webinar: stopping evasive malware - how a cloud sandbox array works
TRANSCRIPT
©2016 CYREN Ltd. All Rights Reserved. Proprietary and Confidential.
Stopping Evasive Malware:
How a Cloud Sandbox Array Works
Pete Starr, Director of Sales Engineering
Agenda
• Intro: New evasive malware
• How a Cloud Sandbox Array fits into a web security architecture
  – Dynamic Web Reputation Analysis
• How does a Cloud Sandbox Array work?
  – Advantages of sandboxing in the cloud
• Demo: Example sandbox array malware analysis
• Forensic reports and incident management
Introduction
§ Malware is becoming ‘smarter’
§ Variety of methods to defeat AV tools
  § Polymorphism
  § Encryption
  § Droppers
  § Packers
§ Now evolving to evade sandbox technology
Common Malware Evasion Techniques
§ Delayed Activation
  § Attempting to ‘outwait’ the sandbox
§ Sandbox Detection
  § Searching for files or registry keys that ‘give away’ the virtual environment
§ Human Interaction
  § Looking for human activity such as mouse movement or page scrolling
Multi-layered security engine
URL Filtering
• Check URL category
• Zero-hour malware, phishing, C&C
Dynamic Web Reputation
• Risk calculation
• URL, IP, Host, Domain, ASN
• Big data analytics
Anti-Malware Scan
• Modularized engine
• Superior heuristics
Cloud Sandbox Array
• Mitigate evasive malware
• Multiple sandbox technologies
Dynamic Web Reputation Analysis – How it works
[Diagram: entity relation graph linking Host 1-3, Domain 1-3, IP 1-2, NS, BGP 1-2, ASN and Registrant]
§ Reputation: A score (0-100) representing the likelihood of an accessed URL being malicious
  § The higher the score, the greater the probability that the URL is malicious
§ Goal: Calculate the reputation for known and unknown accessed URL/Host/Domain/IP
§ Reputation calculation is based on relations between entities
  § Files, URLs, Hosts, IPs, Domains, Registrants, ASN
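The slide only states that the 0-100 score is derived from relations between entities; it does not say how. The following is an added example, not Cyren's algorithm, showing one way such a relation-based score can be computed: known entities keep their feed-supplied score, and every unknown entity is pulled towards the weighted average of its neighbours (a host that shares an IP or a registrant with a known-bad host inherits part of its score). The relation graph, the seed scores, the per-relation weights and the damping factor are all constructed for illustration.

```python
"""Reputation propagation over an entity relation graph (added example).

Not Cyren's implementation: the relations, seed scores, edge weights and
the 0.6 damping factor below are constructed to illustrate the idea that
an unknown URL/host/domain/IP inherits reputation from related entities.
"""
from collections import defaultdict

# Constructed relation graph; relations are treated as undirected so that
# a bad neighbour raises the score in both directions.
RELATIONS = [
    ("url:http://shop.example.test/login", "host:shop.example.test"),
    ("host:shop.example.test", "domain:example.test"),
    ("host:shop.example.test", "ip:203.0.113.10"),
    ("domain:example.test", "registrant:R-100"),
    ("ip:203.0.113.10", "asn:AS64500"),
    ("host:cdn.example.test", "domain:example.test"),
    ("host:cdn.example.test", "ip:203.0.113.11"),
    ("ip:203.0.113.11", "asn:AS64500"),
    ("host:evil.other.test", "ip:203.0.113.10"),   # shares an IP with shop.example.test
    ("host:evil.other.test", "domain:other.test"),
    ("domain:other.test", "registrant:R-100"),     # shares a registrant with example.test
]

# Constructed seed scores (0-100, higher = more likely malicious) for the
# entities a threat feed already knows; unknown entities start at 50.
SEED = {
    "host:evil.other.test": 95,
    "domain:other.test": 90,
    "host:cdn.example.test": 5,
}

# Constructed weight per relation type: how strongly a neighbour of that
# kind pulls the score of the entity being evaluated.
EDGE_WEIGHT = {"url": 0.8, "host": 0.8, "domain": 0.7, "ip": 0.6, "registrant": 0.5, "asn": 0.2}

UNKNOWN_PRIOR = 50.0


def build_graph(relations):
    graph = defaultdict(set)
    for a, b in relations:
        graph[a].add(b)
        graph[b].add(a)
    return graph


def kind(entity):
    """'host:shop.example.test' -> 'host'."""
    return entity.split(":", 1)[0]


def propagate(relations, seed, rounds=10, damping=0.6):
    """Blend each unknown entity's score with its neighbours' for a few rounds.

    Known (seeded) entities are fixed; unknown ones are (1-damping) prior
    plus damping times the weighted mean of their neighbours' scores.
    """
    graph = build_graph(relations)
    scores = {e: float(seed.get(e, UNKNOWN_PRIOR)) for e in graph}
    for _ in range(rounds):
        new = {}
        for entity, neighbours in graph.items():
            if entity in seed:
                new[entity] = float(seed[entity])
                continue
            total_w = sum(EDGE_WEIGHT[kind(n)] for n in neighbours)
            mean = sum(EDGE_WEIGHT[kind(n)] * scores[n] for n in neighbours) / total_w
            new[entity] = (1 - damping) * UNKNOWN_PRIOR + damping * mean
        scores = new
    return {e: round(s, 1) for e, s in scores.items()}


def verdict(score, block_at=70):
    """Policy applied to the final score; the threshold is an assumption."""
    return "block" if score >= block_at else "allow"


if __name__ == "__main__":
    for entity, score in sorted(propagate(RELATIONS, SEED).items(), key=lambda kv: -kv[1]):
        print(f"{score:5.1f}  {verdict(score):5}  {entity}")
```

Running it shows the shared IP 203.0.113.10 scoring well above 203.0.113.11, and shop.example.test sitting above cdn.example.test, purely because of what they are related to; no content of either site was inspected. The real system adds far more relation types (the slide also lists files and NS/BGP relations) and tunes the weights from its own data.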
Dynamic Reputation Sources
§ Cyren GlobalView Security Cloud
  § Half million points of presence
  § Unified cloud, 19 DCs worldwide
§ Industry’s largest security database
  § 17B transactions daily
  § 130M threats blocked daily
  § 600M users protected
§ Fastest reaction time
  § Threats identified and blocked inside of 5 minutes
[Diagram: GlobalView feeds – Web Reputation, Anti-Malware, Virus Outbreak Detection, Sandbox Array, Link Monitor, URL Filtering, IP Reputation, Anti-Spam]
Cloud Sandbox Array – Features
§ Supported File Types
  § Windows executable files
  § Microsoft Office
  § PDFs
  § Flash files
  § Scripts
  § Images
  § ZIP files are decompressed
§ Features
  § Virtual/physical environments
  § SSL inspection
  § Screenshots
  § Network activity dump - PCAP file
  § Dropped files archive
  § Internet simulation environment
  § Human interaction - Keystrokes and mouse movements
Cloud Sandbox Array – How it works
[Diagram: analysis pipeline. Input file types (Windows EXE, MS Office, PDFs, Flash files, Scripts, Images, ZIP files) → Pre-processing: Static Analysis with OS Risk Evaluation and Network Risk Evaluation → Run-time Environment Selection → Dynamic Analysis in Sandbox 1 (OS A, Browser G, Environment S), Sandbox 2 (OS B, Browser H, Environment T) … Sandbox n (OS n, Browser n, Environment n) → Post-processing: Risk scoring, with Re-escalation back into analysis → Reporting / Incident management, verdict Not Malicious or Malicious; GlobalView Intelligence feeds the pipeline]
Advantages of ‘Sandbox in the Cloud’
§ Ideal for the modern enterprise
  § Available anywhere, anytime
  § Scalable platform allows for linear growth
§ Cloud architecture
  § Multiple sandboxes
  § Platform is extensible
Summary: Cyren’s Cloud Sandbox Array
§ Designed to ensure malware fully activates
  § Combines static and dynamic analysis
  § Multiple sandbox technologies
§ Solution utilizes multiple layers in combination
  § Zero-hour URL Filtering
  § Dynamic Web Reputation
  § Post Infection and Incident Management tools
§ Best fit for modern businesses
  § Linearly scalable
  § Available anywhere, anytime
  § Rapid deployment time
You can also find us here:
www.CYREN.com
twitter.com/cyreninc
linkedin.com/company/cyren
©2015 CYREN Ltd. All Rights Reserved. Proprietary and Confidential.
Thank You.
Pete Starr, Director of Sales Engineering, +44 7595 397777, pete.starr@CYREN.com
The challenge: Find where and when evasive malware will execute
§ Static Analysis (pre-processing)
  § Choose the best matching runtime environment
§ Dynamic Analysis
  § Executing the file in the Sandbox environment
§ Post Processing
  § Match dynamic to static analysis to ensure “proper” detonation of malware
  § Re-analysis and escalation flow - up to 4 analyses for each file
§ Unified analysis result and report
  § OS & Network behavior consolidation
Sandbox Array
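The four steps above, together with the evasion techniques listed earlier (delayed activation, sandbox detection, waiting for human interaction) and the pipeline diagram, describe a loop: pick an environment, run the file, check whether what was observed matches what static analysis predicted, and if not, re-escalate to a more capable environment, at most four times. The following is an added example, not Cyren's code, that simulates that loop end to end. The environments, their feature names, the evasion indicator names, the scoring weights, the malicious/benign threshold and the sample file itself are all constructed; in particular `simulate_run` stands in for real execution and simply models a sample that aborts at the first evasion check the environment cannot defeat.

```python
"""Re-analysis / escalation flow of a sandbox array (added example, simulated).

Not Cyren's implementation.  Everything below (environments, feature and
indicator names, weights, threshold, the sample) is constructed to show the
flow the slides describe: static pre-processing -> environment selection ->
dynamic analysis -> post-processing match -> re-escalation, up to 4 runs.
"""
MAX_ANALYSES = 4  # from the slide: up to 4 analyses for each file

# Constructed run-time environments, cheapest first.
ENVIRONMENTS = [
    {"name": "Sandbox 1", "os": "OS A", "browser": "Browser G", "features": set()},
    {"name": "Sandbox 2", "os": "OS B", "browser": "Browser H", "features": {"time_acceleration"}},
    {"name": "Sandbox 3", "os": "OS B", "browser": "Browser H",
     "features": {"time_acceleration", "human_interaction"}},
    {"name": "Sandbox 4", "os": "OS A", "browser": "Browser G",
     "features": {"time_acceleration", "human_interaction", "physical"}},
]

# Which environment feature answers which evasion indicator seen in a trace
# (constructed mapping of the three techniques named on the slides).
COUNTERMEASURE = {
    "long_sleep": "time_acceleration",      # delayed activation
    "waits_for_user": "human_interaction",  # waits for mouse/keyboard activity
    "vm_artifact_check": "physical",        # looks for virtual-machine give-aways
}

MALICIOUS_AT = 50  # constructed threshold on the 0-100 risk score


def select_environment(required, tried):
    """First untried environment that offers every feature required so far."""
    for env in ENVIRONMENTS:
        if env["name"] not in tried and required <= env["features"]:
            return env
    return None


def simulate_run(sample, env):
    """Constructed stand-in for dynamic analysis.

    The modelled sample evaluates its evasion checks in order and stops at
    the first one the environment cannot defeat; only if all pass does the
    payload behaviour appear in the trace.
    """
    trace = []
    for check in sample["evasions"]:
        trace.append({"type": "evasion", "indicator": check})
        if COUNTERMEASURE[check] not in env["features"]:
            return trace
    return trace + list(sample["payload"])


def post_process(static, trace):
    """Match dynamic behaviour against what static analysis predicted.

    Returns (detonated, indicators, score): detonated is True when every
    behaviour static analysis expected was actually observed.
    """
    observed = {e["type"] for e in trace}
    missing = static["expected"] - observed
    indicators = {e["indicator"] for e in trace if e["type"] == "evasion"}
    score = min(100, 25 * len(observed & {"network", "dropped_file", "persistence"}))
    return not missing, indicators, score


def analyze(sample, static):
    """Run the escalation loop and return the unified result."""
    required, tried, runs, events = set(), [], [], []
    for _ in range(MAX_ANALYSES):
        env = select_environment(required, tried)
        if env is None:          # nothing left that could defeat the evasion
            break
        tried.append(env["name"])
        trace = simulate_run(sample, env)
        events.extend(trace)
        detonated, indicators, score = post_process(static, trace)
        runs.append({"env": env["name"], "detonated": detonated, "score": score})
        if detonated:
            break
        required |= {COUNTERMEASURE[i] for i in indicators}  # re-escalate
    score = max((r["score"] for r in runs), default=0)
    return {
        "verdict": "Malicious" if score >= MALICIOUS_AT else "Not Malicious",
        "score": score,
        "analyses": len(runs),
        "environments": tried,
        "detonated": bool(runs) and runs[-1]["detonated"],
        "evasion": sorted({e["indicator"] for e in events if e["type"] == "evasion"}),
        # OS & network behaviour consolidated across all runs
        "os_behavior": sorted({e["detail"] for e in events if e["type"] in ("dropped_file", "persistence")}),
        "network_behavior": sorted({e["detail"] for e in events if e["type"] == "network"}),
    }


# Constructed sample: sleeps, waits for the user, checks for VM artifacts, then acts.
SAMPLE = {
    "evasions": ["long_sleep", "waits_for_user", "vm_artifact_check"],
    "payload": [
        {"type": "network", "detail": "HTTP GET to 198.51.100.7 (constructed C&C address)"},
        {"type": "dropped_file", "detail": "writes second-stage EXE to %TEMP%"},
        {"type": "persistence", "detail": "adds Run registry entry"},
    ],
}
# Constructed static pre-processing result: networking and file-write code found.
STATIC = {"file_type": "Windows EXE", "expected": {"network", "dropped_file"}}

if __name__ == "__main__":
    for k, v in analyze(SAMPLE, STATIC).items():
        print(f"{k:17}: {v}")
```

With the constructed sample the loop needs all four analyses: Sandbox 1 sees only a long sleep and no network activity, so post-processing refuses to accept the run as a proper detonation; each escalation adds the feature that the previous trace showed was missing, and only Sandbox 4 produces the behaviour static analysis predicted. A benign file, by contrast, detonates on the first run because nothing was expected and nothing was observed.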