Detection and Analysis of 0-day Threats
Steve Taylor, Principal Software Engineer

1. Detection and Analysis of 0-day Threats
Steve Taylor, Principal Software Engineer

2. Meet the Presenter
Steve Taylor is a Principal Software Engineer at Invincea who helped build the foundation for Invincea's security solution. As an employee since the company's inception, he designed and implemented major portions of the product's core architecture and malware detection engine. The containerization platform he helped develop is currently used by large enterprises to protect against web-based attacks such as spear-phishing. He is named on a provisional patent for his role in building a behavior-based approach to detecting and analyzing threats.

3. Summary
- Anatomy of a breach
- Containment
- Detection
- Analysis
- Demo

4. Invincea Closes the Gap: Incidental Contact and Targeted Attacks (APTs)
- Spear-phishing (95% of all APTs*): links to drive-by downloads; weaponized document attachments
- Watering hole attacks: hijacked, trusted sites; poisoned search engine results
- Malicious websites
- Hijacked legitimate sites (30,000 takeovers daily**)
- Social networking worms
Zero-days and new malware strains target browsers, plug-ins, PDFs and Office documents.
* Both Mandiant and Trend Micro 2013 reports. ** Sophos, June 2013.

5. Most Vulnerable Products 2013
[chart; source: National Vulnerability Database and GFI]

6. Malware Evolution (1980s to 1990s)
[chart: sophistication (low to high) vs. targeting (mass to pinpoint); actors: script kiddies, lone wolves, hacktivists; defense: anti-virus]

7. Malware Evolution (2000s)
[chart, same axes; actors: script kiddies, lone wolves, organized crime, hacktivists, nation states (tier 2), nation states (tier 1); defenses: anti-virus, network sandboxing, white listing]

8. Malware Evolution (circa 2010)
[chart, same axes and actors; defenses: anti-virus, network sandboxing, white listing; threat curve circa 2010]

9. 2014+: Changing Threat Curve
[chart, same axes and actors; defenses: anti-virus, network sandboxing, white listing; threat curve (today)]
Takeaway: less advanced adversaries now have access to very sophisticated malware.

10. New Defenses Are Needed
[chart, same axes and actors; defenses: anti-virus, network sandboxing, white listing, advanced endpoint protection; threat curve (today)]

11. Mapping Enterprise Security Controls to ThreatScape
[chart: controls (training, IAM, antivirus, firewalls, IPS/IPS, patching) mapped against conventional threat and advanced threat]

12. Re-thinking Endpoint Security
DETECTION | PREVENTION | INTELLIGENCE

13. Why Endpoints Are Easy to Exploit: Adobe Acrobat Reader

14. Why Endpoints Are Easy to Exploit: Browser Toolbars & Widgets

15. Why Endpoints Are Easy to Exploit: Browser Plugins

16. Why Endpoints Are Easy to Exploit

17. Using Virtual Container Architecture to Cover the Largest Attack Surfaces
[diagram: Invincea Communications Interface; Secure Virtual Container; Virtual File System; behavioral sensors (process, file, network); Command and Control; forensic data capture]

18. Using Virtual Container Architecture to Cover the Largest Attack Surfaces
Contained threats: attacks against the browser, PDF reader and Office suite are air-locked from the host operating system. Detection, kill and forensic capture occur inside the secure virtual container.
Detection: containerized application behavior is meticulously whitelisted. Any deviation from known behavior is immediately flagged as suspicious. This means no signatures are required, and 0-day threat detection is realized.

19. Using Virtual Container Architecture to Cover the Largest Attack Surfaces
[diagram: malware killed & collected; Virtual File System; IOCs; Command and Control; forensic data capture]

20. Real-time Forensic Data Feeds
Invincea Management Server: virtual appliance, software, physical appliance, hosted.

21. Protecting Against Drive-bys

22. How Detection Works
- Each app has a profile of possible behaviors.
- Behavior that deviates from the expected profile is a likely IOC.
- Malware creates artifacts as it executes, including file system, registry, in-memory and network activity.
- These artifacts are the triggers to start collecting intel and alert the user.

23. Malware-Free Intrusion IOCs
- Unexpected process launches
- Dropping and launching processes
- Code injection into running processes
- Loading modules reflectively in memory
- Loading modules from the network

24. Leveraging Containerization for Behavioral Detection
- Behavioral detection is traditionally tricky: it is hard to define expected behaviors for the entire system.
- Only the behaviors of contained apps need to be mapped.
- The container is a controlled environment with predictable outcomes.

25. The Source of Attack
- Attribute any source website or document.
- Any iframes embedded in the website are traced.
- Links or documents opened in Outlook that lead to a detection are indicators of spear-phishing.

26. Collecting Intel
- All activity from suspect processes is collected: file, registry, network and execution.
- Execution and code injections are traced so that only behaviors stemming from the attack are kept.
- Process and network metadata is gathered.

27. Analyzing the Data
DEMO

28. Questions?
Invincea Research Edition: www.invincea.com/researchedition
Webinar recording: www.invincea.com/2014/12/detection-and-analysis-of-0-day-threats-with-invincea-freespace
Demo request: www.invincea.com/demo

29. #12daysofSploitmas
www.invincea.com/12-days-of-sploitmas
'Tis the season for eggnog, holiday music... and online exploits. Learn about all the ways Invincea has detected and stopped cyber attacks in 2014.

30. Thank you.
Invincea @Invincea
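The whitelist-then-trace approach of slides 22, 23 and 26 (per-app behavior profiles, deviations flagged as IOCs, and the attack's process tree traced so only activity stemming from it is collected), as an added Python example that is not Invincea's code; the profiles, process names and event stream are constructed for illustration.

```python
# Added example, not Invincea's code: a toy version of the container-side behavioral
# detection on slides 22, 23 and 26 of the deck. Profiles and events are constructed.
# Assumed per-app whitelist profiles (expected children and module-load sources).
PROFILES = {
    "acrord32.exe": {"children": set(), "module_sources": {"disk"}},
    "iexplore.exe": {"children": {"flashplayer.exe"}, "module_sources": {"disk"}},
}

# Constructed event stream: (pid, image, event, detail). For "spawn" the detail
# is the child's (pid, image); for "inject" it is the target pid.
EVENTS = [
    (100, "acrord32.exe", "file_write", r"C:\Users\u\report.pdf"),
    (100, "acrord32.exe", "module_load", "memory"),            # reflective load
    (100, "acrord32.exe", "spawn", (200, "cmd.exe")),          # unexpected child
    (200, "cmd.exe", "spawn", (300, "dropper.exe")),
    (300, "dropper.exe", "inject", 999),                       # into explorer.exe
    (999, "explorer.exe", "net_connect", "198.51.100.7:443"),
    (400, "iexplore.exe", "spawn", (401, "flashplayer.exe")),  # whitelisted
]

def find_iocs(events, profiles=PROFILES):
    """Flag behavior that is not on the contained app's whitelist."""
    iocs = []
    for pid, image, kind, detail in events:
        prof = profiles.get(image)  # None for processes that are not contained apps
        if kind == "inject":  # never expected from any process in the container
            iocs.append((pid, f"code injection into pid {detail}"))
        elif prof and kind == "spawn" and detail[1] not in prof["children"]:
            iocs.append((pid, f"unexpected child {detail[1]}"))
        elif prof and kind == "module_load" and detail not in prof["module_sources"]:
            iocs.append((pid, f"module loaded from {detail}"))
    return iocs

def trace_attack(events, root_pid):
    """Follow spawn and injection edges outward from the first suspect process."""
    seen = {root_pid}
    while True:  # grow to a fixed point; the event list is small
        grown = {d[0] if k == "spawn" else d for p, _, k, d in events
                 if p in seen and k in ("spawn", "inject")}
        if grown <= seen:
            return seen
        seen |= grown

def collect_intel(events, profiles=PROFILES):
    """IOCs plus every event from processes stemming from the attack."""
    iocs = find_iocs(events, profiles)
    pids = trace_attack(events, iocs[0][0]) if iocs else set()
    return iocs, [e for e in events if e[0] in pids]
```

Note that the benign iexplore.exe activity is neither flagged nor collected, while the explorer.exe network connection is collected only because injection edges are followed during tracing.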