Two Level Defense for APT attack (Malware) & Ransomware...


Transcript of Two Level Defense for APT attack (Malware) & Ransomware...

Page 1: Two Level Defense for APT attack (Malware) & Ransomware ...mindclick.co.th/koreathailand2017/attachment/Docs/NPCore/2017_Z… · - Includes social engineering techniques to try various

NPCore, Inc.

Zombie ZERO Introduction

Two Level Defense for APT attack (Malware) & Ransomware

ISO 9001:2008

Page 2:

Copyright © NPCore, Inc. ZombieZERO is trademark of NPCore, Inc.

Ⅰ. Proposal Overview

Ⅱ. Zombie ZERO Introduction

Ⅲ. ZombieZERO Inspector

Ⅳ. ZombieZERO EDR

Ⅴ. Company Introduction

Zombie ZERO Solutions

Introduction

Presentation

Page 3:

1. What is APT attack?

2. Chronicle of Major Incidents

3. Alternatives to APT attack

Zombie ZERO Proposal Overview

Presentation

Page 4:

1. What is APT attack?

An APT (Advanced Persistent Threat) attack is an attack by an organized criminal group that aims at a specific target and uses delivery methods such as e-mail and web downloads to reach a goal that serves the group's purpose.

Advanced: the scope and technical level of the APT attack organization

- Uses a variety of techniques, not just one

- Uses zero-day vulnerability exploits and techniques for bypassing existing security products

Persistent: the attitude of the attacking organization toward achieving its objectives

- Performs a continuous attack until the purpose is achieved

- Works to frustrate detection, hindering detection and evading response actions

Threat: the meaning of the threat to information

- Targets are analyzed directly by people, not only by automated tools

- Includes social engineering techniques in the various attack attempts

<1>

1. Understanding the Business / Zombie ZERO Solutions

Dual defense solution for new APT attacks

Page 5:

2. Chronicle of Major Incidents


Since 2006, APT attacks have become increasingly sophisticated and frequent, and they are currently the greatest threat to information security.

Page 6:

3. Alternatives to APT attack

Existing security solutions cannot effectively block APT attacks (new and variant malware). Behavior-based sandboxes and EDR can respond to new and variant malware and ransomware (the new trend).

[Diagram: AS-IS (signature-based) configuration vs. TO-BE (behavior-based sandbox system) and TO-BE (EDR, Endpoint Detection and Response)]

AS-IS (signature-based): Internet, router, F/W, IPS, web gateway, switch, and user PCs running anti-virus. Limitations:

∙ Cannot block malware that arrives through permitted policies and applications

∙ Cannot detect file-based malware

∙ Cannot block malware that arrives through permitted sites

∙ Cannot detect or block new and variant malware

TO-BE (behavior-based sandbox system): sandbox analysis in user-PC environments (64bit images) -> behavior analysis -> block/quarantine, with patterns transferred to a management server.

TO-BE (EDR, the new trend): the same or a similar configuration, with the behavior-based engine on the endpoint.

Page 7:

1. Zombie ZERO System Diagram

2. Zombie ZERO System Introduction

3. Zombie ZERO NCSC

Zombie ZERO System

Introduction

Presentation

Page 8:

1. Zombie ZERO System Diagram

[System diagram: Internet -> Router -> F/W -> Switch, with TAP/mirroring feeding the Network APT Inspector; the E-mail APT Inspector (spam mail server + APT analysis) placed in front of the external mail server; the File APT Inspector placed between the streaming link servers and the file-transfer data link servers that bridge the external network and the Business Network; EDR installed on external-network PCs and on internal-network (employee business network) PCs]

Page 9:

2. ZombieZERO Inspector Network Series

[Diagram: Internet -> Router -> F/W -> TAP -> Switch -> user PCs; the TAP mirrors traffic to the Network APT Inspector, which is managed through its MGT IP]

The Network APT system collects packets from the network and detects and analyzes APT attacks.

Page 10:

2. ZombieZERO Inspector E-mail Series

[Diagram: F/W -> Switch -> E-mail APT Inspector -> Mail Server, with a backup switch path; only e-mails judged normal are passed on to the mail server]

The E-mail APT system provides an integrated service combining APT analysis equipment with spam e-mail response.

Page 11:

2. ZombieZERO Inspector File Series

[Diagram: Internet network (user PCs) -> external relay server -> File APT Inspector with storage -> internal relay server -> Business Network]

The File APT system is an APT response solution for files transferred into the internal network in a network-separated (air-gapped) environment.

Page 12:

2. ZombieZERO Inspector Real Machine

An APT response solution that detects and blocks malware on a real (physical) machine rather than a virtual machine, aimed at malware that evades sandbox analysis by detecting the VM.

[Diagram: Internet -> Router -> F/W -> TAP -> Switch -> user PCs; the TAP mirrors traffic to the Real Machine APT appliance, managed through its MGT IP]

Page 13:

2. ZombieZERO EDR (Endpoint Detection & Response) for APT

A solution that responds to new and variant malware based on their behavior, via the endpoint security EDR.

[Diagram: Internet -> Router -> F/W -> Switch -> user PCs with EDR; Network APT Inspector or ESM reachable through its MGT IP]

① File download

② Analysis of executable files: a malicious file is blacklisted and quarantined; a normal file is added to the whitelist

③ EDR holds execution pending, and the user can view the analysis status ("Analyzing...", "Analysis info")

④ If the analysis result is normal, the file is executed; for a malicious file the EDR shows a blocking message, for a normal file the user sees the file downloaded normally

Page 14:

2. ZombieZERO EDR for Ransomware

A solution for new and variant ransomware through behavior-based detection/blocking and backup by the endpoint EDR.

[Diagram: Internet -> Router -> F/W -> Switch -> user PCs with EDR; Network APT Inspector or ESM reachable through its MGT IP. The PC that detects ransomware uploads its pattern information, and the server shares the pattern with the other PCs to prevent the infection from proliferating.]

Page 15:

3. ZombieZERO NSOC (NPCore Security Operations Center)

Malicious code analysis and rule/pattern updates through the NPCore Cyber Security Center.

[Diagram: malware collection -> big data system (Elasticsearch) -> correlation analysis, association analysis and similarity analysis through machine learning at the NPCore Cyber Security Center -> policy distribution server -> policy deployment to Customer A, Customer B, ..., Customer N]

Page 16:

1. System Operation FLOW

2. Key Processes

- Static Environment Analysis

- Dynamic Environment Analysis

3. Product Features

ZombieZERO Inspector

Presentation

Page 17:

1. System Operation FLOW

Detects unknown (new, variant) malware through dual analysis: signature analysis and behavior-based analysis.

- Pattern-based malicious code analysis of the collected files

- Behavior-based analysis through dynamic and static analysis

- Treatment of the infected PC by generating a pattern for the detected malicious code

- Detects VM-access (VM-detection) behavior in executable files; VM-evading malware is detected by removing the relevant check and forcing execution to continue

Flow: File Collection -> File Analysis -> Verification and Response

① File collection from network traffic

② Classification by file type

③ Signature-based analysis (static analysis with YARA rules)

④ Behavior-based analysis (dynamic analysis with a behavior monitor) in a Windows 7/10 32/64-bit sandbox environment

⑤ Verification with VirusTotal through its API

⑥ Block/quarantine response after pattern generation

Page 18:

2. Key Processes - Static Environment Analysis (YARA Rule Applied)

ZombieZERO supports sending customized YARA rules to quickly analyze suspicious objects for specific threats.

[YARA Rule Application Scenario: YARA rule updates are delivered from the INTERNET side and applied as policy to each inspector]

[Static YARA Rule Generation Process: strings are extracted (e.g., with the strings tool) from the malware files (AAA, BBB, CCC, DDD, EEE, FFF, GGG in the illustration), compared against the string information of normal files, and the strings characteristic of the malicious files are used to create the YARA rule]
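The string-difference step in the diagram above, as an added example (not ZombieZERO code and not NPCore's rule generator): it extracts printable strings from constructed malicious and benign byte samples, keeps the strings common to every malicious sample and absent from every benign one, and emits a rule in standard YARA syntax. The sample bytes, the rule name and the "all of them" condition are assumptions; the matcher at the end only checks substring presence to show the rule's effect, and a real deployment would compile the emitted text with yara.

```python
"""Build a YARA rule from strings that separate malware samples from benign
files.  Added example, not ZombieZERO's own code: the byte samples below
are constructed (not real malware), and the rule name is an assumption."""
import re
from typing import Iterable, List, Set

# Constructed samples. The malicious ones share a mutex name, a C2 URL and a
# ransom-note phrase; the benign ones share only ordinary PE strings.
MALWARE_SAMPLES = [
    b"MZ\x90\x00" + b"\x00" * 8 + b"Global\\zz_mutex_41\x00"
    + b"http://c2.example.invalid/gate.php\x00"
    + b"All your files have been encrypted\x00" + b"\x13\x37" * 6,
    b"MZ\x90\x00" + b"\xff" * 5 + b"Global\\zz_mutex_41\x00"
    + b"http://c2.example.invalid/gate.php\x00"
    + b"All your files have been encrypted\x00GetProcAddress\x00",
]
BENIGN_SAMPLES = [
    b"MZ\x90\x00" + b"This program cannot be run in DOS mode\x00"
    + b"GetProcAddress\x00kernel32.dll\x00",
    b"MZ\x90\x00" + b"kernel32.dll\x00LoadLibraryA\x00",
]

# runs of 4 or more printable ASCII bytes, the same notion `strings` uses
STRING_RE = re.compile(rb"[\x20-\x7e]{4,}")


def extract_strings(data: bytes) -> Set[str]:
    return {m.decode("ascii") for m in STRING_RE.findall(data)}


def candidate_strings(malware: Iterable[bytes], benign: Iterable[bytes]) -> List[str]:
    """Strings present in every malicious sample and in no benign sample."""
    mal_sets = [extract_strings(d) for d in malware]
    common = set.intersection(*mal_sets) if mal_sets else set()
    seen_benign = set().union(*(extract_strings(d) for d in benign))
    return sorted(common - seen_benign)


def yara_escape(s: str) -> str:
    """Escape backslash and double quote for a YARA text string."""
    return s.replace("\\", "\\\\").replace('"', '\\"')


def build_rule(name: str, strings: List[str], condition: str = "all of them") -> str:
    """Emit rule text in YARA syntax; the condition is an assumption to tune."""
    lines = [f"rule {name}", "{", "    strings:"]
    for i, s in enumerate(strings):
        lines.append(f'        $s{i} = "{yara_escape(s)}"')
    lines += ["    condition:", f"        {condition}", "}"]
    return "\n".join(lines)


def rule_matches(strings: List[str], data: bytes, require_all: bool = True) -> bool:
    """Minimal stand-in for the yara engine: plain substring presence."""
    hits = [s.encode("ascii") in data for s in strings]
    return all(hits) if require_all else any(hits)


if __name__ == "__main__":
    cands = candidate_strings(MALWARE_SAMPLES, BENIGN_SAMPLES)
    print(build_rule("ZZ_Constructed_Ransom", cands))
    for sample in MALWARE_SAMPLES + BENIGN_SAMPLES:
        print(rule_matches(cands, sample))
```

Strings that also occur in clean software (API names, the DOS stub text) drop out automatically, which is the point of comparing against the normal-file information: a rule built from malware strings alone would fire on every PE on the machine.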

Page 19:

2. Key Processes - Dynamic Environment Analysis

Behavioral Analysis Key Features

Analysis through virtual systems

- Provides a virtual sandbox system based on VMware ESXi 5.5, with a behavior-based detection system consisting of a static analysis engine and a dynamic analysis engine

Various format analysis

- Provides analysis for PE files (DLL, EXE, etc.), compressed files, MS Office, HWP, PDF and ZIP files

Behavior-based analysis

- After running suspicious files in the dynamic analysis system, it reports the maliciousness of the observed behavior by analyzing process behavior, file behavior, network behavior and memory behavior

[Behavior-based Analysis diagram: "Support for virtual machines by network traffic and customer environment". Suspicious files arriving from the INTERNET over FTP, WEB and E-MAIL are captured by mirroring, uploaded and registered as analysis files, analyzed by file type in n virtual machines (file execution under the dynamic analysis behavior monitor), optionally validated against VirusTotal, and the verdict is reported to the user group]

Page 20:

2. Key Processes- Detectable malicious code(Malware) using dynamic environment analysis

Name: Features

Backdoor: When executed, opens a port so that the attacker can connect to the PC at any time

Ransomware: When executed, encrypts all the document files on the PC and makes them unusable

Downloader: Downloads and runs a file without the user's knowledge when a website is visited or a document is opened

Keylogger: Hooks and stores all keyboard events typed by the user and sends them to the attacker's server

Bootkit: Corrupts the MBR (Master Boot Record) of the PC, destroying the disk layout so the OS can no longer boot

Exploit: Executes malicious programs using vulnerabilities in software (IE, MS Office, PDF viewer, etc.)

System modification: Modifies sensitive files such as the PC registry or the hosts file for malicious purposes

Page 21:

2. Key Processes- Dynamic environment analysis case (Ransomware detection result)

Summary of analysis results (screenshot with callouts 1-3)

1. Threat Level: a level of 4 or more is judged malicious. This file was judged malicious with threat level 4.

2. YARA: DetectBulkChange, which captures the behavior of modifying files in bulk.

3. Dynamic analysis results: the behavior log produced when the analyzed file is actually executed. Files on the C drive are modified and deleted repeatedly.

Page 22:

2. Key Processes- Dynamic environment analysis case (Keylogger detection result)

Summary of analysis results (screenshot with callouts 1-3)

1. Threat Level: a level of 4 or more is judged malicious. This file was judged malicious with threat level 4.

2. YARA: HookingKeyLogger, which captures the behavior of intercepting user input values through keyboard event hooking.

3. Dynamic analysis results: the behavior log produced when the analyzed file is actually executed. SetWindowsHookEx(13, ..) was called; idHook 13 is WH_KEYBOARD_LL, a low-level keyboard hook, so hooking of keyboard events occurred.

Page 23:

2. Key Processes- Dynamic environment analysis case (BootKit detection result)

Summary of analysis results (screenshot with callouts 1-3)

1. Threat Level: a level of 4 or more is judged malicious. This file was judged malicious with threat level 4.

2. YARA: DetectMBR, which detects the behavior of tampering with the MBR.

3. Dynamic analysis results: the behavior log produced when the analyzed file is actually executed. Access to \Device\Harddisk0\DR0 (the raw physical disk, whose first sector is the Master Boot Record) occurred.
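The three result slides above (ransomware, keylogger, bootkit) share one pattern: a behavior log from the sandbox, named rules that fire on it, and a threat level compared against 4. The following added example (not ZombieZERO code) runs that scoring over constructed log lines written in a simple api(arg, ...) form. Only the threshold of 4, the rule names, the idHook value 13 and the \Device\Harddisk0\DR0 path come from the slides; the rule weights, the minimum bulk-change count, the log format and the file API names it looks for are assumptions.

```python
"""Score a sandbox behavior log against the three behaviors shown in the
result slides.  Added example, not ZombieZERO code: the log lines are
constructed, and the rule weights, bulk-change count and parser are
assumptions; only the threshold (4) and the rule names come from the slides."""
from typing import Callable, Dict, List, Tuple

THREAT_THRESHOLD = 4                  # slides: threat level 4 or more is malicious
WH_KEYBOARD_LL = 13                   # idHook shown in SetWindowsHookEx(13, ..)
RAW_DISK = r"\Device\Harddisk0\DR0"   # raw disk device shown in the bootkit slide
BULK_CHANGE_MIN = 10                  # assumption: distinct user files written/deleted
FILE_APIS = {"NtWriteFile", "DeleteFileW", "MoveFileExW"}


def parse(line: str) -> Tuple[str, List[str]]:
    """'NtWriteFile(C:\\x.docx, 4096)' -> ('NtWriteFile', ['C:\\x.docx', '4096'])"""
    name, _, rest = line.partition("(")
    args = [a.strip() for a in rest.rstrip(")").split(",")] if rest else []
    return name.strip(), args


def detect_bulk_change(log: List[str]) -> bool:
    """DetectBulkChange: many distinct files under C:\\Users written or deleted."""
    touched = set()
    for line in log:
        api, args = parse(line)
        if api in FILE_APIS and args and args[0].lower().startswith("c:\\users\\"):
            touched.add(args[0].lower())
    return len(touched) >= BULK_CHANGE_MIN


def detect_hooking_keylogger(log: List[str]) -> bool:
    """HookingKeyLogger: a low-level keyboard hook (WH_KEYBOARD_LL) installed."""
    for line in log:
        api, args = parse(line)
        if api == "SetWindowsHookEx" and args and args[0].isdigit() \
                and int(args[0]) == WH_KEYBOARD_LL:
            return True
    return False


def detect_mbr(log: List[str]) -> bool:
    """DetectMBR: a write to the raw physical disk device (sector 0 is the MBR)."""
    for line in log:
        api, args = parse(line)
        if api in {"NtWriteFile", "WriteFile"} and args and args[0] == RAW_DISK:
            return True
    return False


# (rule name, weight, detector); weights are assumptions
RULES: List[Tuple[str, int, Callable[[List[str]], bool]]] = [
    ("DetectBulkChange", 4, detect_bulk_change),
    ("HookingKeyLogger", 4, detect_hooking_keylogger),
    ("DetectMBR", 4, detect_mbr),
]


def score(log: List[str]) -> Dict[str, object]:
    """Threat level = sum of the weights of the rules that fired."""
    matched = [name for name, _w, fn in RULES if fn(log)]
    level = sum(w for name, w, _fn in RULES if name in matched)
    return {"threat_level": level, "rules": matched,
            "verdict": "malicious" if level >= THREAT_THRESHOLD else "normal"}


# ---- constructed behavior logs (not captured from real samples) ----
RANSOM_LOG = (
    [f"NtWriteFile(C:\\Users\\alice\\Documents\\report{i}.docx, 65536)" for i in range(12)]
    + [f"DeleteFileW(C:\\Users\\alice\\Documents\\report{i}.docx)" for i in range(12)]
)
KEYLOGGER_LOG = [
    "LoadLibraryW(user32.dll)",
    "SetWindowsHookEx(13, 0x00401000, 0x00400000, 0)",
    "InternetConnectW(c2.example.invalid, 443)",
]
BOOTKIT_LOG = [
    f"NtCreateFile({RAW_DISK}, GENERIC_WRITE)",
    f"NtWriteFile({RAW_DISK}, 512)",
]
BENIGN_LOG = [
    "NtCreateFile(C:\\Users\\alice\\Documents\\notes.txt, GENERIC_WRITE)",
    "NtWriteFile(C:\\Users\\alice\\Documents\\notes.txt, 2048)",
    "SetWindowsHookEx(5, 0x00401000, 0x00400000, 0)",   # WH_CBT, not a keyboard hook
]

if __name__ == "__main__":
    for name, log in [("ransomware", RANSOM_LOG), ("keylogger", KEYLOGGER_LOG),
                      ("bootkit", BOOTKIT_LOG), ("benign", BENIGN_LOG)]:
        print(name, score(log))
```

Each detector keys on the same evidence the slides highlight (repeated user-file modification, the hook id 13, a write to the raw disk device), and the benign log shows why the hook id matters: SetWindowsHookEx alone is common in legitimate software, only WH_KEYBOARD_LL earns the points.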

Page 24:

3. Product Features

Fast detection analysis environment

· Simultaneous execution of up to 50 virtual machines for malicious code analysis on a single device (system)

· Network APT: 10G file processing capability on a single device (system)

· E-mail APT: 300K to 600K e-mails processed per day on average on a single device (system)

· File APT: 80K to 160K files processed per day on average on a single device (system)

Scalability: flexible scalability as equipment is added

· Analysis capacity for a growing volume of files can be expanded by adding virtual analysis images or by arranging devices in parallel

· Separating the file collecting equipment (Detector) from the file analyzing equipment (Analyzer) allows the system to grow by adding only analysis equipment

· Processes up to 10Gbps of traffic per device and supports up to four 10GbE interfaces (using an accelerator board instead of a regular NIC)

Stability: ensuring stability through integrated management

· The Dashboard shows the security level of the target, the status of malicious file analysis, key events and status information

· Notification (e-mail, SMS, etc.) and linkage with other systems (Syslog, SNMP) when a major security event occurs

· A stable operating environment through equipment status checks and a recovery function

Behavior-based Malware Detection

· Quick detection/blocking of known malicious code through the built-in AV engine (Bitdefender)

· Detects and blocks unknown new and variant malicious code through a sandbox

· Applying the same environment as the real environment to the virtual analysis environment improves detection accuracy and minimizes the damage caused by false positives

Detection of malicious code in a closed environment

· Provides analysis in a closed environment through the virtual analysis system, with malicious code detected by behavior analysis using the static analysis system and the dynamic analysis system

· Provides manual pattern updates in an internet-blocked environment and allows manual analysis of patterns

· Provides detection of sandbox-bypassing malicious code (sleep calls, sandbox camouflage, VM-bypass packet collection, real machine, etc.)

Page 25:

1. System Operation FLOW

2. ZombieZERO EDR for Ransomware

3. ZombieZERO EDR for APT

ZombieZERO EDR

Presentation

Page 26:

1. System Operation FLOW

Behavior-based malware detection allows a quick response to malware that is not yet known.

- Behavior-based detection and treatment enable an immediate response to malicious behavior

- An effective response to zero-day attacks limits the damage from the outset

- Real-time response to malicious code that bypasses the network defenses

[Diagram: existing vaccine (signature anti-virus) method vs. behavior-based method. Existing method: zero-day infection attack -> generation/propagation -> damage occurrence -> vaccine development -> treatment/extinction; the interval before a vaccine exists is the defenseless period. Behavior-based method (ZombieZERO): generation/propagation -> zombie behavior occurrence -> detection/blocking (traffic blocking and process tracing) -> malicious code extraction and treatment, ransomware response]

• Korea Patent Number 10-1036750 / System and method for blocking Zombie behavior processes

• US Patent US 9060016 B2 / Apparatus and method for blocking Zombie behavior processes

Page 27:

2. ZombieZERO EDR for Ransomware

Key Features

Behavior-based analysis technology + Backup technology

Backup technology:

· Real-time/scheduled backup with version control

· Duplicate data removal (deduplication)

· A virtual secure drive created on the user PC's local drive by the Central Management Policy Server

Behavior-based analysis technology:

· Immediate response to new ransomware through behavior-based malware detection/treatment

· Ransomware pattern information is uploaded to the central management server and distributed to prevent proliferation to other PCs

· Organic linkage with the secure backup

24x7 real-time backup configuration plan

[Diagram: Type-A: ESM Server (OS: Windows) with EDR #1, EDR #2, ..., EDR #n (OS: Windows) backing up to PC storage (PC backup); Type-B: the same ESM Server and EDR clients backing up to a NAS (NAS backup)]

Page 28:

2. ZombieZERO EDR for Ransomware / 2.1 Method for quarantining Ransomware and preventing proliferation (1)

When a suspected ransomware process is executed:

- The process is quarantined and its process pattern is transmitted to the ESM

- Proliferation of the infection is prevented by sharing the malicious process pattern information

[Diagram: Internet -> Router -> Firewall -> IPS -> Switch -> PCs with ZombieZERO EDR and the ESM; the infected PC uploads its pattern information and the ESM shares it with the other PCs to prevent proliferation of the infection]

Behavior detection categories (API monitor detection and behavior algorithm on the EDR): encryption API calls, file manipulation API calls, signature presence, encryption count

Increase of the "malicious entropy" score as these behaviors accumulate (this is the product's own score, not the Shannon entropy of file contents, which cannot exceed 8 bits per byte):

Entropy < 32: normal file

Entropy ≥ 32: malicious doubt (suspicious)

Entropy ≥ 64: high probability of malignancy

Entropy ≥ 96: very high probability of malignancy

Expansion algorithm for an infected PC (ZombieZERO EDR installed): ESM + EDR share the pattern information

Page 29:

2. ZombieZERO EDR for Ransomware / 2.1 Method for quarantining Ransomware and preventing proliferation (2)

Detects/blocks modification and manipulation of a specific program's files by programs other than the authorized program:

- The monitored behavior is the modification and manipulation of a specific program's files by a program other than the authorized one

- Conflicts with other software are prevented by implementing this as an I/O driver (file system driver)

[Diagram: user mode / kernel mode. An authorized program requests access authorization for a document from the ZombieZERO EDR driver and the access is approved; an unauthorized program (ransomware, etc.) requesting access authorization for the document is BLOCKED. Access approval for unauthorized programs is blocked, and distribution of the unauthorized program is blocked in conjunction with the ESM]

Page 30:

2. ZombieZERO EDR for Ransomware / 2.1 Method for quarantining Ransomware and preventing proliferation (3)

Detection method using file signatures:

- Confirms tampering with the unique signature (header magic bytes) of executable and document files

- Detects when the amount of tampering exceeds a threshold

Normal signature file headers

Header Signature (Hex)                              File Type

25 50 44 46                                         PDF, FDF

D0 CF 11 E0 A1 B1 1A E1                             HWP, DOC, PPT, XLS, ...

4D 5A                                               EXE

4D 4D 00 2A                                         TIF, TIFF

50 4B 03 04                                         ZIP, ...

50 4B 03 04 14 00 06 00                             DOCX, PPTX, XLSX

52 49 46 46 xx xx xx xx 41 56 49 20 4C 49 53 54     AVI

Modulated (tampered) signature file headers, as left by the encryption in this illustration (each byte of the normal header XORed with 0x99)

Header Signature (Hex)                              File Type

BC C9 DD DF                                         PDF, FDF

49 56 88 79 38 28 83 78                             HWP, DOC, PPT, XLS, ...

D4 C3                                               EXE

D4 D4 99 B3                                         TIF, TIFF

C9 D2 9A 9D                                         ZIP, ...

C9 D2 9A 9D 8D 99 9F 99                             DOCX, PPTX, XLSX

CB D0 DF DF xx xx xx xx D8 CF D0 B9 D5 D0 CA CD     AVI

"Techniques to detect if tampering above a threshold is detected": Signature Check => confirming tampering with the file signature; Check => confirming the presence of the file signature
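The signature check above, and the "classification by file type" step of the Inspector's operation flow, both come down to matching header magic bytes. The following added example (not ZombieZERO code) does that over constructed files: it identifies each file's type from its header, flags files whose extension promises a signature the header no longer carries, measures Shannon entropy (the ciphertext indicator a practitioner pairs with the header check, distinct from the product's own "malicious entropy" score), and raises a bulk alert when the share of tampered files reaches a threshold. The file contents, the per-extension map, the XOR-0x99 "encryption" (chosen to reproduce the slide's modulated headers) and the 50% threshold are assumptions; the little-endian TIFF signature goes beyond the slide's table.

```python
"""File-signature (magic byte) classification and tamper detection.
Added example, not ZombieZERO code: the sample files are constructed byte
strings, the encryption (XOR 0x99, matching the slide's modulated headers)
is only an illustration, and the bulk-tamper threshold is an assumption."""
import hashlib
import math
import os
from typing import Dict, List, Optional, Tuple

# (type label, [(magic bytes, offset), ...]) from the page's table, with the
# real %PDF magic (25 50 44 46) and both TIFF byte orders
SIGNATURES: List[Tuple[str, List[Tuple[bytes, int]]]] = [
    ("PDF",  [(b"%PDF", 0)]),
    ("OLE",  [(bytes.fromhex("D0CF11E0A1B11AE1"), 0)]),   # HWP, DOC, PPT, XLS
    ("PE",   [(b"MZ", 0)]),
    ("TIFF", [(b"MM\x00*", 0)]),                          # big-endian TIFF
    ("TIFF", [(b"II*\x00", 0)]),                          # little-endian TIFF
    ("AVI",  [(b"RIFF", 0), (b"AVI LIST", 8)]),           # every part must match
    ("ZIP",  [(b"PK\x03\x04", 0)]),                       # ZIP, DOCX, PPTX, XLSX
]
EXPECTED = {".pdf": "PDF", ".doc": "OLE", ".xls": "OLE", ".ppt": "OLE", ".hwp": "OLE",
            ".exe": "PE", ".dll": "PE", ".tif": "TIFF", ".tiff": "TIFF", ".avi": "AVI",
            ".zip": "ZIP", ".docx": "ZIP", ".pptx": "ZIP", ".xlsx": "ZIP"}


def identify(data: bytes) -> Optional[str]:
    """Type label whose magic bytes all match at their offsets, else None."""
    for label, parts in SIGNATURES:
        if all(data[off:off + len(magic)] == magic for magic, off in parts):
            return label
    return None


def header_tampered(name: str, data: bytes) -> Optional[bool]:
    """True when the extension implies a signature the header no longer has;
    None when the extension is not one we know how to check."""
    expected = EXPECTED.get(os.path.splitext(name)[1].lower())
    if expected is None:
        return None
    return identify(data) != expected


def shannon_entropy(data: bytes) -> float:
    """Bits per byte in 0..8: ciphertext sits near 8, text near 4 to 5."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def scan(files: Dict[str, bytes]) -> Dict[str, dict]:
    return {name: {"type": identify(d), "tampered": header_tampered(name, d),
                   "entropy": round(shannon_entropy(d), 2)}
            for name, d in files.items()}


def bulk_tamper_alert(files: Dict[str, bytes], threshold: float = 0.5) -> bool:
    """Alert when the share of checkable files with a tampered header
    reaches the (assumed) threshold."""
    checked = [v["tampered"] for v in scan(files).values() if v["tampered"] is not None]
    return bool(checked) and sum(checked) / len(checked) >= threshold


# ---- constructed samples (not real documents) ----
def _blob(seed: bytes, size: int = 4096) -> bytes:
    """Deterministic high-entropy filler standing in for ciphertext."""
    out, h = b"", seed
    while len(out) < size:
        h = hashlib.sha256(h).digest()
        out += h
    return out[:size]


PDF_TEXT = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n" * 20
BEFORE = {
    "report.pdf": PDF_TEXT,
    "budget.xls": bytes.fromhex("D0CF11E0A1B11AE1") + b"\x00" * 504,
    "setup.exe":  b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56,
    "photo.tif":  b"MM\x00*\x00\x00\x00\x08" + b"\xff" * 64,
    "notes.txt":  b"plain text, no known signature\n" * 4,
}
# after "encryption": every byte XORed with 0x99 (the slide's modulated
# headers) followed by ciphertext-like filler
AFTER = {name: bytes(b ^ 0x99 for b in data) + _blob(name.encode())
         for name, data in BEFORE.items()}

if __name__ == "__main__":
    for label, files in (("before", BEFORE), ("after", AFTER)):
        print(label, scan(files), "bulk alert:", bulk_tamper_alert(files))
```

The header check is cheap and catches in-place encryption the moment the first bytes change, but it says nothing for extensions it does not know and nothing about a file that was renamed; the entropy reading covers the second case, and the bulk ratio turns per-file observations into the "above a threshold" decision the slide describes.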

Page 31:

2. ZombieZERO EDR for Ransomware / 2.2 Advantage points

Storage: PC data secure backup function

· Real-time/scheduled backup with minimal system load, supporting options such as copy, one-way and two-way synchronization

· Version (history) management: even when one file has been backed up several times, the required point in time can be restored using the index information

· Deduplication minimizes disk cost and optimizes system availability

· Cloud business environment: data can be accessed from multiple devices anytime, anywhere, for greater efficiency (optional)

Ransomware Prevention: Trust-Zone function

· A virtual secure drive is created on the local drive of the PC by the Central Management Policy Server (for example, T:\)

· A security zone (private zone), not intended for backup, managed by the individual; no one other than authorized users can access it

· Server-authenticated login, automatic logout when the PC is idle for a set time, and AES-256 encrypted storage

· Trust-Zone access can be blocked and its contents deleted in case of malicious use by an external intruder or a lost/stolen PC

Distribution/Service: secure sharing/collaboration function

· Files and folders are shared per user or group according to user policy and permissions (except the C:\ drive)

· Documents in a shared folder can be accessed only by authorized users

· When a laptop is stolen/lost, its data can be deleted remotely; business trips can be carried out from outside with security maintained

Behavior-based malware detection

· Minimizes damage from false positives using linked analysis of process, file and traffic behavior

· Blocks illegal behavior (DDoS attacks, information leakage, peeking, etc.) through the endpoint agent's behavior-based engine

· Unlike products that can only block in conjunction with network equipment, it operates independently because it has its own patented behavior-based engine

T-ZONE Protection: pre-emptive blocking of ransomware based on behavior

· Immediate detection and response to unknown ransomware through behavior-based malware detection and remediation

· Ransomware pattern information is uploaded to the central management server and distributed to prevent proliferation to other PCs

· Organic linkage with the secure backup

Page 32:

3. ZombieZERO EDR for APT

Key Features

Behavior-based analysis technology + Execution pending function

Execution pending function:

· Pending (hold) function for executables in real time

· The analysis status can be viewed through the UI on the user PC

· Endpoint users can register whitelists to deal with false positives and analysis delays

Behavior-based analysis technology:

· Responds to new and variant malicious code through behavior-based malicious code detection/treatment

· Prevents proliferation to other PCs by uploading new and variant malicious code pattern information to the central management server

· Organic linkage with the APT analysis server

Execution pending and whitelist processing function

Execution pending: ensures safety by holding executables until they have been analyzed

Whitelist: increases operational efficiency through user whitelist registration

Page 33:

3. ZombieZERO EDR for APT / 3.1 Main functions (1): Configuring a safe environment by detecting and blocking malicious behavior from malware that may have infected the PC

Process Hiding Detection

[Diagram: run user process -> Process 1, Process 2, Process 3 visible (normal activity) vs. process hiding]

• Monitors whether an administrator process is running and detects attempts to hide the process itself or specific processes from the Task Manager list

Memory Tampering Detection

• Monitors all running processes and detects tampering with the memory area of processes other than the process itself

Reverse Connection Detection

[Diagram: C/S model (the client requests a connection to the server) vs. reverse connection (the victim connects out to the attacker, repeating at a time interval and retrying if there is no response; the timing of a human-driven session is made up of ① human thinking time, ② propagation delay and ③ CPU processing time)]

• Monitors the behavior of backdoor programs and detects them using backdoor characteristics

Peeking Prevention

[Diagram: a screen-capture order during normal activity vs. a screen capture followed by transmission by the target process]

• Monitors all running processes and detects screen capture and transmission attempts by the target process

Page 34:

3. ZombieZERO EDR for APT3.1 Main functions (2) Configuring a safe environment by detecting and blocking malicious behavior that may be infected by malware on your PC

<28>

Traffic anomaly (abnormal behavior) detection File driver level quarantine

User behavior detection File transfer detection

Normal packet flow

Abnormal packet flow

T1 T2Attacker

Normal packet flow

Abnormal packet flow

T1 T2Attacker

File

Filter

Driver

Blacklist

Comparison

Typing Click Wheeling

DB

Typing Click Wheeling

BlockDetection/block by

monitoring

File execution

Normal

Abnormal

Make DB

• Monitoring packet in real time using network filter driver and check/detect whether packet is abnormal

• When PE file loading is executed, the Signature (MD5, SHA256) of the corresponding file is compared with Blacklist and the execution is blocked/quarantined in the case of malicious determination

• The target process is activated according to the input of the user's mouse and keyboard. This is a function that manages this activation process list.

• It monitors all running processes and detects the attempted file leaking attempt of the target process.

• File transfer detection technology regardless of user intention, file transfer detection technology by user

Zombie ZERO Solutions: Dual defense solution for new APT attacks

Page 35


3. ZombieZERO EDR for APT

3.2 Advantage points

Whitelist function

· Whitelist policy set through the analysis server (ESM server) provides strong control over unauthorized files and processes

· Less false-positive handling effort and smoother system operation, because users can register whitelist entries directly in the EDR UI

· Verification function for registered whitelist entries (manual analysis and remote analysis)

· Updates to whitelist patterns

Blocking illegal behaviors (detection/blocking of information leakage)

· Separating user behavior from process behavior to detect unauthorized data leakage by malicious code, and to detect/block the source of illegal traffic

· Detecting reverse sessions to block the attacker's command source for a zombie PC

· Detecting/blocking PC behavior monitors that watch the user PC's screen in real time over the network

· Detecting/blocking DDoS attacks and other system hacking
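The "reverse session" bullet above, in code form. This is an added illustration written for this transcript, not NPCore's product code: a zombie PC's outbound connections to its command source typically recur on a timer, so the check below groups outbound connections by process and destination and flags groups whose gaps between connections are nearly constant. The connection records, process names and destination addresses (RFC 5737 documentation ranges) are constructed for the example, and `min_connections` and `max_cv` are assumed tuning thresholds.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed outbound-connection records from one endpoint:
# (timestamp in seconds, process name, destination IP, destination port).
# Addresses are from documentation ranges (RFC 5737); nothing here is real traffic.
SAMPLE_CONNECTIONS = [
    # A process calling back to the same host roughly every 60 seconds.
    (0, "svchost.exe", "203.0.113.10", 443),
    (61, "svchost.exe", "203.0.113.10", 443),
    (120, "svchost.exe", "203.0.113.10", 443),
    (181, "svchost.exe", "203.0.113.10", 443),
    (240, "svchost.exe", "203.0.113.10", 443),
    (301, "svchost.exe", "203.0.113.10", 443),
    (360, "svchost.exe", "203.0.113.10", 443),
    (421, "svchost.exe", "203.0.113.10", 443),
    # A browser with bursty, user-driven connections to one site.
    (0, "chrome.exe", "198.51.100.7", 443),
    (3, "chrome.exe", "198.51.100.7", 443),
    (4, "chrome.exe", "198.51.100.7", 443),
    (30, "chrome.exe", "198.51.100.7", 443),
    (31, "chrome.exe", "198.51.100.7", 443),
    (33, "chrome.exe", "198.51.100.7", 443),
    (90, "chrome.exe", "198.51.100.7", 443),
    (200, "chrome.exe", "198.51.100.7", 443),
    # Too few connections to judge regularity.
    (5, "outlook.exe", "192.0.2.20", 993),
    (300, "outlook.exe", "192.0.2.20", 993),
    (600, "outlook.exe", "192.0.2.20", 993),
]


def detect_reverse_sessions(records, min_connections=6, max_cv=0.1):
    """Flag (process, destination) pairs whose connection intervals are nearly constant.

    Regularity is measured by the coefficient of variation (stdev / mean) of the
    gaps between consecutive connections; a low value means the process is
    reconnecting on a timer rather than in response to user activity.
    """
    by_key = defaultdict(list)
    for ts, proc, ip, port in records:
        by_key[(proc, ip, port)].append(ts)

    findings = []
    for (proc, ip, port), times in by_key.items():
        if len(times) < min_connections:
            continue  # not enough samples to call the pattern regular
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        avg_gap = mean(gaps)
        if avg_gap <= 0:
            continue
        cv = pstdev(gaps) / avg_gap
        if cv <= max_cv:
            findings.append({
                "process": proc,
                "destination": f"{ip}:{port}",
                "connections": len(times),
                "interval_s": round(avg_gap, 1),
                "cv": round(cv, 3),
            })
    return findings


if __name__ == "__main__":
    for f in detect_reverse_sessions(SAMPLE_CONNECTIONS):
        print(f"{f['process']} -> {f['destination']}: "
              f"{f['connections']} connections every ~{f['interval_s']}s (cv={f['cv']})")
```

A flagged pair is a candidate for the block action the bullet describes (cut the traffic, trace the process), not a verdict on its own: a legitimate updater polls on a timer too, so a destination whitelist and a check against the user-input activation list from 3.1 belong in front of any automatic block.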

Stability and connectivity: guaranteed system stability and interworking

· The endpoint agent is installed at the kernel driver level rather than at the application level, which prevents collisions with other programs and minimizes the impact on system stability and PC resources

· A dual defense system can be built by interworking with other companies' network equipment

Behavior-based malware detection

· Minimizing damage from false positives through correlated analysis of process, file and traffic

· Blocking illegal behaviors (DDoS attacks, information leakage, peeking, etc.) through the behavior-based engine of the endpoint agent

· Unlike products that can block only when interworking with network equipment, it can operate independently because it carries a patented behavior-based engine

Execution pending function

· Prevention of malware infection through the EDR-based execution pending function for downloaded executable files (whether or not the user is aware of the download)

· An analysis request for the pending file is sent to the analysis server, and execution is allowed or refused according to the result (malicious / normal)

· File analysis by pending execution is also provided for document files other than PE files

· The EDR UI can be used to check inspection status, and files can be whitelisted by user specification
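The load-time blacklist comparison from 3.1 and the execution pending flow from 3.2, combined in one worked example. This is added illustration code, not NPCore's implementation: the blacklist, the whitelist, the analysis server (stood in for by a dictionary of verdicts) and the sample file contents are all constructed here, and the magic-byte check for PE and document files is an assumed stand-in for the product's own file-type detection.

```python
import hashlib
from dataclasses import dataclass, field
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"            # execution proceeds
    QUARANTINE = "quarantine"  # execution blocked, file moved to quarantine
    PENDING = "pending"        # execution held until the analysis server answers


@dataclass
class FileHashes:
    md5: str
    sha256: str


def hash_file_bytes(data: bytes) -> FileHashes:
    """File signature as the page describes it: MD5 and SHA-256 hex digests."""
    return FileHashes(hashlib.md5(data).hexdigest(), hashlib.sha256(data).hexdigest())


def needs_analysis(data: bytes) -> bool:
    """Assumed stand-in for file-type detection: pend PE executables ('MZ') and
    common document containers (OLE, ZIP-based Office, PDF)."""
    magics = (b"MZ", b"\xd0\xcf\x11\xe0", b"PK\x03\x04", b"%PDF")
    return any(data.startswith(m) for m in magics)


@dataclass
class ExecutionGate:
    blacklist: set            # MD5 or SHA-256 hex digests of known-malicious files
    whitelist: set            # SHA-256 hex digests approved by the admin or the user
    verdicts: dict            # stand-in for the analysis server: sha256 -> "malicious" | "normal"
    quarantined: list = field(default_factory=list)
    pending: list = field(default_factory=list)

    def on_load(self, name: str, data: bytes) -> Decision:
        h = hash_file_bytes(data)
        # 1. Blacklist comparison at load time: known-bad files never run.
        if h.md5 in self.blacklist or h.sha256 in self.blacklist:
            self.quarantined.append(name)
            return Decision.QUARANTINE
        # 2. Whitelisted files skip pending (the "register whitelist in the UI" path).
        if h.sha256 in self.whitelist:
            return Decision.ALLOW
        # 3. File types outside the analysed set are not held.
        if not needs_analysis(data):
            return Decision.ALLOW
        # 4. Execution pending: ask the analysis server and act on its verdict.
        verdict = self.verdicts.get(h.sha256)
        if verdict is None:
            self.pending.append(name)      # stays blocked until a verdict arrives
            return Decision.PENDING
        if verdict == "malicious":
            # Feed the result back into the blacklist so the next load is blocked at step 1.
            self.blacklist.add(h.sha256)
            self.quarantined.append(name)
            return Decision.QUARANTINE
        return Decision.ALLOW


# Constructed sample files: labelled byte strings, not real executables or malware.
KNOWN_BAD = b"MZ" + b"\x90" * 14 + b"constructed known-bad sample"
APPROVED = b"MZ" + b"\x90" * 14 + b"constructed approved tool"
UNKNOWN_BAD = b"MZ" + b"\x90" * 14 + b"constructed unknown sample, server says malicious"
UNKNOWN_DOC = b"%PDF-1.4 constructed document with no verdict yet"
PLAIN_TEXT = b"constructed notes.txt, not an analysed type"


def build_demo_gate() -> ExecutionGate:
    return ExecutionGate(
        blacklist={hash_file_bytes(KNOWN_BAD).sha256},
        whitelist={hash_file_bytes(APPROVED).sha256},
        verdicts={hash_file_bytes(UNKNOWN_BAD).sha256: "malicious"},
    )


def run_demo() -> dict:
    gate = build_demo_gate()
    loads = [
        ("known_bad.exe", KNOWN_BAD),
        ("approved.exe", APPROVED),
        ("unknown.exe", UNKNOWN_BAD),
        ("report.pdf", UNKNOWN_DOC),
        ("notes.txt", PLAIN_TEXT),
        # Second load of the same unknown file is now blocked straight from the blacklist.
        ("unknown_again.exe", UNKNOWN_BAD),
    ]
    return {name: gate.on_load(name, data).value for name, data in loads}


if __name__ == "__main__":
    for name, decision in run_demo().items():
        print(f"{name:18} -> {decision}")
```

Step 4 is what turns a single endpoint's analysis result into protection for the rest of the fleet: once the verdict is written back into the shared blacklist, every other agent blocks the same hash at step 1 without waiting for its own analysis, which is the "preventing proliferation to other PCs" behaviour the deck describes for the central management server.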


Page 36

Unknown APT/Ransomware Response Solutions: ZombieZERO SECaaS

1. ZombieZERO SECaaS (Security as a Service)

1) What is SECaaS?

A response solution to ransomware through EDR (Endpoint Detection & Response). It was developed in cooperation with KT, which now provides the service to SMEs in the form of SECaaS (Security as a Service) under the brand name 'KT securegate'. (Site link: securegate.olleh.com)

(Diagram: KT securegate Business Model (KT's SECaaS business model, securegate.olleh.com) and SECaaS block diagram (behavior-based malware solution for PC, securegate.olleh.com). Company A and company B each connect through a router, F/W and switch over the Internet to the KT securegate server farm, which runs the securegate WAS server and the ZombieZERO Manager (server) as a cloud service.)

Page 37

2) Main Services

SECaaS (malware detection / blocking solution) detects and blocks ransomware based on behavior, and supports PC backup and NAS backup for integrated protection of the enterprise's or organization's data.

Behavior-based analysis technology

· Providing a pending function for real-time executables

· Enabling the analysis status to be viewed through the UI on the user PC

· Endpoint users can register whitelists to respond to false positives and analysis delays

· Enabling response to new and variant malicious code through behavior-based malicious code detection/treatment

· Preventing proliferation to other PCs after uploading new and variant malicious code pattern information to the central management server

· Organic linkage with the APT analysis server

+ Backup technology

(Diagram: Type-A, a Central Management Server (Zombie ZERO Manager) with PC #1 ... PC #n (OS: Windows) and PC backup; Type-B, PC #1 ... PC #n (OS: Windows) with NAS backup; 24x7 real-time. Zombie behavior flow: generation, propagation, detection/blocking; occurrence of zombie behaviors; blocking of traffic and tracing back processes; ZombieZERO ransomware response: extraction of malware, quarantine.)

* KOREA Patent No. 10-1036750 / Block system and method for Zombie behavior

* US Patent No. US 9060016 B2 / Apparatus and method for blocking Zombie behavior Process

Page 38


Company Introduction

1. General Information

2. Organization and Personnel

3. History and Technology

4. Customers

5. Case Studies

6. Reference Sites

7. Comparison Table

Page 39

1. General Information

Company Name: NPCore, Inc.

Date of establishment: 2008. 11. 19.

Annual Sales: 2015 : 1.9B KRW ($1.9M) / 2016 : 2.4B KRW ($2.4M)

Employee No.: 24

Main Product: Information Security Solutions

Address: IS Biz Tower 1001, 26, Yangpyeong-ro 21-gil, Yeongdeungpo-gu, Seoul, Korea

Contact: +82-1544-5317, FAX: +82-2-413-5317

Website: www.npcore.com

CEO: SC Han

- MS in Electronic Engineering, Yonsei Univ.

- Head of R&D center

- 18 years experience in network and information security solutions

Financial summary (Unit: M Won)

Year | 2015 | 2016

Total Asset | 6,589 ($6.6M) | 6,695 ($6.7M)

Total Capital | 3,853 ($3.9M) | 4,161 ($4.2M)

Sales | 1,963 ($1.9M) | 2,419 ($2.4M)

Evaluation Year: 2016

Evaluation Institution: Korea Enterprise Data

Page 40

2. Organization and Personnel

(Organization chart: HQ, Branch, Subsidiary, Distributors)

Classified | Total

Master level engineer | 3

Advanced level engineer | 5

Intermediate level engineer | 6

Elementary level engineer | 1

Management & Marketing | 3

Tech Sales (Korea/Overseas) | 6

Total | 24

Engineer ratio: 65%

Page 41

3. History and Technology

1) Network intrusion prevention methods and systems

2) Abnormal traffic control device and method

3) A LAN card for server security

4) Access control system and method

5) Network interface device with information leakage prevention function, and information leakage prevention method

6) Zombie behavior blocking system and method

7) Information leakage prevention device and method

8) System and method for hacking device of mobile terminal

Registered patents (8 domestic / 1 US)

Certification details

1) GS Certification: ZombieZERO V2.0

2) CC Certification: ZombieZERO Inspector V3.0

3) CC Certification: ZombieZERO V2.0

4) Green technology certification (hybrid low power multicore NPU based high performance server platform system)

Patent applications (7 domestic / 1 PCT)

9) APPARATUS AND METHOD FOR BLOCKING ZOMBIE BEHAVIOR PROCESS

Page 42

4. Main Customers

(Logo page. Categories: Government, University, Financial Corp. / Enterprise. Customers shown: Financial Supervisory Service, Korea Water Resource Corp., KEPCO Nuclear Fuel, Seoul City Hall, Yeongcheon City Hall, Property Office, Post Business Information Center, Kamisu City Hall (Japan), Toukei Computer (Japan), Hitachi (Japan), Royal Malaysia Police, Vietnam Posts and Telecom Group.)

Page 43

5. Case Studies

01. LOTTE DUTY FREE: Endpoint malware defense

Installed the Agent at Lotte Duty Free to defend against malware on all of Lotte Duty Free's user PCs, including the main office and the Incheon International Airport, Jamsil, COEX and Gimpo Airport shops.

When adoption was reviewed, a product presentation and BMT of domestic competitors and our product were carried out under the supervision of Lotte Data Communication's security consulting team. As a result, our product was the final selection.

Due to the ransomware issue, all systems were patched (Jan. 2016) and approximately 2,000 users adopted our product.

02. YUHAN (pharmaceutical company): Defense system against APT attack

YUHAN adopted ZombieZERO Inspector to protect its internal information and assets from increasingly intelligent APT attacks.

The project took about one month, starting Aug. 2015.

When adoption was reviewed, our product was the final selection based on the results of the product presentation and BMT.

Page 44

03. Korea Aerospace Industries, Ltd.: Information exfiltration defense system

Adopted the ZombieZERO Agent on user PCs to prevent information exfiltration through malicious behavior that Korea Aerospace Industries' internal users cannot perceive.

When adoption was reviewed, our product was the final selection as a result of the product presentation and BMT of domestic competitors and our product.

The project took about one month, starting Dec. 2015, and approximately 2,000 users adopted our product.

04. Seoul City Hall: Intelligent malware response system

Adopted ZombieZERO Inspector to build a defense system with real-time detection and blocking against APT attacks on Seoul City Hall.

The project took about one month, starting Jun. 2014.

Page 45

05. Gyeongsangbuk-do Office of Education: APT defense system for the 3-stage SchoolNet service

ZombieZERO Inspector was adopted in the APT attack defense area of the Gyeongsangbuk-do Office of Education's 3-stage SchoolNet service project.

The project took about one month, starting May 2016.

Two sets of ZombieZERO Inspector 5000 were adopted, for the internet network and the backup network.

Built the best infrastructure by interworking with the site's other security equipment.

06. Cheonan Yonam College: APT attack defense system

Cheonan Yonam College adopted the ZombieZERO Agent on internal user PCs to arrange a professional response system against increasingly intelligent APT attacks.

Our product was the final selection as a result of the BMT.

The project took about one month, starting Nov. 2013, and approximately 500 users adopted our product.

Page 46

07. KT&G: Zombie PC and data exfiltration prevention system

ZombieZERO was adopted as the defense solution against data exfiltration from KT&G's user PCs; it was the final selection after a BMT lasting about a year.

The project took about one month, starting May 2014, and approximately 4,000 users adopted our product.

08. Korea Workers' Compensation & Welfare Service (COMWEL): Zombie PC and data exfiltration prevention system

ZombieZERO was adopted as the defense solution against zombie PCs and data exfiltration from COMWEL's user PCs; it was the final selection after a BMT lasting about a year.

The project took about one month, starting Dec. 2013, and approximately 8,000 users adopted our product, including nationwide branches and the 8 hospitals that COMWEL manages.

Page 47

6. Reference Sites

Division | Customer | Project | Period | Adopted Type

Gov. Agency | Gyeongsangbuk-do Office of Education | APT Defense System | Apr.2016~Now | Inspector (Network)

Gov. Agency | Korea Aerospace Industries, Ltd. | Data Spill Defense System | Jan.2016~Feb.2016 | Agent (Endpoint)

Gov. Agency | Korea Water Resource Corp. | APT Defense System | Apr.2015~May.2015 | Inspector + Agent

Gov. Agency | KEPCO NUCLEAR FUEL | Advanced Malware Defense System | Apr.2015~Jun.2015 | Inspector (Network)

Gov. Agency | Seoul Metro | APT Defense System | Oct.2014~Nov.2014 | Inspector (Network)

Gov. Agency | Seoul City Hall | Advanced Malware Defense System | Apr.2014~Jun.2014 | Inspector (Network)

Gov. Agency | Yeongcheon City Hall | APT Defense System | Mar.2014 | Agent (Endpoint)

Gov. Agency | The Independence Hall of Korea | Zombie PC Detection System | Nov.2013~Dec.2013 | Inspector (Network)

Gov. Agency | Korean Intellectual Property Office | APT Defense System | Dec.2013 | Inspector (Network)

Gov. Agency | Daegu-Gyeongbuk Free Economic Zone Authority | Zombie PC Detection System | Nov.2013 | Inspector (Network)

Gov. Agency | Korea Workers' Compensation & Welfare Service | Zombie PC Defense System | Aug.2013~Oct.2013 | Agent (Endpoint)

Gov. Agency | Korea Forest Service | Zombie PC & Data Spill Defense System | Oct.2012~Nov.2012 | Agent (Endpoint)

Gov. Agency | The Blue House | New Hacking Blocking System | Nov.2011~Dec.2011 | Agent (Endpoint)

Univ. | Munkyung College | Zombie PC Detection System | Jun.2015~Jul.2015 | Inspector (Network)

Univ. | Seoyeong Univ. | Advanced Malware Defense System | Feb.2015~Mar.2015 | Inspector (Network)

Univ. | Hanshin Univ. | Zombie PC Detection System | Mar.2014~Apr.2014 | Agent (Endpoint)

Univ. | Cheonan Yonam College | Zombie PC Detection System | Nov.2013 | Agent (Endpoint)

Univ. | Dongduk Womens Univ. | Zombie PC Detection/Blocking System | Feb.2012 | Agent (Endpoint)

Univ. | Chosun Univ. | Zombie PC Detection/Blocking System | Feb.2011 | Agent (Endpoint)

Financial Corp. / Enterprise | Lotte Duty Free | APT Defense System | Aug.2014~Now | Agent (Endpoint)

Financial Corp. / Enterprise | KT&G | APT Defense System | Apr.2014 | Agent (Endpoint)

Financial Corp. / Enterprise | Financial Supervisory Service | APT Defense System | Apr.2013~May.2013 | Agent (Endpoint)

Financial Corp. / Enterprise | YUHAN Corp. | APT Defense System | Sep.2015~Nov.2015 | Inspector (Network)

Financial Corp. / Enterprise | Hankook Capital Co., Ltd. | APT Defense System | Apr.2013~May.2013 | Agent (Endpoint)

Financial Corp. / Enterprise | Sapphire Technology | APT Defense System | Apr.2014~May.2014 | Agent (Endpoint)

Financial Corp. / Enterprise | DGB Life Insurance | APT Defense System | Aug.2013~Sep.2013 | Agent (Endpoint)

Financial Corp. / Enterprise | Busan Bank | New Hacking Blocking System | Jun.2012~Jul.2012 | Agent (Endpoint)

Actual cases (photos): The Independence Hall of Korea, Cheonan Yonam College, COMWEL

Page 48

6. Reference Sites (continued)

Division-1 | Division-2 | Customer | Project | Setup Period | Setup Type

Republic of KOREA | Gov. Agency | Korea Post Office | APT Defense System Setup | Nov.2016~Dec. 2016 | ZombieZERO Inspector (Network)

Republic of KOREA | Gov. Agency | Gyeongsangbuk-do Office of Education | APT Defense System Setup | Apr.2016~Jun. 2016 | ZombieZERO Inspector (Network)

Republic of KOREA | Gov. Agency | Korea Aerospace Industries, Ltd. | Data Spill Defense System Setup | Jan.2016~Feb.2016 | ZombieZERO Agent (Endpoint)

Republic of KOREA | Gov. Agency | Korea Water Resource Corp. | APT Defense System Setup | Apr.2015~May.2015 | ZombieZERO Inspector + Agent

Republic of KOREA | Gov. Agency | KEPCO NUCLEAR FUEL | Advanced Malware Defense System Setup | Apr.2015~Jun.2015 | ZombieZERO Inspector (Network)

Republic of KOREA | Gov. Agency | Seoul Metro | APT Defense System Setup | Oct.2014~Nov.2014 | ZombieZERO Inspector (Network)

Republic of KOREA | Gov. Agency | Seoul City Hall | Advanced Malware Defense System Setup | Apr.2014~Jun.2014 | ZombieZERO Inspector (Network)

Republic of KOREA | Gov. Agency | Yeongcheon City Hall | APT Defense System Setup | Mar.2014 | ZombieZERO Agent (Endpoint)

Republic of KOREA | Gov. Agency | The Independence Hall of Korea | Zombie PC Detection System Setup | Nov.2013~Dec.2013 | ZombieZERO Inspector (Network)

Republic of KOREA | Gov. Agency | Korean Intellectual Property Office | APT Defense System Setup | Dec.2013 | ZombieZERO Inspector (Network)

Republic of KOREA | Gov. Agency | Daegu-Gyeongbuk Free Economic Zone Authority | Zombie PC Detection System Setup | Nov.2013 | ZombieZERO Inspector (Network)

Republic of KOREA | Gov. Agency | Korea Workers' Compensation & Welfare Service | Zombie PC Defense System Setup | Aug.2013~Oct.2013 | ZombieZERO Agent (Endpoint)

Republic of KOREA | Gov. Agency | Korea Forest Service | Zombie PC & Data Spill Defense System Setup | Oct.2012~Nov.2012 | ZombieZERO Agent (Endpoint)

Republic of KOREA | Gov. Agency | The Blue House (The President Office) | New Hacking Blocking System Setup | Nov.2011~Dec.2011 | ZombieZERO Agent (Endpoint)

Republic of KOREA | Univ. | Munkyung College | Zombie PC Detection System Setup | Jun.2015~Jul.2015 | ZombieZERO Inspector (Network)

Republic of KOREA | Univ. | Seoyeong Univ. | Advanced Malware Defense System Setup | Feb.2015~Mar.2015 | ZombieZERO Inspector (Network)

Republic of KOREA | Univ. | Hanshin Univ. | Zombie PC Detection System Setup | Mar.2014~Apr.2014 | ZombieZERO Agent (Endpoint)

Republic of KOREA | Univ. | Cheonan Yonam College | Zombie PC Detection System Setup | Nov.2013 | ZombieZERO Agent (Endpoint)

Republic of KOREA | Univ. | Dongduk Womens Univ. | Zombie PC Detection/Blocking System Setup | Feb.2012 | ZombieZERO Agent (Endpoint)

Republic of KOREA | Univ. | Chosun Univ. | Zombie PC Detection/Blocking System Setup | Feb.2011 | ZombieZERO Agent (Endpoint)

Republic of KOREA | Financial Corp. / Enterprise | Lotte Duty Free | APT Defense System Setup | Aug.2014~Now | ZombieZERO Agent (Endpoint)

Republic of KOREA | Financial Corp. / Enterprise | KT&G | APT Defense System Setup | Apr.2014 | ZombieZERO Agent (Endpoint)

Republic of KOREA | Financial Corp. / Enterprise | Financial Supervisory Service | APT Defense System Setup | Apr.2013~May.2013 | ZombieZERO Agent (Endpoint)

Republic of KOREA | Financial Corp. / Enterprise | YUHAN Corp. | APT Defense System Setup | Sep.2015~Nov.2015 | ZombieZERO Inspector (Network)

Republic of KOREA | Financial Corp. / Enterprise | Hankook Capital Co., Ltd. | APT Defense System Setup | Apr.2013~May.2013 | ZombieZERO Agent (Endpoint)

Republic of KOREA | Financial Corp. / Enterprise | Sapphire Technology | APT Defense System Setup | Apr.2014~May.2014 | ZombieZERO Agent (Endpoint)

Republic of KOREA | Financial Corp. / Enterprise | DGB Life Insurance | APT Defense System Setup | Aug.2013~Sep.2013 | ZombieZERO Agent (Endpoint)

Republic of KOREA | Financial Corp. / Enterprise | Busan Bank | New Hacking Blocking System Setup | Jun.2012~Jul.2012 | ZombieZERO Agent (Endpoint)

JAPAN | Enterprise | Daou Japan | APT Defense System Setup | Aug.2015~Mar.2016 | ZombieZERO Inspector (Network)

JAPAN | Gov. Agency | Kamisu City | APT Defense System Setup | Nov.2015 | ZombieZERO Inspector (Network)

JAPAN | Enterprise | Toukei Computer | APT Defense System Setup | Mar.~May 2016 | ZombieZERO Inspector + Agent

JAPAN | Enterprise | Hitachi | APT Defense System Setup | 1Q. 2017 | ZombieZERO Inspector + Agent

Vietnam | Enterprise | VNPT | Network Device / DB Security Setup | Aug. 2016 ~ Oct. 2016 | Network Device / DB Security

Vietnam | Enterprise | Tsukatani | Network Device | Mar. 2016 ~ May. 2016 | Network Device

Vietnam | Enterprise | Enshu | Network Device | Mar. 2016 ~ May. 2016 | Network Device

Vietnam | Enterprise | Elentec | Network Device | May. 2016, Nov. 2016 | Network Device

Malaysia | Gov. Agency | Ministry of Police | APT Defense System Setup | Oct. 2016 | ZombieZERO Inspector (Network)

UAE | Gov. Agency | Smart City | APT Defense System Setup | 1Q~2Q. 2017 | ZombieZERO Inspector + Agent

Page 49

7. Comparison Table

Compared vendors: NPCore (ZombieZERO), FireEye, TrendMicro, Checkpoint, Ahn Lab

Main technology

- NPCore: Behavior-based analysis

- FireEye: Behavior-based analysis

- TrendMicro: Behavior-based situation awareness

- Checkpoint: Behavior-based analysis

- Ahn Lab: Behavior-based analysis

Ransomware detection's main feature

- NPCore: Behavior-based categories monitor APIs (encrypting, signing, file manipulation); signature counterfeiting & tampering; manages & controls document access; file change and setup limits; whether a digital signature is present or not

- FireEye: Recognizes ransomware's specific pattern

- TrendMicro: Recognizes ransomware's pattern; detects file tampering; PC-based backup

- Checkpoint: No ransomware technology

- Ahn Lab: Detects file access behavior; detects continuous encrypting behavior; PC-based backup

Ransomware block function

- NPCore: Block/isolation/cure functions (when a cure pattern is registered)

- FireEye: Block/isolation/cure functions (when a cure pattern is registered)

- TrendMicro: Isolation/Backup

- Checkpoint: X

- Ahn Lab: Isolation/Backup (when a cure pattern is registered)

Agent's APT response

- NPCore: O; process/file/traffic interworking analysis; reverse access (detects C&C); memory tampering and abnormal traffic behavior; detects file transfer

- FireEye: O; detects C&C; detects against pattern DB and real-time threats; protects from web browser threats

- TrendMicro: X

- Checkpoint: △ (cannot use the Agent alone); detects C&C; classifies the same process use

- Ahn Lab: O; detects C&C; prevents data exfiltration; detects user's behavior, etc.

Possesses own APT equipment for network or not

- NPCore: Possesses APT equipment for network, email and net connection

- FireEye: Possesses APT equipment for network & email

- TrendMicro: X

- Checkpoint: Possesses network APT equipment

- Ahn Lab: X

Possesses own C&C list or not: NPCore O, FireEye O, TrendMicro X, Checkpoint X, Ahn Lab O

Possesses own blacklist or not: NPCore O, FireEye O, TrendMicro X, Checkpoint X, Ahn Lab O

Possesses own whitelist or not: NPCore O, FireEye O, TrendMicro X, Checkpoint X, Ahn Lab O

Management server

- NPCore: Based on customer or Cloud (option); integrates with network equipment or configures alone; ESM (Dashboard); deploys policy according to the customer's nature; prevents spread by registering patterns (easy for big customer management and response)

- FireEye: Customer-based; configured by Agent alone; Dashboard; deploys central policy

- TrendMicro: Cloud-based; management tool for each user; difficulties in deploying policy to group companies and institutes; security manager's difficulties in total status management

- Checkpoint: Customer-based; network integrated configuration; Dashboard; deploys central policy

- Ahn Lab: Customer-based; network integrated configuration; Dashboard; deploys central policy
