WannaCry: How to Protect Yourself
•Download as PPTX, PDF•
2 likes•1,505 views
The recent WannaCry outbreak clearly demonstrates just how damaging ransomware can be, and how quickly such attacks can disrupt vital services. View the slides from our webinar to learn about WannaCry’s inner-workings, understand how to effectively protect from this threat and what you should do to be prepared for future attacks. For more information: http://pages.checkpoint.com/anti-ransomware.html
Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Viewers also liked
Viewers also liked (10)
Similar to WannaCry: How to Protect Yourself
Similar to WannaCry: How to Protect Yourself (20)
Recently uploaded
Recently uploaded (20)
WannaCry: How to Protect Yourself
- 1. 1©2017 Check Point Software Technologies Ltd.©2017 Check Point Software Technologies Ltd. Defeat Cyber Extortion! Protecting from WannaCry THE WEBINAR WILL BEGIN SHORTLY…
- 2. 2©2017 Check Point Software Technologies Ltd.©2017 Check Point Software Technologies Ltd. Eytan Segal | Principal Product Manager Mark Lechtik | Malware Researcher Defeat Cyber Extortion! Protecting from WannaCry
- 3. ©2015 Check Point Software Technologies Ltd. 3[Internal Use] for Check Point employees WANNACRY The World Is Under Attack Lotem Finkelstein | Threat Intelligence
- 4. ©2015 Check Point Software Technologies Ltd. 4 Facts and Fiction
- 5. 5©2017 Check Point Software Technologies Ltd. 14/03 14/04 13/05 14/05 15/0312/0501/02
- 6. ©2015 Check Point Software Technologies Ltd. 6 Spreading Method SMB A Microsoft service found on all Windows OSs. Running on port TCP/445 SHADOW BROKERS An online group leaking NSA exploitation tools CVE-2017-0144 An ID given to a vulnerability in Microsoft’s implementation of SMB
- 7. ©2015 Check Point Software Technologies Ltd. 7 Spreading Method DOUBLE PULSAR A post-exploitation Trojan payload, used by many of the NSA leaked exploits MS017-10 Microsoft fix for this and several other SMB issues ETERNALBLUE Exploit leveraging the SMB vulnerability
- 8. ©2015 Check Point Software Technologies Ltd. 8 ©2016 Check Point Software Technologies Ltd. [Protected] Distribution or modification is subject to approval INSIDE THE MALWARE STAGE I WWW KILL SWITCH TerminationSpreads itself Moving on to Stage || 1 2 STAGE II
- 9. ©2015 Check Point Software Technologies Ltd. 9 ©2016 Check Point Software Technologies Ltd. [Protected] Distribution or modification is subject to approval INSIDE THE MALWARE STAGE II File Encryption Unpacking (encrypted) embedded modules Executes dropped modules taskdlTOR taskseUI • Display ransom note • Used for decryption • Communication anonymizer • Required for C&C communication • Delete temporary files • Resource execution stub
- 10. ©2015 Check Point Software Technologies Ltd. 10 ENCRYPTION FAKE DEMO RANSOM PAYMENT OFF BUSINNESS HOURS ©2016 Check Point Software Technologies Ltd. DON’T PAY THE RANSOM! YOU WON’T GET YOUR FILES BACK
- 11. ©2015 Check Point Software Technologies Ltd. 11[Internal Use] for Check Point employees GETTING INTO THE PARTY • We got infected with WannaCry 4 times • We spotted a new variant • We took an immediate action and registered the new kill switch domain • Our domain is being queried with new infected machine every 1 second. Establishing the most vulnerable machine everHONEYPOT
- 12. ©2015 Check Point Software Technologies Ltd. 12
- 13. ©2015 Check Point Software Technologies Ltd. 13©2015 Check Point Software Technologies Ltd. 13 Version I | Version II | Version III INFECTION RATE 10 New Infections Every 1 Second
- 14. ©2015 Check Point Software Technologies Ltd. 14©2015 Check Point Software Technologies Ltd. 14 CONCLUSION IT’S NOT THE END
- 15. 15©2017 Check Point Software Technologies Ltd.©2017 Check Point Software Technologies Ltd. WHAT CAN WE DO TO PROTECT?
