CHECK POINT SANDBLAST ZERO-DAY PROTECTION: THE BEST PROTECTION AT EVERY LEVEL
THE RISE OF KNOWN AND UNKNOWN MALWARE
Malware. It’s a term that is getting a lot of attention in today’s connected world from reporters, business owners, and IT experts. In the network security world, malware is malicious software that falls into one of these categories: adware, spyware, virus, worm, Trojan, rootkit, backdoor, keylogger, ransomware, and browser hijacker. While different types of malware affect systems differently, they often share common objectives, whether that is to steal sensitive data, gain access to unauthorized applications or privileges, and/or disrupt business. In early 2014, news organizations around the world hailed 2013 as the ‘Year of Breaches’. That was until 2014 came to a close. According to a January 2015 report from AV-Test, an independent IT security research firm, malware incidents increased 72% between 2013 and 2014. More malware was found in the past two years than in the previous 10 years combined.
Malware complexity is increasing as cybercriminals refine their intrusion techniques, masking malware signatures and varying attack methods. Hardest to stop are what we call zero-day attacks, which exploit previously unknown vulnerabilities, as well as new variants of existing malware that have not yet been seen. Because antivirus products typically neither recognize nor catch new or unknown malware, this malware often bypasses even the most up-to-date antivirus and intrusion prevention protections. According to the 2015 Check Point Annual Security Report, the rate of unknown malware downloads jumped from 2.2 per hour in 2013 to 106 per hour in 2014.
SECURITY APPROACHES TO ZERO-DAY ATTACKS
According to Internet Live Stats, more than 2.4 million emails are sent every second. In the first 3 months of 2015 alone, about 59.2% of these emails were spam. With email attachments becoming the preferred method to transfer files, and with the false belief many hold that email attachments from known senders in their inbox are safe to open, the inbox is a prime target for attacks. The old prescription for scanning email used to be: install a good antivirus program, keep it up to date, and avoid suspicious-looking files and sites. Unfortunately, that sage advice in today’s world is necessary—but not sufficient—to protect against modern malware.
Malware can hide in executables, in regular documents, and in web pages. The dangers of attacks embedded in executables have been well publicized for many years. Because of this awareness, the majority of users delete emails with executable attachments. In addition, many organizations have network security policies that strip executable attachments from emails. The latest attacks are through seemingly safe documents, containing active elements such as macros, dynamic objects and scripts, making them much more likely to be opened. Therefore, documents now pose one of the greatest risks to organizations today.
In 2014, 86% of organizations accessed a malicious website and 63% of organizations downloaded a malicious file. From human resources to purchasing and beyond, employees must routinely open documents from job applicants, customers, and vendors, and risk exposing their companies to malware embedded inside them.
Sandboxing is a commonly used method for catching these newer malware types. Sandboxes pre-screen files before they enter your network by emulating a standard operating system (OS) in a restricted environment—safely isolated from your production network. Stimulating an untested file in various ways, as if an actual user opened it, the system then monitors for behavior beyond what is normally expected. By combining up-to-date antivirus, along with behavioral analysis and static analysis, sandboxing provides solid protection against potentially malicious executables. The traditional sandbox performs the behavioral analysis as a run-time test while the static analysis deep scans the code constructs within the executable.
Key factors to consider in selecting a good sandbox include:
- Detection and blocking of attacks
- Evasion resistance
- Fast and accurate detection
- Support for common file types
- Support for web objects such as Flash
Scanning the widest array of file types (.doc, .xls, .ppt, .pdf, .exe, .zip, .rar, etc.), including archive files, increases a security layer’s malicious content catch rate. If your current sandbox solution only addresses a limited set of file types, you are potentially at risk, because cybercriminals embed malware into all types of transport files. When complemented with a mail transfer agent (MTA), the threat prevention process holds the email in transit, and even modifies it, until sandboxing is complete. Thus it prevents malware from crossing the network boundary and ever reaching the end user.
Inspecting files and clearing them before they enter a network should be a best practice, but is actually a relatively recent one. Ease of implementation and minimal impact on the user experience have made sandbox technologies popular among many companies, with more and more considering adding them to their future security strategies. As sandboxing solutions are deployed more widely, cybercriminals continue to develop evasion techniques, sometimes simple and other times intricate, to prevent their malware from being detected. Today, some of the more common sandbox bypassing techniques include:
- Delayed launch, where the payload has a timer that prevents the actual malicious code from starting for minutes or hours after the file is first opened
- Identifying the sandbox by looking for virtual machine indicators, such as registry keys, running processes, or disk size, and deploying only on physical devices
- Checking for human interaction, such as page scrolling, mouse clicks, and mouse movement, which is difficult to replicate in a virtual environment
Sandboxing vendors are constantly creating new ways to prevent the latest evasions from being successful and to block the malware from entering the network. However, protections against evasion techniques are themselves often detectable by the malware, and the battle to stay ahead of hackers continues. Once cybercriminals know that they are being watched, no matter how good the traditional sandboxing technology is—there are even smarter cybercriminals working to evade it. Therefore, an even more advanced approach to threat defense is needed.
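As an added example (not part of the Check Point paper and not Check Point's code), here is a defender-side heuristic that scores a sandbox behaviour trace for the three evasion patterns listed above: delayed launch, virtual-machine fingerprinting, and polling for human interaction. The trace format, the Windows API names chosen as signals, the thresholds and the sample trace lines are all assumptions constructed for this example.

```python
import re
from collections import Counter

# Hypothetical trace format, one API call per line: "<ms since start> <Api>(<args>)".
TRACE_RE = re.compile(r"^(?P<t>\d+)\s+(?P<api>\w+)\((?P<args>.*)\)$")

# API names used as signals for each evasion class (illustrative, not exhaustive).
SLEEP_APIS = {"Sleep", "SleepEx", "NtDelayExecution", "WaitForSingleObject"}
FINGERPRINT_APIS = {"RegOpenKeyExW", "RegQueryValueExW", "Process32NextW",
                    "GetDiskFreeSpaceExW", "DeviceIoControl"}
VM_STRINGS = ("vbox", "virtualbox", "vmware", "qemu", "xen", "hyper-v")
INTERACTION_APIS = {"GetCursorPos", "GetAsyncKeyState", "GetLastInputInfo"}

LONG_DELAY_MS = 60_000   # a minute or more of requested sleep ("minutes/hours" above)
POLL_THRESHOLD = 3       # repeated input polling, not one incidental call


def parse_trace(lines):
    """Turn trace lines into (time_ms, api, args) tuples; malformed lines are skipped."""
    calls = []
    for line in lines:
        m = TRACE_RE.match(line.strip())
        if m:
            calls.append((int(m["t"]), m["api"], m["args"]))
    return calls


def evasion_indicators(lines):
    """Map each evasion class to its evidence; an empty dict means nothing was seen."""
    calls = parse_trace(lines)
    findings = {}

    # 1. Delayed launch: sum the timeouts the sample asked for.
    delay_ms = 0
    for _, api, args in calls:
        if api in SLEEP_APIS:
            nums = re.findall(r"\d+", args)
            delay_ms += int(nums[-1]) if nums else 0   # timeout is the last numeric argument
    if delay_ms >= LONG_DELAY_MS:
        findings["delayed_launch"] = f"{delay_ms} ms of requested delay"

    # 2. VM fingerprinting: registry/process lookups naming a hypervisor, or any disk-size query.
    hits = [f"{api}({args})" for _, api, args in calls
            if api in FINGERPRINT_APIS
            and (api == "GetDiskFreeSpaceExW" or any(s in args.lower() for s in VM_STRINGS))]
    if hits:
        findings["vm_fingerprinting"] = hits

    # 3. Human-interaction checks: repeated polling of mouse or keyboard state.
    polls = Counter(api for _, api, _ in calls if api in INTERACTION_APIS)
    if sum(polls.values()) >= POLL_THRESHOLD:
        findings["interaction_check"] = dict(polls)

    return findings


# Constructed sample traces (not real captures).
SAMPLE_TRACE = [
    "0 CreateFileW(C:\\Users\\u\\invoice.doc)",
    "12 RegOpenKeyExW(HKLM\\SOFTWARE\\Oracle\\VirtualBox Guest Additions)",
    "15 GetDiskFreeSpaceExW(C:\\)",
    "20 GetCursorPos()",
    "520 GetCursorPos()",
    "1020 GetCursorPos()",
    "1030 Sleep(120000)",
    "121030 InternetOpenUrlW(http://example.invalid/stage2)",
]
BENIGN_TRACE = [
    "0 CreateFileW(C:\\Users\\u\\report.docx)",
    "5 GetCursorPos()",
    "10 Sleep(500)",
]

if __name__ == "__main__":
    for name, trace in (("sample", SAMPLE_TRACE), ("benign", BENIGN_TRACE)):
        print(name, evasion_indicators(trace))
```

The point of the heuristic is the one the paragraph makes: the evasions leave their own footprint in the trace. A sample that sleeps for two minutes, queries a hypervisor registry key and polls the cursor three times before doing anything else is itself suspicious, so a sandbox can flag dwell-and-probe behaviour even when the payload never runs.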
ANATOMY OF A NON-EXECUTABLE MALWARE ATTACK
Non-executable malware attacks are one of the most effective attack vectors available to cybercriminals because many companies restrict the download of executable files. However, documents such as Microsoft Word, PowerPoint, or Adobe PDF, constantly enter and leave organizations. These formats support dynamic content such as macros and embedded scripts, which can be leveraged to exploit known vulnerabilities. Many targeted and advanced attacks begin with spear phishing to trick the victim into opening a seemingly legitimate document, which then infects the system, and possibly the entire network. As a result, it’s critical to defend against attacks that can be introduced by non-executables.
There are thousands of vulnerabilities found in computer system software—many with patches released, but not always applied to all systems. And there are millions of malware variants that are activated from the starting point of these vulnerabilities. The U.S. Air Force defines vulnerabilities in its ‘Three Tenets of Cyber Security’ analysis as the “intersection of three elements: a system susceptibility or flaw, attacker access to the flaw, and attacker capability to exploit the flaw.” With this definition in mind, a typical malware attack involves four stages:
- Finding a vulnerability: Every attack begins by finding one or more vulnerabilities, either in the operating system code or in a popular application such as a browser or a PDF reader. Using those vulnerabilities, cybercriminals have a way to trigger an attack.
- Using an exploit method: Exploits allow the attacker’s injected logic to manipulate the target system and run malicious code. This requires overcoming the built-in security controls implemented by the OS and the CPU, such as Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR). Only a handful of exploitation methods exist, and new ones surface very rarely.
- Running a shellcode: A shellcode is a small payload, typically embedded in the file or web page which started the attack. Responsible for retrieving the actual malware, the shellcode then places it on the infected system.
- Running the malware: The infection is completed by running the malware. It is at this step that evasion techniques run, preventing the malware from deploying fully in the sandbox.
Advanced sandboxing with CPU-level inspection capabilities detects these exploit methods by carefully examining CPU activity and the execution flow. This inspection is done at the assembly code level where the exploit occurs, making it virtually impossible for hackers to evade detection. Attackers don’t have a chance to deploy any evasion tactics. Speed and accuracy make CPU-level sandboxing the best technology to detect unknown threats, including even zero-day attacks.
CHECK POINT SANDBLAST ZERO-DAY PROTECTION
Organizations not only require an advanced solution against threats, they also need a simple, fast, and fool-proof method of protection. Malware should be eliminated before it ever has the opportunity to reach employees. Check Point SandBlast Zero-Day Protection does just this by eliminating threats using two innovative technologies:
- Advanced sandboxing with deep CPU-level and OS-level inspection, stopping hackers from evading detection and providing the highest catch rate for malware
- Threat Extraction to promptly deliver safe content by providing a reconstructed copy of incoming documents
Deep CPU-level sandboxing detects infection in data files at the exploit phase, while the OS-level inspection detects attacks in both executable and data files alike. Together they deliver the highest catch rate for threats. Threat Extraction capabilities within SandBlast provide immediate protection against zero-day attacks by promptly delivering safe reconstructed copies of incoming documents, while sandboxing can be completed in the background.
HIGHEST CATCH RATE
Check Point SandBlast Zero-Day Protection has the highest catch rate of malware. To evaluate efficacy and speed, Check Point conducted two tests—the Zero Second and Unknown 300 Comparison tests. These tests stacked the OS-level Threat Emulation capability within SandBlast Zero-Day Protection against OS-level sandbox offerings from other vendors, to determine (a) what percentage of unknown malware was detected; and (b) how long it took. The results:
Check Point SandBlast OS-level Threat Emulation completed in four minutes with the best catch rate of unknown malware. Other vendors ranged from eight minutes up to nineteen minutes to complete sandboxing. Their catch rate ranged from 27% to 70% of the unknown malware samples.
Although the evaluations concluded that Check Point’s traditional OS-level sandbox techniques were the best, this is a cat-and-mouse game with cybercriminals. No matter how good the traditional sandboxing technology, a smart cybercriminal will find some innovative way to bypass it. To counter such attacks, Check Point SandBlast Zero-Day Protection introduces CPU-level detection for maximum evasion resistance.
SUMMARY: THE BEST PROTECTION AT EVERY LEVEL
Total protection requires more than even next generation firewalls and antivirus. With cybercriminals devising new ways to attack your systems and network, you need a solution that identifies known, unknown, and zero-day threats—all while delivering safe documents to your employees in a timely manner.
The pioneer of Internet Security, Check Point innovates again with SandBlast Zero-Day Protection, introducing evasion resistant CPU-level detection alongside the industry’s best OS-level sandboxing, and combining it with Threat Extraction into an integrated solution.
The core capabilities of SandBlast include:
- Threat Extraction converts reconstructed files to PDF for best security, or keeps the original format while removing active content such as macros and scripts
- Deep malware inspection at the CPU level identifies exploits before they can hide
- Additional sandboxing techniques protect a full range of documents and file types
- Works with existing infrastructure, reducing the need to install new equipment
- Integrated prevention and security management for complete threat visibility
- Automatic sharing of new attack information with Check Point ThreatCloud to block additional occurrences of similar threats at the gateway
It’s time to take threat defense to the next level and protect your business from attacks with a combination of the fastest operating solution with the highest malware catch rate. With our SandBlast Zero-Day Protection Solution, your business receives maximum protection promptly—with no disruption to productivity.
PT. Virtus Technology Indonesia
(a Member of CTI Group)
Centennial Tower 12th Floor
Jl. Jend. Gatot Subroto Kav. 24-25
Jakarta, 12930, Indonesia
Phone: +6221 80622288
Fax: +6221 80622289