Deep Discovery. Technical details



Similar documents
CryptoLocker la punta dell iceberg, impariamo a difenderci dagli attacchi mirati. Patrick Gada 18 March 2015 Senior Sales Engineer

The Hillstone and Trend Micro Joint Solution

How Attackers are Targeting Your Mobile Devices. Wade Williamson

How Lastline Has Better Breach Detection Capabilities. By David Strom December 2014

Comprehensive Advanced Threat Defense

Trend Micro Cloud App Security for Office 365. October 27, 2015 Trevor Richmond

Automating Linux Malware Analysis Using Limon Sandbox Monnappa K A monnappa22@gmail.com

EXTENDING NETWORK SECURITY: TAKING A THREAT CENTRIC APPROACH TO SECURITY

Cisco Advanced Malware Protection for Endpoints

Unified Security, ATP and more

Comprehensive Malware Detection with SecurityCenter Continuous View and Nessus. February 3, 2015 (Revision 4)

Check Point: Sandblast Zero-Day protection

egambit Forensic egambit, your defensive cyber-weapon system. You have the players. We have the game.

Palo Alto Networks. October 6

RSA Enterprise Compromise Assessment Tool (ECAT) Date: January 2014 Authors: Jon Oltsik, Senior Principal Analyst and Tony Palmer, Senior Lab Analyst

Stop the Maelstrom: Using Endpoint Sensor Data in a SIEM to Isolate Threats

Analyzing HTTP/HTTPS Traffic Logs

Next Generation Firewalls and Sandboxing

SourceFireNext-Generation IPS

WildFire. Preparing for Modern Network Attacks

Attacks from the Inside

Cisco Advanced Malware Protection for Endpoints

Networking for Caribbean Development

Storm Worm & Botnet Analysis

Symantec Enterprise Firewalls. From the Internet Thomas Jerry Scott

You ll learn about our roadmap across the Symantec and gateway security offerings.

Defending Behind The Device Mobile Application Risks

Unknown threats in Sweden. Study publication August 27, 2014

SECURITY REIMAGINED SPEAR PHISHING ATTACKS WHY THEY ARE SUCCESSFUL AND HOW TO STOP THEM. Why Automated Analysis Tools are not Created Equal

Integrated Approach to Network Security. Lee Klarich Senior Vice President, Product Management March 2013

What is Next Generation Endpoint Protection?

Getting Ahead of Malware

REVOLUTIONIZING ADVANCED THREAT PROTECTION

Integrating MSS, SEP and NGFW to catch targeted APTs

WHITE PAPER Cloud-Based, Automated Breach Detection. The Seculert Platform

Speed Up Incident Response with Actionable Forensic Analytics

5 Steps to Advanced Threat Protection

Post-Access Cyber Defense

24/7 Visibility into Advanced Malware on Networks and Endpoints

Breach Found. Did It Hurt?

Cloud Security Primer MALICIOUS NETWORK COMMUNICATIONS: WHAT ARE YOU OVERLOOKING?

Evolving Threat Landscape

KASPERSKY FRAUD PREVENTION FOR ENDPOINTS

Security Intelligence Services.

Agenda , Palo Alto Networks. Confidential and Proprietary.

AppGuard. Defeats Malware

GOOD GUYS VS BAD GUYS: USING BIG DATA TO COUNTERACT ADVANCED THREATS. Joe Goldberg. Splunk. Session ID: SPO-W09 Session Classification: Intermediate

Spear Phishing Attacks Why They are Successful and How to Stop Them

WEBTHREATS. Constantly Evolving Web Threats Require Revolutionary Security. Securing Your Web World

Real World Enterprise Security Exploit Prevention Test

What s Next for Network Security - Visibility is king! Gøran Tømte March 2013

INCREASINGLY, ORGANIZATIONS ARE ASKING WHAT CAN T GO TO THE CLOUD, RATHER THAN WHAT CAN. Albin Penič Technical Team Leader Eastern Europe

Cloud Services Prevent Zero-day and Targeted Attacks

Advanced Threats: The New World Order

This report is a detailed analysis of the dropper and the payload of the HIMAN malware.