- 16. 16©2017 Check Point Software Technologies Ltd. There’s a Lot We Can Do! Educate 1 Backup 2 Patch 3 You don’t have to click on THAT link Generally a good practice Yet another good practice Protect 4 Effective technologies are available
- 17. 17©2017 Check Point Software Technologies Ltd. HOW RANSOMWARE GETS IN Downloading malicious documents Browsing infected websites Malicious attachments Malicious links Malicious File from USB Server vulnerability exploit Downloading malicious documents Browsing infected websites Malicious attachments Malicious links Malicious File from USB Server vulnerability exploit
- 18. 18©2017 Check Point Software Technologies Ltd. IT’S TIME TO DEFEAT CYBER CRIME! [Restricted] ONLY for designated groups and individuals
- 19. 19©2017 Check Point Software Technologies Ltd. Anti- Ransomware Anti-Bot Threat Emulation Threat Extraction Zero Phishing Anti-Virus IPS LAYERED PROTECTION
- 20. 20©2017 Check Point Software Technologies Ltd. CHECK POINT ANTI RANSOMWARE Prevent the most EVASIVE and ZERO-DAY ransomware variants Safely RECOVER encrypted data
- 21. LET’S SEE IT IN ACTION!
- 22. 22©2017 Check Point Software Technologies Ltd. HOW ANTI-RANSOMWARE WORKS ONGOING UPON DETECTION BEHAVIORAL ANALYSIS Constantly monitor for ransomware specific behaviors DATA SNAPSHOTS Continuously create short-term file backups QUARANTINE Stop and quarantine all elements of the attack RESTORE Restore encrypted files from snapshots ANALYZE Initiate forensic analysis to analyze attack details RANSOMWARE PROTECTION IS ON
- 23. 24©2017 Check Point Software Technologies Ltd. PRODUCTS FAMILY [Restricted] ONLY for designated groups and individuals Perimeter and datacenter protection Endpoint and browsers protection Custom applications protection Cloud applications protection Mobile devices protection MOBILE
- 24. 25©2017 Check Point Software Technologies Ltd. LEADER ADVANCED MALWARE ANALYSIS RECOMMENDED BREACH DETECTION SYSTEM WINNER BEST APT PROTECTION WINNER SECURITY PRODUCT OF THE YEAR THE MOST ADVANCED THREAT PREVENTION SUITE
- 25. 26©2017 Check Point Software Technologies Ltd. SandBlast TE Appliance HOSTED ON PREMISECHECK POINT CLOUD PUBLIC SandBlast Service [Restricted] ONLY for designated groups and individuals MOBILE
- 26. 27©2017 Check Point Software Technologies Ltd. 15600 5600 5400 5800 5200 15400 5900 5100 320031001400 Mail Web Browsing Data Center, DMZ, LAN 64000 44000 23500 23800PROTECT: • Threat Emulation • Threat Extraction • IPS • Anti Virus • Anti Bot COMPLETE PROTECTION SandBlast NGTX GATEWAYS
- 27. ©2016 Check Point Software Technologies Ltd. 28 ©2016 Check Point Software Technologies Ltd. Features Endpoint Complete Protection Suite SandBlast Agent SandBlast Anti-Ransomware Deployment Endpoint Agent Endpoint Agent Endpoint Agent Management SmartCenter SmartCenter SmartCenter Anti-Ransomware Incident analysis & quarantine Forensics report Browser extension Emulation & Extraction Zero Phishing Anti-Bot Anti Virus Full Disk Encryption & Media Encryption Firewall & VPN SANDBLAST AGENT OPTIONS
- 28. 29©2017 Check Point Software Technologies Ltd. CYBER EXTORTION DEFEATED! with ANTI RANSOMWARE • checkpoint.com/anti-ransomware
- 29. 30©2017 Check Point Software Technologies Ltd.©2017 Check Point Software Technologies Ltd. THANK YOU
Editor's Notes
- The training takes place in CP labs. The resulting neural network powers the dynamic exe emulation of both the both cloud and our TE appliances.
