Identification at the network edge. I know who it is, but what can it do? Decryption requires knowledge of the keys and introduces latency. DDoS against the IDS.
An exploit is a piece of software that takes advantage of a vulnerability in order to cause unintended application behavior. In this slide we see how external content can carry an exploit. When the content is opened by the viewer application, for example a PDF file in Adobe Acrobat Reader, there can be legitimate access to the file system. However, an exploit will create a different type of access, which uses a vulnerability to download a malicious piece of code to the file system. That code can be a 'downloader' or the payload itself. Apex protects applications that open or render external content and may therefore be exploited. These applications are: Adobe Acrobat Reader; Flash viewer; MS-Office applications (Outlook (mail), Excel, Word, PowerPoint); Java; browsers (Chrome, IE and FF).
How does Apex work? Apex verifies the memory state of the application against whitelisted, legitimate application states. When an application accesses the file system, Apex is triggered to check the memory state. If, as in this case, the memory state matches a whitelisted state, Apex allows the access to go through.
However, if the action is caused by an exploit, known or zero-day, the access to the file system will create an unknown memory state, and so Apex will prevent the execution of the file the application created. As long as Apex is installed on the endpoint, that code would not execute, so the threat is mitigated. [Note that in the first version Apex will not remove the malicious file from the file system. This functionality is planned for the next release which is due in H1 2013.]
If malware has infected the machine, it is very important to mitigate the infection. It doesn't matter whether the machine was infected before or after the installation. If the malware communicates directly with the attacker, that communication is very visible and can be easily blocked. So advanced malware uses a few evasion techniques to bypass detection. For example, it will compromise another legitimate application process, and/or communicate with the attacker over legitimate websites (like forums and Google Docs). Trusteer Apex uses a few different techniques to identify unauthorized exfiltration states and malicious communication channels, and blocks them. Because Trusteer Apex monitors the activity on the host itself, it has better visibility and can accurately detect and block these exfiltration states.
Apex specifically protects employee credentials, which are a prime target for cyber criminals. If compromised, a hacker can use these credentials to log in and access sensitive business information. Key loggers are often used for stealing user credentials. They often target VPN clients used by remote employees to access the enterprise network or specific enterprise applications. Trusteer Apex encrypts the keystrokes entered by the user into applications such as VPN clients (like Citrix Receiver), browsers and Outlook, and can be configured to protect custom applications [needs to be approved by PM]. Trusteer Apex prevents users from submitting credentials to phishing sites by validating the site to which they connect and blocking attempts to submit corporate credentials to unapproved sites. In addition, Apex will prevent users from reusing enterprise passwords on public sites like Facebook: public sites are constantly targeted by hackers attempting to steal lists of user credentials. Since users don't want to remember many passwords, they tend to reuse passwords. But using enterprise passwords on public sites may expose your enterprise, because public sites are also under attack. Apex detects and blocks enterprise password submission to an unauthorized web site and alerts the user and the enterprise. How is it done? The admin configures in the Trusteer Management Application (TMA) a list of approved URLs for enterprise application login. The agent keeps a one-way hash of the passwords locally and compares against it when the user tries to log in to a web app. If the login is to an approved URL, it is allowed. If the URL is not on the approved list, the user will not be allowed to use that password. Note that this feature is optional and does not have to be enabled.
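The approved-URL and hashed-password check described above, as an added Python example (this is not Trusteer's code; the URLs, the password and the function names are constructed for illustration). It also covers two cases the notes only imply: a lookalike host that merely starts with the approved hostname, and a plain-http copy of an approved site, both of which must not count as approved.

```python
import hashlib
import hmac
import os
from urllib.parse import urlsplit

# Constructed example: approved login URLs an admin would configure
# (hypothetical hosts, not real TMA data).
APPROVED_LOGIN_URLS = [
    "https://vpn.corp.example.com/login",
    "https://mail.corp.example.com/owa/auth.aspx",
]


def enroll_password(password, salt=None, iterations=200_000):
    """Keep only a salted one-way hash of the enterprise password on the endpoint."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


def is_enterprise_password(record, candidate):
    """Hash the submitted password the same way and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(digest, record["digest"])


def _scheme_host(url):
    parts = urlsplit(url)
    return parts.scheme.lower(), (parts.hostname or "").lower()


def is_approved_url(url, approved=APPROVED_LOGIN_URLS):
    """Exact scheme+hostname match against the approved list. A lookalike such as
    vpn.corp.example.com.evil.net or an http:// copy of an approved host fails."""
    scheme, host = _scheme_host(url)
    if scheme != "https" or not host:
        return False
    return any((scheme, host) == _scheme_host(a) for a in approved)


def check_submission(record, url, password):
    """Agent decision for a login form submission: 'allow' or 'block'.
    A 'block' is where the agent would also raise the user/enterprise alert."""
    if not is_enterprise_password(record, password):
        return "allow"  # not the protected credential, nothing to enforce
    return "allow" if is_approved_url(url) else "block"
```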