CHECK POINT NEXT GENERATION ZERO-DAY PROTECTION

Transcription

1 CHECK POINT NEXT GENERATION ZERO-DAY PROTECTION Thinking Out of the Sandbox Luc Straeten Global Account Manager 2015 Check Point Software Technologies Ltd.

2 2015 Check Point Software Technologies Ltd. Check Point Zero- Day Attacks

3 An Ever-Changing Threat Landscape Every year threats are becoming MORE SOPHISTICATED and MORE FREQUENT 100,000+ malware variants daily ,300 known viruses ,000 known viruses VIRUSES AND WORMS 2004 ADWARE AND SPYWARE 2007 DDOS APTS 2010 RANSOMWARE HACTIVISM STATE SPONSORED INDUSTRIAL ESPIONAGE NEXT GEN APTS (MASS APT TOOLS) UTILIZING WEB INFRASTRUCTURES (DWS)

4 Networks need protection against ALL types of threats

5 New Threat Prevention Technologies PRE-INFECTION POST INFECTION MULTIPLE LAYERS OF PREVENTION AGAINST KNOWN, UNKNOWN AND ZERO-DAY THREATS

6 Pre-Infection Known Malware

7 Building Blocks of Advanced Threat Prevention IPS (pre) Stops exploits of known vulnerabilities Antivirus (pre) Block download of known malware infested files

8 Post Infection Known Malware

9 Building Blocks of Advanced Threat Prevention IPS (pre) Stops exploits of known vulnerabilities Antivirus (pre) Block download of known malware infested files Anti-Bot (post) Detect and prevent bot damage

10 Pre-Infection Unknown Malware

11 Antivirus is DEAD Modern antivirus software only stops ~45% of attacks on computers Source:

12 Cat and Mouse: Known Unknown Attackers evade signature based detection by obfuscating the attacks and creating attack variants

13 Your Team Can t Keep Up 106 New forms of malware hit a company per-hour Source: Check Point Security Report 2015

14 Building Blocks of Advanced Threat Prevention IPS (pre) Stops exploits of known vulnerabilities Antivirus (pre) Block download of known malware infested files Anti-Bot (post) Detect and prevent bot damage Threat Emulation and Extraction (pre) Stop zero-day and unknown malware in files

15 WOULD YOU OPEN THIS ATTACHMENT?

16 First Generation Zero-Day Protection OS-LEVEL THREAT EMULATION 2015 Check Point Software Technologies Ltd.

17 What is Threat Emulation or Sandboxing? A safe environment to evaluate suspicious files

18 Check Point Threat Emulation STOPS Unknown Attacks INSPECT FILE EMULATE TURN TO KNOWN PREVENT

19 1 Inspect files in Mail & Web No infrastructure changes No additional devices 2 Send files to virtual sandbox INSPECT EXE files, PDF, Java, Flash and Office documents

20 Windows XP, 7, 8, customer images EMULATE RUN files & identify abnormal behavior 3 - file system - registry - connections - processes

21 PREVENT Security Gateway Inline BLOCKING of malicious files on the gateway 4 Prevention-based approach (vs. detection only)

22 5 Automatic Signature Creation for ThreatCloud Turn the Unknown into KNOWN Collaborative protection through ThreatCloud

23 Test Results for Catching Unknown Malware with OS-Level Threat Emulation 99% Check Point: Industry s Best Catch Rate!

24 N E X T G E N E R AT I O N Z E R O - DAY P R OT E C T I O N NG Threat Emulation + Threat Extraction 2015 Check Point Software Technologies Ltd.

25 Known Unknown Back Again! Delays malware to operate after XX hours - Accelerating the clock won t work Malware to execute on shutdown/restart H A C K E R S Develop techniques to evade sandboxing / threat emulation products Malware to detect and not work on virtual environments Malware to look for human behavior to operate Evasion is code that comes together with the malware, but executes first

26 Attack Infection Flow V U L N E R A B I L I T Y Trigger an attack through unpatched software or zero-day vulnerability E X P L O I T S H E L L C O D E Bypass the CPU and OS security controls using exploitation methods Activate an embedded payload to retrieve the malware M A L W A R E Run malicious code

27 Attack Infection Flow V U L N E R A B I L I T Y Thousands E X P L O I T S H E L L C O D E EVASION CODE M A L W A R E HANDFUL DETECT THE ATTACK BEFORE IT BEGINS Identify the Exploit itself instead of looking for the evasive malware Millions

28 Why does an attack need to start with exploitation? What the OS does DEP (Data Execution Prevention - since XP SP2) The processor will only run code marked as executable What the attackers do Re-use pieces of legit executable code that are already loaded ROP Most popular exploitation technique Examine code known to be loaded when the exploit is activated Search for useful Gadgets: short pieces of code immediately followed by a flow control opcode Bypass DEP using Gadgets as code primitives

