Threat detection and mitigation with Check Point

©2012 Check Point Software Technologies Ltd. [PROTECTED] — All rights reserved. Check Point Threat Control

Upload: nextel-sa

Post on 06-May-2015


DESCRIPTION

Presentation by Ignacio Berrozpe of Check Point at the XV IT Security Day (XV Jornada de Seguridad TI) of Nextel S.A., held at the Alhóndiga in Bilbao on Thursday, 27 June 2013.

TRANSCRIPT

Page 1: Threat detection and mitigation with Check Point

Check Point Threat Control

Page 2

Agenda

1 Modern Malware: Risks and Challenges

2 Collaborative Security Intelligence: ThreatCloud™

3 Anti-Bot Software Blade

4 Antivirus Software Blade

5 Unified Threat Prevention Solution

Page 3

Today’s Threat Landscape

59% of organizations believe they have been the target of an APT attack [1]

82% experienced a bot attack in the past year [2]

10 million known attacks per day [3]

A new malware is created every second [4]

[1] ESG APT Survey, October 2011
[2] Ponemon 2nd Annual Cost of Cybercrime Study, August 2011
[3] Kaspersky Research Labs, 2011
[4] Sophos Security Threat Report 2011

With today’s multiple attack vectors, a multi-layer, real-time solution is needed.

Page 4

ThreatCloud™: First Collaborative Network to Fight Cybercrime

Check Point ThreatCloud™

Over 250 million addresses analyzed for bot discovery

Over 4.5 million malware signatures

Over 300,000 malware-infested sites

Up-to-the-minute security intelligence

Page 5

ThreatCloud™ – Dynamically Updated Intelligence

Industry-best malware feeds: malware sites, signatures, bot addresses

Collect attack information from gateways

Global network of sensors (SensorNET) to identify emerging threats

Check Point ThreatCloud™

Page 6

The SensorNET System

SensorNET provides a global set of observation points in the network feeding threat observations back to a central analysis point.

Check Point’s position enables wide access to data points in the network.

Page 7

SensorNET Collects Attack Information

Attack Name: Web Client Enforcement Violation; Protection name: Microsoft IE argument handling memory corruption vulnerability (MS08-045); Protection Type: signature; rule: 3; Destination: 81.0.0.41; Source: N1.H291; proto: tcp; product: IPS SW blade; service: http; s_port: 5707; Severity: High; Confidence: High

The Attack

Sensitive customer data is hidden

Probe identifies an attack

Attack information sent to ThreatCloud™

Page 8

SensorNET Analyzes Attack Information

Analyzes the threat landscape: multiple attacks, same IP address identified

Page 9

New protections sent to Check Point gateways

Identify bot attack and update Check Point gateways

Further analysis shows the IPs are bot C&C addresses

New bot C&C address protection sent to gateways

Check Point ThreatCloud™

Page 10

ThreatCloud™ – Dynamically Updated Intelligence

Page 11

Collect Bot Attack Info From GWs

– Run classifier

– Expert analysis

– Identify infection and send potential C&C address to ThreatCloud

– Analyze address in Check Point Labs

– Add to ThreatCloud C&C address DB – protect ALL GWs

ThreatCloud™

Page 12

Collect Bot Attack Information From GWs

Map cyber criminal network

• Gather bot security events from GWs
• Analyze Bot DB data in Check Point Labs
• Identify different resources (IPs) used by the same botnet
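The pipeline described on pages 7 to 12 (a gateway reports an event with the customer side hidden, and the central analysis correlates the same remote address across many gateways) can be shown in a few dozen lines. The following is an added example written for this page, not Check Point's code: the record layout is the one of the page-7 log line, but the gateway names, private source addresses, documentation-range destinations, the second attack name and the HMAC-based pseudonymisation scheme are all constructed for the example.

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed sample records in the "key: value; key: value" layout of the
# example log line on page 7. Gateway names, the private source addresses,
# the 198.51.100.0/24 and 203.0.113.0/24 destinations (documentation ranges)
# and the "Suspicious Outbound Beacon" attack name are made up for this example.
SAMPLE_RECORDS = [
    ("gw-madrid", "Attack Name: Web Client Enforcement Violation; Protection name: "
     "Microsoft IE argument handling memory corruption vulnerability (MS08-045); "
     "Protection Type: signature; rule: 3; Destination: 81.0.0.41; Source: 10.1.20.7; "
     "proto: tcp; product: IPS SW blade; service: http; s_port: 5707; "
     "Severity: High; Confidence: High"),
    ("gw-bilbao", "Attack Name: Web Client Enforcement Violation; Protection name: "
     "Microsoft IE argument handling memory corruption vulnerability (MS08-045); "
     "Protection Type: signature; rule: 3; Destination: 81.0.0.41; Source: 10.8.3.44; "
     "proto: tcp; product: IPS SW blade; service: http; s_port: 61020; "
     "Severity: High; Confidence: High"),
    ("gw-bilbao", "Attack Name: Suspicious Outbound Beacon; Protection name: "
     "Periodic HTTP callback pattern; Protection Type: behavioral; rule: 7; "
     "Destination: 198.51.100.23; Source: 10.8.3.44; proto: tcp; product: Anti-Bot SW blade; "
     "service: http; s_port: 61044; Severity: Medium; Confidence: Medium"),
    ("gw-madrid", "Attack Name: Suspicious Outbound Beacon; Protection name: "
     "Periodic HTTP callback pattern; Protection Type: behavioral; rule: 7; "
     "Destination: 203.0.113.9; Source: 10.1.20.7; proto: tcp; product: Anti-Bot SW blade; "
     "service: http; s_port: 5790; Severity: Medium; Confidence: Medium"),
    ("gw-lisboa", "Attack Name: Suspicious Outbound Beacon; Protection name: "
     "Periodic HTTP callback pattern; Protection Type: behavioral; rule: 7; "
     "Destination: 203.0.113.9; Source: 10.3.9.12; proto: tcp; product: Anti-Bot SW blade; "
     "service: http; s_port: 40011; Severity: Medium; Confidence: Medium"),
]

SITE_KEY = b"constructed-per-site-secret"  # would be generated and kept on the gateway


def parse_record(line):
    """Split a 'key: value; key: value' record into a dict with lower-cased keys."""
    fields = {}
    for segment in line.split(";"):
        key, sep, value = segment.partition(":")
        if sep:
            fields[key.strip().lower()] = value.strip()
    return fields


def pseudonymize(address, key=SITE_KEY):
    """Replace a customer address by a keyed one-way token: the reporting site can
    still recognise its own hosts, nobody else can recover the address."""
    digest = hmac.new(key, address.encode(), hashlib.sha256).hexdigest()
    return "H" + digest[:6].upper()


def sanitize(fields, key=SITE_KEY):
    """Strip the customer-identifying parts before the record leaves the site."""
    clean = dict(fields)
    clean["source"] = pseudonymize(fields["source"], key)
    clean.pop("s_port", None)  # the ephemeral client port carries no threat intel
    return clean


def correlate(records, min_gateways=2):
    """Group sanitized events by destination and flag destinations reported by
    several independent gateways: the 'same IP address identified' step."""
    reporters = defaultdict(set)
    attack_names = defaultdict(set)
    sanitized = []
    for gateway, line in records:
        fields = sanitize(parse_record(line))
        sanitized.append((gateway, fields))
        reporters[fields["destination"]].add(gateway)
        attack_names[fields["destination"]].add(fields["attack name"])
    candidates = {
        dst: {"gateways": sorted(gws), "attacks": sorted(attack_names[dst])}
        for dst, gws in reporters.items() if len(gws) >= min_gateways
    }
    return sanitized, candidates


if __name__ == "__main__":
    events, shared = correlate(SAMPLE_RECORDS)
    for gateway, fields in events:
        print(gateway, fields["source"], "->", fields["destination"], "|", fields["attack name"])
    for dst, info in shared.items():
        print("seen from several gateways:", dst, info)
```

Two design points matter here. The pseudonym is keyed (HMAC), not a bare hash, because a plain hash of an IPv4 address is trivially reversed by hashing all four billion candidates. And the correlation threshold counts distinct gateways, not events: a single infected site generating many events against one address says much less than several unrelated sites agreeing on it.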

Page 13

Collect Bot Attack Information From GWs

Identify trends

• Gather bot security events from GWs
• Analyze Bot DB data in Check Point Labs
• Identify attack trends (geography)

Page 14

ThreatCloud™ – Dynamically Updated Intelligence

Page 15

ThreatCloud™ Model: High Performance with Extended Protection

Threat database is kept in the cloud

Gateway consults the cloud: malicious URLs, real-time signatures, C&C IP addresses

Download updates to the gateway: binary signatures, heuristic engine, traffic anomaly check

Security updates normalized to the ThreatCloud

Extended protection, high performance

Page 16

First Integrated Anti-Bot Network Solution

Discover and stop bot outbreaks and APT attacks

Check Point Anti-Bot Software Blade – now available!

Page 17

Botnet Operation: The Infection

Infection: social engineering, exploiting a vulnerability, drive-by downloads

Download egg: a small payload containing the initial activation sequence; the egg is downloaded directly from the infection source or from another source, such as the Command & Control server

C&C Server

Page 18

Botnet Operation: Self-Defense

Self defense:

Stop anti-virus service

Change “hosts” file

Disable Windows Automatic Updates

Reset system restore points

Command & Control Server
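One of the self-defense steps listed above, rewriting the hosts file so that update and anti-virus domains resolve to nothing, leaves a trace that a host-integrity check can pick up. The following is an added example written for this page, not Check Point's code: it parses hosts-file text and flags any entry that overrides a watched public domain. The hosts content, the watched domain list and the vendor names are constructed for the example.

```python
import ipaddress

# Constructed hosts-file content showing the kind of tampering the slide lists:
# update and security-vendor domains pointed at loopback, the unspecified
# address or a foreign host. example-av.com is an invented vendor.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
10.0.0.5        intranet.example.internal   # legitimate local override
127.0.0.1       update.microsoft.com
127.0.0.1       windowsupdate.microsoft.com
0.0.0.0         liveupdate.example-av.com
198.51.100.77   www.example-av.com
"""

# Public domains that a healthy workstation never needs a static entry for
# (constructed watch list; a real one is a vendor-maintained list).
WATCHED_SUFFIXES = ("microsoft.com", "example-av.com")


def parse_hosts(text):
    """Yield (line number, address, hostname) for every valid entry, ignoring comments."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed line: not an address, nothing to check
        for name in parts[1:]:
            entries.append((lineno, addr, name.lower()))
    return entries


def is_watched(name):
    return any(name == suffix or name.endswith("." + suffix) for suffix in WATCHED_SUFFIXES)


def find_hijacked_entries(text):
    """Report every static mapping of a watched domain; the address tells how it was hijacked."""
    findings = []
    for lineno, addr, name in parse_hosts(text):
        if name == "localhost" or not is_watched(name):
            continue
        if addr.is_loopback or addr.is_unspecified:
            reason = "sinkholed to " + str(addr)      # updates silently fail
        else:
            reason = "redirected to " + str(addr)     # traffic goes to an attacker-chosen host
        findings.append({"line": lineno, "host": name, "address": str(addr), "reason": reason})
    return findings


if __name__ == "__main__":
    for f in find_hijacked_entries(SAMPLE_HOSTS):
        print("line {line}: {host} {reason}".format(**f))
```

On a live Windows host the text would come from `%SystemRoot%\System32\drivers\etc\hosts`; the check is deliberately strict (any entry for a watched domain is reported, whatever the address) because legitimate configurations do not pin those domains at all.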

Page 19

Botnet Operation: The Damages

Payload pull from the Command & Control server: spam, denial of service, identity theft, propagation, click fraud

Page 20

Anti-Bot Software Blade – DISCOVER and STOP Bot Attacks

Discover bot infections: multi-tier discovery

Prevent bot damage: stop traffic to remote operators

Investigate bot infections: extensive forensics tools

Page 21

ThreatSpect™ Engine

Reputation: detect Command & Control sites and drop zones; over 250 million addresses in ThreatCloud™; real-time updates

Network signatures: over 2,000 bot families’ unique communication patterns; dozens of behavioral patterns

Suspicious email activity: over 2 million outbreaks

ThreatSpect™ Engine: maximum security with multi-gig performance

Page 22

Anatomy of Discovering a Bot (ThreatSpect™ Engine)

ThreatCloud™ – Reputation engine in the cloud

Resource (IP/URL/DNS) checked against the C&C list, using smart caching to minimize the number of queries to the cloud

Page 23

Anatomy of Discovering a Bot (ThreatSpect™ Engine)

Check for signatures in the gateway

Multi-connection communication patterns (unique per botnet family)

Bot behavioral patterns

Page 24

Anatomy of Discovering a Bot (ThreatSpect™ Engine)

Check suspicious email activity

Bot-based spam: outbound mail analysis to identify spam sent from the organization

Mails normalized, parameters extracted; mail params sent to ThreatCloud™ obfuscated

All customer data is obfuscated

Page 25

Bot Damage Prevention

Stop traffic between infected hosts and the bot remote operator

Stop data theft

Enable user work continuity

Performance over 40 Gbps*

Page 26

Enhanced Network Antivirus Software Blade

Up-to-the-minute protection using ThreatCloud™

Providing extended malware protection

Page 27

Antivirus Software Blade

Constantly updated security intelligence with ThreatCloud™

Prevent access to malicious sites: over 300,000 sites!

Stop incoming malware attacks: protect with 300x more signatures! (chart of signatures in millions: R75.20 vs. R75.40 at 4.5 million)

Extended protection using ThreatCloud™

Page 28

Antivirus Software Blade Architecture – Prevent Access to Malware-infested Resources

ThreatCloud™ – check connection – reputation engine: IP/DNS/URLs with malware

Prevent connections to resources that contain malware

Prevent drive-by-download attacks

Hundreds of thousands of addresses

Address → malware-containing site

Page 29

Antivirus Software Blade Architecture – Stop Incoming Malicious Files

Check signatures in the gateway

Files analyzed against a set of signatures downloaded to the gateway

Limited number of signatures compared to the cloud

Page 30

Antivirus Software Blade Architecture – Stop Incoming Malicious Files

Check signatures in the cloud

File unique identifier (MD5) sent to ThreatCloud™; answer: file is malicious

Real-time update and availability of new malware signatures

Granular signature database

Only the MD5 checksum is sent to the cloud – high performance
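Pages 22 and 30 describe the same gateway pattern for two kinds of object: answer locally when you can, otherwise ask the cloud once and remember the answer. The following is an added example written for this page and is not Check Point's code or API: it models a gateway that checks a file's MD5 against its local signature set, then a TTL cache, then a cloud hash lookup, and does the same cache-then-cloud lookup for an IP/URL/DNS resource. The `ThreatCloudStub`, the sample files, the resource names and the manual clock are all constructed for the example.

```python
import hashlib
import time

# Constructed sample files. The hash database and reputation table below are
# stand-ins for ThreatCloud; the lookup interface is this example's own.
LOCAL_SAMPLE = b"constructed sample whose signature the gateway already holds"
CLOUD_SAMPLE = b"constructed sample only known to the cloud database"
BENIGN_SAMPLE = b"constructed harmless document"

LOCAL_MD5 = hashlib.md5(LOCAL_SAMPLE).hexdigest()
CLOUD_MD5 = hashlib.md5(CLOUD_SAMPLE).hexdigest()

CLOUD_HASH_DB = {CLOUD_MD5: "malicious", LOCAL_MD5: "malicious"}
CLOUD_REPUTATION = {"malware.example.invalid": "malicious", "203.0.113.66": "malicious"}


class ThreatCloudStub:
    """Counts queries so the effect of caching is visible."""
    def __init__(self):
        self.queries = 0

    def lookup_hash(self, md5hex):
        self.queries += 1
        return CLOUD_HASH_DB.get(md5hex, "clean")

    def lookup_resource(self, resource):
        self.queries += 1
        return CLOUD_REPUTATION.get(resource, "clean")


class ManualClock:
    """Deterministic clock so cache expiry can be shown without sleeping."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now


class TTLCache:
    def __init__(self, ttl_seconds, clock=time.monotonic):
        self.ttl, self.clock, self.store = ttl_seconds, clock, {}

    def get(self, key):
        item = self.store.get(key)
        if item is None:
            return None
        verdict, expires = item
        if self.clock() >= expires:
            del self.store[key]       # stale verdicts must not outlive the TTL
            return None
        return verdict

    def put(self, key, verdict):
        self.store[key] = (verdict, self.clock() + self.ttl)


class Gateway:
    def __init__(self, cloud, local_signatures, ttl=300, clock=time.monotonic):
        self.cloud = cloud
        self.local_signatures = set(local_signatures)  # MD5 hex digests held on the gateway
        self.cache = TTLCache(ttl, clock)             # one cache for both verdict kinds

    def check_resource(self, resource):
        """IP/URL/DNS reputation (page 22): cache first, then one cloud query."""
        cached = self.cache.get(("res", resource))
        if cached is not None:
            return cached, "cache"
        verdict = self.cloud.lookup_resource(resource)
        self.cache.put(("res", resource), verdict)
        return verdict, "cloud"

    def check_file(self, data):
        """File verdict (page 30): local signatures, then cache, then the cloud.
        Only the MD5 digest ever leaves the gateway, never the file content."""
        md5hex = hashlib.md5(data).hexdigest()
        if md5hex in self.local_signatures:
            return "malicious", "gateway-signatures"
        cached = self.cache.get(("md5", md5hex))
        if cached is not None:
            return cached, "cache"
        verdict = self.cloud.lookup_hash(md5hex)
        self.cache.put(("md5", md5hex), verdict)
        return verdict, "cloud"


def demo():
    clock, cloud = ManualClock(), ThreatCloudStub()
    gw = Gateway(cloud, [LOCAL_MD5], ttl=300, clock=clock)
    results = [
        gw.check_file(LOCAL_SAMPLE),                  # answered on the gateway, no query
        gw.check_file(CLOUD_SAMPLE),                  # first sight: one cloud query
        gw.check_file(CLOUD_SAMPLE),                  # repeat: served from cache
        gw.check_file(BENIGN_SAMPLE),                 # clean verdicts are cached too
        gw.check_resource("malware.example.invalid"),
    ]
    clock.now += 301                                  # let the cached entries expire
    results.append(gw.check_resource("malware.example.invalid"))
    return results, cloud.queries


if __name__ == "__main__":
    for r in demo()[0]:
        print(r)
```

The cache keys are namespaced (`("md5", …)` versus `("res", …)`) so a hash and a hostname can never collide, and clean verdicts are cached with the same TTL as malicious ones: a short TTL bounds how long a newly discovered malicious file keeps being waved through after the cloud learns about it.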

Page 31

Antivirus Software Blade Architecture – Stop Incoming Malicious Files

Check for unknown malware – heuristic engine in the gateway

Utilizes a sandbox to detect unknown ‘zero day’ infections

Checks archive files only

Buffers the entire file

Easily configurable to ensure optimal user experience

Monitors registry and OS files

Page 32

Agenda

1 Modern Malware: Risks and Challenges

2 Collaborative Security Intelligence: ThreatCloud™

3 Anti-Bot Software Blade

4 Antivirus Software Blade

5 Unified Threat Prevention Solution

Page 33

Unified Anti-Bot and Antivirus Threat Prevention

Antivirus + Anti-Bot

Unified policy settings

Unified malware analysis

Page 34

Policy Model – The Rule Base

Scope: contains the network objects to be protected by the rule in question

Action: indicates which profile to activate

Page 35

Unified Malware Report

See the BIG malware picture

Page 36

The Threat Wiki: search the ThreatCloud™ repository for a malware

Filter by category or malware family

Learn more about a malware

Page 37

Check Point Multi-layer Threat Prevention

Keep Your Edge Against Advanced Threats

Check Point Integrated Threat Prevention Solution powered by ThreatCloud™

Antivirus Software Blade: prevents incoming malware infections and access to malware-containing sites

ThreatCloud™: provides security gateways with real-time security intelligence

IPS Software Blade: prevents attacks using known and unknown vulnerabilities

Anti-Bot Software Blade: detects bots and stops bot damage

Page 38

Closing the Gap: Threat Emulation

Page 39

Agenda

1 The contemporary world of exploits

2 Introduction to threat emulation

3 Check Point Threat Emulation Solution

4 Summary

Page 40

Exploits are here to stay

Number of critical exploits which allow the attacker to execute arbitrary code, published in 2011 alone:
– 5 JRE exploits
– 10 Chrome exploits
– 26 Office exploits
– 27 Internet Explorer exploits
– 60 Firefox exploits
– 48 Acrobat Reader exploits
– 56 Flash Player exploits

On average, every 1.5 days:
– a previously unknown (and thus unprotected against) exploit is published
– targeting software installed on virtually every PC

We have no reason to believe that the upcoming years will be different.

Source: www.cvedetails.com

Anyone with decent technical capabilities who knows about the exploit before it is published has a ‘zero-day’ attack which can be used to run arbitrary code on your network.

Page 41

Signature based tools are not enough

IPS / Anti-Virus work by:
– looking into specific patterns
– enforcing compliance of protocols to standards
– detecting variations from the protocols

They are limited in protecting from:
– unknown (zero day) attacks
– attack variations / obfuscated attacks

An updated IPS is a very good tool against known attacks and some of the unknown attacks, but it is not enough to protect from unknown attacks.
– We need a different approach!

Attack obfuscation is a commodity nowadays; for example, at styx-crypt.com you can create an obfuscated version of a malicious PDF for $25 per file, quantity discounts apply.

Another example – the Zeus malware isn’t sold directly. A ‘Zeus Builder’ is sold, allowing another malware variant to be generated in a click.

Page 42

CVE-2008-2641 as an example

JavaScript vulnerability in Acrobat Reader

Heap spray attack – JavaScript code which ‘fills’ the heap with shellcode and allows arbitrary code execution when Acrobat ‘crashes into it’

How can you sign it?
– There are infinite ways to implement the attack (using recursion, loops, whiles, division into functions, etc.)
– Writing code that understands code (without running it) is hard
– A PDF document can contain sections which are encoded/compressed with various algorithms
– Engines must be constantly updated to support new Acrobat features

Actual code that performs a GET to fdf.p-.kkk.xgx78i6p6rlv0.readnotify.com

Bottom line: signature based tools are not enough against advanced attacks

Page 43

Gartner, Aug 2011 - Strategies for Dealing With APT - Quotes

“Through year-end 2015, financially motivated attacks will continue to be the source of more than 70% of the most damaging cyberthreats”

“…these are not noisy, mass attacks that are easily handled by simple, signature-dependent security approaches.”

“Targeted attacks often use custom-created executables that are rarely detected by signature based techniques”

“Gartner estimates that, for the average enterprise, 4% to 8% of executables that pass through antivirus and other defenses are malicious”

Key Finding – “Simply adding more layers of defense does not necessarily increase security against targeted threats — security controls need to evolve”

Page 44

Agenda

1 The contemporary world of exploits

2 Introduction to threat emulation

3 Check Point Threat Emulation Solution

4 Summary

Page 45

Threat emulation – malicious attachment example

Email with malicious attachment

Page 46

Threat emulation – malicious attachment example

Email with malicious attachment → extracting attachments → emulation → clean / malware detected (intercepted by Threat Emulation Blade)

During the emulation, the attachment is opened on several emulated machines – from XP to Windows 7 – and the entire system activity is monitored for unexpected behavior. We monitor network activity, file system & registry changes, process activity and more.

We know what should happen on the machines when opening a legitimate document (‘White List’), thus we can safely consider any document which causes the machine to do something else as malicious.
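The ‘white list’ idea above, that the expected behaviour of opening a legitimate document is known and anything else is malicious, is a comparison of an observed event trace against an allow list. The following is an added example written for this page, not Check Point's emulation engine: it classifies a constructed sandbox trace of `(kind, subject)` events, with a second trace shaped like the page-47 case (document drops an executable and runs it). The viewer name, paths, registry keys and address are invented.

```python
# Constructed event traces of the kind an emulation sandbox records when a
# document is opened: (kind, subject) pairs. Viewer name, paths, registry keys
# and the address are invented for this example.
VIEWER = "reader.exe"
DOC = "C:\\Users\\user\\Downloads\\invoice.pdf"

CLEAN_TRACE = [
    ("process_start", VIEWER),
    ("file_read", DOC),
    ("registry_read", "HKCU\\Software\\Reader\\Recent"),
    ("registry_write", "HKCU\\Software\\Reader\\Recent"),
    ("file_write", "C:\\Users\\user\\AppData\\Local\\Temp\\reader_cache.tmp"),
]

# Shaped like the page-47 detection: the document drops a binary, makes it
# persistent, executes it, and the new process connects out.
MALICIOUS_TRACE = CLEAN_TRACE[:3] + [
    ("file_write", "C:\\Users\\user\\AppData\\Roaming\\svc_update.exe"),
    ("registry_write", "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svc_update"),
    ("process_start", "svc_update.exe"),
    ("network_connect", "203.0.113.50:443"),
]


def _under(prefix):
    """Predicate: subject lies under the given path/key prefix (case-insensitive)."""
    return lambda subject: subject.lower().startswith(prefix.lower())


# The 'white list': everything a legitimate document open is allowed to do.
# An event that matches no rule is unexpected.
ALLOWED = [
    ("process_start", lambda s: s.lower() == VIEWER),
    ("file_read", lambda s: True),
    ("registry_read", lambda s: True),
    ("registry_write", _under("HKCU\\Software\\Reader\\")),
    ("file_write", _under("C:\\Users\\user\\AppData\\Local\\Temp\\")),
]

# Default weight of an unexpected event of each kind (this example's own scale).
SEVERITY = {
    "process_start": "critical",   # something other than the viewer ran
    "network_connect": "high",     # documents have no business phoning home
    "file_write": "high",
    "registry_write": "high",
}


def is_expected(kind, subject):
    return any(k == kind and ok(subject) for k, ok in ALLOWED)


def analyze(trace):
    """Return the verdict plus every event that fell outside the allowed behaviour."""
    findings = []
    for kind, subject in trace:
        if is_expected(kind, subject):
            continue
        severity = SEVERITY.get(kind, "medium")
        lowered = subject.lower()
        # Persistence and dropped executables are the strongest individual signals.
        if kind == "registry_write" and "\\currentversion\\run\\" in lowered:
            severity = "critical"
        if kind == "file_write" and lowered.endswith((".exe", ".dll", ".scr")):
            severity = "critical"
        findings.append({"kind": kind, "subject": subject, "severity": severity})
    return {"verdict": "malicious" if findings else "clean", "findings": findings}


if __name__ == "__main__":
    for name, trace in (("clean document", CLEAN_TRACE), ("dropper document", MALICIOUS_TRACE)):
        result = analyze(trace)
        print(name, "->", result["verdict"])
        for f in result["findings"]:
            print("   ", f["severity"], f["kind"], f["subject"])
```

The allow list is written as predicates rather than an exact set of events so that harmless variation (a different temp file name, a different recent-files key value) does not produce false positives, while the verdict itself stays binary, as the slide says: one unexpected event is enough.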

Page 47

Real detection of malware ‘Pdfjsc.XD’, leveraging CVE-2011-0609

Drops malware (‘rthdcpl.exe’)

Execute the dropped malware

Detected by threat emulation (alpha version)

Page 48

Agenda

1 The contemporary world of exploits

2 Introduction to threat emulation

3 Check Point Threat Emulation Solution

4 Summary

Page 49

Threat Emulation Software Blade – DISCOVER and STOP advanced attacks

Stop stealth malware: detect malware based on what it does, regardless of signatures

Stop unique exploitation attacks: detect unsigned zero-day and attack variants

Stop data exfiltration

A true ability to stop the advanced tools used for cyber warfare

Page 50

How would you like your threat emulation?

Dedicated appliance – for medium to large deployments

Existing gateway – leveraging your existing investment, when your gateways have enough horsepower

In the cloud – same great capabilities without the need for local emulation resources

It comes in different sizes and shapes

Page 51

Dedicated emulation gateway

The perimeter firewall and the data center firewall (DMZ) send reassembled docs to the Threat Emulation gateway for emulation – small performance impact

Page 52

Threat emulation is part of Check Point ThreatCloud

Check Point ThreatCloud – The Power of Collaboration

A previously unknown attack detected by the Threat Emulation Engine becomes attack data; real-time updates share the attack information across organizations

Page 53

Architecture

Kernel (SecureXL, multi-core): policy / rulebase check; signature scan by the threat prevention blades (IPS, AV, Anti-Bot); reassembly module – compose and reassemble the documents received

User space: emulation module – open and execute multiple docs in multiple virtual machines
• Run emulation and check for bad behavior
• Run forensics checks

Report to ThreatCloud; report to SmartEvent

Page 54

Threat Emulation Engine

High performance – supports up to 100,000 unique files per day

Support Check Point provided OS images and custom images

Emulation of documents and executable files

Deep inspection of the system – file system, API calls, network, registry, memory and more.

Anti-VM detection capabilities

Page 55

Pre-Emulation Static Filtering

Contemporary documents range from very simple to ultra complex

Usually, the risk factor of a document varies according to the number of advanced features it utilizes – e.g. JavaScript support in Acrobat Reader

The pre-emulation static filtering process allows skipping documents which contain only safe features
– Filters are constantly updated

Filters ~70–80% of the documents
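A static pre-filter of the kind described above decides, without opening anything, whether a document uses features that warrant emulation. The following is an added example written for this page, not Check Point's filter: it scans a PDF for a short list of risky feature names (JavaScript, automatic and launch actions, embedded files, rich media, XFA forms), including inside Flate-compressed streams, because, as page 42 notes, PDF sections can be compressed and a scanner that looks only at the raw bytes misses what is inside them. The feature list and the two minimal PDFs are constructed for the example.

```python
import re
import zlib

# Features whose presence sends a document to full emulation. This list is the
# example's own; a real filter is far longer and constantly updated.
RISKY_PATTERNS = [
    (re.compile(rb"/JavaScript(?![0-9A-Za-z])"), "javascript"),
    (re.compile(rb"/JS(?![0-9A-Za-z])"), "javascript"),
    (re.compile(rb"/OpenAction(?![0-9A-Za-z])"), "auto-action"),
    (re.compile(rb"/AA(?![0-9A-Za-z])"), "auto-action"),
    (re.compile(rb"/Launch(?![0-9A-Za-z])"), "launch-action"),
    (re.compile(rb"/EmbeddedFile(?![0-9A-Za-z])"), "embedded-file"),
    (re.compile(rb"/RichMedia(?![0-9A-Za-z])"), "rich-media"),
    (re.compile(rb"/XFA(?![0-9A-Za-z])"), "xfa-form"),
]
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def make_pdf(extra_objects=b""):
    """Assemble a minimal, constructed PDF body around the given extra objects."""
    return (b"%PDF-1.4\n"
            b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
            b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
            b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj\n"
            + extra_objects +
            b"trailer << /Root 1 0 R >>\n%%EOF\n")


SAFE_PDF = make_pdf()

# The script action object is hidden inside a Flate-compressed stream, so the
# raw bytes show only an /OpenAction reference; the script keyword is inside.
_compressed_action = zlib.compress(b"<< /S /JavaScript /JS (placeholder) >>")
RISKY_PDF = make_pdf(
    b"4 0 obj << /Length %d /Filter /FlateDecode >>\nstream\n" % len(_compressed_action)
    + _compressed_action
    + b"\nendstream\nendobj\n"
    + b"5 0 obj << /OpenAction 4 0 R >> endobj\n")


def inflate_streams(data):
    """Return the inflated content of every Flate-compressed stream in the file."""
    out = []
    for match in STREAM_RE.finditer(data):
        try:
            out.append(zlib.decompress(match.group(1)))
        except zlib.error:
            continue  # not zlib data: the raw bytes are scanned anyway
    return out


def static_features(data):
    """Set of risky feature names found in the raw bytes and in inflated streams."""
    found = set()
    for view in [data] + inflate_streams(data):
        for pattern, feature in RISKY_PATTERNS:
            if pattern.search(view):
                found.add(feature)
    return found


def triage(documents):
    """Split a batch of (name, bytes) into documents that can skip emulation and those that need it."""
    skip, emulate = [], []
    for name, data in documents:
        features = static_features(data)
        (emulate if features else skip).append((name, sorted(features)))
    return skip, emulate


if __name__ == "__main__":
    skipped, queued = triage([("plain.pdf", SAFE_PDF), ("scripted.pdf", RISKY_PDF)])
    print("skip emulation:", skipped)
    print("send to emulation:", queued)
```

The name patterns use a negative look-ahead so that `/JS` does not also fire on unrelated names that merely start with those letters, and the filter errs toward emulation: any stream that fails to inflate is left to the raw-byte scan rather than silently trusted, which is the direction a pre-filter should fail in.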

Page 56

Granular Policy

The Anti-Bot & Antivirus rule base now also includes Threat Emulation

The Threat Emulation profile controls the emulation configuration:
– Where to emulate – locally, on another gateway or in the cloud
– How – which images to use, whether to use static analysis, …

Threat Emulation lets you define not only the inspected machines (via the IPs of machines to scan) but also a scope according to email address

Integrated with Identity Awareness to match the right profile according to the user identity

Page 57

Encrypted traffic support

Just because traffic is encrypted doesn’t mean the file transferred isn’t malicious

Integration with Check Point SSL Inspection
– Visibility into encrypted web traffic

Integration with Microsoft Exchange
– Allowing visibility into SMTP over TLS
– Using a dedicated agent

Page 58

Threat Emulation Software Blade – DISCOVER and STOP advanced attacks

Stop stealth malware: detect malware based on what it does, regardless of signatures

Stop unique exploitation attacks: detect unsigned zero-day and attack variants

Stop data exfiltration

A true ability to stop the advanced tools used for cyber warfare

Page 59

The DDoS phenomenon

Increasing numbers of organizations are affected by massive amounts of traffic

Page 60

What is a DoS attack?

A Denial-of-Service attack (DoS attack) is an attempt to make a machine or network resource unavailable to its intended users.

A Distributed Denial-of-Service attack (DDoS) is coordinated and simultaneously launched from multiple sources.

Page 61

Motivations behind (D)DoS attacks?

DoS attackers can be segmented into three categories:

Hacktivists – their motive is to make social and political points, primarily through public IT disruption: “use of legal and/or illegal digital tools in pursuit of political ends”.

Nation state driven – presumably sanctioned by governments; reasons: disrupting governmental operations, stealing national secrets.

Financially motivated attackers – DoS attacks are merely a diversion; the actual objective is to steal information. Lately, instances of DoS “ransom attacks”.

Page 62

Cybercrime Trends for 2012 (Ponemon Institute, May 2012)

SQL injections: 44%

APTs: 35%

Botnet: 33%

DDoS: 32%

65% of businesses experienced attacks

Average $214,000 of damage per attack

Page 63

DDoS ‘as a Service’

Pay per hour, no expertise needed!

Page 64

Victims of Recent DDoS Attacks

“DDoS attacks are almost impossible to defend against.” — SVD

“Overload attacks are almost impossible to protect against.” — SVT

Page 65

DDoS Attack Examples

Volumetric attacks – fill the pipe

DNS amplification attacks – using critical applications as the attack source

SYN attacks – a simple way to use up resources

Application attacks – renegotiate SSL key; slow HTTP POST; DNS query flood

Page 66

Volumetric Attacks

A mixture of valid traffic and spoofed traffic fills the victim’s limited pipe (attack target)

Page 67

DNS Amplification Attack Example

A simple DNS request from the attacker to an open DNS server is amplified into a much larger response aimed at the victim (attack target)

Page 68

SYN Attacks

Utilize the state table on firewalls and servers

Spoofed traffic with random sources: random SYN packets toward the victim (attack target)

Page 69

Application Layer DDoS Attacks

Exploit application weakness with low & slow attacks

Undetectable by threshold- or volume-based solutions

New application attacks are stealthier…

Utilize relatively low volume and fewer connections

Used in conjunction with volume-based attacks

Page 70

Real World of Real Attacks

US banking attacks
– Volumetric
– Application
– Continuous and dynamic

DNSSEC attack example
– Ability to execute a DDoS amplification attack via US Gov

Application low and slow attack
– “Let’s hold those HTTP connections open forever”
– Very hard to find
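Pages 69 and 70 make the point that a low-and-slow attack is invisible to volume thresholds: the total traffic is tiny, the damage is in connections that never finish. Detecting it means looking at the connection table rather than the byte counters. The following is an added example written for this page, not Check Point's detection logic: it scores each open connection by how long its request has stayed incomplete and how starved its byte rate is, then aggregates per source so that one genuinely slow client is not mistaken for an attacker. The connection table, thresholds and addresses are constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Connection:
    src: str
    opened_at: float         # seconds since the monitoring epoch
    last_seen: float
    bytes_in: int            # request bytes received so far
    request_complete: bool   # a full HTTP request (headers and body) has arrived


NOW = 300.0

# Constructed connection table: one source keeps many never-completing requests
# open, one mobile client has a single slow connection, one office proxy is fast.
TABLE = (
    [Connection("198.51.100.10", 20.0 + 5 * i, 295.0, 80 + i, False) for i in range(12)]
    + [Connection("203.0.113.5", 200.0, 298.0, 140, False),
       Connection("203.0.113.5", 290.0, 291.0, 2100, True),
       Connection("203.0.113.5", 296.0, 297.0, 1800, True)]
    + [Connection("192.0.2.20", 280.0 + i, 281.0 + i, 3000, True) for i in range(5)]
)

MAX_REQUEST_AGE = 30.0    # seconds a request may stay incomplete before it looks slow
MIN_RATE = 5.0            # bytes per second below which a connection is being starved
MIN_SLOW_PER_SOURCE = 8   # this many concurrent slow requests is not one bad link
MIN_SLOW_SHARE = 0.8      # or: nearly all of the source's connections are slow


def is_slow(conn, now=NOW):
    """A request that is still incomplete long after opening and trickles bytes in."""
    age = now - conn.opened_at
    if conn.request_complete or age <= MAX_REQUEST_AGE:
        return False
    return conn.bytes_in / age < MIN_RATE


def bytes_by_source(table):
    """What a volume-based detector would see: total request bytes per source."""
    totals = defaultdict(int)
    for conn in table:
        totals[conn.src] += conn.bytes_in
    return dict(totals)


def find_low_and_slow_sources(table, now=NOW):
    """Sources holding many starving, never-completing requests open at once."""
    per_source = defaultdict(lambda: {"total": 0, "slow": 0})
    for conn in table:
        stats = per_source[conn.src]
        stats["total"] += 1
        if is_slow(conn, now):
            stats["slow"] += 1
    flagged = {}
    for src, stats in per_source.items():
        share = stats["slow"] / stats["total"]
        many = stats["slow"] >= MIN_SLOW_PER_SOURCE
        mostly = stats["slow"] >= 3 and share >= MIN_SLOW_SHARE
        if many or mostly:
            flagged[src] = {"slow": stats["slow"], "total": stats["total"], "share": round(share, 2)}
    return flagged


if __name__ == "__main__":
    print("bytes per source:", bytes_by_source(TABLE))
    print("low-and-slow sources:", find_low_and_slow_sources(TABLE))
```

Run on the constructed table, the attacking source has sent about a kilobyte in total, less than either legitimate source, so no byte threshold would catch it; the per-source connection view catches it immediately, while the mobile client with one slow request is left alone because the decision needs many concurrent slow requests, not one.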

Page 71

DDoS and Traditional Security

Attackers Take Advantage of Traditional Security

Firewalls track state of network connections (Can be bottleneck)

Firewalls allow legitimate traffic (e.g. port 80 to web server)

IPS allows legitimate request (e.g. get http/1.0\r\n)

Application Control allows legitimate services (DNS or HTTP)

Page 72

Traditional Firewalls Not Sufficient

Not Designed for Network and Application DDoS Protection

Basic rate based flood protection affects all traffic (Real users and attack traffic)

Lacks Comprehensive Layer 7 DDoS protection

– Poor detection of sneaky attacks

– No filters to block attacks and allow real traffic

– Administrators cannot create custom signatures

Page 73

Protection Layers Flow – layers work together: network flood → server flood → application low & slow attacks → allowed traffic

Page 74

Decision Engine – Adaptive Detection Engine (slide 74)

Axes: rate-based anomaly (X), rate-invariant anomaly (Y), attack degree (Z). Areas: normal adapted area, suspicious area, attack area.

Example: Attack Degree = 5 (Normal – Suspect): an abnormal rate of SYN packets with a normal TCP flags ratio – a flash crowd.

Page 75

Adaptive Detection Engine (slide 75)

Example: Attack Degree = 10 (Attack): an abnormally high rate of SYN packets with an abnormal TCP flags ratio – a SYN flood.
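The two slides above give the whole idea of the decision engine: a rate-based axis alone cannot tell a flash crowd from a SYN flood, so a rate-invariant axis (here the SYN share of all TCP packets) is scored alongside it and the two combine into an attack degree. The following is an added example written for this page and is not Check Point's or the DDoS Protector's algorithm: it learns a baseline from constructed per-window counters, scores each axis from 0 to 10 by how far a window sits above the baseline, averages them into the degree, and adapts the baseline only from windows judged normal. The baseline windows, the z-score mapping, the 50% standard-deviation floor and the area thresholds are this example's own choices.

```python
from statistics import fmean, pstdev

# Constructed per-window counters from a quiet period: (SYN packets, all TCP packets).
BASELINE_WINDOWS = [
    (980, 19500), (1020, 20600), (1005, 20000), (990, 19900), (1010, 20300),
    (1000, 19800), (995, 20100), (1015, 20200), (985, 19600), (1000, 20000),
]


class AdaptiveDetectionEngine:
    """Two anomaly axes feed one attack degree, as on the slide: a rate-based axis
    (SYN packets per window) and a rate-invariant axis (SYN share of all TCP
    packets). Scoring, thresholds and the adaptation rule are this example's own."""

    def __init__(self, baseline, history=50, min_rel_std=0.05):
        self.history = history
        self.min_rel_std = min_rel_std   # floor so a very steady baseline is not hypersensitive
        self.windows = list(baseline)[-history:]

    def _axis(self, values):
        mean = fmean(values)
        return mean, max(pstdev(values), self.min_rel_std * mean)

    @staticmethod
    def _score(value, mean, std):
        """0 while within one standard deviation, 10 at five or more above the mean."""
        z = (value - mean) / std
        return min(10.0, max(0.0, (z - 1.0) * 2.5))

    def assess(self, syn, total):
        r_mean, r_std = self._axis([s for s, _ in self.windows])
        q_mean, q_std = self._axis([s / t for s, t in self.windows])
        rate_score = self._score(syn, r_mean, r_std)          # rate-based axis
        ratio_score = self._score(syn / total, q_mean, q_std)  # rate-invariant axis
        degree = round((rate_score + ratio_score) / 2, 1)
        if degree >= 8:
            area = "attack"
        elif degree >= 3:
            area = "suspicious"
        else:
            area = "normal"
        return {"degree": degree, "area": area,
                "rate_score": round(rate_score, 1), "ratio_score": round(ratio_score, 1)}

    def observe(self, syn, total):
        """Adapt the 'normal' area only from windows judged normal, so that an
        ongoing attack cannot teach the engine that it is the new baseline."""
        result = self.assess(syn, total)
        if result["area"] == "normal":
            self.windows.append((syn, total))
            del self.windows[:-self.history]
        return result


if __name__ == "__main__":
    engine = AdaptiveDetectionEngine(BASELINE_WINDOWS)
    for label, syn, total in (("quiet window", 1003, 20050),
                              ("flash crowd", 6000, 120000),   # six times the SYNs, same SYN share
                              ("SYN flood", 6000, 25000)):     # six times the SYNs, SYN share x5
        print(label, engine.observe(syn, total))
```

With these inputs the flash crowd lands exactly on the slide's degree 5 (rate axis saturated, ratio axis quiet) and the SYN flood on degree 10 (both axes saturated). The adaptation rule is the part worth keeping in mind operationally: a detector that updates its baseline from every window will, under a sustained attack, slowly relabel the attack as normal.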

Page 76

Check Point DDoS Protector™

Customized multi-layered DDoS protection

Protects against attacks within seconds

Integrated security management and expert support

Page 77

Where to Protect Against DDoS

Scenario 1 – on-premise deployment: DDoS Protector appliance

Scenario 2 – cloud-based service: DDoS Protector in the cloud

Page 78

Flexible Deployment Options

Ready to Protect in Minutes

Fits to Existing Network Topology

Optional Learning Mode Deployment

Low Maintenance and Support

Page 79

Emergency Response and Support

Emergency Response Team
– Help from security experts when under DoS attack
– Leverage experience gathered from real-life attacks

Check Point Customer Support
– World-class support infrastructure
– Always-on support 24x7
– Flexible service options

Page 80

Summary

Integrated with Check Point Security Management

Customized multi-layered DDoS protection

Ready to protect in minutes

Blocks DDoS attacks within seconds

Page 81

Thank You