

SLIDE 1

Evolution of Malware and the Next Generation Endpoint Protection against Targeted Attacks

SLIDE 2

02/07/2015 Malware Evolution 2

Index

1. Malware volume evolution
2. Malware Eras
3. Panda Adaptive Defense
   1. What is it
   2. Features & Benefits
   3. How does it work
   4. Success Story

SLIDE 3

Malware samples evolution

SLIDE 4

Malware volume evolution


SLIDE 5

Malware Eras

SLIDE 6

1st Era

  • Very few samples and malware families
  • Viruses created for fun: some very harmful, others harmless, but with no ultimate goal
  • Slow propagation (months, years) through floppy disks. Some viruses are named after the city where they were created or discovered
  • All samples are analysed by technicians
  • Sample static analysis and disassembly (reversing)

SLIDE 7

Examples: W32.Kriz, Jerusalem

SLIDE 8

2nd Era

  • The volume of samples starts growing
  • The Internet slowly grows popular; macro viruses, mail worms, etc. appear
  • In general terms, low-complexity viruses using social engineering via email; limited distribution, not massively distributed
  • Heuristic techniques
  • Increased update frequency

SLIDE 9

Examples: Melissa, Happy99

SLIDE 10

3rd Era

  • Mass worm outbreaks overload the Internet
    • Via mail: I Love You
    • Via exploits: Blaster, Sasser, SQL Slammer
  • Proactive technologies
    • Dynamic: Proteus
    • Static: KRE & heuristics, machine learning
  • Malware process identification by analysing the events generated by the process:
    • Access to the mail contact list
    • Internet connection through a non-standard port
    • Multiple connections through port 25
    • Autorun key addition
    • Web browser hooks

SLIDE 11

Examples: I Love You, Blaster

SLIDE 12

Example: Sasser

SLIDE 13

Static proactive technologies

Response times are reduced to zero by detecting unknown malware. Machine learning algorithms are applied to classic classification problems, and ours is also a classification problem: malware vs. goodware.

SLIDE 14

4th Era

  • Hackers switched profile: the main motivation of malware is now economic benefit, using banking trojans and phishing attacks
  • Generalisation of droppers, downloaders and exploit kits (EK)
  • The move to Collective Intelligence
  • Massive file classification
  • Knowledge is delivered from the cloud

SLIDE 15

Examples: Banbra, Tinba

SLIDE 16

The move to Collective Intelligence

Delivering knowledge from the cloud as an alternative to the signature file. Scalability of the malware-signature delivery services to customers through complete automation of all back-end processes (processing, classification and detection).

SLIDE 17

Big Data arrival

  • Current working set of 12 TB
  • 400 billion records
  • 600 GB of samples per day
  • 400 million samples stored

Innovation: making the data processing derived from the Collective Intelligence strategy viable by applying Big Data technologies.

SLIDE 18

5th Era

  • First massive cyber-attack against a country: Estonia, from Russia
  • Anonymous starts a campaign against several organizations (RIAA, MPAA, SGAE and others)
  • Malware professionalization
  • Use of marketing techniques in spam campaigns
  • Country/time-based malware variant distribution
  • Ransomware
  • APTs
  • Detection by context: apart from analysing what a process does, the context of execution is also taken into account…
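The event-based process analysis on the 3rd Era slide and the detection-by-context point on the 5th Era slide, combined in one added example. This is editor-written illustration in Python, not Panda's code or the engine the deck describes: the event weights, the SMTP burst threshold, the decision threshold, the context rules (parent process, code signature, file location) and the sample telemetry are all constructed assumptions. The last two cases share identical behaviour and differ only in context, which is the point of the 5th Era bullet.

```python
"""Event-plus-context process scoring. Added example, not Panda's code;
weights, thresholds, context rules and telemetry are assumptions."""
from collections import Counter
from dataclasses import dataclass

# Behavioural events from the 3rd Era slide; the weights are assumptions.
EVENT_WEIGHTS = {
    "read_mail_contacts": 3,        # access to the mail contact list
    "connect_nonstandard_port": 2,  # Internet connection through a non-standard port
    "connect_port_25": 1,           # one outbound SMTP connection is ordinary
    "add_autorun_key": 3,           # persistence via an autorun key
    "hook_browser": 4,              # web browser hook
}
SMTP_BURST_THRESHOLD = 5  # assumption: this many port-25 connections = mass mailing
SMTP_BURST_BONUS = 4
DECISION_THRESHOLD = 6    # assumption: total score at or above this = malware

# Document and mail applications that do not normally spawn new executables.
DOCUMENT_PARENTS = {"winword.exe", "excel.exe", "outlook.exe"}


@dataclass
class ProcessContext:
    """Execution context (5th Era slide); the field set is an assumption."""
    parent: str   # parent process image name
    signed: bool  # valid code signature present
    path: str     # image path


def behaviour_score(events):
    """Score what the process did, independent of where it came from."""
    score = 0
    for event, count in Counter(events).items():
        score += EVENT_WEIGHTS.get(event, 0)
        if event == "connect_port_25" and count >= SMTP_BURST_THRESHOLD:
            score += SMTP_BURST_BONUS  # many SMTP connections: mail-worm pattern
    return score


def context_adjustment(ctx):
    """Score the context of execution: the same actions are more suspicious
    from an unsigned binary dropped by Word into a temp directory."""
    adj = 0
    if ctx.parent.lower() in DOCUMENT_PARENTS:
        adj += 3
    if not ctx.signed:
        adj += 2
    lowered = ctx.path.lower()
    if "\\temp\\" in lowered or "\\appdata\\" in lowered:
        adj += 2
    return adj


def classify(events, ctx):
    total = behaviour_score(events) + context_adjustment(ctx)
    return ("malware" if total >= DECISION_THRESHOLD else "goodware", total)


# Constructed telemetry for the sample processes.
MAIL_CLIENT_EVENTS = ["read_mail_contacts", "connect_port_25"]
MAIL_CLIENT_CTX = ProcessContext("explorer.exe", True,
                                 "C:\\Program Files\\Microsoft Office\\outlook.exe")

WORM_EVENTS = ["read_mail_contacts"] + ["connect_port_25"] * 8 + ["add_autorun_key"]
WORM_CTX = ProcessContext("winword.exe", False,
                          "C:\\Users\\bob\\AppData\\Local\\Temp\\invoice.exe")

# Same behaviour, two contexts: only the context separates them.
UPDATER_EVENTS = ["connect_nonstandard_port", "add_autorun_key"]
TRUSTED_CTX = ProcessContext("explorer.exe", True, "C:\\Program Files\\Vendor\\updater.exe")
DROPPED_CTX = ProcessContext("outlook.exe", False, "C:\\Users\\bob\\AppData\\Roaming\\upd.exe")

if __name__ == "__main__":
    for name, ev, ctx in [("mail client", MAIL_CLIENT_EVENTS, MAIL_CLIENT_CTX),
                          ("mail worm", WORM_EVENTS, WORM_CTX),
                          ("updater (trusted ctx)", UPDATER_EVENTS, TRUSTED_CTX),
                          ("updater (dropped ctx)", UPDATER_EVENTS, DROPPED_CTX)]:
        print(f"{name:24} -> {classify(ev, ctx)}")
```

Behaviour alone leaves the updater at 5, just under the threshold in both contexts; an unsigned copy spawned by Outlook from AppData crosses it, while the signed copy in Program Files does not.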

SLIDE 19

Example: Reveton ransomware

SLIDE 20

SLIDE 21

APTs…


SLIDE 22

  • November / December 2013
  • 40 million credit/debit cards stolen
  • Attack carried out through the air-conditioning maintenance contractor
  • POS (point-of-sale) systems

  • Unknown author
  • Information deletion
  • TBs of information stolen

Sony Pictures computer system down after reported hack

Hackers threaten to release 'secrets' onto web

SLIDE 23

Carbanak

  • Year 2013/2014
  • 100 affected entities
  • Countries affected: Russia, Ukraine, USA, Germany, China
  • ATMs: US$ 7,300,000
  • Transfers: US$ 10,000,000
  • Total estimated: US$ 1,000,000,000
SLIDE 24

What is Panda Adaptive Defense?

The Next Generation Endpoint Protection

SLIDE 25

Panda Adaptive Defense is a new security model designed to provide complete protection for devices and servers by classifying 100% of the processes running on every computer across the organization and monitoring and controlling their behaviour. More than 1.2 billion applications have already been classified. The new Adaptive Defense version (1.5) also includes an AV engine, adding disinfection capability, so Adaptive Defense can even replace the company antivirus.

  • RESPONSE… and forensic information to analyse each attempted attack in detail
  • VISIBILITY… and traceability of each action taken by the applications running on a system
  • PREVENTION… and blocking of applications and isolation of systems to prevent future attacks
  • DETECTION… and blocking of zero-day and targeted attacks in real time without the need for signature files

SLIDE 26

Features and benefits

SLIDE 27

Grouped on the slide under Protection, Productivity and Management:

  • Daily and on-demand reports
  • Simple, centralized administration from a Web console
  • Better service, simpler management
  • Detailed and configurable monitoring of running applications
  • Protection of vulnerable systems
  • Protection of intellectual assets against targeted attacks
  • Forensic report
  • Identification and blocking of unauthorized programs
  • Light, easy-to-deploy solution

SLIDE 28

Key Differentiators

  • Categorizes all running processes on the endpoint, minimizing the risk of unknown malware: continuous monitoring and attestation of all processes fills the detection gap of AV products.
  • Automated investigation of events significantly reduces manual intervention by the security team: machine learning and collective intelligence in the cloud definitively identify goodware and block malware.
  • Integrated remediation of identified malware: instant access to real-time and historical data provides full visibility into the timeline of malicious endpoint activity.
  • Minimal endpoint performance impact (<3%)

SLIDE 29

Adaptive Defense vs Traditional Antivirus

New malware detection capability*

                                                  Traditional Antivirus (25)   Standard Model   Extended Model
New malware blocked during the first 24 hours     82%                          98.8%            100%
New malware blocked during the first 7 days       93%                          100%             100%
New malware blocked during the first 3 months     98%                          100%             100%
Suspicious detections                             YES                          NO (no uncertainty)

% of detections by Adaptive Defense detected by no other antivirus: 3.30%

File classification

                                   Universal Agent**   Adaptive Defense
Files classified automatically     60.25%              99.56%
Classification certainty level     99.928%             99.9991% (< 1 error / 100,000 files)

* Viruses, Trojans, spyware and ransomware received in our Collective Intelligence platform. Hacking tools, PUPs and cookies were not included in this study.

** Universal Agent technology is included as endpoint protection in all Panda Security solutions.

SLIDE 30

Adaptive Defense vs Other Approaches

Drawbacks of the other approaches as listed on the slide (AV vendors, WL vendors* and new ATD vendors**):

  • Detection gap
  • Do not classify all applications
  • Management of WLs required
  • Not all infection vectors covered (e.g. USB drives)
  • Not transparent to end-users and admins (false positives, quarantine administration, …)
  • Complex deployments required
  • Monitoring sandboxes is not as effective as monitoring real environments
  • Expensive work overhead involved
  • ATD vendors do not prevent/block attacks

* WL = Whitelisting: Bit9, Lumension, etc.
** ATD = Advanced Threat Defense: FireEye, Palo Alto, Sourcefire, etc.

SLIDE 31

How does Adaptive Defense work?

SLIDE 32

A brand-new three-phase cloud-based security model

1st Phase: Comprehensive monitoring of all the actions triggered by programs on endpoints
2nd Phase: Analysis and correlation of all actions monitored on customers' systems, using data mining and Big Data analytics techniques
3rd Phase: Endpoint hardening and enforcement: blocking of all suspicious or dangerous processes, with notifications to alert network administrators
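The three phases as one added example (editor-written illustration in Python, not Panda's implementation): every process start is recorded, the executable's SHA-256 is looked up in a verdict store standing in for the cloud classification service, and the enforcement decision is logged for forensics. The verdict store, the file contents and the two policy modes are assumptions: "standard" lets an unknown file run but reports it, "extended" blocks it until a verdict exists. The deck names Standard and Extended models in its comparison table but does not define them; the names are reused here only to show why classifying 100% of processes closes the detection gap.

```python
"""Three-phase model: monitor, classify, enforce. Added example, not Panda's
implementation; verdict store, sample files and mode policies are assumptions."""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List

GOODWARE, MALWARE, UNKNOWN = "goodware", "malware", "unknown"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed byte strings standing in for real executables.
SAMPLE_FILES = {
    "C:\\Windows\\explorer.exe": b"MZ-constructed-explorer",
    "C:\\Users\\bob\\Downloads\\invoice.exe": b"MZ-constructed-banker",
    "C:\\Users\\bob\\AppData\\Local\\newtool.exe": b"MZ-constructed-never-seen",
}


class VerdictStore:
    """Phase 2 stand-in: the cloud classification service, here a local dict
    keyed by file hash. Anything not present is UNKNOWN, not goodware."""
    def __init__(self):
        self.verdicts: Dict[str, str] = {}

    def publish(self, contents: bytes, verdict: str):
        self.verdicts[sha256_hex(contents)] = verdict

    def classify(self, digest: str) -> str:
        return self.verdicts.get(digest, UNKNOWN)


@dataclass
class Decision:
    path: str
    digest: str
    verdict: str
    action: str   # "allow" | "block"
    notify: bool  # alert the administrator


@dataclass
class Endpoint:
    store: VerdictStore
    mode: str = "standard"  # assumption: "standard" lets unknown run and reports it,
                            # "extended" blocks unknown until a verdict exists
    audit: List[Decision] = field(default_factory=list)

    def on_process_start(self, path: str, contents: bytes) -> Decision:
        # Phase 1: every process start is recorded, never sampled.
        digest = sha256_hex(contents)
        # Phase 2: classification against the cloud verdicts.
        verdict = self.store.classify(digest)
        # Phase 3: enforcement. Known malware is always blocked; the unknown
        # case is where the policy mode matters.
        if verdict == MALWARE:
            action, notify = "block", True
        elif verdict == GOODWARE:
            action, notify = "allow", False
        elif self.mode == "extended":
            action, notify = "block", True
        else:
            action, notify = "allow", True
        decision = Decision(path, digest, verdict, action, notify)
        self.audit.append(decision)  # forensic trail for later analysis
        return decision


def build_store() -> VerdictStore:
    store = VerdictStore()
    store.publish(SAMPLE_FILES["C:\\Windows\\explorer.exe"], GOODWARE)
    store.publish(SAMPLE_FILES["C:\\Users\\bob\\Downloads\\invoice.exe"], MALWARE)
    # newtool.exe is deliberately absent: a never-seen file.
    return store


def run_scenario(mode: str) -> List[Decision]:
    """Launch every sample file once on an endpoint in the given mode."""
    endpoint = Endpoint(build_store(), mode)
    return [endpoint.on_process_start(p, c) for p, c in SAMPLE_FILES.items()]


def detection_gap(mode: str) -> int:
    """Number of unknown files that were allowed to execute: the window a
    signature-only product leaves open and the extended mode closes."""
    return sum(1 for d in run_scenario(mode) if d.verdict == UNKNOWN and d.action == "allow")


if __name__ == "__main__":
    for mode in ("standard", "extended"):
        print(mode, [(d.path.rsplit("\\", 1)[-1], d.verdict, d.action)
                     for d in run_scenario(mode)])
        print("  unknown files that ran:", detection_gap(mode))
```

The audit list is what the forensic report is built from: in standard mode it shows that the never-seen file ran before any verdict existed, which is exactly the information an analyst needs once the cloud later classifies it.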

SLIDE 33

Panda Adaptive Defense Architecture

SLIDE 34

Success Story

SLIDE 35

Adaptive Defense in figures

  • +1.2 billion applications already categorized
  • +100 deployments; malware detected in 100% of scenarios
  • +100,000 endpoints and servers protected
  • +200,000 security breaches mitigated in the past year
  • +230,000 hours of IT resources saved, an estimated cost reduction of €14.2M

Let's see an example…

SLIDE 36

Scenario Description

Concept                          Value
PoC length                       60 days
Machines currently monitored     +/- 690
Machines with malware            73
Machines with malware executed   15
Machines with PUP found          91
Executed PUP files               13
Executed files classified        27,942

Concept                          Value
Malware blocked                  160
PUP blocked                      623
TOTAL threats mitigated          783

SLIDE 37

Software vendor distribution over 100% of executable files

Vendors shown in the chart include Skillbrains, Igor Pavlov, Sandboxie Holdings LLC, Eolsoft, Opera Software and Dropbox Inc.

SLIDE 41

Vulnerable applications

Vulnerable application activity:

  • 22 vulnerable applications in all seats = 2,074

Vulnerable application inventory (count in parentheses):

  • Excel v14.0.7 - v15.0 (279)
  • Firefox v34.0 - v36 (178)
  • Java v6 - v7 (80)
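Checking an installed-software inventory against version ranges like the ones on this slide, as an added example (editor-written Python, not Panda's code). The three ranges are copied from the slide; the inventory rows are constructed, and the interpretation of a range as inclusive with a prefix-matched upper bound (so "v36" covers every 36.x build) is an assumption about what the slide means.

```python
"""Vulnerable application inventory. Added example, not Panda's code; the
ranges are from the slide, the inventory rows and range semantics are assumptions."""
import re
from collections import Counter
from typing import Tuple

# Application -> (lowest vulnerable version, highest vulnerable version), as on the slide.
VULNERABLE_RANGES = {
    "Excel":   ("v14.0.7", "v15.0"),
    "Firefox": ("v34.0", "v36"),
    "Java":    ("v6", "v7"),
}


def parse_version(text: str) -> Tuple[int, ...]:
    """'v14.0.7' -> (14, 0, 7); 'Java 7 Update 71' -> (7, 71). Only numeric
    components are kept, so different vendor naming styles compare uniformly."""
    return tuple(int(n) for n in re.findall(r"\d+", text))


def in_range(version: str, low: str, high: str) -> bool:
    """Inclusive on both ends. The upper bound is matched by prefix, so a
    short bound such as 'v36' covers every 36.x build (assumption)."""
    v, lo, hi = parse_version(version), parse_version(low), parse_version(high)
    return lo <= v and v[:len(hi)] <= hi


def is_vulnerable(app: str, version: str) -> bool:
    if app not in VULNERABLE_RANGES:
        return False
    low, high = VULNERABLE_RANGES[app]
    return in_range(version, low, high)


# Constructed inventory: (seat, application, version string as reported).
INVENTORY = [
    ("ws-01", "Excel", "14.0.7166"),
    ("ws-02", "Excel", "16.0.4266"),
    ("ws-03", "Excel", "15.0.4693"),
    ("ws-01", "Firefox", "35.0.1"),
    ("ws-02", "Firefox", "37.0"),
    ("ws-03", "Firefox", "34.0"),
    ("ws-01", "Java", "Java 7 Update 71"),
    ("ws-02", "Java", "Java 8 Update 40"),
    ("ws-04", "Java", "Java 6 Update 45"),
    ("ws-04", "Notepad++", "6.7.4"),  # not on the vulnerable list
]


def vulnerable_seats(inventory) -> Counter:
    """Count seats per application running a vulnerable version, the figure
    the slide reports next to each application."""
    counts = Counter()
    for seat, app, version in inventory:
        if is_vulnerable(app, version):
            counts[app] += 1
    return counts


if __name__ == "__main__":
    for app, n in sorted(vulnerable_seats(INVENTORY).items()):
        low, high = VULNERABLE_RANGES[app]
        print(f"{app} {low} - {high} ({n})")
```

Dropping non-numeric parts is deliberate but lossy: a bound like "v14.0.7" will also match 14.0.8xxx builds, so when the vendor's patch level is encoded in the third component the range should be written with the full build number.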
SLIDE 42

Top Malware

SLIDE 43

Top Malware

SLIDE 44

PUP (Spigot)

SLIDE 45

Potentially confidential information extraction

SLIDE 46

SLIDE 47

Thank you