Webinar: Why evasive zero day attacks are killing traditional sandboxing

1©2014. CYREN Ltd. All Rights Reserved. Proprietary and Confidential.©2016. CYREN Ltd. All Rights Reserved.©2016. CYREN Ltd. All Rights Reserved. This document and the contents therein are the sole property of CYREN and may not be transmitted or reproduced without CYREN’s express written permission.
Why Evasive Zero-day Attacks Are
Killing Traditional Sandboxing
Richard Stiennon, IT-Harvest
Lior Kohavi, Cyren

2©2014. CYREN Ltd. All Rights Reserved. Proprietary and Confidential.©2016. CYREN Ltd. All Rights Reserved.©2016. CYREN Ltd. All Rights Reserved.
Today’s Speakers
Richard Stiennon
Chief Research Analyst
IT-Harvest
Lior Kohavi
Chief Technology Officer
Cyren

 Trends in zero-day attacks
 The next generation of zero-day threat defense
 Q&A
Agenda

Richard Stiennon
Chief Research Analyst, IT-Harvest
Blog: www.csoonline.com/blog/stiennons-
security-scorecard
twitter.com/cyberwar
Threatscape 2016

• APT (espionage)
• Botnets (spam, DDoS)
• Droppers (data theft, ransomeware)
• Worms (sabotage)
• Backdoors (surveillance)
Malware at the Root of Most Threats

• Adversary knows what they want
• Where it is
• Who has it
• Will stop at nothing
Targeting of High Value Data

Starting in 2000 and persisting for at least ten
years: “over the years [Chinese hackers]
downloaded technical papers, research-and-
development reports, business plans, employee
emails and other documents”

Compromised Designs include:
• The advanced Patriot missile system (PAC-3)
• The Terminal High Altitude Area Defense (THAAD)
• Navy’s Aegis ballistic-missile defense system.
• F/A-18 fighter jet
• V-22 Osprey
• Black Hawk helicopter
• Littoral Combat Ship
• F-35 Joint Strike Fighter

A persistent,
relentless drive to
capture SecurID
seeds.
The RSA Attack, March 2011

”…at this time we are confident
that the information extracted
does not enable a successful
direct attack on any of our RSA
SecurID customers”
source: OPEN LETTER
http://www.sec.gov/Archives/edgar/data/790070/0001193125110
70159/dex991.htm
But Don’t Worry

• Tracking the same campaign for over a year
• Saw the escalation
• Cut off all access via RSA SecurID tokens
Lockheed Martin, May 2011

• Combine capabilities and existing presence with
ransomware and you get a recipe for disaster.
• From precision to scatter shot. Advanced
targeting techniques now applied to mass market.

• From October 2013 through February 2016, law
enforcement received reports from 17,642 victims.
• This amounted to more than $2.3 billion in losses.
• Since January 2015, the FBI has seen a 270 percent
increase in identified victims and exposed loss.
• One company lost $100 million
Whaling

Step 7 software DLL
Rootkit
DLL
original
Siemens Programmable Logic Controller
New data blocks added
s7otbxdx.dll s7otbxsx.dll
Cyber sabotage: Stuxnet

BlackEnergy Targets ICS
Vulnerable systems:
GE Cimplicity
Advantech/Broadwin
WebAccess
Siemens WinCC

But how do you know you have the right sandbox?
• Technology is moving too fast
• Attackers are evading sandboxes.
Sandboxes are required for zero day defense.
Detonation Chamber
Multiple environments
• Emulation
• VM
• Full application stack

X-47B makes first flight from
aircraft carrier
• Autonomous code will
shorten possible response
time from minutes/hours to
seconds.
• Preventing is going to be
only line of defense.
It is going to get much worse

Richard Stiennon
Chief Research Analyst
IT-Harvest
richard@it-harvest.com
Blog: Forbes Cyber Domain
twitter.com/stiennon

 Trends in zero-day attacks
 The next generation of zero-day threat defense
 Q&A
Agenda

Cyren sees a huge volume of threat traffic

Methods to defeat anti-malware tools
• Polymorphism
• Encryption
• Droppers
• Packers
But malware is becoming smarter
Methods to evade sandboxes
• Delayed Activation
• Out-wait the sandbox
• Sandbox Detection
• Identify files or registry keys that
indicate a virtual environment
• Human Interaction
• Look for human activity such as
mouse movement, page scrolling

