Detección y mitigación de amenazas con Check Point

©2012 Check Point Software Technologies Ltd. [PROTECTED] — All rights reserved.
Check Point Threat
Control

2©2012 Check Point Software Technologies Ltd. [PROTECTED] — All rights reserved. |
Agenda
1 Modern Malware: Risks and Challenges
Collaborative Security Intelligence: ThreatCloud™2
Anti-Bot Software Blade3
Unified Threat Prevention Solution5
Antivirus Software Blade4

Today’s Threat Landscape
Organizations believe they have
been the target of an APT attack
159%
1 ESG APT Survey October 2011
2 Ponemon 2nd annual cost of cybercrime study Aug 2011
3 Kaspersky research labs 2011
4 Sophos Security Threat Report 2011
Experienced a Bot attack
in the past year
282%
Known attacks per day3
10 Million
A new malware is created4Every
Second
With today’s multiple vectors of attacks 
Multi-layer Real-time Solution Needed

4©2012 Check Point Software Technologies Ltd. | [Confidential] For Check Point users and approved third parties |
ThreatCloud™ First Collaborative Network
to Fight Cybercrime
Check Point
ThreatCloud™
Over 250 Million
Addresses
Analyzed for Bot
Discovery
Over 4.5 Million
Malware
Signatures
Over 300,000
Malware-Infested
Sites
Up-to-the-Minute
Security Intelligence

ThreatCloud™ -
Dynamically Updated Intelligence
Industry-best
malware feeds
Malware
Sites Signatures
Bot addresses
Collect attack
information from
gateways
Global network of
sensors to identify
emerging threats
Check Point
ThreatCloud™
SensorNET

The SensorNET System
SensorNET provides a global set of observation points in the network
feeding threat observations back to a central analysis point.
Check Point’s position enables wide access to data points in the
network.

SensorNET Collects Attack Information
Attack Name: Web Client Enforcement Violation;
Protection name: Microsoft IE argument handling
memory corruption vulnerability (MS08-045)
Protection Type: signature; rule: 3;
Destination: 81.0.0.41
Source: N1.H291;
proto: tcp; product: IPS SW blade;
service: http; s_port: 5707;
Severity: High; Confidence: High
The Attack
Sensitive
customer data is
hidden
Probe identifies an attack
Attack information
sent to ThreatCloud™

SensorNET Analyzes Attack Information
Analyzes threat landscape
Multiple attacks
Same IP address
identified

New protections sent to Check Point
gateways
Identify Bot attack
and Update Check Point gateways
Further analysis
show IPs are bot
C&C addresses
New bot C&C
address protection
sent to gateways
CheckPoint
ThreatCloud™

ThreatCloud™ -
Industry-best
malware feeds
Malware
Sites Signatures
Bot addresses
Collect attack
information from
gateways
Global network of
sensors to identify
emerging threats
Check Point
ThreatCloud™
SensorNET

Collect Bot Attack Info From GWs
Run classifier
Expert analysis
Identify infection and
send potential C&C
address to ThreatCloud
Analyze address in
Check Point Labs
Add to ThreatCloud
C&C address DB –
protect ALL GWs
ThreatCloud™

Collect Bot Attack Information From GWs
Map Cyber criminal
network
• Gather bot security events from GWs
• Analyze Bot DB data in Check Point Labs
• Identify different resources (IPs) used
by the same botnet

Collect Bot Attack Information From GWs
Identify Trends
• Gather bot security events from GWs
• Analyze Bot DB data in Check Point Labs
• Identify attack trends (geography)

ThreatCloud™ -
Industry-best
malware feeds
Malware
Sites Signatures
Bot addresses
Collect attack
information from
gateways
Global network of
sensors to identify
emerging threats
Check Point
ThreatCloud™
SensorNET

ThreatCloud™ Model: High
Performance with Extended Protection
Threat Database is kept in the cloud
Download updates to
the gateway
Gateway consults
the cloud
 Malicious URLs
 Real time signatures
 C&C IP Addresses
 Binary Signatures
 Heuristic Engine
 Traffic Anomaly Check
Security updates
normalized to the
ThreatCloud
Extended Protection
High Performance

First Integrated Anti-Bot Network Solution
Discover and stop
Bot outbreaks and APT attacks
Check Point Anti-Bot Software Blade –
Now available!
16©2011 Check Point Software Technologies Ltd. | [PROTECTED] – All rights reserved |

