Threat detection and mitigation with Check Point
 

Presentation by Ignacio Berrozpe of Check Point during the XV Jornada de Seguridad TI (IT Security Day) of Nextel S.A., held at the Alhóndiga in Bilbao on Thursday, 27 June 2013.

  • Introducing Check Point’s new Anti-Bot SW Blade to REVOLUTIONIZE BOT PREVENTION!
  • How is this huge threat repository generated? The solution has multiple feeds of signatures, patterns and reputation. Some are Check Point proprietary; some are incorporated using inputs from other security vendors. Emerging threats: a global network of sensors identifies threats earlier and provides protections faster. Emulation: gateways can't handle it, it is too power-consuming. Files are emulated to identify hidden attacks and malware, and alerts and reports are generated on the underlying threat risk and operation. The emulator creates a report which includes the network activity, disk access, registry access, processes which are created or killed, and more.
  • In this way, if one company is attacked with malware, it is instantly shared with ThreatCloud. A signature of the attack is added to the massive database, and is leveraged by all other companies. This shuts down the ability of an attack to spread over multiple companies.
  • Talk about the value of the Check Point SSL inspection integration
  • Hi, my name is XXXX and I am working as a XXX here at Check Point. It is an honor for me to be here today to talk about how increasing numbers of organizations are affected by the DDoS phenomenon, and how organizations can protect themselves against these kinds of overload attacks.
  • A DoS attack is launched from a single source to overwhelm and disable the target service.A Distributed Denial-of-service (DDoS) attack is coordinated and simultaneously launched from multiple sources to overwhelm and disable a target service. These multiple attack sources are typically part of a "bot-net" (a network of compromised computers) and can be scattered across a region or around the globe. The botnet can act dynamically in terms of which bots are attacking a target at any given moment, making it very difficult to detect and block the attack.
  • DoS attacks have been used by all manner of organizations and groups to further their cause. Who are these groups and what are their motivations? Hacktivists are individuals or groups that are organized and motivated to make social and political points, primarily through public IT disruption, by leveraging DoS and other attack methods. From Wikipedia [1], "The term was first coined in 1996 by a member of the Cult of the Dead Cow hacker collective named Omega." If hacking as "illegally breaking into computers" is assumed, then hacktivism could be defined as "the use of legal and/or illegal digital tools in pursuit of political ends". In addition to social and political motivations, some believe that a small subset of hacktivists are actually tied to organized crime and use hacktivism as a diversion to facilitate stealing information for financial gain. Nation-state driven DoS attacks, presumably sanctioned by one or more governments, are also conducted for many different reasons. These reasons are age old and obvious—from creating havoc and disrupting governmental operations, to good old fashioned spying and stealing national secrets. Note, however, that attacks that might appear as nation-state driven can actually be unsponsored acts perpetrated by a few who are motivated to carry out acts under their own perception of patriotism. Conducting an attack for financial gain is a common denominator in the vast majority of the DoS attacks launched on governments and businesses alike. A for-hire DoS attacker can be paid to conduct a DoS attack against the buyer's competitor, thereby deriving financial gain for both the buyer and the attacker. In other cases the DoS attacks are merely a diversion for the actual objective, to steal information—personal records, account records, intellectual property—all to be sold or somehow used for capital gain. Lastly, there have been instances of DoS "ransom attacks" where the target is told to pay a ransom, otherwise they'll be DoS'd and their systems rendered unusable.
  • Let's take a look at this old slide with cybercrime trends for 2012. According to this report, DDoS was the fourth most common attack type that businesses were targeted with. What has happened, and what we are seeing happening, is that there has been an increase in DDoS activity starting from 2012 that continues to increase today. One of the major reasons is that organizations still today are not prepared to take care of these types of threats. Another reason these threats have been so successful is that DDoS attacks have become more sophisticated, able to bypass or bring down traditional security solutions like firewalls, IPS or application control, while at the same time still being very easy for the attackers to execute.
  • So, is it true, are these attacks really happening? Yes, yes, yes, and yes. Just look at what the news has been writing about in the last six months in countries like Denmark, Finland, Norway and Sweden. What's interesting to note when reading these articles is that they claim that "it is impossible to protect against these DDoS attacks." And this is not true.
  • What kinds of attacks do we have out there that organizations are targeted with? We have volumetric attacks; they can be caused by someone using publicly available, innocent DNS servers as amplifiers in order to generate large UDP floods of DNS responses towards a target. One of the most common attack methods seen in the wild is of course the traditional SYN flood attack. And of course application-based attacks.
  • The idea with volumetric attacks is to send a mixture of traffic to the organization in order to consume the bandwidth on the Internet connection towards the target, so that no legitimate traffic is able to pass through to the target machine.
  • The mixture of traffic towards the target can contain, for example, a UDP flood generated using a DNS amplification attack. The way this UDP flood is generated is quite simple: the attacker sends a DNS request to an innocent, publicly available DNS server, like the Google DNS server 8.8.8.8 for example. In this request the attacker spoofs the source IP, using the victim's IP address as the source, which causes the DNS server to respond back to the victim. In doing this the attackers use amplification to increase the traffic volume in an attack. The attacker uses an extension to the DNS protocol (EDNS0) that enables large DNS messages. The attacker composes a DNS request message of approximately 60 bytes to trigger delivery of a response message of approximately 4000 bytes to the target. The resulting amplification factor, approximately 70:1, significantly increases the volume of traffic the target receives, accelerating the rate at which the target's pipe will be saturated.
  • SYN flood attacks are quite easy to generate, since the source IP does not have to be a valid source and the packets do not have to be especially large. On the target side, the state table on firewalls and servers will be consumed and the organization will be unable to provide services to its intended users.
  • As we said before, attacks are getting more sophisticated. Application-layer attacks can be targeted at a specific application implementation weakness and might cause more damage. They are pretty easy for the attacker to execute because they require less bandwidth and fewer resources from the attacker, and there is no need to fill up the target's Internet connection. For example, an attacker can download an attack tool like Slowloris or Tor's Hammer, connect the computer to a 3G connection, hide the source IP in the Tor anonymizer network, and bring down multiple web servers that still have, for example, slow HTTP GET application weaknesses. These types of attacks are very sneaky and difficult to detect with traditional network monitoring, or by solutions that are based only on thresholds and volume-based measures, since they generate a very small amount of traffic; from a traditional security perspective (firewalls, IPS or application control) the traffic will be seen as legitimate and allowed to pass, since it is not exploiting any application vulnerabilities. Low & Slow attacks exploit application implementation weaknesses using relatively low volume and a low number of connections. In many cases, targeted application DoS attacks are used in parallel with volumetric DDoS attacks. These kinds of attacks can go undetected by solutions that are based only on thresholds and volume-based measures.
  • So let's look at a real-world example. When you need to protect your organization against denial-of-service attacks, do not just stare yourself blind at the number of packets per second or the amount of bandwidth that can be handled by a cloud-based service or an on-site solution. In the US banking attack example, they were not targeted with only one attack vector; they were targeted with a mixture of multiple attack vectors, going from network flood attacks and application flood attacks to application DoS attacks. The goal of the attacker is to bring down the target in a DoS attack, and he will use any means necessary in order to succeed. When you are building a defense against these types of attacks you need to consider protection types for all these attack vectors.
  • Poor detection of sly attacks, for example where attackers send legitimate HTTP traffic but with slow transfer speed to use up server resources. Basic filters that aggressively clear the connection table when under attack, which will also affect legitimate users' traffic. The signatures used in IPS systems are focused on protecting against exploitation of vulnerabilities, but to protect against DoS attacks you need to be able to create custom signatures based on traffic patterns.
  • Therefore you need a DDoS protection solution that has multiple layers of security in order to protect against these different types of attack vectors. It should be able to do behavioral analysis on the network traffic in order to understand whether it is indeed a flood or an increase in legitimate traffic. It should be capable of handling the number of packets per second that the organization is being hammered with during a network flood. The solution should be able to generate real-time signatures in order to block only the illegitimate traffic. It should be capable of detecting the suspicious sources and identifying the attacker among those sources by using different types of challenge methods on the application layer, in order to allow the legitimate users to access the system while the organization is targeted. It should also be able to use granular custom filters in order to block sneaky Low & Slow application-based attacks.
  • This is exactly what we can do with Check Point DDoS Protector: it has customized multi-layer protection modules; it will automatically identify and protect against an attack within seconds; it is fully automated, automatically learning the behavior and adapting the baseline of the network environment; and it uses challenge methods to accurately identify attacking sources. Slide text: DDoS Protector's customized multi-layered DDoS protection blocks a wide range of attacks: behavioral analysis comparing typical vs. abnormal traffic; automatically generated and pre-defined signatures; advanced challenge/response techniques; customized protection optimized to meet specific network environment and security needs. DDoS Protector™ is ready to protect any size network in minutes: a product line of 7 new appliances offering low latency (less than 60 microseconds), high performance (up to 12 Gbps), port density of up to 16 ports (both 1 GE and 10 GE options available), on-premise inline deployment for immediate response to attacks, and a transparent network device that easily fits into the existing network topology (layer 2 bridge) and filters traffic before it reaches the firewall to protect networks and servers and block exploits. Integrated with the Check Point security management suite: leverage SmartEvent, SmartLog and SmartView Tracker for a real-time and historic view of overall network security and DDoS attack status; policy management with both a Web UI and a command line interface. A team of security experts provides immediate help for customers facing DoS.
  • There are two DDoS protection deployment types: on the customer premises, or on the customer premises working together with a cloud-based service called DefensePipe. The on-premise solution has a quick response time and can be customized for the organization's requirements. The additional cloud-based service, DefensePipe, helps with moving the problem away from the protected network; it fits when the attack is on bandwidth. The way DefensePipe works is that when the organization is under attack and the on-premise DDoS Protector detects that there is a risk of pipe saturation, it informs the cloud-based DefensePipe service that there is a pipe saturation risk and that redirection of traffic is requested. The cloud-based service cleans the traffic once it is redirected, and the clean traffic is sent back to the organization.
  • The deployment options for DDoS Protector are very flexible. It is completely transparent; you do not need to redesign your network topology. You can deploy it as a standalone unit or as a high-availability cluster. You can deploy it in symmetric as well as asymmetric network environments. You can do an emergency deployment when the organization is under attack in order to directly start protecting the business. You have an optional learning-mode deployment, where you let the system learn behavior for one week before configuring it to protect the environment. Since the system automatically adjusts baselines and is integrated with our event management system, the maintenance cost is very low.
  • Together with a valid support contract, DDoS Protector includes support from a team called the Emergency Response Team (ERT) at no additional cost. The idea with DDoS Protector is that it should automatically mitigate an attack, but if for some reason it is not doing that, we are not leaving you in the dark by yourself. You request access to the ERT under special situations, for example when you are under a DoS attack and the solution for some reason is not automatically mitigating it. ERT will then help you adjust the system in order to block the attack. ERT is a reactive team, and the way to get access to it is to open a Severity 1 critical ticket with Check Point TAC. Inform TAC that you have a DDoS Protector in your production environment and that you are currently under a DDoS attack that is not being automatically mitigated by the DDoS Protector, and that you therefore request access to ERT. Check Point TAC will establish a conference call between you, ERT and TAC, and you need to be able to provide remote access to the DDoS Protector, for example over WebEx, in order for ERT to help you.
  • To summarize: with DDoS Protector you have a fast response time to minimize DDoS damages; application adaptation for the customer's specific environment; the possibility to do emergency deployments, to be able to protect an attacked organization within minutes; and a low maintenance cost, based on the event management integration and the automatic baseline adaptation and behavioral learning in the system.
  • Thank you for listening to me, if you would like to get more information please contact any Check Point representative here.
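The notes above describe three attack patterns (DNS amplification answers arriving at a host that never sent a query, SYN floods that exhaust state tables, and Low & Slow HTTP connections) and ask for behavioral detection rather than raw volume thresholds. The Python below is an added example written for this transcript; it is not DDoS Protector or any other Check Point code. The `Flow` record layout, the constructed sample flows, the per-destination baseline and every threshold are assumptions chosen for illustration.

```python
"""Flow-level checks for the three DDoS patterns in the notes above. Added example,
not Check Point code; Flow layout, sample flows and thresholds are constructed."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str       # "udp" or "tcp"
    flags: str       # TCP flags seen: "S" = SYN only (half-open), "SA" = handshake completed
    bytes_in: int    # bytes delivered to dst
    duration: float  # seconds the flow stayed open


def dns_amplification_victims(flows, min_bytes=3000, min_responses=5):
    """Large UDP answers from port 53 to a host that never sent the query: the spoofed
    victim in the notes receives responses it did not ask for."""
    queried = {(f.src, f.dst) for f in flows if f.proto == "udp" and f.dport == 53}
    hits = defaultdict(int)
    for f in flows:
        unsolicited = (f.dst, f.src) not in queried
        if f.proto == "udp" and f.sport == 53 and f.bytes_in >= min_bytes and unsolicited:
            hits[f.dst] += 1
    return {victim: n for victim, n in hits.items() if n >= min_responses}


def syn_flood_targets(flows, baseline_syn_per_dst, factor=5.0, min_half_open_ratio=0.8):
    """Behavioral check: half-open SYNs per destination against a learned baseline, plus
    the share of half-open among all attempts. A busy but healthy server completes most
    handshakes; a flooded one completes almost none."""
    syn_only, completed = defaultdict(int), defaultdict(int)
    for f in flows:
        if f.proto != "tcp":
            continue
        if f.flags == "S":
            syn_only[f.dst] += 1
        elif "A" in f.flags:
            completed[f.dst] += 1
    targets = {}
    for dst, n in syn_only.items():
        ratio = n / (n + completed[dst])
        if n > factor * baseline_syn_per_dst.get(dst, 1) and ratio >= min_half_open_ratio:
            targets[dst] = {"half_open": n, "ratio": round(ratio, 2)}
    return targets


def low_and_slow_sources(flows, min_duration=60.0, max_bytes=200, min_conns=3):
    """Low & Slow: HTTP connections held open a long time while carrying almost no data,
    counted per source. Volume thresholds alone never see these."""
    counts = defaultdict(int)
    for f in flows:
        if (f.proto == "tcp" and f.dport in (80, 443)
                and f.duration >= min_duration and f.bytes_in <= max_bytes):
            counts[f.src] += 1
    return {src: n for src, n in counts.items() if n >= min_conns}


def build_sample_flows():
    """Constructed flow records using documentation/benchmark address ranges only."""
    resolver = "198.51.100.53"   # constructed open resolver
    flows = []
    # six 4000-byte DNS answers land on 203.0.113.10, which never queried the resolver
    for i in range(6):
        flows.append(Flow(resolver, 53, "203.0.113.10", 40000 + i, "udp", "", 4000, 0.1))
    # a legitimate client asks the same resolver and gets an equally large EDNS0 answer
    flows.append(Flow("203.0.113.20", 41000, resolver, 53, "udp", "", 60, 0.1))
    flows.append(Flow(resolver, 53, "203.0.113.20", 41000, "udp", "", 4000, 0.1))
    # SYN flood on 203.0.113.80: 20 half-open attempts from spoofed sources, 2 real sessions
    for i in range(20):
        flows.append(Flow(f"198.18.{i}.{i}", 1024 + i, "203.0.113.80", 443, "tcp", "S", 60, 0.0))
    for i in range(2):
        flows.append(Flow(f"192.0.2.{i + 1}", 50000 + i, "203.0.113.80", 443, "tcp", "SA", 3000, 1.5))
    # busy but healthy 203.0.113.81: a few half-open, many completed
    for i in range(3):
        flows.append(Flow(f"192.0.2.{i + 10}", 52000 + i, "203.0.113.81", 80, "tcp", "S", 60, 0.0))
    for i in range(30):
        flows.append(Flow(f"192.0.2.{i + 20}", 53000 + i, "203.0.113.81", 80, "tcp", "SA", 5000, 2.0))
    # Low & Slow from 192.0.2.99: four connections open for five minutes, 120 bytes each
    for i in range(4):
        flows.append(Flow("192.0.2.99", 60000 + i, "203.0.113.81", 80, "tcp", "SA", 120, 300.0))
    return flows


def run_checks(flows=None):
    """Run all three detectors; the baseline stands in for what a learning-mode
    deployment would have measured per destination in a normal window (constructed)."""
    flows = build_sample_flows() if flows is None else flows
    baseline = {"203.0.113.80": 2, "203.0.113.81": 4}
    return {
        "dns_amplification": dns_amplification_victims(flows),
        "syn_flood": syn_flood_targets(flows, baseline),
        "low_and_slow": low_and_slow_sources(flows),
    }


if __name__ == "__main__":
    for name, result in run_checks().items():
        print(f"{name}: {result}")
```

The SYN check deliberately combines an absolute excess over the baseline with the half-open ratio: the healthy server 203.0.113.81 has a few dangling SYNs but completes thirty handshakes, so it is not flagged, whereas 203.0.113.80 is flooded with twenty half-open attempts and only two completed sessions. The DNS check pairs each inbound answer with an earlier outbound query from the same host, which is exactly what a spoofed victim lacks.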
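The notes also stress application-layer challenge methods that let legitimate users through while an attack is under way. The Python below is an added example of one simple such method (a redirect that sets a signed, address-bound, expiring cookie), written for this transcript and not taken from DDoS Protector or any Check Point product; the token format, the cookie name and the simulated clients are constructed assumptions.

```python
"""Challenge/response gate separating browsers that follow a redirect from tools that
merely replay requests. Added example, not Check Point code; scheme is an assumption."""
import hmac
import time


class ChallengeGate:
    """A client without a valid token gets a 302 that sets a signed cookie bound to its
    address and a deadline. A browser follows the redirect and returns the cookie; a
    flood tool that replays its original request never gets past the gate."""

    def __init__(self, key, ttl=300):
        self.key = key
        self.ttl = ttl
        self.challenged = 0
        self.admitted = 0

    def _sign(self, client_ip, expires):
        msg = f"{client_ip}|{expires}".encode()
        return hmac.new(self.key, msg, "sha256").hexdigest()[:32]

    def issue_token(self, client_ip, now):
        expires = int(now) + self.ttl
        return f"{expires}.{self._sign(client_ip, expires)}"

    def verify_token(self, client_ip, token, now):
        try:
            expires_text, sig = token.split(".", 1)
            expires = int(expires_text)
            return expires >= now and hmac.compare_digest(sig, self._sign(client_ip, expires))
        except (ValueError, AttributeError, TypeError):
            return False   # malformed or tampered token

    def handle(self, client_ip, cookies, now=None):
        """Return (status, headers): 200 when admitted, 302 with Set-Cookie otherwise."""
        now = time.time() if now is None else now
        token = cookies.get("ddos_challenge")
        if token and self.verify_token(client_ip, token, now):
            self.admitted += 1
            return 200, {}
        self.challenged += 1
        cookie = f"ddos_challenge={self.issue_token(client_ip, now)}"
        return 302, {"Location": "/", "Set-Cookie": cookie}


def simulate(gate, now=1_700_000_000):
    """Constructed clients: a browser, a replaying flood, a stolen token and a stale one."""
    status1, headers = gate.handle("192.0.2.10", {}, now)                      # first contact
    cookie = headers["Set-Cookie"].split("=", 1)[1]
    status2, _ = gate.handle("192.0.2.10", {"ddos_challenge": cookie}, now)   # follows redirect
    flood = [gate.handle(f"198.18.0.{i}", {}, now)[0] for i in range(50)]    # never sets cookie
    stolen = gate.handle("198.18.9.9", {"ddos_challenge": cookie}, now)[0]   # wrong address
    stale = gate.handle("192.0.2.10", {"ddos_challenge": cookie}, now + gate.ttl + 1)[0]
    return {"browser": (status1, status2), "flood": flood, "stolen": stolen, "stale": stale}


if __name__ == "__main__":
    gate = ChallengeGate(b"constructed-key")
    print(simulate(gate))
    print("challenged:", gate.challenged, "admitted:", gate.admitted)
```

Because the token is an HMAC over the client address and deadline, the gate keeps no per-client state, which matters when the attacking sources number in the thousands; the cost of a challenge is one hash, and the protected application only ever sees the requests that came back with a valid cookie.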

Presentation transcript: Threat detection and mitigation with Check Point

  • ©2012 Check Point Software Technologies Ltd. [PROTECTED] — All rights reserved. ©2012 Check Point Software Technologies Ltd. [PROTECTED] — All rights reserved. Check Point Threat Control
  • 2©2012 Check Point Software Technologies Ltd. [PROTECTED] — All rights reserved. | Agenda 1 Modern Malware: Risks and Challenges Collaborative Security Intelligence: ThreatCloud™2 Anti-Bot Software Blade3 Unified Threat Prevention Solution5 Antivirus Software Blade4
  • 3©2012 Check Point Software Technologies Ltd. [PROTECTED] — All rights reserved. | Today’s Threat Landscape Organizations believe they have been the target of an APT attack 159% 1 ESG APT Survey October 2011 2 Ponemon 2nd annual cost of cybercrime study Aug 2011 3 Kaspersky research labs 2011 4 Sophos Security Threat Report 2011 Experienced a Bot attack in the past year 282% Known attacks per day3 10 Million A new malware is created4Every Second With today’s multiple vectors of attacks  Multi-layer Real-time Solution Needed
  • 4©2012 Check Point Software Technologies Ltd. | [Confidential] For Check Point users and approved third parties | ThreatCloud™ First Collaborative Network to Fight Cybercrime Check Point ThreatCloud™ Over 250 Million Addresses Analyzed for Bot Discovery Over 4.5 Million Malware Signatures Over 300,000 Malware-Infested Sites Up-to-the-Minute Security Intelligence
  • 5©2012 Check Point Software Technologies Ltd. | [Confidential] For Check Point users and approved third parties | ThreatCloud™ - Dynamically Updated Intelligence Industry-best malware feeds Malware Sites Signatures Bot addresses Collect attack information from gateways Global network of sensors to identify emerging threats Check Point ThreatCloud™ SensorNET
  • 6©2012 Check Point Software Technologies Ltd. [PROTECTED] — All rights reserved. | The SensorNET System SensorNET provides a global set of observation points in the network feeding threat observations back to a central analysis point. Check Point’s position enables wide access to data points in the network.
  • 7©2012 Check Point Software Technologies Ltd. [PROTECTED] — All rights reserved. | SensorNET Collects Attack Information Attack Name: Web Client Enforcement Violation; Protection name: Microsoft IE argument handling memory corruption vulnerability (MS08-045) Protection Type: signature; rule: 3; Destination: 81.0.0.41 Source: N1.H291; proto: tcp; product: IPS SW blade; service: http; s_port: 5707; Severity: High; Confidence: High The Attack Sensitive customer data is hidden Probe identifies an attack Attack information sent to ThreatCloud™
  • 8©2012 Check Point Software Technologies Ltd. [PROTECTED] — All rights reserved. | SensorNET Analyzes Attack Information Analyzes threat landscape Multiple attacks Same IP address identified
  • 9©2012 Check Point Software Technologies Ltd. | [Confidential] For Check Point users and approved third parties | New protections sent to Check Point gateways Identify Bot attack and Update Check Point gateways Further analysis show IPs are bot C&C addresses New bot C&C address protection sent to gateways CheckPoint ThreatCloud™
  • 10©2012 Check Point Software Technologies Ltd. | [Confidential] For Check Point users and approved third parties | ThreatCloud™ - Dynamically Updated Intelligence Industry-best malware feeds Malware Sites Signatures Bot addresses Collect attack information from gateways Global network of sensors to identify emerging threats Check Point ThreatCloud™ SensorNET
  • 11©2012 Check Point Software Technologies Ltd. | [Confidential] For Check Point users and approved third parties | Collect Bot Attack Info From GWs Run classifier Expert analysis Identify infection and send potential C&C address to ThreatCloud Analyze address in Check Point Labs Add to ThreatCloud C&C address DB – protect ALL GWs ThreatCloud™
  • 12©2012 Check Point Software Technologies Ltd. | [Confidential] For Check Point users and approved third parties | Collect Bot Attack Information From GWs Map Cyber criminal network • Gather bot security events from GWs • Analyze Bot DB data in Check Point Labs • Identify different resources (IPs) used by the same botnet
  • 13©2012 Check Point Software Technologies Ltd. | [Confidential] For Check Point users and approved third parties | Collect Bot Attack Information From GWs Identify Trends • Gather bot security events from GWs • Analyze Bot DB data in Check Point Labs • Identify attack trends (geography)
  • 14©2012 Check Point Software Technologies Ltd. [PROTECTED] — All rights reserved. | ThreatCloud™ - Dynamically Updated Intelligence Industry-best malware feeds Malware Sites Signatures Bot addresses Collect attack information from gateways Global network of sensors to identify emerging threats Check Point ThreatCloud™ SensorNET
  • 15©2012 Check Point Software Technologies Ltd. [PROTECTED] — All rights reserved. | ThreatCloud™ Model: High Performance with Extended Protection Threat Database is kept in the cloud Download updates to the gateway Gateway consults the cloud  Malicious URLs  Real time signatures  C&C IP Addresses  Binary Signatures  Heuristic Engine  Traffic Anomaly Check Security updates normalized to the ThreatCloud Extended Protection High Performance
  • 16©2012 Check Point Software Technologies Ltd. [PROTECTED] — All rights reserved. | First Integrated Anti-Bot Network Solution Discover and stop Bot outbreaks and APT attacks Check Point Anti-Bot Software Blade – Now available! 16©2011 Check Point Software Technologies Ltd. | [PROTECTED] – All rights reserved |
  • 17©2012 Check Point Software Technologies Ltd. [PROTECTED] — All rights reserved. | Botnet Operation: The Infection Infection  Social engineering  Exploiting vulnerability  Drive-by downloads Download Egg  Small payload  Contains initial activation sequence  Egg downloaded directly from infection source or source, such as Command & Control server C&C Server
  • 18©2012 Check Point Software Technologies Ltd. [PROTECTED] — All rights reserved. | Botnet Operation: Self -Defense Self Defense  Stop Anti-Virus service  Change ―hosts‖ file  Disable Windows Automatic Updates  Reset system restore points Command & Control Server
  • 19©2012 Check Point Software Technologies Ltd. [PROTECTED] — All rights reserved. | Botnet Operation: The Damages Payload Pull Command & Control Server  Spam  Denial of Service  Identity Theft  Propagation  Click fraud
  • 20©2012 Check Point Software Technologies Ltd. [PROTECTED] — All rights reserved. | Prevent Bot damage Stop traffic to remote operators Discover Bot infections Multi-tier discovery Anti-Bot Software Blade Extensive forensics tools Investigate Bot infections DISCOVER and STOP Bot Attacks
  • 21©2012 Check Point Software Technologies Ltd. [PROTECTED] — All rights reserved. | ThreatSpect™ Engine Reputation  Detect Command & Control sites and drop zones  Over 250 millions addresses in ThreatCloud™  Real time updates Network Signatures  Over 2000 bots’ family unique communication patterns  Dozen of behavioral patterns Suspicious Email Activity  Over 2 million outbreaks ThreatSpect™ Engine Maximum security with multi-gig performance
  • 22©2012 Check Point Software Technologies Ltd. [PROTECTED] — All rights reserved. | Anatomy of Discovering a Bot (ThreatSpect™ Engine) ThreatCloud™ Reputation Engine in the cloud  Using smart caching to minimize number of queries to the cloud Resource (IP/URL/DNS) C&C
  • 23©2012 Check Point Software Technologies Ltd. [PROTECTED] — All rights reserved. | Anatomy of Discovering a Bot (ThreatSpect™ Engine) ThreatCloud™ Check for Signatures in the gateway  Multi-connection communication patterns (unique per botnet family)  Bot behavioral patterns
  • 24©2012 Check Point Software Technologies Ltd. [PROTECTED] — All rights reserved. | Anatomy of Discovering a Bot (ThreatSpect™ Engine) ThreatCloud™ Check suspicious Email activity Mail params (obfuscated) Bot-based spam  Outbound mail analysis to identify Spam sent from the organization  Mails normalized, parameters extracted  All customer data is obfuscated
  • 25©2012 Check Point Software Technologies Ltd. [PROTECTED] — All rights reserved. | Bot Damage Prevention Bot remote operator Stop Traffic between Infected Hosts and Remote Operator Stop Data Theft Enable User Work Continuity Performance Over 40Gbps*
  • 26©2012 Check Point Software Technologies Ltd. | [Restricted] ONLY for designated groups and individuals | Enhanced Network Antivirus Software Blade Up-to-the-minute protection using ThreatCloud™ 26 Providing extended malware protection
  • 27©2012 Check Point Software Technologies Ltd. [PROTECTED] — All rights reserved. | Antivirus Software Blade Constantly updated Security intelligence with ThreatCloud™ Prevent Access to Malicious Sites Over 300,000 sites! Stop Incoming Malware Attacks R75.40 Signatures [Million] 300xProtect with 300x more signatures! R75.20 4.5- 0- Extended Protection using ThreatCloud™
  • 28©2012 Check Point Software Technologies Ltd. [PROTECTED] — All rights reserved. | Antivirus Software Blade Architecture - Prevent Access to Malware-infested Resources ThreatCloud™ Check Connection – Reputation Engine: IP/DNS/URLs with malware  Prevent connections to resources that contain malware  Prevent drive-by- downloads attacks  Hundred of thousands of addresses Address Malware containing site
  • 29©2012 Check Point Software Technologies Ltd. [PROTECTED] — All rights reserved. | Antivirus Software Blade Architecture – Stop Incoming Malicious Files ThreatCloud™ Check Signatures in the gateway  Files analyzed against a set of signatures downloaded in the gateway  Limited number of signatures compared to the cloud
  • 30©2012 Check Point Software Technologies Ltd. [PROTECTED] — All rights reserved. | Antivirus Software Blade Architecture – Stop Incoming Malicious Files ThreatCloud™ File unique identifier (MD5) File is malicious Check Signatures in the cloud  Real time update and availability of new malware signature  Granular signature database  Only MD5 Checksum is sent to the cloud – high performance
  • 31©2012 Check Point Software Technologies Ltd. [PROTECTED] — All rights reserved. | Antivirus Software Blade Architecture – Stop Incoming Malicious Files ThreatCloud™ Check for unknown malware – Heuristic Engine in the gateway 4  Utilizes Sandbox to detect unknown ‘zero day’ infections  Check for archive files only  Buffers entire file  Easily configurable to ensure optimal user experience Registry OS files
  • 32©2012 Check Point Software Technologies Ltd. [PROTECTED] — All rights reserved. | Agenda 1 Modern Malware: Risks and Challenges Collaborative Security Intelligence: ThreatCloud™2 Anti-Bot Software Blade3 Unified Threat Prevention Solution5 Antivirus Software Blade4
  • 33©2012 Check Point Software Technologies Ltd. [PROTECTED] — All rights reserved. | Unified Anti-Bot and Antivirus Threat Prevention Antivirus + Anti-Bot Unified Policy Settings Unified Malware Analysis
  • 34©2012 Check Point Software Technologies Ltd. [PROTECTED] — All rights reserved. | Policy Model – The Rule Base Scope: contains network objects to be protected by the rule in question Action: Indicates which Profile to activate
  • 35©2012 Check Point Software Technologies Ltd. [PROTECTED] — All rights reserved. | Unified Malware Report See the BIG malware picture
  • 36©2012 Check Point Software Technologies Ltd. [PROTECTED] — All rights reserved. | The Threat Wiki Search the ThreatCloud™ repository for a malware Filter by Category or malware family Learn more about a malware
  • 37 | Check Point Multi-layer Threat Prevention – Keep Your Edge Against Advanced Threats. Check Point Integrated Threat Prevention Solution, powered by ThreatCloud™: Antivirus Software Blade – prevents incoming malware infections and access to malware-containing sites. ThreatCloud™ – provides security gateways with real-time security intelligence. IPS Software Blade – prevents attacks using known and unknown vulnerabilities. Anti-Bot Software Blade – detects bots and stops bot damage.
  • 38 | Closing the Gap: Threat Emulation
  • 39 | Agenda 1 The contemporary world of exploits 2 Introduction to threat emulation 3 Check Point Threat Emulation Solution 4 Summary
  • 40 | Exploits are here to stay  Number of critical exploits which allow the attacker to execute arbitrary code, published in 2011 alone: – 5 JRE exploits – 10 Chrome exploits – 26 Office exploits – 27 Internet Explorer exploits – 60 Firefox exploits – 48 Acrobat Reader exploits – 56 Flash Player exploits  On average, every 1.5 days – a previously unknown (and thus unprotected-against) exploit is published – targeting software installed on virtually every PC  We have no reason to believe that the upcoming years will be different. Source: www.cvedetails.com. Anyone with decent technical capabilities who knows about the exploit before it is published has a 'zero-day' attack which can be used to run arbitrary code on your network.
  • 41 | Signature-based tools are not enough  IPS / Anti-Virus work by – looking for specific patterns – enforcing compliance of protocols to standards – detecting variations from the protocols  They are limited in protecting from:  unknown (zero-day) attacks  attack variations / obfuscated attacks  An updated IPS is a very good tool against known attacks and some of the unknown attacks.  Not enough to protect from unknown attacks – we need a different approach! Attack obfuscation is a commodity nowadays; for example, at styx-crypt.com you can create an obfuscated version of a malicious PDF for $25 per file, quantity discounts apply. Another example: the Zeus malware isn't sold directly. A 'Zeus Builder' is sold, allowing another malware variant to be generated in a click.
  • 42 | CVE-2008-2641 as an example  JavaScript vulnerability in Acrobat Reader  Heap spray attack – JavaScript code which 'fills' the heap with shellcode and allows arbitrary code execution when Acrobat 'crashes into it'  How can you sign it? – There are infinite ways to implement the attack (using recursion, loops, whiles, division into functions, etc.) – Writing code that understands code (without running it) is hard – A PDF document can contain sections which are encoded/compressed with various algorithms – Engines must be constantly updated to support new Acrobat features. Actual code that performs get to fdf.p- .kkk.xgx78i6p6rlv0.readnotify.com. Bottom line: signature-based tools are not enough against advanced attacks.
  • 43 | Gartner, Aug 2011 – Strategies for Dealing With APT – Quotes: "Through year-end 2015, financially motivated attacks will continue to be the source of more than 70% of the most damaging cyberthreats" "…these are not noisy, mass attacks that are easily handled by simple, signature-dependent security approaches." "Targeted attacks often use custom-created executables that are rarely detected by signature based techniques" "Gartner estimates that, for the average enterprise, 4% to 8% of executables that pass through antivirus and other defenses are malicious" Key Finding – "Simply adding more layers of defense does not necessarily increase security against targeted threats — security controls need to evolve"
  • 44 | Agenda 1 The contemporary world of exploits 2 Introduction to threat emulation 3 Check Point Threat Emulation Solution 4 Summary
  • 45 | Threat emulation – malicious attachment example: Email with malicious attachment
  • 46 | Threat emulation – malicious attachment example: Email with malicious attachment – Extracting attachments – Emulation – Clean / Malware detected. During the emulation, the attachment is opened on several emulated machines – from XP to Windows 7 – and the entire system activity is monitored for unexpected behavior. We monitor network activity, file system & registry changes, process activity and more. We know what should happen on the machines when opening a legitimate document ('white list'), thus we can safely consider any document which causes the machine to do something else as malicious. Intercepted by Threat Emulation Blade.
  • 47 | Real detection of malware 'Pdfjsc.XD', leveraging CVE-2011-0609: drops malware ('rthdcpl.exe'), executes the dropped malware. Detected by threat emulation (alpha version).
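The 'white list' verdict logic of slides 46 and 47, as an added example that is not part of the presentation or of Check Point's product: a constructed emulation trace (process, file, registry and network events recorded while a document is opened) is compared against what a legitimate PDF reader is expected to do on the emulated XP and Windows 7 images, and every event outside that expectation is reported. The reader path, the temp-file patterns and the trace events are assumptions; the dropped-file name rthdcpl.exe is taken from slide 47.

```python
import fnmatch

# Assumption: what a legitimate PDF reader is expected to do on the emulated
# XP and Windows 7 images. Illustrative patterns, not the vendor's white list.
EXPECTED = {
    "process": ["C:\\Program Files\\Reader\\reader.exe"],
    "file_write": [
        "C:\\Users\\*\\AppData\\Local\\Temp\\acr*.tmp",                    # Windows 7
        "C:\\Documents and Settings\\*\\Local Settings\\Temp\\acr*.tmp",  # XP
        "C:\\Users\\*\\AppData\\Local\\Reader\\*",
    ],
    "registry_write": ["HKCU\\Software\\Reader\\*"],
    "network": [],  # a document should never make the machine talk to the network
}

def is_expected(event):
    """True if the event matches the white list for its kind (case-insensitive, as on Windows)."""
    patterns = EXPECTED.get(event["kind"], [])
    return any(fnmatch.fnmatchcase(event["target"].lower(), p.lower()) for p in patterns)

def verdict(trace):
    """Return ('clean', []) or ('malware detected', deviations) for an emulation trace."""
    deviations = [e for e in trace if not is_expected(e)]
    return ("malware detected" if deviations else "clean"), deviations

# Constructed trace of a benign document being opened.
BENIGN_TRACE = [
    {"kind": "process", "target": "C:\\Program Files\\Reader\\reader.exe"},
    {"kind": "file_write", "target": "C:\\Users\\victim\\AppData\\Local\\Temp\\acrA1B2.tmp"},
    {"kind": "registry_write", "target": "HKCU\\Software\\Reader\\Recent"},
]

# Constructed trace modelled on slide 47: the document drops an executable
# into Temp, runs it, sets a persistence key and contacts a remote host.
DROPPER_TRACE = BENIGN_TRACE + [
    {"kind": "file_write", "target": "C:\\Users\\victim\\AppData\\Local\\Temp\\rthdcpl.exe"},
    {"kind": "process", "target": "C:\\Users\\victim\\AppData\\Local\\Temp\\rthdcpl.exe"},
    {"kind": "registry_write", "target": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\rthdcpl"},
    {"kind": "network", "target": "198.51.100.7:443"},  # TEST-NET-2 placeholder address
]

if __name__ == "__main__":
    for name, trace in (("benign", BENIGN_TRACE), ("dropper", DROPPER_TRACE)):
        result, devs = verdict(trace)
        print(f"{name}: {result}")
        for e in devs:
            print(f"  unexpected {e['kind']}: {e['target']}")
```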
  • 48 | Agenda 1 The contemporary world of exploits 2 Introduction to threat emulation 3 Check Point Threat Emulation Solution 4 Summary
  • 49 | Threat Emulation Software Blade – DISCOVER and STOP advanced attacks. Stop stealth malware – detect malware based on what it does, regardless of signatures. Stop unique exploitation attacks – detect unsigned zero-day and attack variants. Stop data exfiltration. A true ability to stop the advanced tools used for cyber warfare.
  • 50 | How would you like your threat emulation? It comes in different sizes and shapes: Dedicated appliance – for medium to large deployments. Existing gateway – leveraging your existing investment, when your gateways have enough horsepower. In the cloud – same great capabilities without the need for local emulation resources.
  • 51 | Dedicated emulation gateway (diagram: Perimeter Firewall, Threat Emulation Gateway, Data Center Firewall, DMZ). Reassembled docs sent for emulation; small performance impact.
  • 52 | Threat emulation is part of Check Point ThreatCloud – The Power of Collaboration. A previously unknown attack detected by the Threat Emulation Engine becomes attack data; attack information is shared across organizations through real-time updates.
  • 53 | Architecture. Kernel: signature scan by threat prevention blades (IPS, AV, Anti-Bot); Reassembly Module – composes and reassembles received documents; SecureXL (multi-core); policy / rulebase check. User space: Emulation Module; Virtual Machines – open and execute multiple docs in multiple machines, run emulation and check for bad behavior, run forensics checks; ThreatCloud; SmartEvent.
  • 54 | Threat Emulation Engine  High performance – supports up to 100,000 unique files per day  Supports Check Point-provided OS images and custom images  Emulation of documents and executable files  Deep inspection of the system – file system, API calls, network, registry, memory and more  Anti-VM-detection capabilities
  • 55 | Pre-Emulation Static Filtering  Contemporary documents range from very simple to ultra complex  Usually, the risk factor of a document varies according to the number of advanced features it utilizes – e.g. JavaScript support in Acrobat Reader  The pre-emulation static filtering process allows skipping documents which contain only safe features – filters are constantly updated  Filters out ~70–80% of the documents
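The pre-emulation static filter of slide 55, as an added example that is not the presentation's or Check Point's code: it scans a PDF's raw bytes for advanced features (JavaScript, actions run on open, launch actions, embedded files, rich media, XFA forms), and only documents that use at least one of them are passed on to the expensive emulation step. The feature list and the two inline sample documents are constructed for illustration; hex-escaped PDF names are resolved so that trivial obfuscation does not bypass the filter.

```python
import re

# Assumption: illustrative set of PDF features that raise a document's risk
# factor; not Check Point's actual filter list.
RISKY_FEATURES = {
    b"/JavaScript": "JavaScript action",
    b"/JS": "inline JavaScript",
    b"/OpenAction": "action run on open",
    b"/AA": "event-triggered additional actions",
    b"/Launch": "launch of an external program",
    b"/EmbeddedFile": "embedded file",
    b"/RichMedia": "rich media (Flash) content",
    b"/XFA": "XFA form",
}

# A PDF name ends at whitespace or a delimiter, so /JS must not match /JSX.
_DELIM = rb"(?=[\s/\[\]<>(){}%]|$)"

def pdf_features(data: bytes) -> set:
    """Names of risky features present in the raw PDF bytes.
    #xx escapes inside names (e.g. /J#61vaScript) are resolved first, since
    obfuscated documents use them to evade naive string matching."""
    normalized = re.sub(rb"#([0-9A-Fa-f]{2})",
                        lambda m: bytes([int(m.group(1), 16)]), data)
    return {desc for token, desc in RISKY_FEATURES.items()
            if re.search(re.escape(token) + _DELIM, normalized)}

def needs_emulation(data: bytes) -> bool:
    """Static filter decision: only documents with advanced features go to emulation."""
    return bool(pdf_features(data))

# Constructed minimal documents: one plain page, one with an auto-run,
# hex-escaped JavaScript action.
PLAIN_PDF = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
             b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
             b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj\n"
             b"%%EOF\n")
SCRIPTED_PDF = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n"
                b"4 0 obj << /S /J#61vaScript /JS (app.alert('constructed sample')) >> endobj\n"
                b"%%EOF\n")

if __name__ == "__main__":
    for name, doc in (("plain", PLAIN_PDF), ("scripted", SCRIPTED_PDF)):
        decision = "emulate" if needs_emulation(doc) else "skip"
        print(f"{name}: {decision} {sorted(pdf_features(doc))}")
```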
  • 56 | Granular Policy  The Anti-Bot & Anti-Virus rule base now also includes Threat Emulation. The Threat Emulation profile controls the emulation configuration: where to emulate – locally, on another gateway or in the cloud; how – which images to use, whether to use static analysis, … Threat Emulation allows you to define not only the inspected machines (via IPs of machines to scan), but also scope according to email address. Integrated with Identity Awareness to match the right profile according to the user identity.
  • 57 | Encrypted traffic support  Just because traffic is encrypted doesn't mean the file transferred isn't malicious  Integration with Check Point SSL Inspection – visibility into encrypted web traffic  Integration with Microsoft Exchange – allowing visibility into SMTP over TLS – using a dedicated agent
  • 58 | Threat Emulation Software Blade – DISCOVER and STOP advanced attacks. Stop stealth malware – detect malware based on what it does, regardless of signatures. Stop unique exploitation attacks – detect unsigned zero-day and attack variants. Stop data exfiltration. A true ability to stop the advanced tools used for cyber warfare.
  • 59 | The DDoS phenomenon – Increasing numbers of organizations are affected by massive amounts of traffic
  • 60 | What is a DoS Attack? A Denial-of-Service attack (DoS attack) is an attempt to make a machine or network resource unavailable to its intended users. A Distributed Denial-of-Service attack (DDoS) is coordinated and simultaneously launched from multiple sources.
  • 61 | Motivations behind (D)DoS attacks? DoS attackers can be segmented into three categories. Hacktivists:  their motive is to make social and political points  primarily through public IT disruption  "use of legal and/or illegal digital tools in pursuit of political ends". Nation-state driven:  presumably sanctioned by governments  reasons: disrupting governmental operations  stealing national secrets. Financially motivated attackers:  DoS attacks are merely a diversion  the actual objective is to steal information  lately, instances of DoS "ransom attacks"
  • 62 | Cybercrime Trends for 2012 (Ponemon Institute, May 2012): SQL Injections 44%, APTs 35%, Botnet 33%, DDoS 32%. 65% of businesses experienced attacks; average $214,000 of damage per attack.
  • 63 | DDoS 'as a Service' – Pay per hour, no expertise needed!
  • 64 | Victims of Recent DDoS Attacks
  • 65 | DDoS Attack Examples  Volumetric attacks – fill the pipe  DNS amplification attacks – using critical applications as attack source  SYN attacks – simple way to use up resources  Application attacks – renegotiate SSL key – slow HTTP POST – DNS query flood
  • 66 | Volumetric Attacks (diagram): a mixture of valid traffic and spoofed traffic saturates the victim's limited pipe. Attack target: the victim.
  • 67 | DNS Amplification Attack Example (diagram): the attacker sends a simple DNS request to an open DNS server, which is able to amplify the DNS request to the victim. Attack target: the victim.
  • 68 | SYN Attacks (diagram): utilize the state table on firewalls and servers; spoofed traffic with random sources – random SYN packets toward the victim. Attack target: the victim.
  • 69 | Application Layer DDoS Attacks  Exploit application weaknesses with low & slow attacks – undetectable by threshold- or volume-based solutions. New application attacks are stealthier…  utilize relatively low volume and fewer connections  used in conjunction with volume-based attacks
  • 70 | Real World of Real Attacks  US banking attacks – volumetric – application – continuous and dynamic  DNSSEC attack example – ability to execute a DDoS amplification attack via US Gov  Application low and slow attack – let's hold those HTTP connections open forever – very hard to find
  • 71 | DDoS and Traditional Security – attackers take advantage of traditional security  Firewalls track state of network connections (can be a bottleneck)  Firewalls allow legitimate traffic (e.g. port 80 to web server)  IPS allows legitimate requests (e.g. GET HTTP/1.0\r\n)  Application Control allows legitimate services (DNS or HTTP)
  • 72 | Traditional Firewalls Not Sufficient – not designed for network and application DDoS protection  Basic rate-based flood protection affects all traffic (real users and attack traffic)  Lacks comprehensive Layer 7 DDoS protection – poor detection of sneaky attacks – no filters to block attacks and allow real traffic – administrators cannot create custom signatures
  • 73 | Protection Layers Work Together (diagram): protection layers for Network Flood, Server Flood and Application Low & Slow Attacks; traffic flows through the layers and allowed traffic passes.
  • 74 | Adaptive Detection Engine – Decision Engine (figure: X-axis, Y-axis and Z-axis with an attack-degree axis; regions: normal adapted area, suspicious area, attack area). Example: an abnormal rate of SYN packets with a normal TCP flags ratio gives Attack Degree = 5 (Normal-Suspect), i.e. a flash crowd.
  • 75 | Adaptive Detection Engine (same figure). Example: an abnormally high rate of SYN packets with an abnormal TCP flags ratio gives Attack Degree = 10 (Attack), i.e. a SYN flood.
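The adaptive detection engine of slides 74 and 75, as an added example that is not the presentation's or Check Point's code: the normal SYN rate and the normal SYN share of TCP traffic (the flags ratio) are adapted from learning-mode samples, and each one-second window is then scored on an attack-degree axis so that a flash crowd (high SYN rate, unchanged flag mix) lands in the suspicious area while a SYN flood (high SYN rate, skewed flag mix) lands in the attack area. The 0–10 scale, the abnormality thresholds and the sample counters are assumptions.

```python
import statistics
from dataclasses import dataclass

@dataclass
class Baseline:
    syn_rate: float   # adapted mean SYN packets per second (normal area on the rate axis)
    syn_share: float  # adapted mean fraction of TCP packets that are SYN (flags ratio axis)

def learn_baseline(samples):
    """Adapt the 'normal area' from learning-mode samples of (syn, tcp_total) per second."""
    return Baseline(statistics.mean(syn for syn, _ in samples),
                    statistics.mean(syn / total for syn, total in samples))

# Assumption: deviation factors at which an axis counts as fully abnormal.
RATE_ABNORMAL = 3.0   # SYN rate at 3x the adapted rate
SHARE_ABNORMAL = 2.0  # SYN share of TCP traffic doubled

def _deviation(observed, baseline, abnormal_factor):
    """0.0 inside the normal area, rising linearly to 1.0 at the abnormal factor."""
    factor = observed / baseline if baseline else float("inf")
    return min(1.0, max(0.0, (factor - 1.0) / (abnormal_factor - 1.0)))

def attack_degree(base, syn, tcp_total):
    """Score one window on a 0-10 attack-degree axis: up to 5 points for the
    SYN-rate axis and up to 5 for the flags-ratio axis. A flash crowd raises
    only the rate; a SYN flood raises both."""
    rate_dev = _deviation(syn, base.syn_rate, RATE_ABNORMAL)
    share = syn / tcp_total if tcp_total else 1.0
    share_dev = _deviation(share, base.syn_share, SHARE_ABNORMAL)
    return int(5 * rate_dev + 5 * share_dev)

def area(degree):
    """Map an attack degree to the figure's regions."""
    if degree >= 8:
        return "attack"
    if degree >= 4:
        return "suspicious"
    return "normal adapted"

# Constructed learning-mode samples: about 20 SYN/s, SYNs are 2% of TCP packets.
LEARNING = [(20, 1000), (30, 1500), (10, 500), (20, 1000)]

if __name__ == "__main__":
    base = learn_baseline(LEARNING)
    windows = {"quiet hour": (22, 1100),     # normal
               "flash crowd": (100, 5000),   # 5x SYN rate, flag mix unchanged
               "SYN flood": (400, 500)}      # 20x SYN rate, SYNs dominate TCP
    for name, (syn, total) in windows.items():
        d = attack_degree(base, syn, total)
        print(f"{name}: attack degree {d} -> {area(d)} area")
```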
  • 76 | Check Point DDoS Protector™ – customized multi-layered DDoS protection; protects against attacks within seconds; integrated security management and expert support.
  • 77 | Where to Protect Against DDoS – scenarios: 1 On-premise deployment – DDoS Protector appliance; 2 Cloud-based service – DDoS Protector in the cloud.
  • 78 | Flexible Deployment Options  Ready to protect in minutes  Fits existing network topology  Optional learning-mode deployment  Low maintenance and support
  • 79 | Emergency Response and Support. Emergency Response Team:  help from security experts when under DoS attack  leverage experience gathered from real-life attacks. Check Point Customer Support:  world-class support infrastructure  always-on support 7x24  flexible service options
  • 80 | Summary – Integrated with Check Point Security Management; customized multi-layered DDoS protection; ready to protect in minutes; blocks DDoS attacks within seconds.
  • 81 | Thank You