Check Point Threat emulation 2013

Notes
  • This is the baseline; nowadays, doing it is the cost of doing business.
  • Here we have the list of leading vulnerable applications in 2012. We know, with a very good confidence level, that we’ll have similar numbers this year as well.
  • Documents leaked from the “Syrian Ministry of Foreign Affairs” by a branch of Anonymous called “Par:AnoIA” (a new WikiLeaks-style site). One of the documents contains an exploit for CVE-2010-0188. Once exploited, it connects to a C&C (over SSL) and awaits commands from the C&C master: 0x1: System Identification, 0x4: Run Updater, 0x5: Disable Autorun, 0x6: Interactive Shell, 0x7: File Manager, 0x16: Change connection delay. This exploit is widespread, but the specific implementation is very rare (seen <150 times worldwide). The exploit also spawns a new PDF process and shows a picture of a document, so the end user would not suspect that anything happened. Source: http://www.securelist.com/en/blog/774/A_Targeted_Attack_Against_The_Syrian_Ministry_of_Foreign_Affairs
  • The fake picture that is opened in a new process gives the user a sense that everything is fine. Talk about who the target is: it can be the Syrian ministry, but it can also be someone who is expected to open the leaked document (we don’t know whether it was infected originally). Source: http://www.securelist.com/en/blog/774/A_Targeted_Attack_Against_The_Syrian_Ministry_of_Foreign_Affairs
  • The malicious attachment can be the Syrian attack, but also a much more common attack
  • 1. Small joke – you give the file to a monkey to eat - not
  • Regarding performance – mention that the emulator has anti-VM-detection capabilities: we try to detect that the malware is checking whether it is running on a VM, rather than trying to mimic a physical computer perfectly
  • See this slide as optional if time is borderline
  • Threat Emulation’s findings benefit not only Threat Emulation customers but all participants of the ThreatCloud
  • Talk about the value of the Check Point SSL inspection integration – expert solutions that don’t include this capability are easy to bypass with encrypted traffic
  • An average of 70,000 to 100,000 new malware samples are created and distributed each day, often through automated, "polymorphic" programs that automatically alter malware into a new, previously unseen form factor each time it is delivered. (Dark Reading, Oct 15, 2012)

    1. Threat Emulation Inside Out. Avi Shua, Intrusion Prevention Group Manager. [Protected] For public distribution ©2013 Check Point Software Technologies Ltd.
    2. “There are known knowns; there are things we know we know. We also know there are known unknowns; that is to say, we know there are some things we do not know. But there are also unknown unknowns – the ones we don't know we don't know.” — Donald Rumsfeld, 2002
    3. Known Knowns – Threat Prevention Software Blades
       • IPS – Prevent exploit of known vulnerabilities (Overall IPS Protection: 99.0%)
       • Antivirus – Block known malware
       • Anti-Bot – Block Bot Communication
    4. Known Unknowns – Top Vulnerable Applications in 2012
       • Adobe Reader – 17 critical vulnerabilities
       • Java – 16 critical vulnerabilities
       • Microsoft Office – 30 critical vulnerabilities
       • Adobe Flash – 57 critical vulnerabilities
       • Firefox – 91 critical vulnerabilities
       • Internet Explorer – 14 critical vulnerabilities
       • We know that in the upcoming year 200–300 new, currently unknown vulnerabilities will be discovered in popular business applications
    5. Known Unknown Back Again!
       • IPS/Antivirus work by:
         – Looking for specific patterns
         – Enforcing compliance of protocols to standards
         – Detecting variations from the protocols
       • Attackers evade signature-based detection by obfuscating the attacks and creating attack variants
       • So how tough is it?
         – Zeus and SpyEye "builders", generating Zeus or SpyEye variants in a click, are sold at $1–10K
         – www.styx-crypt.com will obfuscate HTML, JavaScript, executable files, PDF & Flash files at $5–25 per file; quantity discounts apply
    6. CVE-2008-2641 – What Does 'Known' Mean?
       • JavaScript vulnerability in Acrobat Reader
       • Heap spray attack – JavaScript code which 'fills' the heap with shellcode, and allows arbitrary code execution when Acrobat 'crashes into it'
       • (Screenshot annotation: actual code that performs a GET to fdf.p-.kkk.xgx78i6p6rlv0.readnotify.com)
       • How can you write a signature for it?
