CHECK POINT SANDBLAST ZERO-DAY PROTECTION: THE BEST PROTECTION AT EVERY LEVEL Check Point SandBlast Zero-Day Protection | White Paper Inspecting files and clearing them before they enter into a network should be a best practice, but is actually relatively recent. Ease of implementation and minimal impact on the user experience; have made sandbox technologies popular among many companies, with more and more considering adding it to their future security strategies. As sandboxing solutions are deployed more widely, cybercriminals continue to develop evasion techniques, sometimes simple and other times intricate, to prevent their malware from being detected. Today, the some of the more common 8 sandbox bypassing techniques include : DOES YOUR SANDBOX: ?Detect AND block attacks? ?Have advanced capabilities such as evasion-resistant protection? ?Provide fast and accurate detection? ?Support inspection of a wide range of file types, including archive files? ?Support web objects such as Flash? ? Delayed launch where the payload has a timer that prevents start of the actual malicious code for minutes/hours from initial opening of the file ? Identifying the sandbox by looking for virtual machine indicators, such as scanning registry keys, running processes, or disk size, and not deploying except on physical devices ? Checking for human interaction activities such as page scrolling, mouse clicks, mouse movement that are difficult to replicate in a virtual environment Sandboxing vendors are constantly creating new ways to prevent the latest evasions from being successful and to block the malware from entering the network. However, protections against evasion techniques are still often detectable by the malware and the battle to stay ahead of hackers continues. Once the cybercriminals know that they are being watched, no matter how good the traditional sandboxing technology is— there are even smarter cybercriminals working to evade it. Therefore, an even more advanced approach to threat defense is needed. ANATOMY OF A NON-EXECUTABLE MALWARE ATTACK Non-executable malware attacks are one of the most effective attack vectors available to cybercriminals because many companies restrict the download of executable files. However, documents such as Microsoft Word, PowerPoint, or Adobe PDF, constantly enter and leave organizations. These formats support dynamic content such as macros and embedded scripts, which can be leveraged to exploit known vulnerabilities. Many targeted and advanced attacks begin with spear phishing to trick the victim into opening a seemingly legitimate document, which then infects the system, and possibly the entire network. As a result, it’s critical to defend against attacks that can be introduced by non-executables. There are thousands of vulnerabilities found in computer system software—many with patches released, but not always applied to all systems. And, there are millions of malware variants that are activated from the starting point of these vulnerabilities. The U.S. Air Force defines vulnerabilities in their ‘Three Tenants of Cyber Security’ analysis: the “intersection of three elements: a system susceptibility or flaw, attacker 9 access to the flaw, and attacker capability to exploit the flaw.” With this definition in mind, a typical malware attack involves four stages: ? Finding a vulnerability: Every attack begins by finding one or more vulnerabilities, either in the operating system code or in a popular application such as a browser or a PDF reader. Using those vulnerabilities, cybercriminals have a way to trigger an attack. ©2015 Check Point Software Technologies Ltd. All rights reserved. [Protected] Non -confidential content October 26, 2015 3 Check Point SandBlast Zero-Day Protection | White Paper ? Using an exploit method: Exploits allow the attacker’s injected logic to manipulate the target system and run malicious code. This requires overcoming the built-in security controls implemented by the OS and the CPU, such as Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR). Only a handful of exploitation methods exist, and new ones surface very rarely. ? Running a shellcode: A shellcode is a small payload, typically embedded in the file or web page which started the attack. Responsible for retrieving the actual malware, the shellcode then places it on the infected system. ? Running the malware: Complete the infection by running the malware. It is at this step where evasion techniques are able to be run, preventing the malware from deploying fully in the sandbox. Advanced sandboxing with CPU-level inspection capabilities detects these exploit methods by carefully examining CPU activity and the execution flow. This inspection is done at the assembly code level where the exploit occurs making it virtually impossible for hackers to evade detection. Attackers don’t have a chance to deploy any evasion tactics. Speed and accuracy makes CPU-level sandboxing the best technology to detect unknown threats, including even zero-day attacks. CHECK POINT SANDBLAST ZERO-DAY PROTECTION Organizations not only require an advanced solution against threats, they also need a simple, fast, and fool-proof method of protection. Malware should be eliminated before it ever has the opportunity to reach employees. Check Point SandBlast Zero-Day Protection does just this by eliminating threats using two innovative technologies: ? Advanced sandboxing with deep CPU-level and OS-level inspection, stopping hackers from evading detection and providing the highest catch rate for malware ? Threat Extraction to promptly deliver safe content by providing a reconstructed copy of incoming documents Deep CPU-level sandboxing detects infection in data files at the exploit phase, while the OS-level inspection detects attacks in both executable and data files alike. Together they deliver the highest catch rate for threats. Threat Extraction capabilities within SandBlast provide immediate protection against zero-day attacks by promptly delivering safe reconstructed copies of incoming documents, while sandboxing can be completed in the background. ©2015 Check Point Software Technologies Ltd. All rights reserved. [Protected] Non -confidential content October 26, 2015 4 Please complete the form to gain access to this content Access Now Related Resources Network Boundaries Have Gone Mobile HOW MOBILE MALWARE COMPROMISES YOUR SECURE CONTAINERS AND ENTERPRISE CONTENT THE TOP 6 CYBER SECURITY THREATS TO IOS DEVICES DEMYSTIFYING MOBILE SECURITY ATTACKS THE TOP 4 CYBER SECURITY THREATS TO ANDROID MOBILE DEVICES 3 STEPS TO IMPLEMENTING AN EFFECTIVE BYOD MOBILE SECURITY STRATEGY EXPOSING THE UNKNOWN: HOW SANDBOXING TECHNOLOGY FIGHTS MODERN THREATS THREAT RESEARCH: TARGETED ATTACKS ON Enterprise ENTERPRISE MOBILE
