Ochrana pred modernými malware útokmi

©2015 Check Point Software Technologies Ltd. 1©2015 Check Point Software Technologies Ltd.
Peter Kovalcik| SE Eastern Europe
OCHRANA PRED
MODERNYMI
MALWARE UTOKMI

©2015 Check Point Software Technologies Ltd. 2
Do you think is easy to get hacked ?

Command
and Control
Attack scenario
Website
with injected iframe
Metasploit
Exploit + Payload
Spear-phishing email
1. 2.
3.
4.
Demo: Detect-only

Top vulnerable software

Top vulnerabilities 2014
HEARTBLEED
- flaw in the open-source OpenSSL cryptographic library. This allows attackers to eavesdrop on
communications, steal data directly from the services and users and to impersonate services and
users.
SHELL SHOCK
- flaw in the open-source BASH (Bourne Again SHell). The Shellshock flaw gave an attacker the ability
to execute arbitrary commands on vulnerable servers.
POODLE
- vulnerability in the SSL 3.0 cryptographic protocol that can enable an attacker to access and read
encrypted communications
Other vulnerabilities
- Home routers, iOS, Android, Flash, Java, Firefox, Chrome, Mozilla, Sandworm, Wordpress, Internet
Explorer, Microsoft Office, Apple OSX, SCADA systems

9 hours
Check Point
22 hours
Check Point
18 hours
Check Point
PAN
4 days
Fortinet
5 days
PAN
29 days
Fortinet
14 days
PAN
TBD days
Fortinet
10 days
30 hours
Check Point
PAN
10 days
Fortinet
9 days

Top security incidents 2014
Data breaches
- Sony – 25GB of sensitive data, 33 000 documents, passwords, executive emails, privacy data of
actors and employees.
- Home Depot -56 million payment card details and collected 53 million email addresses, breach
cost 62 Million USD. POS malware targeting MS Windows embedded OS.
- Dropbox leak – 7 million Dropbox username/password pairs leaked
- Others: eBay, iCloud, Xiaomi, Hospitals, …
Political driven
- Snake – Russian cyber-espionage malware targeting mostly Eastern Europe, but also in the US, UK
and other Western European countries. Leverage on watering hole + spear-phishing attack
targeting zero-day vulnerabilities (PDF, Java, IE).
- National hacking – ISIS, France, USA, North Korea, Russia, China
SCADA systems
- Energetic Bear & Dragon Fly (Havex malware)
- Target: Energy Industry in US and Europe (Spain, France, Italy, Germany, Turkey, Poland)
- Attack vector: spear-phishing, watering hole, APT, RAT tools, Trojanized SW
- 70% of EU energy companies are assume to be still infected

Top security incidents 2014
Ransomware
- Cryptolocker – encrypts disk files + connected network shares. Delivered mostly through spear-
phishing email.
- Banking trojans – stealing banking credentials.
Czech Computer Security Incident Response Team (CSIRT)
- Number of reported incidents increased from 495 (2013) to 939 (2014)
- Reported incidents: Data leaks, Ransomware, Spear-phishing, Trojans, Botnet incidents, Zero-day
malware, Banking trojans, Home routers, Espionage (DragonFly - SCADA)

Cyber-Attack cost
Monetary Losses
- Additional expense of credit monitoring and identity protection services provided to customers.
- Loss of current and future revenue from existing customers.
- Government fines associated with violation of industry regulations.
- Legal defense fees associated with litigation.
- Cost of insurance and implementation of electronic countermeasures to detect future attempts.
Non-Financial Losses
- Damage to your company’s brand and reputation in the market.
- Prolonged court cases which distract from business focus.
- Theft of company secrets or intellectual property including manufacturing processes, competitive intelligence,
company growth plans and strategic initiatives.
- Loss of focus on product development/competitiveness while time is spent cleaning up the mess.
2015 Global State of Information Security Survey® conducted by PwC

©2010 Check Point Software Technologies Ltd. | [Restricted] ONLY for designated groups and individuals
Stuxnet: Ako získať kontrolu nad jadrovou elektrárňou

