Webinar: Why Evasive Zero-day Attacks Are Killing Traditional Sandboxing

©2016. CYREN Ltd. All Rights Reserved. This document and the contents therein are the sole property of CYREN and may not be transmitted or reproduced without CYREN’s express written permission.

Richard Stiennon, IT-Harvest
Lior Kohavi, Cyren

Uploaded by cyren-inc, posted 06-Apr-2017


TRANSCRIPT

Page 1

Why Evasive Zero-day Attacks Are Killing Traditional Sandboxing
Richard Stiennon, IT-Harvest
Lior Kohavi, Cyren

Page 2

Today’s Speakers

Richard Stiennon, Chief Research Analyst, IT-Harvest
Lior Kohavi, Chief Technology Officer, Cyren

Page 3

Agenda

• Trends in zero-day attacks
• The next generation of zero-day threat defense
• Q&A

Page 4

Threatscape 2016

Richard Stiennon, Chief Research Analyst, IT-Harvest
Blog: www.csoonline.com/blog/stiennons-security-scorecard
twitter.com/cyberwar

Page 5

[Timeline graphic: 2010 to 20??]

Page 6

Malware at the Root of Most Threats

• APT (espionage)
• Botnets (spam, DDoS)
• Droppers (data theft, ransomware)
• Worms (sabotage)
• Backdoors (surveillance)

Page 7

Targeting of High Value Data

• Adversary knows what they want
• Where it is
• Who has it
• Will stop at nothing

Page 8

Starting in 2000 and persisting for at least ten years: “over the years [Chinese hackers] downloaded technical papers, research-and-development reports, business plans, employee emails and other documents”

Page 9

Compromised Designs include:
• The advanced Patriot missile system (PAC-3)
• The Terminal High Altitude Area Defense (THAAD)
• Navy’s Aegis ballistic-missile defense system
• F/A-18 fighter jet
• V-22 Osprey
• Black Hawk helicopter
• Littoral Combat Ship
• F-35 Joint Strike Fighter

Page 10

The RSA Attack, March 2011

A persistent, relentless drive to capture SecurID seeds.

Page 11

But Don’t Worry

“…at this time we are confident that the information extracted does not enable a successful direct attack on any of our RSA SecurID customers”

Source: Open Letter, http://www.sec.gov/Archives/edgar/data/790070/000119312511070159/dex991.htm

Page 12

Lockheed Martin, May 2011

• Tracking the same campaign for over a year
• Saw the escalation
• Cut off all access via RSA SecurID tokens

Page 13

• Combine capabilities and existing presence with ransomware and you get a recipe for disaster.

• From precision to scatter shot. Advanced targeting techniques now applied to mass market.

Page 14

Whaling

• From October 2013 through February 2016, law enforcement received reports from 17,642 victims.
• This amounted to more than $2.3 billion in losses.
• Since January 2015, the FBI has seen a 270 percent increase in identified victims and exposed loss.
• One company lost $100 million

Page 15

Cyber sabotage: Stuxnet

[Diagram: Step 7 software; rootkit DLL and original DLL (s7otbxdx.dll, s7otbxsx.dll); Siemens Programmable Logic Controller; new data blocks added]

Page 16

BlackEnergy Targets ICS

Vulnerable systems:
• GE Cimplicity
• Advantech/Broadwin WebAccess
• Siemens WinCC

Page 17

Page 18

Page 19

Sandboxes are required for zero day defense.

But how do you know you have the right sandbox?
• Technology is moving too fast
• Attackers are evading sandboxes.

Detonation Chamber
Multiple environments
• Emulation
• VM
• Full application stack

Page 20

It is going to get much worse

X-47B makes first flight from aircraft carrier

• Autonomous code will shorten possible response time from minutes/hours to seconds.
• Prevention is going to be the only line of defense.

Page 21

Richard Stiennon, Chief Research Analyst, IT-Harvest
[email protected]
Forbes Cyber Domain
twitter.com/stiennon

Page 22

Agenda

• Trends in zero-day attacks
• The next generation of zero-day threat defense
• Q&A

Page 23

Cyren sees a huge volume of threat traffic

Page 24

But malware is becoming smarter

Methods to defeat anti-malware tools
• Polymorphism
• Encryption
• Droppers
• Packers

Methods to evade sandboxes
• Delayed Activation
  • Out-wait the sandbox
• Sandbox Detection
  • Identify files or registry keys that indicate a virtual environment
• Human Interaction
  • Look for human activity such as mouse movement, page scrolling

Page 25

Hyper-evasive malware is killing sandboxing

1. Attackers exploit limited CPU cycles of appliances
  • First generation sandboxes limited by time and processing power
2. Attackers know that every sandbox has limitations
  • Some sandboxes are more effective at OS and registry analysis, others at network behavior, etc.
3. Sandboxing is only one technique
  • Effective threat detection requires multiple techniques

Page 26

Cyren’s vision for zero-day threat defense

1. Cloud-based
  • Cloud-scale compute resources
  • Massive visibility to the Internet threat environment (size matters)
2. Multi-layer
  • Sandboxing
  • Reputation
3. Multiple different types of sandboxes

Page 27

Cyren’s multi-layered security engine

URL Filtering
• 64 URL categories
• Zero-hour malware, phishing, C&C

Dynamic Web Reputation
• Risk calculation
• URL, IP, Host, Domain, ASN
• Big data analytics

Anti-Malware
• Signature and algorithmic scanning
• Heuristics and emulation
• Leverage email outbreak visibility

Cloud Sandbox Array
• Multiple sandboxes
• Recursive analysis

(The layers span the range from Known Threats to Unknown Threats)

Page 28

Dynamic Web Reputation Analysis – How it works

[Entity-relationship diagram: Host1, Host2, Host3; Domain1, Domain2, Domain3; IP1, IP2; NS; BGP1, BGP2; ASN; Registrant]

Reputation: a score (0-100) representing the likelihood of an accessed URL being malicious. The higher the score, the greater the probability that the URL is malicious.

Goal: calculate the reputation for known and unknown accessed URL/Host/Domain/IP.

Reputation calculation is based on relations between entities: Files, URLs, Hosts, IPs, Domains, Registrants, ASN.
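The relation-based scoring this slide describes, carried through as an added example (not Cyren's algorithm or data): a small entity graph of URLs, hosts, domains, IPs, a registrant and an ASN is built from constructed edges, a few known verdicts are fixed as seeds, and every other node is scored by repeatedly averaging its neighbours' scores weighted by relation type, on the slide's 0-100 scale where higher means more likely malicious. The relation weights, the `.test` names and RFC 5737 addresses, the private-use ASN and the seed verdicts are all assumptions for the example.

```python
"""Relation-based web reputation over a small entity graph (constructed example).

Nodes are URLs, hosts, domains, IPs, a registrant and an ASN; edges are the
relations between them, weighted by how strongly each relation should carry
reputation.  Known verdicts are fixed seeds; every other node is scored by
repeatedly averaging its neighbours' scores until the values settle.  Scores
are 0-100, higher = more likely malicious.  Weights, infrastructure and seed
verdicts are made up here and are not a vendor's data or algorithm.
"""
from collections import defaultdict

# Constructed relation weights: how much a neighbour's score should count.
RELATION_WEIGHT = {
    "url_on_host": 1.0,           # a URL inherits almost everything from its host
    "host_in_domain": 0.8,
    "host_resolves_to_ip": 0.7,
    "domain_registered_by": 0.5,
    "ip_announced_by_asn": 0.2,   # a shared ASN is weak evidence on its own
}

# Constructed infrastructure: .test names, RFC 5737 addresses, a private-use ASN.
EDGES = [
    ("url:http://cdn-update.example-bad.test/payload.exe", "url_on_host", "host:cdn-update.example-bad.test"),
    ("url:http://cdn-update.example-bad.test/login.php", "url_on_host", "host:cdn-update.example-bad.test"),
    ("host:cdn-update.example-bad.test", "host_in_domain", "domain:example-bad.test"),
    ("host:cdn-update.example-bad.test", "host_resolves_to_ip", "ip:203.0.113.7"),
    ("domain:example-bad.test", "domain_registered_by", "registrant:REG-CONSTRUCTED-1"),
    ("ip:203.0.113.7", "ip_announced_by_asn", "asn:AS64496"),
    # a site never seen before that shares the bad site's IP and registrant
    ("url:http://files.newly-seen.test/doc.pdf", "url_on_host", "host:files.newly-seen.test"),
    ("host:files.newly-seen.test", "host_in_domain", "domain:newly-seen.test"),
    ("host:files.newly-seen.test", "host_resolves_to_ip", "ip:203.0.113.7"),
    ("domain:newly-seen.test", "domain_registered_by", "registrant:REG-CONSTRUCTED-1"),
    # a clean site that only shares the ASN with the bad IP
    ("url:https://www.example-good.test/index.html", "url_on_host", "host:www.example-good.test"),
    ("url:https://www.example-good.test/about.html", "url_on_host", "host:www.example-good.test"),
    ("host:www.example-good.test", "host_in_domain", "domain:example-good.test"),
    ("host:www.example-good.test", "host_resolves_to_ip", "ip:198.51.100.20"),
    ("ip:198.51.100.20", "ip_announced_by_asn", "asn:AS64496"),
]

# Constructed known verdicts, as the detection layers (sandbox, outbreak detection) would supply.
SEEDS = {
    "url:http://cdn-update.example-bad.test/payload.exe": 95.0,
    "ip:203.0.113.7": 90.0,
    "url:https://www.example-good.test/index.html": 5.0,
    "domain:example-good.test": 5.0,
}


def build_graph(edges):
    """Undirected adjacency list: node -> [(neighbour, weight), ...]."""
    graph = defaultdict(list)
    for a, relation, b in edges:
        weight = RELATION_WEIGHT[relation]
        graph[a].append((b, weight))
        graph[b].append((a, weight))
    return graph


def propagate(graph, seeds, rounds=100, prior=50.0):
    """Fixed-seed label propagation; unknown nodes start at the neutral prior."""
    scores = {node: seeds.get(node, prior) for node in graph}
    for _ in range(rounds):
        updated = {}
        for node, neighbours in graph.items():
            if node in seeds:
                updated[node] = seeds[node]          # known verdicts never move
                continue
            total_weight = sum(w for _, w in neighbours)
            weighted_sum = sum(scores[n] * w for n, w in neighbours)
            updated[node] = weighted_sum / total_weight
        scores = updated
    return {node: round(s, 1) for node, s in scores.items()}


def reputation_scores():
    """Score every entity in the constructed graph."""
    return propagate(build_graph(EDGES), SEEDS)
```

A URL never seen before ends up high or low purely from what it shares with scored entities: `files.newly-seen.test` inherits a bad score through its IP and registrant, while a shared ASN alone leaves `AS64496` near the middle, which is why that relation carries the lowest weight. A production system would learn the weights from labelled data and refresh the seeds continuously from the detection layers.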

Page 29

Dynamic Reputation Sources

Cyren GlobalView Security Cloud
• Half million points of presence
• Unified cloud, 19 DCs worldwide

Industry’s largest security database
• 17B transactions daily
• 130M threats blocked daily
• 600M users protected

Fastest reaction time
• Threats identified and blocked inside of 5-15 seconds

Sources: Web Reputation, Anti-Malware, Virus Outbreak Detection, Sandbox Array, Link Monitor, URL Filtering, IP Reputation, Anti-Spam

Page 30

Cloud Sandbox Array – How it Works

[Pipeline diagram]
Inputs: Windows EXE, MS Office, PDFs, Flash files, Scripts, Images, ZIP files
Pre-processing → Static Analysis → Run-time Environment Selection → Dynamic Analysis → OS Risk Evaluation / Network Risk Evaluation → Risk scoring → Post-processing
Dynamic analysis environments: Sandbox 1 (OS A, Browser G, Environment S), Sandbox 2 (OS B, Browser H, Environment T), ... Sandbox n (OS n, Browser n, Environment n)
Outcomes: Not Malicious / Malicious; Re-escalation back into the array
Reporting, Incident management, GlobalView Intelligence
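How an array like the one on this slide can turn the evasion behaviours listed on slide 24 (delayed activation, sandbox detection, waiting for human interaction) into a reason to re-escalate, as an added example rather than Cyren's code: a sample is typed during pre-processing, routed to the environments registered for that type, and the API trace from each run is checked for evasion indicators and scored for OS and network risk; a run that looks quiet but evasive is not accepted as a clean verdict, and the sample moves on to the next environment type, which is the point of slide 26's "multiple different types of sandboxes". The environment names, the per-environment traces (standing in for real sandbox output), the marker strings, thresholds and weights are constructed, and the third verdict, "Suspicious", for a sample that stays evasive in every environment is this example's own addition to the slide's Malicious / Not Malicious outcomes.

```python
"""Evasion-aware routing through an array of differently built sandboxes.

Constructed illustration: pre-processing types the sample, run-time environment
selection picks the sandboxes for that type, each run's API trace is checked for
the slide-24 evasion behaviours and scored for OS and network risk, and a quiet
but evasive run is re-escalated to the next environment type.  Environments,
traces, markers, thresholds and weights are made up; none is a vendor's code.
"""

# Escalation order per file type: cheapest environment first, hardest-to-evade last.
ENVIRONMENTS = {
    "exe": ["vm-win-a", "vm-win-b", "emulator"],
    "pdf": ["vm-reader", "emulator"],
    "script": ["vm-win-a", "emulator"],
}
SLEEP_LIMIT_MS = 60_000                               # longer sleeps count as out-waiting us
VM_MARKERS = ("vbox", "vmware", "qemu", "virtual")    # constructed marker substrings


def identify(sample: bytes) -> str:
    """Pre-processing: type the sample from its leading bytes (minimal set)."""
    if sample.startswith(b"MZ"):
        return "exe"
    if sample.startswith(b"%PDF"):
        return "pdf"
    return "script"


def evasion_indicators(trace):
    """Flag delayed activation, VM probing and waiting for a user in an API trace."""
    flags = set()
    polls = [ev for ev in trace if ev["api"] == "GetCursorPos"]
    if len(polls) >= 3 and not any(p.get("moved") for p in polls):
        flags.add("waits_for_human")                  # keeps polling, cursor never moves
    for ev in trace:
        path = ev.get("path", "").lower()
        if ev["api"] == "Sleep" and ev.get("ms", 0) > SLEEP_LIMIT_MS:
            flags.add("delayed_activation")
        if ev["api"] in ("RegOpenKey", "GetFileAttributes") and any(m in path for m in VM_MARKERS):
            flags.add("sandbox_detection")
    return flags


def risk_evaluation(trace):
    """OS risk and network risk, each capped at 100 (constructed weights)."""
    os_risk = net_risk = 0
    for ev in trace:
        path = ev.get("path", "").lower()
        if ev["api"] == "WriteFile" and path.endswith(".exe"):
            os_risk += 40                             # dropped a new executable
        if ev["api"] == "RegSetValue" and "\\run\\" in path:
            os_risk += 40                             # autostart persistence
        if ev["api"] == "connect" and ev.get("port") not in (80, 443):
            net_risk += 30                            # unusual destination port
        if ev["api"] == "send" and ev.get("bytes", 0) > 100_000:
            net_risk += 40                            # bulk outbound transfer
    return min(os_risk, 100), min(net_risk, 100)


def risk_score(os_risk, net_risk):
    """Combine the two evaluations: the larger one, plus a bonus when both fired."""
    score = max(os_risk, net_risk)
    return min(score + 15, 100) if os_risk and net_risk else score


def analyze(sample, traces_by_env, malicious_at=60):
    """Route one sample through the array; traces_by_env stands in for the real runs."""
    ftype = identify(sample)
    history, flags = [], set()
    for env in ENVIRONMENTS[ftype]:
        trace = traces_by_env.get(env, [])
        flags = evasion_indicators(trace)
        score = risk_score(*risk_evaluation(trace))
        history.append((env, score, sorted(flags)))
        if score >= malicious_at:
            return {"type": ftype, "verdict": "Malicious", "history": history}
        if not flags:
            break                                     # quiet and not evasive: accept the run
        # quiet but evasive: re-escalate to the next environment type
    verdict = "Suspicious (evasive, unresolved)" if flags else "Not Malicious"
    return {"type": ftype, "verdict": verdict, "history": history}


# Constructed samples and the trace each environment would have logged for them.
SAMPLE_EXE = b"MZ" + b"\x90" * 62 + b"constructed-sample-not-a-real-binary"
TRACES_EXE = {
    "vm-win-a": [                                     # probes, waits, then gives up
        {"api": "RegOpenKey", "path": "HKLM\\SYSTEM\\Constructed\\VMware Tools"},
        *[{"api": "GetCursorPos", "moved": False}] * 3,
        {"api": "Sleep", "ms": 600_000},
    ],
    "vm-win-b": [                                     # a second VM build is recognised too
        {"api": "GetFileAttributes", "path": "C:\\Constructed\\vbox-guest.sys"},
    ],
    "emulator": [                                     # the full behaviour finally shows
        {"api": "WriteFile", "path": "C:\\Users\\Public\\svc.exe"},
        {"api": "RegSetValue", "path": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svc"},
        {"api": "connect", "port": 4444},
        {"api": "send", "bytes": 250_000},
    ],
}
SAMPLE_PDF = b"%PDF-1.7\n% constructed benign document"
TRACES_PDF = {"vm-reader": [{"api": "ReadFile", "path": "C:\\Users\\user\\doc.pdf"}, {"api": "connect", "port": 443}]}
```

`analyze(SAMPLE_EXE, TRACES_EXE)` walks all three environments and returns Malicious only from the emulator run, with the history showing a zero risk score but evasion flags in both VM runs; `analyze(SAMPLE_PDF, TRACES_PDF)` stops after one clean, non-evasive run. The decision that matters is the `if not flags: break`: a first-generation appliance that clears every quiet run would have released the executable after the first sandbox.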

Page 31

CYREN Advanced Malware Analysis Visualization

DEMO

Page 32

Facebook tagging trick

Page 33

• Friend mentioned you in a comment

Page 34

• Redirects you to download a JSE file from Google Drive

Page 35

• The JavaScript file

Page 36

Page 37

Page 38

The End

Page 39

Questions?

Lior [email protected]
Richard [email protected]

Page 40

APPENDIX

Page 41

CYREN Advanced Malware Analysis Visualization

Page 42

Page 43

Page 44

Page 45