(1)

Targeted attacks begin with spear-phishing

(2)

Proofpoint (NASDAQ: PFPT), Security-as-a-Service leader

What we do: protect the most sensitive data of the world's most successful companies. Comprehensive data protection portfolio; scalable Security-as-a-Service platform; advanced threat protection.

Accolades: Leaders Quadrant in the 2012, 2013 and 2014 Magic Quadrant for Secure Email Gateways and Enterprise Information Archiving; Champions Quadrant and Innovation Award, 2012.

Key partners and select customers (demonstrated success): 3 of the 5 largest US retailers; 5 of the 5 largest US banks; 3 of the 5 largest US defense contractors; 2 of the 5 largest global pharmaceutical companies.

(3)

Leaders in Gartner's 2014 Magic Quadrant for Secure Email Gateways

Gartner, Inc. positions Proofpoint in the Leaders Quadrant in its 2014 Magic Quadrant for Secure Email Gateways.

“It clearly has the sharpest focus on email security issues, resulting again in one of the highest growth rates in this market.”

The last “pure player” in email security gateways (focused only on the email security gateway).

(4)

Comprehensive Suite

Security-as-a-Service suite: full life-cycle data protection.

Big Data platform: advanced data processing, search and analytics.

Cloud infrastructure: innovative hybrid architecture with a global data center footprint.

(5)

Proofpoint Protection

Enterprise Protection: stop spam, viruses and other forms of malware.

Targeted Attack Protection: identify and block advanced threats before they penetrate the enterprise.

Threat Response: automate threat remediation.

(6)

threat protection | compliance | archiving & governance | secure communication

Targeted attacks begin with a spear-phishing email, and that is not fiction!

(7)

The Industry Challenge: breaches keep happening

(8)
(9)
(10)

We think “malware”; attackers think “monetization”.

Every PC is valuable to cybercriminals.

(11)

Some real examples

(12)
(13)

#1 Banking customer – Dridex malware: malware campaigns

(14)

#1 Banking customer – Dridex malware: malware not detected by AV

(15)

#1 Banking customer – Dridex malware: malware not detected by AV

[Chart, messages carrying malware not detected: Major AV Vendor, 379K messages; TAP, 0 messages]

(16)

Some real examples

#2 Credentials seeking

How it works

To target the defense company Academi, the attacker registered two typosquatted domain names:

• tolonevvs[dot]com (real news domain: tolonews.com, a news site about Afghanistan; the pair “vv” imitates “w”)
• academl[dot]com (real company domain: academi.com; a lower-case “l” imitates “i”)

When the target opens the email in the preview pane of Microsoft Outlook Web Access and clicks the link to the typosquatted domain, a new tab opens and loads the original news site, so nothing looks wrong. Meanwhile the page on the typosquatted domain navigates the tab that opened it, the victim's OWA session, to a fake OWA logon page.

(17)

#2 Credentials seeking

(18)

#2 Credentials seeking: fake Outlook Web Access login pages

The typosquatted domain tolonevvs.com actually served a mildly obfuscated piece of JavaScript. The script contains no exploit; all it does is assign the opener window's location, which navigates the tab that opened the new tab (the victim's OWA session) to an attacker-chosen URL (defanged):

window.opener.location = "hxxps://mail[dot]academl[dot]com/owa/auth/logon.aspx?replaceCurrent=1&url=https%3a%2f%2fmail.academi.com%2fowa%2f&tids=lkdmfvlkd"

That URL is a fake OWA logon page on the look-alike domain, built to mirror the real one down to the url= parameter pointing at the genuine mail.academi.com. A victim who was reading mail in OWA a moment earlier sees a familiar logon page and types their credentials into the attacker's site.

(19)

#2 Credentials seeking

(20)
(21)

#3 The human factor - Who Is Clicking?

(22)

#3 The human factor - Where Do Users Click?

On and off the network: 1 in 5 clicks occur off the corporate network

(23)
(24)

#3 The human factor

(25)

Email Borne Threat Landscape

Spear phishing: handcrafted, socially engineered, very low volume; targets anyone with access to sensitive data; the preferred method of state actors.