Botnet Operation: The Infection
Infection
 Social engineering
 Exploiting vulnerability
 Drive-by downloads
Download Egg
 Small payload
 Contains initial
activation sequence
 Egg downloaded
directly from infection
source or
source, such as
Command & Control
server
C&C Server

Botnet Operation: Self -Defense
Self Defense
 Stop Anti-Virus
service
 Change ―hosts‖ file
 Disable Windows
Automatic Updates
 Reset system
restore points
Command
& Control
Server

Botnet Operation: The Damages
Payload Pull
Command
& Control
Server
 Spam
 Denial of Service
 Identity Theft
 Propagation
 Click fraud

Prevent
Bot damage
Stop traffic to
remote operators
Discover
Bot infections
Multi-tier
discovery
Anti-Bot Software Blade
Extensive
forensics tools
Investigate
Bot infections
DISCOVER and STOP Bot Attacks

ThreatSpect™ Engine
Reputation
 Detect Command & Control sites and drop zones
 Over 250 millions addresses in ThreatCloud™
 Real time updates
Network
Signatures
 Over 2000 bots’ family unique communication
patterns
 Dozen of behavioral patterns
Suspicious
Email Activity
 Over 2 million outbreaks
ThreatSpect™ Engine
Maximum security with
multi-gig performance

Anatomy of Discovering a Bot
(ThreatSpect™ Engine)
ThreatCloud™
Reputation Engine
in the cloud
 Using smart
caching to minimize
number of queries
to the cloud
Resource
(IP/URL/DNS)
C&C

ThreatCloud™
Check for Signatures
in the gateway
 Multi-connection
communication
patterns (unique
per botnet family)
 Bot behavioral
patterns

ThreatCloud™
Check suspicious
Email activity
Mail params
(obfuscated)
Bot-based spam  Outbound mail
analysis to identify
Spam sent from the
organization
 Mails normalized,
parameters extracted
 All customer data is
obfuscated

Bot Damage Prevention
Bot remote
operator
Stop Traffic between
Infected Hosts and Remote Operator
Stop
Data Theft
Enable User
Work Continuity
Performance
Over 40Gbps*

26©2012 Check Point Software Technologies Ltd. | [Restricted] ONLY for designated groups and individuals |
Enhanced Network
Antivirus Software Blade
Up-to-the-minute protection
using ThreatCloud™
26
Providing extended malware protection

Antivirus Software Blade
Constantly
updated
Security intelligence
with ThreatCloud™
Prevent
Access to
Malicious Sites
Over 300,000 sites!
Stop Incoming
Malware Attacks
R75.40
Signatures
[Million]
300xProtect with 300x
more signatures!
R75.20
4.5-
0-
Extended Protection using ThreatCloud™

Antivirus Software Blade Architecture -
Prevent Access to Malware-infested Resources
ThreatCloud™
Check Connection –
Reputation Engine:
IP/DNS/URLs with
malware
 Prevent
connections to
resources that
contain malware
 Prevent drive-by-
downloads attacks
 Hundred of
thousands of
addresses
Address
Malware
containing site

Antivirus Software Blade Architecture –
Stop Incoming Malicious Files
ThreatCloud™
Check Signatures in
the gateway
 Files analyzed
against a set of
signatures
downloaded in the
gateway
 Limited number
of signatures
compared to the
cloud

ThreatCloud™
File unique
identifier (MD5)
File is
malicious
Check Signatures in
the cloud
 Real time update
and availability of
new malware
signature
 Granular signature
database
 Only MD5
Checksum is sent
to the cloud – high
performance

ThreatCloud™
Check for unknown
malware –
Heuristic Engine in
the gateway
4
 Utilizes Sandbox to
detect unknown
‘zero day’ infections
 Check for archive
files only
 Buffers entire file
 Easily configurable
to ensure optimal
user experience
Registry
OS files

Agenda
1 Modern Malware: Risks and Challenges
Collaborative Security Intelligence: ThreatCloud™2
Anti-Bot Software Blade3
Unified Threat Prevention Solution5
Antivirus Software Blade4

Unified Anti-Bot and Antivirus
Threat Prevention
Antivirus + Anti-Bot
Unified Policy
Settings
Unified Malware
Analysis