198 Bezpečnostných incidentov
Zdroj: US ISS-CERT

14©2013 Check Point Software Technologies Ltd. | [Restricted] ONLY for designated groups and individuals |
SCADA devices were not
designed for security and
are vulnerable
Why attacks can happen?
1
Programmable
Logic
Controller

15©2013 Check Point Software Technologies Ltd. | [Restricted] ONLY for designated groups and individuals |
PLC Vulnerability Example
Published by Digital Bond in January 2012
Firmware
Best Config
Web
Fuzzing
Exhaustion
Undoc Features
Backdoors
Ladder Logic
N/A N/A
"x" indicates the vulnerability is
present in the system and is
easily exploited
“!” indicates the vulnerability
exists but exploit is not available
“v” indicates the system lacks
this vulnerability.

http://hackmageddon.com/2015-cyber-attacks-timeline-master-index/
Cyber jungle out there

DIY Attacks
Anyone Can Launch a DDoS Attack

If you cannot do it, you can buy it!
Rental costs
• One day – 50$
• Up to 1 month – 500$
• 3 month – 700$
Available
Online
Now!

Should I take care ?
Yes -> do the PoC

Spear-phishing in CZ
Infikovana priloha - Instaluje bankovy trojan

“Dopisy od banky”
Infikovana priloha - Instaluje Trojan

“Exekutori” campaign v CR
Infikovana priloha - Instaluje Trojan
Zasiahol desiatky tisic ludi

Infikovana priloha - Instaluje Cryptolocker, popripade iny Malware/Trojan

Magic 5
• 5 188 740 554 cyber-attacks on user computers and
mobile devices in 2013
• Every 5th computer is infected every day
• Antivirus cannot detect ~55% of malware

Exploiting Zero-day vulnerabilities
New vulnerabilities Countless new variants
“nearly 200,000 new malware samples appear
around the world each day”
- net-security.org, June 2013

Joseph_Nyee.pdf
A STANDARD CV?
Joseph H. Nyee Resume Report
File System
Activity
System
Registry
System
Processes
Network
Connections
Abnormal file activity
Remote Connection to
Command & Control Sites
Tampered system registry
“Naive” processes created
Threat Emulation @ Work

Local Emulation Mechanisms
Architectural overview
[Confidential] For designated groups and individuals
Kernel User Space
CoreXL
instance
CoreXL
instance
VM_M
DLPU
instance
DLPU
instance
TE_CLI
TED – Threat Emulation Daemon
Resource Guard
Policy
DB
Static Analysis
Emulation Manager
Logging
Sharing with Check Point
Statistics
VM
Controller
Agent
Controller
Activity
Detection
Forensics
gatherer
UserSpace
VM
Operation
System
CP Agent
Parsers
Parsers

NOVINKY
Threat Extraction
CPU-Level emulation

Today’s Solutions Leave Gaps
ANTI-VIRUS
Catches known
or old malware
Of known malware, 71 in
1000 are not caught
ANTI-VIRUS
Catches known
or old malware
Of known malware, 71 in
1000 are not caught
ZERO-DAY
PROTECTION
Detects new and
unknown malware
5 in 100 instances of unknown
malware go undetected
ZERO-DAY
PROTECTION
Detects new and
unknown malware
5 in 100 instances of unknown
malware go undetected
100%
SECURITY
GAP

Zero Malware Documents
CHECK POINT
T H R E AT E X T R A C T I O N
CHECK POINT
T H R E AT E X T R A C T I O N
Original Document Document Reconstructed
Zero Malware
Document

Case Study: Infected PDF Luring Defense Officials
Threat Extraction + Threat Emulation Deployed
Conference Invitation (PDF)
Infected with Malware
Zero Malware Files and Attack Visibility
1
Infected PDF designed exactly
like official document
Infected PDF designed exactly
like official document
2
2
Zero Malware
Reconstructed PDF
Zero Malware
Reconstructed PDF
Administrator alerted of the
attack
Administrator alerted of the
attack
Threat Extraction
Threat Emulation

