious content from
reaching users at all.
PROACTIVE PREVENTION
The Threat Extraction component within SandBlast
eliminates threats by removing risky content such as
macros or embedded links and then reconstructs the
document using only known safe elements. Unlike
detection technologies that require time to search
for and identify threats before blocking them, Threat
Extraction preemptively eliminates risk, ensuring
prompt delivery of safe documents.
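The following Python is an added illustration of the Threat Extraction idea (content disarm and reconstruction), not CYBONET's or Check Point's code: it drops the VBA project and external hyperlinks from an OOXML package and rebuilds the document from the remaining parts. The .docm it operates on is constructed inline; the part names and content types are the standard OOXML ones, while editing the XML with regular expressions is an assumption that is adequate for the constructed sample but not how a production engine would do it.

```python
"""Content disarm and reconstruction (CDR) for an OOXML package.

Added illustration of the Threat Extraction idea, not vendor code: macro
parts and external links are dropped, and the document is rebuilt from the
remaining, known-safe parts. XML is edited with regular expressions, which
is an assumption adequate for the constructed sample below; a real engine
would parse the XML and re-validate the package.
"""
import io
import re
import zipfile

# Package parts that carry VBA code (assumption: the locations Office uses).
MACRO_PART_RE = re.compile(r"(^|/)vba(Project\.bin|Data\.xml)$", re.IGNORECASE)
# Standard OOXML content types for a macro-enabled and a plain Word document.
MACRO_ENABLED_TYPE = b"application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_DOC_TYPE = (b"application/vnd.openxmlformats-officedocument."
                  b"wordprocessingml.document.main+xml")


def _disarm_content_types(xml: bytes) -> bytes:
    """Drop the macro part registrations and downgrade the main part type."""
    xml = re.sub(rb'<Override[^>]*PartName="[^"]*vba[^"]*"[^>]*/>', b"", xml)
    # The .bin default can also cover e.g. printer settings; a stricter CDR
    # would only remove it when no other .bin part remains.
    xml = re.sub(rb'<Default[^>]*Extension="bin"[^>]*/>', b"", xml)
    return xml.replace(MACRO_ENABLED_TYPE, PLAIN_DOC_TYPE)


def _disarm_rels(xml: bytes) -> tuple[bytes, int]:
    """Remove relationships to macro parts and to external targets (URLs)."""
    xml, n_macro = re.subn(rb'<Relationship\b[^>]*Target="[^"]*vba[^"]*"[^>]*/>', b"", xml)
    xml, n_ext = re.subn(rb'<Relationship\b[^>]*TargetMode="External"[^>]*/>', b"", xml)
    return xml, n_macro + n_ext


def _disarm_document(xml: bytes) -> tuple[bytes, int]:
    """Unwrap <w:hyperlink> so the visible text survives but the link is gone."""
    return re.subn(rb"<w:hyperlink\b[^>]*>(.*?)</w:hyperlink>", rb"\1", xml, flags=re.DOTALL)


def extract_safe_office(data: bytes) -> tuple[bytes, dict]:
    """Rebuild the package without macros or external links; return it and a report."""
    report = {"removed_parts": [], "removed_relationships": 0, "unwrapped_links": 0}
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for name in src.namelist():
            if MACRO_PART_RE.search(name):
                report["removed_parts"].append(name)
                continue                      # never copied into the safe copy
            content = src.read(name)
            if name == "[Content_Types].xml":
                content = _disarm_content_types(content)
            elif name.endswith(".rels"):
                content, n = _disarm_rels(content)
                report["removed_relationships"] += n
            elif name.endswith("document.xml"):
                content, n = _disarm_document(content)
                report["unwrapped_links"] += n
            dst.writestr(name, content)
    return out.getvalue(), report


def read_part(package: bytes, name: str) -> bytes:
    """Helper for inspection: return one part of a package (b'' if absent)."""
    with zipfile.ZipFile(io.BytesIO(package)) as z:
        return z.read(name) if name in z.namelist() else b""


def build_sample_docm() -> bytes:
    """Constructed minimal macro-enabled package: one paragraph, one link, one VBA part."""
    parts = {
        "[Content_Types].xml": (
            b'<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
            b'<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
            b'<Default Extension="xml" ContentType="application/xml"/>'
            b'<Default Extension="bin" ContentType="application/vnd.ms-office.vbaProject"/>'
            b'<Override PartName="/word/document.xml" ContentType="' + MACRO_ENABLED_TYPE + b'"/>'
            b"</Types>"),
        "_rels/.rels": (
            b'<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
            b'<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument" Target="word/document.xml"/>'
            b"</Relationships>"),
        "word/document.xml": (
            b'<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" '
            b'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships"><w:body><w:p>'
            b"<w:r><w:t>Invoice attached. </w:t></w:r>"
            b'<w:hyperlink r:id="rId2"><w:r><w:t>Open</w:t></w:r></w:hyperlink>'
            b"</w:p></w:body></w:document>"),
        "word/_rels/document.xml.rels": (
            b'<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
            b'<Relationship Id="rId1" Type="http://schemas.microsoft.com/office/2006/relationships/vbaProject" Target="vbaProject.bin"/>'
            b'<Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink" '
            b'Target="http://example.invalid/constructed" TargetMode="External"/>'
            b"</Relationships>"),
        "word/vbaProject.bin": b"constructed placeholder, not a real VBA project",
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, content in parts.items():
            z.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    safe, report = extract_safe_office(build_sample_docm())
    print(report)
```

The reconstructed package keeps the paragraph text, including the former link text, but contains no `vbaProject.bin`, no relationship pointing at it, and no external target, and its main part is re-typed as a plain (non-macro) document so Office will not look for macros at all. The report is what a gateway would attach to the delivered message so the recipient knows what was stripped.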
FULL SYSTEM EMULATION
The SandBlast Threat Emulation sandboxing stops attacks before they have a chance to evade detection
by the sandbox. The engine also monitors CPU-based instruction flow for exploits attempting to
bypass operating system and hardware security controls. Threat Emulation supports multiple
deployment options, providing a cost-effective solution for virtually any size organization. Files can be
sent from existing gateways to either the SandBlast cloud-based service or to an on premise appliance
available with a range of capacities.
HOW TO EVADE A SANDBOX
New evasion techniques are constantly
developed which are capable of bypassing
traditional sandbox detection technology. These
evasion techniques include not activating the
malware on virtual environments, delaying the
attack by time or action, different OS versions
and variants as well as encrypted channels.
Today’s hacker ecosystem makes it easy for
cybercriminals to share exploit code, newly
identified vulnerabilities and even talent with
their co-conspirators. Traditional sandbox
solutions identify “new” and unknown malware,
but take time, risking potential exposure to
network infection before detection and blocking
occurs. Unfortunately, they are also vulnerable to
evasion techniques capable of bypassing
traditional sandbox detection technology.
PINEAPP MAIL SECURE SANDBOXING MODULE
After first running through the PineApp Mail Secure
Solution for standard Spam and Virus protection,
emails and attachments are fingerprinted and
checked against an existing database. If the file has
never been seen before, it is analyzed using the
system emulator, which monitors the execution of all
instructions and can spot evasive techniques that
other sandboxes miss. When malware is detected it
is quarantined and alerting measures are triggered.
FILE TYPES ANALYZED:
All Windows executable files, Adobe PDF, MS Office,
.apk, .zip, etc.
[Figure: message flow through PineApp Mail Secure: Sender -> Inbound Email & Attachment -> Mail Secure Spam & Virus Scan -> Check Point SandBlast -> Recipient]
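As an added example of the fingerprint-first flow described above (not the module's own code), the following Python hashes every attachment of an inbound message, answers from a verdict cache when the hash has been seen before, and sends only never-seen files of the analysed types to an emulator. The emulator is an injected callable; `demo_emulator` is a constructed stand-in, the sample message is constructed inline, and classifying attachments by their leading bytes rather than by extension is the example's own design choice.

```python
"""Fingerprint-first attachment triage in front of a sandbox.

Added illustration of the flow the guide describes for the PineApp Mail
Secure module (not vendor code): every attachment is hashed, a known hash is
answered from the verdict cache, and only never-seen files of analysable
types reach the emulator. The emulator is an injected callable; the
`demo_emulator` below is a constructed stand-in, not a real analysis engine.
"""
import email
import hashlib
import io
import zipfile
from email import policy
from email.message import EmailMessage
from typing import Callable, Optional

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc/.xls container


def classify(data: bytes) -> Optional[str]:
    """Type an attachment by content, not by its (attacker-chosen) extension.

    Returns one of the analysable families listed in the guide, or None."""
    if data[:2] == b"MZ":
        return "windows-executable"
    if data[:5] == b"%PDF-":
        return "pdf"
    if data[:8] == OLE2_MAGIC:
        return "ms-office"
    if data[:2] == b"PK":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                names = set(z.namelist())
        except zipfile.BadZipFile:
            return None
        if "[Content_Types].xml" in names:
            return "ms-office"
        if "AndroidManifest.xml" in names:
            return "apk"
        return "zip"
    return None


class AttachmentTriage:
    """Hash -> cache -> emulate -> quarantine pipeline for one mail gateway."""

    def __init__(self, emulator: Callable[[bytes, str], str]):
        self.emulator = emulator
        self.verdicts: dict[str, str] = {}           # sha256 -> "clean"/"malicious"
        self.quarantine: list[tuple[str, str]] = []  # (filename, sha256)
        self.emulations = 0

    def process(self, raw_message: bytes) -> list[dict]:
        msg = email.message_from_bytes(raw_message, policy=policy.default)
        results = []
        for part in msg.iter_attachments():
            data = part.get_content()
            if isinstance(data, str):                # text attachments decode to str
                data = data.encode("utf-8")
            name = part.get_filename() or "unnamed"
            digest = hashlib.sha256(data).hexdigest()
            kind = classify(data)
            if digest in self.verdicts:              # seen before: no re-analysis
                verdict, source = self.verdicts[digest], "cache"
            elif kind is None:                       # outside the analysed types
                verdict, source = "not-analysed", "skip"
            else:
                verdict, source = self.emulator(data, kind), "emulator"
                self.emulations += 1
                self.verdicts[digest] = verdict
            if verdict == "malicious":
                self.quarantine.append((name, digest))
            results.append({"filename": name, "sha256": digest,
                            "type": kind, "verdict": verdict, "source": source})
        return results


def demo_emulator(data: bytes, kind: str) -> str:
    """Constructed stand-in for the system emulator: flags only executables."""
    return "malicious" if kind == "windows-executable" else "clean"


def build_sample_message() -> bytes:
    """Constructed inbound mail with three attachments of different kinds."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see the attached files.")
    msg.add_attachment(b"MZ" + b"\x00" * 62 + b"constructed, not a real PE",
                       maintype="application", subtype="octet-stream",
                       filename="invoice.pdf.exe")
    msg.add_attachment(b"%PDF-1.4\n% constructed placeholder\n%%EOF\n",
                       maintype="application", subtype="pdf", filename="invoice.pdf")
    msg.add_attachment("plain text notes", subtype="plain", filename="notes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    triage = AttachmentTriage(demo_emulator)
    for r in triage.process(build_sample_message()):
        print(r["filename"], r["type"], r["verdict"], r["source"])
    print("quarantined:", triage.quarantine)
```

Running the same message through the pipeline twice shows the point of the fingerprint step: the second pass costs no emulation time at all, because both analysable attachments are answered from the cache, while the quarantine action still fires for the cached "malicious" verdict.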
PINEAPP MAIL SECURE SOLUTION MODULES
CYBONET | p. +1.646.883.3455 | e. info@cybonet.com | www.CYBONET.com
©2016 Cybonet, Ltd., All Rights Reserved. Reproduction in whole or in part in any form or medium without express written permission is
prohibited. Cybonet and the Cybonet logo are registered trademarks. Cybonet believes that the information in this publication is accurate as of
its publication date; such information is subject to change without notice.