Website Watering Holes
Presentation on theme: "Website Watering Holes"— Presentation transcript:

Slide1

Website Watering Holes

Endpoints are at risk in numerous ways, especially when social engineering is applied well.

Spear Phishing

Slide2

Statistics show: end users are vulnerable to traditional threats, and especially to advanced attacks. Spear phishing email peaks on weekends.

Slide3

STAYING ONE STEP AHEAD OF ENDPOINT INFILTRATION

Detect and prevent hackers' attempts to infect and commandeer endpoint devices

[Protected] Non-confidential content
©2016 Check Point Software Technologies Ltd.

Slide4

Timing is Everything

The longer an attack goes UNDETECTED, the more time it takes to CONTAIN it. The longer it takes to CONTAIN it, the more it will COST.

$154 per lost record
$3.79M average damage
23% increase from previous year

Source: 2015 Cost of Data Breach Study: Global Analysis, Ponemon Institute

[Restricted] ONLY for designated groups and individuals

Slide5

Cost over Time: the financial impact GROWS dramatically with TIME

Direct loss: $162,000,000
Estimated indirect loss: >$1 Billion

Slide6

What You Really Need to Know

How did it enter?
Has it spread?
Is there business impact?
How do we clean it?
How can I block the attack vector?
How do I mitigate? Who should I notify?
How can I save time responding?
Am I addressing the full scope?

Slide7

Common Approaches to Infection Response: What do you do when you've been breached?

Rely on AV quarantine
  Works only for known malware
  AV will miss all malware elements before the detection
  Data could be stolen before the detection

Re-image the PC
  Does not bring back lost data
  Costly & disruptive procedure
  Will not prevent same malware from getting in again

Traditional forensic analysis
  Forensic data is often long gone
  Forensics skill is a scarce resource
  Too expensive to perform on all events

Slide8

SANDBLAST CLOUD: Eliminate Zero-Day Malware at the Endpoint

1. Web downloads sent to SandBlast cloud
2. Sanitized version delivered promptly
3. Original file emulated in the background

Slide9

Collect Forensics Data and Trigger Report Generation

1. FORENSICS data continuously collected from various OS sensors (Processes, Registry, Files, Network)
2. Analysis automatically TRIGGERED upon detection of network events or AV
3. Advanced ALGORITHMS analyze raw forensics data
4. Digested INCIDENT REPORT sent to SmartEvent

Slide10

From Trigger to Infection: Automatically trace back the infection point

Identify Attack Origin: Chrome exploited while browsing
Exploit Code: Dropper process launched by Chrome
Dropped Malware: Dropper downloads and installs malware
Schedule Execution: Malware registered to launch after boot
Activate Malware: Scheduled task launches after boot
Data Breach: Malware reads sensitive documents
Investigation Trigger: Identify the process that accessed the C&C server

Attack traced even across system boots
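Slides 9 and 10 describe collecting process, registry/task, file and network events and then walking from the C&C trigger back to the origin, across a reboot. The following is an added example, not Check Point's code: it runs that trace over constructed sensor records (process names, pids, the task name and the addresses are all made up).

```python
"""Trace an infection from its C&C trigger back to its origin, across reboots.
Constructed records: Chrome launches a dropper, the dropper installs malware that
registers a scheduled task, the task relaunches it after reboot, it contacts C&C."""
from dataclasses import dataclass
from typing import Optional

@dataclass
class Proc:
    boot: int                      # boot session counter reported by the sensor
    pid: int
    image: str
    parent_pid: Optional[int]      # None when no tracked process started it
    launched_by_task: Optional[str] = None  # scheduled task that started it, if any

# Keyed by (boot, pid) because pids are reused after a reboot. Constructed data.
PROCS = {
    (1, 100): Proc(1, 100, "chrome.exe", None),
    (1, 200): Proc(1, 200, "dropper.exe", 100),
    (1, 300): Proc(1, 300, "svc_update.exe", 200),
    (2, 50): Proc(2, 50, "svc_update.exe", None, launched_by_task="UpdateSvc"),
}
# Task-scheduler/registry events: task name -> (boot, pid) of the registering process.
TASKS = {"UpdateSvc": (1, 300)}
# Network events; the record tagged "cnc" is the trigger (address from a documentation range).
NETWORK = [{"boot": 2, "pid": 50, "dst": "203.0.113.7", "tag": "cnc"}]

def find_trigger(events):
    """Return (boot, pid) of the first process flagged for C&C traffic, or None."""
    for e in events:
        if e["tag"] == "cnc":
            return (e["boot"], e["pid"])
    return None

def trace_back(procs, tasks, start):
    """Follow parent links, and task registrations across reboots, back to the origin."""
    chain, seen, cur = [], set(), start
    while cur in procs and cur not in seen:
        seen.add(cur)
        p = procs[cur]
        chain.append(f"boot{p.boot} {p.image} (pid {p.pid})")
        if p.parent_pid is not None:
            cur = (p.boot, p.parent_pid)
        elif p.launched_by_task in tasks:
            chain.append(f"scheduled task {p.launched_by_task!r} crosses reboot")
            cur = tasks[p.launched_by_task]
        else:
            break
    return chain
```

Reversing the returned chain gives the chronological story the slide tells, from the exploited browser to the C&C connection.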

Slide11

Automated Incident Reporting

Automatically requests logs from involved endpoints and generates a complete view of the attack: malware entry point, scope of damage, other affected hosts / users, attack flow.

Triggers the creation of an incident report through:
  Existing AV products
  Network detections
  Endpoint Anti-bot, Threat Emulation or Anti-malware
  Investigation by IRT looking at related cases

Slide12

Understanding an Incident: Instant Answers to Important Questions

How Serious is This Event?
  Severity
  Malicious and suspicious activities
  Drill-down detail

Slide13

Providing an Infection Timeline: Telling a story

Infection 9:15AM
What happened before?
What happened after?
Are there similar infection attempts in my network?

Slide14

How to protect against WHAT WE DON'T CONTROL?

Slide15

MOBILE DEVICES ARE DIFFICULT TO CONTROL

Mix of personal and business data
Can't install low level protections such as AV
Can't control individuals' behavior

Slide16

THE RESULT: A GROWING MOBILE THREAT LANDSCAPE

mobile devices infected worldwide
of organizations above 2000 employees have an infected mobile device in their network

Slide17

THREAT PREVENTION FOR MOBILE

Let's think different

Slide18

MOBILE APPLICATION ANALYSIS

Dynamic Analysis (Sandboxing)
Advanced Static Code Analysis (Reverse Engineering)

Tracks Device Location
Access Calendar
Access Carrier info
Sends SMS
Access Contacts
Uses Microphone

Slide19

APPLICATION REPUTATION

Should look like:
Developer Certificate
SHA1 Fingerprint: CE23A39F0EA637831D5A13FA3C
Issuer Distinguished Name: OU=Android, O=Citymapper Ltd, L=London, ST=Greater London, C=GB.

Actually looks like:
Developer Certificate
SHA1 Fingerprint: 342A56F9902A384B443E322AD34
Issuer Distinguished Name: OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown.

Number of apps, certificate, download scoring, etc.
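The comparison on this slide turned into a check, as an added example that is not Check Point's code: a pinned developer certificate per package is compared with what an installed app actually presents. The package name and both fingerprints are constructed placeholders; the two issuer DNs are the ones shown on the slide.

```python
"""Flag a mobile app whose developer certificate does not match the pinned one.
Pins (package name, fingerprints) are constructed placeholders; the issuer DNs are
the two from the slide. DN parsing is naive: RFC 4514 escaping is not handled."""

# Constructed reputation record: package -> (expected SHA1 fingerprint, expected issuer DN).
KNOWN_GOOD = {
    "com.example.citymapper": (
        "A1B2C3D4E5F60718293A4B5C6D7E8F9012345678",
        "OU=Android, O=Citymapper Ltd, L=London, ST=Greater London, C=GB.",
    ),
}

def parse_dn(dn: str) -> dict:
    """Turn 'OU=Android, O=Citymapper Ltd, ...' into {'OU': 'Android', 'O': ...}."""
    fields = {}
    for part in dn.rstrip(".").split(","):
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key.strip().upper()] = value.strip()
    return fields

def normalize_fp(fp: str) -> str:
    """Compare fingerprints regardless of case or colon/space separators."""
    return fp.replace(":", "").replace(" ", "").upper()

def assess(package: str, fingerprint: str, issuer_dn: str) -> list:
    """Return findings; an empty list means the certificate matches the pinned one."""
    findings = []
    fields = parse_dn(issuer_dn)
    pin = KNOWN_GOOD.get(package)
    if pin is None:
        findings.append("no reputation record for this package")
    else:
        exp_fp, exp_dn = pin
        if normalize_fp(fingerprint) != normalize_fp(exp_fp):
            findings.append("fingerprint differs from pinned developer certificate")
        expected = parse_dn(exp_dn)
        for key in ("OU", "O", "L", "C"):
            if expected.get(key) != fields.get(key):
                findings.append(f"issuer {key} changed: {expected.get(key)!r} -> {fields.get(key)!r}")
    # All-'Unknown' fields are what keytool fills in when its identity prompts are left blank.
    unknown = [k for k, v in fields.items() if v.lower() == "unknown"]
    if unknown:
        findings.append("issuer DN left at default 'Unknown' values: " + ", ".join(unknown))
    return findings
```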

Slide20

REAL TIME REMEDIATION

On-Device resolution
Block C&C communication
Disconnect from organization network while infected

Slide21

What to do when the unknown BECOMES KNOWN?

Slide22

Staying one step ahead: COLLABORATION WITH MULTIPLE INTELLIGENCE SOURCES

Slide23

WE PROVIDE PROTECTIONS AGAINST NEW THREATS EVERY DAY

10,000,000 Bad-Reputation Events
700,000 Malware Connections Events
30,000 Malware Files Events

Slide24

INTELLIGENCE COLLABORATION

Security Analysis
IntelliStore
Sensors
CERTs
Security Events Analysis
Security Community
Malware Research

Slide25

CHECK POINT: WE SECURE THE FUTURE

Thank You