Threat Emulation Inside Out

Avi Shua, Intrusion Prevention Group Manager

[Protected] For public distribution

©2013 Check Point Software Technologies Ltd.
“There are known knowns; there are things we know we know. We also know there are known unknowns; that is to say, we know there are some things we do not know. But there are also unknown unknowns – the ones we don’t know we don’t know.”
— Donald Rumsfeld, 2002

2
Known Knowns – Threat Prevention Software Blades

IPS – Prevent exploit of known vulnerabilities
Antivirus – Block known malware
Anti-Bot – Block Bot Communication

Overall IPS Protection: 99.0%

3
Known Unknowns – Top Vulnerable Applications in 2012

Adobe Reader, Java, Microsoft Office, Adobe Flash, Firefox, Internet Explorer
(critical vulnerability counts shown on the slide: 17, 16, 30, 57, 91 and 14)

We know that in the upcoming year 200–300 new, currently unknown vulnerabilities will be discovered in popular business applications.

4
Known Unknown Back Again!

• IPS/Anti-Virus work by:
  – Looking for specific patterns
  – Enforcing compliance of protocols to standards
  – Detecting variations from the protocols
• Attackers evade signature-based detection by obfuscating the attacks and creating attack variants
• So how tough is it?
  – Zeus and SpyEye ‘builders’, generating Zeus or SpyEye variants in a click, are sold at $1–10K
  – www.styx-crypt.com will obfuscate HTML, JavaScript, executable files, PDF & Flash files at $5–25 per file; quantity discounts apply.

5
CVE-2008-2641 – What Does ‘Known’ Mean?

• JavaScript vulnerability in Acrobat Reader
• Heap Spray attack – JavaScript code which ‘fills’ the heap with shell code, and allows arbitrary code execution when Acrobat ‘crashes into it’
• How can you write a signature for it?
  – There are infinite ways to implement the attack (using recursion, loops, whiles, division into functions, etc.)
  – Writing code that understands code (without running it) is hard
  – A PDF document can contain sections which are encoded/compressed with various algorithms
  – Engines must be constantly updated to support new Acrobat features.

Figure callout: actual code that performs a GET to fdf.p-.kkk.xgx78i6p6rlv0.readnotify.com

We know that an attacker can create a variant of a known malware / exploit, rendering itself unknown again to signature-based mechanisms.

6
The Attack Against the Syrian Ministry of Foreign Affairs

Syrian Attack

7
The Attack Against the Syrian Ministry of Foreign Affairs

• Leaked from Syrian Ministry (by Anonymous)
• CVE-2010-0188 – TIFF vulnerability in PDF
• Installs custom built malware
• Sent from a proxy in Seoul, Korea
• C&C communications to China

8
The Attack Against the Syrian Ministry of Foreign Affairs

9
Protecting Against Such Attacks

The multi-million dollar question: how can we protect against the unknowns?

Reputation based
• Sender email addresses / mail server IP
• MD5 of the PDF or malware
• Ineffective against targeted attack – no reputation data

Signature based
• Match on the exploit
• Match on the malware
• Match on the CnC communication
• Limited due to lack of prior knowledge, variants and obfuscation

10
Let’s Talk About Food

• What would you do if you were given a fruit you didn’t know? How can you know it isn’t dangerous?
• You should definitely look in the encyclopedia (or Google)
• But what would you do if it’s not listed?
• You can hire someone to examine it in a lab
  – Very time consuming & expensive
• But you can also give it to a monkey
  – Usually it gives a good answer
  – But monkeys are cute

We DO NOT endorse experiments on animals. (No animal was harmed in any way during the development of the Threat Emulation Software Blade.) Our ‘monkeys’ don’t have feelings. We can guarantee that.

11
Introducing Check Point Threat Emulation Software Blade

Instant protection against unknown threats

12
Threat Emulation – Malicious Attachment Example

Email with malicious attachment

13
Threat Emulation – Malicious Attachment Example

Email with malicious attachment → Intercepted by Threat Emulation Software Blade → Extracting attachments → Emulation → Malware detected / Clean

• The attachment is opened on several emulated machines (different OS)
• The entire system activity is monitored for unexpected behavior
• We monitor network activity, file system & registry changes, process activity & more

We know what should happen when opening a legitimate document (‘White List’). Any document which causes abnormal behavior can be safely considered as malicious.

14
Syrian Attack Fed to the Threat Emulation

Drops malware (‘explorer.exe’ in temp directory) → Executes the malware → Contact CnC → Detected by Threat Emulation

15
Syrian Attack Fed to the Threat Emulation

16
Syrian Attack Fed to the Threat Emulation

17
Syrian Attack Fed to the Threat Emulation

18
Joseph H. Nyee Resume Report – Threat Emulation @ Work

A standard CV? Joseph_Nyee.pdf

• File System Activity – Abnormal file activity
• System Processes – “Naive” processes created
• System Registry – Tampered system registry
• Network Connections – Remote connection to Command & Control sites

19
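The monitoring described on slides 14, 15 and 19 (a white list of expected behaviour, abnormal file, process, registry and network activity, and the drop, execute, contact-CnC chain) as an added, self-contained Python example; this is illustration code written for this page, not Check Point's engine. The white-list prefixes, the event trace, the process names and the 203.0.113.10 host are constructed placeholders.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Event:
    kind: str    # "file", "process", "registry" or "network"
    actor: str   # process image that performed the action
    target: str  # file path, process path, registry key or host:port
    action: str  # "write", "create", "set" or "connect"


# 'White list': what a benign PDF opened in Acrobat Reader is expected to do
# on the emulated Windows image. Prefixes are assumed for this example and
# are not Check Point's actual white list.
WHITELIST = {
    ("file", "write"): ("c:\\users\\user\\appdata\\local\\temp\\acrord32_sbx\\",),
    ("process", "create"): ("c:\\program files\\adobe\\",),
    ("registry", "set"): ("hkcu\\software\\adobe\\",),
    ("network", "connect"): ("armmf.adobe.com:443",),
}
EXECUTABLE_EXT = (".exe", ".dll", ".scr")
PERSISTENCE_KEYS = ("\\currentversion\\run",)
CATEGORY = {"file": "File System Activity", "process": "System Processes",
            "registry": "System Registry", "network": "Network Connections"}


def _expected(ev: Event) -> bool:
    """True when the event matches the white list for its kind and action."""
    return ev.target.lower().startswith(WHITELIST.get((ev.kind, ev.action), ()))


def analyze(trace: List[Event]) -> Dict[str, List[str]]:
    """Report, per category, every behaviour outside the white list, and
    correlate 'executable dropped' with 'dropped file executed'."""
    findings: Dict[str, List[str]] = {c: [] for c in CATEGORY.values()}
    dropped = set()  # lower-cased paths of executables written during emulation
    for ev in trace:
        if _expected(ev):
            continue
        t = ev.target.lower()
        cat = CATEGORY[ev.kind]
        if ev.kind == "file" and ev.action == "write" and t.endswith(EXECUTABLE_EXT):
            dropped.add(t)
            findings[cat].append(f"{ev.actor} dropped executable {ev.target}")
        elif ev.kind == "process" and ev.action == "create":
            how = "executed dropped file" if t in dropped else "spawned"
            findings[cat].append(f"{ev.actor} {how} {ev.target}")
        elif ev.kind == "registry" and ev.action == "set" and any(k in t for k in PERSISTENCE_KEYS):
            findings[cat].append(f"{ev.actor} tampered persistence key {ev.target}")
        elif ev.kind == "network" and ev.action == "connect":
            findings[cat].append(f"{ev.actor} connected to unexpected host {ev.target}")
    return findings


def verdict(findings: Dict[str, List[str]]) -> str:
    """Malicious if any category recorded abnormal behaviour, otherwise clean."""
    return "malicious" if any(findings.values()) else "clean"


TEMP = "C:\\Users\\user\\AppData\\Local\\Temp\\"

def clean_trace() -> List[Event]:
    """Constructed trace of a benign PDF: sandbox temp files and Adobe keys only."""
    return [
        Event("file", "AcroRd32.exe", TEMP + "acrord32_sbx\\A9R1.tmp", "write"),
        Event("registry", "AcroRd32.exe", "HKCU\\Software\\Adobe\\Acrobat Reader\\9.0\\AVGeneral", "set"),
    ]

def dropper_trace() -> List[Event]:
    """Constructed trace shaped like the chain on slide 15: drop, execute, contact CnC."""
    return clean_trace() + [
        Event("file", "AcroRd32.exe", TEMP + "explorer.exe", "write"),
        Event("process", "AcroRd32.exe", TEMP + "explorer.exe", "create"),
        Event("registry", "explorer.exe", "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\explorer", "set"),
        Event("network", "explorer.exe", "203.0.113.10:443", "connect"),  # TEST-NET-3 placeholder CnC
    ]

if __name__ == "__main__":
    for name, trace in (("benign.pdf", clean_trace()), ("suspicious.pdf", dropper_trace())):
        report = analyze(trace)
        print(f"{name}: {verdict(report)}")
        for category, lines in report.items():
            for line in lines:
                print(f"  [{category}] {line}")
```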
Introducing Check Point Threat Emulation

• Dynamic Threat Discovery – Dynamic detection of new attacks & ever-changing threats
• Boosting collaboration power of ThreatCloud
• Integral part of Check Point Software Blades

20
Threat Emulation Engine

• High performance – supports up to 100,000 unique files daily on a 12600 appliance
• Supports Check Point provided OS images and custom images
• Emulation of documents and executable files
• Deep inspection of the system – file system, API calls, network, registry, memory and more.
• Anti-VM detection capabilities

21
Flexible Deployment Options

• Dedicated Appliance
• In the Cloud
• Inline / Tap Mode
• As a Mail Transfer Agent
• Emulation Offload (Local Offload Appliance)

22
Dedicated emulation gateway

Perimeter Firewall → Reassembled files sent for emulation → Threat Emulation appliance (small performance impact)
DMZ / Data Center Firewall

23
Architecture – Local Emulation

User Space
• Virtual Machines – Open and execute multiple files in multiple machines (patented technology)
• Emulation Module – Runs emulation and checks for bad behavior; gathers forensics information (shared to ThreatCloud)

Kernel
• SecureXL (Multi-Core), Policy
• Reassembly Module – Compose and reassemble files received
• Signature scan by Threat Prevention blades: IPS, Anti-Bot, AV

External: ThreatCloud, SmartEvent

24
Pre-Emulation Static Filtering

• Contemporary documents range from very simple to ultra-complex
• Usually, the risk factor of a document varies according to the number of advanced features it utilizes
  – e.g. JavaScript support in Acrobat Reader
• The pre-emulation static filtering process allows skipping documents which contain only safe features
• Filters are constantly updated
• Filters ~50% of the documents

25
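An added example of a pre-emulation static filter, written for this page and not Check Point's filter: it scores a PDF by the advanced features it uses, inflates FlateDecode streams so a feature hidden inside a compressed object stream (the encoded/compressed sections mentioned on slide 6) is still seen, and treats any section it cannot decode as unprovable and therefore sent to emulation. The feature weights and the three sample documents are constructed for the example.

```python
import re
import zlib
from typing import Dict, List, Tuple

# Features that make a document worth emulating, with assumed weights (this
# example's own table, not Check Point's filter rules).
RISKY_FEATURES = {
    b"/JavaScript": 3, b"/JS": 3, b"/Launch": 3, b"/OpenAction": 2, b"/AA": 2,
    b"/EmbeddedFile": 2, b"/RichMedia": 2, b"/XFA": 2, b"/AcroForm": 1, b"/URI": 1,
}
SUPPORTED_FILTERS = {b"/FlateDecode"}  # stream encodings this scanner can undo
OPAQUE_STREAM_WEIGHT = 2               # a section we cannot read cannot be proven safe

STREAM_RE = re.compile(rb"<<((?:[^<>]|<<[^<>]*>>)*)>>\s*stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
FILTER_RE = re.compile(rb"/Filter\s*(?:\[\s*((?:/\w+\s*)+)\]|(/\w+))")


def _filters(dictionary: bytes) -> List[bytes]:
    """Return the /Filter names of a stream dictionary (single name or array)."""
    m = FILTER_RE.search(dictionary)
    return re.findall(rb"/\w+", m.group(1) or m.group(2)) if m else []


def scan_features(data: bytes, depth: int = 0) -> Dict[bytes, int]:
    """Count risky names in the visible bytes, then inflate every FlateDecode
    stream and rescan its content so object streams cannot hide a feature."""
    found: Dict[bytes, int] = {}
    for name in RISKY_FEATURES:
        hits = len(re.findall(re.escape(name) + rb"(?![A-Za-z])", data))
        if hits:
            found[name] = hits
    for dictionary, body in STREAM_RE.findall(data):
        filters = _filters(dictionary)
        if not filters:
            continue  # plain stream body, already covered by the scan above
        if set(filters) <= SUPPORTED_FILTERS and depth < 4:
            try:
                inner = zlib.decompress(body)
            except zlib.error:
                found[b"opaque"] = found.get(b"opaque", 0) + 1  # corrupt: cannot prove safe
                continue
            for name, hits in scan_features(inner, depth + 1).items():
                found[name] = found.get(name, 0) + hits
        else:
            found[b"opaque"] = found.get(b"opaque", 0) + 1
    return found


def should_emulate(data: bytes) -> Tuple[bool, int]:
    """Skip emulation only when no risky or unreadable feature was found."""
    found = scan_features(data)
    score = sum(RISKY_FEATURES.get(k, OPAQUE_STREAM_WEIGHT) * v for k, v in found.items())
    return score > 0, score


def _pdf(objects: List[bytes]) -> bytes:
    """Wrap object bodies into a minimal PDF (no xref; enough for the scanner)."""
    out = [b"%PDF-1.5"] + [b"%d 0 obj\n%s\nendobj" % (i, o) for i, o in enumerate(objects, 1)]
    return b"\n".join(out + [b"%%EOF"])


def _stream(entries: bytes, body: bytes, compress: bool = True) -> bytes:
    """Build a stream object, FlateDecode-compressed unless told otherwise."""
    if compress:
        body, entries = zlib.compress(body), entries + b"/Filter/FlateDecode"
    return b"<<%s/Length %d>>\nstream\n%s\nendstream" % (entries, len(body), body)


# Constructed sample documents.
BENIGN_PDF = _pdf([
    b"<</Type/Catalog/Pages 2 0 R>>",
    b"<</Type/Pages/Kids[3 0 R]/Count 1>>",
    b"<</Type/Page/Parent 2 0 R/Contents 4 0 R>>",
    _stream(b"", b"BT /F1 12 Tf (Quarterly report) Tj ET"),
])
# Catalog and JavaScript action sit inside a compressed object stream, so the
# visible bytes show nothing riskier than /FlateDecode.
HIDDEN_JS_PDF = _pdf([
    b"<</Type/Pages/Kids[2 0 R]/Count 1>>",
    b"<</Type/Page/Parent 1 0 R>>",
    _stream(b"/Type/ObjStm/N 2/First 9",
            b"3 0 4 47\n<</Type/Catalog/Pages 1 0 R/OpenAction 4 0 R>>\n<</S/JavaScript/JS(app.alert(1))>>"),
])
# A filter the scanner cannot undo leaves an opaque section: emulate anyway.
OPAQUE_PDF = _pdf([
    b"<</Type/Catalog/Pages 2 0 R>>",
    b"<</Type/Pages/Kids[]/Count 0>>",
    b"<</Length 9/Filter/LZWDecode>>\nstream\n" + bytes(range(0x80, 0x89)) + b"\nendstream",
])
```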
Introducing Check Point Threat Emulation

• Dynamic Threat Discovery – Dynamic detection of new attacks & ever-changing threats
• Boosting collaboration power of ThreatCloud
• Integral part of Check Point Software Blades

26
Boosting the Collaborative Power of ThreatCloud

Real-time sharing for immediate protection

27
Introducing Check Point Threat Emulation

• Dynamic Threat Discovery – Dynamic detection of new attacks & ever-changing threats
• Boosting collaboration power of ThreatCloud
• Integral part of Check Point Software Blades

28
Granular Threat Prevention Policy

• Anti-Bot & Antivirus Rulebase now also includes Threat Emulation
• Threat Emulation profile controls the emulation configuration:
  – Where to emulate – locally, another gateway or the cloud
  – How – which images to use, whether to use static analysis…
• Integrated with Identity Awareness to match the right profile according to the user identity

29
Encrypted Traffic Support

• Just because traffic is encrypted doesn’t mean the file transferred isn’t malicious
• Integration with Check Point SSL Inspection
  – Visibility into encrypted web traffic
  – Major advantage of the Check Point integrated solution compared to non-integrated expert solutions
• Can be deployed as a Mail Transfer Agent
  – Allowing visibility into SMTP over TLS

30
Threat Emulation Results

• Detection rate
  – Testing methodology – feed Threat Emulation with new (first submitted) malicious documents from VirusTotal.com
  – Detection rate – 80-90% (depends on the month)
• False positives
  – Downloaded hundreds of thousands (250,000 currently) of documents from the internet
  – Fed them to Threat Emulation
  – Each detection was verified to be real
• EA customers
  – Running for 6 months
  – Attacks which passed all other security measures were found on all sites

31
Roadmap

Limited Availability
• Local Document Emulation (PDF and Office)
• Pre-emulation static filters
• Windows XP and 7 images
• Detect only
• Standalone configuration

Main train GA – H1 2013
• All deployment modes (local, remote, cloud and MTA)
• Executable emulation (on the cloud)
• ThreatCloud™ integration
• Full granular management

H2 2013
• Windows 8 image
• Additional file formats support
• Customer image support

Roadmap is subject to changes

32
Anyone can submit files for Threat Emulation:

threats@threats.checkpoint.com
threatemulation.checkpoint.com

33
Demo

34
Summary – Check Point Threat Prevention Solution

IPS – Prevent exploit of known vulnerabilities
Anti-Bot – Block Bot Communication
Antivirus – Block download of known malware

35
Summary – Check Point Threat Prevention Solution

IPS – Prevent exploit of known vulnerabilities
Anti-Bot – Block Bot Communication
Antivirus – Block download of known malware
Threat Emulation – Fighting Unknown Threats

Real Time Security Collaboration Powered by ThreatCloud

36
Summary – Known Unknowns

• Zero Day exploits
• New variants of existing attacks

An average of 70,000 to 100,000 new malware samples are created and distributed each day.

37
Questions?

38


Editor's Notes

  • #4 This is the baseline; nowadays, doing it is the cost of doing business.
  • #5 Here we have the list of leading vulnerable applications in 2012. We know, with a very good confidence level, that we’ll have similar numbers this year as well.
  • #9 Documents leaked from the “Syrian Ministry of Foreign Affairs” by a branch of Anonymous called “Par:AnoIA” (a new wikileak site). One of the documents contains an exploit for CVE-2010-0188. Once exploited, it connects to a C&C (over SSL) and awaits commands from the C&C master. Command codes: 0x1: System Identification, 0x4: Run Updater, 0x5: Disable Autorun, 0x6: Interactive Shell, 0x7: File Manager, 0x16: Change connection delay. This exploit is widespread, but the specific implementation is very rare (seen <150 times worldwide). The exploit also spawns a new PDF process and shows a picture of a document, so the end user would not suspect that anything happened. Source: http://www.securelist.com/en/blog/774/A_Targeted_Attack_Against_The_Syrian_Ministry_of_Foreign_Affairs
  • #10 The fake picture that is opened in a new process gives the user a sense that everything is fine. Talk about who the target is: it can be the Syrian ministry, but it can also be someone who is expected to open the leaked document (we don’t know if it was infected originally). Source: http://www.securelist.com/en/blog/774/A_Targeted_Attack_Against_The_Syrian_Ministry_of_Foreign_Affairs
  • #14 The malicious attachment can be the Syrian attack, but also a much more common attack.
  • #15 Small joke – you give the file to a monkey to eat – not
  • #22 Regarding performance – talk about the fact that computers have Anti-VM detection capabilities – we try to detect that the malware is checking whether it is running on a VM, rather than trying to mimic a physical computer perfectly.
  • #26 See this slide as optional if time is borderline.
  • #28 Not only Threat Emulation customers enjoy Threat Emulation, but all of the participants of the ThreatCloud.
  • #31 Talk about the value of the Check Point SSL inspection integration – expert solutions which don’t include this capability are just as easy to pass.
  • #38 An average of 70,000 to 100,000 new malware samples are created and distributed each day, often through automated, "polymorphic" programs that automatically alter malware into a new, previously unseen form factor each time it is delivered. (Dark Reading, Oct 15, 2012)