COMBATTING ADVANCED MALWARE THREATS IN EMAIL

A guide to how an Email Sandbox helps organizations to prepare for Advanced Persistent Threats

APT IS THE “NEW NORMAL”

Advanced malware and advanced persistent threat (APT) are terms frequently used to describe malicious code that bypasses traditional security systems such as signature-based detectors (anti-virus engines and intrusion detection systems). Sandboxing works by running code inside a tightly controlled environment in which its behavior can be monitored and analyzed. Because the verdict rests on observed behavior rather than on having seen that specific threat before, sandboxing offers the promise of identifying advanced malware and zero-day threats.

Not all sandbox technologies provide the same level of detection capability. This guide introduces the CYBONET Sandbox, available as a module in CYBONET's PineApp Mail Secure Solution.


WHAT IS AN ADVANCED PERSISTENT THREAT

Modern malware uses Advanced techniques such as encrypted communication channels, kernel-level rootkits and sophisticated evasion capabilities to get past a network's defenses. More importantly, it often leverages zero-day vulnerabilities: flaws for which no patch is available and no signature has been written.

Modern malware is Persistent and designed to stick around for “as long as it takes” to achieve its mission. It is stealthy: it hides its communications and remains within a victim's network for as long as possible, often cleaning up after itself by deleting logs, using strong encryption and reporting back to its controller in small, difficult-to-trace bursts of communication.

Many attacks now blend several of these techniques. They are typically initiated by groups of highly skilled and motivated criminals and represent a very serious Threat to organizations of all sizes. No organization is immune to the threat that these criminal networks represent, and many of today's security solutions fall short of delivering deep protection, leaving vulnerabilities exposed.


COST OF APT THREATS

The number of known cybersecurity incidents rose by 48 percent last year. These attacks have also become far more costly: losses from advanced phishing scams increased from $525 million in 2012 to $800 million last year, an increase of more than 50 percent.

The costs associated with cybersecurity threats rise steeply as the criminals themselves evolve from isolated individual actors to organized hacker groups to nation states.


TRADITIONAL MALWARE DETECTION

Signature-based detection can be thought of as identifying people strictly by how they look: What color is their hair? How tall are they? What is their eye color? How old are they? Do we have their fingerprint? These questions make a lot of sense when threats are straightforward and traditional in nature. What happens, though, if the criminal is wearing a black hat and sunglasses as a disguise? What if the criminal is also able to change his fingerprints on the fly? Advanced Persistent Threats behave in exactly this way: detecting malware purely by its “looks” no longer works.


ANTIVIRUS IS NOT ENOUGH

Protecting organizations against malware is a constant struggle. Antivirus companies monitor and analyze files and programs in a test environment in order to produce and publish new virus signatures.

A “brute force” component of today's attack methodology is to automatically generate tens of thousands of variants of old or new viruses, at a rate that far outpaces the capacity of any anti-virus vendor to keep up. To quantify this: up to around 2005, several hundred new threats were identified each day; by the end of 2009 some 15,000-25,000 new threats were identified every day, and that number keeps doubling every 6-12 months.

According to data compiled by Panda Research, traditional AV stops only 30-50 percent of new zero-hour malware when it is first seen. A few engines take up to eight hours to reach even the 90 percent level, and the majority need a full 24 hours. The conclusion must be that “traditional” AV technology is not dead, but needs to be complemented with other approaches that provide additional signals for detection.


THE SANDBOX: A CONCEPT

A sandbox executes an unknown program in an instrumented, separate environment and monitors its execution, allowing previously unseen (zero-day) malware to be identified from what it does rather than from what it looks like.

THE GOALS OF A SANDBOX:

A sandbox has to achieve three goals: visibility, resistance to detection, and scalability.

1. First, a sandbox has to see as much as possible of the execution of a program, in order to make solid deductions about the presence or absence of malicious behaviors.

2. Second, a sandbox has to perform its monitoring in a fashion that is difficult to detect. Otherwise, it is easy for malware to identify the presence of the sandbox and alter its behavior to evade detection.

3. Third, a sandbox has to run many samples, in a way that the execution of one sample does not interfere with the execution of subsequent malware programs.


CYBONET SANDBOX FOR ADVANCED PROTECTION

CYBONET integrates Check Point's ThreatCloud ecosystem into the PineApp Mail Secure Sandboxing Module. This integration means that newly discovered threats are sent to the ThreatCloud intelligence database. Each newly discovered threat signature is distributed across the ThreatCloud ecosystem to protect other connected gateways, enabling them to block the new threat before it has a chance to become widespread. This constant collaboration makes ThreatCloud one of the most advanced and up-to-date threat intelligence networks available.


CHECK POINT

CYBONET is proud to partner with Check Point Software Technologies, a worldwide industry leader in securing the internet. Check Point ensures that internet communications and critical data are secure, reliable and available everywhere.

By partnering with Check Point, we at CYBONET believe that together we can provide the most comprehensive messaging security solution.


CYBONET SANDBOX NETWORK OVERVIEW

CYBONET has integrated Check Point's SandBlast Network into the PineApp Mail Secure Sandboxing Module. SandBlast Zero-Day Protection employs Threat Emulation and Threat Extraction to raise network security to the next level, with evasion-resistant malware detection and comprehensive protection from the most dangerous attacks.

CYBONET's Sandbox provides complete detection, inspection and protection against the most dangerous zero-day and targeted attacks at the network level.


THREAT EMULATION AND THREAT EXTRACTION

The Threat Emulation feature performs deep CPU-level inspection, stopping even the most dangerous attacks before the malware has an opportunity to deploy and evade detection: it watches for the instruction-flow patterns of an exploit at the moment of exploitation, before any payload runs and before post-infection evasion logic can take effect. OS-level inspection complements this by examining a broad range of file types, including executables and data files. With these inspection capabilities, SandBlast Threat Emulation delivers a very high catch rate for threats and is highly resistant to attackers' evasion techniques.

Threat Extraction complements the solution by promptly delivering safe content, that is, clean and reconstructed versions of potentially malicious files, maintaining uninterrupted business flow. By eliminating the unacceptable delays created by traditional sandboxes, Threat Extraction makes real-world deployment in prevent mode possible: not just issuing alerts, but blocking malicious content from reaching users at all.


PROACTIVE PREVENTION

The Threat Extraction component within SandBlast eliminates threats by removing risky content such as macros or embedded links and then reconstructs the document using only known safe elements. Unlike detection technologies that require time to search for and identify threats before blocking them, Threat Extraction preemptively eliminates the risk, ensuring prompt delivery of safe documents.
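What “removing risky content and reconstructing the document from known safe elements” means in practice, as an added example that is not Check Point's or CYBONET's code: a macro-enabled Word document (.docm) is a zip package, so threat extraction can be done by rebuilding the package part by part, dropping the VBA project and any OLE embeddings, removing the external hyperlink relationships, unwrapping the link text so the visible content survives, and rewriting the content types so the result is a plain .docx. The sample document is constructed in memory following the standard OOXML package layout; the lists of risky part names and relationship types are assumptions that a production implementation would extend (ActiveX controls, DDE fields, embedded fonts and so on).

```python
"""Threat-extraction style content disarm for an OOXML .docm (added example)."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

W = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
R = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
VBA_REL = "http://schemas.microsoft.com/office/2006/relationships/vbaProject"
ET.register_namespace("w", W)
ET.register_namespace("r", R)

MACRO_MAIN = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_MAIN = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
RISKY_PARTS = ("vbaProject.bin", "vbaData.xml", "/embeddings/", "/activeX/")  # assumption: extend in production
RISKY_REL_TYPES = ("/vbaProject", "/oleObject", "/control")


def build_sample_docm():
    """Constructed .docm: one paragraph with an external link, plus a VBA project."""
    parts = {
        "[Content_Types].xml":
            '<?xml version="1.0" encoding="UTF-8"?>'
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
            '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
            '<Default Extension="xml" ContentType="application/xml"/>'
            '<Default Extension="bin" ContentType="application/vnd.ms-office.vbaProject"/>'
            f'<Override PartName="/word/document.xml" ContentType="{MACRO_MAIN}"/></Types>',
        "_rels/.rels":
            '<?xml version="1.0" encoding="UTF-8"?>'
            '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
            f'<Relationship Id="rId1" Type="{R}/officeDocument" Target="word/document.xml"/></Relationships>',
        "word/_rels/document.xml.rels":
            '<?xml version="1.0" encoding="UTF-8"?>'
            '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
            f'<Relationship Id="rId1" Type="{VBA_REL}" Target="vbaProject.bin"/>'
            f'<Relationship Id="rId2" Type="{R}/hyperlink" Target="http://203.0.113.7/invoice.exe" TargetMode="External"/>'
            '</Relationships>',
        "word/document.xml":
            '<?xml version="1.0" encoding="UTF-8"?>'
            f'<w:document xmlns:w="{W}" xmlns:r="{R}"><w:body><w:p>'
            '<w:r><w:t>Please review the </w:t></w:r>'
            '<w:hyperlink r:id="rId2"><w:r><w:t>attached invoice</w:t></w:r></w:hyperlink>'
            '<w:r><w:t>.</w:t></w:r></w:p></w:body></w:document>',
        "word/vbaProject.bin": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24,  # OLE2 magic + padding
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, data in parts.items():
            z.writestr(name, data)
    return buf.getvalue()


def _drop_elements(xml, tag_pattern, is_risky):
    """Remove self-closing <Tag .../> elements whose attributes satisfy is_risky; return (xml, dropped)."""
    dropped = []

    def repl(m):
        attrs = dict(re.findall(r'(\w+)="([^"]*)"', m.group(0)))
        if is_risky(attrs):
            dropped.append(attrs.get("PartName") or attrs.get("Target") or attrs.get("Extension"))
            return ""
        return m.group(0)
    return re.sub(rf"<{tag_pattern}\b[^>]*/>", repl, xml), dropped


def _unwrap_hyperlinks(xml):
    """Replace every <w:hyperlink> with its child runs: the text stays, the link goes."""
    root = ET.fromstring(xml)
    count = 0
    for parent in list(root.iter()):
        for child in list(parent):
            if child.tag == f"{{{W}}}hyperlink":
                idx = list(parent).index(child)
                parent.remove(child)
                for offset, run in enumerate(list(child)):
                    parent.insert(idx + offset, run)
                count += 1
    return ET.tostring(root, xml_declaration=True, encoding="UTF-8"), count


def extract_threats(package):
    """Rebuild the package from known-safe parts only; returns (clean_docx_bytes, removed_items)."""
    removed, out = [], io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(package)) as src, zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            name, data = info.filename, src.read(info)
            if any(marker in name for marker in RISKY_PARTS):
                removed.append(f"part {name}")
                continue  # active content is never copied across
            if name == "[Content_Types].xml":
                text, gone = _drop_elements(data.decode(), "(?:Default|Override)",
                    lambda a: "vbaProject" in a.get("ContentType", "") or "oleObject" in a.get("ContentType", ""))
                data = text.replace(MACRO_MAIN, PLAIN_MAIN).encode()  # the result is a plain .docx
                removed += [f"content type for {g}" for g in gone]
            elif name.endswith(".rels"):
                text, gone = _drop_elements(data.decode(), "Relationship",
                    lambda a: a.get("TargetMode") == "External" or a.get("Type", "").endswith(RISKY_REL_TYPES))
                data = text.encode()
                removed += [f"relationship to {g}" for g in gone]
            elif name == "word/document.xml":
                data, count = _unwrap_hyperlinks(data)
                removed += [f"{count} hyperlink(s) unwrapped"] if count else []
            dst.writestr(name, data)
    return out.getvalue(), removed


def part_names(package):
    with zipfile.ZipFile(io.BytesIO(package)) as z:
        return z.namelist()


def read_part(package, name):
    with zipfile.ZipFile(io.BytesIO(package)) as z:
        return z.read(name)
```

Because the main part's content type is rewritten, the reconstructed file must be delivered with a .docx extension; the original .docm stays in quarantine for emulation or manual release. Everything not explicitly recognised is copied unchanged, which is why the risky-part and relationship lists have to be reviewed against each new Office feature rather than assumed complete.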


FULL SYSTEM EMULATION

SandBlast Threat Emulation sandboxing stops attacks before they have a chance to evade detection by the sandbox. The engine also monitors CPU-based instruction flow for exploits attempting to bypass operating system and hardware security controls. Threat Emulation supports multiple deployment options, providing a cost-effective solution for virtually any size of organization. Files can be sent from existing gateways either to the SandBlast cloud-based service or to an on-premise appliance available in a range of capacities.


HOW TO EVADE A SANDBOX

New evasion techniques capable of bypassing traditional sandbox detection technology are constantly being developed. They include refusing to activate the malware when a virtual environment is detected, delaying the attack until a timer expires or a user action occurs, activating only on a specific OS version or variant, and hiding command-and-control traffic in encrypted channels.

Today's hacker ecosystem makes it easy for cybercriminals to share exploit code, newly identified vulnerabilities and even talent with their co-conspirators. Traditional sandbox solutions do identify “new” and unknown malware, but they take time, risking exposure to network infection before detection and blocking occurs, and they are vulnerable to the evasion techniques described above.
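The three goals listed under THE SANDBOX: A CONCEPT (see as much as possible, stay hard to detect, process samples at scale) and the evasion techniques just described meet in the analysis step: the instrumented environment records every API call the sample makes, and the verdict is derived from that trace. The following is an added example, not code from CYBONET or Check Point, of that analysis over a constructed trace. The trace format, the API names and both sample traces are assumptions for illustration. It flags the behaviors this guide attributes to modern malware (dropping and executing from a temp directory, Run-key persistence, log clearing, reporting back to a controller) and, separately, the evasion tricks (probing for VM artifacts, stalling with long sleeps, checking for user activity), and it treats a sample that only probes for a sandbox and then exits as suspicious rather than clean.

```python
"""Derive a verdict from an instrumented-sandbox API trace (added example).

Assumed trace format, one call per line: `t=<seconds> api=<name> key=value ...`.
Real sandboxes emit their own JSON/CSV traces; the analysis below is the same idea.
"""
import re

# Constructed trace of a hypothetical dropper: probes for a VM, waits five
# minutes, checks that the mouse never moved, then persists and phones home.
DROPPER_TRACE = r"""
t=0.01 api=RegOpenKeyEx path=HKLM\SOFTWARE\VMware, Inc.\VMware Tools status=NOT_FOUND
t=0.02 api=GetFileAttributes path=C:\Windows\System32\drivers\vmmouse.sys status=NOT_FOUND
t=0.03 api=GetCursorPos x=512 y=384
t=0.04 api=Sleep ms=300000
t=300.05 api=GetCursorPos x=512 y=384
t=300.10 api=CreateFile path=C:\Users\victim\AppData\Local\Temp\svch0st.exe access=WRITE
t=300.20 api=RegSetValueEx path=HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater data=C:\Users\victim\AppData\Local\Temp\svch0st.exe
t=300.30 api=CreateProcess image=C:\Users\victim\AppData\Local\Temp\svch0st.exe
t=300.40 api=connect host=203.0.113.7 port=8443
t=300.50 api=ClearEventLog log=Security
"""

# Constructed trace of a sample that finds a VM artifact and simply exits.
EVASIVE_ONLY_TRACE = r"""
t=0.01 api=GetFileAttributes path=C:\Windows\System32\drivers\VBoxMouse.sys status=FOUND
t=0.02 api=ExitProcess code=0
"""

VM_ARTIFACTS = ("vmware", "vbox", "virtualbox", "vmmouse", "vmhgfs", "qemu", "xen")
RUN_KEY = "\\currentversion\\run\\"
TEMP_DIR = "\\appdata\\local\\temp\\"
STALL_THRESHOLD_MS = 60_000  # total Sleep() beyond this is treated as stalling


def parse_trace(text):
    """Turn the line-oriented trace into a list of dicts; values may contain spaces."""
    calls = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = dict(re.findall(r"(\w+)=(.*?)(?=\s\w+=|$)", line))
        fields["t"] = float(fields["t"])
        calls.append(fields)
    return calls


def analyse(calls):
    """Return {'verdict', 'malicious', 'evasion'} for a parsed trace."""
    malicious, evasion = [], []
    total_sleep_ms, cursor_samples = 0, []
    for c in calls:
        api = c.get("api", "")
        target = (c.get("path", "") + c.get("image", "")).lower()
        # --- evasion indicators: the sample is looking for the sandbox ---
        if api in ("RegOpenKeyEx", "GetFileAttributes") and any(a in target for a in VM_ARTIFACTS):
            evasion.append(f"VM artifact probe: {c.get('path')}")
        if api == "Sleep":
            total_sleep_ms += int(c["ms"])
        if api == "GetCursorPos":
            cursor_samples.append((c.get("x"), c.get("y")))
        # --- malicious behaviors: the sample is doing its job ---
        if api == "CreateFile" and c.get("access") == "WRITE" and TEMP_DIR in target and target.endswith(".exe"):
            malicious.append(f"drops executable in %TEMP%: {c.get('path')}")
        if api == "RegSetValueEx" and RUN_KEY in target:
            malicious.append(f"Run-key persistence: {c.get('path')}")
        if api == "CreateProcess" and TEMP_DIR in target:
            malicious.append(f"executes from %TEMP%: {c.get('image')}")
        if api == "connect" and c.get("port") not in ("80", "443"):
            # Crude: real C2 often hides on 443; a real analyser inspects the traffic as well.
            malicious.append(f"outbound connection to {c.get('host')}:{c.get('port')}")
        if api == "ClearEventLog":
            malicious.append(f"clears event log: {c.get('log')}")
    if total_sleep_ms >= STALL_THRESHOLD_MS:
        evasion.append(f"stalling: {total_sleep_ms // 1000}s of Sleep")
    if len(cursor_samples) >= 2 and len(set(cursor_samples)) == 1:
        evasion.append("user-activity check: cursor never moved")
    if malicious:
        verdict = "malicious"
    elif evasion:
        verdict = "suspicious"  # evasive and silent is not the same as clean
    else:
        verdict = "clean"
    return {"verdict": verdict, "malicious": malicious, "evasion": evasion}


if __name__ == "__main__":
    for name, trace in (("dropper", DROPPER_TRACE), ("evasive-only", EVASIVE_ONLY_TRACE)):
        result = analyse(parse_trace(trace))
        print(name, result["verdict"], *result["malicious"], *result["evasion"], sep="\n  ")
```

The "suspicious" verdict is the practical point: a sample that sleeps for five minutes or exits the moment it sees a VBox driver has told the analyst something, and the right response is a longer run on a less detectable environment (the second sandbox goal) or a hold on delivery, not a clean verdict because no payload was observed.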


PINEAPP MAIL SECURE SANDBOXING MODULE

After first passing through the PineApp Mail Secure Solution for standard spam and virus protection, emails and attachments are fingerprinted and checked against an existing database of known files. If a file has never been seen before, it is analyzed using the system emulator, which monitors the execution of every instruction and can spot evasive techniques that other sandboxes miss. When malware is detected, the message is quarantined and alerting measures are triggered.

FILE TYPES ANALYZED:

All Windows executable files, Adobe PDF, MS Office, .apk, .zip, etc.

[Flow diagram: Sender → Inbound Email & Attachment → Mail Secure Spam & Virus Scan → Check Point SandBlast → Recipient, all within PineApp Mail Secure]
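The pipeline above, as an added example that is not PineApp Mail Secure code: attachments are pulled out of the message, typed by their magic bytes rather than by the filename the sender chose, fingerprinted with SHA-256 and looked up in a verdict cache (standing in for the fingerprint database); only an unseen file is handed to the analyzer (standing in for the system emulator), its verdict is stored, and a malicious verdict quarantines the message. Archives are expanded with a depth and size limit so a nested or oversized zip cannot stall the gateway. The message, its two attachments and the single-rule analyzer are constructed for illustration; the rule itself (an executable carrying a document extension) is a real and common lure.

```python
"""Attachment triage: fingerprint, look up, analyse only what is unseen (added example)."""
import email
import hashlib
import io
import zipfile
from email import policy

# Constructed message: "invoice.pdf" is really a Windows executable; "terms.pdf" is a PDF.
SAMPLE_EMAIL = b"""\
From: accounts@example.test
To: victim@example.test
Subject: Invoice 4471
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

See attached.
--b1
Content-Type: application/pdf; name="invoice.pdf"
Content-Disposition: attachment; filename="invoice.pdf"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAA=
--b1
Content-Type: application/pdf; name="terms.pdf"
Content-Disposition: attachment; filename="terms.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQKJSBjb25zdHJ1Y3RlZCBzYW1wbGUK
--b1--
"""

MAX_ARCHIVE_DEPTH = 2                # nested zips are expanded, but not forever
MAX_MEMBER_BYTES = 50 * 1024 * 1024  # members larger than this are not inflated (zip bombs)


def sniff_type(data):
    """Classify by magic bytes, never by the filename or the declared Content-Type."""
    if data[:2] == b"MZ":
        return "exe"
    if data[:5] == b"%PDF-":
        return "pdf"
    if data[:2] == b"PK":
        try:
            names = zipfile.ZipFile(io.BytesIO(data)).namelist()
        except zipfile.BadZipFile:
            return "unknown"
        if "AndroidManifest.xml" in names:
            return "apk"
        if "[Content_Types].xml" in names:
            return "office"
        return "zip"
    return "unknown"


def triage_blob(name, data, cache, analyzer, depth=0):
    """Return [(name, sha256, type, verdict, source)] for data and any archive members."""
    digest = hashlib.sha256(data).hexdigest()
    kind = sniff_type(data)
    if digest in cache:                 # seen before: reuse the stored verdict
        verdict, source = cache[digest], "database"
    else:                               # never seen: this is what the emulator is for
        verdict = analyzer(name, kind, data)
        cache[digest] = verdict
        source = "emulator"
    results = [(name, digest, kind, verdict, source)]
    if kind == "zip" and depth < MAX_ARCHIVE_DEPTH:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            for member in z.infolist():
                inner = f"{name}!{member.filename}"
                if member.file_size > MAX_MEMBER_BYTES:
                    results.append((inner, None, "zip-member", "blocked", "size-limit"))
                    continue
                results.extend(triage_blob(inner, z.read(member), cache, analyzer, depth + 1))
    return results


def triage_message(raw, cache, analyzer):
    """Return ('quarantine' | 'deliver', findings) for one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True)
        if data:
            findings.extend(triage_blob(part.get_filename() or "unnamed", data, cache, analyzer))
    action = "quarantine" if any(f[3] in ("malicious", "blocked") for f in findings) else "deliver"
    return action, findings


def mismatch_analyzer(name, kind, data):
    """Single static rule standing in for the emulator: content must match the claimed extension."""
    claimed = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if kind == "exe" and claimed != "exe":
        return "malicious"              # executable disguised as a document
    return "clean"


def build_zip(members):
    """Construct an in-memory zip from {name: bytes}; used to exercise archive expansion."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for n, d in members.items():
            z.writestr(n, d)
    return buf.getvalue()


if __name__ == "__main__":
    verdict_db = {}
    for _ in range(2):                  # second pass hits the database, not the emulator
        action, findings = triage_message(SAMPLE_EMAIL, verdict_db, mismatch_analyzer)
        print(action, [(f[0], f[2], f[3], f[4]) for f in findings])
```

Two design points carry over to a real deployment: the fingerprint is computed over the decoded attachment bytes, so a re-encoded or renamed copy of a known sample still hits the database, and the archive walk fingerprints every member individually, so a known-bad executable is recognised even when it arrives inside a fresh, never-seen zip.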


PINEAPP MAIL SECURE SOLUTION MODULES


CYBONET | p. +1.646.883.3455 | e. [email protected] | www.CYBONET.com

©2016 Cybonet, Ltd., All Rights Reserved. Reproduction in whole or in part in any form or medium without express written permission is prohibited. Cybonet and the Cybonet logo are registered trademarks. Cybonet believes that the information in this publication is accurate as of its publication date; such information is subject to change without notice.