NPCore, Inc.
Zombie ZERO Introduction
Two Level Defense for APT attack (Malware) & Ransomware
ISO 9001:2008
Copyright © NPCore, Inc. ZombieZERO is trademark of NPCore, Inc.
Ⅰ. Proposal Overview
Ⅱ. Zombie ZERO Introduction
Ⅲ. ZombieZERO Inspector
Ⅳ. ZombieZERO EDR
Ⅴ. Company Introduction
Zombie ZERO Solutions Introduction

Zombie ZERO Proposal Overview
1. What is an APT attack?
2. Chronicle of Major Incidents
3. Alternatives to APT attack
1. What is an APT attack?
An APT (Advanced Persistent Threat) attack is a targeted attack by an organized criminal group that uses delivery methods such as e-mail and web downloads against a specific target in order to achieve the group's objective.

Advanced: the scope and level of technical capability of the APT attack organization
- Uses a variety of technologies, not just one
- Uses zero-day vulnerability exploits and techniques that bypass existing security products

Persistent: the attitude of the attacking organization toward achieving its objective
- Carries out a continuous attack until the purpose is achieved
- When confronted with attack detection, hinders the detection and attempts to evade countermeasures

Threat: what the threat to information means
- Analyzes the target directly with non-automated tools
- Includes social engineering techniques and tries a variety of attacks
1. Understanding the Business: Zombie ZERO Solutions
Dual defense solution for new APT attacks
2. Chronicle of Major incidents
Since 2006, APT attacks have become increasingly sophisticated and frequent, and they are currently the greatest threat to information security.
3. Alternatives to APT attack
With existing security solutions, APT attacks (new and variant malware) cannot be blocked effectively.
- A behavior-based sandbox and EDR can respond to new and variant malware and ransomware (new trend).

AS-IS (signature-based): Internet, F/W, IPS, Switch, Router, Web gateway and Anti-Virus in front of the user PCs
∙ Impossible to block malware flowing in through permitted policies and applications
∙ Impossible to detect file-based malware
∙ Impossible to block malware flowing in through permitted sites
∙ Unable to detect and block new and variant malware

TO-BE (behavior-based sandbox system): 64-bit sandbox analysis in a user-PC environment, behavior analysis, block/quarantine, and pattern transfer to the management server
TO-BE (EDR, Endpoint Detection and Response): the same or a similar configuration with EDR installed on the user PCs (new trend)
Zombie ZERO System Introduction
1. Zombie ZERO System Diagram
2. Zombie ZERO System Introduction
3. Zombie ZERO NCSC
1. Zombie ZERO System Diagram
[System diagram] Internet, Router, F/W, TAP (mirroring), Switch: the Network APT Inspector receives mirrored traffic; the E-mail APT Inspector (spam mail server + APT analysis) sits in front of the external mail server; the File APT Inspector sits between the streaming link servers and the file transfer data link servers that connect the external network to the business network; EDR is installed on the external-network PCs and on the internal (employee business) network PCs.
2. ZombieZERO Inspector Network Series
[Diagram] Internet, Router, F/W, TAP, Switch and user PCs; the Network APT Inspector receives a mirrored copy of the traffic and is reachable through its management (MGT) IP.
The Network APT system collects packets on the network and detects and analyzes APT attacks.
2. ZombieZERO Inspector E-mail Series
[Diagram] F/W, Switch, E-mail APT Inspector in front of the Mail Server, with a backup switch path; normal e-mails are passed on.
The E-mail APT system provides an integrated service of APT analysis equipment and spam e-mail response.
2. ZombieZERO Inspector File Series
[Diagram] Internet and user PCs on the Internet network; External Relay Server, network connection, Internal Relay Server and storage on the business network; the File APT Inspector inspects the files passing between them.
The File APT system is an APT response solution for file transfers into the internal network in a network-separation environment.
2. ZombieZERO Inspector Real Machine
An APT response solution that detects and blocks malware on a real machine rather than a virtual machine, in order to catch malware that bypasses the sandbox.
[Diagram] Internet, Router, F/W, TAP, Switch and user PCs; the Real Machine APT receives mirrored traffic and has a management (MGT) IP.
2. ZombieZERO EDR (Endpoint Detection & Response) for APT
A solution that responds to new and variant malware based on behavior via the endpoint security EDR.
[Diagram] Internet, Router, F/W, Switch, user PCs, and the Network APT Inspector (or ESM) reachable through its management (MGT) IP.
① File download
② Analysis of executable files: malicious files are blacklisted and quarantined; normal files are added to the whitelist
③ EDR execution pending: the user can view the analysis status ("Analysis info", "Analyzing...")
④ If the analysis result is normal, the file is executed. Malicious file: the EDR shows a blocking message. Normal file: the user can confirm that the file was downloaded normally.
2. ZombieZERO EDR for Ransomware
A solution for new and variant ransomware through behavior-based detection/blocking and backup by the endpoint EDR.
[Diagram] Internet, Router, F/W, Switch, user PCs, and the Network APT Inspector (or ESM) with its management (MGT) IP; the detecting EDR uploads the pattern information, which is shared to prevent the infection from spreading.
3. ZombieZERO NSOC (NPCore Security Operations Center)
Malicious code analysis and rule/pattern updates through the NPCore Cyber Security Center.
[Diagram] Malware collection feeds a big-data system (Elasticsearch); correlation, association and similarity analysis are performed through machine learning in the NPCore Cyber Security Center; a policy distribution server deploys the resulting policies to Customer A, Customer B, ..., Customer N.
ZombieZERO Inspector
1. System Operation FLOW
2. Key Processes
- Static Environment Analysis
- Dynamic Environment Analysis
3. Product Features
1. System Operation FLOW
Detects unknown (new, variant) malware through dual analysis: signature analysis and behavior-based analysis.
- Pattern-based malicious code analysis of the collected files
- Behavior-based analysis through dynamic and static analysis
- Treatment of the infected PC by generating a pattern for the detected malicious code
- Detects VM-access behavior of executable files and catches VM-evading malware by forcibly removing the relevant part before analysis

Flow: File Collection, then File Analysis, then Verification and Response
① File collection from network traffic
② Classification by file type
③ Signature-based analysis (static analysis, YARA rules)
④ Behavior-based analysis (dynamic analysis, behavior monitor) in a Windows 7/10 32/64-bit sandbox environment
⑤ Verification with VirusTotal through its API
⑥ Block/quarantine response after pattern generation
2. Key Processes: Static Environment Analysis (YARA Rule Applied)
ZombieZERO supports sending customized YARA rules to quickly analyze suspicious objects for specific threats.

YARA Rule Application Scenario: a YARA rule update is distributed to each inspector and the policy is applied on every device.
Static YARA Rule Generation Process: strings are extracted from the collected malware files (Extract by using Strings); strings that also appear in normal files (Normal file info.) are discarded, and the strings unique to the malicious files (Malicious file info.) are used to create the YARA rule (Create Yara Rule).
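The generation process above (extract strings from the malware files, drop the ones that also occur in normal files, build a rule from the rest) as an added example; this is not NPCore's code. The byte blobs are constructed stand-ins for collected files, the rule name and the `.invalid` host are invented, and `rule_matches` is a plain substring evaluator for the emitted "all of them" condition rather than a YARA engine:

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample files (not real malware, not NPCore data): two "malware files"
# and two "normal files" as in the generation diagram above.
MALWARE_SAMPLES: Dict[str, bytes] = {
    "mal_1.bin": b"MZ\x90\x00\x03" + b"CreateRemoteThread\x00"
                 + b"http://update-check.example.invalid/gate\x00" + b"kernel32.dll\x00\x01\x02",
    "mal_2.bin": b"MZ\x90\x00\x03" + b"CreateRemoteThread\x00"
                 + b"http://update-check.example.invalid/gate\x00" + b"user32.dll\x00",
}
NORMAL_SAMPLES: Dict[str, bytes] = {
    "normal_1.bin": b"MZ\x90\x00\x03" + b"kernel32.dll\x00" + b"user32.dll\x00" + b"GetSystemTime\x00",
    "normal_2.bin": b"MZ\x90\x00\x03" + b"kernel32.dll\x00" + b"MessageBoxW\x00",
}

MIN_LEN = 6  # same default minimum length as `strings -n 6`
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)


def extract_strings(data: bytes) -> Set[str]:
    """Step 'Extract by using Strings': every printable-ASCII run of MIN_LEN or more bytes."""
    return {m.group().decode("ascii") for m in PRINTABLE_RUN.finditer(data)}


def discriminating_strings(malware: Dict[str, bytes], normal: Dict[str, bytes]) -> List[str]:
    """Strings present in every malicious sample and in no normal sample.

    Requiring presence in all malicious samples keeps the rule generic across the family;
    subtracting the normal-file strings removes library names and other benign strings
    that would otherwise produce false positives.
    """
    mal_sets = [extract_strings(d) for d in malware.values()]
    benign = set().union(*(extract_strings(d) for d in normal.values()))
    common = set.intersection(*mal_sets) if mal_sets else set()
    return sorted(common - benign)


def yara_escape(s: str) -> str:
    return s.replace("\\", "\\\\").replace('"', '\\"')


def generate_rule(name: str, malware: Dict[str, bytes], normal: Dict[str, bytes]) -> Tuple[List[str], str]:
    """Step 'Create Yara Rule': emit rule text that requires all discriminating strings."""
    indicators = discriminating_strings(malware, normal)
    if not indicators:
        raise ValueError("no string separates the malicious samples from the normal ones")
    lines = [f"rule {name}", "{", "    strings:"]
    for i, s in enumerate(indicators):
        lines.append(f'        $s{i} = "{yara_escape(s)}"')
    lines += ["    condition:", "        all of them", "}"]
    return indicators, "\n".join(lines)


def rule_matches(indicators: List[str], data: bytes) -> bool:
    """Minimal evaluator for the generated 'all of them' condition (plain substring search)."""
    return all(s.encode("ascii") in data for s in indicators)


if __name__ == "__main__":
    indicators, rule_text = generate_rule("generated_family_rule", MALWARE_SAMPLES, NORMAL_SAMPLES)
    print(rule_text)
    for name, data in {**MALWARE_SAMPLES, **NORMAL_SAMPLES}.items():
        print(f"{name}: {'MATCH' if rule_matches(indicators, data) else 'no match'}")
```

The intersection step is what makes the difference between a rule for one file and a rule for a family: a string found in only one of the malicious samples (here `kernel32.dll`, which is also benign) never reaches the rule, so the output matches both malware samples and neither normal sample.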
2. Key Processes: Dynamic Environment Analysis
Behavioral Analysis Key Features
Analysis through virtual systems
- Provides a virtual sandbox system based on VMware ESXi 5.5, with a behavior-based detection system consisting of a static analysis engine and a dynamic analysis engine
Various format analysis
- Provides analysis of PE files (DLL, EXE, etc.), compressed files, MS Office, HWP, PDF and ZIP files
Behavior-based analysis
- After analyzing suspicious files in the dynamic analysis system, it reports the maliciousness of the behavior by analyzing process behavior, file behavior, network behavior and memory behavior

"Support for virtual machines by network traffic and customer environment"
[Diagram] Suspicious files arriving from the Internet over FTP, web and e-mail are mirrored and uploaded; the analysis file is registered and analyzed by file type in n virtual machines (Dynamic Analysis / Behavior Monitor); file validation through VirusTotal is optional; results are reported to the user group.
2. Key Processes: Detectable malicious code (malware) using dynamic environment analysis
Name: Features
Backdoor: When executed, opens a port so that the hacker can connect to the PC at any time
Ransomware: When executed, encrypts all the document files on the PC and makes them unusable
Downloader: Downloads and runs a file without the user's knowledge when a website is visited or a document is opened
Keylogger: Hooks and stores all keyboard events typed by the user and sends them to the hacker's server
Bootkit: Destroys the disk and disables OS boot by corrupting the MBR (Master Boot Record) of the PC
Exploit: Executes malicious programs using vulnerabilities in software (IE, MS Office, PDF viewer, etc.)
System modulation: Modifies sensitive files such as the PC registry or the hosts file for malicious purposes
2. Key Processes: Dynamic environment analysis case (Ransomware detection result)
Summary of analysis results
1. Threat Level: if it is 4 or more, the file is determined to be malicious. This file is determined to be malicious with threat level 4.
2. YARA: DetectBulkChange captures the behavior of modifying files in bulk.
3. Dynamic analysis results: the behavior log produced when the analysis target file is actually executed. Files on the C drive are modified and deleted repeatedly.

2. Key Processes: Dynamic environment analysis case (Keylogger detection result)
Summary of analysis results
1. Threat Level: if it is 4 or more, the file is determined to be malicious. This file is determined to be malicious with threat level 4.
2. YARA: HookingKeyLogger captures the behavior of intercepting user input values using keyboard event hooking.
3. Dynamic analysis results: the behavior log produced when the analysis target file is actually executed. SetWindowsHookEx(13, ..) was called; hooking behavior occurred on keyboard events.

2. Key Processes: Dynamic environment analysis case (BootKit detection result)
Summary of analysis results
1. Threat Level: if it is 4 or more, the file is determined to be malicious. This file is determined to be malicious with threat level 4.
2. YARA: DetectMBR detects the behavior of modulating the MBR.
3. Dynamic analysis results: the behavior log produced when the analysis target file is actually executed. Behavior using \Device\Harddisk0\DR0 (Master Boot Record) occurred.
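The three cases above share one shape: the sandbox behavior log is run through named rules (DetectBulkChange, HookingKeyLogger, DetectMBR), the rule hits add up to a threat level, and a level of 4 or more means malicious. The following is an added example of that scoring step, not NPCore's engine: the log format, the per-rule weights, the bulk-change file count and the four constructed logs are this example's assumptions; the threshold of 4, the hook id 13 in SetWindowsHookEx and the \Device\Harddisk0\DR0 device name come from the page.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

THREAT_THRESHOLD = 4        # from the page: threat level 4 or more is determined to be malicious
BULK_FILE_THRESHOLD = 10    # assumed: this many distinct user files written/deleted = "bulk change"
WH_KEYBOARD, WH_KEYBOARD_LL = 2, 13   # SetWindowsHookEx idHook values for keyboard hooks
MBR_DEVICE = "\\Device\\Harddisk0\\DR0"  # raw disk device from the BootKit result above


@dataclass(frozen=True)
class Event:
    api: str   # API name as logged by the behavior monitor
    arg: str   # first argument / target as logged


def parse_log(lines: List[str]) -> List[Event]:
    """Constructed log format: '<api><TAB><argument>' per line."""
    events = []
    for line in lines:
        if not line.strip():
            continue
        api, _, arg = line.partition("\t")
        events.append(Event(api.strip(), arg.strip()))
    return events


def detect_bulk_change(events: List[Event]) -> bool:
    """DetectBulkChange: many distinct files under the user profile written or deleted."""
    touched = {e.arg.lower() for e in events
               if e.api in {"NtWriteFile", "WriteFile", "DeleteFile", "MoveFileEx"}
               and e.arg.lower().startswith("c:\\users\\")}
    return len(touched) >= BULK_FILE_THRESHOLD


def detect_hooking_keylogger(events: List[Event]) -> bool:
    """HookingKeyLogger: SetWindowsHookEx installed with a keyboard hook id (2 or 13)."""
    for e in events:
        if e.api == "SetWindowsHookEx":
            id_hook = e.arg.split(",")[0].strip()
            if id_hook.isdigit() and int(id_hook) in (WH_KEYBOARD, WH_KEYBOARD_LL):
                return True
    return False


def detect_mbr(events: List[Event]) -> bool:
    """DetectMBR: a write to the raw disk device that holds the Master Boot Record."""
    return any(e.api in {"NtWriteFile", "WriteFile", "DeviceIoControl"}
               and e.arg.upper().startswith(MBR_DEVICE.upper()) for e in events)


def detect_outbound(events: List[Event]) -> bool:
    return any(e.api in {"connect", "InternetConnectA", "WSAConnect"} for e in events)


# (rule name, weight, predicate); the weights are this example's assumption, not NPCore's scoring
RULES: List[Tuple[str, int, Callable[[List[Event]], bool]]] = [
    ("DetectBulkChange", 4, detect_bulk_change),
    ("HookingKeyLogger", 4, detect_hooking_keylogger),
    ("DetectMBR", 4, detect_mbr),
    ("OutboundConnection", 1, detect_outbound),
]


def analyze(lines: List[str]) -> Dict[str, object]:
    """Summary of analysis results: fired rules, summed threat level, verdict at the threshold."""
    events = parse_log(lines)
    fired = [(name, weight) for name, weight, pred in RULES if pred(events)]
    level = sum(w for _, w in fired)
    return {"threat_level": level, "rules": [n for n, _ in fired],
            "verdict": "malicious" if level >= THREAT_THRESHOLD else "normal"}


# Constructed behavior logs mimicking the three cases on the page plus a benign run
RANSOMWARE_LOG = [f"WriteFile\tC:\\Users\\user\\Documents\\report{i}.docx.locked" for i in range(12)] \
    + [f"DeleteFile\tC:\\Users\\user\\Documents\\report{i}.docx" for i in range(12)]
KEYLOGGER_LOG = ["SetWindowsHookEx\t13, 0x00401000, 0x00400000, 0",
                 "connect\t203.0.113.10:443"]
BOOTKIT_LOG = ["NtWriteFile\t\\Device\\Harddisk0\\DR0 offset=0 length=512"]
BENIGN_LOG = ["ReadFile\tC:\\Users\\user\\Documents\\notes.txt",
              "WriteFile\tC:\\Users\\user\\Documents\\notes.txt",
              "connect\t198.51.100.7:443"]

if __name__ == "__main__":
    for label, log in [("ransomware", RANSOMWARE_LOG), ("keylogger", KEYLOGGER_LOG),
                       ("bootkit", BOOTKIT_LOG), ("benign", BENIGN_LOG)]:
        print(label, analyze(log))
```

Each heavy rule alone reaches the threshold, which mirrors the three result screens where a single YARA hit yields threat level 4; the low-weight outbound-connection rule shows why a benign installer that only writes one file and phones home stays below it.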
3. Product Features
Fast detection analysis environment
· Simultaneous execution of up to 50 virtual machines for malicious code analysis on a single device (system)
· Network APT: provides 10G file processing capability on a single device (system)
· E-mail APT: processes 300K to 600K e-mails per day on average on a single device (system)
· File APT: processes 80K to 160K files per day on average on a single device (system)
Scalability: flexible scalability as equipment is added
· Analysis capacity for a growing volume of files can be expanded by adding virtual analysis images or by arranging devices in parallel
· Separation of the file collecting equipment (Detector) and the file analyzing equipment (Analyzer) allows the system to grow by adding analysis equipment only
· Processes up to 10 Gbps of traffic per device and supports up to four 10GbE interfaces (using an accelerating board instead of a regular NIC)
Stability: ensuring stability through integrated management
· The dashboard shows the security level of the target, the status of malicious file analysis, key events and status information
· Notification (e-mail, SMS, etc.) and linkage with other systems (Syslog, SNMP) when a major security event occurs
· Stable operating environment through equipment status checks and a recovery function
Behavior-based Malware Detection
· Quick detection/blocking of known malicious code through the built-in AV engine (Bitdefender)
· Detects and blocks unknown new and variant malicious code through a sandbox
· Applying the same environment as the real environment to the virtual analysis environment improves detection accuracy and minimizes damage from false positives
Detection of malicious code in a closed environment
· Provides analysis in a closed environment through the virtual analysis system, and detects malicious code through the behavior analysis method using the static analysis system and the dynamic analysis system
· Provides manual pattern updates in an internet-blocked environment and allows manual analysis of patterns
· Provides detection of sandbox-bypassing malicious code (sleep calls, sandbox camouflage, VM-bypass packet collection, real machine, etc.)
ZombieZERO EDR
1. System Operation FLOW
2. ZombieZERO EDR for Ransomware
3. ZombieZERO EDR for APT
1. System Operation FLOW
Behavior-based malware detection allows a quick response to malware that is not yet known.
- Behavior-based detection and treatment enable an immediate response to malicious behavior
- Damage from a zero-day attack can be contained by responding at the first stage
- Real-time response to malicious code that bypasses the network defenses

Existing vaccine method vs. behavior-based method
[Timeline] With the existing vaccine (signature) method there is a defenseless period between the zero-day infection attack (generation, propagation, damage occurrence) and vaccine development/treatment. With the behavior-based method, detection/blocking happens at generation/propagation: when zombie behavior occurs, the traffic is blocked and the process is traced, and the malicious code is extracted and treated (ZombieZERO ransomware response).
• Korea Patent No. 10-1036750 / System and method for blocking Zombie behavior processes
• US Patent US 9060016 B2 / Apparatus and method for blocking Zombie behavior processes
2. ZombieZERO EDR for Ransomware
Key Features
Behavior-based analysis technology + backup technology
· Real-time/scheduled backup, version control
· Duplicate data removal technology
· Creating a virtual secure drive on the user PC's local drive by the Central Management Policy Server
· Immediate response to new ransomware with behavior-based malware detection/treatment
· Uploading ransomware pattern information to the central management server and distributing it to prevent proliferation to other PCs
· Organically linking with security backup
· 24x7 real-time operation

Backup Configuration Plan
Type-A (PC backup): ESM Server (OS: Windows) with EDR #1, EDR #2 ... EDR #n (OS: Windows)
Type-B (NAS backup): ESM Server (OS: Windows) with EDR #1, EDR #2 ... EDR #n (OS: Windows), backed up to NAS
2. ZombieZERO EDR for Ransomware, 2.1 Method for quarantining ransomware and preventing proliferation (1)
When a suspected ransomware process is executed:
- The process is quarantined and its process pattern is transmitted to the ESM
- Proliferation of the infection is prevented by sharing the malicious process pattern information

[Diagram] Router, Firewall, IPS, Switch; the EDR on the infected PC uploads the pattern information to the ESM, which shares it to prevent proliferation of the infection.
Behavior detection categories (API monitor detection and behavior algorithm): encryption API calls, file manipulation API calls, signature presence, encryption count, increase of malicious entropy. The accumulated entropy score classifies the process: Entropy < 32 normal file; Entropy ≥ 32 malicious doubt; Entropy ≥ 64 high probability of malignancy; Entropy ≥ 96 very high probability of malignancy.
EDR + ESM: expanding algorithm for infected PCs (ZombieZERO EDR installed)
2. ZombieZERO EDR for Ransomware, 2.1 Method for quarantining ransomware and preventing proliferation (2)
Detects and blocks modification and manipulation of a specific program's files by programs that are not authorized:
- Behavior that modifies or manipulates a specific program's files from an unauthorized program is blocked
- An I/O driver (file system driver) is installed to prevent external tampering

[Diagram] User mode / kernel: an authorized program requests access authorization for the document and the ZombieZERO EDR approves it; an unauthorized program (ransomware, etc.) requests access authorization and is blocked. Access approval for unauthorized programs is blocked, and distribution of the unauthorized program is blocked in conjunction with the ESM.
2. ZombieZERO EDR for Ransomware, 2.1 Method for quarantining ransomware and preventing proliferation (3)
Detection method using file signatures
- Confirms modulation of the unique signature of executable files and document files
- Detects when modulation above a threshold is observed

Normal signature file header
Header Signature (Hex)                                   File Type
22 50 44 46                                              PDF, FDF
D0 CF 11 E0 A1 B1 1A E1                                  HWP, DOC, PPT, XLS, ...
4D 5A                                                    EXE
4D 4D 00 2A                                              TIF, TIFF
50 4B 03 04                                              ZIP, ...
50 4B 03 04 14 00 06 00                                  DOCX, PPTX, XLSX
52 49 46 46 xx xx xx xx 41 56 49 20 4C 49 53 54          AVI

Modulated signature file header
Header Signature (Hex)                                   File Type
BB C9 DD DF                                              PDF, FDF
49 56 88 79 38 28 83 78                                  HWP, DOC, PPT, XLS, ...
D4 C3                                                    EXE
D4 D4 99 B3                                              TIF, TIFF
C9 D2 9A 9D                                              ZIP, ...
C9 D2 9A 9D 8D 99 9F 99                                  DOCX, PPTX, XLSX
CB D0 DF DF xx xx xx xx D8 CF D0 B9 D5 D0 CA CD          AVI

"Techniques to detect if a modulation above a threshold is detected"
Signature check: confirming modulation of the file signature
Check: confirming file signature presence
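The signature check above, together with the "increase of malicious entropy" category from part (1), as an added example that is not NPCore's code. The signature table follows the page's "normal signature file header" list, except that the PDF magic used here is the standard "%PDF" (25 50 44 46); the entropy hint level, the modulation threshold and the sample files are this example's assumptions, and the three "_enc" files are constructed stand-ins for documents whose headers were overwritten by encryption:

```python
import math
import random
from typing import Dict, List, Optional, Tuple

OLE_COMPOUND = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"     # HWP, DOC, PPT, XLS
OOXML = b"PK\x03\x04\x14\x00\x06\x00"                   # DOCX, PPTX, XLSX (the page's 8-byte form)

# Expected header per extension as (offset, magic) parts; every part must match.
# From the page's normal-signature table, except PDF uses the standard "%PDF" (25 50 44 46).
# For AVI the four bytes after "RIFF" are the size field, shown as xx on the page.
SIGNATURES: Dict[str, List[Tuple[int, bytes]]] = {
    "pdf": [(0, b"%PDF")], "fdf": [(0, b"%PDF")],
    "hwp": [(0, OLE_COMPOUND)], "doc": [(0, OLE_COMPOUND)],
    "ppt": [(0, OLE_COMPOUND)], "xls": [(0, OLE_COMPOUND)],
    "exe": [(0, b"MZ")],
    "tif": [(0, b"MM\x00*")], "tiff": [(0, b"MM\x00*")],
    "zip": [(0, b"PK\x03\x04")],
    "docx": [(0, OOXML)], "pptx": [(0, OOXML)], "xlsx": [(0, OOXML)],
    "avi": [(0, b"RIFF"), (8, b"AVI LIST")],
}
ENTROPY_HINT = 7.0          # bits/byte; assumed level above which a header region looks encrypted
MODULATION_THRESHOLD = 3    # assumed: this many modulated files in one scan raises the alarm


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty data, 8.0 for uniformly random bytes)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def signature_matches(ext: str, data: bytes) -> Optional[bool]:
    """True/False for a known extension; None when no signature is registered for it."""
    parts = SIGNATURES.get(ext.lower())
    if parts is None:
        return None
    return all(data[off:off + len(magic)] == magic for off, magic in parts)


def inspect_file(name: str, data: bytes) -> Dict[str, object]:
    ext = name.rsplit(".", 1)[1] if "." in name else ""
    sig = signature_matches(ext, data)
    # Only the header region is measured: the bodies of ZIP-based and PDF files are legitimately dense.
    entropy = round(shannon_entropy(data[:512]), 2)
    if sig is False:
        verdict = "signature modulated"
    elif sig is None:
        verdict = "unknown type, high entropy" if entropy >= ENTROPY_HINT else "unknown type"
    else:
        verdict = "normal"
    return {"name": name, "signature_ok": sig, "entropy": entropy, "verdict": verdict}


def scan(files: Dict[str, bytes]) -> Dict[str, object]:
    """Threshold rule from the page: alarm when the count of modulated signatures reaches the threshold."""
    results = [inspect_file(n, d) for n, d in files.items()]
    modulated = [r["name"] for r in results if r["verdict"] == "signature modulated"]
    return {"results": results, "modulated": modulated,
            "alert": len(modulated) >= MODULATION_THRESHOLD}


def _pseudo_random(n: int, seed: int) -> bytes:
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


# Constructed sample set: three intact files and three whose headers (and bodies) were overwritten
SAMPLE_FILES: Dict[str, bytes] = {
    "report.pdf": b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog >>\nendobj\n" * 12,
    "budget.xlsx": OOXML + b"[Content_Types].xml" + b"\x00" * 480,
    "memo.hwp": OLE_COMPOUND + b"\x00" * 504,
    "report_enc.pdf": _pseudo_random(512, 1),
    "budget_enc.xlsx": _pseudo_random(512, 2),
    "memo_enc.hwp": _pseudo_random(512, 3),
}

if __name__ == "__main__":
    report = scan(SAMPLE_FILES)
    for r in report["results"]:
        print(f"{r['name']:18} signature_ok={r['signature_ok']!s:5} entropy={r['entropy']:.2f} {r['verdict']}")
    print("alert:", report["alert"], "modulated:", report["modulated"])
```

Checking only the header keeps the entropy figure meaningful: a normal DOCX is a ZIP whose body is near 8 bits/byte, but its first bytes are the fixed `PK` signature, whereas a file encrypted in place loses the signature and shows high entropy from byte zero. The count-then-alarm step in `scan` is the "modulation above a threshold" rule, so one corrupt download does not trigger a ransomware alarm but a run of modulated documents does.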
2. ZombieZERO EDR for Ransomware, 2.2 Advantage points
Ransomware prevention
PC data security backup function (storage)
· Minimizes system load for real-time/scheduled backup and supports options such as copy, one-way and two-way
· Version (history) management can restore the required point in time using index information even when one file has been backed up several times
· Redundant data removal technology minimizes disk cost and optimizes system availability
· Cloud business environment: access data from multiple devices anytime, anywhere to increase efficiency (optional)
Trust-Zone function (T-ZONE protection)
· Creates a virtual secure drive on the local drive of the PC by the Central Management Policy Server (for example, T:\)
· The security zone (private zone), which is not for backup purposes and is managed by the individual, cannot be accessed by anyone other than authorized users
· Login based on server authentication, automatic logout when the PC is idle for a certain time, AES-256 encrypted storage protection
· Trust-Zone access can be blocked and its contents deleted in case of malicious use by an external intruder or a lost/stolen PC
Security sharing / collaboration function (distribution / service)
· Sharing/collaborating on files and folders per user or group according to user policy and permissions (except the C:\ drive)
· Documents in the shared folder can only be accessed by authorized users
· When a laptop is stolen/lost, remote data deletion is possible, and business trips can be carried out from outside with security maintained
Behavior-based malware detection
· Minimizes damage from false positives using linkage analysis techniques for process/file/traffic
· Blocks illegal behaviors (DDoS attacks, information leakage, peeking, etc.) through the endpoint agent's behavior-based engine
· Unlike other products, which can only block by interlocking with network equipment, it can operate independently because it is equipped with a patented behavior-based engine
Pre-blocking function for behavior-based ransomware
· Immediate detection and response to unknown ransomware by behavior-based malware detection and remediation
· Uploads ransomware pattern information to the central management server and distributes it to prevent proliferation to other PCs
· Organically links with security backup
3. ZombieZERO EDR for APT
Key Features
Behavior-based analysis technology + execution pending function
· Provides a pending function for executables in real time
· The analysis status can be viewed through the UI on the user PC
· Endpoint users can register whitelists to respond to false positives and analysis delays
· Responds to new and variant malicious code by behavior-based malicious code detection/treatment
· Prevents proliferation to other PCs after uploading new and variant malicious code pattern information to the central management server
· Organic linkage with the APT analysis server

Execution pending and whitelist processing function
Execution pending: ensuring safety through pending and analysis of executables
Whitelist: increasing operational efficiency with the user's whitelist registration
3. ZombieZERO EDR for APT, 3.1 Main functions (1): configuring a safe environment by detecting and blocking malicious behavior that may result from malware infection on the PC

Process Hiding Detection
• Monitors whether an administrator process is running and detects attempts to hide its own process or specific processes from the Task Manager list (diagram: user processes 1, 2 and 3 run normally; one process hides itself)
Memory Modulation Detection
• Monitors all running processes and detects modulation of the memory area of processes other than its own
Reverse Connection Detection
• Monitors the behavior of backdoor programs and detects them using backdoor features (diagram: in the normal C/S model the client sends the connection request to the server; in a reverse connection the victim connects out to the attacker at a fixed time interval and retries if there is no response; ① human thinking time, ② propagation delay, ③ CPU processing time)
Peeking Prevention
• Monitors all running processes and detects attempts by the target process to capture the screen and transmit it (diagram: normal activity vs. screen-capture order)
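The reverse-connection timing in the diagram (a connection out to the attacker "by time interval", with a retry when there is no response) is what a defender can measure from the endpoint's own outbound connection records. The following is an added example of that measurement, not NPCore's detection engine: it groups outbound connections by process and destination, collapses retry bursts, and flags series whose intervals are almost constant. The log format, the process names, the minimum count, the jitter bound and the retry window are this example's assumptions; the addresses are from documentation ranges.

```python
from collections import defaultdict
from statistics import mean, pstdev
from typing import Dict, List, Tuple

MIN_CONNECTIONS = 6   # assumed: fewer connections are too few to judge periodicity
MAX_JITTER = 0.2      # assumed: stdev/mean of the intervals at or below this counts as "by time interval"
RETRY_WINDOW = 10     # assumed: attempts this close together are retries after no response

# Constructed connection log: "<epoch_seconds> <process> <destination ip:port>".
# 'agent_upd.exe' beacons every ~60 s and retries twice at 1185/1190; the browser and mail
# client connect at irregular, user-driven times.
CONNECTION_LOG = [
    "1000 agent_upd.exe 203.0.113.10:443", "1061 agent_upd.exe 203.0.113.10:443",
    "1119 agent_upd.exe 203.0.113.10:443", "1180 agent_upd.exe 203.0.113.10:443",
    "1185 agent_upd.exe 203.0.113.10:443", "1190 agent_upd.exe 203.0.113.10:443",
    "1242 agent_upd.exe 203.0.113.10:443", "1299 agent_upd.exe 203.0.113.10:443",
    "1360 agent_upd.exe 203.0.113.10:443",
    "1000 browser.exe 198.51.100.5:443", "1003 browser.exe 198.51.100.5:443",
    "1050 browser.exe 198.51.100.5:443", "1300 browser.exe 198.51.100.5:443",
    "1310 browser.exe 198.51.100.5:443", "1900 browser.exe 198.51.100.5:443",
    "2200 browser.exe 198.51.100.5:443",
    "1200 mail.exe 198.51.100.20:993", "1800 mail.exe 198.51.100.20:993",
]


def parse_log(lines: List[str]) -> List[Tuple[int, str, str]]:
    out = []
    for line in lines:
        ts, proc, dst = line.split()
        out.append((int(ts), proc, dst))
    return out


def collapse_retries(stamps: List[int], window: int = RETRY_WINDOW) -> List[int]:
    """Keep the first attempt of each burst: a beacon that got no response retries quickly."""
    kept: List[int] = []
    for t in sorted(stamps):
        if kept and t - kept[-1] <= window:
            continue
        kept.append(t)
    return kept


def find_beacons(lines: List[str]) -> List[Dict[str, object]]:
    """Group outbound connections by (process, destination) and flag near-constant intervals."""
    by_key: Dict[Tuple[str, str], List[int]] = defaultdict(list)
    for ts, proc, dst in parse_log(lines):
        by_key[(proc, dst)].append(ts)
    beacons = []
    for (proc, dst), stamps in by_key.items():
        attempts = collapse_retries(stamps)
        if len(attempts) < MIN_CONNECTIONS:
            continue
        gaps = [b - a for a, b in zip(attempts, attempts[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        jitter = pstdev(gaps) / avg
        if jitter <= MAX_JITTER:
            beacons.append({"process": proc, "dst": dst, "connections": len(attempts),
                            "retries": len(stamps) - len(attempts),
                            "interval_s": round(avg, 1), "jitter": round(jitter, 3)})
    return beacons


if __name__ == "__main__":
    for b in find_beacons(CONNECTION_LOG):
        print(b)
```

The coefficient of variation (standard deviation divided by the mean interval) is what separates a timer-driven reverse connection from a user-driven one: the diagram's ① human thinking time varies from click to click, so a browser's gaps scatter widely, while a backdoor's timer produces gaps that differ only by ② propagation delay and ③ CPU processing time. Collapsing retries first matters because the retries would otherwise inject short gaps and hide the period.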
3. ZombieZERO EDR for APT, 3.1 Main functions (2): configuring a safe environment by detecting and blocking malicious behavior that may result from malware infection on the PC

Traffic anomaly (abnormal behavior) detection
• Monitors packets in real time using a network filter driver and checks/detects whether a packet is abnormal (diagram: normal packet flow vs. abnormal packet flow to the attacker at T1, T2)
File driver level quarantine
• When a PE file is loaded for execution, the signature (MD5, SHA256) of the file is compared with the blacklist by the file filter driver, and execution is blocked/quarantined if the file is determined to be malicious
User behavior detection
• The target process is activated by the user's mouse and keyboard input (typing, click, wheeling); this function builds and manages the list (DB) of processes activated in this way, so that activity without user input can be detected/blocked
File transfer detection
• Monitors all running processes and detects attempted file leaks by the target process
• File transfer detection regardless of user intention, and file transfer detection by the user
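The file-driver-level quarantine above and the execution pending flow shown earlier in this deck (download, analysis of the executable, pending status visible to the user, then blacklist-and-quarantine or whitelist-and-run) describe one decision made at load time. The following is an added example of that decision, not NPCore's EDR: a gate that hashes the loaded file, answers from the blacklist or whitelist when it can, and otherwise holds execution while a stand-in analysis server decides. The analysis server is a constructed stub keyed on a marker string, the two samples are constructed, and the status strings, method names and `user_whitelist` entry point are this example's assumptions.

```python
import hashlib
from enum import Enum
from typing import Callable, Dict, List, Optional, Set, Tuple


class Verdict(Enum):
    ALLOW = "allow"
    BLOCK = "block"


# Constructed stand-in for the analysis server: it "detects" a marker that this example plants
# in its malicious sample. A real server would sandbox the file as described in the Inspector section.
SANDBOX_MARKER = b"<<CONSTRUCTED-SAMPLE:MALICIOUS>>"


def fake_analysis_server(data: bytes) -> str:
    return "malicious" if SANDBOX_MARKER in data else "normal"


class ExecutionGate:
    """Execution pending plus blacklist/whitelist decision for a PE load, as the EDR flow describes."""

    def __init__(self, analyzer: Callable[[bytes], str],
                 blacklist: Optional[Set[str]] = None, whitelist: Optional[Set[str]] = None):
        self.analyzer = analyzer
        self.blacklist: Set[str] = set(blacklist or ())   # sha256 hex digests
        self.whitelist: Set[str] = set(whitelist or ())
        self.quarantine: Dict[str, str] = {}                # sha256 -> path that was blocked
        self.status: List[str] = []                         # what the EDR UI would show the user
        self.analysis_requests = 0

    @staticmethod
    def fingerprint(data: bytes) -> Tuple[str, str]:
        """MD5 and SHA256 of the file image, the two signatures named on the page."""
        return hashlib.md5(data).hexdigest(), hashlib.sha256(data).hexdigest()

    def on_load(self, path: str, data: bytes) -> Tuple[Verdict, str]:
        md5, sha256 = self.fingerprint(data)
        if sha256 in self.blacklist:
            self.quarantine[sha256] = path
            self.status.append(f"{path}: blocked (blacklist, md5 {md5})")
            return Verdict.BLOCK, "blacklist"
        if sha256 in self.whitelist:
            return Verdict.ALLOW, "whitelist"
        # Unknown file: execution stays pending while the analysis server is asked.
        self.status.append(f"{path}: analyzing... (sha256 {sha256[:12]})")
        self.analysis_requests += 1
        result = self.analyzer(data)
        if result == "malicious":
            self.blacklist.add(sha256)
            self.quarantine[sha256] = path
            self.status.append(f"{path}: blocked (analysis result malicious)")
            return Verdict.BLOCK, "analysis:malicious"
        self.whitelist.add(sha256)
        self.status.append(f"{path}: downloaded normally")
        return Verdict.ALLOW, "analysis:normal"

    def user_whitelist(self, data: bytes) -> str:
        """Endpoint user registers a file from the EDR UI (false positive or analysis delay)."""
        _, sha256 = self.fingerprint(data)
        self.blacklist.discard(sha256)
        self.whitelist.add(sha256)
        return sha256


# Constructed samples: both start with the PE "MZ" header; only one carries the marker
MALICIOUS_SAMPLE = b"MZ\x90\x00" + SANDBOX_MARKER + b"\x00" * 32
BENIGN_SAMPLE = b"MZ\x90\x00" + b"This program cannot be run in DOS mode." + b"\x00" * 32

if __name__ == "__main__":
    gate = ExecutionGate(fake_analysis_server)
    for path, data in [("C:\\Users\\user\\Downloads\\tool.exe", MALICIOUS_SAMPLE),
                       ("C:\\Users\\user\\Downloads\\tool.exe", MALICIOUS_SAMPLE),
                       ("C:\\Users\\user\\Downloads\\setup.exe", BENIGN_SAMPLE)]:
        print(path, gate.on_load(path, data))
    print("\n".join(gate.status))
```

The second load of the same bytes answers from the blacklist without another analysis request, which is the "pattern learned once, applied everywhere" property the deck attributes to uploading patterns to the central server; `user_whitelist` is the local override for false positives, and it removes the hash from the blacklist so the two lists never disagree.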
3. ZombieZERO EDR for APT, 3.2 Advantage points
Execution pending function
· Prevents malware infection through the EDR-based execution pending function for downloaded executable files (whether or not the user is aware of the download)
· Sends an analysis request to the analysis server for the pending file and decides whether to execute it according to the result (malicious/normal)
· Provides file analysis by pending execution for document files as well as PE files
· The EDR UI can be used to check the inspection status, and the file can be whitelisted by the user
Whitelist function
· Whitelist policy settings through the analysis server (ESM server) provide strong control over unauthorized files and processes
· Handling of false positives and system operation are made more efficient by letting users register whitelists directly in the EDR UI
· Verification of the registered whitelist (manual analysis and remote analysis function)
· Updates to whitelist patterns
Blocking illegal behaviors (detection/blocking of information leakage)
· Separates user behavior from process behavior to detect unauthorized leakage by malicious code and to detect/block the source of illegal traffic
· Detects reverse sessions to block the hacker's command source for a zombie PC
· Detects/blocks PC behavior monitors that watch the real-time screen of the user PC over the network
· Detects/blocks DDoS attacks and other system hacking
Stability and connectivity: guaranteed system stability and interworking
· The endpoint agent is installed at the kernel driver level rather than the application level, which avoids collisions with other programs and so keeps the system stable while minimizing the PC resources used
· A dual defense system can be built by interworking with other companies' network equipment
Behavior-based malware detection
· Minimizes damage from false positives using linkage analysis techniques for process/file/traffic
· Blocks illegal behaviors (DDoS attacks, information leakage, peeking, etc.) through the behavior-based engine of the endpoint agent
· Unlike other products, which can only block by interlocking with network equipment, it can operate independently because it is equipped with a patented behavior-based engine
Unknown APT/Ransomware Response Solutions: ZombieZERO SECaaS
1. ZombieZERO SECaaS (Security as a Service), 1) What is SECaaS?
A ransomware response solution through EDR (Endpoint Detection & Response). Developed in cooperation with KT, it is now provided by KT to SMEs as SECaaS (Security as a Service) under the brand name 'KT securegate' (site: securegate.olleh.com).
KT securegate business model / SECaaS block diagram
<KT's SECaaS business model> - securegate.olleh.com
<Behavior-based malware solution for PC> - securegate.olleh.com
[Diagram] Company A and Company B each connect through Router, F/W and Switch over the Internet to the KT securegate server farm, which hosts the securegate WAS server (cloud service) and the ZombieZERO Manager (server).

1. ZombieZERO SECaaS (Security as a Service), 2) Main Services
SECaaS (malware detection/blocking solution) detects and blocks ransomware based on behavior, and supports PC backup and NAS backup for integrated protection of the enterprise's or organization's data.
Behavior-based analysis technology + backup technology: the same key features as the ZombieZERO EDR for APT (execution pending, analysis status in the user PC UI, user whitelist registration, behavior-based detection/treatment, pattern upload to the central management server, linkage with the APT analysis server), operated 24x7 in real time
Backup configuration: Type-A (PC backup) and Type-B (NAS backup), each with the Central Management Server (Zombie ZERO Manager, OS: Windows) and PC #1, PC #2 ... PC #n (OS: Windows)
[Timeline] Generation/propagation, then detection/blocking: on occurrence of zombie behaviors, traffic is blocked and processes are traced back; the malware is extracted and quarantined (ZombieZERO ransomware response).
* KOREA Patent No. 10-1036750 / Block system and method for Zombie behavior
* US Patent No. US 9060016 B2 / Apparatus and method for blocking Zombie behavior Process
Company Introduction
1. General Information
2. Organization and Personnel
3. History and Technology
4. Customers
5. Case Studies
6. Reference Sites
7. Comparison Table
1. General Information
Company Name: NPCore, Inc.
Date of establishment: 2008. 11. 19.
Annual Sales: 2015: 1.9B KRW ($1.9M) / 2016: 2.4B KRW ($2.4M)
Employees: 24
Main Product: Information Security Solutions
Address: ISBiz Tower 1001, 26, Yangpyeongro 21 gil, Yeongdeunpogu, Seoul, Korea
Contact: +82-1544-5317, FAX +82-2-413-5317
Website: www.npcore.com
CEO: SC Han, MS in Electronic Engineering, Yonsei Univ.; Head of R&D center; 18 years of experience in network and information security solutions

Financials (Unit: M Won)
Year            2015            2016
Total Asset     6,589 ($6.6M)   6,695 ($6.7M)
Total Capital   3,853 ($3.9M)   4,161 ($4.2M)
Sales           1,963 ($1.9M)   2,419 ($2.4M)
Evaluation year: 2016; evaluation institution: Korea Enterprise Data
2. Organization and Personnel
[Org chart] HQ, branch, subsidiary and distributors
Classification                  Total
Master level engineer           3
Advanced level engineer         5
Intermediate level engineer     6
Elementary level engineer       1
Management & Marketing          3
Tech Sales (Korea/Overseas)     6
Total                           24
Engineer ratio: 65%
3. History and Technology
Registered patents (8 domestic / 1 US)
1) Network intrusion prevention methods and systems
2) Abnormal traffic control device and method
3) A LAN card for server security
4) Access control system and method
5) Network interface device with information leaking prevention function, and information leakage prevention method
6) Zombie Behavior Blocking System and Method
7) Information leakage prevention device and method
8) System and method for hacking device of mobile terminal
9) APPARATUS AND METHOD FOR BLOCKING ZOMBIE BEHAVIOR PROCESS
Patent applications (7 domestic / 1 PCT)
Certification details
1) GS Certification, ZombieZERO V2.0
2) CC Certification, ZombieZERO Inspector V3.0
3) CC Certification, ZombieZERO V2.0
4) Green technology certification (hybrid low-power multicore NPU-based high-performance server platform system)
4. Main Customers
Government, university, and financial corporations/enterprises: Financial Supervisory Service, Korea Water Resources Corp., KEPCO Nuclear Fuel, Seoul City Hall, Yeongcheon City Hall, Property Office, Post Business Information Center
Overseas: Kamisu City Hall (Japan), Toukei Computer (Japan), Hitachi (Japan), Royal Malaysia Police, Vietnam Posts and Telecommunications Group
5. Case Studies

01. LOTTE DUTY FREE: Endpoint malware defense
- Installed the Agent on all user PCs at Lotte Duty Free, including the main office and the Incheon International Airport, Jamsil, COEX and Gimpo Airport shops, to defend against malware.
- During the evaluation, a product presentation and BMT (benchmark test) of domestic competitors and our product were conducted under the supervision of Lotte Data Communication's security consulting team. As a result, our product was the final selection.
- Because of the ransomware issue, all systems were patched (Jan. 2016) and approximately 2,000 users adopted our product.

02. YUHAN (pharmaceutical company): Defense system against APT attacks
- YUHAN adopted ZombieZERO Inspector to protect its internal information and assets from increasingly intelligent APT attacks.
- The project started in Aug. 2015 and took about one month to complete.
- During the evaluation, our product was the final selection based on the product presentation and BMT.
03. Korea Aerospace Industries, Ltd.: Information exfiltration defense system
- Adopted the ZombieZERO Agent on user PCs to prevent information exfiltration through malicious behavior that Korea Aerospace Industries' internal users cannot notice.
- During the evaluation, our product was the final selection as the result of a product presentation and BMT of domestic competitors and our product.
- The project started in Dec. 2015, took about one month to complete, and approximately 2,000 users adopted our product.

04. Seoul City Hall: Intelligent malware response system
- Adopted ZombieZERO Inspector to build a defense system with real-time detection and blocking of APT attacks on Seoul City Hall.
- The project started in Jun. 2014 and took about one month to complete.
05. Gyeongsangbuk-do Office of Education: APT defense system for the Phase 3 SchoolNet service
- ZombieZERO Inspector was adopted for the APT attack defense area of the Gyeongsangbuk-do Office of Education's Phase 3 SchoolNet service project.
- The project started in May 2016 and took about one month to complete.
- Two sets of ZombieZERO Inspector 5000 were adopted, one for the internet network and one for the backup network.
- Built the best infrastructure by configuring interworking with the site's other security equipment.

06. Cheonan Yonam College: APT attack defense system
- Cheonan Yonam College adopted the ZombieZERO Agent on internal user PCs to establish a professional response system against increasingly intelligent APT attacks.
- Our product was the final selection as the result of a BMT.
- The project started in Nov. 2013, took about one month to complete, and approximately 500 users adopted our product.
07. KT&G: Zombie PC and data exfiltration prevention system
- ZombieZERO was adopted as the defense solution against data exfiltration from KT&G's user PCs; it was the final selection after a BMT lasting about a year.
- The project started in May 2014, took about one month to complete, and approximately 4,000 users adopted our product.

08. Korea Workers' Compensation & Welfare Service (COMWEL): Zombie PC and data exfiltration prevention system
- ZombieZERO was adopted as the defense solution against zombie PCs and data exfiltration from COMWEL's user PCs; it was the final selection after a BMT lasting about a year.
- The project started in Dec. 2013, took about one month to complete, and approximately 8,000 users, including nationwide branches and the 8 hospitals that COMWEL manages, adopted our product.
6. Reference Sites (Korea)

Division | Customer | Project | Period | Adopted Type
Gov. Agency | Gyeongsangbuk-do Office of Education | APT Defense System | Apr. 2016 ~ Now | Inspector (Network)
Gov. Agency | Korea Aerospace Industries, Ltd. | Data Spill Defense System | Jan. 2016 ~ Feb. 2016 | Agent (Endpoint)
Gov. Agency | Korea Water Resource Corp. | APT Defense System | Apr. 2015 ~ May 2015 | Inspector + Agent
Gov. Agency | KEPCO Nuclear Fuel | Advanced Malware Defense System | Apr. 2015 ~ Jun. 2015 | Inspector (Network)
Gov. Agency | Seoul Metro | APT Defense System | Oct. 2014 ~ Nov. 2014 | Inspector (Network)
Gov. Agency | Seoul City Hall | Advanced Malware Defense System | Apr. 2014 ~ Jun. 2014 | Inspector (Network)
Gov. Agency | Yeongcheon City Hall | APT Defense System | Mar. 2014 | Agent (Endpoint)
Gov. Agency | The Independence Hall of Korea | Zombie PC Detection System | Nov. 2013 ~ Dec. 2013 | Inspector (Network)
Gov. Agency | Korean Intellectual Property Office | APT Defense System | Dec. 2013 | Inspector (Network)
Gov. Agency | Daegu-Gyeongbuk Free Economic Zone Authority | Zombie PC Detection System | Nov. 2013 | Inspector (Network)
Gov. Agency | Korea Workers' Compensation & Welfare Service | Zombie PC Defense System | Aug. 2013 ~ Oct. 2013 | Agent (Endpoint)
Gov. Agency | Korea Forest Service | Zombie PC & Data Spill Defense System | Oct. 2012 ~ Nov. 2012 | Agent (Endpoint)
Gov. Agency | The Blue House | New Hacking Blocking System | Nov. 2011 ~ Dec. 2011 | Agent (Endpoint)
Univ. | Munkyung College | Zombie PC Detection System | Jun. 2015 ~ Jul. 2015 | Inspector (Network)
Univ. | Seoyeong Univ. | Advanced Malware Defense System | Feb. 2015 ~ Mar. 2015 | Inspector (Network)
Univ. | Hanshin Univ. | Zombie PC Detection System | Mar. 2014 ~ Apr. 2014 | Agent (Endpoint)
Univ. | Cheonan Yonam College | Zombie PC Detection System | Nov. 2013 | Agent (Endpoint)
Univ. | Dongduk Women's Univ. | Zombie PC Detection/Blocking System | Feb. 2012 | Agent (Endpoint)
Univ. | Chosun Univ. | Zombie PC Detection/Blocking System | Feb. 2011 | Agent (Endpoint)
Financial Corp. / Enterprise | Lotte Duty Free | APT Defense System | Aug. 2014 ~ Now | Agent (Endpoint)
Financial Corp. / Enterprise | KT&G | APT Defense System | Apr. 2014 | Agent (Endpoint)
Financial Corp. / Enterprise | Financial Supervisory Service | APT Defense System | Apr. 2013 ~ May 2013 | Agent (Endpoint)
Financial Corp. / Enterprise | YUHAN Corp. | APT Defense System | Sep. 2015 ~ Nov. 2015 | Inspector (Network)
Financial Corp. / Enterprise | Hankook Capital Co., Ltd. | APT Defense System | Apr. 2013 ~ May 2013 | Agent (Endpoint)
Financial Corp. / Enterprise | Sapphire Technology | APT Defense System | Apr. 2014 ~ May 2014 | Agent (Endpoint)
Financial Corp. / Enterprise | DGB Life Insurance | APT Defense System | Aug. 2013 ~ Sep. 2013 | Agent (Endpoint)
Financial Corp. / Enterprise | Busan Bank | New Hacking Blocking System | Jun. 2012 ~ Jul. 2012 | Agent (Endpoint)

Actual cases (site photos): The Independence Hall of Korea, Cheonan Yonam College, COMWEL
6. Reference Sites (Korea and Overseas)

Country | Division | Customer | Project | Setup Period | Setup Type
Republic of Korea | Gov. Agency | Korea Post Office | APT Defense System Setup | Nov. 2016 ~ Dec. 2016 | ZombieZERO Inspector (Network)
Republic of Korea | Gov. Agency | Gyeongsangbuk-do Office of Education | APT Defense System Setup | Apr. 2016 ~ Jun. 2016 | ZombieZERO Inspector (Network)
Republic of Korea | Gov. Agency | Korea Aerospace Industries, Ltd. | Data Spill Defense System Setup | Jan. 2016 ~ Feb. 2016 | ZombieZERO Agent (Endpoint)
Republic of Korea | Gov. Agency | Korea Water Resource Corp. | APT Defense System Setup | Apr. 2015 ~ May 2015 | ZombieZERO Inspector + Agent
Republic of Korea | Gov. Agency | KEPCO Nuclear Fuel | Advanced Malware Defense System Setup | Apr. 2015 ~ Jun. 2015 | ZombieZERO Inspector (Network)
Republic of Korea | Gov. Agency | Seoul Metro | APT Defense System Setup | Oct. 2014 ~ Nov. 2014 | ZombieZERO Inspector (Network)
Republic of Korea | Gov. Agency | Seoul City Hall | Advanced Malware Defense System Setup | Apr. 2014 ~ Jun. 2014 | ZombieZERO Inspector (Network)
Republic of Korea | Gov. Agency | Yeongcheon City Hall | APT Defense System Setup | Mar. 2014 | ZombieZERO Agent (Endpoint)
Republic of Korea | Gov. Agency | The Independence Hall of Korea | Zombie PC Detection System Setup | Nov. 2013 ~ Dec. 2013 | ZombieZERO Inspector (Network)
Republic of Korea | Gov. Agency | Korean Intellectual Property Office | APT Defense System Setup | Dec. 2013 | ZombieZERO Inspector (Network)
Republic of Korea | Gov. Agency | Daegu-Gyeongbuk Free Economic Zone Authority | Zombie PC Detection System Setup | Nov. 2013 | ZombieZERO Inspector (Network)
Republic of Korea | Gov. Agency | Korea Workers' Compensation & Welfare Service | Zombie PC Defense System Setup | Aug. 2013 ~ Oct. 2013 | ZombieZERO Agent (Endpoint)
Republic of Korea | Gov. Agency | Korea Forest Service | Zombie PC & Data Spill Defense System Setup | Oct. 2012 ~ Nov. 2012 | ZombieZERO Agent (Endpoint)
Republic of Korea | Gov. Agency | The Blue House (The President's Office) | New Hacking Blocking System Setup | Nov. 2011 ~ Dec. 2011 | ZombieZERO Agent (Endpoint)
Republic of Korea | Univ. | Munkyung College | Zombie PC Detection System Setup | Jun. 2015 ~ Jul. 2015 | ZombieZERO Inspector (Network)
Republic of Korea | Univ. | Seoyeong Univ. | Advanced Malware Defense System Setup | Feb. 2015 ~ Mar. 2015 | ZombieZERO Inspector (Network)
Republic of Korea | Univ. | Hanshin Univ. | Zombie PC Detection System Setup | Mar. 2014 ~ Apr. 2014 | ZombieZERO Agent (Endpoint)
Republic of Korea | Univ. | Cheonan Yonam College | Zombie PC Detection System Setup | Nov. 2013 | ZombieZERO Agent (Endpoint)
Republic of Korea | Univ. | Dongduk Women's Univ. | Zombie PC Detection/Blocking System Setup | Feb. 2012 | ZombieZERO Agent (Endpoint)
Republic of Korea | Univ. | Chosun Univ. | Zombie PC Detection/Blocking System Setup | Feb. 2011 | ZombieZERO Agent (Endpoint)
Republic of Korea | Financial Corp. / Enterprise | Lotte Duty Free | APT Defense System Setup | Aug. 2014 ~ Now | ZombieZERO Agent (Endpoint)
Republic of Korea | Financial Corp. / Enterprise | KT&G | APT Defense System Setup | Apr. 2014 | ZombieZERO Agent (Endpoint)
Republic of Korea | Financial Corp. / Enterprise | Financial Supervisory Service | APT Defense System Setup | Apr. 2013 ~ May 2013 | ZombieZERO Agent (Endpoint)
Republic of Korea | Financial Corp. / Enterprise | YUHAN Corp. | APT Defense System Setup | Sep. 2015 ~ Nov. 2015 | ZombieZERO Inspector (Network)
Republic of Korea | Financial Corp. / Enterprise | Hankook Capital Co., Ltd. | APT Defense System Setup | Apr. 2013 ~ May 2013 | ZombieZERO Agent (Endpoint)
Republic of Korea | Financial Corp. / Enterprise | Sapphire Technology | APT Defense System Setup | Apr. 2014 ~ May 2014 | ZombieZERO Agent (Endpoint)
Republic of Korea | Financial Corp. / Enterprise | DGB Life Insurance | APT Defense System Setup | Aug. 2013 ~ Sep. 2013 | ZombieZERO Agent (Endpoint)
Republic of Korea | Financial Corp. / Enterprise | Busan Bank | New Hacking Blocking System Setup | Jun. 2012 ~ Jul. 2012 | ZombieZERO Agent (Endpoint)
Japan | Enterprise | Daou Japan | APT Defense System Setup | Aug. 2015 ~ Mar. 2016 | ZombieZERO Inspector (Network)
Japan | Gov. Agency | Kamisu City | APT Defense System Setup | Nov. 2015 | ZombieZERO Inspector (Network)
Japan | Enterprise | Toukei Computer | APT Defense System Setup | Mar. 2016 ~ May 2016 | ZombieZERO Inspector + Agent
Japan | Enterprise | Hitachi | APT Defense System Setup | 1Q 2017 | ZombieZERO Inspector + Agent
Vietnam | Enterprise | VNPT | Network Device / DB Security Setup | Aug. 2016 ~ Oct. 2016 | Network Device / DB Security
Vietnam | Enterprise | Tsukatani | Network Device | Mar. 2016 ~ May 2016 | Network Device
Vietnam | Enterprise | Enshu | Network Device | Mar. 2016 ~ May 2016 | Network Device
Vietnam | Enterprise | Elentec | Network Device | May 2016, Nov. 2016 | Network Device
Malaysia | Gov. Agency | Ministry of Police | APT Defense System Setup | Oct. 2016 | ZombieZERO Inspector (Network)
UAE | Gov. Agency | Smart City | APT Defense System Setup | 1Q ~ 2Q 2017 | ZombieZERO Inspector + Agent
7. Comparison Table

Vendors compared: NPCore (ZombieZERO), FireEye, TrendMicro, Checkpoint, AhnLab.

Main technology
- NPCore (ZombieZERO): Behavior-based analysis
- FireEye: Behavior-based analysis
- TrendMicro: Behavior-based situation awareness
- Checkpoint: Behavior-based analysis
- AhnLab: Behavior-based analysis

Main ransomware detection features
- NPCore (ZombieZERO): Behavior-based category monitoring of APIs (encryption, signing, file manipulation); detection of forged or tampered signatures; management and control of document access; file change and set-up limits; check for the presence of a digital signature
- FireEye: Recognizes ransomware-specific patterns
- TrendMicro: Recognizes ransomware patterns; detects file tampering; PC-based backup
- Checkpoint: No ransomware technology
- AhnLab: Detects file access behavior; detects continuous encryption behavior; PC-based backup

Ransomware blocking function
- NPCore (ZombieZERO): Block / isolation / cure functions (when a cure pattern is registered)
- FireEye: Block / isolation / cure functions (when a cure pattern is registered)
- TrendMicro: Isolation / backup
- Checkpoint: X
- AhnLab: Isolation / backup (when a cure pattern is registered)

Agent's APT response
- NPCore (ZombieZERO): O. Interworking analysis of process, file and traffic; reverse access (detects C&C); memory tampering and abnormal traffic behavior; detects file transfer
- FireEye: O. Detects C&C; detection by pattern DB and real-time threat feed; protection against web browser threats
- TrendMicro: X
- Checkpoint: △ (the Agent cannot be used alone). Detects C&C; classifies use of the same process
- AhnLab: O. Detects C&C; prevents data exfiltration; detects user behavior, etc.

Own APT equipment for the network
- NPCore (ZombieZERO): Possesses APT equipment for network, e-mail and network connection
- FireEye: Possesses APT equipment for network and e-mail
- TrendMicro: X
- Checkpoint: Possesses network APT equipment
- AhnLab: X

Own C&C list | NPCore: O | FireEye: O | TrendMicro: X | Checkpoint: X | AhnLab: O
Own blacklist | NPCore: O | FireEye: O | TrendMicro: X | Checkpoint: X | AhnLab: O
Own whitelist | NPCore: O | FireEye: O | TrendMicro: X | Checkpoint: X | AhnLab: O

Management server
- NPCore (ZombieZERO): Customer-based or cloud (option); integrates with network equipment or runs standalone; ESM (dashboard); deploys policy suited to each customer's nature; prevents spread by registering patterns (easy management and response for large customers)
- FireEye: Customer-based; configured by the Agent alone; dashboard; deploys central policy
- TrendMicro: Cloud-based; separate management tool for each user; difficulty deploying policy to group companies and institutes; difficulty for the security manager in managing overall status
- Checkpoint: Customer-based; network-integrated configuration; dashboard; deploys central policy
- AhnLab: Customer-based; network-integrated configuration; dashboard; deploys central policy