Date posted: 14-Dec-2015
Agenda
• Threat landscape and current approach
• The anatomy of an attack
• Next generation endpoint security
Recapping the Problem
Q2 2012: >8 million new malware samples
Up to 200,000 new samples received and processed daily by McAfee Labs
Two fundamental problems with today's approach…
• Detection
– 1 new threat each second versus 1 signature update per day
– New signature updates could be produced more frequently, but cannot be consumed more quickly
– The cloud helps, but we cannot check each file with the cloud
– Signatures don't help against APTs and zero-day attacks
• Performance
– Scanning all files for all things takes time
– As the number of threats multiplies, the impact of scanning multiplies
Four Phases of an Attack
• First Contact – how the attacker first crosses paths with the target
– Physical Access
– Unsolicited Message
– Network Access
– Malicious Website or URL
• Local Execution – how the attacker gets code running
– Social Engineering
– Configuration Error
– Exploit
• Establish Presence – how the code persists on the system, to survive reboot
– Download Malware
– Escalate Privilege
– Self-Preservation
– Persist on System
• Malicious Activity – the business logic, what the attacker wants to accomplish
– Propagation
– Bot Activities
– Identity & Financial Fraud
– Tampering
– Adware & Scareware
Four Phases of an Attack, e.g. Fake AV
A fake-antivirus infection walked through the same four phases:
• First Contact (how the attacker first crosses paths with the target): Malicious Website or URL
• Local Execution (how the attacker gets code running): Exploit
• Establish Presence (how the code persists on the system, to survive reboot): Persist on System
• Malicious Activity (the business logic, what the attacker wants to accomplish): Adware & Scareware
A generic approach to protection
• First Contact (how the attacker first crosses paths with the target): Physical Access, Unsolicited Message, Network Access, Malicious Website or URL
• Local Execution (how the attacker gets code running): Social Engineering, Configuration Error, Exploit
• Establish Presence (how the code persists on the system, to survive reboot): Download Malware, Escalate Privilege, Self-Preservation, Persist on System
• Malicious Activity (the business logic, what the attacker wants to accomplish): Propagation, Bot Activities, Identity & Financial Fraud, Tampering, Adware & Scareware
Protection controls mapped across the four phases: Device control, Hard disk encryption, Web filtering, Host firewall, Network access control, Email filtering, Memory & kernel protection, Database monitoring, On-access scanning, Access protection rules, Application whitelisting, Auditing, Kernel protection, Integrity monitoring
Next-Generation Endpoint Security: Context-Aware Endpoint Platform
• Protected layers: Cloud, Application, Database, OS, Chip
• Unified Security Operations: Security Information and Events, Risk and Compliance, Real-time information
• Device types covered: Desktop, Laptop, Mobile, Server, Virtual, Embedded, Data Center
First-generation endpoint security, by contrast:
• Desktop/Laptop
• Blacklist Files
• Focus on Devices
• Windows Only
• Static Device Policy
• Disparate, Disconnected Management
Next Generation Anti-Malware Core: Technology Overview
• Flexible: Multiple content streams | Updateable components
• Reputation enabled: File, IP, site, domain | Prevalence
• Resilient: Advanced repair | Built-in false prevention logic | Centralized quarantine
• Signature-less detection: Shell code & script exploits | Reputation and trust based process restrictions | Environmental heuristics | Process profiling
• High performance: Adaptive scanning and dynamic scan avoidance using trust logic | Static and dynamic whitelisting
• Context awareness: OS | Application | Network | File | Registry | Memory | Process execution
Adaptive scanning and false avoidance
• Is a scan necessary? Scan according to file state
• False cloud check
• Traditional combined with reputation
– Global Threat Intelligence: cloud lookups for file, URL, domain, IP reputation, and metadata
– Traditional signatures
– Generics and heuristics
• What do you do about the remaining items, with various levels of suspiciousness?
Intelligent Trust and Selective Scanning
[Trust scale: Low – Normal – High]
Define multiple scanning states, providing differing levels of monitoring, hooking different kernel activity etc.:
• Trusted – limited set of events monitored
• Normal – intermediate set of events monitored
• Suspicious – full set of events monitored
Categorise a file based on knowledge:
• Where did it come from (Internet, USB, local net, …)?
• How did it arrive (trusted process, user, …)?
• What else is known about it?
Processes inherit the trust of their binary image file:
• Monitor processes based on scanning state
Adaptive Scanning based on behavior
• Malware families follow certain behavioral patterns
• Observe what grey files and processes do, looking for suspicious behavior
• Keep track of events in a local database
[Trust scale: Low – Normal – High]
• Change state based on behaviours, e.g.
– If something suspicious is seen, increase event monitoring for that process:
• Connects to known bad IP or URL: more suspicious
• Signed by known trusted certificate: less suspicious
– Get aggressive, but in a highly targeted way!
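The scanning-state model from the two slides above, as an added example that is not from the original deck: a file is categorised from origin and arrival, a process inherits that state from its image, only the events hooked at the current state are recorded, and recorded evidence moves the process up or down the trust scale. The event sets, origin values and the sample bad IP are assumptions for illustration.

```python
from dataclasses import dataclass, field
from enum import Enum

class ScanState(Enum):
    TRUSTED = 0      # limited set of events monitored
    NORMAL = 1       # intermediate set of events monitored
    SUSPICIOUS = 2   # full set of events monitored

# Kernel activity hooked per scanning state (assumed sets for illustration).
MONITORED_EVENTS = {
    ScanState.TRUSTED: {"process_create", "signature_verified"},
    ScanState.NORMAL: {"process_create", "signature_verified",
                       "file_write", "network_connect"},
    ScanState.SUSPICIOUS: {"process_create", "signature_verified",
                           "file_write", "network_connect",
                           "registry_write", "memory_inject", "driver_load"},
}

KNOWN_BAD_IPS = {"198.51.100.23"}  # constructed sample reputation entry

def categorise_file(origin, arrival_via, signed_by_trusted_cert):
    """Initial state from what is known: where it came from and how it arrived."""
    if signed_by_trusted_cert and origin == "local_net" and arrival_via == "trusted_process":
        return ScanState.TRUSTED
    if origin in ("internet", "usb") or arrival_via == "unknown_process":
        return ScanState.SUSPICIOUS
    return ScanState.NORMAL

@dataclass
class Process:
    name: str
    state: ScanState                               # inherited from the image file
    events: list = field(default_factory=list)     # local event database

def spawn(name, image_state):
    """A process starts with the scanning state of its binary image."""
    return Process(name, image_state)

def observe(proc, event, detail=None):
    """Record an event if the current state hooks it, then adapt the state."""
    if event not in MONITORED_EVENTS[proc.state]:
        return False                                # not hooked at this trust level
    proc.events.append((event, detail))
    level = proc.state.value
    if event == "network_connect" and detail in KNOWN_BAD_IPS:
        level = min(level + 1, ScanState.SUSPICIOUS.value)   # more suspicious
    elif event == "signature_verified":
        level = max(level - 1, ScanState.TRUSTED.value)      # less suspicious
    proc.state = ScanState(level)
    return True
```

A process that starts Normal has its registry writes ignored until a connection to a known bad IP moves it to Suspicious, which is the "aggressive, but targeted" escalation the slide describes.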
Summary
• First gen endpoint solutions scan with signatures once and, if no infection is found, allow any action
– Increased malware volume means this technique will impact performance
– Increased speed of propagation renders this approach ineffective against new malware, zero-day attacks and APTs
• Next gen endpoint solutions need
– Light scan to minimise performance impact
– Heavy scan to detect new malware
• An adaptive approach is the only way to improve detection whilst reducing performance impact