©2015 Check Point Software Technologies Ltd. [Restricted] ONLY for designated groups and individuals
Preventing the next breach or discovering the one currently underway
Tom Hartig, Check Point Software Technologies, August 13th, 2015
BREAKING MALWARE
Networks need protection against ALL types of threats
An Ever-Changing Threat Landscape

Every year threats are becoming MORE SOPHISTICATED and MORE FREQUENT

Timeline figure (1997, 2004, 2007, 2010, 2014): 1,300 known viruses in 1997; 50,000 known viruses; 100,000+ malware variants daily. Threat types along the timeline: viruses and worms; adware and spyware; DDoS; APTs; ransomware; hacktivism; state sponsored; industrial espionage; next gen APTs (mass APT tools); utilizing web infrastructures (DWS).
“There are known knowns; there are things we know we know.
We also know there are known unknowns; that is to say, we know there are some things we do not know.
But there are also unknown unknowns – the ones we don’t know we don’t know.”
— Donald Rumsfeld, 2002
Symantec says… “Anti-virus is DEAD”

Modern anti-virus software only stops ~45% of attacks on computers.
Source: http://www.theregister.co.uk/2014/05/06/symantec_antivirus_is_dead_and_not_a_moneymaker/
Cat and Mouse: Known Unknown
Attackers evade signature based detection by obfuscating the attacks and creating attack variants
Time it takes to learn the root cause of an attack (chart values, y-axis 0%–45%):
One Day: 12%
One Week: 18%
One Month: 25%
One Year: 38%
Never: 41%
Source: Ponemon: Threat Intelligence & Incident Response: A Study of U.S. & EMEA Organizations: February 2014
Building Blocks of Advanced Threat Prevention

IPS (pre): stops exploits of known vulnerabilities
Anti-Bot (post): detects and prevents bot damage
Antivirus (pre): blocks download of known malware-infested files
Threat Emulation and Extraction (pre): stop zero-day and unknown malware in files
WOULD YOU OPEN THIS ATTACHMENT?
Exploiting Zero-Day Vulnerabilities

“nearly 200,000 new malware samples appear around the world each day”
- net-security.org, June 2013
What is Threat Emulation or Sandboxing?
A safe environment to evaluate suspicious files
Check Point Threat Emulation STOPS Undiscovered Attacks

Stages: INSPECT FILE, EMULATE, PREVENT, TURN UNKNOWN TO KNOWN
EMULATE (step 3)
• Windows XP, 7, 8, customer images
• Unique anti-evasion technologies
• Watched during the run: file system, registry, connections, processes
• RUN files & identify abnormal behavior
PREVENT (step 4)
Inline BLOCKING of malicious files on the Security Gateway: a prevention-based approach
TURN THE UNKNOWN INTO KNOWN (step 5)
Automatic signature creation for ThreatCloud: collaborative protection through ThreatCloud™
Next Generation Zero-Day Protection: NG Threat Emulation + Threat Extraction
Known Unknown Back Again!

HACKERS develop techniques to evade sandboxing / threat emulation products:
• Delays: the malware operates only after XX hours, and accelerating the sandbox clock won't work…
• Malware that executes on shutdown/restart
• Malware that detects virtual environments and does not run in them
• Malware that looks for human behavior before operating

Evasion is code that comes together with the malware, but executes first…
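As an added illustration of how those four evasion classes show up in a sandbox's own record of a run (example code written for this transcript, not Check Point code and not the output of any Check Point product), here is a small Python checker over a constructed API-call trace. The trace format, the API names it matches on and the thresholds (60 s counts as a "long" sleep, clock reads within 1 s count as a cross-check) are assumptions for the example.

```python
import re
from collections import defaultdict

# Constructed sandbox trace in a "<seconds> <API> <args/result>" shape; this is
# sample data made up for the example, not output of any real sandbox product.
SAMPLE_TRACE = """\
0.000 NtDelayExecution ms=300000
0.001 GetTickCount -> 48123
0.002 rdtsc -> 7733892211
0.003 QueryPerformanceCounter -> 99182223
0.010 RegOpenKeyExW path=HKLM\\HARDWARE\\DESCRIPTION\\System\\SystemBiosVersion
0.011 RegQueryValueExW name=SystemBiosVersion -> "VBOX   - 1"
0.012 GetCursorPos -> (512,384)
2.012 GetCursorPos -> (512,384)
4.013 GetCursorPos -> (512,384)
4.020 RegSetValueExW path=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce name=upd
4.021 MoveFileExW flags=MOVEFILE_DELAY_UNTIL_REBOOT
"""

LINE_RE = re.compile(r"^(?P<t>\d+\.\d+) (?P<api>\w+)(?P<rest>.*)$")

# Indicator lists are assumptions for the example, not a complete catalogue.
SLEEP_APIS = {"NtDelayExecution", "Sleep", "SleepEx"}
TIME_SOURCES = {"GetTickCount", "GetTickCount64", "rdtsc",
                "QueryPerformanceCounter", "GetSystemTime", "NtQuerySystemTime"}
HUMAN_APIS = {"GetCursorPos", "GetLastInputInfo", "GetForegroundWindow"}
VM_MARKERS = ("vbox", "vmware", "qemu", "xen", "hyper-v",
              "systembiosversion", "videobiosversion", "vmtools")
REBOOT_MARKERS = ("RunOnce", "MOVEFILE_DELAY_UNTIL_REBOOT")


def parse_trace(text):
    """Turn trace lines into (timestamp, api, remainder) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((float(m["t"]), m["api"], m["rest"].strip()))
    return events


def find_evasions(events, long_sleep_ms=60_000, clock_window_s=1.0):
    """Map each evasion class to the trace lines that support it."""
    findings = defaultdict(list)
    time_reads, cursor = [], []
    for t, api, rest in events:
        low = rest.lower()
        if api in SLEEP_APIS:
            ms = re.search(r"ms=(\d+)", rest)
            if ms and int(ms.group(1)) >= long_sleep_ms:
                findings["delay"].append(f"{api} {ms.group(0)}")
        if api in TIME_SOURCES:
            time_reads.append((t, api))
        if any(k in low for k in VM_MARKERS):
            findings["vm_detection"].append(f"{api} {rest}")
        if api == "GetCursorPos":
            cursor.append((t, rest))
        elif api in HUMAN_APIS:
            findings["human_check"].append(api)
        if any(k in rest for k in REBOOT_MARKERS):
            findings["reboot_trigger"].append(f"{api} {rest}")
    # Two or more independent clocks read within a short window: the sample is
    # cross-checking time, so fast-forwarding just one clock will be noticed.
    for i, (t0, _) in enumerate(time_reads):
        sources = {api for t, api in time_reads[i:] if t - t0 <= clock_window_s}
        if len(sources) >= 2:
            findings["delay"].append("cross-checks clocks: " + ", ".join(sorted(sources)))
            break
    # Cursor polled several times and never moved: the sample waits for a human.
    if len(cursor) >= 3 and len({pos for _, pos in cursor}) == 1:
        findings["human_check"].append(
            f"GetCursorPos polled {len(cursor)}x with no movement")
    return dict(findings)


if __name__ == "__main__":
    for cls, evidence in find_evasions(parse_trace(SAMPLE_TRACE)).items():
        print(cls, evidence)
```

The clock finding is the practical content of "accelerating the clock won't work": a sample that reads GetTickCount, rdtsc and QueryPerformanceCounter back to back can compare them, so a sandbox that advances only one of them gives itself away. A real sandbox correlates far more than these four indicator classes, and a mature sample spreads its checks out over time to stay under a window like the one used here.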
Attack Infection Flow

VULNERABILITY: trigger an attack through unpatched software or a zero-day vulnerability
EXPLOIT: bypass the CPU and OS security controls using exploitation methods
SHELLCODE: activate an embedded payload to retrieve the malware
MALWARE: run malicious code
Attack Infection Flow (continued)

Stages: VULNERABILITY → EXPLOIT → SHELLCODE → MALWARE (figure labels: Thousands, Millions, HANDFUL, EVASION CODE)

DETECT THE ATTACK BEFORE IT BEGINS: identify the exploit itself instead of looking for the evasive malware.
Why does an attack need to start with exploitation?

What the OS does: DEP (Data Execution Prevention, since XP SP2): the processor will only run code marked as executable.

What the attackers do: re-use pieces of legitimate executable code that are already loaded. ROP is the most popular exploitation technique:
• Examine code known to be loaded when the exploit is activated
• Search for useful gadgets: short pieces of code immediately followed by a flow-control opcode
• Bypass DEP using gadgets as code primitives
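An added example of the gadget search the slide describes (example code written for this transcript, not from the deck or from any Check Point product): a minimal Python gadget finder over a constructed x86-64 byte blob. It decodes only a small opcode subset, finds every flow-control terminator, and walks backwards to enumerate the byte sequences that decode cleanly up to it, which is the core loop of tools such as ROPgadget. The blob, its annotations and the opcode subset are constructed for the example.

```python
REGS = ["rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi"]
REGS_EXT = ["r%d" % i for i in range(8, 16)]
ALU = {0x01: "add", 0x29: "sub", 0x31: "xor", 0x89: "mov"}   # REX.W op r/m64, r64

# Constructed code bytes (not taken from any real binary), annotated by intent.
CODE = bytes.fromhex(
    "4889c8"      # 0:  mov rax, rcx
    "5f"          # 3:  pop rdi
    "c3"          # 4:  ret
    "415e"        # 5:  pop r14            (REX.B prefix + pop)
    "c3"          # 7:  ret
    "b8c3000000"  # 8:  mov eax, 0xc3      (the immediate contains a 0xc3 byte)
    "5d"          # 13: pop rbp
    "c3"          # 14: ret
    "4831c0"      # 15: xor rax, rax
    "0f05"        # 18: syscall
    "c3"          # 20: ret
    "ffe0"        # 21: jmp rax
)


def decode(code, off):
    """Decode one instruction of a small x86-64 subset at `off`.
    Returns (text, length, is_flow_control) or None when unsupported."""
    b = code[off]
    nxt = code[off + 1] if off + 1 < len(code) else None
    if b == 0x90:
        return ("nop", 1, False)
    if b == 0xC3:
        return ("ret", 1, True)
    if b == 0xC2 and off + 3 <= len(code):
        return (f"ret {int.from_bytes(code[off+1:off+3], 'little'):#x}", 3, True)
    if 0x50 <= b <= 0x57:
        return (f"push {REGS[b - 0x50]}", 1, False)
    if 0x58 <= b <= 0x5F:
        return (f"pop {REGS[b - 0x58]}", 1, False)
    if b == 0x41 and nxt is not None:                 # REX.B: r8-r15 forms
        if 0x50 <= nxt <= 0x57:
            return (f"push {REGS_EXT[nxt - 0x50]}", 2, False)
        if 0x58 <= nxt <= 0x5F:
            return (f"pop {REGS_EXT[nxt - 0x58]}", 2, False)
    if b == 0x48 and nxt in ALU and off + 2 < len(code):
        modrm = code[off + 2]
        if modrm >> 6 == 3:                            # register-direct only
            return (f"{ALU[nxt]} {REGS[modrm & 7]}, {REGS[(modrm >> 3) & 7]}", 3, False)
    if b == 0x0F and nxt == 0x05:
        return ("syscall", 2, False)
    if b == 0xFF and nxt is not None and nxt >> 6 == 3:
        ext = (nxt >> 3) & 7                           # /2 = call reg, /4 = jmp reg
        if ext in (2, 4):
            return (f"{'call' if ext == 2 else 'jmp'} {REGS[nxt & 7]}", 2, True)
    return None


def find_gadgets(code, max_back=8):
    """Return {start_offset: 'insn ; insn ; ret'} for every byte sequence of at
    most `max_back` bytes that decodes cleanly and ends in flow control."""
    gadgets = {}
    for end in range(len(code)):
        term = decode(code, end)
        if term is None or not term[2]:
            continue
        stop = end + term[1]
        for start in range(max(0, end - max_back), end + 1):
            insns, off, ok = [], start, True
            while off < stop:
                d = decode(code, off)
                if d is None or (d[2] and off != end):
                    ok = False          # undecodable byte, or flow control mid-gadget
                    break
                insns.append(d[0])
                off += d[1]
            # The last decoded instruction must be the terminator itself, so a
            # longer instruction that merely spans the 0xc3 byte does not count.
            if ok and off == stop and insns and insns[-1] == term[0]:
                gadgets[start] = " ; ".join(insns)
    return gadgets


if __name__ == "__main__":
    for off, text in sorted(find_gadgets(CODE).items()):
        print(f"{off:#06x}: {text}")
```

Two of the gadgets it finds were never emitted as instructions: offset 6 starts one byte into `pop r14` and reads as `pop rsi ; ret`, and offset 9 is the `0xc3` inside the immediate of `mov eax, 0xc3`. That is why DEP alone does not settle the matter: any byte sequence already mapped executable that decodes to something useful and ends in a `ret` is a usable primitive, intended or not.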
CPU-Level Threat Emulation Detects the Exploitation

• Uses the latest CPU-interfacing technologies
• Monitors CPU-level instructions for exploits attempting to bypass OS security controls

Layer diagram: Applications / Operating System (Windows, Mac OS, etc.) / CPU. OS-level threat emulation observes the operating-system layer; CPU-level threat emulation observes the CPU layer.
CPU-Level Threat Emulation

• Highest accuracy: detection is outright, not based on heuristics or statistics
• Evasion-proof: detection occurs before any evasion code can be applied
• Efficient and fast: CPU-level technology identifies the attack at its infancy
• OS independent: detection occurs at the CPU level
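The deck does not say which CPU facility the product uses. As an added example of the class of check a CPU-level monitor can make on the exploitation stage (example code written for this transcript, not Check Point's implementation), here is a shadow-stack replay over a constructed control-flow trace: every call pushes its return address, every ret must come back to one, and a ROP chain is a run of rets whose targets were never pushed. The trace format, the addresses and the bounded-unwind rule are assumptions for the example.

```python
# Constructed trace of retired call/ret events in the shape a branch tracer
# would report: (kind, source_ip, target_ip, fallthrough_ip). For a call,
# fallthrough_ip is the address after the call, i.e. the return address it
# pushes. Addresses are made up for the example.
TRACE = [
    ("call", 0x401000, 0x401200, 0x401005),  # main     -> handler
    ("call", 0x401210, 0x401400, 0x401215),  # handler  -> parse
    ("call", 0x401420, 0x401600, 0x401425),  # parse    -> validate
    ("ret",  0x401640, 0x401215, None),      # exception unwinds past parse (legitimate)
    ("ret",  0x401230, 0x40a0b3, None),      # handler's saved return address was overwritten
    ("ret",  0x40a0b4, 0x40a1c7, None),      # gadget -> gadget
    ("ret",  0x40a1c8, 0x40b010, None),      # gadget -> gadget
]


def check_trace(events, max_unwind=8):
    """Replay call/ret events against a shadow stack of expected return
    addresses. Returns (event_index, reason) for every ret whose target was
    never pushed by a call, which is what a ROP chain looks like in a trace."""
    shadow, alerts = [], []
    for i, (kind, src, dst, fallthrough) in enumerate(events):
        if kind == "call":
            shadow.append(fallthrough)
            continue
        if kind != "ret":
            continue
        if shadow and shadow[-1] == dst:
            shadow.pop()                  # ordinary matched return
            continue
        # Exception or longjmp unwinding returns into a deeper frame; accept it
        # by popping the skipped frames, but only within a bounded depth so a
        # chain cannot hide behind an unbounded search for a matching entry.
        for depth in range(2, min(len(shadow), max_unwind) + 1):
            if shadow[-depth] == dst:
                del shadow[-depth:]
                break
        else:
            expected = f"expected {shadow[-1]:#x}" if shadow else "shadow stack empty"
            alerts.append((i, f"ret at {src:#x} to {dst:#x} has no matching call ({expected})"))
    return alerts


def chain_length(alerts):
    """Longest run of consecutive flagged events. A ROP chain shows up as a
    run; a single stray mismatch (e.g. a hand-written trampoline) as length 1."""
    best = run = 0
    prev = None
    for idx, _ in alerts:
        run = run + 1 if prev is not None and idx == prev + 1 else 1
        best = max(best, run)
        prev = idx
    return best


if __name__ == "__main__":
    found = check_trace(TRACE)
    for idx, reason in found:
        print(idx, reason)
    print("longest chain:", chain_length(found))
```

The bounded unwind is the edge case worth getting right: exception dispatch and longjmp legitimately return past intermediate frames, so an exact-match check alone would raise on ordinary C++ code. The other practical caveat is trace start: a trace that begins mid-execution has an empty shadow stack, so tracking has to start from a known point (process start, or the first call observed) before a lone mismatch means anything, and the run length from chain_length is a more robust signal than a single flagged ret.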
Check Point Next Gen Threat Emulation

OS-Level (FASTEST) + CPU-Level (ADVANCED DETECTION): HIGHEST CATCH RATE, EVASION RESISTANT
How can we further reduce the attack surface?

Figure: ANTIVIRUS catches known or old malware; NG THREAT EMULATION detects unknown or zero-day malware; between their combined coverage and 100% lies a POSSIBLE SECURITY GAP.
Addressing the possible Security Gap: Threat Extraction

Proactively REMOVE potential malicious objects from ALL incoming attachments
• Eliminates any remaining threats
• 100% of all incoming attachments go through Threat Extraction, whether malicious or not
How Does Threat Extraction Work?

RECONSTRUCTS DOCUMENTS: removes embedded objects, macros and JavaScript code, sensitive hyperlinks

User examples:
• HR with CVs
• Purchasing receiving quotes
• Data from untrusted websites

Runs on the Security Gateway with the Threat Extraction Software Blade
Threat Extraction Statistics (tested thousands of recently-discovered malicious files)

Remove active content from the file (such as macros and embedded objects): cleaned 93% of the files; average cleaning time 0.3 seconds / document
Convert file to PDF: cleaned 100%; average conversion time 5 seconds
Configurable Content Removal For Original Format Documents

Administrator establishes removal policy:
• Macros or JavaScript
• Embedded objects
• External links
• Document properties
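An added example of that removal policy in code (example code written for this transcript, not Check Point's Threat Extraction implementation): a Python sanitizer for OOXML (.docx/.docm) that strips the four categories the slide lists and rewrites the package so that nothing left behind points at a deleted part. The sample document it runs on is constructed inline with placeholder bytes; the part names, relationship types and content types are the standard OOXML ones.

```python
import io
import posixpath
import re
import zipfile

# The slide's four removal categories; True means "strip it".
DEFAULT_POLICY = {"macros": True, "embedded_objects": True,
                  "external_links": True, "document_properties": True}
MACRO_MAIN_CT = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_MAIN_CT = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
HYPERLINK_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink"

def _attr(tag, key):
    m = re.search(rf'\b{key}="([^"]*)"', tag)
    return m.group(1) if m else None

def _removable(name, policy):
    """Is this zip part active content under the policy?"""
    low, base = name.lower(), posixpath.basename(name.lower())
    return ((policy["macros"] and base.startswith(("vbaproject", "vbadata")))
            or (policy["embedded_objects"] and low.startswith(("word/embeddings/", "word/activex/")))
            or (policy["document_properties"] and low.startswith("docprops/")))

def _clean_rels(rels_name, xml, removed, policy):
    """Drop relationships to removed parts and external hyperlinks; return (xml, dropped ids)."""
    base_dir = posixpath.dirname(posixpath.dirname(rels_name))  # 'word/_rels/x.rels' -> 'word'
    dropped = set()
    def keep(m):
        tag, target = m.group(0), _attr(m.group(0), "Target") or ""
        if _attr(tag, "TargetMode") == "External":
            drop = policy["external_links"] and _attr(tag, "Type") == HYPERLINK_REL
        else:  # '/'-prefixed Targets are package-absolute, others relative to the source part
            part = target[1:] if target.startswith("/") else posixpath.normpath(posixpath.join(base_dir, target))
            drop = part in removed
        if drop:
            dropped.add(_attr(tag, "Id"))
        return "" if drop else tag
    return re.sub(r"<Relationship\b[^>]*/>", keep, xml), dropped

def _clean_document(xml, dropped, policy):
    """Unwrap hyperlinks whose relationship was dropped (the text stays); delete <w:object> blocks."""
    xml = re.sub(r'<w:hyperlink\b[^>]*\br:id="([^"]+)"[^>]*>(.*?)</w:hyperlink>',
                 lambda m: m.group(2) if m.group(1) in dropped else m.group(0), xml, flags=re.S)
    if policy["embedded_objects"]:   # <w:object> carries the OLE reference and its preview image
        xml = re.sub(r"<w:object\b.*?</w:object>", "", xml, flags=re.S)
    return xml

def extract_threats(data, policy=DEFAULT_POLICY):
    """Return (sanitized_zip_bytes, report) for a .docx/.docm given as bytes."""
    src = zipfile.ZipFile(io.BytesIO(data))
    names = src.namelist()
    removed = {n for n in names if _removable(n, policy)}
    rels = {n: _clean_rels(n, src.read(n).decode(), removed, policy)
            for n in names if n.endswith(".rels") and n not in removed}
    doc_dropped = rels.get("word/_rels/document.xml.rels", ("", set()))[1]
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for n in names:
            if n in removed:
                continue
            if n in rels:
                body = rels[n][0].encode()
            elif n == "[Content_Types].xml":  # forget removed parts; downgrade a macro-enabled main part
                ct = src.read(n).decode().replace(MACRO_MAIN_CT, PLAIN_MAIN_CT)
                keep = lambda m: "" if (_attr(m.group(0), "PartName") or "").lstrip("/") in removed else m.group(0)
                body = re.sub(r"<Override\b[^>]*/>", keep, ct).encode()
            elif n == "word/document.xml":
                body = _clean_document(src.read(n).decode(), doc_dropped, policy).encode()
            else:
                body = src.read(n)
            dst.writestr(n, body)
    report = {"removed_parts": sorted(removed),
              "dropped_rels": {n: sorted(d) for n, (_, d) in rels.items() if d}}
    return out.getvalue(), report

def parts_of(data):
    z = zipfile.ZipFile(io.BytesIO(data))
    return {n: z.read(n) for n in z.namelist()}

def build_sample_docm():
    """Constructed macro-enabled document: VBA part, OLE object, external link; placeholder bytes only."""
    parts = {
        "[Content_Types].xml": f'<Types><Override PartName="/word/document.xml" ContentType="{MACRO_MAIN_CT}"/>'
            '<Override PartName="/word/vbaProject.bin" ContentType="application/vnd.ms-office.vbaProject"/></Types>',
        "_rels/.rels": '<Relationships><Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument" Target="word/document.xml"/>'
            '<Relationship Id="rId2" Type="http://schemas.openxmlformats.org/package/2006/relationships/metadata/core-properties" Target="docProps/core.xml"/></Relationships>',
        "word/_rels/document.xml.rels": '<Relationships><Relationship Id="rId1" Type="http://schemas.microsoft.com/office/2006/relationships/vbaProject" Target="vbaProject.bin"/>'
            f'<Relationship Id="rId2" Type="{HYPERLINK_REL}" Target="http://example.invalid/update" TargetMode="External"/>'
            '<Relationship Id="rId3" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" Target="embeddings/oleObject1.bin"/></Relationships>',
        "word/document.xml": '<w:document><w:body><w:p><w:r><w:t>Invoice attached. </w:t></w:r>'
            '<w:hyperlink r:id="rId2"><w:r><w:t>Click here</w:t></w:r></w:hyperlink>'
            '<w:object><o:OLEObject r:id="rId3"/></w:object></w:p></w:body></w:document>',
        "word/vbaProject.bin": b"\xd0\xcf\x11\xe0 placeholder vba project",
        "word/embeddings/oleObject1.bin": b"\xd0\xcf\x11\xe0 placeholder ole object",
        "docProps/core.xml": "<cp:coreProperties><dc:creator>alice</dc:creator></cp:coreProperties>",
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, body in parts.items():
            z.writestr(name, body)
    return buf.getvalue()
```

Deleting the VBA part on its own is not a clean job: the main part's content type still says macroEnabled, the relationship that pointed at the deleted part now dangles (Office flags such packages as damaged), and the sanitized output should be saved under a .docx name since it is no longer macro-enabled. The code handles the first two; the rename is up to the caller. The deck's second option, converting to PDF, sidesteps all of this, which is why it cleans 100% of files, at the cost of the editable original.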
Always Maintain Access to Originals
Check Point Offering

NG Threat Emulation: visibility on attack attempts and inspection of original documents
Threat Extraction: zero malware documents delivered in zero seconds
Threat Extraction/Emulation Demo
https://threatemulation.checkpoint.com/
Zero Second Protection: Industry’s Fastest Threat Emulation
Test Results for Detecting and Blocking Malware

Check Point: Industry’s Fastest Threat Emulation!
A Real Customer Example
Live Demo
Summary: NG Threat Emulation + Threat Extraction

NG Threat Emulation (STRONGEST): advanced detection, evasion resistant, fastest, highest catch rate
Threat Extraction (BEST): zero second delivery, zero malware, safe documents

TRY IT NOW! It’s easy and free!