Multi-variant: one campaign serving both spam and malware; a TDS (traffic distribution system) varies the payload based on time, device, geography and other factors.

Longlining: high-volume, mass-customized phishing; high cost to remediate; opportunistic payloads.

Watering hole: compromised trusted content sources; uses the sites' own newsletters to drive traffic.

(26)

Email-Borne Threats:

Exploit Techniques

URL-based
• Drive-by downloads: compromised sites, exploit kits, malware
• Credential-seeking: fake sites, Google Docs forms, phone-number scams
• URLs pointing to zips

Attachment-based
• .exe files inside archives (.zip, .rar, etc.)
• Weaponized documents (PDF, Office)

(27)
(28)

The Cybercrime Attack Chain

• High-volume unsolicited email

• Credential phish

(29)

Legitimate Email, Compromised Sites

A web marketing email to subscribers of a popular healthcare site. Because the site had been compromised, the legitimate emails carried malicious links.

(30)

The Cybercrime Attack Chain

• Malicious scripts
• Malicious redirects
• Virtually infinite supply: domain and URL reputation cannot keep up

(31)

Legitimate Email, Compromised Sites

Malicious JavaScript in the compromised site pulls in the Sutra TDS. The TDS directs the visitor to the Sweet Orange exploit kit. Drops signed

(32)

The Cybercrime Attack Chain

• Traffic Distribution System (TDS)

(33)

Multi-Variant Campaign: TDS in Action

(34)

The Cybercrime Attack Chain

Exploit kit:
• “For-hire” service; can include 0-days (Angler)
• Pre-exploit (heap spray)
• Exploits chosen based on the victim's client applications and patch level

(35)

The Cybercrime Attack Chain

Delivery:
• A dropper downloads the malware
• Or a ‘single-stage’ delivery, where the dropper is also the malware

(36)


(37)

New Landscape, New Requirements

Traditional anti-spam:
• Traditional reputation and signature systems
• 99% effectiveness is good enough
• Black box

Today's threats:
• Mass customization and botnets increasingly bypass reputation and signatures
• Every message matters
• Real-time, end-to-end analysis

(38)

Proofpoint Email Security Suite

Known and emerging threats: Proofpoint Enterprise Protection (DETECT, BLOCK)

Targeted, previously unknown threats: Proofpoint Targeted Attack Protection (RESPOND)
(39)

Known / Emerging Threats: Proofpoint Enterprise Protection

Blocks today's advanced campaigns
• Effectively blocks known threats
• Predictively blocks new, emerging threats

Enables unmatched visibility and control
• Powerful threat classification
• Rich policy
• Real-time analysis

Provides robust delivery and administration functionality

(40)

Blocks Today's Advanced Campaigns

Effectively block known threats
• Industry-leading visibility and analysis
• Real-time IP and URL reputation
• Content and attachment signatures

Predictively block new, emerging threats
• Predictive URL sandboxing
• IP velocity and volume tracking
• Zero-hour attachment blocking
• Automated campaign identification
• Predictive content analysis

(41)

Proofpoint Enterprise Protection

Unmatched Visibility and Control

Powerful threat classification
• Phish, malware, spam, adult, bulk, suspect

Rich policy
• Flexible options: discard, delay, quarantine
• Separate, configurable quarantines

Real-time analysis

(42)

Proofpoint Enterprise Protection

Robust Delivery and Administration

Flexible deployment, scalable performance
• Cloud, appliances, virtual machines, hybrid; proven ability to scale rapidly from thousands to hundreds of thousands of users

Powerful routing
• Built on top of the commercial version of Sendmail, the world's most widely used MTA

Flexible, global administration
• Granular and delegated administration for complex global organizations

(43)

Even the Best Protection Has Limits

Hand-crafted spear-phish
• Low volume
• Legitimate IPs and sender addresses

Legitimate email
• Watering hole or malvertising on a compromised legitimate website
• Leverages the site's existing routine newsletters

Nothing to detect at delivery
• The malicious payload is not yet in place at the URL at the time of delivery
• A TDS and obfuscated redirects mask the bad IPs
• No attachments, only URLs, and what they resolve to keeps changing

(44)