- The wanacry epidemic : 10 new infections every 1 second, which are 860K infections everyday!
- The wanacry epidemic : 10 new infections every 1 second, which are 860K infections everyday!
- Hi, I’m going to talk about how you should protect your organizations – not only from WannaCr,y but from all ransomware attacks. And indeed, from all advanced attacks. So what can we do?
- Well, there’s a lot we can do… First of all, education. You should educate your users. User awareness definitely reduces infections <CLICK> Secondly, backup. Solid backups should let you restore encrypted data in case of a ransomware attack. I should note here we’ve seen cases where backups fail at the moment of truth, and we’ve also seen cases of ransomware encrypting backups. Also, think of a network-wide infection – like we’ve seen with WannaCry. Your systems are going to be down for a loooong time while your busy restoring a system-wide infection from your backups. <CLICK> Next, Patching. I know patching can be a very painful task. But constantly patching all systems and software is always important, and WannaCry is an excellent example of why it’s important. <CLICK> And finally, protection! Yes, applying advanced protection technologies is the most effective way to prevent advanced attacks
- I’ll talk about protection in a moment, but first let’s review the common ways, in which ransomware, and other forms of malware penetrate. <CLICK> One way is by infecting users who are browsing the internet. Infections can come from malicious web sites that perform browser exploitation, or by seducing users to download and execute malicious files. <CLICK> Another very common method is to send an email to an unsuspecting user. The mail could contain either a malicious attachment, or a link to a malicious web site. And, …with a bit of social engineering, hackers trick users into clicking through and they get infected <CLICK> Infections can also enter through removable storage – like a USB stick. <CLICK> And finally, some infections go directly after your online servers. Attackers will often look for unpatched web servers, Or… in the WannaCry case, any exposed Windows host, that isn’t fully patched, will do.
- Check Point’s comprehensive solution for Advanced Threats is SANDBLAST So, … let’s have a look at SandBlast
- SandBlast offers a wide-range of advanced protections; I’ve listed a few of them on this slide. These technologies provide a multi-layered, 360-degree protection from all forms of advanced attacks, … and from all the attack vectors I showed on the previous slide. These technologies work together on the endpoint as well as on the network, to provide a complete multi-layered protection for your organization. All of these technologies will prevent ransomware attacks, and specifically, they prevent WannaCry. Talking about WannaCry: Threat Emulation – our evasion-resistant sandbox, and the Threat Extraction file sanitation technology, prevent the initial WanaCry infection via mail or web. …and our IPS technology prevents WannaCry’s propagation using the notorious SMB vulnerability. Of course, these protections also prevent numerous other forms of advanced cyber threats. I should stress here: Most of these attack vectors will be blocked by SandBlast on the network - before the attack even hits the endpoint. <CLICK> Last but not least: Anti Ransomware is our newest addition to the SandBlast family. So… let’s take a closer look at Anti-Ransomware…!
- Check Point Anti-Ransomware is an endpoint protection. It’s part of our SandBlast Agent product. Anti-Ransomware uses a set of purpose-built advanced technologies that are designed to prevent even the most evasive and sophisticated ransomware attacks. We’ve put a very strong emphasis in creating a future-proof technology that can identify and block new, unknown and zero-day ransomware attacks. <CLICK> The most important thing to all of us, is our data. And Anti-Ransomware will safely recover our data, if any was encrypted during the attack – before it was quarantined.
