Protection against modern malware attacks


Upload: marketingarrowecscz

Post on 04-Aug-2015


©2015 Check Point Software Technologies Ltd.

Peter Kovalcik | SE Eastern Europe

PROTECTION AGAINST MODERN MALWARE ATTACKS


Do you think it is easy to get hacked?


Attack scenario (four stages)

- Spear-phishing email

- Website with injected iframe

- Metasploit exploit + payload

- Command and Control

Demo: Detect-only


Top vulnerable software


Top vulnerabilities 2014

• HEARTBLEED

- Flaw in the open-source OpenSSL cryptographic library. It allows attackers to eavesdrop on communications, steal data directly from services and users, and impersonate services and users.

• SHELLSHOCK

- Flaw in the open-source Bash (Bourne Again SHell). The Shellshock flaw gave an attacker the ability to execute arbitrary commands on vulnerable servers.

• POODLE

- Vulnerability in the SSL 3.0 cryptographic protocol that can enable an attacker to access and read encrypted communications.

• Other vulnerabilities

- Home routers, iOS, Android, Flash, Java, Firefox, Chrome, Mozilla, Sandworm, WordPress, Internet Explorer, Microsoft Office, Apple OS X, SCADA systems


[Chart: time to release protections per vendor. Check Point: 9 hours, 18 hours, 22 hours, 30 hours. PAN: 4 days, 10 days, 29 days, TBD. Fortinet: 5 days, 9 days, 10 days, 14 days.]


Top security incidents 2014

• Data breaches

- Sony – 25 GB of sensitive data, 33 000 documents, passwords, executive emails, private data of actors and employees.

- Home Depot – 56 million payment card details stolen and 53 million email addresses collected; breach cost 62 million USD. POS malware targeting MS Windows Embedded OS.

- Dropbox leak – 7 million Dropbox username/password pairs leaked.

- Others: eBay, iCloud, Xiaomi, hospitals, …

• Politically driven

- Snake – Russian cyber-espionage malware targeting mostly Eastern Europe, but also the US, UK and other Western European countries. Leverages watering-hole and spear-phishing attacks targeting zero-day vulnerabilities (PDF, Java, IE).

- National hacking – ISIS, France, USA, North Korea, Russia, China

• SCADA systems

- Energetic Bear & Dragonfly (Havex malware)

- Target: energy industry in the US and Europe (Spain, France, Italy, Germany, Turkey, Poland)

- Attack vector: spear-phishing, watering hole, APT, RAT tools, trojanized SW

- 70% of EU energy companies are assumed to be still infected


Top security incidents 2014

• Ransomware

- Cryptolocker – encrypts disk files + connected network shares. Delivered mostly through spear-phishing email.

- Banking trojans – stealing banking credentials.

• Czech Computer Security Incident Response Team (CSIRT)

- Number of reported incidents increased from 495 (2013) to 939 (2014)

- Reported incidents: data leaks, ransomware, spear-phishing, trojans, botnet incidents, zero-day malware, banking trojans, home routers, espionage (Dragonfly – SCADA)


Cyber-Attack cost

• Monetary Losses

- Additional expense of credit monitoring and identity protection services provided to customers.

- Loss of current and future revenue from existing customers.

- Government fines associated with violation of industry regulations.

- Legal defense fees associated with litigation.

- Cost of insurance and implementation of electronic countermeasures to detect future attempts.

• Non-Financial Losses

- Damage to your company’s brand and reputation in the market.

- Prolonged court cases which distract from business focus.

- Theft of company secrets or intellectual property including manufacturing processes, competitive intelligence, company growth plans and strategic initiatives.

- Loss of focus on product development/competitiveness while time is spent cleaning up the mess.

2015 Global State of Information Security Survey® conducted by PwC


Stuxnet: How to take control of a nuclear power plant


198 security incidents

Source: US ICS-CERT


Why can attacks happen?

1. SCADA devices were not designed for security and are vulnerable

Programmable Logic Controller


PLC Vulnerability Example (published by Digital Bond in January 2012)

[Table: vulnerability categories per PLC – Firmware, Best Config, Web, Fuzzing, Exhaustion, Undoc Features, Backdoors, Ladder Logic; individual cell marks are not recoverable from the slide apart from two N/A entries.]

Legend: "x" indicates the vulnerability is present in the system and is easily exploited; "!" indicates the vulnerability exists but an exploit is not available; "v" indicates the system lacks this vulnerability.


http://hackmageddon.com/2015-cyber-attacks-timeline-master-index/

Cyber jungle out there


DIY Attacks

Anyone Can Launch a DDoS Attack


If you cannot do it, you can buy it!

Rental costs:

• One day – 50$

• Up to 1 month – 500$

• 3 months – 700$

Available online now!


Should I care?

