Defeating Modern Attacks With Threat Prevention Innovation. Thierry Karsenti, Europe Technical Director. Enterprises in a vulnerable world: APT, botnet, hacktivism, data leakage, policy violations, social engineering. 3 steps of modern attacks: find the weakest link.
Defeating Modern Attacks With Threat Prevention Innovation
Thierry Karsenti, Europe Technical Director
Enterprises in a vulnerable world: APT, Botnet, Hacktivism, Data Leakage, Policy Violations, Social Engineering
3 steps of modern attacks
• Find the weakest link
• Get access
• Extract data
Designing an attack: find the weakest link
Top Vulnerable Applications in 2012 (critical vulnerabilities per application)
• Adobe Reader: 30 critical vulnerabilities
• Java: 17 critical vulnerabilities
• Microsoft Office: 16 critical vulnerabilities
• Adobe Flash: 57 critical vulnerabilities
• Firefox: 91 critical vulnerabilities
• Internet Explorer: 14 critical vulnerabilities
Would you open this attachment? “Over 90% of targeted emails use malicious file attachments as the payload or infection source” (Wall Street Journal, Nov 2012)
Get to know your target: Who works there? What department? What responsibility? Where in the hierarchy? What suppliers/clients? (Example: Lucy Smith in HR)
Figure out the contact details: “Press enquiries should be directed at firstname.lastname@company.com”, so the target's address is lucy.smith@company.com
Create a hook: names of friends; names of clients and suppliers (works with John Brown as an HR subcontractor); social interests
The attack path (actors: attacker, CEO, drop zone)
• Attacker identifies target through social engineering
• Attacker sends email to the CEO
• Email is let through
• Attachment exploits vulnerability
• Attacker explores network
• Attacker extracts data to the drop zone
From the news…
• “RSA Hack Hits Lockheed, Remote Systems Breached” – PC Mag (Mar 2011)
• “e-card arrives with malicious attachment containing Backdoor.Trojan” – CNET (Feb 2013)
Multi-Layered Threat Prevention
• IPS: stops exploits of known vulnerabilities
• Anti-Bot: detects and prevents bot damage
• Antivirus: blocks download of malware-infested files
What about new attacks?
Multi-Layered Threat Prevention (IPS, Anti-Bot, Antivirus) only deals with the known.
How to deal with the unknown?
Known Unknowns – Top Vulnerable Applications in 2012: we know that in the upcoming year 200–300 new, currently unknown vulnerabilities will be discovered in popular business applications (Adobe Reader: 30 critical vulnerabilities; Java: 17; Microsoft Office: 16; Adobe Flash: 57; Firefox: 91; Internet Explorer: 14)
Targeted attacks begin with zero-day exploits: “Duqu Worm Causing Collateral Damage in a Silent Cyber-War” – worm exploiting zero-day vulnerabilities in a Word document
Introducing Check Point Threat Emulation: prevention of zero-day attacks!
Inspect, Emulate, Prevent, Share: stop undiscovered attacks with Check Point Threat Emulation
INSPECT
• Identify files in email attachments and downloads over the web (exe files, PDF and Office documents)
• Upload file to virtual sandbox in the cloud or on local appliance
Threat Emulation Deployment Options
• Local Emulation Appliance
• Threat Emulation Cloud Service
• Security Gateway R77
EMULATE
• Emulating multi-OS environments: Win 7, 8, XP and user-customized images
• Open file and monitor abnormal behavior
• Monitored behavior: file system, system registry, network connections, system processes
Threat Emulation in Action: Joseph_Nyee.pdf (“Joseph H. Nyee Resume”) – a standard CV? The emulation report shows:
• File System Activity: abnormal file activity
• System Registry: tampered system registry
• System Processes: “naive” processes created
• Network Connections: remote connection to Command & Control sites
PREVENT: inline stopping of malicious files on any Security Gateway
SHARE: immediate update of all gateways
Boosting the Collaborative Power of ThreatCloud: CnC servers and malware hashes shared in real time for immediate protection
Real Life Example: customer evaluating the Threat Emulation Blade
Real Life Example: customer reports a “false positive”. Is this indeed a false positive?
Real Life Example: it is a new exploit variant of vulnerability CVE-2012-0158. It installs a bot agent, opens network ports for bot communication and steals user credentials.
Real Life Example: what does VirusTotal have to say about it? We discovered it on May 8th; on May 9th only 3 AVs detect it.
Real Life Example: after a few days… it was sent many times during May 9–11; AVs began to sign it, until most of them detected it.
Real Life Example: so now Anti-Virus is enough… or not? On May 12th we saw a new variant, with only a small file name change in the dropped exe. We detected it, but the change was enough to fool most of the AVs.
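The slides contrast hash-based AV signatures with the sandbox's behavioural verdict (file system, registry, processes, network). As an added illustration that is not Check Point code, the following constructed example shows why the renamed-dropper variant above evaded hash matching but not behaviour monitoring; the sample bytes, trace events, host name and process names are all made up for the example.

```python
import hashlib

# Constructed indicator data for the example. On the slides this role is played
# by the C&C-server and malware-hash feeds shared through ThreatCloud.
KNOWN_CNC_HOSTS = {"cnc.example.invalid"}
DOCUMENT_READERS = {"winword.exe", "acrord32.exe", "excel.exe"}
PERSISTENCE_KEY_FRAGMENT = "\\microsoft\\windows\\currentversion\\run"

def behaviour_verdict(trace):
    """Classify sandbox events into the four categories the slides monitor."""
    findings = {"file_system": [], "system_registry": [],
                "system_processes": [], "network": []}
    for ev in trace:
        kind = ev["kind"]
        if kind == "file_write" and ev["path"].lower().endswith(".exe"):
            findings["file_system"].append(f"dropped executable {ev['path']}")
        elif kind == "process" and ev["parent"] in DOCUMENT_READERS:
            findings["system_processes"].append(f"{ev['parent']} spawned {ev['image']}")
        elif kind == "registry_write" and PERSISTENCE_KEY_FRAGMENT in ev["key"].lower():
            findings["system_registry"].append(f"persistence via {ev['key']}")
        elif kind == "connect" and ev["host"] in KNOWN_CNC_HOSTS:
            findings["network"].append(f"C&C contact {ev['host']}:{ev['port']}")
    return {"malicious": any(findings.values()), "findings": findings}

def hash_verdict(sample_bytes, known_bad_hashes):
    """Signature-style check: exact SHA-256 match against a known-bad set."""
    return hashlib.sha256(sample_bytes).hexdigest() in known_bad_hashes

def make_trace(dropped_name):
    """Constructed sandbox trace; only the dropped file name varies between variants."""
    path = f"C:\\Users\\victim\\AppData\\Local\\Temp\\{dropped_name}"
    return [
        {"kind": "file_write", "path": path},
        {"kind": "process", "parent": "winword.exe", "image": path},
        {"kind": "registry_write",
         "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\updater"},
        {"kind": "connect", "host": "cnc.example.invalid", "port": 443},
    ]

# Constructed stand-ins for the two document samples (not real exploit content).
VARIANT_A = b"constructed office sample A: drops svchost32.exe"
VARIANT_B = b"constructed office sample B: drops svchosts32.exe"
KNOWN_BAD = {hashlib.sha256(VARIANT_A).hexdigest()}  # only variant A was signed

def compare():
    """Hash matching misses the renamed variant; behaviour flags both."""
    return {"hash_a": hash_verdict(VARIANT_A, KNOWN_BAD),
            "hash_b": hash_verdict(VARIANT_B, KNOWN_BAD),
            "behaviour_a": behaviour_verdict(make_trace("svchost32.exe"))["malicious"],
            "behaviour_b": behaviour_verdict(make_trace("svchosts32.exe"))["malicious"]}
```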
Real Life Example: prevented 140 phishing emails targeting 4 customers in 2 days!
Anyone can submit files for Threat Emulation: threats@checkpoint.com, threatemulation.checkpoint.com
Check Point Threat Prevention Solution: multi-layered protection against all incoming cyber threats