Targeted attacks begin with spearphishing

Transcription

1 Targeted attacks begin with spearphishing Jasper Evertzen Sales Director Benelux & Nordics Charles Rami SE Manager France Benelux& Nordics threat protection compliance archiving & governance secure communication

2 Proofpoint (NASDAQ: PFPT) Security-as-Service Leader What We Do Protect the Most Sensitive Data of the World s Most Successful Companies Comprehensive Data Protection Portfolio Scalable Security-as-a- Service platform Advanced Threat Protection Key Partners Demonstrated Success 3 of the 5 largest US Retailers 5 of the 5 largest US Banks 3 of the 5 largest US Defense Contractors 2 of the 5 largest Global Pharmaceuticals Companies Select Partners & Customers Accolades Leaders Quadrant: Magic Quadrant for Secure Gateways & Enterprise Information Archive Champions Quadrant & Innovation Award, 2012

3 Leaders in Gartner s 2014 Magic Quadrant for Secure Gateways Gartner, Inc. positions Proofpoint in the Leaders Quadrant in its 2014 Magic Quadrant for Secure Gateways. It clearly has the sharpest focus on security issues, resulting again in one of the highest growth rates in this market. The last pure-player in security Gateway (focused only on security gateway) In the top right of the magic quadrant for the last 6 times This slide for Proofpoint INTERNAL use only.

4 Comprehensive Suite Security-as-a-Service Suite Full-life cycle data protection Big Data Platform Advanced data processing, search, and analytics Cloud Infrastructure Innovative hybrid architecture with global data center footprint Proofpoint, Inc.

5 Proofpoint Protection Proofpoint, Inc. Enterprise Protection Stop SPAM, viruses and other forms of malware Targeted Attack Protection Identify and block advanced threats from penetrating the enterprise Threat Response Automate threat remediation Single pane of glass for security operations Respond in minutes instead of hours

6 Targeted attacks begin with a spear-phishing & it s not a fiction! threat protection compliance archiving & governance secure communication

7 The Industry Challenge Breaches Keep Happening ALL PHISH Proofpoint, Inc.

8 It s also happen here!

9 French TV hacked

10 We Think Malware Attackers Think Monetization EveryPC is valuable to cybercriminals Source: Brian Krebs, Value of a Hacked PC, krebsonsecurity.com

11 Some real examples #1 Banking customer Dridex malware

12 #1 Banking customer CryptoLocker

13 #1 Banking customer Dridex malware Malware campaigns

14 #1 Banking customer Dridex malware Malware not detected by AV

15 #1 Banking customer Dridex malware Malware not detected by AV TAP Msgs Major AV Vendor 379K Msgs

16 Some real examples #2 Credentials seeking How it works To target defense company Academi, the attacker registered two typosquatted domain names: tolonevvs[dot]com (real news domain: tolonews.com (news site about Afghanistan)) academl[dot]com (real company domain: academi.com) When the target opens the through the preview pane of Microsoft Outlook Web Access and clicks on the typosquatted domain, a new tab will be opened which loads the original news site.

17 #2 Credentials seeking Fake Outlook Web Access login pages

18 #2 Credentials seeking Fake Outlook Web Access login pages The typosquatteddomain tolonevvs.comactually contained a mildly obfuscated JavaScript code: This JavaScript is not malicious because it simply sets the windows open property to point to a URL: window.opener.location= hxxps://mail[dot] academl[dot]com/owa/auth/logon.aspx?replacecurrent=1&url=https%3a%2f%2f mail.academi.com%2fowa%2f&tids=lkdmfvlkd

19 #2 Credentials seeking Fake Outlook Web Access login pages

20 #3 The human factor

21 #3 The human factor - Who Is Clicking? Executives aren t the problem

22 #3 The human factor - Where Do Users Click? On and off the network 1-in-5 clicks occur off the corporate network

