BEST PRACTICE: DEFINING A MULTI-LAYER THREAT PREVENTION STRATEGY

Transcription

1 WE ARE CHECK POINT WE SECURE THE FUTURE BEST PRACTICE: DEFINING A MULTI-LAYER THREAT PREVENTION STRATEGY Summersecurity 2015 Frank Suijten Security Engineer 2015 Check Point Software Technologies Ltd. 1

2 THE CYBER WAR IS RAGING ON 2015 Check Point Software Technologies Ltd.

3 The Victims: ALL OF US 74% E X P E R I E N C E D A T L E A S T O N E M A L W A R E I N C I D E N T 47% E X P E R I E N C E D S E C U R I T Y B R E A C H E S F R O M A C O M P R O M I S E D M O B I L E D E V I C E PWC Global State of Information Security Survey 2014 n=9700 ESG - The State of Mobile Computing Security n Check Point Software Technologies Ltd. 3

4 30% MORE WEB-BASED ATTACKS ATTACKS ARE CONSTANTLY EVOLVING INCREASE OF CYBER THREATS OVER THE PREVIOUS YEAR 42% MORE TARGETED CYBER ATTACKS 58% MORE MOBILE MALWARE FAMILIES 125% MORE SOCIAL MEDIA PHISHING SITES 2015 Check Point Software Technologies Ltd. 4

5 What Can We Do? 2015 Check Point Software Technologies Ltd. 5

6 Best Practice Education! CONFIGURATION MONITORING INCIDENT RESPONSE 2015 Check Point Software Technologies Ltd. 6

7 Check Point Threat Prevention Solution Anti-Bot IPS Threat Emulation Anti-Virus 2015 Check Point Software Technologies Ltd. 7

8 BUT FIRST: SEGMENTATION! Protect against unauthorized access Contain infections in network segments 2015 Check Point Software Technologies Ltd. 8

9 Why Segmentation The assumption of a trusted internal network is no longer a safe bet Enables compartmentalization and enhances resiliency during an attack 2015 Check Point Software Technologies Ltd. 9

10 Check Point Threat Prevention Solution Anti-Bot IPS Stop exploits of known vulnerabilities Threat Emulation Anti-Virus 2015 Check Point Software Technologies Ltd. 10

11 Check Point IPS Prevents Exploits of Known Vulnerabilities Signature based Engine Enforce Protocol Specifications Detect Protocol Anomalies 2015 Check Point Software Technologies Ltd. 11

12 Examples of 2014 vulnerabilities blocked by Check Point IPS Heartbleed Validated requested heart beat length Shellshock Analyzed and blocked http get requests Poodle Validated and blocked vulnerable Open SSL version 2015 Check Point Software Technologies Ltd. 12

13 Check Point Software Technologies Ltd. 13

14 Check Point Threat Prevention Solution Anti-Bot IPS Threat Emulation Anti-Virus Block download of malware-infested files and access to malicious web sites 2015 Check Point Software Technologies Ltd. 14

15 Check Point Anti-Virus Blocks Download of Known Malware Signatures and MD5 based Engines Malware Feeds Blocks Access to Malware Sites 2015 Check Point Software Technologies Ltd. 15

16 Check Point Threat Prevention Solution Anti-Bot IPS Threat Emulation Prevent zero-day, undiscovered attacks Anti-Virus 2015 Check Point Software Technologies Ltd. 16

17 Check Point Threat Emulation Blocks Undiscovered Attacks INSPECT FILE EMULATE TURN TO KNOWN PREVENT 2015 Check Point Software Technologies Ltd. 17

18 Threat Emulation Features Protocols HTTP SMTP CIFS FTP (soon) File Types PDF Office Documents Exe Java Flash Archives Planned Features Web Emulation Links to Files Windows 8 and 64 bit images 2015 Check Point Software Technologies Ltd. 18

19 Check Point Threat Prevention Solution Anti-Bot Detect Bot-infections & prevent damage IPS Threat Emulation Anti-Virus 2015 Check Point Software Technologies Ltd. 19

20 Check Point Anti-Bot Blocks Bot Communication IDENTIFY Bot infected Devices Multi-tier Discovery Reputation Patterns SPAM PREVENT Bot Damage Stop Traffic to Remote Operators 2015 Check Point Software Technologies Ltd. 20

21 Meet John John is a security administrator. He works for a retail company 2015 Check Point Software Technologies Ltd. 21

22 ENABLED BLADES IPS ANTI VIRUS ANTI BOT 2015 Check Point Software Technologies Ltd. 22

23 John starts his mornings with coffee and 2015 Check Point Software Technologies Ltd. 23

24 Robert s PC is infected with Zeus monitoring threat prevention events 2015 Check Point Software Technologies Ltd. 24

25 OMG!!! The point of sale device is infected!!! Critical Severity Prevented Do Bot we have Event business in Italy? Unusual hour How should I respond to this incident? 2015 Check Point Software Technologies Ltd. 25

26 Let s validate IP reputation on Virus Total 2015 Check Point Software Technologies Ltd. 26

27 Advanced Threat Prevention Forensics The Host is infected now what? NEW Questions: How was the host infected? What got compromised? Which files/domains/processes were part of the attack? Which other machines are also compromised? 2015 Check Point Software Technologies Ltd. 27

28 Malicious site: Wed 17-Jun :35:02 (Malicious URL) 2 Suspicious User Activity Remote Login at unusual time (5:37AM) User (Jasmin) started a malicious process CustomerFeedbacks.doc (Suspicious file) 2015 Check Point Software Technologies Ltd. 28

29 $^####^#%&^ Another infected host?!?!?! 2015 Check Point Software Technologies Ltd. 29