Policy Model – The Rule Base
Scope:
contains network objects to be
protected by the rule in question
Action:
Indicates which Profile
to activate

Unified Malware Report
See the BIG malware picture

The Threat Wiki
Search the ThreatCloud™
repository for a malware
Filter by Category or malware family
Learn more about a
malware

Check Point Multi-layer Threat Prevention
Keep Your Edge Against Advanced Threats
Check Point Integrated Threat Prevention Solution
Powered by ThreatCloud™
Antivirus Software Blade prevents incoming malware infections
and access to malware containing sites
ThreatCloud™ provides security gateways with
real-time security intelligence
IPS Software Blade Prevents Attacks using Known and
Unknown Vulnerabilities
Anti-Bot Software Blade Detects bots and stops bot damage

Closing the Gap:
Threat Emulation

Agenda
1 The contemporary world of exploits
2 Introduction to threat emulation
3 Check Point Threat Emulation Solution
4 Summary

Exploits are here to stay
 Number of critical exploits which allow the attacker to execute arbitrary
code, published in 2011 alone
– 5 JRE exploits
– 10 Chrome exploits
– 26 Office exploits
– 27 Internet Explorer exploits
– 60 Firefox exploits
– 48 Acrobat reader exploits
– 56 Flash player exploits
 On average, every 1.5 days
– Previously unknown (and thus, unprotected against) exploit is published
– Targeting software installed virtually on every PC
 We have no reason to believe that the upcoming years will be different
Source: www.cvedetails.com
Anyone with decent technical capabilities who
knows about the exploit before it is
published, have a ‗zero-day‘ attack which can be
used in order to run arbitrary code on your
network.

Signature based tools are not enough
 IPS/ Anti Virus work by
– Looking into specific patterns
– Enforce compliance of protocols to standards
– Detect variations from the protocols
 They are limited in protecting from:
 Unknown (zero day) attacks
 Attack variations / obfuscated attacks
 An updated IPS is a very good tool against known attacks and some of
the unknown attacks.
 Not enough to protect from unknown attacks.
– We need a different approach!
Attack obfuscation is a commodity
nowadays; for example, at styx-crypt.com
you can create an obfuscated version of a
malicious PDF for 25$ per file, quantity
discounts apply
Another example – the Zeus malware isn‘t
sold directly. A ‗Zeus Builder‘ is
sold, allowing to generate another
malware variant in a click

CVE-2008-2641 as an example
 JavaScript vulnerability in Acrobat Reader
 Heap Spray attack – Java Script code which ‗fills‘ the heap
with shell code, and allows arbitrary code execution when
Acrobat ‗crashes into it‘
 How can you sign it?
– There are infinite ways to implement the attack (using
recursion, loops, whiles, divisions to functions, etc.)
– Writing code that understand code (without running it) is
hard
– PDF document can contain sections which are
encoded/compressed in various algorithms
– Engines must be constantly updated to support new acrobat
features.
Actual code that performs get to fdf.p-
.kkk.xgx78i6p6rlv0.readnotify.com
Bottom line:
Signature based tools are not enough against
advanced attacks

Gartner, Aug 2011 - Strategies for
Dealing With APT - Quotes
―Through year-end 2015, financially motivated
attacks will continue to be the source of more
than 70% of the most damaging cyberthreats‖
―…these are not noisy, mass attacks that are
easily handled by simple, signature-
dependent security approaches.‖
―Targeted attacks often use custom-created
executables that are rarely detected by
signature based techniques‖
―Gartner estimates that, for the average
enterprise, 4% to 8% of executables that pass
through antivirus and other defenses are
malicious‖
Key Finding – ―Simply adding more layers of
defense does not necessarily increase
security against targeted threats — security
controls need to evolve”

Agenda
4 Summary

Threat emulation – malicious
attachment example
Email with malicious
attachment

Threat emulation – malicious
attachment example
Email with malicious
attachment
Extracting attachments
Emulation
During the emulation, the attachment is opened on several emulated machines –
from XP to Windows 7, and the entire system activity is monitored for unexpected
behavior. We monitor network activity, file system & registry changes, process
activity and more.
Clean
Malware detected
We know what should happen on the machines when opening a legitimate
document (‗White List‘), thus we can safely consider any document which causes
the machine to do something else as malicious.
Intercepted by Threat
Emulation Blade