         – There are infinite ways to implement the attack (using recursion, loops, whiles, division into functions, etc.)
         – Writing code that understands code (without running it) is hard
         – A PDF document can contain sections which are encoded/compressed with various algorithms
         – Engines must be constantly updated to support new Acrobat features
       • We know that an attacker can create a variant of a known malware / exploit, rendering it unknown again to signature-based mechanisms
    7. The Attack Against the Syrian Ministry of Foreign Affairs (Syrian Attack)
    8. The Attack Against the Syrian Ministry of Foreign Affairs
       • Leaked from Syrian Ministry (by Anonymous)
       • CVE-2010-0188 – TIFF vulnerability in PDF
       • Installs custom-built malware
       • Sent from a proxy in Seoul, Korea
       • C&C communications to China
    9. The Attack Against the Syrian Ministry of Foreign Affairs (screenshot)
    10. Protecting Against Such Attacks
       • Reputation based
         – Sender email addresses / mail server IP
         – MD5 of the PDF or malware
         – Ineffective against targeted attack – no reputation data
       • Signature based
         – Match on the exploit
         – Match on the malware
         – Match on the CnC communication
         – Limited due to lack of prior knowledge, variants and obfuscation
       • The multi-million dollar question: how can we protect against the known unknowns?
    11. Let's Talk About Food
       • What would you do if you were given a fruit you didn't know? How can you know it isn't dangerous?
       • You should definitely look in the encyclopedia (or Google)
       • But what would you do if it's not listed?
       • You can hire someone to examine it in a lab
         – Very time consuming & expensive
       • But you can also give it to a monkey
         – Usually it gives a good answer
         – But monkeys are cute
       • (Side note: We DO NOT endorse experiments on animals. No animal was harmed in any way during the development of the Threat Emulation Software Blade. Our 'monkeys' don't have feelings. We can guarantee that.)
    12. Introducing Check Point Threat Emulation Software Blade – Instant protection against unknown threats
    13. Threat Emulation – Malicious Attachment Example: Email with malicious attachment
    14. Threat Emulation – Malicious Attachment Example
       • Flow: Email with malicious attachment → Intercepted by Threat Emulation Software Blade → Extracting attachments → Emulation → Malware detected / Clean
       • The attachment is opened on several emulated machines (different OS)
       • We know what should happen when opening a legitimate document ('White List')
       • The entire system activity is monitored for unexpected behavior
       • We monitor network activity, file system & registry changes, process activity & more
       • Any document which causes abnormal behavior can be safely considered as malicious
    15. Syrian Attack Fed to the Threat Emulation
       • Drops malware ('explorer.exe' in temp directory) → Executes the malware → Contacts CnC → Detected by Threat Emulation
    16. Syrian Attack Fed to the Threat Emulation (screenshot)
    17. Syrian Attack Fed to the Threat Emulation (screenshot)
    18. Syrian Attack Fed to the Threat Emulation (screenshot)
    19. Threat Emulation @ Work
       • Joseph_Nyee.pdf ("Joseph H. Nyee Resume") – a standard CV?