CPU-Level Detection Focus
• Detect the attack before it begins
̶ Limit the attacker’s ability to
employ sandbox evasion techniques
• Detect in a narrow playground
̶ Only a handful of exploitation
methods exists
̶ Compare with endless number of
vulnerabilities, malware and
evasion techniques
Vulnerability
Exploit
Malware
Shellcode
Focus on identifying the use
of exploitation methods

Hyperwise Technology Advantages
• Highest accuracy
̶ Detection is outright, not based on heuristics or
statistics
• Evasion-proof
̶ Detection occurs before any evasion
can be applied
• Efficient and fast
̶ CPU-level technology identifies the
attack at its infancy
• OS Independent
̶ Detection occurs at the CPU level
Hypervisor
CPU
CPU-level Sandbox
WindowsXP
Windows7(32bit)
Windows7(64bit)
WindowsServer2012
MacOSX10.9
CentOS7

How do we test zero-day
catch-rate and effectivity

The Unknown 300 Test
Lab Setup
VirusTotal queried for pdf, doc and portable executable files
detected as malicious by more than 10 antivirus engines
300 known malware files randomly selected (120 pdf, 120 exe, 60
doc) and transformed into unknown malware files
New 300 unknown malware files were then tested to simulate the
reality of a user downloading an infected file

Typical Use Case Scenario
Email
received
by HR
HR Opens Enclosed
RESUME document
HR Opens Enclosed
RESUME document
Hacker
sends
Email
Encloses malicious
RESUME document
Encloses malicious
RESUME document
Company-wide
network infected
Company-wide
network infected
Malware
propagates
laterally

The Zero Second Test
• Email with malicious unknown PDF malware sent every minute to the employee
workstation
• Unknown PDF malware can be detected by all vendors in their sandbox solution
• Test measured how long it takes to block the email from entering the network

Test Results for Detecting and Blocking
Malware
Check Point: Industry’s Fastest Threat Emulation!

How long does it take to prevent a detected
unknown malware?

Meircom Advanced Threat Prevention
Report, November 2014

How to protect against cyber-threats?

(pre) Stop zero-day (unknown)
malware in files
(pre) Block download of
known malware infested files
(post) Detect and prevent
bot damage
(pre) Stops exploits of
known vulnerabilitiesIPS
Anti-Bot
Antivirus
TE + TEX
Check Point Multi-Layered
Threat Prevention

Protections Out-of-the-box in
IPS Software Blade
CVE-2013-2471
All IPS Software Blade
customers can activate
protections for this
exploit.

Threat Prevention - Protections
Automate your security

Zero-day and Unknown malware

Immediately applied policies

Threat Emulation

Analytic tools
Suspicious source = HankHash-laptop (192.168.86.4)

Consolidate reporting and visibility

Ako Vám vieme pomôcť

Proven leadership and Best protection in a security
market
Full & unified threat prevention solution
How Check Point help you

SECURITY CHECKUP
THREAT ANALYSIS REPORT

DATA LOSS
INCIDENTS
BANDWIDTH
ANALYSIS
COMPLIANCE
& SECURITY POLICY CHECK
THE REPORT
RISKY WEB APPLICATIONS
AND SITES
MALWARE INFECTED
COMPUTERS
EXPLOITED
VULNERABILITIES

60©2014 Check Point Software Technologies Ltd. [PROTECTED] — All rights reserved.
Summary
Security trends -> Malware and Exploits on the rise
Unknown attacks -> 45% of all attacks
Protection against financial loss cause by cyber attacks
Check Point for You -> consolidated and effective
security solution

Ochrana pred modernými malware útokmi

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (20)

Similar to Ochrana pred modernými malware útokmi

Similar to Ochrana pred modernými malware útokmi (20)

More from MarketingArrowECS_CZ

More from MarketingArrowECS_CZ (20)

Recently uploaded

Recently uploaded (20)

Ochrana pred modernými malware útokmi