SOFTCAMP SHIELDEX SaniTrans Mail

Contents
 Biz Challenge
 SaniTrans Mail Introduction
 Major Function
- Content Disarm & Reconstruction
- SaniMail
- Management
 SHIELDEX module List & Reference
 Architecture

- 3 - © 2015 SoftCamp Co., Ltd. All rights reserved.www.softcamp.co.kr
l APT (Advanced Persistent Threat)
 APT has a long latent period depending on the attacker’s plan and by dominating the internal system of the company,
confidential information is leaked.
 The recent APT attackers not only do not stop at stealing information but destroy the internal system, resulting in huge national
and industrial losses.
Cases of APT attacks
2010 2011 2012
Operation Aurora
 January 2010
 Over 30 companies including Google,
Dow Chemical and others
 Leakage of company’s confidential
information such as source code and
others
Stuxnet
 September 2010
 SCADA Nuclear Plant in Ira
 Operation of nuclear power
plant suspended
Knight Dragon
 February 2011
 Website of gas, gas, petrochemical
companies
 Damage undisclosed
Operation Aurora
 March 2011
 EU Commission server at Brussels,
Belgium
 Damage undisclosed
SONY PSN Hacking
 April 2011
 SONY PlayStation Network
 Leakage of personal information of 77
million subscribers, 2 months suspension
of service
APPSILON E-mail Infringement
 April 2011
 Email account of Appsilon customers
 Email of 50 client companies such as Citibank, Disney
and others seized
Biz Challenge

l Amount of spam mail sent and APT attack routes
- 4 -
Out of all APT infection routes, infection through simple
Web Surfing only takes up 11.8%
 More than 66% of emails sent worldwide and more than half of the emails sent in Korea are spam mail.
 APT attack through email is approximately 8 times higher than web and takes up 87% of the entire APT attack routes.
66%
World
Ratio of spam mail out of the emails sent worldwide Spam mail out of emails sent in Korea Out of APT cases, ratio of attack through email APT
66%
Korea
87%
APT
Biz Challenge

l APT attack cases through mail
- 5 -
 After a particular target is set, the attacker applies social engineering technique with high possibility of viewing mail to send
mails with malignant code attached.
Biz Challenge
Control Program(Latest-w2).hwp
(Shellcode)
3. Upon opening of HWP file, malignant code is
created at %TEMP% by attacking weakness
tem
p
Malignant code created
MBR
deleted
File
destroyed
Gateway service
rejected
Activated after December 11st 2014, 10:00
DLL injection of malignant code
Service created
1. Malignant HWP distributed through email
2. Open
document
4. Malignant code created at %TEMP%
6. Service created for continuous
execution
7. Malignant code becomes
active after a particular time
5. Self-deletion
Flow chart of internal APT attack at Korea Hydro & Nuclear Power

- 6 - © 2015 SoftCamp Co., Ltd. All rights reserved.www.softcamp.co.kr 6
l Limitation in existing solution
 The existing spam prevention solution and vaccine security method is impossible to react effectively against APT and to prevent
it in advance.
 Excessive amount of log makes analysis impossible or inconvenient
 Monitors all actions of all programs
 Absence of early detection or countermeasure method
 APT attack is latent at normal times and starts attack temporarily at
a particular time
 Malignant code erases all its traces after completing an attack so it is
difficult to track the cause and inflow route
 Unprotected with regards to APT attack/new malignant code
 In case of malignant code, the existing pattern takes up 20% but
new types of malignant code take up 80%
 Post-countermeasure instead of preliminary countermeasure
 Producers of virus or APT malignant code inspects malignant code in
the existing virus vaccine then distributes
 Impossible to take measures beforehand with regards to targeting
attack and advanced attack
80%
New malignant code
Existing pattern
20%
<Attack pattern becoming diverse and advanced>
<Difficult to track and monitor malignant code>
Limitation in monitoring/forensic solutionLimitation in pattern analysis
Biz Challenge

l SaniTrans Mail
 SaniTrans Mail executes sanitization with regards to the context and attachment of incoming external mail and by eliminating
malignant contents, this solution allows safe mail and attachment to be received within the customer company.
SaniTrans Mail Introduction
SHIELDEX SaniTrans
Appliance
Mail and attachment
received
Sanitizes context
and file
Receives external mail Mail sanitization Clean contents allowed

