©2015 Check Point Software Technologies Ltd. [Restricted] ONLY for designated groups and individuals

Preventing the next breach or discovering the one currently underway

Tom Hartig, Check Point Software Technologies, August 13th, 2015

BREAKING MALWARE


Networks need protection against ALL types of threats


An Ever-Changing Threat Landscape

Every year threats are becoming MORE SOPHISTICATED and MORE FREQUENT

[Timeline chart, 1997 to 2014, of threat categories: viruses and worms; adware and spyware; DDoS; APTs; ransomware; hacktivism; state-sponsored industrial espionage; next-gen APTs (mass APT tools) utilizing web infrastructures (DWS). Scale markers: 1,300 known viruses in 1997, then 50,000 known viruses, then 100,000+ malware variants daily.]


“There are known knowns; there are things we know we know.

We also know there are known unknowns; that is to say, we know there are some things we do not know.

But there are also unknown unknowns – the ones we don’t know we don’t know.”

— Donald Rumsfeld, 2002


Symantec says… “Anti-virus is DEAD”

Modern anti-virus software only stops ~45% of attacks on computers

Source: http://www.theregister.co.uk/2014/05/06/symantec_antivirus_is_dead_and_not_a_moneymaker/


Cat and Mouse: Known Unknown

Attackers evade signature-based detection by obfuscating their attacks and creating attack variants.


Time it takes to learn the root cause of an attack

Bar chart, values in category order:
One Day: 12%
One Week: 18%
One Month: 25%
One Year: 38%
Never: 41%

Source: Ponemon: Threat Intelligence & Incident Response: A Study of U.S. & EMEA Organizations: February 2014


Building Blocks of Advanced Threat Prevention

• IPS (pre): stops exploits of known vulnerabilities
• Anti-Bot (post): detects and prevents bot damage
• Antivirus (pre): blocks download of known malware-infested files
• Threat Emulation and Extraction (pre): stop zero-day and unknown malware in files


WOULD YOU OPEN THIS ATTACHMENT?


Exploiting Zero-Day Vulnerabilities


“nearly 200,000 new malware samples appear around the world each day”

- net-security.org, June 2013


What is Threat Emulation or Sandboxing?

A safe environment to evaluate suspicious files


Check Point Threat Emulation STOPS Undiscovered Attacks

INSPECT FILE → EMULATE → PREVENT → TURN TO KNOWN


3. EMULATE: RUN files & identify abnormal behavior in the file system, registry, connections and processes

• Windows XP, 7, 8, customer images
• Unique Anti-Evasion Technologies


4. PREVENT: inline BLOCKING of malicious files on the Security Gateway (prevention-based approach)


5. Turn the Unknown into KNOWN: automatic signature creation for ThreatCloud, collaborative protection through ThreatCloud™

Next Generation Zero-Day Protection: NG Threat Emulation + Threat Extraction


Known Unknown Back Again!

HACKERS develop techniques to evade sandboxing / threat emulation products:

• Delays: malware set to operate only after XX hours; accelerating the clock won’t work…
• Malware set to execute on shutdown/restart
• Malware that detects virtual environments and does not work there
• Malware that looks for human behavior before operating

Evasion is code that comes together with the malware, but executes first…


Attack Infection Flow

1. VULNERABILITY: trigger an attack through unpatched software or a zero-day vulnerability
2. EXPLOIT: bypass the CPU and OS security controls using exploitation methods
3. SHELLCODE: activate an embedded payload to retrieve the malware
4. MALWARE: run malicious code


Attack Infection Flow

VULNERABILITY (thousands) → EXPLOIT (a handful) → SHELLCODE → EVASION CODE → MALWARE (millions)

DETECT THE ATTACK BEFORE IT BEGINS: identify the exploit itself instead of looking for the evasive malware


Why does an attack need to start with exploitation?

What the OS does: DEP (Data Execution Prevention, since XP SP2). The processor will only run code marked as executable.

What the attackers do: re-use pieces of legitimate executable code that are already loaded.

ROP, the most popular exploitation technique:
• Examine code known to be loaded when the exploit is activated
• Search for useful gadgets: short pieces of code immediately followed by a flow-control opcode
• Bypass DEP using gadgets as code primitives


CPU-Level Threat Emulation Detects the Exploitation

Use the latest CPU-interfacing technologies: monitor CPU-based instructions for exploits attempting to bypass OS security controls

[Diagram: layered stack of Applications, Operating System (Windows, Mac OS, etc.) and CPU, with OS-Level Threat Emulation and CPU-Level Threat Emulation marked against their respective layers.]


CPU-Level Threat Emulation

• Highest accuracy: detection is outright, not based on heuristics or statistics
• Evasion-proof: detection occurs before any evasion code can be applied
• Efficient and fast: CPU-level technology identifies the attack at its infancy
• OS independent: detection occurs at the CPU level
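The ROP slide describes gadgets (short code snippets ending in a flow-control opcode) and the CPU-level slides describe watching instruction flow for DEP bypass. As an added illustration, not Check Point's technique (the deck states theirs is not heuristic-based), the Python model below applies the textbook call-preceded-return heuristic used by branch-trace-based ROP detectors: a legitimate RET lands on the instruction after a CALL, whereas a run of returns landing on short, non-call-preceded snippets that end in RET is the signature of gadget chaining. The instruction image, addresses and traces are all constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Insn:
    addr: int
    size: int
    mnem: str  # simplified model: only "call" and "ret" matter to the heuristic

def image(insns):
    """Index a constructed instruction listing by address (stands in for a disassembly)."""
    return {i.addr: i for i in insns}

def call_preceded(img, target):
    """A legitimate RET lands right after a CALL; a gadget entry normally does not."""
    return any(i.mnem == "call" and i.addr + i.size == target for i in img.values())

def gadget_len(img, addr, limit=8):
    """Instructions executed from addr until the next RET (limit if none found)."""
    n = 0
    while addr in img and n < limit:
        if img[addr].mnem == "ret":
            return n
        addr += img[addr].size
        n += 1
    return limit

def analyse_returns(img, ret_targets, max_gadget=5, chain=3):
    """Scan RET targets in execution order, as a branch trace (e.g. LBR) exposes them; flag a
    chain once `chain` consecutive returns land on non-call-preceded, short gadget-like code."""
    flagged, streak = [], 0
    for t in ret_targets:
        if not call_preceded(img, t) and gadget_len(img, t) <= max_gadget:
            streak += 1
            if streak >= chain:
                flagged.append(t)
        else:
            streak = 0          # a normal return breaks the chain
    return flagged

# Constructed image: one caller/callee pair and three short gadgets (addresses made up).
SAMPLE = image([
    Insn(0x1000, 5, "call"), Insn(0x1005, 3, "mov"), Insn(0x1008, 1, "ret"),  # caller
    Insn(0x2000, 3, "mov"), Insn(0x2003, 1, "ret"),                          # callee -> 0x1005
    Insn(0x3000, 1, "pop"), Insn(0x3001, 1, "ret"),                          # gadget A
    Insn(0x3010, 2, "xchg"), Insn(0x3012, 1, "ret"),                         # gadget B
    Insn(0x3020, 1, "pop"), Insn(0x3021, 1, "pop"), Insn(0x3022, 1, "ret"),  # gadget C
])
LEGIT_TRACE = [0x1005]                          # callee returning to its caller
ROP_TRACE = [0x3000, 0x3010, 0x3020, 0x3000]    # returns hopping between gadgets
```

Real detectors of this kind also have to cope with compilers that emit tail calls and exception unwinding, which is why thresholds rather than single violations are used.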


Check Point Next Gen Threat Emulation: OS-Level + CPU-Level

FASTEST, ADVANCED DETECTION, HIGHEST CATCH RATE, EVASION RESISTANT


THREAT EXTRACTION


How can we further reduce the attack surface?

[Diagram, 100% of files: ANTIVIRUS catches known or old malware; NG THREAT EMULATION detects unknown or zero-day malware; what remains is a POSSIBLE SECURITY GAP.]


Addressing the Possible Security Gap: Threat Extraction

Proactively REMOVE potentially malicious objects from ALL incoming attachments

• Eliminates any remaining threats
• 100% of all incoming attachments go through Threat Extraction, whether malicious or not


How Does Threat Extraction Work?

RECONSTRUCTS DOCUMENTS: removes embedded objects, macros and JavaScript code, sensitive hyperlinks

USER EXAMPLES
• HR with CVs
• Purchasing receiving quotes
• Data from untrusted websites

[Diagram: Security Gateway with Threat Extraction Software Blade]


Threat Extraction Statistics

Tested thousands of recently-discovered malicious files:

• Remove active content from the file (such as macros and embedded objects): cleaned 93% of the files; average cleaning time 0.3 seconds / document
• Convert file to PDF: cleaned 100%; average conversion time 5 seconds


Configurable Content Removal For Original Format Documents

Administrator establishes removal policy:
• Macros or JavaScript
• Embedded Objects
• External Links
• Document Properties
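As an added example of the removal policy described on the last few slides (macros, embedded objects, external links, document properties), and not Check Point's own code, the Python below applies such a policy to an OOXML .docx: the package is a zip of XML parts, active content lives in well-known parts, and the relationship (.rels) files wire those parts and any external hyperlinks into the document, so disarming means dropping the parts and the relationships that reference them. The part-name patterns and relationship Type substrings are a simplified subset of the OOXML conventions, and the sample document is constructed inline.

```python
import io, re, zipfile
import xml.etree.ElementTree as ET
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ET.register_namespace("", REL_NS)  # re-serialise <Relationships> without an ns0: prefix
RULES = {  # policy -> (regex over zip part names, substrings of relationship Type URIs); simplified
    "macros":     (r"^word/vba(Project|Data)", ("/vbaProject",)),
    "embedded":   (r"^word/(embeddings|activeX)/", ("/oleObject", "/relationships/package", "/control")),
    "properties": (r"^docProps/", ("-properties",)),
}   # "links" needs no part rule: it is any relationship with TargetMode="External"
def clean_rels(xml: bytes, policy: set):
    """Drop relationships that point at removed parts or at external targets."""
    root, removed = ET.fromstring(xml), []
    for rel in list(root):
        typ, external = rel.get("Type", ""), rel.get("TargetMode") == "External"
        if ("links" in policy and external) or any(
                m in typ for p in policy if p in RULES for m in RULES[p][1]):
            removed.append(rel.get("Target")); root.remove(rel)
    return ET.tostring(root, xml_declaration=True, encoding="UTF-8"), removed

def extract_threats(docx: bytes, policy: set):
    """Rebuild the package without the parts the policy forbids; return (bytes, removed)."""
    out, removed = io.BytesIO(), []
    with zipfile.ZipFile(io.BytesIO(docx)) as src, zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for name in src.namelist():
            if any(re.search(RULES[p][0], name) for p in policy if p in RULES):
                removed.append(name); continue          # whole part dropped
            data = src.read(name)
            if name.endswith(".rels"):                  # prune the wiring that referenced it
                data, gone = clean_rels(data, policy); removed += gone
            dst.writestr(name, data)
    return out.getvalue(), removed

def part_names(docx: bytes):
    return zipfile.ZipFile(io.BytesIO(docx)).namelist()
def sample_docx():
    """Constructed input: a VBA project, an OLE object, an external link, core properties."""
    R = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
    parts = {
        "[Content_Types].xml": "<Types xmlns='http://schemas.openxmlformats.org/package/2006/content-types'/>",
        "_rels/.rels": f"<Relationships xmlns='{REL_NS}'><Relationship Id='r1' Type='{R}officeDocument' Target='word/document.xml'/>"
            "<Relationship Id='r2' Type='http://schemas.openxmlformats.org/package/2006/relationships/metadata/core-properties' Target='docProps/core.xml'/></Relationships>",
        "word/document.xml": "<w:document xmlns:w='http://schemas.openxmlformats.org/wordprocessingml/2006/main'><w:body/></w:document>",
        "word/_rels/document.xml.rels": f"<Relationships xmlns='{REL_NS}'><Relationship Id='r1' Type='http://schemas.microsoft.com/office/2006/relationships/vbaProject' Target='vbaProject.bin'/>"
            f"<Relationship Id='r2' Type='{R}oleObject' Target='embeddings/oleObject1.bin'/><Relationship Id='r3' Type='{R}hyperlink' Target='http://example.invalid/' TargetMode='External'/></Relationships>",
        "word/vbaProject.bin": b"\xd0\xcf\x11\xe0 placeholder", "word/embeddings/oleObject1.bin": b"\xd0\xcf\x11\xe0 placeholder",
        "docProps/core.xml": "<cp:coreProperties xmlns:cp='http://schemas.openxmlformats.org/package/2006/metadata/core-properties'/>",
    }
    with zipfile.ZipFile(buf := io.BytesIO(), "w") as z:
        for name, data in parts.items(): z.writestr(name, data)
    return buf.getvalue()
```

A production implementation would also prune the matching [Content_Types].xml overrides and cover the .xlsm/.pptm part layouts; this version stops at the parts and the relationships that reference them.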


Always Maintain Access to Originals



Check Point Offering

• NG Threat Emulation: visibility on attack attempts and inspection of original documents
• Threat Extraction: zero malware documents delivered in zero seconds


Threat Extraction/Emulation Demo

https://threatemulation.checkpoint.com/


Zero Second Protection

Industry’s Fastest Threat Emulation


Test Results for Detecting and Blocking Malware


Check Point: Industry’s Fastest Threat Emulation!


A Real Customer Example


Live Demo


Summary: NG Threat Emulation + Threat Extraction

• NG Threat Emulation: ADVANCED DETECTION, STRONGEST, EVASION RESISTANT, FASTEST, HIGHEST CATCH RATE, BEST
• Threat Extraction: ZERO SECOND DELIVERY, ZERO MALWARE, SAFE DOCUMENTS

TRY IT NOW! It’s easy and free!


QUESTIONS