
©2015 Check Point Software Technologies Ltd. All rights reserved. [Protected] Non-confidential content
October 26, 2015
Check Point SandBlast Zero-Day Protection | White Paper

CHECK POINT SANDBLAST ZERO-DAY PROTECTION: THE BEST PROTECTION AT EVERY LEVEL

“UNKNOWN MALWARE DOWNLOADS JUMPED FROM 2.2 PER HOUR IN 2013 TO 106 PER HOUR IN 2014”

THE RISE OF KNOWN AND UNKNOWN MALWARE

Malware. It’s a term that is getting a lot of attention in today’s connected world from reporters, business owners, and IT experts. In the network security world, malware is malicious software that falls into one of these categories: adware, spyware, virus, worm, Trojan, rootkit, backdoor, keylogger, ransomware, and browser hijacker. While different types of malware affect systems differently [1], they often share common objectives, whether that is to steal sensitive data, gain access to unauthorized applications or privileges, and/or disrupt business.

In early 2014, news organizations around the world hailed 2013 as the ‘Year of Breaches’. That was until 2014 came to a close. According to a January 2015 report from AV-Test [2], an independent IT security research firm, malware incidents increased 72% between 2013 and 2014. More malware was found in the past two years than in the previous 10 years combined. [3]

Malware complexity is increasing as cybercriminals refine their intrusion techniques, masking malware signatures and varying attack methods. Hardest to stop are what we call zero-day attacks, which exploit previously unknown vulnerabilities, as well as new variants of existing malware that have not yet been seen. Because antivirus products typically neither recognize nor catch new or unknown malware, such malware often bypasses even the most up-to-date antivirus and intrusion prevention protections. According to the 2015 Check Point Annual Security Report, the rate of unknown malware downloads jumped from 2.2 per hour in 2013 to 106 per hour in 2014. [4]

SECURITY APPROACHES TO ZERO-DAY ATTACKS

According to Internet Live Stats, more than 2.4 million emails are sent every second. [5] In the first 3 months of 2015 alone, about 59.2% of these emails were spam. [6] Email attachments have become the preferred method to transfer files, and many people falsely believe that attachments from known senders in their inbox are safe to open; together, these make the inbox a prime target for attacks. The old prescription for scanning email used to be: install a good antivirus program, keep it up to date, and avoid suspicious-looking files and sites. Unfortunately, in today’s world that sage advice is still necessary, but it is not sufficient to protect against modern malware.


“DOCUMENTS NOW POSE ONE OF THE GREATEST RISKS TO ORGANIZATIONS TODAY”

Malware can hide in executables, in regular documents, and in web pages. The dangers of attacks embedded in executables have been well publicized for many years. Because of this awareness, the majority of users delete emails with executable attachments. In addition, many organizations have network security policies that strip executable attachments from emails. The latest attacks come through seemingly safe documents containing active elements such as macros, dynamic objects and scripts, which makes them much more likely to be opened. Therefore, documents now pose one of the greatest risks to organizations today.

In 2014, 86% of organizations accessed a malicious website and 63% of organizations downloaded a malicious file. [7] From human resources to purchasing and beyond, employees must routinely open documents from job applicants, customers, and vendors, and risk exposing their companies to malware embedded inside them.

Sandboxing is a commonly used method for catching these newer malware types. Sandboxes pre-screen files before they enter your network by emulating a standard operating system (OS) in a restricted environment, safely isolated from your production network. The sandbox exercises the untested file in various ways, as if an actual user had opened it, and monitors for behavior beyond what is normally expected. By combining up-to-date antivirus with behavioral analysis and static analysis, sandboxing provides solid protection against potentially malicious executables. The traditional sandbox performs the behavioral analysis as a run-time test, while the static analysis deep-scans the code constructs within the executable.

Key factors to consider in selecting a good sandbox include:

• Detection and blocking of attacks
• Evasion resistance
• Fast and accurate detection
• Support for common file types
• Support for web objects such as Flash

Scanning the widest array of file types (.doc, .xls, .ppt, .pdf, .exe, .zip, .rar, etc.), including archive files, increases a security layer’s malicious content catch rate. If your current sandbox solution only addresses a limited set of file types, you are potentially at risk, because cybercriminals embed malware into all types of transport files. When the sandbox is complemented with a mail transfer agent (MTA), the threat prevention process holds the email in transit, and can even modify it, until sandboxing is complete. This prevents malware from crossing the network boundary and ever reaching the end user.
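The attachment-handling side of that MTA hold, as an added example (not Check Point code): every attachment is pulled out of the message, typed by its leading bytes rather than by its name, unpacked if it is an archive (with nesting, member-count and member-size limits so a hostile archive cannot exhaust the scanner), and flagged when its extension promises a type its bytes do not match. The sample message, the zip inside it and the signature table are constructed for this example.

```python
"""Attachment triage for an MTA hold queue (added example, not Check Point
code): identify each attachment by magic bytes, unpack archives recursively
with limits, and flag extension/type mismatches. Runs offline on a
constructed message."""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Signature table: leading bytes -> type. Extension-agnostic, as the text urges.
MAGIC = [
    (b"MZ", "exe"),                                    # PE executable
    (b"%PDF-", "pdf"),
    (b"PK\x03\x04", "zip"),                            # also .docx/.xlsx/.pptx
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole"),      # legacy .doc/.xls/.ppt
    (b"Rar!\x1a\x07", "rar"),
]
# What a file with this extension should sniff as.
EXPECTED = {"exe": "exe", "pdf": "pdf", "zip": "zip", "docx": "zip",
            "xlsx": "zip", "pptx": "zip", "doc": "ole", "xls": "ole",
            "ppt": "ole", "rar": "rar"}

MAX_DEPTH = 3                 # archive-in-archive nesting allowed
MAX_MEMBERS = 200             # members read per archive
MAX_MEMBER_BYTES = 8_000_000  # per-member cap; a zip bomb stops here


def sniff(data):
    """Return the type implied by the leading bytes, or 'unknown'."""
    for sig, kind in MAGIC:
        if data.startswith(sig):
            return kind
    return "unknown"


def extension_mismatch(path, kind):
    """True when the file's extension promises a type its bytes do not match."""
    leaf = path.rsplit("/", 1)[-1]
    ext = leaf.rsplit(".", 1)[-1].lower() if "." in leaf else ""
    return ext in EXPECTED and EXPECTED[ext] != kind


def expand(path, data, depth=0):
    """Yield (path, kind, data) for this blob and, if it is a zip, its members."""
    kind = sniff(data)
    yield path, kind, data
    if kind != "zip" or depth >= MAX_DEPTH:
        return
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return
    for info in zf.infolist()[:MAX_MEMBERS]:
        if info.is_dir():
            continue
        # Read one byte past the cap instead of trusting the declared size.
        member = zf.open(info).read(MAX_MEMBER_BYTES + 1)
        if len(member) > MAX_MEMBER_BYTES:
            continue
        yield from expand(f"{path}/{info.filename}", member, depth + 1)


def triage(raw_message):
    """Return [(path, kind, size, mismatch)] for everything the scanner must see."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    rows = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True)
        if payload is None:
            continue
        for path, kind, data in expand(part.get_filename() or "unnamed", payload):
            rows.append((path, kind, len(data), extension_mismatch(path, kind)))
    return rows


def build_sample():
    """Constructed message: a zip whose member 'invoice.pdf' is really a PE stub."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.pdf", b"MZ\x90\x00" + b"\x00" * 60)
        zf.writestr("notes.txt", b"see invoice")
    msg = EmailMessage()
    msg["From"] = "vendor@example.com"
    msg["To"] = "ap@example.com"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see attached.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="report.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for row in triage(build_sample()):
        print(row)
```

Only zip containers are opened here; RAR and OLE are recognized but handed to the scanner whole, since unpacking them needs third-party libraries. Each row is what the hold queue would submit to the sandbox, and a mismatch alone is reason enough to keep the message held.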


DOES YOUR SANDBOX:

• Detect AND block attacks?
• Have advanced capabilities such as evasion-resistant protection?
• Provide fast and accurate detection?
• Support inspection of a wide range of file types, including archive files?
• Support web objects such as Flash?

Inspecting files and clearing them before they enter a network should be a best practice, but it is actually a relatively recent one. Ease of implementation and minimal impact on the user experience have made sandbox technologies popular among many companies, with more and more considering adding them to their future security strategies. As sandboxing solutions are deployed more widely, cybercriminals continue to develop evasion techniques, sometimes simple and other times intricate, to prevent their malware from being detected. Today, some of the more common sandbox bypassing techniques include [8]:

• Delayed launch, where the payload has a timer that keeps the actual malicious code from starting until minutes or hours after the file is first opened
• Identifying the sandbox by looking for virtual machine indicators, such as scanning registry keys, running processes, or disk size, and not deploying except on physical devices
• Checking for human interaction activities such as page scrolling, mouse clicks, and mouse movement, which are difficult to replicate in a virtual environment
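What a behavioral sandbox's monitoring (described earlier) and these three evasion checks look like from the analyst's side, as an added example that is not Check Point code: a scorer over the API-call trace a sandbox records for one detonation. It separates out-of-the-ordinary behaviour (a document reader spawning a shell, Run-key persistence, outbound connections) from the evasion signals (long sleeps, VM registry and process probes, repeated cursor polling with no movement), because an evasive sample that did nothing visible must be re-run, not cleared. The event format and both traces are constructed; real sandbox reports carry the same signals in richer form.

```python
"""Sandbox trace triage (added example, not Check Point code): score a
recorded API-call trace for suspicious behaviour and for the delayed-launch,
VM-fingerprinting and human-interaction evasions listed in the text.
Event format and traces are constructed for this example."""
from collections import Counter

VM_MARKERS = ("VBOX", "VIRTUALBOX", "VMWARE", "QEMU", "XEN")
VM_PROCESSES = {"vboxservice.exe", "vboxtray.exe", "vmtoolsd.exe", "vmwaretray.exe"}
DOC_READERS = {"winword.exe", "excel.exe", "powerpnt.exe", "acrord32.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
LONG_SLEEP_MS = 120_000   # more than this inside a short detonation is stalling
CURSOR_POLLS = 3          # same cursor position read this often = "nobody here"


def analyze(trace):
    """trace: list of {"process": image, "api": name, "args": {...}}.
    Returns evasion indicators, behaviour indicators and a verdict."""
    evasion, behaviour = [], []
    sleep_ms = 0
    cursor = Counter()
    for ev in trace:
        api, a, proc = ev["api"], ev.get("args", {}), ev.get("process", "").lower()
        if api in ("Sleep", "SleepEx", "NtDelayExecution"):
            sleep_ms += a.get("ms", 0)
        elif api in ("RegOpenKeyExW", "RegQueryValueExW"):
            if any(m in a.get("key", "").upper() for m in VM_MARKERS):
                evasion.append(f"VM registry probe: {a.get('key')}")
        elif api == "Process32NextW" and a.get("exe", "").lower() in VM_PROCESSES:
            evasion.append(f"VM process lookup: {a['exe']}")
        elif api == "DeviceIoControl" and a.get("ioctl") == "IOCTL_DISK_GET_LENGTH_INFO":
            evasion.append("disk size check")
        elif api == "GetCursorPos":
            cursor[(a.get("x"), a.get("y"))] += 1
        elif api == "CreateProcessW":
            child = a.get("image", "").rsplit("\\", 1)[-1].lower()
            if proc in DOC_READERS and child in SHELLS:
                behaviour.append(f"{proc} spawned {child}")
        elif api == "RegSetValueExW" and "\\CURRENTVERSION\\RUN" in a.get("key", "").upper():
            behaviour.append(f"Run-key persistence: {a.get('value')}")
        elif api in ("connect", "InternetConnectW", "WinHttpConnect"):
            behaviour.append(f"outbound connection: {a.get('host')}:{a.get('port')}")
    if sleep_ms >= LONG_SLEEP_MS:
        evasion.append(f"delayed launch: {sleep_ms} ms of sleep")
    if cursor and cursor.most_common(1)[0][1] >= CURSOR_POLLS:
        evasion.append("human-interaction check: cursor polled, never moved")
    if behaviour:
        verdict = "malicious"
    elif evasion:
        # Nothing bad ran, but the sample looked for a sandbox: re-detonate
        # with sleep skipping and simulated input before trusting the result.
        verdict = "suspicious-evasive"
    else:
        verdict = "clean"
    return {"verdict": verdict, "evasion": evasion, "behaviour": behaviour}


W = "winword.exe"
# Constructed trace: a macro document fingerprints the VM, checks for a user,
# stalls, then drops a PowerShell stager and persists.
MALICIOUS_TRACE = [
    {"process": W, "api": "RegOpenKeyExW",
     "args": {"key": "HKLM\\SOFTWARE\\Oracle\\VirtualBox Guest Additions"}},
    {"process": W, "api": "GetCursorPos", "args": {"x": 512, "y": 384}},
    {"process": W, "api": "GetCursorPos", "args": {"x": 512, "y": 384}},
    {"process": W, "api": "GetCursorPos", "args": {"x": 512, "y": 384}},
    {"process": W, "api": "Sleep", "args": {"ms": 180_000}},
    {"process": W, "api": "CreateProcessW",
     "args": {"image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"}},
    {"process": "powershell.exe", "api": "InternetConnectW",
     "args": {"host": "update.example.net", "port": 443}},
    {"process": "powershell.exe", "api": "RegSetValueExW",
     "args": {"key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
              "value": "Updater"}},
]
# Constructed trace of a benign document: a short pause and one cursor read.
BENIGN_TRACE = [
    {"process": W, "api": "Sleep", "args": {"ms": 500}},
    {"process": W, "api": "GetCursorPos", "args": {"x": 100, "y": 200}},
]

if __name__ == "__main__":
    for name, t in (("malicious", MALICIOUS_TRACE), ("benign", BENIGN_TRACE)):
        print(name, analyze(t))
```

The thresholds are the tunable part: a sample that sleeps past the detonation window produces no behaviour at all, so the `suspicious-evasive` verdict exists precisely to stop such a run from being reported as clean.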

Sandboxing vendors are constantly creating new ways to prevent the latest evasions from succeeding and to block the malware from entering the network. However, protections against evasion techniques are themselves often detectable by the malware, and the battle to stay ahead of hackers continues. Once cybercriminals know that they are being watched, no matter how good the traditional sandboxing technology is, there are even smarter cybercriminals working to evade it. Therefore, an even more advanced approach to threat defense is needed.

ANATOMY OF A NON-EXECUTABLE MALWARE ATTACK

Non-executable malware attacks are one of the most effective attack vectors available to cybercriminals because many companies restrict the download of executable files. However, documents such as Microsoft Word, PowerPoint, or Adobe PDF files constantly enter and leave organizations. These formats support dynamic content such as macros and embedded scripts, which can be leveraged to exploit known vulnerabilities. Many targeted and advanced attacks begin with spear phishing to trick the victim into opening a seemingly legitimate document, which then infects the system, and possibly the entire network. As a result, it’s critical to defend against attacks that can be introduced by non-executables.

There are thousands of vulnerabilities found in computer system software, many with patches released but not always applied to all systems. And there are millions of malware variants that are activated from the starting point of these vulnerabilities. The U.S. Air Force defines vulnerabilities in its ‘Three Tenets of Cyber Security’ analysis as the “intersection of three elements: a system susceptibility or flaw, attacker access to the flaw, and attacker capability to exploit the flaw.” [9] With this definition in mind, a typical malware attack involves four stages:

• Finding a vulnerability: Every attack begins by finding one or more vulnerabilities, either in the operating system code or in a popular application such as a browser or a PDF reader. Using those vulnerabilities, cybercriminals have a way to trigger an attack.


• Using an exploit method: Exploits allow the attacker’s injected logic to manipulate the target system and run malicious code. This requires overcoming the built-in security controls implemented by the OS and the CPU, such as Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR). Only a handful of exploitation methods exist, and new ones surface very rarely.
• Running shellcode: Shellcode is a small payload, typically embedded in the file or web page that started the attack. It is responsible for retrieving the actual malware and placing it on the infected system.
• Running the malware: The infection is completed by running the malware. It is at this step that evasion techniques run, preventing the malware from deploying fully in the sandbox.

Advanced sandboxing with CPU-level inspection capabilities detects these exploit methods by carefully examining CPU activity and the execution flow. This inspection is done at the assembly code level, where the exploit occurs, making it virtually impossible for hackers to evade detection: attackers don’t get a chance to deploy any evasion tactics, because detection happens at the exploit stage, before the malware stage at which those tactics run. Speed and accuracy make CPU-level sandboxing the best technology to detect unknown threats, including even zero-day attacks.
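One concrete thing “examining the execution flow” at the assembly level can mean, as an added example that illustrates the idea and is not Check Point’s implementation: return-oriented programming (ROP) is the standard way an exploit gets past DEP, because instead of injecting code it returns into short existing instruction sequences (gadgets) that each end in RET. A monitor that sees every RET can check two things the exploit cannot hide: the return lands at an address no CALL precedes, and RETs arrive only a few instructions apart. The x86 CALL encodings below are the common ones; the code image and both traces are constructed for this example.

```python
"""ROP-chain heuristic over a control-flow trace (added example, not Check
Point's implementation). Two signals: a RET whose target is not preceded by a
CALL, and a run of RETs only a few instructions apart. Image and traces are
constructed for this example."""

# Common x86 CALL encodings: (length, matcher on the bytes before the target).
CALL_FORMS = [
    (5, lambda b: b[0] == 0xE8),                                   # call rel32
    (2, lambda b: b[0] == 0xFF and 0xD0 <= b[1] <= 0xD7),          # call reg
    (3, lambda b: b[0] == 0xFF and 0x50 <= b[1] <= 0x57),          # call [reg+disp8]
    (6, lambda b: b[0] == 0xFF and (b[1] == 0x15 or 0x90 <= b[1] <= 0x97)),  # call [disp32]
]
MAX_GADGET_INSNS = 5   # a RET this soon after the previous one looks like a gadget
CHAIN_THRESHOLD = 3    # consecutive gadget-like RETs before we call it a chain


def call_preceded(image, base, target):
    """True if the bytes just before `target` encode a CALL, i.e. the RET is
    going back to a genuine return address."""
    off = target - base
    for length, match in CALL_FORMS:
        if off - length < 0 or off > len(image):
            continue
        if match(image[off - length:off]):
            return True
    return False


def detect_rop(image, base, rets):
    """rets: [(return_target, instructions_since_previous_ret)] in execution
    order. Reports the longest run of gadget-like returns."""
    run, worst = [], []
    for target, n_insns in rets:
        gadget_like = (not call_preceded(image, base, target)) or n_insns <= MAX_GADGET_INSNS
        run = run + [target] if gadget_like else []
        if len(run) > len(worst):
            worst = run
    return {"rop": len(worst) >= CHAIN_THRESHOLD, "gadgets": [hex(a) for a in worst]}


# Constructed code image at BASE: two real call sites and three gadgets.
BASE = 0x401000
IMAGE = bytearray(0x60)
IMAGE[0x00:0x05] = b"\xE8\x00\x00\x00\x00"   # call rel32  -> return site 0x401005
IMAGE[0x10:0x12] = b"\xFF\xD0"               # call eax    -> return site 0x401012
IMAGE[0x20:0x22] = b"\x58\xC3"               # pop eax ; ret           (gadget)
IMAGE[0x30:0x33] = b"\x5B\x5A\xC3"           # pop ebx ; pop edx ; ret (gadget)
IMAGE[0x40:0x43] = b"\x89\x01\xC3"           # mov [ecx], eax ; ret    (gadget)
IMAGE = bytes(IMAGE)

# Normal execution: functions return to their call sites after real work.
LEGIT_TRACE = [(0x401005, 40), (0x401012, 12), (0x401005, 33)]
# Exploit: the overflowed function "returns" into gadget 1, which returns into
# gadget 2, and so on; none of those targets follows a CALL.
ROP_TRACE = [(0x401005, 40), (0x401020, 9), (0x401030, 2), (0x401040, 3), (0x401005, 25)]

if __name__ == "__main__":
    print("legit:", detect_rop(IMAGE, BASE, LEGIT_TRACE))
    print("rop:  ", detect_rop(IMAGE, BASE, ROP_TRACE))
```

The run threshold is what keeps tiny legitimate functions and unusual control flow (exception unwinding, hand-written assembly) from tripping the check on their own; a production monitor feeds the same logic from the processor's branch-trace records rather than from a hand-built trace.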

CHECK POINT SANDBLAST ZERO-DAY PROTECTION

Organizations not only require an advanced solution against threats, they also need a simple, fast, and fool-proof method of protection. Malware should be eliminated before it ever has the opportunity to reach employees. Check Point SandBlast Zero-Day Protection does just this by eliminating threats using two innovative technologies:

• Advanced sandboxing with deep CPU-level and OS-level inspection, stopping hackers from evading detection and providing the highest catch rate for malware
• Threat Extraction to promptly deliver safe content by providing a reconstructed copy of incoming documents

Deep CPU-level sandboxing detects infection in data files at the exploit phase, while the OS-level inspection detects attacks in both executable and data files alike. Together they deliver the highest catch rate for threats. Threat Extraction capabilities within SandBlast provide immediate protection against zero-day attacks by promptly delivering safe reconstructed copies of incoming documents, while sandboxing completes in the background.
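The “keep the original format, remove active content” form of document reconstruction, as an added example (this is not Check Point’s Threat Extraction code, and the page does not describe how that product does it): a macro-enabled Word file is a zip whose macros live in `word/vbaProject.bin`, wired in through a relationship in `word/_rels/document.xml.rels` and an entry in `[Content_Types].xml`. Dropping those parts together with their relationships and content-type entries, and relabelling the main part, yields a document that Word treats as a plain `.docx`. The part names and content types are the real OOXML ones; the input document is constructed inline.

```python
"""Active-content stripper for Word macro documents (added example, not
Check Point's Threat Extraction). Removes VBA, ActiveX and embedded OLE parts
from a .docm package and relabels it as .docx. Input is constructed below."""
import io
import posixpath
import re
import xml.etree.ElementTree as ET
import zipfile

CT_NS = "http://schemas.openxmlformats.org/package/2006/content-types"
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
VBA_REL = "http://schemas.microsoft.com/office/2006/relationships/vbaProject"
DOCM_MAIN = "application/vnd.ms-word.document.macroEnabled.main+xml"
DOCX_MAIN = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
ACTIVE_CTYPES = {"application/vnd.ms-office.vbaProject",
                 "application/vnd.ms-word.vbaData+xml"}
# Parts that carry executable or dynamic content: VBA, ActiveX, embedded OLE.
ACTIVE_PARTS = re.compile(
    r"^word/(vbaProject\.bin|vbaData\.xml|_rels/vbaProject\.bin\.rels|activeX/.*|embeddings/.*)$")


def part_names(doc):
    return zipfile.ZipFile(io.BytesIO(doc)).namelist()


def read_part(doc, name):
    return zipfile.ZipFile(io.BytesIO(doc)).read(name).decode("utf-8")


def has_active_content(doc):
    return any(ACTIVE_PARTS.match(n) for n in part_names(doc))


def _clean_content_types(xml, removed):
    ET.register_namespace("", CT_NS)
    root = ET.fromstring(xml)
    for el in list(root):
        part = el.get("PartName", "").lstrip("/")
        if part in removed or el.get("ContentType") in ACTIVE_CTYPES:
            root.remove(el)
        elif el.get("ContentType") == DOCM_MAIN:
            el.set("ContentType", DOCX_MAIN)   # relabel: no longer macro-enabled
    return ET.tostring(root, encoding="UTF-8", xml_declaration=True)


def _clean_rels(rels_name, xml, removed):
    # word/_rels/document.xml.rels belongs to word/document.xml, so Targets
    # are relative to word/.
    base = posixpath.dirname(posixpath.dirname(rels_name))
    ET.register_namespace("", REL_NS)
    root = ET.fromstring(xml)
    for el in list(root):
        target = posixpath.normpath(posixpath.join(base, el.get("Target", "")))
        if el.get("Type") == VBA_REL or target in removed:
            root.remove(el)
    return ET.tostring(root, encoding="UTF-8", xml_declaration=True)


def strip_active_content(doc):
    """Return (sanitized_bytes, sorted list of removed part names)."""
    src = zipfile.ZipFile(io.BytesIO(doc))
    removed = {n for n in src.namelist() if ACTIVE_PARTS.match(n)}
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for name in src.namelist():
            if name in removed:
                continue
            data = src.read(name)
            if name == "[Content_Types].xml":
                data = _clean_content_types(data, removed)
            elif name.endswith(".rels"):
                data = _clean_rels(name, data, removed)
            dst.writestr(name, data)
    return out.getvalue(), sorted(removed)


def build_sample_docm():
    """Constructed minimal .docm: not a real Word file, but wired like one."""
    w = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
    parts = {
        "[Content_Types].xml": f'<Types xmlns="{CT_NS}">'
            '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
            '<Default Extension="xml" ContentType="application/xml"/>'
            '<Default Extension="bin" ContentType="application/vnd.ms-office.vbaProject"/>'
            f'<Override PartName="/word/document.xml" ContentType="{DOCM_MAIN}"/>'
            '<Override PartName="/word/vbaData.xml" ContentType="application/vnd.ms-word.vbaData+xml"/>'
            '</Types>',
        "word/document.xml": f'<w:document xmlns:w="{w}"><w:body/></w:document>',
        "word/_rels/document.xml.rels": f'<Relationships xmlns="{REL_NS}">'
            '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>'
            f'<Relationship Id="rId2" Type="{VBA_REL}" Target="vbaProject.bin"/>'
            '</Relationships>',
        "word/vbaProject.bin": b"\xd0\xcf\x11\xe0 constructed OLE stub: Sub AutoOpen()",
        "word/vbaData.xml": '<wne:vbaSuppData xmlns:wne="http://schemas.microsoft.com/office/word/2006/wordml"/>',
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in parts.items():
            zf.writestr(name, body)
    return buf.getvalue()


if __name__ == "__main__":
    clean, removed = strip_active_content(build_sample_docm())
    print("removed:", removed, "still active:", has_active_content(clean))
```

Removing `embeddings/` also discards legitimate embedded objects, which is the trade-off behind delivering a reconstructed copy immediately and letting the full sandbox verdict decide whether the original may follow. The convert-to-PDF path mentioned in the summary is a rendering job and is not shown here.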


MIERCOM TESTING SHOWED THAT CHECK POINT OS-LEVEL THREAT EMULATION WAS ABLE TO IDENTIFY MALWARE AND UPDATE SIGNATURES IN APPROXIMATELY 3 MINUTES

HIGHEST CATCH RATE

Check Point SandBlast Zero-Day Protection has the highest catch rate of malware. To evaluate efficacy and speed, Check Point conducted two tests, Zero Second [10] and Unknown 300 [11] Comparison. These tests stacked the OS-level Threat Emulation capability within SandBlast Zero-Day Protection against OS-level sandbox offerings from other vendors, to determine (a) what percentage of unknown malware was detected; and (b) how long it took. The results:

• Check Point SandBlast OS-level Threat Emulation completed in four minutes with the best catch rate of unknown malware
• Other vendors ranged from eight minutes up to nineteen minutes to complete sandboxing. Their catch rate ranged from 27% to 70% of the unknown malware samples.

An industry assessment from Miercom on Advanced Persistent Threats (APTs) in 2014 found similar results. [12]

Although the conclusion of the evaluations showed that Check Point’s traditional OS-level sandbox techniques were the best, this is a cat-and-mouse game with cybercriminals. No matter how good the traditional sandboxing technology, a smart cybercriminal will find some innovative way to bypass it. To counter such attacks, Check Point SandBlast Zero-Day Protection introduces CPU-level detection for maximum evasion resistance.


SUMMARY: THE BEST PROTECTION AT EVERY LEVEL

Total protection requires more than even next generation firewalls and antivirus. With cybercriminals devising new ways to attack your systems and network, you need a solution that identifies known, unknown, and zero-day threats, all while delivering safe documents to your employees in a timely manner.

The pioneer of Internet security, Check Point innovates again with SandBlast Zero-Day Protection, introducing evasion-resistant CPU-level detection alongside the industry’s best OS-level sandboxing, and combining it with Threat Extraction into an integrated solution.

The core capabilities of SandBlast include:

• Threat Extraction converts reconstructed files to PDF for best security, or keeps the original format while removing active content such as macros and scripts
• Deep malware inspection at the CPU level identifies exploits before they can hide
• Additional sandboxing techniques protect a full range of documents and file types
• Works with existing infrastructure, reducing the need to install new equipment
• Integrated prevention and security management for complete threat visibility
• Automatic sharing of new attack information with Check Point ThreatCloud to block additional occurrences of similar threats at the gateway

It’s time to take threat defense to the next level and protect your business from attacks with a combination of the fastest operating solution and the highest malware catch rate. With the SandBlast Zero-Day Protection solution, your business receives maximum protection promptly, with no disruption to productivity.

FOR MORE INFORMATION ON CHECK POINT SANDBLAST, PLEASE CLICK HERE


REFERENCES

[1] The Truth About Malware. http://www.malwaretruth.com/the-list-of-malware-types/
[2] AV-Test. https://www.av-test.org/en/statistics/malware/
[3] AV-Test. https://www.av-test.org/en/statistics/malware/
[4] Check Point Software Technologies. “2015 Check Point Security Report,” 2015. www.checkpoint.com/resources/2015securityreport/
[5] Internet Live Stats. http://www.internetlivestats.com/one-second/#email-band
[6] Ilyin, Yuri. “Spam and Phishing in Q1, 2015: Banks and Banking Trojans,” Kaspersky Lab Business, June 24, 2015. https://business.kaspersky.com/spam-and-phishing-in-q1-2015-banks-and-banking-trojans/4113/
[7] Check Point Software Technologies. “2015 Check Point Security Report,” 2015. www.checkpoint.com/resources/2015securityreport/
[8] Calhoun, Pat. “A Glimpse at the Latest Sandbox Evasion Techniques,” SecurityWeek, January 15, 2015. http://www.securityweek.com/glimpse-latest-sandbox-evasion-techniques
[9] The Three Tenets of Cyber Security. http://www.spi.dod.mil/tenets.htm
[10] Check Point Software Technologies. “Zero Second Test,” 2014. http://www.checkpoint.com/campaigns/zerosecond/zero_second_white_paper.pdf
[11] Check Point Software Technologies. “Unknown 300,” 2014. http://www.checkpoint.com/resources/300/
[12] Miercom. “Advanced Threat Prevention with Sandbox Analysis,” October 2014. http://www.checkpoint.com/resources/miercom-report/full-miercom-report.pdf


Learn more

At Insight, we’ll help you solve challenges and improve performance with Intelligent Technology Solutions™. Work smarter.