Evolution of Malware and the Next Generation Endpoint Protection against Targeted Attacks
02/05/2023Malware Evolution 2
Index1. Malware volume evolution
2. Malware Eras3. Panda Adaptive Defense
1. What is it2. Features & Benefits3. How does it work4. Successs Story
02/05/2023Malware Evolution 3
Malware samples evolution
02/05/2023Malware Evolution 4
Malware volume evolution
02/05/2023Malware Evolution 5
Malware Eras
02/05/2023Malware Evolution 6
1st Era• Very little samples and Malware
families• Virus created for fun, some very
harmful, others harmless, but no ultimate goal
• Slow propagation (months, years) through floppy disks. Some virus are named after the city where it was created or discovered
• All samples are analysed by technicians
• Sample static analysis and disassembling (reversing)
02/05/2023Malware Evolution 7
W32.Kriz Jerusalem
02/05/2023Malware Evolution 8
2nd Era• Volume of samples starts growing
• Internet slowly grows popular, macro viruses appears, mail worm, etc…
• In general terms, low complexity viruses, using social engineering via email, limited distribution, they are not massively distributed
• Heuristic Techniques
• Increased update frequency
02/05/2023Malware Evolution 9
Melissa Happy 99
02/05/2023Malware Evolution 10
3rd Era• Massive worms apparition overloads the
internet• Via mail: I Love You• Via exploits: Blaster, Sasser, SqlSlammer
• Proactive Technologies• Dynamic: Proteus• Static: KRE & Heuristics Machine
Learning• Malware process identification by events
analysis of the process:• Access to mail contact list• Internet connection through non-
standard port• Multiple connections through port 25• Auto run key addition• Web browsers hook
02/05/2023Malware Evolution 11
I love you Blaster
02/05/2023Malware Evolution 12
Sasser
02/05/2023Malware Evolution 13
Static proactive technologies
Response times reduced to 0 detecting unknown malware
Machine Learning algorithms applied to classic classification problems
Ours is ALSO a “class” problem: malware vs goodware.
02/05/2023Malware Evolution 14
4th Era•Hackers switched their profile: the main motivation of malware is now an economic benefit, using bank trojans and phishing attacks.
•Generalization of droppers/downloaders/EK
•The move to Collective Intelligence
•Massive file classification.
•Knowledge is delivered from the cloud
02/05/2023Malware Evolution 15
Banbra Tinba
02/05/2023Malware Evolution 16
El salto a la Inteligencia Colectiva
La entrega del conocimiento desde la nube como alternativa al fichero de firmas.
Escalabilidad de los servicios de entrega de firmas de malware a los clientes mediante la automatización completa de todos los procesos de backend (procesado, clasificación y detección).
02/05/2023Malware Evolution 17
Big Data arrival
Current working set of 12 TB 400K million registries 600 GB of samples per day 400 million samples stored
Innovation: to make viable the data processing derived from Collective Intelligence strategy, applying Big Data technologies.
02/05/2023Malware Evolution 18
5th Era•First massive cyber-attack against a
country, Estonia from Russia. •Anonymous starts a campaign against
several organizations (RIAA, MPAA, SGAE, and others)•Malware professionalization•Use of marketing techniques in spam
campaigns•Country/Time based malware variant
distribution•Ransomware•APTs•Detection by context•Apart from analysing what a process does,
the context of execution is also taken into account…
02/05/2023Malware Evolution 19
Reveton Ransomware
02/05/2023 20Malware Evolution
APTs…
02/05/2023Malware Evolution 21
02/05/2023Malware Evolution 22
- November / December 2013- 40 millions credit/debit cards stolen- Attack made through the A/C
maintenance company- POS
- Unknown author- Information deletion- TB of information stolen
Sony Pictures computer system down after reported hackHackers threaten to release 'secrets' onto web
02/05/2023 23Malware Evolution
Carbanak- Year 2013/2014
- 100 affected entities
- Countries affected: Russia, Ukraine, USA, Germany, China
- ATMs: 7.300.000 US$
- Transfer: 10.000.000 US$
- Total estimated: 1.000.000.000 US$
02/05/2023Adaptive Defense 24
What is Panda Adaptive Defense?The Next Generation Endpoint Protection
02/05/2023Adaptive Defense 25
Panda Adaptive Defense is a new security model which can guarantee complete protection for devices and servers by classifying 100% of the processes running on every computer throughout the organization and monitoring and controlling their behavior.
More than 1.2 billion applications already classified.
Adaptive Defense new version (1.5) also includes AV engine, adding the disinfection capability. Adaptive Defense could even replace the company antivirus.