- Next, I’m going to switch to a short video, that shows Anti-Ransomware in action. Let’s see Anti-Ransomware protecting an endpoint from a WannaCry infection. {Demo… switch to video. 2 minutes}
- So, how does Anti-Ransomware do it’s magic? At the core of our detection engine we utilize a range of advanced behavioral algorithms. The behavioral algorithms are specifically tuned to detect ransomware. We look for generic malicious behavior, but we also look for a wide range of behaviors, that are unique to ransomware. Things like attempting to delete shadow-copies and backups, creating ransom notes, and ultimately we constantly monitor the file-system, and we can identify early-on any activity that is illegitimately and systematically encrypting files on the file system. <CLICK> Upon detection, we utilize SandBlast Agent’s unique and advanced ability to automatically analyze incidents with its Automated Forensic Analysis technology. <CLICK> The analysis phase identifies all the malicious elements of the malware, allowing us to automatically quarantine it – even if it’s a new attack that we’ve never seen before. <CLICK> In some cases, like we saw in the video, some data could get encrypted before the quarantine is complete. In order to mitigate this case, we’ve built an ongoing mechanism that creates temporary snapshots of data files - before granting any change that we suspect may be illegitimate. <CLICK> As we saw in the demo, if some data was encrypted during the attack, then once we’ve completed the quarantine, our data snapshots allow us to automatically restore the files.
- So how effective is Check Point Anti Ransomware? To answer this question, we’ve been putting Anti-Ransomware through very rigorous testing. Our goal is to test it’s prevention of unknown and zero-day ransomware. So, we built a dedicated ransomware test lab with PCs that are protected only by our Anti-Ransomware technology, without any additional endpoint or network protections. The lab is kept offline without any access to signature updates. <CLICK> And we created an automated process that collects fresh ransomware samples from Virus Total every day. Now, because ransomware is so prevalent, there is actually no shortage of new samples. In fact we’ve been testing over 200 samples a day for the past six months. <CLICK> And we are very proud of our catch-rate – to date it its 99.3%!! <CLICK> Now, one more point: In our lab we’ve disabled all other protections in order to isolate Anti-Ransomware’s detection metrics. But in your environment you should be deploying a wider set of protections. We always recommend implementing a multi-layered defense strategy, and with the advanced protections we offer, you can actually be very effective in preventing ransomware attacks before they hit their final target and your last line of defense on the endpoint. To understand this point better, I’m going to talk a bit about attack vectors.
- Back to SandBlast, SandBlast is a family of products. We offer protection for the network with our gateways, for endpoints – with SandBlast Agent, for Office 365 mail - with SandBlast Cloud … and for iOS and Android devices with SandBlast Mobile, Finally, the SandBlast API lets you to integrate SandBlast directly with virtually any system.
- Our SandBlast product family is a major success in the market, and is also very well recognized in the industry as the leading solution to advanced threats. You can see here a few of the awards and rankings that we’ve received from NSS Labs, Network Computing, SC magazine and Forrester.
- The SandBlast solution includes a Service element for Threat Emulation sandboxing, and in some case also for Threat Extraction. You can choose, as a configuration option, whether to send files for Emulation on the Check Point cloud, or you can host the service within your own data center with the SandBlast TE appliance.
- As a network protection, SandBlast is available on our entire range of Check Point gateways – all you need is the NGTX software license. And, it protects your incoming mail, users accessing the internet and your various network segments.
- On the endpoint side, we offer several options for SandBlast Agent: First SandBlast Anti-Ransomware is available as a dedicated product. Next, SandBlast Agent – which includes all our advanced protections and is designed to be deployed alongside any third-party end point protection suite And finally, the Endpoint Complete Suite – which offers comprehensive endpoint protection with firewall, VPN, FDE, AV, and all of SandBlast features
- We’ve talked about the WannaCry outbreak and reviewed an analysis of it’s inner workings. And we’ve looked at SandBlast and explained how it can help you address the challenge of protecting from all forms of ransomware and advanced threats – including WannaCry. Next were going to take a few questions, so back to you Michelle… and thank you all for listening till now.