Presentation by Zahier Madhar from Check Point Software Technologies at Infosecurity.nl for Motiv

1. ©2015 Check Point Software Technologies Ltd. 1
We’ve come a long way…
[Protected] Non-confidential content
From This:
Disney Epcot Spaceship Earth
Photo by Jeff Krause

2. ©2015 Check Point Software Technologies Ltd. 22©2014 Check Point Software Technologies Ltd.[Protected] Non-confidential content

3. ©2015 Check Point Software Technologies Ltd. 3
We’ve come a long way…
[Protected] Non-confidential content
To This:
Inside Google Data Centers.
Photo by Connie Zhou

4. ©2015 Check Point Software Technologies Ltd. 4©2015 Check Point Software Technologies Ltd.
Zahier Madhar | Security Engineer
EVOLVING THREAT
LANDSCAPE

5. ©2015 Check Point Software Technologies Ltd. 5
Why?
Bank robber, Willie
Sutton famous
answer when he was
asked why he robbed
banks:
“That’s where the
money is!”

6. ©2015 Check Point Software Technologies Ltd. 6
Today..
• Banks don’t store that large amounts of money anymore..
• Coins and notes are used less due to plastic cards
• Most money transactions are initiated from a personal
computer
• A different approach is needed to steal your money
̶ or information that is valuable and be sold..
• This is where bots takes over!
• In most cases their purpose is to steal or make money
̶ Bots are organized crimes latest tools

7. ©2015 Check Point Software Technologies Ltd. 7
High
Low 1980 1985 1990 1995 2000+
password guessing
self-replicating code
password cracking
exploiting known vulnerabilities
disabling audits
back doors
hijacking
sessions
sweepers
sniffers
packet spoofing
GUI
automated probes/scans
denial of service
www attacks
Tools
Attackers
Intruder
Knowledge
Attack
Sophistication
“stealth” / advanced
scanning techniques
burglaries
network mgmt. diagnostics
distributed
attack tools
Cross site scripting
Staged
attack
Zero Day
Source: CERT
Sophistication Continues To Evolve

8. ©2015 Check Point Software Technologies Ltd. 8©2015 Check Point Software Technologies Ltd.
THE CYBER WAR IS
RAGING ON
“It's a CAT-AND-MOUSE game
We try to stay ahead.
People will try to break in,
and it's our job to STOPthem breaking in.”
Steve Jobs

9. ©2015 Check Point Software Technologies Ltd. 9
Known Unknown Back Again!
• IPS/Anti Virus work by:
̶ Looking for specific patterns
̶ Enforce compliance of protocols to standards
̶ Detect variations from the protocols
• Attackers evade signature based detection by
obfuscating the attacks and creating attacks variants
• So how tough is it?
̶ Zeus and SpyEye ‘builder’s, generating Zeus or Spyeye
variants in a click, are sold at 1-10K$
̶ www.styx-crypt.com will obfuscate HTML, Javascript,
Executable files, PDF & Flash files at 5-25$ per file, quantity
discounts apply.

10. ©2015 Check Point Software Technologies Ltd. 10
Protecting Against Such Attacks
Reputation
based
 Sender email addresses / mail server IP
 MD5 of the PDF or malware
 Ineffective against targeted attack –
no reputation data
Signature
based
 Match on the exploit
 Match on the malware
 Match on the CnC communication
 Limited due to lack of prior knowledge,
variants and obfuscation
[Protected] For public distribution
The multi-million dollar question:
How can we protect against the
known unknowns?

11. ©2015 Check Point Software Technologies Ltd. 11
Let’s Talk About Food
• What would you do if you were given a fruit you didn’t know?
How can you know it isn’t dangerous?
• You should definitely look in the encyclopedia (or Google)
• But what would you do if it’s not listed?
• You can hire someone to examine it in a lab
̶ Very time consuming & expensive
• But you can also give it to a monkey
̶ Usually it gives a good answer
̶ But monkeys are cute
We DO NOT endorse experiments on animals.
(No animal was harmed in any way during the development
of the Threat Emulation Software Blade)
Our ‘monkeys’ don’t have feelings.
We can guarantee that.