Persistence Mechanisms as Indicators of Compromise

Cyber Security in Taiwan's Government Institutions: From APT To. Investigation Policies

LASTLINE WHITEPAPER. In-Depth Analysis of Malware

Securing Secure Browsers

Staying Secure After Microsoft Windows Server 2003 Reaches End of Life. Trevor Richmond, Sales Engineer Trend Micro

RSA Security Anatomy of an Attack Lessons learned

SECURITY ANALYTICS MOVES TO REAL-TIME PROTECTION

McAfee Network Security Platform

The Advanced Attack Challenge. Creating a Government Private Threat Intelligence Cloud

The Value of Physical Memory for Incident Response

User Documentation Web Traffic Security. University of Stavanger

10 Things Every Web Application Firewall Should Provide Share this ebook

Endpoint Security - HIPS. egambit, your defensive cyber-weapon system. You have the players. We have the game.

SANS Top 20 Critical Controls for Effective Cyber Defense

Cisco Advanced Malware Protection

Active Response: Automated Risk Reduction or Manual Action?

Fighting Advanced Persistent Threats (APT) with Open Source Tools

Fighting Advanced Threats

Memory Forensics & Security Analytics: Detecting Unknown Malware

One Minute in Cyber Security

Kaspersky Fraud Prevention: a Comprehensive Protection Solution for Online and Mobile Banking

ADVANCED THREATS IN THE ENTERPRISE. Finding an Evil in the Haystack with RSA ECAT. White Paper

DETECTING THE ENEMY INSIDE THE NETWORK. How Tough Is It to Deal with APTs?

Protecting the Infrastructure: Symantec Web Gateway

Proxies. Chapter 4. Network & Security Gildas Avoine

Host-based Intrusion Prevention on Windows and UNIX. Dr. Rich Murphey White Oak Labs

APPLICATION PROGRAMMING INTERFACE

Zscaler Cloud Web Gateway Test

Securing and Accelerating Databases In Minutes using GreenSQL

THE SCRIPTING THREAT GAINING POPULARITY

Application Whitelisting - Extend your Security Arsenal? Mike Baldi Cyber Security Architect Honeywell Process Solutions

Computer Security DD2395

IBM Advanced Threat Protection Solution

SECURITY REIMAGINED. FireEye Network Threat Prevention Platform. Threat Prevention Platform that Combats Web-based Cyber Attacks

Next Generation IPS and Reputation Services

JUNIPER NETWORKS SPOTLIGHT SECURE THREAT INTELLIGENCE PLATFORM

Detecting Threats Via Network Anomalies. Paul Martini Cofounder and CEO iboss Cybersecurity

Transcription:

Deep Discovery Technical details

Deep Discovery Technologies DETECT Entry point Lateral Movement Exfiltration 360 Approach Network Monitoring Content Inspection Document Emulation Payload Download Behavior Tracing Exploit Detection Network Content Inspection Engine Advanced Threat Security Engine IP & URL reputation Virtual Analyzer Network Content Correlation Engine HTTP CIFS More than 80 protocols analyzed SMTP SQL DNS P2P Embedded doc exploits Drive-by downloads Dropper Unknown Malware C&C access Data stealing Worms/Propagation Backdoor activities Data exfiltration FTP ----- 11/06/2014

Single Appliance for Advanced Protection DETECT Entry point Lateral Movement Deep Discovery Exfiltration Inspector 360 Approach Appliance All-in-One Content Up to 4 Inspection Gbps model Document Bare Metal Emulation & VA available Payload Custom Download sandboxes Behavior embedded Tracing Exploit Can be Detection linked to external SB Network Monitoring Network Content Inspection Engine Advanced Threat Security Engine IP & URL reputation Virtual Analyzer Network Content Correlation Engine All HTTP protocols SMTP DNS analyzed FTP CIFS on a SQL single P2P box ----- Detect known, unknown and custom threats Embedded doc exploits Leverage Drive-by Trend downloads Micro Threat Intelligence Dropper technologies Unknown Malware C&C access Adapts and responds to Data stealing threats Worms/Propagation in your unique environment Backdoor activities Data exfiltration 11/06/2014

