CheckPoint Sandblast _ Protection against Zero-Day Threats

©2016 Check Point Software Technologies Ltd. A new level of ransomware, or how to protect against zero-day threats

Transcript of CheckPoint Sandblast _ Protection against Zero-Day Threats

PowerPoint Presentation


Brian Dye, Symantec's senior vice president for information security, said in an interview with the WSJ.

IPS

[Restricted] ONLY for designated groups and individuals

The malware hides itself in legitimate photo-sharing sites. Real pictures, mean malware.

The images were legitimately uploaded to a legitimate server in Australia.

99%  58  (Source: Verizon 2016 Data Breach Investigations Report)


CVE, URL, APT

[Protected] Non-confidential content

IP addresses and URLs. Advanced Persistent Threats (APT).


THREAT CONTAINED


THREAT EMULATION

THREAT EXTRACTION

ENDPOINT FORENSICS

ZERO PHISHING

ZERO RANSOMWARE


SandBlast EXPLOIT

CPU Detection Engine

Let's take a deeper look at the CPU-level detection.

The first step a hacker must take is to find a vulnerability, a weakness in some piece of software, maybe the browser, or Java, or Windows. This lets them inject their exploit code into memory, bypassing security controls. Once it is there, they can run their shellcode, essentially a small application that then retrieves the malware, either from the original file or over the network. Now they can do what they really came for, whether that is exfiltrating data, logging keystrokes, or spreading additional malware behind your firewall.

Now look at this chain and what is going on. At the top of the chain there are thousands of vulnerabilities out there, and hundreds of them are active and unpatched at any point in time. Getting into computers and being able to talk to them is still not that difficult for hackers.

At the end of the chain there are millions and millions of different types of malware: malware that might try to exfiltrate data from your network, or malware that might run a bot to spread through the network or initiate command and control to other machines in the network.

But getting from the top to the bottom has to go through the very narrow stream of exploits, of which there are only a handful. The way an attacker tries to evade detection in the sandbox is down at the bottom of that chain: as the malware starts up, it looks for the VM, or waits for user interaction, or delays for a week. But that only happens late in the chain.

If we come in at the exploit phase, where there are only a handful of techniques, we are a step ahead of those malware variants. The fact that someone has created a new, slightly modified version of the malware doesn't matter; we still see it because it uses the same exploit. Very few new exploits are written. When they appear, our team quickly finds out about them through ThreatCloud and Incident Response, and we quickly build protections against them.

It is also a step earlier in the attack cycle, BEFORE the evasion code can run.


DEP (Data Execution Prevention) marks data pages non-executable, so injected shellcode cannot simply be run; ASLR (Address Space Layout Randomization) randomizes where the OS loads DLLs and other modules.

ROP (Return Oriented Programming) gets around this by reusing code that is already executable in the OS and its DLLs: the attacker overwrites the stack with a chain of addresses of short instruction sequences ("gadgets") that each end in RET, and the chained gadgets do the work of the shellcode (typically making a buffer executable and then jumping to the shellcode proper).
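As an added example (not Check Point's code, and not a description of the proprietary CPU Detection Engine), the following Python models the generic idea behind CPU-level ROP detection that the exploit-chain notes and the ROP slide above describe: a trace of taken branches, of the kind a processor can record with Last Branch Record or Processor Trace, is checked against two public heuristics, that every RET must land at the instruction immediately following a CALL, and that a run of several very short RET-terminated snippets is a gadget chain. The instruction listing, both branch traces and the thresholds are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class Insn:
    addr: int        # virtual address
    mnemonic: str
    size: int        # bytes; the next instruction starts at addr + size


@dataclass(frozen=True)
class Branch:
    kind: str        # "call" or "ret": the record types a branch trace exposes
    src: int         # address of the branch instruction itself
    dst: int         # address control was transferred to


# Constructed disassembly: a caller, two small callees and three gadget tails.
PROGRAM: List[Insn] = [
    Insn(0x1000, "push", 1), Insn(0x1001, "call", 5), Insn(0x1006, "test", 2),
    Insn(0x1008, "jne", 2),  Insn(0x100A, "call", 5), Insn(0x100F, "ret", 1),
    Insn(0x2000, "mov", 3),  Insn(0x2003, "add", 3),  Insn(0x2006, "ret", 1),   # callee 1
    Insn(0x2100, "xor", 2),  Insn(0x2102, "ret", 1),                            # callee 2
    Insn(0x3000, "pop", 1),  Insn(0x3001, "ret", 1),                            # gadget: pop; ret
    Insn(0x3010, "pop", 1),  Insn(0x3011, "pop", 1),  Insn(0x3012, "ret", 1),   # gadget: pop; pop; ret
    Insn(0x3020, "xchg", 2), Insn(0x3022, "ret", 1),                            # gadget: xchg; ret
]
BY_ADDR: Dict[int, Insn] = {i.addr: i for i in PROGRAM}
# The only legitimate RET targets: the instruction right after every CALL.
RETURN_SITES: Set[int] = {i.addr + i.size for i in PROGRAM if i.mnemonic == "call"}

# Normal execution: call, return to the call site, call, return.
LEGIT_TRACE = [Branch("call", 0x1001, 0x2000), Branch("ret", 0x2006, 0x1006),
               Branch("call", 0x100A, 0x2100), Branch("ret", 0x2102, 0x100F)]
# A corrupted return address in callee 1 starts a gadget chain.
ROP_TRACE = [Branch("call", 0x1001, 0x2000), Branch("ret", 0x2006, 0x3000),
             Branch("ret", 0x3001, 0x3010), Branch("ret", 0x3012, 0x3020),
             Branch("ret", 0x3022, 0x3000)]


def is_call_preceded(target: int) -> bool:
    """A RET that does not land right after a CALL is not a real function return."""
    return target in RETURN_SITES


def gadget_length(start: int, end: int) -> int:
    """Instructions executed walking linearly from `start` up to the branch at `end`."""
    count, addr = 0, start
    while addr in BY_ADDR:
        count += 1
        if addr == end:
            break
        addr += BY_ADDR[addr].size
    return count


def detect_rop(trace: List[Branch], max_gadget: int = 3, min_chain: int = 3) -> List[str]:
    """Return one alert per RET with a non-call-preceded target, plus one alert
    when `min_chain` consecutive RET-to-RET hops each executed <= `max_gadget` instructions."""
    alerts: List[str] = []
    hops, chain_reported = 0, False
    for i, b in enumerate(trace):
        if b.kind != "ret":
            hops = 0                      # a real CALL breaks any gadget run
            continue
        if not is_call_preceded(b.dst):
            alerts.append(f"ret at {b.src:#x} -> {b.dst:#x}: target is not preceded by a call")
        nxt = trace[i + 1] if i + 1 < len(trace) else None
        if nxt is not None and nxt.kind == "ret" and gadget_length(b.dst, nxt.src) <= max_gadget:
            hops += 1
            if hops >= min_chain and not chain_reported:
                alerts.append(f"{hops} consecutive short gadgets ending at {nxt.src:#x}: ROP chain")
                chain_reported = True
        else:
            hops = 0
    return alerts


def is_exploit(trace: List[Branch]) -> bool:
    return bool(detect_rop(trace))


if __name__ == "__main__":
    for label, trace in (("legit", LEGIT_TRACE), ("rop", ROP_TRACE)):
        print(label, detect_rop(trace) or "clean")
```

The call-preceded rule alone already fires on every hop of the constructed chain, before any gadget has had a chance to call VirtualProtect or fetch a payload, which is the "earlier than the evasion code" point the notes make. A production engine has to whitelist the legitimate non-call-preceded returns it will meet (setjmp/longjmp, exception unwinding, some JIT trampolines), and an attacker aware of the rule will reach for call-preceded gadgets and longer gadgets, so both thresholds are tuning knobs, not constants.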


27 WEB INSPECTION, MACHINE LEARNING, DOCUMENT VALIDITY, BEHAVIOR ANALYTICS, CPU LEVEL DETECTION, ANTI-RANSOMWARE, ANTI-PHISHING, THREAT EXTRACTION, FORENSICS, DECOYS & TRAPS, MEMORY ANALYSIS


Sandblast Threat Extraction


SandBlast takes a new approach to this problem: it provides a safe COPY of each file until inspection is complete, which allows deployment in full blocking mode. Any threat identified still generates an alert, but the malware was prevented from reaching the user.

SandBlast calls this capability Threat Extraction. It creates a clean, reconstructed version of the document using only safe components: scripts and macros are removed, and dynamic content is rendered as a static view.

This is not intended to replace the original, but for many users being able to view the content is all that is needed, and within minutes the original can be retrieved, but only after it is deemed safe.
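One slice of what the Threat Extraction passage above describes, as an added Python example (not Check Point's implementation): an Office Open XML document is a zip of XML parts, so a macro can be stripped by dropping the VBA part, the relationship that points at it and the content-type entries that declare it, while the text body is carried over untouched. The sample .docm is constructed in memory and its vbaProject.bin is a placeholder, not a real macro; the part names, relationship type and content-type strings are the ones the OOXML and Office formats actually use.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import List, Tuple

CT_NS = "http://schemas.openxmlformats.org/package/2006/content-types"
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
VBA_REL_TYPE = "http://schemas.microsoft.com/office/2006/relationships/vbaProject"
MACRO_MAIN_CT = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_MAIN_CT = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"


def build_sample_docm() -> bytes:
    """Constructed macro-enabled document: real part layout, placeholder VBA blob."""
    parts = {
        "[Content_Types].xml":
            f'<Types xmlns="{CT_NS}">'
            '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
            '<Default Extension="xml" ContentType="application/xml"/>'
            '<Default Extension="bin" ContentType="application/vnd.ms-office.vbaProject"/>'
            f'<Override PartName="/word/document.xml" ContentType="{MACRO_MAIN_CT}"/>'
            '</Types>',
        "_rels/.rels":
            f'<Relationships xmlns="{REL_NS}"><Relationship Id="rId1" '
            'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument" '
            'Target="word/document.xml"/></Relationships>',
        "word/document.xml":
            f'<w:document xmlns:w="{W_NS}"><w:body><w:p><w:r><w:t>Invoice attached.</w:t>'
            '</w:r></w:p></w:body></w:document>',
        "word/_rels/document.xml.rels":
            f'<Relationships xmlns="{REL_NS}">'
            f'<Relationship Id="rId1" Type="{VBA_REL_TYPE}" Target="vbaProject.bin"/>'
            '</Relationships>',
        # Placeholder bytes standing in for the OLE container that would hold an AutoOpen macro.
        "word/vbaProject.bin": b"\xd0\xcf\x11\xe0 placeholder, not a real VBA project",
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, data in parts.items():
            z.writestr(name, data)
    return buf.getvalue()


def _serialize(root: ET.Element, ns: str) -> bytes:
    ET.register_namespace("", ns)          # emit the package namespace as the default xmlns
    return ET.tostring(root, encoding="utf-8", xml_declaration=True)


def _clean_content_types(xml_bytes: bytes) -> bytes:
    """Drop VBA declarations and demote the main part from macroEnabled to plain."""
    root = ET.fromstring(xml_bytes)
    for el in list(root):
        ct, part = el.get("ContentType", ""), el.get("PartName", "")
        if "vbaProject" in ct or part.startswith("/word/vba"):
            root.remove(el)
        elif ct == MACRO_MAIN_CT:
            el.set("ContentType", PLAIN_MAIN_CT)
    return _serialize(root, CT_NS)


def _clean_rels(xml_bytes: bytes) -> Tuple[bytes, List[str]]:
    """Remove relationships that point at the VBA project; return the targets dropped."""
    root, dropped = ET.fromstring(xml_bytes), []
    for el in list(root):
        if el.get("Type") == VBA_REL_TYPE:
            dropped.append(el.get("Target", ""))
            root.remove(el)
    return _serialize(root, REL_NS), dropped


def extract_safe_copy(doc: bytes) -> Tuple[bytes, List[str]]:
    """Rebuild the package without its VBA parts; returns (safe_copy, what_was_removed)."""
    removed: List[str] = []
    out_buf = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(doc)) as src, \
            zipfile.ZipFile(out_buf, "w", zipfile.ZIP_DEFLATED) as dst:
        for name in src.namelist():
            data = src.read(name)
            if name.startswith("word/vba"):        # vbaProject.bin, vbaData.xml
                removed.append(name)
                continue
            if name == "[Content_Types].xml":
                data = _clean_content_types(data)
            elif name.endswith(".rels"):
                data, dropped = _clean_rels(data)
                removed.extend(f"{name}: relationship to {t}" for t in dropped)
            dst.writestr(name, data)
    return out_buf.getvalue(), removed


def has_active_content(doc: bytes) -> bool:
    """True if any VBA part or macro-enabled content type is still declared."""
    with zipfile.ZipFile(io.BytesIO(doc)) as z:
        names = z.namelist()
        ct = z.read("[Content_Types].xml").decode("utf-8")
    return any(n.startswith("word/vba") for n in names) or "macroEnabled" in ct or "vbaProject" in ct


def body_text(doc: bytes) -> str:
    """Concatenated <w:t> runs, to show the visible content survived the rewrite."""
    with zipfile.ZipFile(io.BytesIO(doc)) as z:
        root = ET.fromstring(z.read("word/document.xml"))
    return "".join(t.text or "" for t in root.iter(f"{{{W_NS}}}t"))


if __name__ == "__main__":
    original = build_sample_docm()
    safe, removed = extract_safe_copy(original)
    print("removed:", removed, "| still active:", has_active_content(safe), "| text:", body_text(safe))
```

The rewrite is done on the package structure, never by scanning the VBA blob for known-bad code, which is why it needs no signature for the macro and works the same for a brand-new one. Real documents carry more active content than this (DDE fields, OLE objects, embedded files, external relationships), and a full reconstruction handles each of them the same way: rebuild from the parts you trust rather than delete the parts you recognize.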


SANDBLAST: Threat Emulation, Threat Extraction, Zero Phishing, Forensics

API


Threat Extraction


SANDBLAST APPLIANCE / CHECK POINT GATEWAY

SANDBLAST CLOUD


HTTPS

[Confidential] For designated groups and individuals


SandBlast Agent


SANDBLAST CLOUD

SandBlast


PDF

With today's sophisticated watering-hole, spear-phishing and drive-by exploits, malicious content downloaded from the web is of particular concern. For this content we provide a unique proactive approach to securing it, Threat Extraction.

Visual Similarity, Text Similarity, Title Similarity, URL Similarity, Lookalike Characters, Image Only Site, Multiple Top-Level Domain, Lookalike Favicon, IP Reputation, Domain Reputation

PHISHING SCORE: 95%
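As an added example (not Check Point's scoring logic), here is a Python scorer for the URL-side signals in the list above: lookalike characters, URL similarity to a protected brand, multiple top-level domains inside one hostname, and IP reputation. The brand list, the bad-IP list, the homoglyph table and the weights are constructed for illustration, and the registrable domain is taken naively as the last two labels rather than from the Public Suffix List.

```python
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Constructed reference data for the example.
PROTECTED_BRANDS = {"paypal.com", "checkpoint.com"}   # brands whose impersonation we score
BAD_IPS = {"198.51.100.23"}                           # stand-in for an IP reputation feed
TLD_LABELS = {"com", "net", "org"}                    # TLDs that should not appear mid-hostname
HOMOGLYPHS = {                                        # lookalike character -> Latin letter
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "@": "a", "$": "s",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",   # Cyrillic
    "\u0443": "y", "\u0445": "x", "\u03bf": "o", "\u0131": "i",                  # Cyrillic, Greek, dotless i
}
WEIGHTS = {"brand_impersonation": 35, "lookalike_characters": 20,
           "multiple_tld": 15, "bad_ip_reputation": 25}   # illustrative weights, not Check Point's


def normalize_label(label: str) -> str:
    """Lowercase and map every known lookalike character to the letter it imitates."""
    return "".join(HOMOGLYPHS.get(ch, ch) for ch in label.lower())


def levenshtein(a: str, b: str) -> int:
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def host_labels(url: str) -> List[str]:
    host = urlsplit(url).hostname or ""     # already lowercased by urlsplit
    return [label for label in host.split(".") if label]


def phishing_features(url: str, resolved_ip: Optional[str] = None) -> Dict[str, bool]:
    labels = host_labels(url)
    registered = ".".join(labels[-2:])      # naive registrable domain (no Public Suffix List)
    normalized = [normalize_label(label) for label in labels]
    brand_names = {b.split(".")[0] for b in PROTECTED_BRANDS}
    # A brand name anywhere in the hostname (after de-homoglyphing, allowing one typo)
    # while the registrable domain is not the brand's own is the impersonation signal.
    impersonation = registered not in PROTECTED_BRANDS and any(
        name in n or levenshtein(n, name) <= 1 for n in normalized for name in brand_names)
    return {
        "brand_impersonation": impersonation,
        "lookalike_characters": any(n != label for n, label in zip(normalized, labels)),
        "multiple_tld": any(label in TLD_LABELS for label in labels[:-1]),
        "bad_ip_reputation": resolved_ip in BAD_IPS,
    }


def phishing_score(url: str, resolved_ip: Optional[str] = None) -> int:
    """Weighted sum of the signals that fired, capped at 100."""
    hits = phishing_features(url, resolved_ip)
    return min(100, sum(WEIGHTS[k] for k, v in hits.items() if v))


if __name__ == "__main__":
    for u, ip in (("https://www.paypal.com/signin", None),
                  ("https://secure-paypa1.com.login-verify.net/", "198.51.100.23"),
                  ("https://www.p\u0430ypal.com/", None)):
        print(f"{phishing_score(u, ip):3d}%  {u}  {phishing_features(u, ip)}")
```

Every signal here is computable before the page is rendered, which is what makes them cheap to apply in-line on a gateway; the page-side signals on the slide (visual, text, title and favicon similarity, image-only pages) need the fetched content and are what catches a phishing kit that sits on an unremarkable domain. The IDNA caveat matters in practice: a browser sends the Cyrillic example as punycode (`xn--...`), so a real scorer decodes the A-label back to Unicode before running the homoglyph table.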


Corporate Credentials


ANTI-BOT, C&C


SandBlast Agent

AV, AB (Anti-Virus, Anti-Bot)


SmartEvent

Processes, Registry, Files, Network


C&C

Chrome

We trace the whole path and can see everything along it. You see the investigation trigger (which was reaching out to a C&C server). It traced back to the original point of infection and identified the origin of entry (someone browsing with Chrome, and specifically the website used). The system rebooted, and we can see what happens when the dropper installs the malware, which was waiting for the reboot. It sees when the system was scheduled to execute it post-reboot and the entry into the task scheduler. You see when it tried to execute the malware, and when it is picked up and blocked.

In other words, you can see the whole path. This is a pretty simple case; in a multi-stage attack this could happen over days or weeks and involve multiple pieces of malware executing and downloading.
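The trace-back described above, as an added Python example (not SandBlast Agent's forensics engine): over a constructed endpoint event log (process creations, file writes, a scheduled-task registration, a reboot and network connections) it starts at the C&C connection and walks backwards, following "who registered the task that runs this image", "who wrote this executable" and "who spawned this process" links, until it reaches the browser session and the URL that started it. The event fields, the log lines and the C&C address are assumptions of the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Event:
    t: int                 # monotonically increasing timestamp
    kind: str              # "proc" | "file" | "task" | "net" | "reboot"
    pid: int = 0
    ppid: int = 0
    image: str = ""        # proc: executable started; task: executable the task will launch
    path: str = ""         # file: path written
    url: str = ""          # net: destination
    name: str = ""         # task: task name


CC_HOST = "198.51.100.23"   # constructed C&C address (TEST-NET-2 range)

# Constructed endpoint log modelled on the slide's walkthrough; pids are unique across the reboot.
EVENTS: List[Event] = [
    Event(1, "proc", pid=100, ppid=1, image="explorer.exe"),
    Event(2, "proc", pid=200, ppid=100, image="chrome.exe"),
    Event(3, "net", pid=200, url="http://photos.example.test/holiday.jpg"),
    Event(4, "file", pid=200, path=r"C:\Users\u\Downloads\holiday.jpg.exe"),
    Event(5, "proc", pid=300, ppid=200, image=r"C:\Users\u\Downloads\holiday.jpg.exe"),
    Event(6, "file", pid=300, path=r"C:\ProgramData\upd\svc.exe"),
    Event(7, "task", pid=300, name="Updater", image=r"C:\ProgramData\upd\svc.exe"),
    Event(8, "reboot"),
    Event(9, "proc", pid=400, ppid=1, image="svchost.exe"),       # task scheduler host
    Event(10, "proc", pid=500, ppid=400, image=r"C:\ProgramData\upd\svc.exe"),
    Event(11, "net", pid=500, url=f"https://{CC_HOST}/beacon"),   # the investigation trigger
]


@dataclass(frozen=True)
class Step:
    pid: int
    image: str
    how: str               # how this process is linked to the previous step of the chain


def find_trigger(events: List[Event]) -> Optional[int]:
    """Pid of the first process that talked to the C&C host."""
    for e in events:
        if e.kind == "net" and CC_HOST in e.url:
            return e.pid
    return None


def trace_back(events: List[Event], trigger_pid: int) -> List[Step]:
    """Walk from the trigger process towards the point of entry, preferring infection
    links (task registration, dropped file) over the plain parent/child relation."""
    procs: Dict[int, Event] = {e.pid: e for e in events if e.kind == "proc"}
    task_by_image = {e.image.lower(): e for e in events if e.kind == "task"}
    writer_by_path = {e.path.lower(): e for e in events if e.kind == "file"}
    chain: List[Step] = []
    pid, how = trigger_pid, "investigation trigger: connection to C&C"
    while pid in procs and pid not in {s.pid for s in chain}:
        p = procs[pid]
        chain.append(Step(pid, p.image, how))
        img = p.image.lower()
        if img in task_by_image:                 # persistence link: survives the reboot
            task = task_by_image[img]
            pid, how = task.pid, f"registered scheduled task '{task.name}' to run {p.image}"
        elif img in writer_by_path:              # dropped-file link
            pid, how = writer_by_path[img].pid, f"wrote {p.image} to disk"
        elif p.ppid in procs:                    # plain parent/child link
            pid, how = p.ppid, f"spawned pid {p.pid} ({p.image})"
        else:
            break                                # reached a root with no recorded parent
    return chain


def entry_point(events: List[Event], chain: List[Step]) -> Optional[Tuple[int, str, str]]:
    """Earliest non-C&C network fetch by any process on the chain: the origin of entry."""
    pids = {s.pid for s in chain}
    for e in events:
        if e.kind == "net" and e.pid in pids and CC_HOST not in e.url:
            image = next(s.image for s in chain if s.pid == e.pid)
            return (e.pid, image, e.url)
    return None


def crossed_reboot(events: List[Event], chain: List[Step]) -> bool:
    """True if a reboot happened between the first and last process on the chain."""
    started = {e.pid: e.t for e in events if e.kind == "proc"}
    times = sorted(started[s.pid] for s in chain)
    return any(e.kind == "reboot" and times[0] < e.t < times[-1] for e in events)


if __name__ == "__main__":
    trigger = find_trigger(EVENTS)
    chain = trace_back(EVENTS, trigger)
    for s in chain:
        print(f"pid {s.pid:<4} {s.image:<40} {s.how}")
    print("entry:", entry_point(EVENTS, chain), "| crossed reboot:", crossed_reboot(EVENTS, chain))
```

The parent/child relation alone would have stopped at svchost.exe after the reboot; it is the scheduled-task and dropped-file links that carry the chain across the restart and back to the browser, which is why an agent has to record file writes and persistence changes and not only process creation. In the multi-stage case the notes mention, the same walk simply has more hops and more link types (services, Run keys, WMI subscriptions) to follow.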


Dashboard


We know security can be complex to implement. Our management system translates your security strategy into reality with unified policy and event management, known in the industry as the management gold standard. This management system provides end-to-end visibility that enables our customers to react quickly to any events affecting their network and also enables them to better prevent threats.

Since our management is unified and the visibility and policy components are linked together, an administrator can, in a single step, click on a security event and convert it into a new security rule.

Also, based on third-party analyst research, Check Point leads all other security vendors in needing the fewest people to manage an extensive network of security gateways.