Yes -> do the PoC


Spear-phishing in CZ

• Infected attachment – installs a banking trojan

“Dopisy od banky” (“Letters from the bank”) campaign

• Infected attachment – installs a Trojan

“Exekutori” (“Bailiffs”) campaign in the Czech Republic

• Infected attachment – installs a Trojan

• Hit tens of thousands of people

Spear-phishing in CZ

• Infected attachment – installs Cryptolocker or other malware/Trojan


Magic 5

• 5 188 740 554 cyber-attacks on user computers and mobile devices in 2013

• Every 5th computer is infected every day

• Antivirus cannot detect ~55% of malware


Exploiting Zero-day vulnerabilities

New vulnerabilities – countless new variants

“nearly 200,000 new malware samples appear around the world each day”

- net-security.org, June 2013


Threat Emulation @ Work

Joseph_Nyee.pdf – a standard CV?

Joseph H. Nyee Resume Report:

- File System Activity: abnormal file activity

- System Registry: tampered system registry

- System Processes: “naive” processes created

- Network Connections: remote connection to Command & Control sites


Local Emulation Mechanisms – Architectural overview

[Diagram. Kernel: CoreXL instances, DLPU instances, VM_M. User space: TE_CLI; TED – Threat Emulation Daemon (Resource Guard, Policy DB, Static Analysis, Emulation Manager, Logging, Sharing with Check Point, Statistics, VM Controller, Agent Controller). Inside the user-space VM: Operating System, CP Agent (Activity Detection, Forensics gatherer, Parsers).]


WHAT’S NEW

Threat Extraction

CPU-Level emulation


Today’s Solutions Leave Gaps

ANTI-VIRUS – catches known or old malware. Of known malware, 71 in 1000 are not caught.

ZERO-DAY PROTECTION – detects new and unknown malware. 5 in 100 instances of unknown malware go undetected.

[Chart: the remaining security gap on the way to 100%]


Zero Malware Documents

CHECK POINT THREAT EXTRACTION

Original Document → Document Reconstructed → Zero Malware Document


Case Study: Infected PDF Luring Defense Officials – Threat Extraction + Threat Emulation Deployed

Conference invitation (PDF) infected with malware → zero-malware files and attack visibility

1. Infected PDF designed exactly like the official document

2. Threat Extraction: zero-malware reconstructed PDF delivered; Threat Emulation: administrator alerted of the attack


CPU-Level Detection Focus

• Detect the attack before it begins – limit the attacker’s ability to employ sandbox evasion techniques

• Detect in a narrow playground – only a handful of exploitation methods exist, compared with the endless number of vulnerabilities, malware and evasion techniques

[Diagram: Vulnerability → Exploit → Shellcode → Malware; focus on identifying the use of exploitation methods]


Hyperwise Technology Advantages

• Highest accuracy

Detection is outright, not based on heuristics or statistics

• Evasion-proof

Detection occurs before any evasion can be applied

• Efficient and fast

CPU-level technology identifies the attack in its infancy

• OS independent

Detection occurs at the CPU level

[Diagram: CPU-level sandbox on a hypervisor above the CPU, running guest images: Windows XP, Windows 7 (32 bit), Windows 7 (64 bit), Windows Server 2012, Mac OS X 10.9, CentOS 7]


How do we test zero-day catch rate and effectiveness?


The Unknown 300 Test

Lab Setup

VirusTotal queried for pdf, doc and portable executable files detected as malicious by more than 10 antivirus engines

300 known malware files randomly selected (120 pdf, 120 exe, 60 doc) and transformed into unknown malware files

The 300 new unknown malware files were then tested to simulate the reality of a user downloading an infected file


Typical Use Case Scenario

1. Hacker sends an email enclosing a malicious RESUME document

2. Email received by HR; HR opens the enclosed RESUME document

3. Malware propagates laterally

4. Company-wide network infected


The Zero Second Test

• Email with malicious unknown PDF malware sent every minute to the employee workstation

• Unknown PDF malware can be detected by all vendors in their sandbox solution

• Test measured how long it takes to block the email from entering the network


Test Results for Detecting and Blocking Malware

Check Point: Industry’s Fastest Threat Emulation!


How long does it take to prevent a detected unknown malware?

Miercom Advanced Threat Prevention Report, November 2014


How to protect against cyber-threats?


Check Point Multi-Layered Threat Prevention

- IPS (pre): stops exploits of known vulnerabilities

- Antivirus (pre): blocks download of known malware-infested files

- Anti-Bot (post): detects and prevents bot damage

- TE + TEX (pre): stops zero-day (unknown) malware in files


Protections Out-of-the-box in IPS Software Blade

CVE-2013-2471

All IPS Software Blade customers can activate protections for this exploit.


Threat Prevention - Protections

Automate your security


Zero-day and Unknown malware


Immediately applied policies


Automate your security


Threat Emulation


Analytic tools

Suspicious source = HankHash-laptop (192.168.86.4)


Consolidate reporting and visibility

Automate your security


How we can help you

How Check Point helps you

• Proven leadership and best protection in the security market

• Full & unified threat prevention solution

SECURITY CHECKUP – THREAT ANALYSIS REPORT

The report covers: malware-infected computers, exploited vulnerabilities, risky web applications and sites, data loss incidents, bandwidth analysis, compliance & security policy check.


Summary

• Security trends -> malware and exploits on the rise

• Unknown attacks -> 45% of all attacks

• Protection against financial loss caused by cyber attacks

• Check Point for you -> consolidated and effective security solution

THANK YOU