       • Report:
         – File System Activity: abnormal file activity
         – System Processes: "naive" processes created
         – System Registry: tampered system registry
         – Network Connections: remote connection to Command & Control sites
    20. Introducing Check Point Threat Emulation
       • Dynamic Threat Discovery – dynamic detection of new attacks & ever-changing threats
       • Boosting collaboration power of ThreatCloud
       • Integral part of Check Point Software Blades
    21. Threat Emulation Engine
       • High performance – supports up to 100,000 unique files daily on a 12600 appliance
       • Supports Check Point provided OS images and custom images
       • Emulation of documents and executable files
       • Deep inspection of the system – file system, API calls, network, registry, memory and more
       • Anti-VM-detection capabilities
    22. Flexible Deployment Options
       • Dedicated appliance – inline / tap mode
       • In the cloud
       • As a Mail Transfer Agent
       • Emulation offload (local / offload appliance)
    23. Dedicated emulation gateway
       • Small performance impact
       • Reassembled files sent for emulation
       • (Diagram: Perimeter Firewall, DMZ, Data Center Firewall, Threat Emulation appliance)
    24. Architecture – Local Emulation
       • User space – Emulation Module
         – Virtual Machines: open and execute multiple files in multiple machines – patented technology
         – Run emulation and check for bad behavior
         – Gathers forensics information (shared to ThreatCloud)
       • Kernel – SecureXL (Multi-Core), Policy
         – Reassembly Module: compose and reassemble files received
         – Signature scan by Threat Prevention blades: IPS, Anti-Bot, AV
       • External: ThreatCloud, SmartEvent
    25. Pre-Emulation Static Filtering
       • Contemporary documents range from very simple to ultra-complex
       • Usually, the risk factor of a document varies according to the number of advanced features it utilizes – e.g. JavaScript support in Acrobat Reader
       • The pre-emulation static filtering process allows skipping documents which contain only safe features
       • Filters are constantly updated
       • Filters ~50% of the documents
    26. Introducing Check Point Threat Emulation (agenda: Dynamic Threat Discovery; Boosting collaboration power of ThreatCloud; Integral part of Check Point Software Blades)
    27. Boosting the Collaborative Power of ThreatCloud – Real-time sharing for immediate protection
    28. Introducing Check Point Threat Emulation (agenda, as on slide 26)
    29. Granular Threat Prevention Policy
       • Anti-Bot & Antivirus Rulebase now also includes Threat Emulation
       • Threat Emulation profile controls the emulation configuration:
         – Where to emulate – locally, other gateway or cloud
         – How – which images to use, use static analysis…
       • Integrated with Identity Awareness to match the right profile according to the user identity
    30. Encrypted Traffic Support
       • Just because traffic is encrypted doesn't mean the file transferred isn't malicious
       • Integration with Check Point SSL Inspection
         – Visibility into encrypted web traffic
         – Major advantage of Check Point integrated solution compared to non-integrated expert solutions
       • Can be deployed as a Mail Transfer Agent
         – Allowing visibility to SMTP over TLS
    31. Threat Emulation Results
       • Detection rate
         – Testing methodology – feed Threat Emulation with new (first submitted) malicious documents from VirusTotal.com
         – Detection rate – 80–90% (depends on the month)
       • False positives
         – Downloaded hundreds of thousands (250,000 currently) of documents from the internet
         – Fed to Threat Emulation
         – Each detection was verified to be real
       • EA customers
         – Running for 6 months
         – Attacks which passed all other security measures were found on all sites
    32. Roadmap
       • Limited Availability
         – Local document emulation (PDF and Office)
         – Pre-emulation static filters
         – Windows XP and 7 images
         – Detect only
         – Standalone configuration
       • Main train GA – H1 2013
         – All deployment modes (local, remote, cloud and MTA)
         – Executable emulation (on the cloud)
         – ThreatCloud™ integration
         – Full granular management
       • H2 2013
         – Windows 8 image
         – Additional file formats support
         – Customer image support
       • Roadmap is subject to change
    33. Anyone can submit files for Threat Emulation: threats@threats.checkpoint.com, threatemulation.checkpoint.com
    34. Demo
    35. Summary – Check Point Threat Prevention Solution
       • IPS – Prevent exploit of known vulnerabilities
       • Anti-Bot – Block Bot Communication
       • Antivirus – Block download of known malware
    36. Summary – Check Point Threat Prevention Solution
       • IPS – Prevent exploit of known vulnerabilities
       • Anti-Bot – Block Bot Communication
       • Antivirus – Block download of known malware
       • Threat Emulation – Fighting unknown threats
       • Real Time Security Collaboration – Powered by ThreatCloud
    37. Summary – Known Unknowns
       • Zero-day exploits
       • New variants of existing attacks
       • An average of 70,000 to 100,000 new malware samples are created and distributed each day
    38. Questions?