30 What s the Story behind this infection? NEW Jasmine received an with a link Jasmine browsed to the link Bot was detected on Jasmine s desktop 2015 Check Point Software Technologies Ltd. 30

31 Internet CARD SWIPING DEVICES POS TERMINALS REST OF THE ORGANIZATION 2015 Check Point Software Technologies Ltd. 31

32 SMARTEVENT STORY LINE Jasmine receives an with a link in it from the known sender Jasmine follows the link in the and opens a malicious pdf Her computer is infected with a bot. The bot connects to C&C Links inside URL reputation Anti-Bot ENDPOINT FORENSICS The bot tries to send credit card numbers to its C&C Bot records credit cards numbers at the point of sale The bot scans internal network and infects the point of sale device via CIFS Anti-Bot 2015 Check Point Software Technologies Ltd. 32

33 What did we learn? CARD SWIPING DEVICES POS TERMINALS REST OF THE ORGANIZATION Segmentation is important 2015 Check Point Software Technologies Ltd. 33

34 Back to malicious Check Point Software Technologies Ltd. 34

35 Let s check if the document is known to Virus Total?!?!? $#$^%$^ The file is clean according to Virus Total 2015 Check Point Software Technologies Ltd. 35

36 Let s emulate the document on Check Point cloud 2015 Check Point Software Technologies Ltd. 36

37 Current defenses are not strong enough BLOCK THREATS IPS ANTI VIRUS ANTI BOT THREAT EMULATION 2015 Check Point Software Technologies Ltd. 37

38 Attack Shellcode tests if it runs inside of the targeted organization and only hen runs the malware Evasion technique is used 2015 Check Point Software Technologies Ltd. 38

39 CPU Level Threat Emulation V U L N E R A B I L I T Y Trigger an attack through unpatched software or zero-day vulnerability E X P L O I T S H E L L C O D E Bypass the CPU and OS security controls using exploitation methods Activate an embedded payload to retrieve the malware M A L W A R E Run malicious code 2015 Check Point Software Technologies Ltd. 39

40 Attack Infection Flow V U L N E R A B I L I T Y Thousands E X P L O I T S H E L L C O D E M A L W A R E HANDFUL DETECT THE ATTACK BEFORE IT BEGINS Identify the Exploit itself instead of looking for the evasive malware Millions 2015 Check Point Software Technologies Ltd. 40

41 I m afraid there are too many blades enabled. It will affect performance Let me explain you the architecture 2015 Check Point Software Technologies Ltd. 41

42 Engine flow AB IPS AV Signatures Engine AB AV DNS Reputation using cloud or local cache AB AV URL Reputation using cloud or local cache AV TE MD5 using cloud or local cache and files emulation on cloud or on TE appliance DNS Host Context URL context from HTTP request File Context Other Contexts (CIFS, HTTP body, FTP, etc) PROTOCOL PARSING TCP STREAMING AB AV SYN Packet IP Reputation 2015 Check Point Software Technologies Ltd. 42

43 What s up, man? We have an infected host, and I m waiting for my boss to approve enabling Threat Emulation. There are additional users that start getting same with the malicious link Meanwhile, block it with the custom Indicator or with IPS SNORT rule 2015 Check Point Software Technologies Ltd. 43

44 Check Point Software Technologies Ltd. 44

45 Use indicator to block malicious URL 2015 Check Point Software Technologies Ltd. 45

46 SNORT signature blocking specific Threat Prevention policy granularity attachment 2015 Check Point Software Technologies Ltd. 46

47 I need to install new IPS policy We need to review firewall policy changes first SNORT signature blocking specific Back attachment in R7x days 2015 Check Point Software Technologies Ltd. 47

48 IPS is part of Threat Prevention policy now 2015 Check Point Software Technologies Ltd. 48

49 And it takes only 15 seconds to install new IPS policy now 2015 Check Point Software Technologies Ltd. 49

50 Thanks, Man! It works! BTW, we have IntelliStore enabled, and we get relevant feeds automatically Check Point Software Technologies Ltd. 50

51 Introducing The first Cyber Intelligence Marketplace to proactively fight threats 2015 Check Point Software Technologies Ltd. 51

52 Choose and customize relevant intelligence feeds from industry s leading intelligence vendors 2015 Check Point Software Technologies Ltd. 52

53 Immediate subscription for intelligence feeds NO changes needed to policy and infrastructure For all of your security gateways 2015 Check Point Software Technologies Ltd. 53

54 Why do people open malicious documents? Because people do not know that these documents are malicious Why do they need to open these documents? Because people work with documents 2015 Check Point Software Technologies Ltd. 54

55 What if, instead of looking for malware, you could Eliminate all RISKS? IMMEDIATELY? 2015 Check Point Software Technologies Ltd. 55

56 CHECK POINT T H R E AT E X T R A C T I O N Reconstructing Documents Eliminates Threats PREVENTING 100% OF THREATS IN FILES 2015 Check Point Software Technologies Ltd. 56

57 How Does it Work? Reconstructed Document Original Document 100% Malware-Free Document CHECK POINT T H R E AT E X T R A C T I O N 2015 Check Point Software Technologies Ltd. 57

58 Always Maintain Access to Originals 2015 Check Point Software Technologies Ltd. 58

59 Threat Emulation and Threat Extraction 2015 Check Point Software Technologies Ltd. 59

60 What have we learned? CONFIGURATION MONITORING INCIDENT RESPONSE 2015 Check Point Software Technologies Ltd. 60

61 Are we safe now? TO BE CONTINUED 2015 Check Point Software Technologies Ltd. 61

62 THANK YOU! WE ARE CHECK POINT WE SECURE THE FUTURE 2015 Check Point Software Technologies Ltd. 62