Unknown Threats: Targeted Attack Protection

Detects today's advanced threats, even after delivery
• Polymorphic and zero-day malware in attachments and URLs
• Credential phishing

Protects on click, even while mobile or remote
• Click-time defense: validation of URLs when the user clicks
• Follow-me protection: for users on and off the corporate network

Provides end-to-end, real-time, per-user insight

(45)

Detects Today's Advanced Threats

Polymorphic and zero-day
• Advanced, cloud-based dynamic and sandbox analysis
• Full attack-chain detection: compromised site, TDS, pre-exploit, exploit, malicious payload

URLs and attachments
• URLs, URL campaigns, malicious ads
• Weaponized documents (PDF, Office, Flash, etc.)

Malware and credential-seeking

(46)

Protects on Click, Even Mobile or Remote

Click-time defense
• Protects users post-delivery
• Provides end-to-end visibility

Follow-me protection works anywhere
• Works on any device in any location: mobile, home, hotels, airports
• Nothing installed on the client

Respects existing security layers
• Leverages industry-standard HTTP redirection; it does not proxy the traffic, so requests still pass through existing security layers

(47)

End-to-End Insight

Who is being targeted
• User-level insight into who is being targeted with which campaigns
• Insight into targeted versus broad-based attacks

Who is at risk, from what
• Who is clicking, when, and what they are clicking on
• Detailed forensics

In real time, and back in time
• Continual “rescoring” of history
• Real-time alerts
• Real-time aggregation and summarization

(48)

Proofpoint Targeted Attack Protection: URL Defense

[Diagram: external MTA → Proofpoint URL analysis → end users, backed by the Proofpoint malware service, big-data analysis and sandboxing]
(49)

Proofpoint Targeted Attack Protection: Attachment Defense

[Diagram: external MTA → Proofpoint Attachment Defense API → end users]

• The SHA256 hash of the attachment is sent to the cloud for a reputation lookup: BAD, GOOD or Unknown.
• BAD: the message is blocked. GOOD: the message is delivered.
• Unknown: the file goes to Proofpoint sandboxing, and the post-scan reputation is again BAD or GOOD.
• PDF present? Initiate a dynamic content scan. No dynamic content present: deliver the email.

(50)
(51)

Example of a link rewritten by URL Defense (the original destination travels in the u= parameter and is checked at click time):

https://urldefense.proofpoint.com/v1/url?u=http://onesourceprocess.com/ab3bp5r/index.html&s=abeb44ac1/&k=CPgDZ%...

(52)

When & Whether you’re being attacked

When & Whether you’ve been compromised

(53)
(54)
(55)
(56)
(57)

Summary: Proofpoint Protection

BLOCK: predictively block more attacks
DETECT: quickly detect targeted, polymorphic and zero-day attacks
RESPOND: full visibility into targets
(58)

TAP

Who clicked a bad link?

Email: [email protected]
Sender IP: 10.10.10.253
Clicked URL: http://waterhole.me?xy

(59)

TAP + Threat Response

Threat Response adds:
• Username, group, infection history, local information, local IP (AD user context)
• Malicious file check
• IP/domain reputation
• Geo-location
• C&C server checks
• Assign incidents
• Put the user in a “penalty box”
• Update firewalls, update proxies, document responses

Enriched event (additional incident context):
Email: [email protected]
AD user: Josephsmith
User group: Finance
Sender IP: known bad actor
Known malware?: Trojan.Turla.A
New domain?: Yes
Domain reputation?: Neutral
C&C list?: Y
Country?: N. Korea
Sources: AD user context, IP reputation, geolocation, WhoIs, VirusTotal

Threat verified

(60)

Exchange Threat Scanner

https://www.proofpoint.com/us/id/scanner

(61)

Audit or Proof of Concept

Deploy Proofpoint behind your current solution
• Can be deployed to remain passive within the mail flow

Quickly determine your current risk exposure and the effectiveness of what you have

(62)

How Can You Defend Your Organization?

• Continue to emphasize the importance of email security and social media security
• Deploy defenses that use multiple, contextual, big-data and threat-intelligence-based detection techniques
• Ensure layered security that incorporates automated threat response systems and content control systems as well as next-generation detection

... because someone will always click, and it only takes one.

(63)