Post on 06-Apr-2017
©2014. CYREN Ltd. All Rights Reserved. Proprietary and Confidential. ©2016. CYREN Ltd. All Rights Reserved. This document and the contents therein are the sole property of CYREN and may not be transmitted or reproduced without CYREN’s express written permission.
Why Evasive Zero-day Attacks Are Killing Traditional Sandboxing
Richard Stiennon, IT-Harvest
Lior Kohavi, Cyren
Today’s Speakers
Richard Stiennon, Chief Research Analyst, IT-Harvest
Lior Kohavi, Chief Technology Officer, Cyren
Agenda
• Trends in zero-day attacks
• The next generation of zero-day threat defense
• Q&A
Richard Stiennon, Chief Research Analyst, IT-Harvest
Blog: www.csoonline.com/blog/stiennons-security-scorecard
twitter.com/cyberwar
Malware at the Root of Most Threats
Threatscape 2016 (timeline: 2010 to 20??)
• APT (espionage)
• Botnets (spam, DDoS)
• Droppers (data theft, ransomware)
• Worms (sabotage)
• Backdoors (surveillance)
Targeting of High Value Data
• Adversary knows what they want
• Where it is
• Who has it
• Will stop at nothing
Starting in 2000 and persisting for at least ten years: “over the years [Chinese hackers] downloaded technical papers, research-and-development reports, business plans, employee emails and other documents”
Compromised designs include:
• The advanced Patriot missile system (PAC-3)
• The Terminal High Altitude Area Defense (THAAD)
• Navy’s Aegis ballistic-missile defense system
• F/A-18 fighter jet
• V-22 Osprey
• Black Hawk helicopter
• Littoral Combat Ship
• F-35 Joint Strike Fighter
The RSA Attack, March 2011
A persistent, relentless drive to capture SecurID seeds.
But Don’t Worry
“…at this time we are confident that the information extracted does not enable a successful direct attack on any of our RSA SecurID customers”
Source: Open Letter, http://www.sec.gov/Archives/edgar/data/790070/000119312511070159/dex991.htm
Lockheed Martin, May 2011
• Tracking the same campaign for over a year
• Saw the escalation
• Cut off all access via RSA SecurID tokens
Whaling
• Combine capabilities and existing presence with ransomware and you get a recipe for disaster.
• From precision to scatter shot: advanced targeting techniques now applied to the mass market.
• From October 2013 through February 2016, law enforcement received reports from 17,642 victims.
• This amounted to more than $2.3 billion in losses.
• Since January 2015, the FBI has seen a 270 percent increase in identified victims and exposed loss.
• One company lost $100 million
Cyber sabotage: Stuxnet
Diagram: Step 7 software → rootkit DLL (s7otbxdx.dll) in place of the renamed original DLL (s7otbxsx.dll) → Siemens Programmable Logic Controller; new data blocks added.
BlackEnergy Targets ICS
Vulnerable systems:
• GE Cimplicity
• Advantech/Broadwin WebAccess
• Siemens WinCC
Sandboxes are required for zero-day defense.
But how do you know you have the right sandbox?
• Technology is moving too fast
• Attackers are evading sandboxes
Detonation Chamber
Multiple environments:
• Emulation
• VM
• Full application stack
It is going to get much worse
Photo caption: X-47B makes first flight from aircraft carrier
• Autonomous code will shorten the possible response time from minutes/hours to seconds.
• Prevention is going to be the only line of defense.
Richard Stiennon, Chief Research Analyst, IT-Harvest
richard@it-harvest.com
Blog: Forbes Cyber Domain
twitter.com/stiennon
Agenda
• Trends in zero-day attacks
• The next generation of zero-day threat defense
• Q&A
Cyren sees a huge volume of threat traffic
But malware is becoming smarter
Methods to defeat anti-malware tools:
• Polymorphism
• Encryption
• Droppers
• Packers
Methods to evade sandboxes:
• Delayed Activation: out-wait the sandbox
• Sandbox Detection: identify files or registry keys that indicate a virtual environment
• Human Interaction: look for human activity such as mouse movement or page scrolling
Hyper-evasive malware is killing sandboxing
1. Attackers exploit the limited CPU cycles of appliances
• First-generation sandboxes are limited by time and processing power
2. Attackers know that every sandbox has limitations
• Some sandboxes are more effective at OS and registry analysis, others at network behavior, etc.
3. Sandboxing is only one technique
• Effective threat detection requires multiple techniques
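As an added example (not Cyren's code) of how a multi-environment pipeline can turn the three evasion techniques above into a decision instead of a false "clean" verdict, the following scores a behaviour trace and says when a run must be re-escalated. The trace, API names, thresholds and VM-artifact patterns are constructed assumptions for illustration, not a record of any real sample.

```python
"""Added example (not Cyren code): score a sandbox behaviour trace for the
evasion techniques listed on the slides and decide whether a clean run can
be trusted or must be re-escalated to a different environment."""
import re

# Constructed API-call trace as a behaviour monitor might log it; made up.
SAMPLE_TRACE = [
    ("NtQuerySystemInformation", "SystemBasicInformation"),
    ("Sleep", "600000"),                     # 10 minutes: out-wait the sandbox
    ("RegOpenKeyEx", r"HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions"),
    ("GetCursorPos", ""), ("GetCursorPos", ""), ("GetCursorPos", ""),
    ("CreateFile", r"C:\Users\user\AppData\Local\Temp\stage2.tmp"),
]

# Thresholds and API lists are assumptions chosen for illustration.
LONG_SLEEP_MS = 120_000                      # one sleep of >= 2 minutes
DELAY_APIS = {"Sleep", "SleepEx", "NtDelayExecution"}
ARTIFACT_APIS = {"RegOpenKeyEx", "RegQueryValueEx", "CreateFile", "FindFirstFile"}
VM_ARTIFACT = re.compile(r"virtualbox|vbox|vmware|qemu|xen", re.IGNORECASE)
INPUT_POLL_APIS = {"GetCursorPos", "GetLastInputInfo", "GetAsyncKeyState"}
POLL_THRESHOLD = 3                           # repeated polling, not a one-off


def classify_evasion(trace):
    """Count evidence per technique: delayed activation, sandbox detection,
    human-interaction checks."""
    hits = {"delayed_activation": 0, "sandbox_detection": 0, "human_interaction": 0}
    for api, arg in trace:
        if api in DELAY_APIS and arg.isdigit() and int(arg) >= LONG_SLEEP_MS:
            hits["delayed_activation"] += 1
        elif api in ARTIFACT_APIS and VM_ARTIFACT.search(arg):
            hits["sandbox_detection"] += 1
        elif api in INPUT_POLL_APIS:
            hits["human_interaction"] += 1
    return hits


def verdict(trace, malicious_behaviour_seen):
    """A clean run is only trusted when no evasion was attempted; otherwise
    the sample goes back for re-escalation (longer clock, no VM artifacts,
    simulated user input). Returns (verdict, triggered_techniques)."""
    if malicious_behaviour_seen:
        return "malicious", []
    hits = classify_evasion(trace)
    triggered = [name for name, count in hits.items()
                 if count >= (POLL_THRESHOLD if name == "human_interaction" else 1)]
    return ("re-escalate" if triggered else "not_malicious"), triggered
```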
Cyren’s vision for zero-day threat defense
1. Cloud-based
• Cloud-scale compute resources
• Massive visibility into the Internet threat environment (size matters)
2. Multi-layer
• Sandboxing
• Reputation
3. Multiple different types of sandboxes
Cyren’s multi-layered security engine (layers ordered from Known Threats to Unknown Threats)
• URL Filtering: 64 URL categories; zero-hour malware, phishing, C&C
• Dynamic Web Reputation: risk calculation; URL, IP, Host, Domain, ASN; big data analytics
• Anti-Malware: signature and algorithmic scanning; heuristics and emulation; leverages email outbreak visibility
• Cloud Sandbox Array: multiple sandboxes; recursive analysis
Dynamic Web Reputation Analysis – How it works
Diagram: relation graph linking Host1–Host3, Domain1–Domain3, IP1–IP2, NS, BGP1–BGP2, ASN and Registrant.
Reputation: a score (0-100) representing the likelihood of an accessed URL being malicious. The higher the score, the greater the probability that the URL is malicious.
Goal: calculate the reputation for known and unknown accessed URL/Host/Domain/IP.
Reputation calculation is based on relations between entities: Files, URLs, Hosts, IPs, Domains, Registrants, ASN.
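As an added illustration, not Cyren's algorithm, of how a score for a never-seen URL can be derived from the entity relations on the slide: risk flows from neighbours with observed reputation, attenuated by how strong each relation is. Every relation weight, entity name and observed score below is constructed for the example.

```python
"""Added example (not Cyren's algorithm): propagate reputation across the
entity graph on the slide so a never-seen URL inherits a score from the
host, domain, IP, ASN and registrant it is related to."""

# Relation weights are an assumption: how much of a neighbour's reputation
# carries over (a host says more about its URLs than an ASN does).
RELATION_WEIGHT = {"host": 0.9, "domain": 0.8, "ip": 0.7, "registrant": 0.6, "asn": 0.3}


class ReputationGraph:
    def __init__(self):
        self.edges = {}   # entity -> [(neighbour, relation)]
        self.known = {}   # entity -> observed score, 0 (benign) .. 100 (malicious)

    def relate(self, a, b, relation):
        self.edges.setdefault(a, []).append((b, relation))
        self.edges.setdefault(b, []).append((a, relation))

    def observe(self, entity, score):
        self.known[entity] = max(0, min(100, score))

    def _risk(self, entity, depth, seen):
        """Risk in [0, 1], or None when nothing is known within `depth` hops."""
        if entity in self.known: return self.known[entity] / 100
        if depth == 0 or entity in seen: return None
        not_bad, found = 1.0, False       # noisy-OR: any bad neighbour raises risk
        for nbr, rel in self.edges.get(entity, []):
            r = self._risk(nbr, depth - 1, seen | {entity})
            if r is not None:
                not_bad, found = not_bad * (1 - RELATION_WEIGHT[rel] * r), True
        return 1 - not_bad if found else None

    def score(self, entity, depth=3):
        """Reputation 0-100 in the slide's sense; None if the entity is isolated."""
        r = self._risk(entity, depth, frozenset())
        return None if r is None else round(r * 100)


def build_sample_graph():
    """Constructed relations and observations (documentation IP/ASN ranges)."""
    g = ReputationGraph()
    g.relate("http://dl.badhost.example/stage.jse", "dl.badhost.example", "host")
    g.relate("dl.badhost.example", "badhost.example", "domain")
    g.relate("dl.badhost.example", "203.0.113.5", "ip")
    g.relate("badhost.example", "REGISTRANT-X", "registrant")
    g.relate("203.0.113.5", "AS64496", "asn")
    g.observe("203.0.113.5", 60)       # IP seen hosting malware before
    g.observe("REGISTRANT-X", 80)      # registrant of other bad domains
    g.observe("AS64496", 40)
    return g
```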
Dynamic Reputation Sources
Cyren GlobalView Security Cloud
• Half a million points of presence
• Unified cloud, 19 DCs worldwide
Industry’s largest security database
• 17B transactions daily
• 130M threats blocked daily
• 600M users protected
Fastest reaction time
• Threats identified and blocked inside of 5-15 seconds
Sources: Web Reputation, Anti-Malware, Virus Outbreak Detection, Sandbox Array, Link Monitor, URL Filtering, IP Reputation, Anti-Spam
Cloud Sandbox Array – How it Works
Diagram of the analysis pipeline (labels recovered from the figure):
• Inputs: Windows EXE, MS Office, PDFs, Flash files, Scripts, Images, ZIP files
• Pre-processing: Static Analysis; OS Risk Evaluation; Network Risk Evaluation; Run-time Environment Selection
• Dynamic Analysis: Sandbox 1 (OS A, Browser G, Environment S), Sandbox 2 (OS B, Browser H, Environment T), ... Sandbox n (OS n, Browser n, Environment n)
• Post-processing: Risk scoring; GlobalView Intelligence; Re-escalation
• Verdict: Not Malicious / Malicious
• Reporting; Incident management
CYREN Advanced Malware Analysis Visualization
DEMO
Facebook tagging trick
• A friend mentioned you in a comment
• Redirects you to download a JSE file from Google Drive
• The JavaScript file
The End
Questions?
Lior Kohavi, lior.kohavi@CYREN.com
Richard Stiennon, richard@it-harvest.com
APPENDIX
CYREN Advanced Malware Analysis Visualization