l Differentiated from the existing solution
 SaniTrans Mail uses contents structure analysis method that only extracts Visible Contents to re-produce documents, unlike
the detection of malignant code that uses the existing Static Analysis and Dynamic Analysis and is optimized to respond to
malignant code in document file format.
Document sanitization-contents analysis
inspection method
Analysis method of existing APT countermeasure solution
Static Analysis
Compares/detects
• Saves the malignant code’s pattern and
file information in DB and inspects by
comparing it
• In case of incoming Unknown malignant
code that has not been updated in the DB,
detection fails, and is unprotected with
regards to new malignant code until DB is
updated
Signature
/Pattern
Database
Dynamic Analysis
Executed in
Virtual environment
VM1 VM2 VM3
VM4 VM5 VM6
VM7 VM8 VM9
• Several virtual environments similar to
the Client environment are created and
file is directly executed for detection
• Environment that is exactly the same as
that of the Client cannot be created and
is impossible to detect malignant code
with time setting, VM environment
detection malignant code
<Structure of *.pptx file>
• Checks the structure of document file and inspects the
contents within the document file
• Only safe contents that are essential for delivering
information, such as Chart, SlideLayout, SlideMaster,
BodyText and others within the document file are
extracted to re-construct the document
• Optimized to countermeasure malignant code in
document file format that is recently increasing
document type of malignant code
SaniTrans Mail Introduction

- 9 - © 2015 SoftCamp Co., Ltd. All rights reserved.www.softcamp.co.kr - 9 -
 SaniTrans Mail checks/removes Hyper Link in the context and whether Script is included within the Mail Context HTML.
 Downloads and re-constructs Mail Context and Linked Image within HTML to re-construct the Mail Context in order to safely
protect the customer’s asset from attacking Web Site.
l Mail Sanitization
Major Function (Content Disarm & Reconstruction)
Sanitization of context
Sanitization of attachment
Re-constructs
document contents
Inspects and re-
constructs context
 Checks the structure of mail
context
 Inspects header structure
1. Format Verification
 Verifies the structure of all
document components such as
paragraph, chart, image, table
and others
2. Structure Analysis
 Extracts document components
 Verifies whether it is a correct
component
3. Component Extraction
 Verifies by re-constructing document
using extracted component
4. Re-Construction Verification

- 10 - © 2015 SoftCamp Co., Ltd. All rights reserved.www.softcamp.co.kr - 10 -
 Extracts only Visible Contents (text, image etc.) to re-construct into safe document and
eliminates Hidden Attachments contained in the document
 Sanitizes/examines main extension documents such as MS Office, PDF, HWP etc.
① Determines authenticity
② Extracts Visible Contents
③ Re-constructs contents and delivers to user
 SHEILDEXTM uses document file re-construction technology to inspect the attachment of mail then re-constructs it using safe
context before delivering it to the user.
 As for compressed files, the supported format within the compressed file is checked and after sanitization, it is re-compressed
then delivered to the user.
• General document: Converted normally and in case it contains macro/VB code and
others, they are eliminated before conversion
• Documents with malignant code: Due to the characteristics of documents with malignant
code, conversion does not take place normally
CDR
(Content Disarm & Reconstruction Technology)
CDR
CDR
l Attached Document Sanitization
SaniTrans Mail
Server

11
l Confirm the CDR processing result
 The success of examination/re-construction of context can be checked with “Sanitized by SHIELDEX” logo and “Result of
sanitization” at the top of the email.
Email screen after CDREmail screen before CDR
Original attachment before sanitization
`
`
`
Email contents and attachment re-constructed with
Clean Contents after sanitization

12
l Detailed processing results
 Clicking “Result of sanitization” link will connect the user to the webpage where the detailed results of sanitization can be
viewed.
 Information on the success of file sanitization, malignant file, removal of macro and others can be checked.
Detailed result of CDRMail screen after CDR
Email contents and attachment re-constructed with
Clean Contents after sanitization

13
l Resend original email
 In case original mail is needed, the mail can be received through the function, Request for re-sending of original.
Request for re-sending of original mail
1
2 3

14
l Encryption ZIP CDR function
 In case of encrypted ZIP file, once the relevant password is inserted, CDR is supported up to 1-Depth with regards to the files
inside the ZIP file.
Encryption ZIP CDR
1 2
3