Deeper Look into Deep Discovery Virtual Analyzer Your Custom Sandbox Custom OS image Execution acceleration Anti-Analysis detection 32 & 64 bits Execute binaries, documents, URL... Live monitoring Kernel integration (hook, dll injection..) Network flow analysis Event correlation Isolated Network LoadLibraryA Win7 WinXP SP3 ARGs: ( NETAPI32.dll Win7 ) Return value: 73e50000 Base Hardened LoadLibraryA ARGs: ( OLEAUT32.dll ) Return value: 75de0000 LoadLibraryA ARGs: ( WININET.dll ) Return value: 777a0000 key: HKEY_CURRENT_USER\Local Settings\MuiCache\48\52C64B7E Modifies file with infectible type : eqawoc.exe \LanguageList value: key: Inject HKEY_CURRENT_USER\Software\Microsoft\Onheem\20bi1d4f processus : 2604 taskhost.exe Write: Access path: suspicious %APPDATA%\Ewada\eqawoc.exe host : mmlzntponzkfuik.biz type: VSDT_EXE_W32 Injecting process API ID: 2604 Fake Inject API: CreateRemoteThread Fake Target Fake AV process ID: Hooks 1540 Target Explorer image path: taskhost.exe Server socket ARGs: ( 2, 2, 0 ) Return value: 28bfe socket ARGs: ( 23, 1, 6 ) Return value: 28c02 window API Name: Core CreateWindowExW Threat Simulator ARGs: ( 200, 4b2f7c,, 50300104, 0, 0, 250, fe, 301b8, f, 4b0000, 0 ) Return value: 401b2 internet_helper API Name: InternetConnectA ARGs: ( cc0004, mmlzntponzkfuik.biz, 10050,,, 3, 0, 0 ) Return value: cc0008 Filesystem Registry Process Rootkit Network... monitor monitor monitor scanner driver ANALYZE 11/06/2014 4

Deep Discovery Simple & Efficient Infection & payload Lateral movement C&C callback Web proxy Dynamic blacklist Storage Mail Server App Server SMTP relay Inspector af12e45b49cd23... 48.67.234.25:443 68.57.149.56:80 d4.mydns.cc b1.mydns.cc... Endpoint 11/06/2014 5

Create your Custom Defense Analyzer External sandbox system Automatic Analysis Labs Manual & API submission tools Multi-box (5 nodes, 100k files/day) Integrated into Trend Micro solutions Threat profil export (IOC, hash) API & scripting Email Inspector Email reputation & attachment analysis Embedded URL analysis in VA MTA (inline) or BCC (monitor) mode Up to 2M mails/day per box Threat Intelligence Center Central event dashboards Custom searches & reports Central alerting and reporting 11/06/2014 6

Get a complete picture of targeted attacks Deep Discovery Endpoint Sensor Context-aware endpoint solution designed to speed the discovery, investigation and response to security incidents Accelerate you response process Confirm endpoint infiltration alerts from network security See which endpoints have specific malware or C&C activity Discover full context and spread of an attack Get a full picture of threats Records detailed system activities Performs multi-level search across endpoints Uses rich search criteria Compatible with any AV security solution

Catch all endpoint activities & Make the story of the attack Deep Discovery Endpoint Sensor RESPONSE Record all events across endpoint and network to filter out Ghost Alert noise and re- classify alert severity with REAL threat File changes/dropped Registry changes User account modifica%on URL request Connec%on to direct IP DNS resolu%on Adap%ve Inves'ga'on empowers InfoSec immediate incident responses rather of relying on vendor solu%on delivery OpenIOC support Memory snapshot Registry snapshot Retrospec%ve Replay DDES 11/06/2014 8 IOC DD Virtual Analyzer OpenIOC Yara

Deep Discovery Flexible & Efficient Email Inspector HQ/DC Site Traditionnal Security Layer Infection & payload Lateral movement C&C callback Major Remote Site Inspector Local App Server Endpoint Sensor Analyzer Inspector * Threat Intelligence Center 11/06/2014 9 * Can be virtualized

Trend Micro Products Integrated Advanced Protection Storage OfficeScan Deep Security Mail ScanMail Server Endpoint App Server Web IWSva proxy SMTP IMSva relay 11/06/2014 10 Infection & payload C&C callback Analyzer 3c4çba176915c3ee3df8 7b9c127ca1a1bcçba17 Custom Signature Dynamic blacklist af12e45b49cd23... 48.67.234.25:443 68.57.149.56:80 d4.mydns.cc b1.mydns.cc...

Demo-time

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information