29 Building a ROP Gadgets Dictionary - To gain privileges to run the malware 77E3346A 77E3348A 77E334AA 77E334CA 77E334EA 77E3350A 77E3352A 77E3354A 77E3356A 77E3358A 77E335AA 77E335CA 77E335EA 77E3360A 77E3362A 77E3364A 77E3366A 77E3368A 77E336AA 77E336CA 77E336EA 77E3370A 77E3372A 77E3374A 77E3376A 77E3378A 77E337AA 77E337CA 77E337EA 77E3380A 77E3382A 77E3384A 77E3386A 77E3388A 77E338AA FF FF FF 50 E8 6F DE FF FF 85 F6 0F 85 0F B8 FF C D F 85 7B 7B FF FF 8B FF FF FF FF FF FE FF FF 55 8B EC 6A 00 FF FF FF 75 0C FF C0 40 5D C E8 D4 FF FF FF E9 20 DD FF FF FF A DE B EC 5D EB FF 25 5C 1D DE 77 8B FF 55 8B EC 5D EB ED B FF B FF 55 8B EC 5D EB B EC 5D EB FF 25 0C 1A DE 77 EA FC 85 C0 0F 85 7E C3 FF FF F D B 0F B 03 8D 8E 24 6B EA B FF 55 8B EC 64 A B B 4D C D EB FF DE B DE FF 25 1C 1B DE FF DE F F 84 3C D1 EE FE FF E8 D7 B B F0 57 FF 15 7C 8B FF 55 8B EC 56 8B C0 0F B7 0E 66 F9 2F 0F 84 AE 2F E D 8D 7E 83 F8 2F EB E8 8B C7 2B C6 D1 F8 83 F7 D8 1B C C B 55 0C 85 D2 74 0B B FF 55 8B EC 56 8B B F4 FD FF 83 C6 06 8B C6 5E 5D C B C6 0F 85 4A 3E FE FF F 85 B9 41 FE D E9 20 FF FF FF C A A0 38 E3 77 E8 FB B9 FF FF 8B D2 E8 31 BD FF FF 8B 40 2C 64 8B 0D DE D4 33 FF 3B C7 0F 84 0B C E B 35 B4 12 DE 77 FF D6 3B C7 0F E C 46 FE 5C C6 45 E B 7D E9 85 C0 0F 84 5C B C3 0F F A 5C C B 45 E0 E8 64 B9 FF FF C2 0C FF FF FE FF FF FF C1 38 FF 83 BD 64 FF FF FF 00 7C FF 74 0F 8B 45 FF FF FF E8 42 DB FF FF C E4 FF FF FF 42 D4 E D4 E B E8 0B FF FF FF 85 C0 0F 8C 7F 9F B FF 55 8B EC 5D E9 D4 F4 FF FF 8B FF 55 8B EC 5D EB ED B FF FF 25 A4 1C DE B EC 5D EB FF D DE FF D DE B FF A 00 FF B C3 FF FF 57 E C0 0F 77 8B C E9 4E C3 FF FF A 10 6A 00 FF FF DE C D C B FF 55 8B EC FF 25 3C 1B DE FF B FF 55 8B EC BF C0 62 EA FF FF DE C 0F 15 DE 77 5F 8B C6 5E 5D C C F9 5C 0F 84 B8 2F F B C F8 5C 74 0A 66 7D F 85 FA 14 FF FF E8 DF 0A B 4D C F 5E 5D C2 10 FF 15 DC 13 DE F FE FF 48 0F B FF 55 8B EC 8B 45 0C F6 57 FF 8B C0 5F 5E 5B 5D C F D D 0C 03 DB 33 C D0 B F B7 55 D B FF FF D E0 89 7D FC C6 45 E7 00 8D 45 D C F8 C B 75 D DC 0F B7 45 D0 D FF 15 B8 12 DE D8 8B C8 D1 00 8D 14 4F A FE 5C D B CB D1 E9 89 4D E0 C7 45 FC FE FF FF FF E A0 37 E3 77 FE FF FF FF C0 FF E A FF 75 D4 PFo à.à.+ â+d..à t.ïe -ë.ç}...à{{ ïàd FB -..ÉÉÉS B+swS+swÉÉÉÉÉï Uï8j. u. u. u. u.f. à+.î ƒ..3 +@]-..F+ T ÉÉÉÉÉï Uï8]T+( ÉÉÉÉÉ %.. wéééééï Uï8]dfÉÉÉÉÉï U ï8]d.ééééé %\. wééééé %ñ. wééééé ï Uï8]dfÉÉÉÉÉï Uï8]d.ÉÉÉÉÉ %H. w ÉÉÉÉÉï Uï8]d.ÉÉÉÉÉ %0. wéééééï U ï8]d.ééééé %.. wéé..wh...j. û(k OwëEnà+.à~+ 9..äv+ WF'...ë.à+. ä.}..ï.ë.ï.ìä$kowï.ëp.ë.tn+ ÉÉÉ ÉÉï Uï8dí...ï@0j.j. p.... wà+t.ïm.â.â`..â`..ëh.]-..éééééï Uï8 ]d.ééééé %Ç. wééééé %<. wééééé %.. wééééé %.. wéééééï Uï8VW++bOw W.x. w3 9u..ä<`.. u..t. wp9u.. ä-e F+..ï=W.. w_ï ^]-..ÉÉÉÉÉ Gadgets Dictionary ï Uï8Vïu.W3+.+.fà+tgfâ \.ä+/..fâ /.ä«/..fâ>.tmì~..+.fà+t.fâ \t.f â /t.ggdfï + - â}..pv.à. F @à+tvïu.à-t.ïm.à+t.ë2ë9_^]-. 1.ÉÉÉÉÉï Uï8Vïu.V._. wh.äw. H.à 2 +(² â.ï ^]-..ÉÉÉÉÉï Uï8ïE.SV3 W ;.àj> 39u..à A ïe.ë03+_^[]-..f 9.tùìw.T ÉÉ\./...ÉÉT.M.P...ÉÉ ÉÉÉj há8pwfv 4 ï].. 3+fëE-+...f ëe-f1+ ï@,dï...+u-rpïa0 p wëe+3 ;.ä...ë}aë}n Et.ìE-Ph ÿ8pwwï5. w 6 +;.î..ïu+ëu_.+e-- Ffâ F \t. Et.Wï}.WSV.+. wëe+ï+- Tà+.ä\...;+.âT...ì.Ofâz \t.ìh.;- 7.âT...j\Xfë.3+fëB.-TëMa En F ïEaFd -...á7pw pwééééédí... u+

