A typical targeted attack:
1. Initial exploit
2. PowerShell initiated
3. PowerShell injects malicious code in memory and creates hidden persistence
4. Remote access maintained
5. All artifacts removed except for the in-memory payload and hidden persistence
Targeted attacks are 100% successful
Targeted attacks are not just malware
The financial services and banking industry has been a victim of targeted attacks that compromise critical systems and steal sensitive personally identifiable information (PII). These attacks are human driven, well planned and sophisticated, with a specific objective such as financial gain, reputational damage or even destruction. Targeted attacks are not just malware based but use advanced techniques that were formerly only available to well resourced nation state adversaries.
A recent 2016 targeted attack hit over 140 enterprises globally, including banking, government and telecom organizations. The attack didn't use malware, but rather leveraged legitimate tools to compromise critical systems while existing only in memory.
Attackers integrate multiple attack vectors, such as exploits, fileless memory-based attacks and malware-less techniques, and are 100% successful at compromising enterprises.
[Timeline figure: targeted attacks from 2010 (nation state) through 2015 (nation state and crime) to 2016 (crime): Stuxnet, Shamoon (Saudi oil), NetTraveler, N. Korea SWIFT attack, APT28 (Russia, DNC), Shamoon2, Dridex, Odinaff]
NEXT-GEN AND NICHE SOLUTIONS ARE TOO LATE TO STOP DAMAGE AND LOSS
Targeted attacks are evolving rapidly, evading point products, legacy EDR solutions and enterprise platforms alike. Most security programs have next-gen AV or niche products. These are point solutions that stop a specific attack vector such as malware or exploits, or they depend on stale intelligence, known IOCs and slow rules-based technology. It's not just the sophistication of the attacks that defeats defenses. Speed kills too.
IOC search based tools require skilled analysts, often with prior knowledge of an attack, and time to build sophisticated queries to detect each piece of an attack and orchestrate a response in time to stop damage and loss. Legacy EDR technologies are sold with expensive managed services because they're difficult to maintain (e.g. curating rules) and have efficacy challenges. Compromise is inevitable, but breaches can be stopped. Because breaches can be catastrophic, enterprises must design their security programs to achieve zero breach tolerance.
Endgame is an endpoint security solution that enables enterprises to achieve zero breach tolerance and stops all targeted attacks and their components: malware, ransomware, exploits, and malware-less and fileless attacks that bypass enterprise defenses.
TARGETED ATTACKS ARE INCREASING IN LETHALITY
Attacks targeting banks and financial services have reached new heights, with the $81 million digital heist on the Bangladesh Central Bank in 2016 and the Carbanak group reeling in up to $1 billion worldwide from the financial industry since 2013. Dridex and Odinaff, two targeted banking attack campaigns run by crimeware groups, use multiple advanced vectors with the sophistication of nation state hackers. These attacks epitomize how cybercriminals are employing targeted attacks for financial gain, leveraging nation-state sophistication. The National Crime Agency in the UK believes the Dridex campaign may be one of the costliest attacks in the financial sector, with global losses exceeding $100 million.
DRIDEXV4 ATTACK LIFE-CYCLE
Initial Compromise (Exploit):
- Numerous exploit methods observed
Attacker Entrenches (Entrench, Propagate):
- Code injection via the AtomBombing technique to gain execution
- Random legitimate Windows binaries dropped to new directories
- Malicious DLLs dropped in the same directories for DLL side loading
Attacker Pivots (Evade, Collect):
- Running in explorer.exe
- Creates a firewall rule to allow C2
- Collects and steals banking information
Theft (Execute, Breach):
- Employs stolen credentials for massive theft
Dridex malware campaigns have used phishing campaigns to deploy Locky ransomware in the past, and recently exploited a zero-day vulnerability in Microsoft Office to target millions of people. The attacker can take over the machine when the victim simply opens an attachment. The exploited vulnerability, a remote code execution bug, shows an increase in the sophistication of the Dridex malware campaigns. Similarly, DridexV4 is credited with the first use of AtomBombing code injection in the wild. AtomBombing allows attackers to evade detection, and has been deployed in version 4 of the financial trojan in conjunction with the ability to track victims to bank sites and steal banking credentials and financial data. The code injection added to Dridex makes it harder to detect, shuffling things up for detection mechanisms, and thus requires protection layers on endpoints to prevent it from deploying.
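The entrenchment steps in the DridexV4 life-cycle (a legitimate Windows binary copied to a new directory with a malicious DLL beside it for side-loading, a firewall rule opened for C2, and a PowerShell loader as in the typical attack diagram) each leave an endpoint event that a detection rule can match. The following is an added example, not Endgame's code and not taken from the brochure: three such rules run over constructed Sysmon-style events. The directory allow-lists, the sample binary and DLL names, the event field names and the events themselves are assumptions.

```python
"""Added example (not Endgame's code): three detection rules for the DridexV4
entrenchment steps, run over constructed Sysmon-style events. The directory
allow-lists, binary/DLL names, field names and events are assumptions."""
import re
from pathlib import PureWindowsPath

# Assumption: directories where Windows binaries legitimately execute from.
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32", r"c:\windows\syswow64"}
# Assumption: a small sample of Windows binaries and DLLs abused for side-loading.
SYSTEM_BINARIES = {"explorer.exe", "dwm.exe", "notepad.exe", "rundll32.exe"}
SYSTEM_DLLS = {"version.dll", "dbghelp.dll", "userenv.dll", "wininet.dll"}


def _dir(path: str) -> str:
    return str(PureWindowsPath(path).parent).lower()


def _name(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def is_dll_sideload(event: dict) -> bool:
    """ImageLoad: a system-named binary running outside the system directories
    loads a system-named DLL from its own directory (Dridex drops both together)."""
    if event["type"] != "ImageLoad":
        return False
    image, dll = event["Image"], event["ImageLoaded"]
    return (_name(image) in SYSTEM_BINARIES
            and _dir(image) not in SYSTEM_DIRS
            and _name(dll) in SYSTEM_DLLS
            and _dir(dll) == _dir(image))


NETSH_ALLOW = re.compile(r"netsh\s+advfirewall\s+firewall\s+add\s+rule\b.*\baction=allow\b", re.I)
NETSH_PROGRAM = re.compile(r'program=(?:"([^"]*)"|(\S+))', re.I)


def is_c2_firewall_rule(event: dict) -> bool:
    """ProcessCreate: netsh adds an allow rule for a program that does not live
    in a system or Program Files directory (Dridex opens its own C2 path)."""
    if event["type"] != "ProcessCreate":
        return False
    cmd = event["CommandLine"]
    if not NETSH_ALLOW.search(cmd):
        return False
    m = NETSH_PROGRAM.search(cmd)
    if m is None:
        return True  # an allow rule with no program scope is worth a look on its own
    program_dir = _dir(m.group(1) or m.group(2))
    return program_dir not in SYSTEM_DIRS and not program_dir.startswith(r"c:\program files")


# Flags typical of in-memory PowerShell loaders (the "legitimate tool" in the attack diagram).
PS_FLAGS = re.compile(r"-(?:enc(?:odedcommand)?|nop|noprofile|w(?:indowstyle)?\s+hidden|ep\s+bypass)\b", re.I)


def is_suspicious_powershell(event: dict) -> bool:
    """ProcessCreate: powershell.exe launched with two or more evasion flags."""
    return (event["type"] == "ProcessCreate"
            and _name(event["Image"]) == "powershell.exe"
            and len(PS_FLAGS.findall(event["CommandLine"])) >= 2)


RULES = {
    "dll_sideload": is_dll_sideload,
    "c2_firewall_rule": is_c2_firewall_rule,
    "suspicious_powershell": is_suspicious_powershell,
}


def triage(events):
    """Return (rule, host) pairs for every event that matches a rule."""
    return [(name, e["host"]) for e in events for name, rule in RULES.items() if rule(e)]


# Constructed sample events; paths and command lines are illustrative only.
SAMPLE_EVENTS = [
    {"type": "ImageLoad", "host": "wks-17",
     "Image": r"C:\Users\Public\Libraries\dwm.exe",
     "ImageLoaded": r"C:\Users\Public\Libraries\version.dll"},
    {"type": "ImageLoad", "host": "wks-22",
     "Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll"},
    {"type": "ProcessCreate", "host": "wks-17",
     "Image": r"C:\Windows\System32\netsh.exe",
     "CommandLine": 'netsh advfirewall firewall add rule name="Core Networking" '
                    'dir=in action=allow program="C:\\Users\\Public\\Libraries\\dwm.exe"'},
    {"type": "ProcessCreate", "host": "wks-22",
     "Image": r"C:\Windows\System32\netsh.exe",
     "CommandLine": 'netsh advfirewall firewall add rule name="Chrome" '
                    'dir=in action=allow program="C:\\Program Files\\Google\\Chrome\\chrome.exe"'},
    {"type": "ProcessCreate", "host": "wks-17",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA"},
    {"type": "ProcessCreate", "host": "wks-22",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -File C:\scripts\inventory.ps1"},
]

if __name__ == "__main__":
    for rule, host in triage(SAMPLE_EVENTS):
        print(f"{host}: {rule}")
```

Run stand-alone, the script reports all three findings on wks-17 and nothing on wks-22, whose notepad.exe loads version.dll from System32 and whose firewall rule scopes a Program Files binary. The side-loading rule keys on location, not on file hashes, which is the point: the dropped binary is a genuine, signed Windows file and would pass any signature or reputation check.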
“Dridex is one of the most nefarious banking Trojans active in the financial cybercrime arena”
ENDGAME STOPS ON-GOING DRIDEX IN 5 MINUTES ACROSS 50,000 ENDPOINTS

WITHOUT ENDGAME: In-memory investigation
1. Tier 1 analyst gets an alert for an anomalous endpoint event
2. Tier 1 analyst escalates to Tier 2/3
3. Tier 2/3 investigates using network indicators and Sysinternals and determines the machine is compromised: 20 min
4. Tier 3 does memory forensics, taking a memory dump of a single endpoint [8 GB]: 10 min
5. Tier 3 analyzes memory using a third-party tool such as Rekall or Volatility: 120 min
6. Remediate the single endpoint and reimage: 10 min
7. Subtotal: 160 minutes of Tier 3 analysis on 1 offline machine
8. Pivot across 50K endpoints: 53 years, 3 months, 4 days, 7 hours, 6 minutes and 41 seconds

WITH ENDGAME: In-memory investigation
Tier 1 analyst: 5 minutes
Endgame stops targeted attacks and all of their components with a single agent, responding across hundreds of thousands of endpoints before damage and loss.
ENDGAME STOPS TARGETED ATTACKS AND THEIR COMPONENTS
Endgame prevents, detects and hunts for targeted attacks and all their components across hundreds of thousands of endpoints, before damage and loss occurs. Our single agent protection technology, unlike any other solution, stops malware, exploits, malware-less and fileless attacks, and ransomware.
- Patent-pending Hardware Assisted Control Flow Integrity (HA-CFI) technology and Dynamic Binary Instrumentation (DBI) block zero-day exploits and malicious macros before malicious code execution.
- Endgame MalwareScore™, one of the few signature-less engines running in VirusTotal, prevents execution of over 99% of known and unknown malware.
- Patent-pending process injection protection prevents fileless attacks designed to evade existing defenses.
- Endgame behavioral protection has been tested against over forty ransomware families, including WannaCry, Locky and CryptoLocker, and stops 96% of attacks before damage and loss.
- Endgame Artemis™, an AI security mentor, automates analysis and response across hundreds of thousands of endpoints, ensuring operators restore them with zero disruption before damage and loss occurs.
Single dissolvable agent, full stack protection
STOP ALL TARGETED ATTACKS
ELIMINATE COSTLY IR AND FORENSIC RETAINERS
REDUCE COMPLEXITY
[Diagram: a single agent covering the deploy, collect, analyse and respond cycle against exploits, malware, fileless attacks, malware-less attacks, ransomware and persistence]
- Easy deployment and management
- Dissolvable or persistent
- In band and out of band
- Real time event collection for file, registry, user, process, network, netflow and DNS
- Complete attack lifecycle analysis
- Live memory analysis stops in-memory attacks
- One click response
- Zero business disruption
HA-CFI™: exploit prevention that stops 0-days and malicious macros before code execution
MalwareScore™: signature-less malware prevention that prevents 99% of known and unknown malware
Patent-pending process injection protection and fileless attack detection that prevent fileless attacks
Endgame attacker technique protection stops misuse of legitimate tools, e.g. PowerShell
Endgame behavioral protection stops ransomware attacks before damage and loss
Malicious persistence analytics stop adversary entrenchment in minutes across 50,000 endpoints
Endgame Stops All Targeted Attacks
Single Agent Single Console for Prevention And Response
Endgame’s hardware assisted, and signature-less prevention technology stops all attack components.
Streamlined response in time to stop damage and loss.
Eliminate Costly IR and Forensic Retainers
Endgame Artemis™ is the first machine learning powered chatbot for Tier 1 analysts, letting them restore 50,000 endpoints in minutes. Example questions:
"Artemis, is anyone misusing PowerShell in the enterprise?"
"Artemis, are there any ongoing in-memory attacks in the new partner network?"
"Artemis, did any endpoint transmit more than 5M to an external IP that it never transmitted to before?"
"Artemis, kill process with hash 0c44298fc1c14b92427934ca495991b7852b85598fc1c14b92 on all enterprise endpoints."
"Artemis, how did file 'x' get on my network and where else is it?"
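The third question above is a concrete hunting query: for each endpoint, find external destinations it has never sent data to before and sum what it sent them in the current window. The block below is an added example of that logic over constructed netflow records; it is not Endgame or Artemis code. The RFC 1918 reading of "internal", the interpretation of "5M" as 5,000,000 bytes, and the flow records are assumptions.

```python
"""Added example (not Endgame or Artemis code): the hunt behind "did any endpoint
transmit more than 5M to an external IP it never transmitted to before", run over
constructed netflow records. Internal ranges, the byte threshold and the flows
are assumptions."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumption: the enterprise uses RFC 1918 space; anything else is "external".
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]
THRESHOLD_BYTES = 5_000_000  # assumption: "5M" means 5,000,000 bytes


def is_external(ip: str) -> bool:
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def hunt_new_egress(baseline, window, threshold=THRESHOLD_BYTES):
    """baseline and window are (src, dst, bytes_out) flow records.
    Returns {src: {dst: bytes}} for external destinations the source never
    contacted in the baseline and sent more than `threshold` bytes to in the window."""
    seen = defaultdict(set)
    for src, dst, _ in baseline:
        seen[src].add(dst)
    totals = defaultdict(lambda: defaultdict(int))
    for src, dst, nbytes in window:
        if is_external(dst) and dst not in seen[src]:
            totals[src][dst] += nbytes  # sum per destination: one big flow or many small ones
    hits = {}
    for src, dsts in totals.items():
        big = {dst: b for dst, b in dsts.items() if b > threshold}
        if big:
            hits[src] = big
    return hits


# Constructed records: 30 days of history, then today's flows.
BASELINE_FLOWS = [
    ("10.1.4.17", "203.0.113.10", 120_000),
    ("10.1.4.17", "198.51.100.5", 4_000),
    ("10.1.4.22", "203.0.113.10", 90_000),
]
TODAY_FLOWS = [
    ("10.1.4.17", "203.0.113.10", 7_000_000),   # large, but a known destination
    ("10.1.4.17", "192.0.2.77", 3_000_000),     # new destination ...
    ("10.1.4.17", "192.0.2.77", 2_500_000),     # ... 5.5 MB in total
    ("10.1.4.22", "192.0.2.77", 200_000),       # new but small
    ("10.1.4.22", "10.1.9.9", 50_000_000),      # internal file server
]

if __name__ == "__main__":
    for src, dsts in hunt_new_egress(BASELINE_FLOWS, TODAY_FLOWS).items():
        for dst, nbytes in dsts.items():
            print(f"{src} sent {nbytes:,} bytes to never-seen external {dst}")
```

Summing per destination matters: an exfiltration split into many sub-threshold flows still trips the rule, while a single large transfer to a destination already in the baseline does not, which is what "never transmitted to before" asks for. The baseline is the part that needs the event collection the brochure describes (netflow per endpoint over a long enough history); without it every destination looks new.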
The Endgame Value
- Stop damage and loss
- Reduce cost and impact of IR
- Reduce operational costs
- New productivity, not new people
About Endgame
Endgame is a leading endpoint security platform that enables enterprises to close the protection gap against advanced attacks and detect and eliminate resident adversaries. Endgame transforms security operations teams and incident responders from crime scene investigators into hunters preventing damage and loss, and dramatically reduces the time and cost associated with incident response and compromise assessment. Our IOC-independent platform covers the entire attack lifecycle, leveraging machine learning and data science to uncover, in real time, unique attacks that evade traditional defenses and to respond precisely without disrupting normal business operations.
WWW.ENDGAME.COM 3101 WILSON BLVD, ARLINGTON, VA 22201