Real detection of malware ‘Pdfjsc.XD’,
leveraging CVE-2011-0609
Drops malware (‗rthdcpl.exe‘)
Execute the dropped malware
Detected by threat emulation
(alpha version)

Agenda
4 Summary

Stop stealth
malware
Detect malware based on
what they do, regardless
of signatures
Stop Unique
exploitation
Attacks
Stop data
exfiltration
Threat Emulation Software blade
DISCOVER and STOP advanced attacks
Detect unsigned zero-
day and attack variants
A true ability to stop the
advanced tools used for
the cyber warfare

How would you like your threat
emulation?
Dedicated
appliance
For medium to large
deployments
Existing
gateway
Leveraging your
existing
investment, when
your gateways have
enough horsepower
In the cloud
Same great
capabilities without
the need for local
emulation resources
It comes in different sizes and shapes

Dedicated emulation gateway
Perimeter Firewall
Threat Emulation
Gateway
Data Center Firewall
DMZ
Reassembled docs
sent for emulation
Small
performance
impact

Threat emulation is part of Check Point ThreatCloud
Check Point Threat Cloud - The Power
of Collaboration
Previously unknown
attack detected by the
Threat Emulation Engine
Real-time
Updates
Attack Information Shared Across Organizations
Attack data

Architecture
IPS AVAnti-Bot
Signature Scan by Threat
prevention blades
Kernel
Reassembly Module
Compose and reassembly
documents received
SecureXL
(Multi-Core)
Policy / rulebase check
User Space
Emulation Module
ThreatCloud
Virtual Machines
• Run Emulation and
check for bad behavior
• Run forensics checks
Open and Execute
multiple docs in
multiple machines
SmartEvent

Threat Emulation Engine
 High performance – supports up to 100,000
unique files per day
 Support Check Point provided OS images and
custom images
 Emulation of documents and executable files
 Deep inspection of the system – file system, API
calls, network, registry, memory and more.
 Anti-VM detection capabilities

Pre-Emulation Static Filtering
 Contemporary documents range from very simple
to ultra complex
 Usually, the risk factor of a document varies
according to the number of advanced feature it
utilize
–E.g. JavaScript support in Acrobat reader
 The pre-emulation static filtering process allows
skipping documents which contains only safe
features
– Filters are constantly updated
 Filters ~70 – 80% of the documents

Granular Policy
 Anti Bot & Anti Virus Rule base now includes also
Threat Emulation
Threat Emulation profile controls the emulation
configuration:
Where to emulate – Locally, other gateway or cloud
How – which images to use, use static analysis, …
Threat Emulation allows you to define not only the
inspected machines (via IPs of machines to
scan), but also scope according to email address.
Integrated with identity awareness to match the
right profile according to the user identity

Encrypted traffic support
 Just because traffic is encrypted doesn‘t mean the file
transferred isn‘t malicious
 Integration with Check Point SSL Inspection
– Visibility into encrypted web traffic
 Integration with Microsoft Exchange
– Allowing visibility to SMTP over TLS
– Using a dedicated Agent

Stop stealth
malware
Detect malware based on
what they do, regardless
of signatures
Stop Unique
exploitation
Attacks
Stop data
exfiltration
Threat Emulation Software blade
DISCOVER and STOP advanced attacks
Detect unsigned zero-
day and attack variants
A true ability to stop the
advanced tools used for
the cyber warfare

The DDoS
phenomenon
Increasing numbers of organizations
are affected by massive amounts of
traffic

What is an DoS Attack?
Denial-of-Service attack (DoS attack) an
attempt to make a machine or network
resource unavailable to its intended users.
Distributed Denial-of-service
attack (DDoS) is coordinated
and simultaneously launched
from multiple sources

DoS attackers can be
segmented into three
categories:
Motivations behind (D)DoS attacks?
Hacktivists
 Their motive, make social and political points
 Primarily through public IT disruption.
 ―Use of legal and/or illegal digital tools in
pursuit of political ends".
Nation State
Driven
 Presumably sanctioned by governments.
 Reasons, disrupting governmental operations.
 Stealing national secrets.
Financially
Motivated
Attackers
 DoS attacks are merely a diversion
 The actual objective is to steal information
 Lately instances of DoS "ransom attacks"

Cybercrime Trends for 2012
SQL
Injections
44%
APTs
35%
Botnet
33%
DDoS
32%
Ponemon Institute, May 2012
32%
DDoS
65% of Businesses Experienced Attacks
Average $214,000 of Damage Per Attack

DDoS ‘as a Service’
Pay per hour, no expertise needed!

