1 / 41

Defeating Modern Attacks With Threat Prevention Innovation

Defeating Modern Attacks With Threat Prevention Innovation . Thierry Karsenti Europe Technical Director. Enterprises in a vulnerable world. APT. Botnet. HACKTIVISM. Data Leakage . Policy Violations . Social Engineering . 3 steps of modern attacks. FIND THE WEAKEST LINK.

huela
Download Presentation

Defeating Modern Attacks With Threat Prevention Innovation

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Defeating Modern AttacksWith ThreatPrevention Innovation Thierry KarsentiEurope Technical Director

  2. Enterprises in a vulnerable world APT Botnet HACKTIVISM Data Leakage Policy Violations Social Engineering

  3. 3 steps of modern attacks FIND THE WEAKEST LINK GETACCESS EXTRACTDATA

  4. Designing an attack FIND THE WEAKEST LINK

  5. Designing an attack FIND THE WEAKEST LINK

  6. Top Vulnerable Applications in 2012 Adobe Reader Java Microsoft Office • 30 Critical vulnerabilities • 17 Critical vulnerabilities • 16 Critical vulnerabilities Adobe Flash Firefox Internet Explorer • 57 Critical vulnerabilities • 91 Critical vulnerabilities • 14 Critical vulnerabilities

  7. WOULD YOU OPEN THIS ATTACHMENT? “Over 90% of targeted emails use malicious file attachments as the payload or infection source” Wall Street Journal Nov, 2012

  8. Get to know your target Who works there? What department? What responsibility? Lucy Smithin HR Where in the hierarchy? What suppliers/clients?

  9. Figure out the contact details Press enquiries should be directed atfirstname.lastname@company.com lucy.smith@company.com

  10. Create a hook Names of friends Names of clients, suppliers Works with John Brown as an HR subcontractor Social interests

  11. The attack path DROPZONE Attachment exploitsvulnerability Attackerextractsdata Attacker sends email CEO ATTACKER Attacker identifies targetthroughsocial engineering Emailis letthrough Attackerexploresnetwork

  12. From the news…. – PC Mag (Mar, 2011) – CNET (Feb, 2013) RSA Hack Hits Lockheed, Remote Systems Breached e-card arrives with malicious attachment containing Backdoor.Trojan.

  13. Multi-Layered Threat Prevention • WHAT ABOUTNEW ATTACKS? IPS • Stops exploits ofknown vulnerabilities Anti-Bot • Detect and preventbot damage Antivirus • Block download ofmalware infested files

  14. Multi-Layered Threat Prevention • IT ONLY DEALS WITH THE • KNOWN IPS Anti-Bot Antivirus

  15. Multi-Layered Threat Prevention • HOW TO DEAL WITH THE • UNKNOWN ? IPS Anti-Bot Antivirus

  16. Known Unknowns – Top Vulnerable Applications in 2012 We knowthat in the upcoming year 200–300 new currently unknownvulnerabilities will be discovered in popular business applications Adobe Reader Java Microsoft Office • 30 Critical vulnerabilities • 17 Critical vulnerabilities • 16 Critical vulnerabilities Adobe Flash Firefox Internet Explorer • 57 Critical vulnerabilities • 91 Critical vulnerabilities • 14 Critical vulnerabilities

  17. TARGETED ATTACKS BEGIN WITH ZERO-DAY EXPLOITS Duqu Worm Causing Collateral Damage in a Silent Cyber-WarWorm exploiting zero-day vulnerabilities in a Word document

  18. IntroducingCheck Point Threat Emulation PREVENTION OF ZERO-DAY ATTACKS !

  19. INSPECT EMULATE PREVENT SHARE Stop undiscovered attacks with Check Point Threat Emulation

  20. INSPECT Identify files in email attachments and downloads over the web Upload file to virtual sandbox in the cloud or on local appliance Exe files, PDF and Office documents

  21. Threat Emulation Deployment Options Local Emulation Appliance Threat Emulation Cloud Service Security Gateway R77

  22. Emulating Multi OS environments WIN 7, 8, XP & user customized EMULATE • Monitored behavior: • file system • system registry • network connections • system processes Open file and monitor abnormal behavior

  23. Joseph H. Nyee Resume Report Threat Emulation in Action Abnormal file activity A STANDARD CV? Remote Connection to Command & Control Sites Tampered system registry Joseph_Nyee.pdf “Naive” processes created File System Activity System Registry System Processes Network Connections

  24. Joseph H. Nyee Resume Report Threat Emulation in Action Abnormal file activity A STANDARD CV? Remote Connection to Command & Control Sites Tampered system registry Joseph_Nyee.pdf “Naive” processes created File System Activity System Registry System Processes Network Connections

  25. PREVENT Inline stopping of malicious files on any gateway Security Gateway

  26. SHARE Immediate update of all gateways

  27. Boosting the Collaborative Power of ThreatCloud CnC servers Malware Hashes Real-time sharing for immediate Protection

  28. INSPECT EMULATE PREVENT SHARE Stop undiscovered attacks with Check Point Threat Emulation

  29. Real Life Example • Customer evaluating Threat Emulation Blade

  30. Real Life Example • Customer evaluating Threat Emulation Blade

  31. Real Life Example Customer reports about a “False Positive”

  32. Real Life Example Is this indeed a False Positive ?

  33. Real Life Example New exploit variant of vulnerability (CVE-2012-0158) Installs a bot agent Opens network ports for bot communication Steals user credentials

  34. Real Life Example What does Virus Total has to say about it? We’ve discovered it on May 8th On May 9th only 3 AVs detect it

  35. Real Life Example After a few days…Was sent many times during May 9-11, AVs began to sign it, until most of them detected it

  36. Real Life Example So now Anti-Virus is enough… Or not?On May 12th, we’ve seen a new variant… only small file name change in the dropped exe. We’ve detected it, but it was enough to fool most of the AVs.

  37. Real Life Example • Prevented 140 phishing emails targeting 4 customers in 2 days!

  38. Anyone can submit files forTHREAT EMULATION threats@checkpoint.com threatemulation.checkpoint.com

  39. Check Point Threat Prevention Solution Multi-Layered Protection Against all Incoming Cyber Threats

  40. Thank You

  41. [Protected] For public distribution

More Related