Protection against modern malware attacks
TRANSCRIPT
©2015 Check Point Software Technologies Ltd.
Peter Kovalcik | SE Eastern Europe
Attack scenario (steps 1–4)
- Command and Control
- Website with injected iframe
- Metasploit: exploit + payload
- Spear-phishing email
Demo: Detect-only
Top vulnerabilities 2014
• HEARTBLEED
- Flaw in the open-source OpenSSL cryptographic library. It allows attackers to eavesdrop on communications, steal data directly from services and users, and impersonate services and users.
• SHELLSHOCK
- Flaw in the open-source BASH (Bourne Again SHell). The Shellshock flaw gave an attacker the ability to execute arbitrary commands on vulnerable servers.
• POODLE
- Vulnerability in the SSL 3.0 cryptographic protocol that can enable an attacker to access and read encrypted communications.
• Other vulnerabilities
- Home routers, iOS, Android, Flash, Java, Firefox, Chrome, Mozilla, Sandworm, WordPress, Internet Explorer, Microsoft Office, Apple OS X, SCADA systems
[Chart: vendor protection response times per vulnerability, as extracted: Check Point 9 hours; Check Point 22 hours; Check Point 18 hours; PAN 4 days; Fortinet 5 days; PAN 29 days / Fortinet 14 days; PAN TBD days / Fortinet 10 days; Check Point 30 hours; PAN 10 days / Fortinet 9 days]
Top security incidents 2014
• Data breaches
- Sony – 25 GB of sensitive data, 33 000 documents, passwords, executive emails, private data of actors and employees.
- Home Depot – 56 million payment card details and 53 million collected email addresses; breach cost 62 million USD. POS malware targeting Microsoft Windows Embedded.
- Dropbox leak – 7 million Dropbox username/password pairs leaked.
- Others: eBay, iCloud, Xiaomi, hospitals, …
• Politically driven
- Snake – Russian cyber-espionage malware targeting mostly Eastern Europe, but also the US, UK and other Western European countries. Leverages watering-hole and spear-phishing attacks targeting zero-day vulnerabilities (PDF, Java, IE).
- National hacking – ISIS, France, USA, North Korea, Russia, China
• SCADA systems
- Energetic Bear & Dragonfly (Havex malware)
- Target: energy industry in the US and Europe (Spain, France, Italy, Germany, Turkey, Poland)
- Attack vectors: spear-phishing, watering hole, APT, RAT tools, trojanized software
- 70% of EU energy companies are assumed to still be infected
Top security incidents 2014 (cont.)
• Ransomware
- Cryptolocker – encrypts disk files and connected network shares. Delivered mostly through spear-phishing email.
- Banking trojans – steal banking credentials.
• Czech Computer Security Incident Response Team (CSIRT)
- Number of reported incidents increased from 495 (2013) to 939 (2014)
- Reported incidents: data leaks, ransomware, spear-phishing, trojans, botnet incidents, zero-day malware, banking trojans, home routers, espionage (Dragonfly – SCADA)
Cyber-attack cost
• Monetary losses
- Additional expense of credit monitoring and identity protection services provided to customers.
- Loss of current and future revenue from existing customers.
- Government fines associated with violation of industry regulations.
- Legal defense fees associated with litigation.
- Cost of insurance and implementation of electronic countermeasures to detect future attempts.
• Non-financial losses
- Damage to your company’s brand and reputation in the market.
- Prolonged court cases which distract from business focus.
- Theft of company secrets or intellectual property, including manufacturing processes, competitive intelligence, company growth plans and strategic initiatives.
- Loss of focus on product development/competitiveness while time is spent cleaning up the mess.
Source: 2015 Global State of Information Security Survey® conducted by PwC
Stuxnet: How to take control of a nuclear power plant
Why can attacks happen?
1. SCADA devices were not designed for security and are vulnerable
Programmable Logic Controller
PLC Vulnerability Example (published by Digital Bond in January 2012)
[Table: per-PLC results across the categories Firmware, Best Config, Web, Fuzzing, Exhaustion, Undoc Features, Backdoors, Ladder Logic; some cells marked N/A; the device rows are not recoverable from the transcript]
Legend:
- "x" indicates the vulnerability is present in the system and is easily exploited
- "!" indicates the vulnerability exists but an exploit is not available
- "v" indicates the system lacks this vulnerability
Cyber jungle out there
Source: http://hackmageddon.com/2015-cyber-attacks-timeline-master-index/
If you cannot do it, you can buy it!
Rental costs:
• One day – 50$
• Up to 1 month – 500$
• 3 months – 700$
Available online now!
