Brian Dye, Symantec's senior vice president for information security, said in an interview with the WSJ.
The malware hides itself on legitimate photo-sharing sites.
Real pictures.
Mean malware.
The images were posted legitimately on a legitimate server in Australia.
We divide threats into two types: known and unknown malware.
Traditional security measures identify known malware using signatures, IP addresses and URLs. We now see a large volume of new, unknown malware that we cannot detect with traditional technologies. We call these Advanced Persistent Threats (APTs), or targeted attacks.
We are seeing a sharp increase in APTs for two reasons. First, attackers are spending more time looking for vulnerabilities in new systems. Second, someone builds simple tools that can turn any known malware into unknown malware by changing a few of its characteristics. A conventional security system will not recognize the modified malware.
How do you detect whether there is an APT in your network?
Let's take a deeper look at "CPU-level detection".
The first step an attacker must take is to find a vulnerability, a weakness in some piece of software: maybe the browser, Java, or Windows itself. Exploiting it lets them inject their exploit code into memory, bypassing security controls. Once it is there, they can run their shellcode, essentially a small program that retrieves the malware, either from the original file or over the network. Now they can do what they really came for, whether that is exfiltrating data, logging keystrokes, or spreading additional malware behind your firewall.
Now let's look at this chain and see what is going on.
First, at the top of the chain, there are thousands of vulnerabilities, hundreds of which are actively exploited and unpatched at any point in time. Getting into computers and being able to talk to them is still not that difficult for attackers.
At the end of the chain, there are millions of different malware samples: malware that tries to exfiltrate data from your network, or malware that runs a bot to spread through the network or to establish command and control over other machines in it.
But getting from the top to the bottom has to pass through a very narrow stream of exploitation techniques, of which there are only a handful. Where an attacker tries to evade detection in the sandbox is at the bottom of that chain: as the malware starts up, it looks for a VM, waits for user interaction, or sleeps for a week. But that only happens late in the attack.
If we can come in at the exploit phase, where there are only a handful of techniques, we are a step ahead of those malware variants. The fact that someone has created a new, slightly modified version of the malware doesn't matter. We are still going to see it, because it uses the same exploit technique.
Very few new exploitation techniques are written. When they appear, our team quickly finds out about them through ThreatCloud and Incident Response, and we quickly build protections against them.
It is also a step earlier in the attack cycle, BEFORE the evasion code can run.
SandBlast takes a new approach to this problem, providing a safe COPY of files until inspection is complete, which allows deployment in full blocking mode. Any threat identified still generates an alert, but the malware was prevented from reaching the user.
SandBlast calls this capability Threat Extraction. It creates a clean, reconstructed version of the document using only safe components: scripts and macros are removed, and dynamic content is rendered as a static view.
This is not intended to replace the original, but for many users being able to view the content is all that is needed. Within a matter of minutes the original can be retrieved, but only once it has been deemed safe.
With today's sophisticated watering-hole, spear-phishing, and drive-by exploits, malicious content downloaded from the web is of particular concern. For this content, we provide a unique, proactive approach to securing content: Threat Extraction.
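As an added example (written for this page, not SandBlast's implementation), the Python below does a Threat Extraction-style rebuild of an Office Open XML document: the zip package is rewritten from its safe parts only, the VBA project, ActiveX controls and embedded OLE objects are dropped, and the content-type and relationship metadata are repaired so the static copy still opens as a plain .docx. The macro-enabled sample document, its part names, the OLE stub bytes and the helper names are all constructed for this example.

```python
"""Threat Extraction-style rebuild of an Office Open XML document (example code
written for this page, not Check Point's implementation). The package is
rewritten from safe parts only; the sample document below is constructed."""
import io
import posixpath
import re
import xml.etree.ElementTree as ET
import zipfile

CT_NS = "http://schemas.openxmlformats.org/package/2006/content-types"
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
# Parts that carry active content: VBA projects, ActiveX controls, OLE embeddings.
ACTIVE_PARTS = re.compile(r"(^|/)(vbaProject\.bin|vbaData\.xml)$|/activeX/|/embeddings/", re.I)
# Relationship types (last URL segment) that only ever point at active content.
ACTIVE_REL_TYPES = {"vbaProject", "oleObject", "control"}
# Macro-enabled main-part types and their plain equivalents, so the copy is a .docx/.xlsx.
MAIN_TYPES = {
    "application/vnd.ms-word.document.macroEnabled.main+xml":
        "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml",
    "application/vnd.ms-excel.sheet.macroEnabled.main+xml":
        "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml",
}


def _clean_content_types(xml_bytes, dropped):
    """Drop Override/Default entries for removed parts and demote macro-enabled types."""
    ET.register_namespace("", CT_NS)
    root = ET.fromstring(xml_bytes)
    for el in list(root):
        tag, ctype = el.tag.rsplit("}", 1)[-1], el.get("ContentType", "")
        if tag == "Override" and el.get("PartName", "").lstrip("/") in dropped:
            root.remove(el)
        elif tag == "Default" and "vbaProject" in ctype:
            root.remove(el)  # remaining .bin parts (e.g. printer settings) carry their own Override
        elif ctype in MAIN_TYPES:
            el.set("ContentType", MAIN_TYPES[ctype])
    return ET.tostring(root, encoding="UTF-8", xml_declaration=True)


def _clean_relationships(xml_bytes, rels_name, dropped):
    """Drop relationships to removed parts; hyperlinks, images and styles are kept."""
    ET.register_namespace("", REL_NS)
    root = ET.fromstring(xml_bytes)
    part_dir = posixpath.dirname(posixpath.dirname(rels_name))  # word/_rels/document.xml.rels -> word
    for rel in list(root):
        target = rel.get("Target", "")
        resolved = (target.lstrip("/") if target.startswith("/")
                    else posixpath.normpath(posixpath.join(part_dir, target)))
        if resolved in dropped or rel.get("Type", "").rsplit("/", 1)[-1] in ACTIVE_REL_TYPES:
            root.remove(rel)
    return ET.tostring(root, encoding="UTF-8", xml_declaration=True)


def extract_safe_copy(doc_bytes):
    """Rebuild the package from its safe parts. Returns (clean_bytes, removed_part_names)."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(doc_bytes)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        dropped = {n for n in src.namelist() if ACTIVE_PARTS.search(n)}
        for name in src.namelist():
            if name in dropped:
                continue
            data = src.read(name)
            if name == "[Content_Types].xml":
                data = _clean_content_types(data, dropped)
            elif name.endswith(".rels"):
                data = _clean_relationships(data, name, dropped)
            dst.writestr(name, data)
    return out.getvalue(), sorted(dropped)


def read_parts(doc_bytes):
    """Inspection helper: part name -> bytes."""
    with zipfile.ZipFile(io.BytesIO(doc_bytes)) as z:
        return {n: z.read(n) for n in z.namelist()}


def build_sample_docm():
    """Constructed sample (not a file from the page): a minimal .docm with a VBA
    project, an embedded OLE object and a hyperlink that must survive extraction."""
    ole_stub = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 8  # OLE2 magic, dummy body
    parts = {
        "[Content_Types].xml": f'<Types xmlns="{CT_NS}">'
            '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
            '<Default Extension="xml" ContentType="application/xml"/>'
            '<Default Extension="bin" ContentType="application/vnd.ms-office.vbaProject"/>'
            '<Override PartName="/word/document.xml" ContentType="application/vnd.ms-word.document.macroEnabled.main+xml"/>'
            '<Override PartName="/word/embeddings/oleObject1.bin" ContentType="application/vnd.openxmlformats-officedocument.oleObject"/>'
            '</Types>',
        "_rels/.rels": f'<Relationships xmlns="{REL_NS}"><Relationship Id="rId1" Type="http://schemas.openxmlformats.org/'
            'officeDocument/2006/relationships/officeDocument" Target="word/document.xml"/></Relationships>',
        "word/document.xml": '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
            '<w:body><w:p><w:r><w:t>Invoice attached</w:t></w:r></w:p></w:body></w:document>',
        "word/_rels/document.xml.rels": f'<Relationships xmlns="{REL_NS}">'
            '<Relationship Id="rId1" Type="http://schemas.microsoft.com/office/2006/relationships/vbaProject" Target="vbaProject.bin"/>'
            '<Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" Target="embeddings/oleObject1.bin"/>'
            '<Relationship Id="rId3" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink" Target="https://example.com/" TargetMode="External"/>'
            '</Relationships>',
        "word/vbaProject.bin": ole_stub,
        "word/embeddings/oleObject1.bin": ole_stub,
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in parts.items():
            z.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    clean, removed = extract_safe_copy(build_sample_docm())
    print("removed:", removed)
    print("kept:", sorted(read_parts(clean)))
```

The point the code makes is that reconstruction works from an allow-list of known-safe parts rather than from recognizing anything malicious, which is why it does not depend on the specific malware. A production version needs more than this: DDE fields live inside document.xml itself, attached-template and other external references sit in the settings relationships, and rendering dynamic content to a static view is a separate step.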
We trace the whole path and can see everything along it.
You see the investigation trigger (which was the attempt to reach out to a C&C server).
It traced back to the original point of infection and identified the point of entry (someone browsing with Chrome, and specifically the website they visited).
The system rebooted, and we can see what happens when the dropper installs the malware that was waiting for the reboot.
It sees when the system was scheduled to execute it post-reboot, and the entry made in the task scheduler.
You see when it tried to execute the malware, when it tries to activate, and when it is picked up and blocked.
In other words, you can see the whole path.
This is a fairly simple case.
In a multi-stage attack this could happen over days or weeks and involve multiple pieces of malware executing and downloading further stages.
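The trace described above, as an added example in Python (not Check Point's forensics engine): given endpoint telemetry as a list of events, it starts at the blocked C&C connection, walks the process tree back to the browser download, and bridges the reboot through the scheduled task registration rather than through a parent pid, because pids are reused after a reboot and the post-reboot parent is just the Task Scheduler service host. The event schema, process ids, hostname and IP address are all constructed for this example.

```python
"""Infection-chain reconstruction from endpoint telemetry (example code written for
this page, not Check Point's forensics). The trace starts at the blocked C&C
connection and walks back to the browser download, crossing the reboot via the
scheduled task. All telemetry below is constructed; the schema is an assumption."""
from collections import defaultdict

SCHEDULE_SVC = "-s Schedule"  # command-line marker of the Task Scheduler service host

EVENTS = [  # constructed telemetry: TEST-NET IP, .example hostname, invented pids
    {"t": 1, "type": "process", "pid": 300, "ppid": 1, "image": r"C:\Program Files\Google\Chrome\chrome.exe"},
    {"t": 2, "type": "network", "pid": 300, "dst": "cdn.photos-share.example", "url": "http://cdn.photos-share.example/holiday.jpg.exe"},
    {"t": 3, "type": "file", "pid": 300, "op": "write", "path": r"C:\Users\bob\Downloads\holiday.jpg.exe"},
    {"t": 4, "type": "process", "pid": 410, "ppid": 300, "image": r"C:\Users\bob\Downloads\holiday.jpg.exe"},
    {"t": 5, "type": "file", "pid": 410, "op": "write", "path": r"C:\ProgramData\svc\updater.exe"},
    {"t": 6, "type": "task", "pid": 410, "task": r"\Microsoft\Windows\SvcUpdate", "action": r"C:\ProgramData\svc\updater.exe", "trigger": "ONSTART"},
    {"t": 7, "type": "boot"},
    {"t": 8, "type": "process", "pid": 520, "ppid": 88, "image": r"C:\Windows\System32\svchost.exe", "cmdline": "svchost.exe -k netsvcs -s Schedule"},
    {"t": 9, "type": "process", "pid": 611, "ppid": 520, "image": r"C:\ProgramData\svc\updater.exe"},
    {"t": 10, "type": "network", "pid": 611, "dst": "203.0.113.7", "port": 443, "verdict": "blocked", "reason": "known C&C"},
]


def index(events):
    """Key processes by (boot epoch, pid): pids are reused after a reboot."""
    boot, flat, procs, by_proc, tasks = 0, [], {}, defaultdict(list), []
    for ev in events:
        if ev["type"] == "boot":
            boot += 1
        ev = dict(ev, boot=boot)
        flat.append(ev)
        if ev["type"] == "boot":
            continue
        key = (boot, ev["pid"])
        if ev["type"] == "process":
            procs[key] = ev
        else:
            by_proc[key].append(ev)
            if ev["type"] == "task":
                tasks.append(ev)
    return flat, procs, by_proc, tasks


def trace_back(events, is_trigger):
    """Every event on the path from the entry point to the first trigger, in time
    order; [] when nothing matches."""
    flat, procs, by_proc, tasks = index(events)
    trigger = next((e for e in flat if e["type"] != "boot" and is_trigger(e)), None)
    if trigger is None:
        return []
    chain, seen = {id(trigger): trigger}, set()
    key = (trigger["boot"], trigger["pid"])
    while key in procs and key not in seen:
        seen.add(key)
        proc = procs[key]
        chain[id(proc)] = proc
        for ev in by_proc[key]:  # downloads, dropped files, task registration
            chain[id(ev)] = ev
        parent = procs.get((proc["boot"], proc["ppid"]))
        if parent and SCHEDULE_SVC in parent.get("cmdline", ""):
            # Started by the Task Scheduler: the real ancestor is the process that
            # registered a task running this image in an earlier boot epoch.
            chain[id(parent)] = parent
            task = next((t for t in tasks if t["boot"] < proc["boot"]
                         and t["action"].lower() == proc["image"].lower()), None)
            if task is None:
                break
            key = (task["boot"], task["pid"])
        else:
            key = (proc["boot"], proc["ppid"])
    boots = {e["boot"] for e in chain.values()}
    for ev in flat:  # include the reboot(s) the chain crossed
        if ev["type"] == "boot" and min(boots) < ev["boot"] <= max(boots):
            chain[id(ev)] = ev
    return sorted(chain.values(), key=lambda e: e["t"])


def entry_point(chain):
    """(image of the first process on the chain, URL it fetched) or None."""
    first = next((e for e in chain if e["type"] == "process"), None)
    if first is None:
        return None
    fetch = next((e for e in chain if e["type"] == "network"
                  and (e["boot"], e["pid"]) == (first["boot"], first["pid"])), None)
    return (first["image"], fetch.get("url") if fetch else None)


def describe(ev):
    what = {"process": lambda e: f"{e['image']} (pid {e['pid']}, parent {e['ppid']})",
            "network": lambda e: f"{e['dst']} {e.get('url', '')} {e.get('verdict', '')}".strip(),
            "file": lambda e: f"{e['op']} {e['path']}",
            "task": lambda e: f"registered {e['task']} -> {e['action']} ({e['trigger']})",
            "boot": lambda e: "system reboot"}[ev["type"]](ev)
    return f"t={ev['t']:<3} boot={ev['boot']} {ev['type']:<8} {what}"


if __name__ == "__main__":
    chain = trace_back(EVENTS, lambda e: e.get("reason") == "known C&C")
    for ev in chain:
        print(describe(ev))
    print("entry point:", entry_point(chain))
```

Over days or weeks the same walk applies, except that each bridge (a task, a service install, a run key) needs its own rule like the one for the Task Scheduler, and without the (boot, pid) key the trace would silently attach to whatever unrelated process reused the pid after the reboot.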
We know security can be complex to implement. Our management system translates your security strategy into reality with unified policy and event management, known in the industry as the management gold standard. This management system provides end-to-end visibility that enables our customers to react quickly to any event affecting their network, and also enables them to prevent threats better.
Because our management is unified and the visibility and policy components are linked together, an administrator can, in a single step, click on a security event and convert it into a new security rule.
Also, based on third-party analyst research, Check Point requires fewer people than any other security vendor to manage an extensive network of security gateways.