12. ©2015 Check Point Software Technologies Ltd. 1212©2014 Check Point Software Technologies Ltd.
Know
Knows
Know
Unknowns
Unknown
Unknowns
Threats we
know we know
Threats we know we
don’t know
Threats we don’t
know we
don’t know
ANTI VIRUS
ANTI BOT
IPS
NEXT GEN SANDBOX
ANTI BOT
[Confidential] For designated groups and individuals
THE THREATS WE NEED TO PREVENT

13. ©2015 Check Point Software Technologies Ltd. 13[Confidential] For designated groups and individuals
Vulnerability
Trigger an attack with
unpatched software or
zero-day vulnerability
Malware
Run
malicious
code
Attack Infection Flow
Exploit
Run an embedded
payload by evading
the CPU
Shellcode
Run a small
payload to
activate malware
[Confidential] For designated groups and individuals

14. ©2015 Check Point Software Technologies Ltd. 14[Confidential] For designated groups and individuals
Vulnerability
Malware
Stop Attacks at the
First Point of Contact
Shellcode
Thousands
Millions
Exploit HANDFUL
DETECT THE ATTACK
BEFORE IT BEGINS
Identify the exploit itself instead of
looking for the evasive malware
[Confidential] For designated groups and individuals

15. ©2015 Check Point Software Technologies Ltd. 15[Confidential] For designated groups and individuals
Vulnerability
Malware
Focus on Malware in its Infancy
Shellcode
Thousands
Millions
Exploit HANDFUL
HIGHLY SOPHISTICATED
EXPLOIT DETECTION
ENGINE
Based on real-time
CPU-level analysis
[Confidential] For designated groups and individuals

16. ©2015 Check Point Software Technologies Ltd. 16
Unprecedented real-time prevention against
unknown malware, zero-day and targeted attacks
WHAT IS THE NEXT GENERATION SANDBOX?
Sandbox with CPU-
Level Detection
Evasion-
resistant
malware
detection
Threat Extraction
Prompt
Delivery of safe
reconstructed
files

17. ©2015 Check Point Software Technologies Ltd. 17
A STANDARD CV?
Emulation @ Work

18. ©2015 Check Point Software Technologies Ltd. 18[Restricted] ONLY for designated groups and individuals
THREATEXTRACTION
CPU-Level Detection
Catches the most sophisticated malware
before evasion techniques deploy
O/S Level Emulation
Stops zero-day and unknown malware
in wide range of file formats
Malware Malware
Original Doc
Safe Doc
Threat Extraction
Deliver safe version of content quickly
SANDBLAST
ZERO-DAY PROTECTION

19. ©2015 Check Point Software Technologies Ltd. 19
Threat Extraction
Document Reconstruction
Original
Document
Document
Reconstructed
Safe Copy of
Document
Reconstructed
safe copy of
documents
Delivered
immediately
Customizable
Protection
Level
[Restricted] ONLY for designated groups and individuals​

20. ©2015 Check Point Software Technologies Ltd. 20
Threat Emulation
Exploit Detection and Prevention
Original
Document
Document is sent for
sandboxing, where it
is opened and
inspected
Original
Document
If no infection
found
Prevent Zero-Day
Attacks
Constantly Update
ThreatCloud
If infected with unknown Malware
-Document is deleted,
-ThreatCloud is updated,
-Admin is notified
Attack is PREVENTED
[Restricted] ONLY for designated groups and individuals​

21. ©2015 Check Point Software Technologies Ltd. 21
VISIBILITY INTO ATTEMPTED ATTACKS
File System
Activity
System
Registry
System
Processes
Network
Connections
Abnormal file activity
Tampered system registry
Remote Connection to
Command & Control Sites
“Naive” processes created

22. ©2015 Check Point Software Technologies Ltd. 22
PROVIDING CLEAN FILES
[Restricted] ONLY for designated groups and individuals
B E F O R E A F T E R
Malware activated Malware removed

23. ©2015 Check Point Software Technologies Ltd. 24©2015 Check Point Software Technologies Ltd.
THANK YOU