1. Attackers exploit limited CPU cycles of appliances
• First generation sandboxes limited by time and processing power
2. Attackers know that every sandbox has limitations
• Some sandboxes are more effective at OS and registry analysis,
others at network behavior, etc.
3. Sandboxing is only one technique
• Effective threat detection requires multiple techniques
Hyper-evasive malware is killing sandboxing

1. Cloud-based
• Cloud-scale compute resources
• Massive visibility to the Internet threat environment (size matters)
2. Multi-layer
• Sandboxing
• Reputation
3. Multiple different types of sandboxes
Cyren’s vision for zero-day threat defense

27©2014. CYREN Ltd. All Rights Reserved. Proprietary and Confidential.©2016. CYREN Ltd. All Rights Reserved.
Cyren’s multi-layered security engine
URL Filtering
• 64 URL categories
• Zero-hour malware, phishing, C&C
Dynamic Web Reputation
• Risk calculation
• URL, IP, Host, Domain, ASN
• Big data analytics
Anti-Malware
• Signature and algorithmic scanning
• Heuristics and emulation
• Leverage email outbreak visibility
Cloud Sandbox Array
• Multiple sandboxes
• Recursive analysis
Known Threats
Unknown Threats

Dynamic Web Reputation Analysis – How it works
Host1
Host3
Host2
Domain1
Domain3
IP1
IP2
NS
BGP2
BGP1
ASN
Registrant
Domain2
 Reputation: A score (0-100) representing the likelihood of an accessed URL being malicious
 The higher the score, the greater the probability that the URL is malicious
 Goal: Calculate the reputation for known and unknown accessed URL/Host/Domain/IP
 Reputation calculation is based on relations between entities
 Files, URLs, Hosts, IPs, Domains, Registrants, ASN

Dynamic Reputation Sources
 Cyren GlobalView Security Cloud
 Half million points of presence
 Unified cloud, 19 DC’s worldwide
 Industry’s largest security
database
 17B transactions daily
 130M threats blocked daily
 600M users protected
 Fastest reaction time
 Threats identified and blocked
inside of 5-15 seconds
Web
Reputation
Anti-
Malware
Virus
Outbreak
Detection
Sandbox
Array
Link
Monitor
URL
Filtering
IP
Reputation
Anti-Spam

Cloud Sandbox Array – How it Works
Re-escalation
Pre-processing
Post-processing
Reporting
Incident
management
Static Analysis
Dynamic Analysis
Sandbox n
OS n
Browser n
Environment n
...
 Windows EXE
 MS Office
 PDFs
 Flash files
 Scripts
 Images
 ZIP files
OS Risk Evaluation Network Risk Evaluation
Run-time Environment Selection
Risk scoring
Sandbox 2
OS B
Browser H
Environment T
Sandbox 1
OS A
Browser G
Environment S
Not Malicious Malicious
GlobalView
Intelligence

CYREN Advanced Malware Analysis Vizualization
DEMO

Facebook tagging trick

• Friend mentioned you in a comment

• Redirect you to downloading JSE file from google drive

• The javascript file

The End

Questions?
Lior Kohavi
lior.kohavi@CYREN.com
Richard Stiennon
richard@it-harvest.com

40©2014. CYREN Ltd. All Rights Reserved. Proprietary and Confidential.©2016. CYREN Ltd. All Rights Reserved.©2016. CYREN Ltd. All Rights Reserved. This document and the contents therein are the sole property of CYREN and may not be transmitted or reproduced without CYREN’s express written permission.
APPENDIX
40

CYREN Advanced Malware Analysis Vizualization

Webinar: Why evasive zero day attacks are killing traditional sandboxing

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Webinar: Why evasive zero day attacks are killing traditional sandboxing

Similar to Webinar: Why evasive zero day attacks are killing traditional sandboxing (20)

More from Cyren, Inc

More from Cyren, Inc (12)

Recently uploaded

Recently uploaded (20)

Webinar: Why evasive zero day attacks are killing traditional sandboxing