Check Point SandBlast Zero-Day Protection | White Paper Inspecting files and clearing them before they enter into a network should be a best practice, but is actually relatively recent. Ease of implementation and minimal impact on the user experience; have made sandbox technologies popular among many companies, with more and more considering adding it to their future security strategies. As sandboxing solutions are deployed more widely, cybercriminals continue to develop evasion techniques, sometimes simple and other times intricate, to prevent their malware from being detected. Today, the some of the more common 8 sandbox bypassing techniques include : DOES YOUR SANDBOX: ?Detect AND block attacks? ?Have advanced capabilities such as evasion-resistant protection? ?Provide fast and accurate detection? ?Support inspection of a wide range of file types, including archive files? ?Support web objects such as Flash? ? Delayed launch where the payload has a timer that prevents start of the actual malicious code for minutes/hours from initial opening of the file ? Identifying the sandbox by looking for virtual machine indicators, such as scanning registry keys, running processes, or disk size, and not deploying except on physical devices ? Checking for human interaction activities such as page scrolling, mouse clicks, mouse movement that are difficult to replicate in a virtual environment Sandboxing vendors are constantly creating new ways to prevent the latest evasions from being successful and to block the malware from entering the network. However, protections against evasion techniques are still often detectable by the malware and the battle to stay ahead of hackers continues. Once the cybercriminals know that they are being watched, no matter how good the traditional sandboxing technology is— there are even smarter cybercriminals working to evade it. Therefore, an even more advanced approach to threat defense is needed. ANATOMY OF A NON-EXECUTABLE MALWARE ATTACK Non-executable malware attacks are one of the most effective attack vectors available to cybercriminals because many companies restrict the download of executable files. However, documents such as Microsoft Word, PowerPoint, or Adobe PDF, constantly enter and leave organizations. These formats support dynamic content such as macros and embedded scripts, which can be leveraged to exploit known vulnerabilities. Many targeted and advanced attacks begin with spear phishing to trick the victim into opening a seemingly legitimate document, which then infects the system, and possibly the entire network. As a result, it’s critical to defend against attacks that can be introduced by non-executables. There are thousands of vulnerabilities found in computer system software—many with patches released, but not always applied to all systems. And, there are millions of malware variants that are activated from the starting point of these vulnerabilities. The U.S. Air Force defines vulnerabilities in their ‘Three Tenants of Cyber Security’ analysis: the “intersection of three elements: a system susceptibility or flaw, attacker 9 access to the flaw, and attacker capability to exploit the flaw.” With this definition in mind, a typical malware attack involves four stages: ? Finding a vulnerability: Every attack begins by finding one or more vulnerabilities, either in the operating system code or in a popular application such as a browser or a PDF reader. Using those vulnerabilities, cybercriminals have a way to trigger an attack. ©2015 Check Point Software Technologies Ltd. All rights reserved. [Protected] Non -confidential content October 26, 2015 3 Check Point SandBlast Zero-Day Protection | White Paper ? Using an exploit method: Exploits allow the attacker’s injected logic to manipulate the target system and run malicious code. This requires overcoming the built-in security controls implemented by the OS and the CPU, such as Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR). Only a handful of exploitation methods exist, and new ones surface very rarely. ? Running a shellcode: A shellcode is a small payload, typically embedded in the file or web page which started the attack. Responsible for retrieving the actual malware, the shellcode then places it on the infected system. ? Running the malware: Complete the infection by running the malware. It is at this step where evasion techniques are able to be run, preventing the malware from deploying fully in the sandbox. Advanced sandboxing with CPU-level inspection capabilities detects these exploit methods by carefully examining CPU activity and the execution flow. This inspection is done at the assembly code level where the exploit occurs making it virtually impossible for hackers to evade detection. Attackers don’t have a chance to deploy any evasion tactics. Speed and accuracy makes CPU-level sandboxing the best technology to detect unknown threats, including even zero-day attacks. CHECK POINT SANDBLAST ZERO-DAY PROTECTION Organizations not only require an advanced solution against threats, they also need a simple, fast, and fool-proof method of protection. Malware should be eliminated before it ever has the opportunity to reach employees. Check Point SandBlast Zero-Day Protection does just this by eliminating threats using two innovative technologies: ? Advanced sandboxing with deep CPU-level and OS-level inspection, stopping hackers from evading detection and providing the highest catch rate for malware ? Threat Extraction to promptly deliver safe content by providing a reconstructed copy of incoming documents Deep CPU-level sandboxing detects infection in data files at the exploit phase, while the OS-level inspection detects attacks in both executable and data files alike. Together they deliver the highest catch rate for threats. Threat Extraction capabilities within SandBlast provide immediate protection against zero-day attacks by promptly delivering safe reconstructed copies of incoming documents, while sandboxing can be completed in the background. ©2015 Check Point Software Technologies Ltd. All rights reserved. [Protected] Non -confidential content October 26, 2015 4