30 CPU-Level Threat Emulation Detects the Exploitation Applications OS-Level Threat Emulation Operating System (Windows, MAC OS, etc.) CPU-Level Threat Emulation CPU Use the latest CPU-interfacing technologies Monitor CPU based instructions for exploits attempting to bypass OS Security Controls

31 CPU-Level Threat Emulation Highest accuracy Detection is outright, not based on heuristics or statistics Evasion-proof Detection occurs before any evasion code can be applied Efficient and fast CPU-level technology identifies the attack at its infancy OS Independent Detection occurs at the CPU level

32 Check Point Next Gen Threat Emulation OS-Level + CPU-Level FASTEST HIGHEST CATCH RATE ADVANCED DETECTION EVASION RESISTANT

33 THREAT EXTRACTION 2015 Check Point Software Technologies Ltd.

34 How can we further reduce the attack surface? ANTIVIRUS Catches known or old malware NG THREAT EMULATION Detects unknown or zero-day malware 100% P O S S I B L E S E C U R I T Y G A P

35 Addressing the possible Security Gap: Threat Extraction THREAT EXTRACTION Proactively REMOVE potential malicious objects from ALL incoming attachments Eliminates any remaining threats 100% of all incoming attachments go through Threat Extraction - whether malicious or not

36 How Does Threat Extraction Work? Security Gateway with Threat Extraction Software Blade RECONSTRUCTS DOCUMENTS Removes embedded objects, macros and Java Script Code, sensitive hyperlinks USER EXAMPLES HR with CV s Purchasing receiving quotes Data from untrusted websites

37 Threat Extraction Statistics Tested Thousands of Recently-Discovered Malicious Files Remove active content from the file (such as macros and embedded objects) Cleaned 93% of the files Average cleaning time: 0.3 seconds / document Convert file to PDF Cleaned 100% Average conversion time: 5 seconds

38 Configurable Content Removal For Original Format Documents Administrator Establishes Removal Policy: Macros or JavaScript Embedded Objects External Links Document Properties

39 Always Maintain Access to Originals

40 CPU level detection and Threat Extraction are not supported by any other sandbox solution

41 Check Point Offering Threat Extraction Zero malware documents delivered in zero seconds Threat Ex t r a c t i o n Visibility on attack attempts and inspection of original documents NG Threat E m u l a t i o n

42 DEPLOYMENT CHOICES 2015 Check Point Software Technologies Ltd.

43 CURRENT NEW NGTP IPS Anti Bot Anti Virus URL Filtering Application Control Anti Spam NGTX ThreatCloud Emulation Service Threat Extraction IPS Anti Bot Anti Virus URL Filtering Application Control Anti Spam TX NGTP Out of the box COMPLETE protection against advanced ZERO DAY threats

44 SUMMARY 2015 Check Point Software Technologies Ltd.

45 Next Gen Zero-Day Protection NG Threat Emulation Threat + Extraction TRY IT NOW! It s easy and free! BEST EVASION RESISTANT ZERO MALWARE FASTEST ADVANCED DETECTION ZERO SECOND DELIVERY STRONGEST HIGHEST CATCH RATE SAFE DOCUMENTS

46 Thank you 2015 Check Point Software Technologies Ltd.