Major Function (SaniMail)
15
l CDR domain setting function
 In SaniTrans Mail web console, the domain subject to CDR can be set. Mail that belongs to the set domain undergoes CDR
process and is allowed into the internal mail service.
 Multi setting is possible for CDR domain.
CDR domain setting

Major Function (SaniMail)
16
l SMTP relay function
 Once the priority level of MX record is adjusted, it can be connected to the existing mail server and through SMTP relay
function, only mails that have undergone CDR are delivered to the existing mail server.
SMTP relay
 SaniTrans Mail CDR processing
SHIELDEX SaniTrans Mail
Mail
Receiver
Mail
Sender Anti-spam
Server
FirewallRouter
Mail Server
(POP3, IMAP) Receive Mail
SMTP Relay
SHIELDEX SaniTrans Mail System

Major Function (Management)
17
l Management functions
 In admin console, current status of incoming per inflow type and statistics such as number of accumulated user/file can be
provided
 Provides various policy setting and logging management with regards to external incoming mail
Management functions

l Success Case
 In Korea, SHIELDEX is used in main military institutions, bank, government institutions and others and SHIELDEX is being
serviced in 10 local governments in Japan. Introduction and consultation are rapidly increasing with regards to local
governments and conglomerates in Japan.
SHIELDEX module List & Reference
Module Name Type Functions Reference Present state
SaniTrans Net Engine Document CDR
OO military institutions (2 places)
OO Bank
OO Provincial Office
FTMS
Engine,
IEEE cable & I/F
File transmission CDR (IEEE1394 connecti
on, approved incoming)
OO City Hall (Japan)
FTMS(Simplified) Appliance
Network folder monitoring file
transmission
Expected to be applied in 10 local
governments in the second half of
2017
SaniTrans Mail Appliance Mail context and attachment CDR
OO Press (Japan)
National Policy Project Company
(Japan)
OO City Hall (7 places, Japan)
50 services targeted in 2017 with OO
Cloud Service
Server Side Appliance Type

l Composition of SaniTrans Mail
SaniTrans Mail Console
Dashboard
Incoming mail/ File sanitization status
File control policy setting
SHIELDEX
SaniTrans Mail
Mail Receiver
Mail
Sender
Anti-spam
Server
Firewall
Router
Mail Server
(POP3, IMAP)
Router
Receive Mail
SaniTrans Mail sanitization
with regards to all Incoming
Mail
SaniTrans Mail Achitecture
Security
Manager
SMTP Relay

The power to do safely
The information herein is for informational purposes only and represents the curre
nt view of SOFTCAMP Co,. Ltd. as of the date of this presentation. Because SOFTCA
MP must respond to changing market conditions, it should not be interpreted to be
a commitment on the part of SOFTCAMP, and SOFTCAMP cannot guarantee the acc
uracy of any information provided after the date of this presentation.
ⓒ 1999-2017 SoftCamp Co., Ltd
All rights reserved. No part of this work covered by the copyright hereon may be
reproduced or used in any form or by any means -- graphic, electronic, or
mechanical, including photocopying, recording, taping, or information storage and
retrieval systems -- without written permission of SoftCamp Co., Ltd, Inc.,
SoftCamp, the traditional SoftCamp Logo, “SoftCamp Co., Ltd, Inc.,” “Document
Security,” “S-Work,” “MaxeOn,” “S-Work for Storage,” “SHIELDEX,” “Secure
Workplace,” and “Secure Keystroke” are trademarks of SoftCamp Co., Ltd. All
other trademarks mentioned herein are the property of their owners.
Printed in the Republic of Korea
SOFTCAMP Co., Ltd
http://www.softcamp.co.kr
(13487) 17, Pangyo-ro 228beon-gil, Bundang-gu, Seongnam-si, Gyeonggi-do, Republic of Korea
T. +82-1644-9366 M. gihyun.ahn@softcamp.co.kr

SOFTCAMP SHIELDEX SaniTrans Mail

More Related Content

Similar to SOFTCAMP SHIELDEX SaniTrans Mail

More from Softcamp Co., Ltd.

Recently uploaded

SOFTCAMP SHIELDEX SaniTrans Mail