Spear-phishing in CZ
• Infected attachment – installs a banking trojan
“Dopisy od banky” (“Letters from the bank”)
• Infected attachment – installs a trojan
“Exekutori” (“Bailiffs”) campaign in the Czech Republic
• Infected attachment – installs a trojan
• Affected tens of thousands of people
Spear-phishing in CZ
• Infected attachment – installs Cryptolocker or other malware/trojans
Magic 5
• 5 188 740 554 cyber-attacks on user computers and mobile devices in 2013
• Every 5th computer is infected every day
• Antivirus cannot detect ~55% of malware
Exploiting zero-day vulnerabilities
New vulnerabilities, countless new variants:
“nearly 200,000 new malware samples appear around the world each day”
– net-security.org, June 2013
Threat Emulation @ Work
Joseph_Nyee.pdf – a standard CV?
Joseph H. Nyee Resume Report:
- File System Activity: abnormal file activity
- System Registry: tampered system registry
- System Processes: “naive” processes created
- Network Connections: remote connection to Command & Control sites
Local Emulation Mechanisms: architectural overview
[Diagram: components split between kernel and user space. Kernel side: CoreXL instances, DLPU instances, VM_M. User space: TE_CLI and TED (Threat Emulation Daemon) containing Resource Guard, Policy DB, Static Analysis, Emulation Manager, Logging, Sharing with Check Point, Statistics, VM Controller, Agent Controller, Activity Detection, Forensics gatherer and Parsers; inside the user-space VM run the guest operating system and the CP Agent]
Today’s Solutions Leave Gaps
- Anti-virus: catches known or old malware; of known malware, 71 in 1000 are not caught
- Zero-day protection: detects new and unknown malware; 5 in 100 instances of unknown malware go undetected
- Security gap (chart scaled to 100%)
Zero Malware Documents
Check Point Threat Extraction: Original Document → Document Reconstructed → Zero Malware Document
Case Study: Infected PDF Luring Defense Officials (Threat Extraction + Threat Emulation deployed)
Conference invitation (PDF) infected with malware – zero malware files and attack visibility
1. Infected PDF designed exactly like the official document
2. Threat Extraction: zero-malware reconstructed PDF; Threat Emulation: administrator alerted of the attack
CPU-Level Detection Focus
• Detect the attack before it begins: limit the attacker’s ability to employ sandbox evasion techniques
• Detect in a narrow playground: only a handful of exploitation methods exist, compared with an endless number of vulnerabilities, malware and evasion techniques
[Diagram: Vulnerability, Exploit, Malware, Shellcode – focus on identifying the use of exploitation methods]
Hyperwise Technology Advantages
• Highest accuracy: detection is outright, not based on heuristics or statistics
• Evasion-proof: detection occurs before any evasion can be applied
• Efficient and fast: CPU-level technology identifies the attack in its infancy
• OS independent: detection occurs at the CPU level
[Diagram: CPU → Hypervisor → CPU-level Sandbox; guest systems: Windows XP, Windows 7 (32 bit), Windows 7 (64 bit), Windows Server 2012, Mac OS X 10.9, CentOS 7]
The Unknown 300 Test
Lab setup:
• VirusTotal was queried for PDF, DOC and portable executable files detected as malicious by more than 10 antivirus engines
• 300 known malware files were randomly selected (120 PDF, 120 EXE, 60 DOC) and transformed into unknown malware files
• The 300 new unknown malware files were then tested to simulate the reality of a user downloading an infected file
Typical Use Case Scenario
1. Hacker sends an email enclosing a malicious RESUME document
2. Email received by HR; HR opens the enclosed RESUME document
3. Malware propagates laterally; company-wide network infected
The Zero Second Test
• An email with unknown malicious PDF malware was sent every minute to the employee workstation
• The unknown PDF malware can be detected by all vendors in their sandbox solutions
• The test measured how long it takes to block the email from entering the network
Test Results for Detecting and Blocking Malware
Check Point: Industry’s Fastest Threat Emulation!
How long does it take to prevent a detected unknown malware?
Check Point Multi-Layered Threat Prevention
- IPS (pre): stops exploits of known vulnerabilities
- Antivirus (pre): blocks download of known-malware-infested files
- Anti-Bot (post): detects and prevents bot damage
- TE + TEX (pre): stop zero-day (unknown) malware in files
Protections out-of-the-box in IPS Software Blade
CVE-2013-2471
All IPS Software Blade customers can activate protections for this exploit.
Threat Prevention - Protections
Automate your security
Analytic tools
Suspicious source = HankHash-laptop (192.168.86.4)
Consolidate reporting and visibility
Automate your security
How Check Point helps you
• Proven leadership and best protection in the security market
• Full and unified threat prevention solution
The report covers: data loss incidents; bandwidth analysis; compliance and security policy check; risky web applications and sites; malware-infected computers; exploited vulnerabilities
Summary
• Security trends -> malware and exploits on the rise
• Unknown attacks -> 45% of all attacks
• Protection against financial loss caused by cyber attacks
• Check Point for you -> consolidated and effective security solution