Evolving threat landscape


Transcript of Evolving threat landscape

Page 1: Evolving threat landscape

©2015 Check Point Software Technologies Ltd. 1

We’ve come a long way…

[Protected] Non-confidential content

From This:

Disney Epcot Spaceship Earth

Photo by Jeff Krause

Page 2: Evolving threat landscape


Page 3: Evolving threat landscape


We’ve come a long way…


To This:

Inside Google Data Centers.

Photo by Connie Zhou

Page 4: Evolving threat landscape


Zahier Madhar | Security Engineer

EVOLVING THREAT LANDSCAPE

Page 5: Evolving threat landscape


Why?

Bank robber Willie Sutton’s famous answer when he was asked why he robbed banks:

“That’s where the money is!”

Page 6: Evolving threat landscape


Today..

• Banks don’t store such large amounts of money anymore..

• Coins and notes are used less because of plastic cards

• Most money transactions are initiated from a personal computer

• A different approach is needed to steal your money, or information that is valuable and can be sold..

• This is where bots take over!

• In most cases their purpose is to steal or make money

Bots are organized crime’s latest tools

Page 7: Evolving threat landscape


Sophistication Continues To Evolve

[Chart: attack sophistication (Low to High) against intruder knowledge, plotted over 1980, 1985, 1990, 1995 and 2000+. Source: CERT. As attack sophistication rises, the knowledge an intruder needs falls, because the tools do the work. Tools and attacks marked along the timeline, in the order shown: password guessing, self-replicating code, password cracking, exploiting known vulnerabilities, disabling audits, back doors, hijacking sessions, sweepers, sniffers, packet spoofing, GUI automated probes/scans, denial of service, www attacks, “stealth”/advanced scanning techniques, burglaries, network mgmt. diagnostics, distributed attack tools, cross site scripting, staged attack, zero day.]

Page 8: Evolving threat landscape


THE CYBER WAR IS RAGING ON

“It's a CAT-AND-MOUSE game. We try to stay ahead. People will try to break in, and it's our job to STOP them breaking in.”

Steve Jobs

Page 9: Evolving threat landscape


Known Unknown Back Again!

• IPS/Anti Virus work by:
  Looking for specific patterns
  Enforcing compliance of protocols with their standards
  Detecting deviations from those protocols

• Attackers evade signature-based detection by obfuscating the attacks and creating attack variants

• So how tough is it?
  Zeus and SpyEye ‘builders’, generating Zeus or SpyEye variants in a click, are sold at 1-10K$
  www.styx-crypt.com will obfuscate HTML, JavaScript, executable files, PDF & Flash files at 5-25$ per file, quantity discounts apply.

Page 10: Evolving threat landscape


Protecting Against Such Attacks

Reputation based
  Sender email addresses / mail server IP
  MD5 of the PDF or malware
  Ineffective against targeted attack: no reputation data

Signature based
  Match on the exploit
  Match on the malware
  Match on the CnC communication
  Limited due to lack of prior knowledge, variants and obfuscation

The multi-million dollar question: how can we protect against the known unknowns?
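The two controls just listed, reputation by file hash (page 10) and matching on fixed byte patterns (page 9), and the one-click “builder” step that defeats both, as an added Python example; this is not Check Point code and not taken from the slides. The malicious fragment, the signatures and the XOR decoder stub are constructed for the demo (the stub only decodes and never runs the payload). It also shows the counter-move the rest of the deck is about: run the decoder in emulation and apply the same signature to what comes out.

```python
import hashlib
import re

# Constructed stand-in for a malicious HTML/JavaScript fragment. Only its bytes
# matter here; it is not real malware and is never executed by this script.
ORIGINAL = b"<script>eval(unescape('%64%72%6f%70'));document.write(x);</script>"

# Reputation control (page 10): MD5 digests of files already seen and convicted.
REPUTATION_MD5 = {hashlib.md5(ORIGINAL).hexdigest()}

# Signature control (page 9): fixed byte patterns that match the known attack.
SIGNATURES = [rb"eval\(unescape\(", rb"document\.write\("]

# Shape of the decoder stub emitted by make_variant (constructed for this demo).
STUB = re.compile(rb"k=(\d+);p=\[([\d,]*)\]")


def reputation_hit(data: bytes) -> bool:
    """True if the file hash is already on the blocklist."""
    return hashlib.md5(data).hexdigest() in REPUTATION_MD5


def signature_hit(data: bytes) -> bool:
    """True if any static byte signature matches the bytes as delivered."""
    return any(re.search(sig, data) for sig in SIGNATURES)


def make_variant(data: bytes, key: int) -> bytes:
    """What a builder/crypter does: XOR the payload with a key and wrap it in a
    decoder stub, so the original bytes never appear in the delivered file.
    Every key yields a new hash and no fixed pattern survives in the output."""
    enc = b",".join(str(b ^ key).encode() for b in data)
    return (b"<script>k=%d;p=[%s];s='';"
            b"for(i of p)s+=String.fromCharCode(i^k);</script>" % (key, enc))


def emulate_decoder(data: bytes) -> bytes:
    """Recover what the stub would produce at run time by performing its decode
    loop here: the emulation idea behind a sandbox, judging unpacked behaviour
    rather than delivered bytes. Files without a stub are returned unchanged."""
    m = STUB.search(data)
    if not m:
        return data
    key = int(m.group(1))
    return bytes(int(x) ^ key for x in m.group(2).split(b",") if x)


def verdicts(data: bytes) -> dict:
    """Static reputation, static signature, and signature after emulation."""
    return {"reputation": reputation_hit(data),
            "signature": signature_hit(data),
            "emulated_signature": signature_hit(emulate_decoder(data))}


if __name__ == "__main__":
    print("original:", verdicts(ORIGINAL))
    print("variant: ", verdicts(make_variant(ORIGINAL, 0x5A)))
```

The original trips all three checks; the variant built with any key trips neither the hash nor the byte signatures, and only the emulated view catches it. That is the “known unknown”: the behaviour is known, the bytes are not.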

Page 11: Evolving threat landscape


Let’s Talk About Food

• What would you do if you were given a fruit you didn’t know? How can you know it isn’t dangerous?

• You should definitely look in the encyclopedia (or Google)

• But what would you do if it’s not listed?

• You can hire someone to examine it in a lab

Very time consuming & expensive

• But you can also give it to a monkey

Usually it gives a good answer

But monkeys are cute

We DO NOT endorse experiments on animals.

(No animal was harmed in any way during the development

of the Threat Emulation Software Blade)

Our ‘monkeys’ don’t have feelings.

We can guarantee that.

Page 12: Evolving threat landscape


THE THREATS WE NEED TO PREVENT

Known Knowns: threats we know we know
  ANTI VIRUS, ANTI BOT, IPS

Known Unknowns: threats we know we don’t know
  NEXT GEN SANDBOX

Unknown Unknowns: threats we don’t know we don’t know
  ANTI BOT

Page 13: Evolving threat landscape

Attack Infection Flow

Vulnerability → Exploit → Shellcode → Malware

• Vulnerability: trigger an attack through unpatched software or a zero-day vulnerability
• Exploit: run an embedded payload by evading the CPU
• Shellcode: run a small payload to activate the malware
• Malware: run malicious code

Page 14: Evolving threat landscape

Stop Attacks at the First Point of Contact

Vulnerabilities: thousands
Exploits: a handful
Shellcode
Malware: millions

DETECT THE ATTACK BEFORE IT BEGINS
Identify the exploit itself instead of looking for the evasive malware

Page 15: Evolving threat landscape

Focus on Malware in its Infancy

Vulnerabilities: thousands
Exploits: a handful
Shellcode
Malware: millions

HIGHLY SOPHISTICATED EXPLOIT DETECTION ENGINE
Based on real-time CPU-level analysis

Page 16: Evolving threat landscape


WHAT IS THE NEXT GENERATION SANDBOX?

Unprecedented real-time prevention against unknown malware, zero-day and targeted attacks

• Sandbox with CPU-Level Detection: evasion-resistant malware detection
• Threat Extraction: prompt delivery of safe reconstructed files

Page 17: Evolving threat landscape


A STANDARD CV?

Emulation @ Work

Page 18: Evolving threat landscape

SANDBLAST ZERO-DAY PROTECTION

• CPU-Level Detection: catches the most sophisticated malware before evasion techniques deploy
• O/S Level Emulation: stops zero-day and unknown malware in a wide range of file formats
• Threat Extraction: delivers a safe version of the content quickly

[Diagram: Original Doc carrying malware → Safe Doc with the malware removed]

Page 19: Evolving threat landscape


Threat Extraction: Document Reconstruction

Original Document → Document Reconstructed → Safe Copy of Document

• Reconstructed safe copy of documents
• Delivered immediately
• Customizable protection level
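What “document reconstruction” can mean in practice, as an added example; the slide only shows the diagram and this is not the product’s own implementation. A Word document is rebuilt as a new OOXML package with the VBA project, embedded objects and ActiveX parts dropped, and the package metadata (content types and relationships) repaired so the copy opens as a plain .docx instead of a .docm with dangling references. The sample macro-enabled document, the set of parts treated as active content and the placeholder VBA blob are assumptions constructed for the demo; a real product also handles links, OLE, scripts in PDFs and other formats.

```python
import io
import posixpath
import re
import zipfile
import xml.etree.ElementTree as ET

CT_NS = "http://schemas.openxmlformats.org/package/2006/content-types"
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
MACRO_MAIN = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_MAIN = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"

# Package parts treated as active content (assumed list); they never reach the safe copy.
ACTIVE_PART = re.compile(r"^word/(vbaProject\.bin|vbaData\.xml|embeddings/.*|activeX/.*)$")


def build_sample_docm() -> bytes:
    """Constructed minimal macro-enabled document used as input; not a file from the page."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
            f'<Types xmlns="{CT_NS}">'
            '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
            '<Default Extension="xml" ContentType="application/xml"/>'
            f'<Override PartName="/word/document.xml" ContentType="{MACRO_MAIN}"/>'
            '<Override PartName="/word/vbaProject.bin" ContentType="application/vnd.ms-office.vbaProject"/>'
            '</Types>')
        z.writestr("_rels/.rels",
            f'<Relationships xmlns="{REL_NS}"><Relationship Id="rId1" Target="word/document.xml" '
            'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument"/>'
            '</Relationships>')
        z.writestr("word/document.xml",
            f'<w:document xmlns:w="{W_NS}"><w:body><w:p><w:r>'
            '<w:t>Curriculum vitae: Jane Doe</w:t></w:r></w:p></w:body></w:document>')
        z.writestr("word/_rels/document.xml.rels",
            f'<Relationships xmlns="{REL_NS}">'
            '<Relationship Id="rId1" Target="vbaProject.bin" Type="http://schemas.microsoft.com/office/2006/relationships/vbaProject"/>'
            '<Relationship Id="rId2" Target="styles.xml" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles"/>'
            '</Relationships>')
        z.writestr("word/styles.xml", f'<w:styles xmlns:w="{W_NS}"/>')
        z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0" + b"AutoOpen stand-in " * 4)  # placeholder blob
    return buf.getvalue()


def _is_active(part: str) -> bool:
    return bool(ACTIVE_PART.match(part))


def _fix_content_types(data: bytes) -> bytes:
    """Drop Override entries for removed parts and downgrade the main part to plain .docx."""
    ET.register_namespace("", CT_NS)
    root = ET.fromstring(data)
    for el in list(root):
        if el.tag == f"{{{CT_NS}}}Override":
            if _is_active(el.get("PartName", "").lstrip("/")):
                root.remove(el)
            elif el.get("ContentType") == MACRO_MAIN:
                el.set("ContentType", PLAIN_MAIN)
    return ET.tostring(root, encoding="utf-8", xml_declaration=True)


def _fix_rels(data: bytes, rels_name: str) -> bytes:
    """Remove relationships whose target was dropped; a dangling one corrupts the file."""
    ET.register_namespace("", REL_NS)
    base = rels_name.split("_rels/")[0]            # "word/_rels/document.xml.rels" -> "word/"
    root = ET.fromstring(data)
    for el in list(root):
        if el.get("TargetMode") == "External":
            continue
        t = el.get("Target", "")
        target = t.lstrip("/") if t.startswith("/") else posixpath.normpath(posixpath.join(base, t))
        if _is_active(target):
            root.remove(el)
    return ET.tostring(root, encoding="utf-8", xml_declaration=True)


def reconstruct(document: bytes) -> bytes:
    """Rebuild the package without active content and with consistent metadata."""
    src = zipfile.ZipFile(io.BytesIO(document))
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for name in src.namelist():
            if _is_active(name):
                continue                               # the part is simply not copied
            data = src.read(name)
            if name == "[Content_Types].xml":
                data = _fix_content_types(data)
            elif name.endswith(".rels"):
                data = _fix_rels(data, name)
            dst.writestr(name, data)
    return out.getvalue()


def part_names(document: bytes) -> list:
    return sorted(zipfile.ZipFile(io.BytesIO(document)).namelist())


def read_part(document: bytes, name: str) -> bytes:
    return zipfile.ZipFile(io.BytesIO(document)).read(name)
```

The text and styles survive untouched, which is what makes delivery immediate: nothing has to be detonated to decide that a document with no executable parts is safe to hand over.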

Page 20: Evolving threat landscape


Threat Emulation: Exploit Detection and Prevention

Original Document → sent for sandboxing, where it is opened and inspected

• If no infection is found: the original document is delivered
• If infected with unknown malware: the document is deleted, ThreatCloud is updated, the admin is notified

Prevent Zero-Day Attacks
Constantly Update ThreatCloud
Attack is PREVENTED

Page 21: Evolving threat landscape


VISIBILITY INTO ATTEMPTED ATTACKS

File System Activity: abnormal file activity
System Registry: tampered system registry
System Processes: “naive” processes created
Network Connections: remote connection to Command & Control sites
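The verdict step of the two previous slides over a constructed emulation trace, as an added example that is not the product’s logic: each of the four observation classes above is mapped to one indicator, and the outcome from the emulation slide (deliver the original, or delete it, update ThreatCloud and notify the admin) follows from the verdict. The trace lines, the C2 host list and the use of SHA-256 as the ThreatCloud key are assumptions made for the demo.

```python
import hashlib
import re

# Constructed sandbox trace for one document opened under emulation; sample input,
# not product telemetry. Fields: pid, category, detail.
TRACE = """\
1204 process  winword.exe opened cv.docx
1204 file     read C:\\Users\\u\\Downloads\\cv.docx
1204 process  created cmd.exe /c powershell -w hidden
1337 file     write C:\\Users\\u\\AppData\\Roaming\\svc.exe
1337 registry set HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svc
1337 network  connect 203.0.113.7:443
"""

# Assumed C2 indicator list, standing in for a threat-intelligence feed.
C2_HOSTS = {"203.0.113.7", "c2.example.net"}

LINE = re.compile(r"^(\d+)\s+(\w+)\s+(.+)$")
OFFICE = re.compile(r"^(winword|excel|powerpnt|acrord32)\.exe opened ", re.I)
SPAWN = re.compile(r"^created (cmd|powershell|wscript|cscript|mshta|regsvr32|rundll32)\.exe", re.I)
DROP = re.compile(r"^write .*\\(AppData|Temp|ProgramData|Public)\\.*\.(exe|dll|scr|ps1|vbs|js)$", re.I)
PERSIST = re.compile(r"^set .*\\(CurrentVersion\\Run|Winlogon|Image File Execution Options)\\", re.I)
CONNECT = re.compile(r"^connect ([^:\s]+):(\d+)$")


def analyze(trace: str) -> dict:
    """Map the four observation classes from the slide onto indicators and a verdict."""
    office_pids, indicators = set(), []
    for raw in trace.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        pid, cat, detail = m.groups()
        if cat == "process" and OFFICE.match(detail):
            office_pids.add(pid)                       # the viewer that opened the sample
        elif cat == "process" and SPAWN.match(detail) and pid in office_pids:
            indicators.append("naive_process")         # a document viewer spawning a shell
        elif cat == "file" and DROP.match(detail):
            indicators.append("abnormal_file")         # executable dropped into a user-writable dir
        elif cat == "registry" and PERSIST.match(detail):
            indicators.append("registry_tamper")       # persistence key written
        elif cat == "network" and (c := CONNECT.match(detail)) and c.group(1) in C2_HOSTS:
            indicators.append("c2_connection")         # call-out to a known C2 host
    return {"verdict": "infected" if indicators else "clean",
            "indicators": sorted(set(indicators))}


def handle(document: bytes, trace: str, threat_cloud: set, admin_inbox: list) -> dict:
    """Clean: deliver the original. Infected: delete it, record its hash in the
    (assumed SHA-256 keyed) ThreatCloud set, and append an admin notification."""
    result = analyze(trace)
    if result["verdict"] == "clean":
        return {"delivered": document, "actions": ["deliver_original"], **result}
    digest = hashlib.sha256(document).hexdigest()
    threat_cloud.add(digest)
    admin_inbox.append(f"blocked document {digest[:12]}: {', '.join(result['indicators'])}")
    return {"delivered": None,
            "actions": ["delete_document", "update_threatcloud", "notify_admin"], **result}


if __name__ == "__main__":
    cloud, inbox = set(), []
    print(handle(b"constructed document bytes", TRACE, cloud, inbox))
    print(inbox)
```

A single indicator is enough for a block here; a production engine weights them, because a document viewer that merely reads its own file or a process that writes to its own profile directory is normal, while a viewer spawning a shell is not.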

Page 22: Evolving threat landscape

PROVIDING CLEAN FILES

Before: malware activated
After: malware removed

Page 23: Evolving threat landscape


THANK YOU