Targeted attacks begin with spearphishing. Jasper Evertzen (jevertzen@proofpoint.com), Sales Director Benelux & Nordics; Charles Rami (crami@proofpoint.com), SE Manager France, Benelux & Nordics. threat protection | compliance | archiving & governance | secure communication
Proofpoint (NASDAQ: PFPT), Security-as-a-Service leader. What we do: protect the most sensitive data of the world's most successful companies. Comprehensive data protection portfolio; scalable Security-as-a-Service platform; advanced threat protection; key partners. Demonstrated success: 3 of the 5 largest US retailers, 5 of the 5 largest US banks, 3 of the 5 largest US defense contractors, 2 of the 5 largest global pharmaceutical companies. Select partners & customers. Accolades: Leaders Quadrant in the 2012, 2013 and 2014 Magic Quadrant for Secure Email Gateways & Enterprise Information Archive; Champions Quadrant & Innovation Award, 2012.
Leaders in Gartner's 2014 Magic Quadrant for Secure Email Gateways. Gartner, Inc. positions Proofpoint in the Leaders Quadrant of its 2014 Magic Quadrant for Secure Email Gateways: it clearly has the sharpest focus on email security issues, resulting again in one of the highest growth rates in this market. The last pure player in the email security gateway market (focused only on the email security gateway); in the top right of the Magic Quadrant for the last 6 editions. This slide is for Proofpoint INTERNAL use only.
Comprehensive Suite. Security-as-a-Service suite: full-lifecycle data protection. Big Data platform: advanced data processing, search, and analytics. Cloud infrastructure: innovative hybrid architecture with a global data center footprint. 2015 2014 Proofpoint, Inc.
Proofpoint Protection. Enterprise Protection: stop spam, viruses and other forms of malware. Targeted Attack Protection: identify and block advanced threats before they penetrate the enterprise. Threat Response: automate threat remediation; a single pane of glass for security operations; respond in minutes instead of hours.
Targeted attacks begin with a spear-phishing email, and it's not fiction!
The Industry Challenge: Breaches Keep Happening. [Graphic: breached organizations; all phish]
It also happens here!
French TV hacked
We Think Malware, Attackers Think Monetization: every PC is valuable to cybercriminals. Source: Brian Krebs, Value of a Hacked PC, krebsonsecurity.com
Some real examples #1 Banking customer Dridex malware
#1 Banking customer CryptoLocker
#1 Banking customer Dridex malware Malware campaigns
#1 Banking customer Dridex malware Malware not detected by AV
#1 Banking customer, Dridex malware: malware not detected by AV. [Chart: messages detected, TAP vs. a major AV vendor; y-axis 0 to 16,000 msgs; 379K msgs]
Some real examples #2: credential seeking. How it works: to target the defense company Academi, the attacker registered two typosquatted domain names: tolonevvs[dot]com (real news domain: tolonews.com, a news site about Afghanistan) and academl[dot]com (real company domain: academi.com). When the target opens the email in the preview pane of Microsoft Outlook Web Access and clicks the link to the typosquatted domain, a new tab opens and loads the original news site.
#2 Credentials seeking Fake Outlook Web Access login pages
#2 Credentials seeking: fake Outlook Web Access login pages. The typosquatted domain tolonevvs.com actually contained mildly obfuscated JavaScript. This JavaScript is not malicious in itself: it simply sets the location of the opener window (window.opener, the tab the link was clicked from) to a URL:
window.opener.location = hxxps://mail[dot]academl[dot]com/owa/auth/logon.aspx?replacecurrent=1&url=https%3a%2f%2fmail.academi.com%2fowa%2f&tids=lkdmfvlkd
#2 Credentials seeking Fake Outlook Web Access login pages
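The two tricks in this example are a lookalike domain (tolonevvs for tolonews, academl for academi) and a fake OWA logon page whose url= parameter points back at the genuine mail host. The following Node.js code is an added example, not code from the Proofpoint deck or from the attack: it folds confusable character groups so that lookalike spellings collide, falls back to edit distance for dropped or extra letters, and flags a logon URL whose serving host imitates a protected domain. The protected-domain list, the confusable table and the two-label rule for the registrable domain are assumptions made for the example.

```javascript
// Added example, not code from the Proofpoint deck: detect the lookalike
// domains described above and the OWA-style redirect that points back at the
// real domain. Every domain list here is constructed for illustration.

// Character groups that read alike at a glance: "vv" for "w", "l" for "i", etc.
const CONFUSABLES = [["vv", "w"], ["rn", "m"], ["cl", "d"], ["1", "l"], ["l", "i"], ["0", "o"]];

// Fold a label so that visually identical spellings collide
// ("tolonevvs" and "tolonews" both become "toionews").
function foldLookalikes(label) {
  let out = label.toLowerCase();
  for (const [from, to] of CONFUSABLES) out = out.split(from).join(to);
  return out;
}

// Edit distance, used to catch the dropped- or extra-letter style of typosquat.
function levenshtein(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = row[0];
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const above = row[j];
      row[j] = Math.min(above + 1, row[j - 1] + 1, diag + (a[i - 1] === b[j - 1] ? 0 : 1));
      diag = above;
    }
  }
  return row[b.length];
}

// Assumption for this example: the registrable domain is the last two labels
// (a production implementation would consult the Public Suffix List).
function registrableDomain(hostname) {
  return hostname.toLowerCase().split(".").slice(-2).join(".");
}

// Returns the protected domain that `hostname` imitates, or null when it is
// either a genuine protected domain or unrelated to all of them.
function findImpersonatedDomain(hostname, protectedDomains, maxDistance = 1) {
  const cand = registrableDomain(hostname);
  const protectedSet = protectedDomains.map(registrableDomain);
  if (protectedSet.includes(cand)) return null;
  const candLabel = cand.split(".")[0];
  for (const real of protectedSet) {
    const realLabel = real.split(".")[0];
    if (foldLookalikes(candLabel) === foldLookalikes(realLabel)) return real;
    if (levenshtein(candLabel, realLabel) <= maxDistance) return real;
  }
  return null;
}

// The lookalike OWA page on the slide carries a url= parameter naming the real
// mail host, so the serving host and the "return to" host disagree.
function checkLoginUrl(urlString, protectedDomains) {
  const u = new URL(urlString);
  const impersonates = findImpersonatedDomain(u.hostname, protectedDomains);
  let returnHost = null;
  const returnTo = u.searchParams.get("url");
  if (returnTo) {
    try { returnHost = new URL(returnTo).hostname; } catch (e) { returnHost = null; }
  }
  return { host: u.hostname, impersonates, returnHost, verdict: impersonates ? "credential-phish" : "ok" };
}

// Constructed sample input (the slide's de-fanged "hxxps" written as https here).
const PROTECTED = ["tolonews.com", "academi.com"];
const SAMPLE_LOGIN_URL = "https://mail.academl.com/owa/auth/logon.aspx?replacecurrent=1" +
  "&url=https%3a%2f%2fmail.academi.com%2fowa%2f&tids=lkdmfvlkd";

console.log(findImpersonatedDomain("tolonevvs.com", PROTECTED));  // tolonews.com
console.log(checkLoginUrl(SAMPLE_LOGIN_URL, PROTECTED));          // verdict: credential-phish
```

The edit-distance fallback is deliberately loose (distance 1 on short labels will match unrelated names), so in practice it belongs behind an allow-list of known partner domains. The opener trick itself is defeated on the web side by opening external links with rel="noopener", which leaves window.opener null in the new tab.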
#3 The human factor
#3 The human factor - Who Is Clicking? Executives aren't the problem
#3 The human factor - Where Do Users Click? On and off the network 1-in-5 clicks occur off the corporate network
#3 The human factor
#3 The human factor Louise Bergman is the Human Resources Manager at XXXX
Email-Borne Threat Landscape. Spear phishing: handcrafted, socially engineered, very low volume; targets anyone with access to sensitive data; preferred method for state actors. Longlining: high-volume, mass-customized phishing technique; high cost to remediate; opportunistic payloads. Watering hole: compromised trusted content sources; uses newsletters to drive traffic; seen across multiple verticals. Multi-variant: one campaign serving both spam & malware; TDS varies payload based on time, device, geography and other factors; hard to distinguish.
Email-Borne Threats: Exploit Techniques. URL-based: drive-by downloads (compromised sites, exploit kits, malware); credential-seeking (false sites, Google Doc forms, phone number scams). Attachment-based: .exes inside archives (.zip, .rar etc.); weaponized documents (PDF, Office); URLs pointing to zips.
The Cybercrime Attack Chain
The Cybercrime Attack Chain High-volume unsolicited email Credential phish High-volume to highly targeted
Legitimate Email, Compromised Sites Web marketing email to subscribers of a popular healthcare site Compromised site meant that legitimate emails carried malicious links
The Cybercrime Attack Chain Malicious scripts Malicious redirects Virtually infinite supply: domain and URL reputation cannot keep up
Legitimate Email, Compromised Sites Malicious JavaScript in compromised site pulls in Sutra TDS TDS directs to Sweet Orange exploit kit Drops signed Qbot malware
The Cybercrime Attack Chain Traffic Distribution System (TDS)
Multi-Variant Campaign: TDS in Action
The Cybercrime Attack Chain For-hire service Can include 0-days (Angler) Pre-exploit (heap-spray) Exploits chosen based on client apps and patch level Exploits obfuscated and tested for evasiveness
The Cybercrime Attack Chain: Delivery. Dropper downloads malware, or a single stage where the dropper is also the malware. Can also download other payloads in future. Makes file system and registry changes, browser hooking, etc.
How can we help you?
New Landscape, New Requirements. Traditional anti-spam: traditional reputation and signature systems; 99% effectiveness was good enough; black-box. Today's threats: mass customization and botnets increasingly bypass them; every message matters; real-time, end-to-end insight and rich policy are critical.
Proofpoint Email Security Suite BLOCK DETECT Known, Emerging Threats Proofpoint Enterprise Protection RESPOND Targeted, Previously Unknown Threats Proofpoint Targeted Attack Protection
Known / Emerging Threats: Proofpoint Enterprise Protection. Blocks today's advanced campaigns: effectively blocks known threats; predictively blocks new, emerging threats. Enables unmatched visibility and control: powerful threat classification, rich policy, real-time analysis. Provides robust delivery and administration functionality: flexible deployment, scalable performance, powerful routing, flexible global administration.
Blocks Today's Advanced Campaigns (BLOCK). Effectively block known threats: industry-leading visibility & analysis; real-time IP and URL reputation; content & attachment signatures. Predictively block new, emerging threats: predictive URL sandboxing; IP-velocity and volume tracking; zero-hour attachment blocking; automated campaign identification; predictive content analysis.
Proofpoint Enterprise Protection: Unmatched Visibility and Control. Powerful threat classification: Phish, Malware, Spam, Adult, Bulk, Suspect. Rich policy: flexible options (discard, delay, quarantine); separate, configurable quarantines. Real-time analysis: SmartSearch enables rapid message tracing and tracking.
Proofpoint Enterprise Protection: Robust Delivery & Administration. Flexible deployment, scalable performance: cloud, appliances, virtual machines, hybrid; proven ability to scale rapidly from thousands to hundreds of thousands of users. Powerful routing: built on top of the commercial version of Sendmail, the world's most widely used MTA. Flexible, global administration: granular and delegated administration for complex global organizations.
Even the Best Protection Has Limits. Hand-crafted spear-phish: low volume; legitimate IPs and sender addresses. Legitimate email: watering hole or malvertising on a compromised legitimate website; leverages the site's existing routine newsletters. Nothing to detect at delivery: malware not mounted at time of delivery; TDS and obfuscated redirects mask bad IPs; no attachments, only URLs with morphing results. And some fraction of the time, systems will just miss one.
Unknown Threats: Targeted Attack Protection Detects today s advanced threats even after delivery Polymorphic & zero-day malware in attachments and URLs Credential phishing Protects on click, even while mobile or remote Click-time defense: validation of URLs when you click Follow-me protection: for users on and off the corporate network Provides end-to-end, real-time, per-user insight User targets, methods and potential exposure
Detects Today's Advanced Threats (DETECT). Polymorphic & zero-day: advanced, cloud-based dynamic and sandbox analysis; full attack-chain detection (compromised site, TDS, pre-exploit, exploit, malicious payload). URLs and attachments: URLs, URL campaigns, malicious ads; weaponized documents (PDF, Office, Flash etc.); malware and credential-seeking. Rich forensics and IoCs; screenshots.
Protects on Click, Even Mobile or Remote Click-time Defense Protects users post delivery Provides end-to-end visibility Follow-me Protection works anywhere Works on any device any location: mobile, home use, hotels, airports Nothing installed on the client Respects Existing Security Layers Leverages industry-standard http redirection; does not proxy, so requests still pass through existing security layers
End-to-End Insight (RESPOND). Who is being targeted: user-level insight into who is being targeted with what campaigns; insight into targeted vs. broad-based attacks. Who is at risk, from what: who's clicking, when, and what they're clicking on; detailed forensics. In real time and back in time: continual rescoring of history; real-time alerts; real-time aggregation and summarization.
Proofpoint Targeted Attack Protection: URL Defense. [Architecture diagram; components: Proofpoint URL Analysis, Proofpoint big data analysis, sandboxing (Proofpoint Malware Service), external MTA, end users]
Proofpoint Targeted Attack Protection: Attachment Defense. [Flow diagram: external MTA -> Proofpoint Attachment Defense API. The attachment's SHA256 hash is sent to the cloud for a reputation lookup: GOOD -> deliver to end users; BAD -> admin quarantine; UNKNOWN -> if dynamic content (e.g. PDF) is present, initiate a dynamic scan in Proofpoint Sandboxing while the message waits in the AD queue / hidden quarantine; post-scan GOOD -> deliver, BAD -> quarantine]
Example of a rewritten link as the user sees it on hover: https://urldefense.proofpoint.com/v1/url?u=http://onesourceprocess.com/ab3bp5r/index.html&s=abeb44ac1/&k=cpgdz%... (Click to follow link)
When and whether you're being attacked; when and whether you've been compromised; by what.
Who s at risk, when
What they re at risk from
Summary: Proofpoint Protection. BLOCK: predictively block more attacks. DETECT: quickly detect targeted, polymorphic and zero-day attacks. RESPOND: full visibility into targets, methods and exposure.
TAP: Who clicked a bad link? TAP: What now? Email: joe@myco.com; Sender IP: 10.10.10.253; Clicked URL: http://waterhole.me?xy
TAP + Threat Response. Threat Response adds: username, infection history, group, local information, local IP, malicious file check, IP/domain reputation, geo-location, CNC server checks. Actions: assign incidents, put user in penalty box, update firewalls, update proxies, document responses. Enrichment sources: AD, IP reputation, geolocation, WhoIS, VirusTotal.
User context: Email: joe@myco.com; AD User: Josephsmith; User Group: Finance; User Phone: 650-555-1234; System IP: 56.188.13.218; Sender IP: 10.10.10.253; Clicked URL: http://waterhole.me
Additional incident context: Sender IP: known bad actor; Known malware?: Trojan.Turla.A; New domain?: Yes; Domain reputation?: Neutral; CNC list?: Y; Country?: N. Korea
IOC verification (threat verified): network connections: Yes; registry changes: Yes; file changes: Yes; mutexes: Yes
Exchange Threat Scanner https://www.proofpoint.com/us/id/scanner Free Tool, Easy To Run Actionable Report
Audit or Proof of Concept Deploy Proofpoint behind your current solution Can be deployed to remain passive within mail flow Quickly determine your current risk exposure and effectiveness Results within weeks
How Can You Defend Your Organization? Continue to emphasize the importance of email security and social media security. Deploy defenses that use multiple, contextual, big-data and threat-intelligence-based detection techniques. Ensure layered security that incorporates automated threat response systems and content control systems as well as next-generation detection... because someone will always click, and it only takes one.