Evolving threat landscape
Transcript of Evolving threat landscape
©2015 Check Point Software Technologies Ltd. 1
We’ve come a long way…
[Protected] Non-confidential content
From this: Disney Epcot Spaceship Earth (photo by Jeff Krause)
To this: Inside Google Data Centers (photo by Connie Zhou)
EVOLVING THREAT LANDSCAPE
Zahier Madhar | Security Engineer
Why?
Bank robber Willie Sutton's famous answer when he was asked why he robbed banks:
“That’s where the money is!”
Today..
• Banks don’t store such large amounts of money anymore..
• Coins and notes are used less because of plastic cards
• Most money transactions are initiated from a personal computer
• A different approach is needed to steal your money, or information that is valuable and can be sold..
• This is where bots take over!
• In most cases their purpose is to steal or make money
Bots are organized crime’s latest tool
Sophistication Continues To Evolve
[Chart, source: CERT. Attack sophistication (low to high) and intruder knowledge plotted against time, 1980 to 2000+. Tools and attacks along the timeline: password guessing, self-replicating code, password cracking, exploiting known vulnerabilities, disabling audits, back doors, hijacking sessions, sweepers, sniffers, packet spoofing, GUI automated probes/scans, denial of service, www attacks, “stealth”/advanced scanning techniques, burglaries, network mgmt. diagnostics, distributed attack tools, cross site scripting, staged attack, zero day.]
THE CYBER WAR IS RAGING ON
“It's a CAT-AND-MOUSE game. We try to stay ahead. People will try to break in, and it's our job to STOP them breaking in.” (Steve Jobs)
Known Unknowns Back Again!
• IPS/Anti-Virus work by:
  - Looking for specific patterns
  - Enforcing compliance of protocols with standards
  - Detecting deviations from the protocols
• Attackers evade signature-based detection by obfuscating the attacks and creating attack variants
• So how tough is it?
  - Zeus and SpyEye ‘builders’, which generate Zeus or SpyEye variants in a click, are sold at $1-10K
  - www.styx-crypt.com will obfuscate HTML, JavaScript, executable files, PDF and Flash files at $5-25 per file; quantity discounts apply.
Protecting Against Such Attacks
Reputation based:
  Sender email addresses / mail server IP
  MD5 of the PDF or malware
  Ineffective against targeted attacks: no reputation data
Signature based:
  Match on the exploit
  Match on the malware
  Match on the CnC communication
  Limited due to lack of prior knowledge, variants and obfuscation
The multi-million dollar question: how can we protect against the known unknowns?
Let’s Talk About Food
• What would you do if you were given a fruit you didn’t know? How can you know it isn’t dangerous?
• You should definitely look in the encyclopedia (or Google)
• But what would you do if it’s not listed?
• You can hire someone to examine it in a lab
  - Very time consuming and expensive
• But you can also give it to a monkey
  - Usually it gives a good answer
  - But monkeys are cute
We DO NOT endorse experiments on animals. (No animal was harmed in any way during the development of the Threat Emulation Software Blade.) Our ‘monkeys’ don’t have feelings. We can guarantee that.
THE THREATS WE NEED TO PREVENT
Known Knowns: threats we know we know (ANTI VIRUS, ANTI BOT, IPS)
Known Unknowns: threats we know we don’t know (NEXT GEN SANDBOX)
Unknown Unknowns: threats we don’t know we don’t know (ANTI BOT)
Attack Infection Flow
Vulnerability: trigger an attack with unpatched software or a zero-day vulnerability
Exploit: run an embedded payload by evading the CPU
Shellcode: run a small payload to activate malware
Malware: run malicious code
Stop Attacks at the First Point of Contact
Vulnerability → Exploit (a HANDFUL) → Shellcode (thousands) → Malware (millions)
DETECT THE ATTACK BEFORE IT BEGINS: identify the exploit itself instead of looking for the evasive malware
Focus on Malware in its Infancy
HIGHLY SOPHISTICATED EXPLOIT DETECTION ENGINE: based on real-time CPU-level analysis
WHAT IS THE NEXT GENERATION SANDBOX?
Unprecedented real-time prevention against unknown malware, zero-day and targeted attacks
Sandbox with CPU-Level Detection: evasion-resistant malware detection
Threat Extraction: prompt delivery of safe reconstructed files
Emulation @ Work: a standard CV?
SANDBLAST ZERO-DAY PROTECTION
CPU-Level Detection: catches the most sophisticated malware before evasion techniques deploy
O/S Level Emulation: stops zero-day and unknown malware in a wide range of file formats
Threat Extraction: delivers a safe version of content quickly (original doc containing malware → safe doc)
Threat Extraction: Document Reconstruction
Original Document → Document Reconstructed → Safe Copy of Document
• Reconstructed safe copy of documents
• Delivered immediately
• Customizable protection level
Threat Emulation: Exploit Detection and Prevention
Original Document → the document is sent for sandboxing, where it is opened and inspected
• If no infection is found: the original document is passed on
• If infected with unknown malware: the document is deleted, ThreatCloud is updated, and the admin is notified. Attack is PREVENTED.
Prevent Zero-Day Attacks; Constantly Update ThreatCloud
VISIBILITY INTO ATTEMPTED ATTACKS
• File System Activity: abnormal file activity
• System Registry: tampered system registry
• System Processes: “naive” processes created
• Network Connections: remote connection to Command & Control sites
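A worked example tying the emulation verdict flow and the four visibility categories together, written for this transcript and not taken from Check Point's product: the `<kind> <detail>` trace format, the sample trace, the C2 indicator list and the matching rules are all constructed assumptions.

```python
"""Toy threat-emulation verdict: bucket constructed sandbox trace lines into the
four visibility categories (file system, registry, processes, network) and
derive the actions the flow prescribes (pass on, or delete + update + notify)."""
import re
from collections import defaultdict

# Constructed trace (not real product output); "<kind> <detail>" per line is
# an assumed format for this example only.
SAMPLE_TRACE = """\
process_create C:\\Program Files\\Word\\WINWORD.EXE
file_write C:\\Users\\u\\AppData\\Roaming\\svc.exe
registry_set HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svc
process_create C:\\Users\\u\\AppData\\Roaming\\svc.exe
net_connect 198.51.100.23:443
"""

# Constructed indicator list and rules; a real deployment would draw these from
# the vendor's threat intelligence (ThreatCloud in the deck), not a literal set.
KNOWN_C2 = {"198.51.100.23"}
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\", re.I)
USER_WRITABLE = re.compile(r"\\AppData\\", re.I)


def classify(trace: str) -> dict:
    """Map trace lines onto the deck's four visibility categories."""
    hits = defaultdict(list)
    written = set()  # executables dropped during emulation
    for line in trace.splitlines():
        kind, _, detail = line.partition(" ")
        low = detail.lower()
        if kind == "file_write" and low.endswith(".exe") and USER_WRITABLE.search(detail):
            hits["file_system"].append(detail)   # abnormal file activity
            written.add(low)
        elif kind == "registry_set" and RUN_KEY.search(detail):
            hits["registry"].append(detail)      # tampered system registry
        elif kind == "process_create" and low in written:
            hits["processes"].append(detail)     # dropped file executed
        elif kind == "net_connect" and detail.split(":")[0] in KNOWN_C2:
            hits["network"].append(detail)       # remote connection to C&C
    return dict(hits)


def verdict(trace: str) -> tuple:
    """Emulation outcome as the flow describes: pass the original on, or
    delete the document, update ThreatCloud and notify the admin."""
    hits = classify(trace)
    if not hits:
        return "clean", ["pass original document on"]
    return "infected", ["delete document", "update ThreatCloud", "notify admin"]
```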
PROVIDING CLEAN FILES
BEFORE: malware activated. AFTER: malware removed.
THANK YOU