As malware evolves into targeted Advanced Persistent Threats, the response has to be layered, proactive and highly visible:
Automated Prevention: block malware and exploits to prevent future attacks.
Automated Detection: targeted and zero-day attacks are blocked in real time without signature files.
Automated Forensics: forensic information for in-depth analysis of every attempted attack.
Automated Remediation: automated malware removal to reduce the burden on administrators.
All made possible by big data analytics and collective intelligence.
Malware evolution and Endpoint Detection and Response Technology
1. Evolution of Malware and the Next Generation Endpoint Protection against Targeted Attacks
2. 17/06/2016 Malware Evolution 2
Index
1. Malware volume evolution
2. Malware Eras
3. Panda Adaptive Defense
1. What is it
2. Features & Benefits
3. How does it work
4. Success Story
6. 1st Era
• Very few samples and malware families
• Viruses created for fun, some very harmful, others harmless, but with no ultimate goal
• Slow propagation (months, years) through floppy disks. Some viruses are named after the city where they were created or discovered
• All samples are analysed by technicians
• Sample static analysis and disassembly (reversing)
8. 2nd Era
• The volume of samples starts growing
• The Internet slowly grows popular; macro viruses appear, along with mail worms, etc.
• In general terms, low-complexity viruses using social engineering via email; limited distribution, they are not massively distributed
• Heuristic techniques
• Increased update frequency
10. 3rd Era
• Massive worm outbreaks overload the Internet
• Via mail: I Love You
• Via exploits: Blaster, Sasser, SQL Slammer
• Proactive technologies
• Dynamic: Proteus
• Static: KRE & Heuristics, Machine Learning
• Malware process identification by analysing the events generated by the process:
• Access to the mail contact list
• Internet connection through a non-standard port
• Multiple connections through port 25
• Autorun key addition
• Web browser hooks
13. Static proactive technologies
Response times reduced to zero by detecting unknown malware
Machine learning algorithms applied to classic classification problems
Ours is ALSO a “class” problem: malware vs goodware.
14. 4th Era
• Hackers switched their profile: the main motivation of malware is now economic benefit, using banking trojans and phishing attacks.
• Generalization of droppers/downloaders/exploit kits (EK)
• The move to Collective Intelligence
• Massive file classification
• Knowledge is delivered from the cloud
16. The leap to Collective Intelligence
Delivery of knowledge from the cloud as an alternative to the signature file.
Scalability of the malware signature delivery services to customers through full automation of all backend processes (processing, classification and detection).
17. Big Data arrival
Current working set of 12 TB
400,000 million records
600 GB of samples per day
400 million samples stored
Innovation: making the data processing derived from the Collective Intelligence strategy viable by applying Big Data technologies.
18. 5th Era
• First massive cyber-attack against a country: Estonia, from Russia.
• Anonymous starts a campaign against several organizations (RIAA, MPAA, SGAE and others)
• Malware professionalization
• Use of marketing techniques in spam campaigns
• Country/time-based malware variant distribution
• Ransomware
• APTs
• Detection by context
• Apart from analysing what a process does, the context of execution is also taken into account…
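The 3rd-era event indicators (contact-list access, non-standard ports, repeated port-25 connections, autorun keys, browser hooks) and the 5th-era idea of weighing the same events by execution context can be written as a small scoring rule. The following is an added example, not Panda's code: the event log, image paths, weights and the threshold of 5 are constructed assumptions.

```python
import re
# Constructed sample event log, not real telemetry: (pid, event_type, detail)
EVENTS = [
    ("1001", "file_read", r"C:\Users\alice\AppData\Roaming\Microsoft\Outlook\contacts.pab"),
    ("1001", "net_connect", "203.0.113.9:25"),
    ("1001", "net_connect", "203.0.113.10:25"),
    ("1001", "net_connect", "203.0.113.11:25"),
    ("1001", "reg_set", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\upd"),
    ("2002", "net_connect", "198.51.100.5:443"),
    ("3003", "net_connect", "198.51.100.7:4444"),
    ("3003", "api_hook", "iexplore.exe!HttpSendRequestW"),
]
# Constructed image path per pid: the "execution context" of the 5th-era slide
IMAGE_PATH = {"1001": r"C:\Users\alice\AppData\Local\Temp\invoice.exe",
              "2002": r"C:\Program Files\Mail\mail.exe",
              "3003": r"C:\Windows\Temp\svc.exe"}
STANDARD_PORTS = {25, 53, 80, 110, 143, 443, 465, 587, 993, 995}
BROWSERS = ("iexplore.exe", "firefox.exe", "chrome.exe")

def score_process(events, image_path):
    """Score one process against the slide's event list; weights are assumptions."""
    score, reasons, smtp = 0, [], 0
    for _, etype, detail in events:
        if etype == "file_read" and re.search(r"contacts|\.(pab|wab)$", detail, re.I):
            score += 2; reasons.append("mail contact list access")
        elif etype == "net_connect":
            port = int(detail.rsplit(":", 1)[1])
            if port == 25:
                smtp += 1                          # scored once, below
            elif port not in STANDARD_PORTS:
                score += 2; reasons.append(f"non-standard port {port}")
        elif etype == "reg_set" and r"\currentversion\run" in detail.lower():
            score += 3; reasons.append("autorun key added")
        elif etype == "api_hook" and detail.lower().startswith(BROWSERS):
            score += 3; reasons.append("web browser hook")
    if smtp >= 3:
        score += 3; reasons.append(f"{smtp} connections to port 25")
    # Detection by context: the same events weigh more from a temp/user-writable dir
    if re.search(r"\\(temp|appdata)\\", image_path, re.I):
        score += 2; reasons.append("launched from temp/user-writable path")
    return score, reasons

def classify(events=EVENTS, image_paths=IMAGE_PATH, threshold=5):
    """Group events by pid and return {pid: (verdict, score, reasons)}."""
    by_pid = {}
    for ev in events:
        by_pid.setdefault(ev[0], []).append(ev)
    verdicts = {}
    for pid, evs in by_pid.items():
        score, reasons = score_process(evs, image_paths.get(pid, ""))
        verdicts[pid] = ("malware-like" if score >= threshold else "goodware-like", score, reasons)
    return verdicts
```

Running `classify()` flags pids 1001 and 3003 as malware-like and leaves the mail client (2002) as goodware-like, with the matched indicators listed as reasons.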
22.
- November / December 2013
- 40 million credit/debit cards stolen
- Attack made through the A/C maintenance company
- POS
- Unknown author
- Information deletion
- TB of information stolen
Sony Pictures computer system down after reported hack
Hackers threaten to release 'secrets' onto web
23. Carbanak
- Year 2013/2014
- 100 affected entities
- Countries affected: Russia, Ukraine, USA, Germany, China
- ATMs: US$ 7,300,000
- Transfers: US$ 10,000,000
- Total estimated: US$ 1,000,000,000
25. Adaptive Defense
Panda Adaptive Defense is a new security model that can guarantee complete protection for devices and servers by classifying 100% of the processes running on every computer throughout the organization and monitoring and controlling their behavior.
More than 1.2 billion applications already classified.
The new version of Adaptive Defense (1.5) also includes an AV engine, adding disinfection capability. Adaptive Defense could even replace the company antivirus.
PREVENTION… and blockage of applications and isolation of systems to prevent future attacks
DETECTION… and blockage of zero-day and targeted attacks in real time without the need for signature files
VISIBILITY… and traceability of each action taken by the applications running on a system
RESPONSE… and forensic information to analyze each attempted attack in detail
27.
- Daily and on-demand reports
- Simple, centralized administration from a Web console
- Better service, simpler management
- Detailed and configurable monitoring of running applications
- Protection of vulnerable systems
- Protection of intellectual assets against targeted attacks
- Forensic report
- Identification and blocking of unauthorized programs
- Light, easy-to-deploy solution
(Benefit areas on the slide: Protection, Productivity, Management)
28. Key Differentiators
- Categorizes all running processes on the endpoint, minimizing the risk of unknown malware: continuous monitoring and attestation of all processes fills the detection gap of AV products.
- Automated investigation of events significantly reduces manual intervention by the security team: machine learning and collective intelligence in the cloud definitively identify goodware and block malware.
- Integrated remediation of identified malware: instant access to real-time and historical data provides full visibility into the timeline of malicious endpoint activity.
- Minimal endpoint performance impact (<3%)
29. Adaptive Defense vs Traditional Antivirus

New malware detection capability*
                                                  Traditional      Standard   Extended
                                                  Antivirus (25)   Model      Model
New malware blocked during the first 24 hours     82%              98.8%      100%
New malware blocked during the first 7 days       93%              100%       100%
New malware blocked during the first 3 months     98%              100%       100%
% detections by Adaptive Defense detected by no other antivirus: 3.30%
Suspicious detections                             YES              NO (no uncertainty)

File classification
                                                  Universal Agent**   Adaptive Defense
Files classified automatically                    60.25%              99.56%
Classification certainty level                    99.928%             99.9991%
                                                                      (< 1 error / 100,000 files)

* Viruses, Trojans, spyware and ransomware received in our Collective Intelligence platform. Hacking tools, PUPs and cookies were not included in this study.
** Universal Agent technology is included as endpoint protection in all Panda Security solutions.
30. Adaptive Defense vs Other Approaches
Columns on the slide: AV vendors | WL vendors* | New ATD vendors**
- Detection gap
- Do not classify all applications
- Management of WLs required
- Not all infection vectors covered (e.g. USB drives)
- Not transparent to end users and admins (false positives, quarantine administration, …)
- Complex deployments required
- Monitoring sandboxes is not as effective as monitoring real environments
- Expensive work overhead involved
- ATD vendors do not prevent/block attacks
* WL = Whitelisting: Bit9, Lumension, etc.
** ATD = Advanced Threat Defense: FireEye, Palo Alto, Sourcefire, etc.
32. A brand-new three-phased cloud-based security model
1st Phase: comprehensive monitoring of all the actions triggered by programs on endpoints
2nd Phase: analysis and correlation of all actions monitored on customers' systems, using Data Mining and Big Data Analytics techniques
3rd Phase: endpoint hardening and enforcement: blocking of all suspicious or dangerous processes, with notifications to alert network administrators
35. Adaptive Defense in figures
+1.2 billion applications already categorized
+100 deployments. Malware detected in 100% of scenarios
+100,000 endpoints and servers protected
+200,000 security breaches mitigated in the past year
+230,000 hours of IT resources saved, estimated cost reduction of €14.2M
Let’s see an example…
36. Scenario description
Concept                          Value
PoC length                       60 days
Machines currently monitored     +/- 690
Machines with malware            73
Machines with malware executed   15
Machines with PUP found          91
Executed PUP files               13
Executed files classified        27,942

Concept                          Value
Malware blocked                  160
PUP blocked                      623
TOTAL threats mitigated          783
As a curious aside, Microsoft offered a reward of 250,000 dollars to anyone who provided a lead to the author of the malware. Jaschan was hired in September 2004 by Securepoint, which prompted no small number of complaints in the community and even diplomatic conflicts between companies in the sector (http://en.wikipedia.org/wiki/Sven_Jaschan).
Panda Adaptive Defense is focused on zero-day threats, advanced persistent threats and targeted attacks.
It is focused on identifying and blocking previously unknown malware. Traditional AV products use known properties such as signatures or behaviors to identify malware. The challenge is to protect against malware that has yet to be identified by the AV vendors. Panda Adaptive Defense does this by monitoring all running processes on the endpoint. It then uses local capabilities and collective intelligence / big data in the cloud to categorize and attest whether an executable is goodware (and not malware). And because it is constantly monitoring all processes, it can detect APT malware that may lie dormant for a period of time before being activated.
Panda Adaptive Defense goes a step beyond simply providing the security team with a slew of IOCs (indicators of compromise). Panda Adaptive Defense leverages collective intelligence to provide a definitive attestation as to whether an executable (and its processes) is malware, and it blocks any executable categorized as malware. This automatic investigation saves the security team from having to investigate a large number of IOCs.
Panda’s experience with remediating malware adds to the capability of Panda Adaptive Defense. Panda Adaptive Defense also logs activities, making investigation and remediation a much easier task.