23 #3 The human factor

24 #3 The human factor Louise Bergman is the Human Resources Manager at XXXX

25 Borne Threat Landscape Spear Phishing Handcrafted, social engineered, very low volume Target anyone with access to sensitive data Preferred method for state actors Longlining High volume, mass customized phishing technique High-cost to remediate Opportunistic payloads Watering Hole Compromised trusted content sources Use newsletters to drive traffic Seen across multiple verticals Multi-Variant One campaign serving both spam & malware TDS varies payload based on time, device, geography, other factors Hard to distinguish

26 -Borne Threats: Exploit Techniques URL-Based Drive-by Downloads: Compromised sites, exploit kits, malware Credential-seeking: false sites, Google Doc forms, phone number scams Attachment-Based.exes inside archives (.zips, rar etc.) Weaponized Documents (PDF, Office).URLs pointing to zips

27 The Cybercrime Attack Chain

28 The Cybercrime Attack Chain High-volume unsolicited Credential phish High-volume to highly targeted

29 Legitimate , Compromised Sites Web marketing to subscribers of a popular healthcare site Compromised site meant that legitimate s carried malicious links

30 The Cybercrime Attack Chain Malicious scripts Malicious redirects Virtually infinite supply: domain and URL reputation cannot keep up

31 Legitimate , Compromised Sites Malicious JavaScript in compromised site pulls in Sutra TDS TDS directs to Sweet Orange exploit kit Drops signed Qbot malware

32 The Cybercrime Attack Chain Traffic Distribution System (TDS)

33 Multi-Variant Campaign: TDS in Action

34 The Cybercrime Attack Chain For-hire service Can include 0-days (Angler) Pre-exploit (heap-spray) Exploits chosen based on client apps and patch level Exploits obfuscated and tested for evasiveness

35 The Cybercrime Attack Chain Delivery: Dropper downloads malware Or can have a single-stage where dropper is also malware Can also download other payloads in future Makes file system and registry changes, browser hooking, etc

36 How can we help you? threat protection compliance archiving & governance secure communication

37 New Landscape New Requirements TRADITIONAL ANTI-SPAM Traditional Reputation and Signature Systems 99% effectiveness good enough TODAY S THREATS Mass customization and botnets increasingly by-pass Every message matters Black-box Real-time, end-to-end insight and rich policy are critical

38 Proofpoint Security Suite BLOCK DETECT Known, Emerging Threats Proofpoint Enterprise Protection RESPOND Targeted, Previously Unknown Threats Proofpoint Targeted Attack Protection

39 Known / Emerging Threats: Proofpoint Enterprise Protection Blocks today s advanced campaigns Effectively blocks known threats Predictively blocks new, emerging threats Enables unmatched visibility and control Powerful threat classification Rich policy Real-time analysis Provides robust delivery and administration functionality Flexible deployment, scalable performance Powerful routing Flexible, global administration

40 Blocks Today s Advanced Campaigns Effectively block known threats Industry leading visibility & analysis Real-time IP, URL reputation Content & attachment signatures Predictively block new, emerging threats Predictive URL sandboxing IP-velocity and volume tracking Zero-hour attachment blocking Automated campaign identification Predictive content analysis BLOCK

41 Proofpoint Enterprise Protection Unmatched Visibility and Control Powerful threat classification Phish, Malware, Spam, Adult, Bulk, Suspect Rich policy Flexible options, discard, delay, quarantine Separate, configurable quarantines Real-time analysis SmartSearch enable rapid message tracing and tracking

42 Proofpoint Enterprise Protection Robust Delivery & Administration Flexible deployment, scalable performance Cloud, Appliances, Virtual Machines, Hybrid proven ability to scale rapidly from thousands to hundreds of thousands of users Powerful routing Built on top of the commercial version of Sendmail, the world s most widely used MTA Flexible, global administration Granular and delegated administration for complex global organizations

43 Even the Best Protection Has Limits Hand-crafted spear-phish Low Volume Legit IPs and sender addresses Legitimate Watering Hole or Malvertising compromised legit website Leverages existing routine newsletters from the site Nothing to Detect at Delivery Malware not mounted at time of delivery TDS system and obfuscated redirects mask bad IPs No attachments, only URLs with morphing results and some fraction of the time systems will just miss one.