Victims of Recent DDoS Attacks

DDoS Attack Examples
 Volumetric Attacks
– Fill the pipe
 DNS Amplification Attacks
– Using critical applications
as attack source
 SYN Attacks
– Simple way to use
resources
 Application Attack
– Renegotiate SSL Key
– Slow HTTP Post
– DNS Query flood

Volumetric Attacks
Victim
Mixture of
Valid Traffic
and Spoofed Traffic
Limited
Pipe
Attack
Target

DNS Amplification Attack Example
Simple DNS
Request Able to amplify DNS
request to victim
Attack
Target
Open
DNS Server
Attacker
Victim

SYN Attacks
Utilize State Table
on Firewalls
and Servers
Spoofed Traffic,
Random Sources
Attack
Target
Random
SYN Packets
Victim

Application Layer DDoS Attacks
 Exploit application weakness with Low&Slow attacks
Undetectable by threshold
‒ or volume-based solutions
New Application Attacks Are Stealthier…
 Utilize relatively low volume and fewer connections
 Used in conjunction with volume-based attacks

Real World of Real Attacks
 US Banking attacks
– Volumetric
– Application
– Continues and Dynamic
 DNSSEC Attack Example
– Ability to execute DDoS
Amplification attack
via US Gov
 Application low and slow attack
– Lets hold those HTTP connections open forever
– Very hard to find

DDoS and Traditional Security
Attackers Take Advantage of Traditional Security
 Firewalls track state of network
connections (Can be bottleneck)
 Firewalls allow legitimate traffic
(e.g. port 80 to web server)
 IPS allows legitimate request
(e.g. get http/1.0rn)
 Application Control allows legitimate
services (DNS or HTTP)

Traditional Firewalls Not Sufficient
Not Designed for Network and
Application DDoS Protection
 Basic rate based flood protection
affects all traffic
(Real users and attack traffic)
 Lacks Comprehensive Layer 7
DDoS protection
– Poor detection of sneaky attacks
– No filters to block attacks and
allow real traffic
– Administrators cannot create
custom signatures

Network
Flood
Server
Flood
Application
Low & Slow
Attacks
Layers Work Together
Protection Layers Flow
Allowed
Traffic

Decision Engine
Slide 74
Attack area
Suspicious
area
Normal
adapted area
Attack Degree = 5
(Normal- Suspect)
Abnormal rate
of Syn packetsNormal TCP flags
ratio
Flash crowd
Y-axis
X-axis
Z-axis
AttackDegreeaxis
Adaptive Detection Engine

Attack Degree = 10
(Attack)
Abnormal
high rate of
SYN
packets
SYN flood
Y-axis
X-axis
Z-axis
AttackDegreeaxis
Attack area
Suspicious
area
Normal
adapted area
Abnormal TCP flags
ratio
Slide 75
Adaptive Detection Engine

Check Point DDoS Protector™
Customized multi-layered DDoS protection
Protects against attacks within seconds
Integrated security management and expert support

+
Where to Protect Against DDoS
On-Premise Deployment
DDoS Protector Appliance
Cloud base service
DDoS Protector in the cloud
Scenarios: 1 2

Flexible Deployment Options
Ready to Protect in Minutes
Fits to Existing Network Topology
Optional Learning Mode Deployment
Low Maintenance and Support

Emergency Response and Support
Emergency
Response
Team
 Help from security experts when under
DoS attacks
 Leverage experience gathered from
real-life attacks
Check Point
Customer
Support
 World-class support infrastructure
 Always-on support 7x24
 Flexible service options

Integrated with
Check Point
Security
Management
Customized
multi-layered
DDoS protection
Ready to protect
in minutes
Blocks DDoS Attacks Within Seconds
Summary

Thank You

Detección y mitigación de amenazas con Check Point

Recommandé

Recommandé

Contenu connexe

Tendances

Tendances (20)

Similaire à Detección y mitigación de amenazas con Check Point

Similaire à Detección y mitigación de amenazas con Check Point (20)

Plus de Nextel S.A.

Plus de Nextel S.A. (20)

Dernier

Dernier (20)

Detección y mitigación de amenazas con Check Point

Notes de l'éditeur