RESPONSE… and forensic information to analyze each attempted attack in detail
VISIBILITY… and traceability of each action taken by the
applications running on a system
PREVENTION… and blockage of applications
and isolation of systems to prevent future attacks
DETECTION… and blockage
of Zero-day and targeted
attacks in real-time without the need for
signature files
02/05/2023Adaptive Defense 26
Features and benefits
Daily and on-demand reports
Simple, centralized administration from a Web console
Better service, simpler management
Detailed and configurable monitoring of running applications
Protection of vulnerable systems
Protection of intellectual assets against targeted attacks
Forensic report
Protection
ProductivityIdentification and blocking of unauthorized programs
Light, easy-to-deploy solution
Management
Key Differentiators- Categorizes all running processes on the endpoint minimizing risk of unknown malware: Continuous monitoring and attestation of all processes fills the detection gap of AV products.- Automated investigation of events significantly reduces manual intervention by the security team: Machine learning and collective intelligence in the cloud definitively identifies goodware & blocks malware.- Integrated remediation of identified malware: Instant access to real time and historical data provides full visibility into the timeline of malicious endpoint activity.- Minimal endpoint performance impact (<3%)02/05/2023Adaptive Defense 28
02/05/2023Adaptive Defense 29
New malware detection capability* Traditional Antivirus (25)
Standard Model Extended ModelNew malware blocked during the first 24 hours 82% 98,8% 100%New malware blocked during the first 7 days 93% 100% 100%New malware blocked during the first 3 months 98% 100% 100%% detections by Adaptive Defense detected by no other antivirus 3,30%Suspicious detections YES NO (no uncertainty)
File Classification Universal Agent**
Files classified automatically 60,25% 99,56%Classification certainty level 99,928% 99,9991%
< 1 error / 100.000 files
* Viruses, Trojans, spyware and ransomware received in our Collective Intelligence platform. Hacking tools, PUPS and cookies were not included in this study.
Adaptive Defense vs Traditional Antivirus
** Universal Agent technology is included as endpoint protection in all Panda Security solutions
02/05/2023Adaptive Defense 30
Adaptive Defense vs Other Approaches
AV vendors WL vendors* New ATD vendors**
Detection gapDo not classify all applications Management of WLs required Not all infection vectors covered
(i.e. USB drives)
No transparent to end-users and admin (false positives, quarantine administration,… ) Complex deployments required Monitoring sandboxes is not as effective as
monitoring real environments
Expensive work overhead involved ATD vendors do not prevent/block attacks
* WL=Whitelisting. Bit9, Lumension, etc ** ATD= Advanced Threat Defense. FireEye, Palo Alto, Sourcefire, etc
02/05/2023Adaptive Defense 31
How does Adaptive Defense work?
A brand-new three phased cloud-based security model
02/05/2023Adaptive Defense 32
1st Phase: Comprehensive monitoring of all
the actions triggered by programs on endpoints
2nd Phase: Analysis and correlation of
all actions monitored on customers' systems thanks to Data Mining and Big Data
Analytics techniques
3rd Phase: Endpoint hardening &
enforcement: Blocking of all suspicious or dangerous
processes, with notifications to alert network administrators
02/05/2023Adaptive Defense 33
Panda Adaptive Defense Architecture
02/05/2023Adaptive Defense 34
Success Story
Adaptive Defense in figures
+1,2 billion applications already categorized
+100 deployments. Malware detected in 100% of scenarios
+100,000 endpoints and servers protected
+200,000 security breaches mitigated in the past year
+230,000 hours of IT resources saved estimated cost reduction of 14,2M€
Lest’s see an example…
02/05/2023Adaptive Defense 35
02/05/2023Adaptive Defense 36
Scenario Description
Concept Value
PoC length 60 days
Machines currently monitored +/- 690
Machines with malware 73
Machines with malware executed 15
Machines with PUP found 91
Executed PUP files 13
Executed files classified 27.942
Concept Value
Malware blocked 160
PUP blocked 623
TOTAL threats mitigated 783
02/05/2023Adaptive Defense 37
Software vendor distribution over 100% of executable files
02/05/2023Adaptive Defense 38
Skillbrains Igor Pavilov
02/05/2023Adaptive Defense 39
Sandboxie Holdings LLC
Eolsoft
02/05/2023Adaptive Defense 40
Opera SoftwareDropbox Inc.
02/05/2023Adaptive Defense 41
Vulnerable applicationsVulnerable applications activity:
- … - (22 vulnerable applications in ALL seats = 2074)
Vulnerable applications inventory:- Excel v14.0.7 - v15.0 (279)
- Firefox v34.0 - v36 (178)
- Java v6 – v7 (80)
02/05/2023Adaptive Defense 42
Top Malware
02/05/2023Adaptive Defense 43
Top Malware
02/05/2023Adaptive Defense 44
PUP (Spigot)
02/05/2023Adaptive Defense 45
Potentially confidential information extraction
02/05/2023Adaptive Defense 46
+
Thank you
Top Related