44 Unknown Threats: Targeted Attack Protection Detects today s advanced threats even after delivery Polymorphic & zero-day malware in attachments and URLs Credential phishing Protects on click, even while mobile or remote Click-time defense: validation of URLs when you click Follow-me protection: for users on and off the corporate network Provides end-to-end, real-time, per-user insight User targets, methods and potential exposure

45 Detects Today s Advanced Threats Polymorphic & Zero-Day Advanced, cloud-based dynamic and sandbox analysis Full-attack chain detection: compromised site, TDS, pre-exploit, exploit, malicious payload DETECT URLs and Attachments URLs, URL campaigns, Malicious Ads Weaponized documents (PDF, Office, flash etc.) Malware and Credential-Seeking Rich forensics and IoCs Screen-shots

46 Protects on Click, Even Mobile or Remote Click-time Defense Protects users post delivery Provides end-to-end visibility Follow-me Protection works anywhere Works on any device any location: mobile, home use, hotels, airports Nothing installed on the client Respects Existing Security Layers Leverages industry-standard http redirection; does not proxy, so requests still pass through existing security layers

47 End-to-End Insight Who is being targeted User level insight into who is being targeted with what campaigns Insight into targeted vs. broad-based attacks Who is at risk, from what Who s clicking, when, what they re clicking on Detailed forensics RESPOND In Real-time, back-in-time Continual rescoring of history Real-time alerts Real-time aggregation and summarization

48 Proofpoint Targeted Attack Protection URL Defense Proofpoint URL Analysis Proofpoint BIG DATA ANALYSIS Sandboxing Proofpoint Malware Service External MTA End Users

49 Proofpoint Targeted Attack Protection Attachment Defense SHA256 Hash Sent to Cloud Reputation? Post Scan? UNKNOWN GOOD BAD? PDF No Present? Dynamic GOOD? Content Present GOOD BAD Initiate Deliver Unknown Dynamic Content Scan Proofpoint Attachment Defense API Proofpoint Sandboxing External MTA End Users Admin Quarantine AD Queue Hidden Quarantine

50

51 /onesourceprocess.com/ab3bp5r/index.html&s=ab eb44ac1/&k=cpgdz%... Click to follow link

52 When & Whether you re being attacked When & Whether you ve been compromised By What

53 Who s at risk, when

54 What they re at risk from

55

56

57 Summary: Proofpoint Protection BLOCK DETECT Predictively Block more attacks Quickly detect targeted, polymorphic and zero-day attacks RESPOND Full visibility into targets, methods and exposure

58 TAP Who clicked a bad link? TAP What now? Sender IP: Clicked URL: [email protected]

59 TAP+Threat Response Add: Username Infection history Group Local information Local IP Malicious file check IP/Domain Reputation Geo-location CNC server checks Assign incidents Put user in Penalty box Update Firewalls Update Proxies Document responses Update Threat Response AD IP reputation Geolocation WhoIS Virus Total IOC Verification Threat Verified Network connections: Registry Changes: File changes: Mutexes: Yes Yes Yes Yes AD User: User Group: User Phone: System IP: Sender IP: Clicked URL: User Context Josephsmith Finance Additional Incident Context Sender IP: Known Malware?: New Domain? Domain Reputation? CNC List? Country? Known bad actor Trojan.Turla.A Yes Neutral Y N. Korea

60 Exchange Threat Scanner Free Tool, Easy To Run Actionable Report

61 Audit or Proof of Concept Deploy Proofpoint behind your current solution Can be deployed to remain passive within mail flow Quickly determine your current risk exposure and effectiveness Results within weeks

62 How Can You Defend Your Organization? Continue to emphasize the importance of security and social media security Deploy defenses that use multiple, contextual big data and threat intelligence-based detection techniques Ensure layered security that incorporates automated threat response systems content control systems as well as next-generation detection... because someone will always click and it only takes one.

63 & threat protection compliance archiving & governance secure communication